--- Day changed Sun Jan 01 2017
03:02 < iheartlinux> almost there. I'm trying to route my client router's private network to the vpn's private tun ip: http://www.trunkmasters.com/pastebin/vpn tnx
07:59 < moritz_s> Hi, is there a way to make openvpn add routes to a custom routing table, i.e. the equivalent of the iproute command "ip route add <mynetwork> table mycustomtable via <vpngw>"
08:04 < BtbN> If all else fails, add them to the up/down scripts
08:12 < moritz_s> BtbN: Right, I haven't thought of that. But still, then I can't push the option, since push works with route but not with up...
08:14 < BtbN> I'd guess you can only push stuff that works on all platforms OpenVPN supports
08:14 < BtbN> and Windows does not have that concept at all
08:23 < moritz_s> Oh, there seems to exist a PR for this: https://github.com/OpenVPN/openvpn/pull/13
08:23 <@vpnHelper> Title: netconfig: add option to use user defined routing table by speakinghedge · Pull Request #13 · OpenVPN/openvpn · GitHub (at github.com)
11:05 -!- Vampire0_ is now known as Vampire0
14:02 < lesderid> I just upgraded OpenVPN to 2.4.0 on both my client and my server, and connecting to the server now errors and crashes OpenVPN on the server
14:03 < lesderid> only error I can find in the logs is 'Assertion failed at crypto.c:81 (packet_id_initialized(&opt->packet_id))' on the client side, right after 'Initialization Sequence Completed'
14:05 < thereyouare> "crashes OpenVPN on the server", that is interesting
14:06 < lesderid> yeah ...
14:11 < lesderid> my system is fully updated on both my client and my server too
14:14 < lesderid> setting higher verbosity doesn't seem to output much more
14:14 < thereyouare> lesderid: so you can crash our VPN server ?
14:15 < lesderid> I'm sure it's just an issue with my configuration, but I don't see why it would just appear now when updating to 2.4.0
14:16 < lesderid> I haven't tried connecting to other servers
14:17 < lesderid> was support for some ciphers dropped maybe?
14:22 < SCHAAP137> what OS are you using lesderid
14:22 < SCHAAP137> and which SSL library?
14:23 < lesderid> Arch Linux with OpenSSL
14:24 < SCHAAP137> same here
14:24 < lesderid> the only slightly non-standard thing in my config is IPv6 support
14:24 < SCHAAP137> shouldn't matter, using that here as well
14:25 < SCHAAP137> it would suggest that, in your situation, HAVE_AEAD_CIPHER_MODES is defined but openvpn_encrypt_aead() is unable to call it, for some reason
14:25 < SCHAAP137> you just using the packaged version from the regular repo?
14:25 < lesderid> yes
14:26 < lesderid> both openvpn and openssl are from the core repo
14:26 < SCHAAP137> 2.4.0-2 for openvpn?
14:26 < lesderid> yeah
14:27 < SCHAAP137> and what crashes exactly? the binary server-side stops?
14:28 < lesderid> yes
14:28 < SCHAAP137> you say you see this assertion failure in the client logs; can you see what happens in the server logs?
14:29 < lesderid> exact same error (when the client connects) + 'Exiting due to fatal error'
14:30 < SCHAAP137> output of openvpn --version, shows the same versions and libraries used?
14:31 < lesderid> err, I already downgraded, give me a minute
14:31 < SCHAAP137> ah, ok
14:31 < lesderid> https://pst.moe/paste/ndjvde
14:33 < lesderid> on both client and server
14:34 < SCHAAP137> the digest and cipher, in the client config; do they appear in openvpn --show-digests / openvpn --show-tls respectively? both on client and server?
14:35 < SCHAAP137> as in; is the stuff being negotiated present on both sides
14:35 < lesderid> I don't explicitly specify a cipher in any config, it's just the default on both sides
14:36 < SCHAAP137> okay, since 2.4.0, it defaults to AES-256-GCM, irrespective of what's mentioned in the configuration
14:37 < SCHAAP137> in my situation, it didn't create an issue; even though i have AES-256-CBC in the config server-side, somehow it just uses AES-256-GCM
14:37 < SCHAAP137> possibly, in some way or another, this might be causing your issue
14:38 < SCHAAP137> i would try and ask in #archlinux as well
14:39 < lesderid> hmm maybe
14:39 < lesderid> I might ask there later, yeah
14:39 < SCHAAP137> you could test by configuring a defined set of cipher/auth/tls-cipher
14:39 < SCHAAP137> at least server-side, and then test reconnecting again
14:41 < SCHAAP137> only difference in my setup, is that i'm using LibreSSL here
14:41 < SCHAAP137> rest is identical
14:41 < lesderid> I don't really have time to debug it further right now, but thanks for the suggestion
14:41 < SCHAAP137> yw
14:44 < SCHAAP137> crashing is weird though, an assertion failure like that suggests something weird; i wouldn't expect that from vanilla repo packages
14:48 < lesderid> ¯\_(ツ)_/¯
15:33 < jkaberg> while using the up function while creating an config file, is it possible to pass along the client IP as an argument?
15:33 < jkaberg> I mean the OpenVPN client ip
15:34 < jkaberg> example: up /path/to/script.sh %IPADDR%
15:44 < SAKUJ0> !welcome
15:44 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
15:44 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
15:45 < thereyouare> !sample
15:45 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
15:49 < SAKUJ0> !goal I want to include multiple machines on the client side (10.218.0.0/16) when using a routed VPN
15:49 < SAKUJ0> !goal
15:49 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:50 < SAKUJ0> I want to include multiple machines on the client side (10.218.0.0/16) when using a routed VPN
15:50 < thereyouare> !goat
15:51 < SAKUJ0> The routes seem to be pushing just fine. I don't intend to use MASQUERADING. I can ping the VPN client from the client LAN using its VPN address (outside of 10.218.0.0/16)
15:51 < SAKUJ0> So my local LAN is configured properly. But either the VPN client does not forward the packages to the server, or the server cannot reach 10.218.0.0/16
15:52 < SAKUJ0> I assume it is the latter, as the VPN server can only reach the VPN client on its VPN address
15:52 < SAKUJ0> For posterity, the VPN's network is 10.219.218.0/24
15:52 < SAKUJ0> I am running ufw
15:53 < SAKUJ0> sysctl allows net.ipv4.ip_forward
15:53 < SAKUJ0> ufw is set to allow all routed traffic via policy
15:53 < SAKUJ0> I can verify the routes are added on both the VPN server and client using `ip r`
15:54 < SAKUJ0> How can I get the VPN server to ping the VPN client on its LAN ip address (10.218.0.10) ?
15:57 < SAKUJ0> I also get an error when connecting with the VPN client to the VPN server, as it is trying to push the 10.218.0.0/16 route, which the VPN client is already on
15:57 < SAKUJ0> But I figured that is by design, as the route just already exists
15:58 < SAKUJ0> Here is the server.conf
15:58 < SAKUJ0> http://paste.debian.net/905946/
16:07 < thereyouare> now wait
16:07 < thereyouare> someone could come buy and notice your question
16:07 < thereyouare> I asked my question 2 days ago still wait
16:07 < thereyouare> I think I will reask it
16:07 < thereyouare> in openvpn source there are files README and INSTALL that contain this text:
16:07 < thereyouare> Copyright (C) 2002-2010 OpenVPN Technologies, Inc. This program is free software
16:07 < thereyouare> why is it 2010 and not 2016 ?
16:08 < thereyouare> also in INSTALL file it says:
16:08 < thereyouare> Compile OpenVPN with OpenSSL/LZO built from source tarballs See INSTALL-nonstandard.txt
16:08 < thereyouare> but there is no INSTALL-nonstandard.txt file
16:13 < DarkSector> Hey guys, so my server.conf contains push route 0.0.0.0 with the comment saying push your local subnet to the client
16:13 < DarkSector> what is the advantage of using push route 0.0.0.0 instead of my actual local server side subnet "push route 192.168.31.0 255.255.255.0"
16:15 < thereyouare> !push
16:15 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
16:17 < DarkSector> Uh, I know what push does, but I was just wondering what is the idea of using 0.0.0.0?
16:17 < DarkSector> What does that do, I can't seem to grasp it
16:17 < DarkSector> oh wait
16:21 < DarkSector> so if the client gets the route 0.0.0.0 that means all traffic should just default to this if no route is explicitly defined?
16:22 < thereyouare> I don't know but you can wait for someone who does know
16:22 < DarkSector> That's okay I'll ask on #networking too :)
17:14 < SAKUJ0> for posterity, it seems the ccd directive was missing. Once I set that up, The server was able to reach the client on its lan ip
17:14 < SAKUJ0> and the client lan was properly routed with ip_forward on top
17:29 < thereyouare> posterity will never forge it
17:30 < thereyouare> forge
17:30 < thereyouare> forget
17:44 < Eugene> thereyouare - copyright reflects the date that content was created, not when you downloaded it
18:00 < thereyouare> "its alive, its alive !!!" -- Frankenstein
18:01 < thereyouare> the channel is actually not dead
18:01 < Eugene> Its a holiday, what do you expect
18:01 < thereyouare> SAKUJ0: hang in there
18:02 < SAKUJ0> thereyouare, it's already working (see my latest comment)
18:02 < thereyouare> right
18:48 < nightOwlHash> hey folks
18:49 < nightOwlHash> I have a question about DNS servers
18:49 < nightOwlHash> I tried putting 3 new DNS ips in my ubuntu system files , and i checked for dns leaks online, and in one of the instances, there was a leak
18:50 < nightOwlHash> anybody knows how i can remove my ISP dns from my files ?
19:07 < thereyouare> another poor soul
19:27 < KNERD> Holiday weekend, some people have lifes other than on IRC
21:59 < redrabbit> how do i switch off access to lan and/or internet access behind openvpn server to clients
22:01 < subzero79> redrabbit have you try a firewall rule that prevents forwarding from the openvpn subnet the lan or the main internet gateway?
22:07 < redrabbit> good idea
22:08 < redrabbit> i thought there was some options in openvpn itself
22:08 < redrabbit> i have ufw on the openvpn VM but i started using shorewall, should be good for that
22:35 < redrabbit> < Eugene> redrabbit - see the ping family of options < Eugene> Keepalives & polling can eat a lot of data.
22:36 < redrabbit> how do you deal with this, i would like to reduce idle data use
22:38 < KNERD> redrabbit: I am trying to do the opposite..I want clients to have internet access.
22:39 < redrabbit> well thats how it works default
22:39 < redrabbit> i guess
22:39 < KNERD> once this push "redirect-gateway def1 bypass-dhcp"  is enabled..they are cut off locally, but I want them to have access from the opernvpn server side
22:39 < KNERD> not really
22:39 < redrabbit> https://designdesk.org/security/setup-openvpn-vps-local-server
22:39 <@vpnHelper> Title: Setup an OpenVPN server (at designdesk.org)
22:40 < redrabbit> with this config it worked for me
22:40 < redrabbit> its probably down to firewall rules
22:40 < redrabbit> try
22:40 < redrabbit> echo 1 > /proc/sys/net/ipv4/ip_forward
22:41 < KNERD> It's not local..it's a remote server
22:43 < KNERD> IP tables is correct...I had this issue before on another server which I was able to fix with the help from thsi channel before, but the freaking hosting company deleted the VPS...thus what I added in to server.conf is lost
22:43 < Eugene> redrabbit - you can just unset them; they're part of the default helper set used by the --server directive
22:43 < KNERD> this time I need to save it
22:43 < redrabbit> Eugene: oh good
22:44 < redrabbit> can you point me to the proper syntax/man page
22:47 < KNERD> going to test that /proc/sys/net/ipv4/ip_forward now
22:48 < KNERD> i wonder if networking needs to be restarted
22:48 < KNERD> not working
22:49 < redrabbit> you need forwarding
22:49 < redrabbit> maybe iptables rules
22:50 < KNERD> ip tables are there
22:50 < KNERD> :POSTROUTING ACCEPT [609:43311]
22:50 < KNERD> -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
22:50 < KNERD> -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 104.192.169.78
22:50 < redrabbit> Eugene: did you tried to unset them, if so how much did you gained
22:50 < redrabbit> or, saved
22:52 < redrabbit> i set up 3 openvpn server from the link i posted above, all of them share their internet connection
22:53 < redrabbit> i have no clue which firewall rules i have to set to disable it
22:53 < KNERD> but are they getting internet from the local connection, or remotely
22:54 < redrabbit> from the connection behind the server
22:54 < redrabbit> so remotely i guess
22:55 < KNERD> ipchiken.com will show you for sure
22:55 < redrabbit> yes i do get ip from the openvpn server
22:56 < redrabbit> just compare your config with the stuff in my link
22:56 < redrabbit> or start fresh and follow it mindlessly
22:56 < redrabbit> :D
22:57 < KNERD> that link is using UFW, while I am using IP Tables
22:58 < redrabbit> aha, i should translate that part for iptables users
22:58 < redrabbit> for shorewall too
22:58 < KNERD> I am stuck using IP Tables
22:58 < redrabbit> ufw can be limiting
23:04 < redrabbit> KNERD: you need a forward rule
23:04 < KNERD> which is that?
23:05 < KNERD> I remember putting something in the servf.conf which helped with that but it is gone now so I dont have it anymorwe. I think someone pointed me toa helpful page on the openvpn site
23:06 < redrabbit> iptables -A FORWARD -i eth0 -s 192.168.0.0/24 -j ACCEPT
23:06 < redrabbit> try something like that
23:07 < KNERD> it's a remote server with static IP address
23:08 < KNERD> so what would I be forwarding? the static IP address? redrabbit:
23:10 < KNERD> i see this very issue in many forums. but the answer for them is to add to IP tables the same rules I alreayd have.. (posted above)
23:10 < redrabbit> maybe your ip after -s
23:11 < redrabbit> anyway im gonna edit the how to and add iptables without ufw
23:12 < redrabbit> ill do that later though
23:12 < KNERD> okay..and testing the iptabel rule now
23:12 < KNERD> NO change
23:13 < redrabbit> you prolly need the right foward rule
23:13 < redrabbit> gtg, gl
23:13 < KNERD> okay
23:13 < KNERD> thansk for helping
23:19 < KNERD> this states  how to  https://openvpn.net/index.php/open-source/documentation/howto.html#redirect
23:19 <@vpnHelper> Title: HOWTO (at openvpn.net)
23:19 < KNERD> Routing all client traffic (including web-traffic) through the VPN
23:21 < KNERD> yeah I have all that so it must be an IP tables issue
--- Day changed Mon Jan 02 2017
00:45 <@krzee> KNERD:
00:45 <@krzee> !redirect
00:45 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
00:45 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
00:45 <@krzee> see the flowchart
01:21 < jayray> good day!
01:24 < jayray> I have a quick question... I just upgraded from 2.3.14 to 2.4.0 and clients wouldnt connect because my CRL.pem had not been updated in years. is there a new config setting that will disable the crl expiration check, or do now have to update crl every 30 days?
01:43 < jayray> nvm...
06:03 < weasel> hm.
06:03 < weasel> I need 'proto udp6' if I want my openvpn to listen on v4 and v6, right?
06:34 < MrNeon> hey, I'm having problems with the openvpn 2.4 update, I'm getting a permission error when reading files from the ccd folder.
06:35 < MrNeon> from the log: Could not access file 'ccd/acer.brocktonbay': Permission denied (errno=13)
06:43 < ordex> MrNeon: maybe you are dropping priviledges to a user that is not allowed to read that directory/files ?
06:44 < BtbN> weasel, you don't need to listen on v4. An IPv6 Socket happily accepts both.
06:54 < MrNeon> ordex, that was it, it was dropping to the user nobody and it can't read inside the new server/ directory.
06:56 < ordex> yap
06:56 < ordex> goed :)
07:22 -!- remirol is now known as lorimer
07:44 < weasel> BtbN: that wasn't my question :)
07:45 < weasel> BtbN: the point is, it only listens on both with udp6.  but with 'proto udp6', openvpn (at least 2.3.2) is broken as it answers udp connections from the "wrong" address (i.e. it does not answer from the address that the peer connected to)
07:46 < BtbN> That's unfortunately just how UDP behaves, as it's connectionless.
07:47 < weasel> no, it's not just how UDP behaves.
07:47 < BtbN> You could start multiple instances, and bind each one to a specific IP
07:47 < weasel> if I don't specify 'proto udp6', then openvpn correctly binds on outgoing connections
07:47 < weasel> i.e. it picks the correct ipv4 address from the many it could.
07:48 < weasel> so it appears openvpn has code to handle this case, except it's broken with 'proto udp6'
07:49 < BtbN> Or the default IP just happens to work.
07:49 < weasel> nope
07:49 < weasel> with proto ipv6:
07:49 < weasel> 12:47:21.630490 IP 172.22.126.25.59944 > 141.201.27.94.14525: UDP, length 14
07:49 < weasel> 12:47:21.630697 IP 172.22.126.15.14525 > 172.22.126.25.59944: UDP, length 22
07:49 < weasel> without:
07:49 < weasel> 12:51:26.062338 IP 172.22.126.25.43965 > 141.201.27.94.14525: UDP, length 14
07:49 < weasel> 12:51:26.062750 IP 141.201.27.94.14525 > 172.22.126.25.43965: UDP, length 26
07:50 < BtbN> Is your server configured as multihome?
07:50 < weasel> "multihome" is in the config file.
07:51 < BtbN> And this is a linux server, right? Not some BSD?
07:52 < weasel> correct.
07:52 < weasel> (it's a debian wheezy, with backports openvpn)
07:52 < BtbN> Works fine for me then, with udp6 + multihome and two IPv4s + IPv6
07:54 < BtbN> https://community.openvpn.net/openvpn/ticket/306
07:54 <@vpnHelper> Title: #306 (--proto udp6 --multihome fails for IPv4-mapped clients) – OpenVPN Community (at community.openvpn.net)
07:54 < BtbN> "the code in 2.3 actually gets this right, if the operating system can handle this particular case (IPv4 packets arriving as IPv4-mapped on an IPv6 socket). Linux could not until 3.15 (see below for details)"
07:54 < BtbN> I'd guess Debian Wheezy has an older kernel?
07:54 < weasel> let me check
07:54 < weasel> correct.
07:55 < BtbN> Yeah, that's your issue then. Kernel too old for that case.
07:55 < weasel> Thanks
07:55 < weasel> guess those nodes will stay v4 only then
07:56 < BtbN> Isn't that debian variant dead, and in bad need of an update anyway?
07:57 < weasel> there's LTS.
07:57 < weasel> it's not ideal, but it's reasonable (imo) for this particular host.
08:21 < moritz_s> I have "server 10.12.34.0 255.255.255.0; route 192.168.0.0 255.255.255.0" in the server conf and "iroute 192.168.0.0 255.255.255.0" in the ccd conf for a client. But the server tells me "OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options".
08:21 < moritz_s> Am I missing something? As I understand, "server 10.12.34.0 255.255.255.0" should include the ifconfig option
08:36 < [0xAA]> Mon Jan 2 14:14:59 2017 WARNING: Bad encapsulated packet length from peer (0), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
08:36 < [0xAA]> I'm seeing this error
08:37 < [0xAA]> I'm designing a TCP proxy like port mapper
08:37 < skyroveRR> Fix the MTU on both the sides.
08:37 < skyroveRR> Is any of your connection doing PPPoE?
08:37 < [0xAA]> skyroveRR: It's the same
08:37 < [0xAA]> I'm designing a TCP MITM proxy
08:37 < [0xAA]> skyroveRR: this is not a general problem
08:37 < [0xAA]> this MITM does not modify any packet contents
08:38 < [0xAA]> this MITM just accepts connection, reads it, encrypts and sends over another tunnel
08:38 < [0xAA]> then all incoming packets are decrypted and the same happens
08:38 < [0xAA]> somehow, some of these packets are getting short
08:38 < [0xAA]> so, what do I do
08:39 < [0xAA]> I've tried this with multiple programs and the proxy works
08:39 < [0xAA]> only OpenVPN doesn't work
08:40 < [0xAA]> is there a specific size upto which this MITM should wait ?
08:42 < lorimer> can you snoop one of the other programs that's working and see if it's being more tolerant of the same error?
08:43 < lorimer> ie. are some of your packets always coming short and other programs just eat-and-retry?
08:43 < [0xAA]> lorimer: I've tried HTTP, netcat chat, IRC
08:43 < [0xAA]> all of them wait until the block arrives
08:43 < [0xAA]> and OpenVPN just rages out
08:44 < lorimer> ./thinking
08:44 < [0xAA]> (they wait until what they need comes)
08:45 < [0xAA]> HTTP does work
08:46 < lorimer> yeah, no, they're being tolerant but not incorrectly so
08:47 < lorimer> dunno, then. i'd dig into the openVPN code at this point if this was me, but i haven't ever looked at it so i don't know how quick a task that is.
08:47 < lorimer> sounds like openVPN expects a certain degree of consistency that the MITM is disrupting. just don't know if that consistency is excessive or there for a reason
08:47 < [0xAA]> but OpenVPN uses OpenSSL
08:47 < [0xAA]> and I've tried HTTPS as well
08:48 < [0xAA]> hmm, if OpenVPN is meant to run over insecure internet, then it should tolerate (block) until what it needs arrives
08:48 < lorimer> this is what i would expect as well because TCP is supposed to work that way
08:49 < lorimer> so it's either a bug or intentional-and-i-dont-know-why. either way i'm out of ideas though, so good luck :/
08:50 < [0xAA]> D:
08:51 < [0xAA]> can I lure OpenVPN by some configuration to allow whatever-packet-size ?
08:55 < para000> hi guys
08:56 < para000> what do you think is better to install an openVPN, ubuntu 16.04 or Debian 8?
08:57 < thereyouare> untill when new versions servers will support 2.3.11 version clients ?
08:58 < [0xAA]> para000: off-topic
08:59 < thereyouare> I remember when I tryed to use client 2.3.2 version to connect to 2.3.11 server it failed because client was too old, so now I use 2.3.11 client but its support will also be drooped sometime in the future, when it could happen ?
08:59 < thereyouare> so right now can client of 2.3.11 connect to server of 2.4.0 ?
09:00 < thereyouare> [0xAA]: why did hiya banned you in his channel ?
09:00 <@dazo> para000: openvpn should run equally well on both ... choose what you are most comfortable with .... With that said, if deb/ubuntu was my only options, I'd go for Debian .... normally I prefer RHEL/Scientific Linux/CentOS (in that order)
09:01 < [0xAA]> thereyouare: he's gay when it comes to security
09:01 < [0xAA]> thereyouare: https://bpaste.net/raw/a78a10eac0c4
09:01 <@dazo> thereyouare: its a long time ago ... but IIRC, it was mostly related to lack of humbleness and providing very bad advices ... which mean hiya was not capable of accepting s/he was wrong
09:01 < [0xAA]> this is off-topic though
09:02 < [0xAA]> dazo: read those logs, that will prove how insecure hiya and friends are
09:02 < [0xAA]> one of them (raiz) encrypts his keys with ECDSA
09:02 <@dazo> [0xAA]: iirc, I was one of them kicking him out of here at one point ... but it did happen a few more times
09:02 < [0xAA]> <raiz> my current ssh session is encrypted with ecdsa key
09:03 < [0xAA]> ^ topkek
09:03 < [0xAA]> dazo: hiya is idiot, everyone should know it by now
09:03 < [0xAA]> and back it my mitm
09:03 < [0xAA]> why isn't it working -.-
09:03 < [0xAA]> HTTP is working, HTTPS is, as well
09:04 < [0xAA]> As OpenVPN uses OpenSSL, it should do the same
09:04 <@dazo> [0xAA]: are you re-inventing stunnel?
09:08 < [0xAA]> dazo: nope
09:08 < [0xAA]> It uses custom crypto
09:09 < [0xAA]> with some other features that I want to do myself for realz
09:09 < [0xAA]> I just wrote my own implementation of copy
09:09 <@dazo> "custom crypto" .... that sounds risky
09:10 < [0xAA]> dazo: I know what I'm doing
09:11 < [0xAA]> I've wrote a hashlot of crypto apps
09:12 <@dazo> heh ... sorry, but without knowing your true identity, that sounds like last famous words to me ;-)
09:12 < [0xAA]> dazo: with this identity?
09:12 < [0xAA]> dazo: again off-topic
09:13 <@dazo> off-topic discussions are okay in this channel as long as it doesn't disturb other more "on-topic" discussions
09:17 < [0xAA]> hmm
09:17 < [0xAA]> openvpn is basically breaking me right now
09:19 < lorimer> "why custom crypto?", he asked secretively
09:19  * lorimer goes and stands in the corner
09:20 <@dazo> lorimer++ ... no need to go stand in the corner.  That's a very appropriate question
09:20 < lorimer> not for the question, for the tom-swiftie stuck to it
09:21 <@dazo> http://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own#18198
09:21 <@vpnHelper> Title: cryptography - Why shouldnt we roll our own? - Information Security Stack Exchange (at security.stackexchange.com)
09:34 < [0xAA]> dazo: I know what I'm doing
09:35 < [0xAA]> I understand what I'm doing as well
09:35 < [0xAA]> I use other libraries, but write the cryptosystem myself
09:35 < [0xAA]> I don't design primitives
09:42 < [0xAA]> and, I don't write in C
09:42 < [0xAA]> So I'm not vulnerable to buffer overflows and funny things
09:46 < KNERD> krzee: looking now
09:46 < redrabbit> interesting read dazo
09:46 < redrabbit> hi KNERD found the solution ?
09:46 < redrabbit> offtopic, are you a knife nerd ? :D
09:47 < KNERD> redrabbit: i just got back on looking now..  I an a K NERD
09:47 < KNERD> !def1
09:47 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
09:47 < KNERD> !ipforward
09:47 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
09:47 < KNERD> !nat
09:47 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
09:47 < redrabbit> pretty sure you need an iptables FORWARD rule
09:48 < KNERD> yes, but which one
09:50 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in]
09:50 < KNERD> !linipforward
09:50 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
09:51 < KNERD> well that is set for sure
09:51 < KNERD> def1 is also set
09:52 < redrabbit> something like iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
09:52 < redrabbit> kinds of looks like the command above ^
09:53 < KNERD> that looks good..i will try it now
09:54 < KNERD> no change
09:56 < redrabbit> try command from the helper
09:57 < redrabbit> tbh id start fresh, are you sure the rest of the configuration is good
09:59 < KNERD> yes..i have uset his same one before...just without the push "redirect-gateway def1 bypass-dhcp" because it has always gave problems
09:59 < KNERD> this time I want it
10:00 < KNERD> no change
10:02 < redrabbit> maybe it give problem because the configuration isnt proper
10:04 < KNERD> i have looked in many forums, dealing with the same issue, and the configuration is identical
10:04 < KNERD> even after they got it working
10:05 < redrabbit> would be easier to start fresh and try other instructions are this point
10:05 < redrabbit> at this*
10:07 < KNERD> not really. As I metnioned I had this issue before, and someone on here was able to help with it. If was over a year ago, though. They had me put something other in the configuratrion and it started working.
10:07 < KNERD> if I recall correctly, it was something posted in the helper link
10:09 < redrabbit> http://dpaste.com/0D7S844
10:09 < redrabbit> try this
10:10 < redrabbit> lol, that's why i always take notes when i get something to work :D
10:10 < redrabbit> i learned not to trust my internal brain memory much
10:10 < KNERD> yes...i did, but I had a HD crash a few months ago
10:11 < redrabbit> backups
10:11 < KNERD> and the dammed VPS provider wiped my VPS
10:11 < KNERD> Here is the config http://pastebin.com/XRwyQC94
10:11 < redrabbit> backups
10:11 < redrabbit> :D
10:11 < redrabbit> i backup my vps to my NAS every night
10:11 < redrabbit> with cron and rsync
10:12 < KNERD> plus...i accidentally eased a flash drive with some of my backups on it...what luck
10:12 < redrabbit> https://www.youtube.com/watch?v=B-khEYhppBs
10:14 < KNERD> I though it was Capt. Obvious
10:14 < redrabbit> its another flavor
10:15 < redrabbit> i will install another vpn from strach in a vm to add an iptables section on my how to
10:15 < redrabbit> but im pretty sure you can follow it and use the rules in the dpaste above
10:17 < KNERD> oh okay..but sure to test it
10:18 < para000> Anyone here is willing to help me setup an OpenVPN server with multiple IPs on Ubuntu 16.04 for a sum of money?
10:18 < redrabbit> how much ips
10:19 < para000> total of 10 external IPs
10:19 < redrabbit> :D gl
10:20 < para000> Is for private usage not for commercial.
10:20 < para000> why you say that?
10:20 < redrabbit> i don't know sounds hard
10:20 < redrabbit> id certainly need help too
10:21 < KNERD> Capt Hindsight says so
10:23 < para000> redrabbit: i have some ideeas on how to do it
10:23 < para000> i belive i crate a server1.cfg to server10.cfg for OpenVPN
10:23 < para000> each with 1 IP
10:24 < para000> and start all
10:30 <@krzee> para000: sure
10:30 <@krzee> msg me
10:42 < thereyouare> [0xAA]: you think if you don't use C you are safe from buffer overflows ?
10:44 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
10:44 -!- mode/#openvpn [+o syzzer] by ChanServ
10:48 < [0xAA]> thereyouare: Unless I'm again using a unsafe language
10:57 <@krzee> alright para000, whats the goal for the vpn?
10:58 <@krzee> you want clients to be able to connect to one of 10 public ips, and then traffic leaves for the internet with that source ip?
10:58 < para000> i wanna make all 10 IPs as VPN for 10 virtual machines
10:58 < para000> each client to an indiviaul IP
10:58 < para000> i`m thinking on crating 10 servers.config
10:58 < para000> for eachi IP
10:58 <@krzee> ok so theres 2 ways
10:58 <@krzee> 1 is that way
10:58 <@krzee> the other is --multihome
10:59 < para000> wich way give you more stability ?
10:59 <@krzee> and then give each client a static vpn ip, and give 10 NAT rules with source ip specified
10:59 <@krzee> = stability
11:00 < para000> some guy made me 1 year ago on debia with the 10 servers.config
11:00 <@krzee> well ya that works, but a single config can also do it
11:00 < para000> and something when i try to do a seach on the web from one of my virtual computers, pings jump from 100 to 2500 while the data is transferd
11:01 < para000> k, krzee
11:01 < para000> let me setup ubuntu for static IPs
11:01 <@krzee> you would not specify the ip to listen on, it'll listen on all, then with --multihome in linux it'll be able to handle being contacted on any ip
11:02 < para000> casue is see ubuntu 16.04 now give iface ens3 inet dhcp
11:02 <@krzee> then if clients had static ips you could give them each their own NAT rule based on vpn source ip and specify the ip to nat as
11:02 <@krzee> !static
11:02 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder, or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range, or (#5) See also: !addressing
11:02 <@krzee> !linnat
11:02 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
11:03 <@krzee> iptables -t nat -I POSTROUTING -s <vpn static ip> -o eth0 -j SNAT --to <PUBLIC IP ADDRESS>
11:04 < para000> yes, but if client do not have static IP
11:04 <@krzee> no i mean client vpn ip is static
11:04 <@krzee> !static
11:04 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder, or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range, or (#5) See also: !addressing
11:04 < para000> oh
11:04 <@krzee> you control that =]
11:05 < para000> oh your saying in the .ovpn file
11:05 < para000> right?
11:05 <@krzee> well kinda
11:05 <@krzee> in a ccd entry
11:05 <@krzee> !ccd
11:05 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
11:06 < para000> k, let me start on it
12:02 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has quit [Ping timeout: 260 seconds]
12:05 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn
12:05 -!- mode/#openvpn [+o danhunsaker] by ChanServ
13:21 < Koshi> hello. i have a server in digitalocean and i try to configure openvpn
13:22 < Koshi> but when i connect to app in windows shows a error
13:22 < Koshi> can not locate HMAC in incoming packed from ....
13:29 < ExoUNX> Koshi make sure the cipher suite lines up between the server and client configs
13:31 < Koshi> ExoUNX, i dont know
13:31 < Koshi> how can i find it
13:52 < ExoUNX> Koshi might help https://community.openvpn.net/openvpn/wiki/Hardening
13:52 <@vpnHelper> Title: Hardening – OpenVPN Community (at community.openvpn.net)
14:02 < Koshi> ExoUNX, Thanks
14:06 < thereyouare> so easy-rsa doesn't ships with source tarball of openvpn anymore ?
14:06 < thereyouare> why ?
14:25 < ExoUNX> thereyouare I think they separated them to be less monolithic
14:26 < ExoUNX> https://github.com/OpenVPN/easy-rsa
14:26 <@vpnHelper> Title: GitHub - OpenVPN/easy-rsa: easy-rsa - Simple shell based CA utility (at github.com)
14:40 <@dazo> Koshi: sounds like you're using --tls-crypt or --tls-auth on only one of the sides, not both
14:40 <@dazo> thereyouare: we decided easy-rsa should be de-coupled and have its own release cycle, not coupled with the core openvpn
14:40 < Koshi> dazo, what can i do
14:41 < Koshi> i followed : https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
14:41 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
14:47 < nahra> Hello. Which way to start openvpn systemd service for client, named "openvpn-client@clent.service"?
14:49 <@dazo> Koshi: don't use unofficial openvpn documentation, that's the first thing you can do
14:49 <@dazo> !howto
14:49 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
14:49 <@dazo> Koshi: start with #3
14:49 < Koshi> dazo, i will try now
14:54 < nahra> dazo: Any idea?
15:00 < thereyouare> Koshi: you think they have free VPS on digitalocean ?
15:02 < Koshi> thereyouare, no but i think i can install openvpn on ubuntu server
15:02 < Koshi> and i will try if works or not. i never try before
15:08 <@dazo> nahra: if your client configuration file is called 'clent.conf' ... then you need to do: systemctl start openvpn-client@clent
15:09 <@dazo> Koshi: openvpn on ubuntu on an digital ocean droplet works very fine ... in a previous job, I did some testing with exactly such a setup
15:10 < Koshi> dazo, thanks, when i finish i will tell you . :)
15:11 <@dazo> nahra: just remember that your configuration file must be saved under /etc/openvpn/client/ ... and it must have a .conf extension
15:20 < Vazity> !welcome
15:20 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
15:20 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
15:36 < thereyouare> http://www.keylength.com/en/8
15:36 <@vpnHelper> Title: Keylength - BSI Cryptographic Key Length Report (2015) (at www.keylength.com)
15:43 < thereyouare> on that page: http://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own someone said:
15:43 <@vpnHelper> Title: cryptography - Why shouldnt we roll our own? - Information Security Stack Exchange (at security.stackexchange.com)
15:43 < thereyouare> "More eyes means more likely that the current version doesn't have major vulnerabilities, as opposed to something developed in-house by non-experts"
15:43 < thereyouare> but shouln't it be in contrary like in real life when there is the more people whitness a crime the less likely someone call the police ?
16:04 <@krzee> when you roll your own there are no witnesses, so nobody can call the police
16:06 <@krzee> in your example, which is more likely to get a call to the police? the one with too many witnesses or the one with none?
16:07 < thereyouare> so "roll your own" means security through obscurity ?
16:07 < thereyouare> I though "roll your own" means its open source and everyone can see it but its just you made it instead of some other guy
16:08 < thereyouare> so there is no even single case when "roll your own" is better then "not roll your own" ?
16:08 <@krzee> sure there is, the case where you are a math expert and probably have a phd in cryptography
16:09 <@krzee> :D
16:09 <@krzee> so like, if you're DJB for example, then it can be fine
16:09 <@krzee> (he rolled blowfish and twofish, for example)
16:09 < thereyouare> who rolled AES ?
16:10 <@krzee> want me to google that for you?
16:10 < thereyouare> was that one guy ?
16:10 < thereyouare> don't google it for me, google it for yourself
16:10 <@krzee> (guys)
16:11 <@krzee> but i dont care, you're the one asking
16:11 < thereyouare> so AES is the best ?
16:11 < thereyouare> its like "the ring" that unites them all ?
16:11 < thereyouare> rules them all
16:11 <@krzee> its just whats currently recommended, "best" is a personal choice
16:12 < lorimer> 'best' is a significant oversimplification, too. it's just one particular standard that is "satisfactory" based on our current knowledge and tech level
16:13 < thereyouare> imagine if people start breaking encryption as intensely like they mine bitcoins
16:13 < lorimer> bitcoins are way behind the curve on effort level there
16:13 < lorimer> nations have entire departments devoted to breaking encryption
16:13 < thereyouare> its unbreakable because there is just not enough stimulus
16:14 < thereyouare> first they would use CPU then GPU then custom made ASICs
16:14 < thereyouare> and eventually they break AES
16:14 < lorimer> ...again, that kind of effort has been happening long before bitcoin
16:14 < lorimer> building custom hardware to break encryption is at least 25 years old
16:15 < lorimer> maybe more, you'd have to ask the NSA
16:15 < thereyouare> but do you think average people allowed to buy such hardware ?
16:15 < lorimer> not relevant.
16:23 <@dazo> thereyouare: AES is currently the safest algorithms according to several crypto experts
16:26 <@dazo> thereyouare: the SHA3 competitions concluded a year ago or so that the Keccak will be the basis for the SHA-3 generation of crypto algorithms, which is believed to be stronger ... so that's what crypto experts and mathematicians spend their available time on testing out
16:26 < thereyouare> how you compare what is "safest" ? I mean you can compare plastic bottle with glass bottle what is the safest to carry, because you can try to break both and its harder to break plastic one so from experinece of actually breaking stuff you can say which one is less unbreakable, so in case of encryption algorithms how they compare them ?
16:27 <@dazo> oh sorry ... I'm too tired now ... mixing hashing with crypto algorithms
16:27 < thereyouare> I mean it is whether breackable or unbreackable like 0 or 1 or is there scale 1 to 10 or what ?
16:27 <@dazo> thereyouare: "safest" means that no mathematicians or crypto experts have found a reliable way to break down the complexity of decoding an encrypted message
16:28 < thereyouare> like blowfish is safe 3 out of 10 and AES is safe 8 out of 10
16:28 < thereyouare> dazo: so for all others they did found it ?
16:28 <@dazo> for the vast majority, yes
16:28 < thereyouare> so I suppose that makes those vast majority deprecated ?
16:28 < thereyouare> or even useless ?
16:30 <@dazo> many of them are definitely deprecated and useless ... some are only partially broken, meaning it can't be cracked completely unless having enough CPU resources to solve the challenge in a reasonable time ... in these cases, it might be fine to use them if already implemented - depending on the information the crypto is protecting
16:30 < KNERD> redrabbit: hpw
16:31 <@dazo> (if it takes 3 months to crack it, but the information is useless after 1 month .. they you probably don't bother)
16:31 < KNERD> redrabbit: how is the install going?
16:32 <@dazo> thereyouare: but ... there's a ton of different algorithms ... many have not been through enough testing to deem it safe or not ....
16:32 < thereyouare> so AES is "good enough"
16:33 <@dazo> absolutely
16:34 <@dazo> thereyouare: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security
16:34 <@vpnHelper> Title: Advanced Encryption Standard - Wikipedia (at en.wikipedia.org)
16:34 < thereyouare> wikipedia to the resque
16:34 < thereyouare> rescue
16:36 <@dazo> there are some debates if it makes sense to use AES with 256 bit key lengths, or if 128 is more than good enough ... as there are some issues with the 256 bit algorithm, which don't make it much stronger than 128 bit ... Bruce Schneier have some blog articles on that
16:39 <@dazo> thereyouare: https://www.schneier.com/blog/archives/2011/08/new_attack_on_a_1.html
16:39 <@vpnHelper> Title: New Attack on AES - Schneier on Security (at www.schneier.com)
16:41 < thereyouare> so openvpn supports more than just AES right, so if one day it will be broken all you need to do is just change one line config and restart openvpn client and server ?
16:41 < thereyouare> one line in config
16:42 < thereyouare> or even better if AES so popular, and more and more people try to break it, so don't use it at all and use some less popular one in openvpn ?
16:42 <@dazo> thereyouare: openvpn supports most of what openssl (or mbed TLS) supports ... openvpn doesn't do the crypto stuff itself, it "outsources" it to a crypto library
16:42 < thereyouare> its like with viruses if you use some unpopular OS its less likely be hit by a virus or be broken in
16:43 < lorimer> every first world nation is trying to break AES.
16:43 < lorimer> with government-grade resources. and all the other ones, too.
16:43 < thereyouare> so it more chances AES will be broken early than other less popular algorithms
16:43 < lorimer> those other algorithms are also receiving the same level of effort
16:43 < lorimer> except the ones that are already broken of course.
16:44 < thereyouare> or is it possible to use more than one at once ?
16:44 < thereyouare> tunnel inside tunnel ?
16:44 < thereyouare> that will make it much more secure
16:44 <@dazo> thereyouare: crypto is not comparable to virus ... crypto is more comparable to the immunity system in our bodies ... the more it gets hammered and the more it survives, the better it is
16:44 < lorimer> less popular algorithms tend to be less popular because they are inferior, not because of some obscure reason.
16:45 <@dazo> yeah
16:45 < thereyouare> you mean if someone break AES it will got even more secure ?
16:45 < thereyouare> they just tweak the "flaw" and continue to use it ?
16:45 <@dazo> nope, I mean that when so many tries to break it and _still_ haven't managed to break it, it is a good quality sign
16:46 < thereyouare> but if algorithm is broken you can't just fix it you have to throw away its entirely ?
16:46 <@dazo> just as when our immunity system cracks down, we get badly ill ... until that happens, we handle quite a lot
16:47 <@dazo> if an algorithm is broken, something brand new is needed ... you don't easily "fix" an already implemented and distributed algorithm - that would break all implementation not adding the fix
16:48 < thereyouare> also it if was implemented in hardware you can throw those hardware away now
16:48 <@dazo> right
16:50 -!- mode/#openvpn [+v lorimer] by krzee
17:04 < KNERD> I am having issue "web browsing" when using >> push "redirect-gateway def1 bypass-dhcp"  <<   It seems this is a common issue with searches I have done..for example  http://serverfault.com/questions/593977/openvpn-connected-but-not-internet-access-on-the-client My config looks the same, and their suggested fix is already in IP tables
17:04 <@vpnHelper> Title: vpn - OpenVPN connected but not internet access on the client - Server Fault (at serverfault.com)
17:06 < KNERD> but I cannot find a solution
17:57 < fs0ciety> hi guys - with openvpn 2.4.0 - i noticed that the down-pre command doesnt work anymore. here is the config file
17:57 < fs0ciety> https://bin.fsociety.info/heribalode
17:58 <@vpnHelper> Title: bin (at bin.fsociety.info)
17:58 < fs0ciety> i get this error
17:58 < fs0ciety> Options error: Unrecognized option or missing or extra parameter(s) in client.ovpn:128: down-pre (2.4.0)
17:58 < fs0ciety> any ideas
18:38 < KNERD> maybe the script is the problem
18:44 < fs0ciety> i shall have a look
18:44 < fs0ciety> thanks
19:35 < egrain> !welcome
19:35 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
19:35 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
19:36 < egrain> !goal
19:36 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:38 < egrain> I would like to know what openssl versions my clients use. the version of their OS would also be nice. Basically everything --push-peer-info promises. I have "push-peer-info" in the server.conf, but i only get the basic info like what openvpn version and what kind of OS. The man page says "when it's enabled" (paraphrasing) so I'm guessing i have to put a "true" or "enabled" behind it, but then openvpn doesn't start. help would be appreciated.
19:58 < KNERD> !redirect
19:58 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
19:58 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
20:00 < KNERD> !nat
20:00 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
20:01 < KNERD> openvznat
20:01 < KNERD> !openvznat
20:01 <@krzee> !factoids search openvz
20:01 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn, or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
20:02 <@krzee> !factoids search vz
20:02 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn, or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
20:02 < thereyouare> !nerd
20:03 < KNERD> well..the guide points me to "you ,you likely have a firewall issue."
20:04 <@krzee> oh, my flowchart?
20:04 < KNERD> yes
20:04 <@krzee> nice
20:04 <@krzee> to see if your nat rule is messed up, watch tcpdump
20:05 <@krzee> see if packets are going out eth0 as vpn ip
20:05 <@krzee> if so, we know its the nat rule
20:06 < KNERD> doing now
20:08 < KNERD> krzee: don't see the 10.x.x.x IP address in tcpdump
20:09 <@krzee> see the traffic at all?
20:09 < KNERD> yes...to and from my client, and server
20:11 <@krzee> i guess i should not have assumed, this is traffic destined for the internet, right?
20:11 <@krzee> we're on the redirect flowchart, right?
20:11 <@krzee> (i also made flowcharts for clientlan and serverlan)
20:11 < KNERD> this one  http://pekster.sdf.org/misc/redirect.png
20:11 <@krzee> ok good
20:12 <@krzee> i assumed right
20:12 <@krzee> soooo do you have a complex firewall?
20:12 < KNERD> IP tables.
20:12 <@krzee> i mean the config
20:12 < KNERD> I can see .openvpn .openvpn: UDP, length 93
20:12 < KNERD> it is possible....
20:13 <@krzee> for example if its stock openwrt i dont want to look  at the firewall config lol
20:13 <@krzee> but alright, post iptables-save -c
20:13 < KNERD> just good ol Debian
20:13 <@krzee> oh good
20:13 <@krzee> lol
20:13 < KNERD> 8
20:13 <@krzee> ever seen stock openwrt firewall?  you need eye bleach after that thing
20:14 < KNERD> not yet..but it was on my bucket list
20:14 < KNERD> 2 routers with OpenWRT coming
20:14 < KNERD> this is a remote server
20:15 < KNERD> oddly..any connection already made still continutes to function, but new ones are denied
20:16 <@krzee> conntrack rules?
20:16 <@krzee> keep-state?
20:16 < KNERD> i dont know
20:16 <@krzee> if you made a rule stopping the vpn after connections exist, but have a keepstate rule allowing active connections, that could cause that
20:17 <@krzee> but ya, when you get a chance show me the iptables-save -c and we'll try to see if theres a firewall issue
20:17 <@krzee> im wondering if ip forwarding is blocked
20:17 <@krzee> also when you check this in tcpdump, use ping and filter for all icmp
20:18 <@krzee> that way if its going as an unexpected address, you'll still see it
20:20 < KNERD> krzee: ip tables -c http://pastebin.com/Bm5wmA25
20:21 <@krzee> ya man
20:21 <@krzee> !linipforward
20:21 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
20:21 <@krzee> see the firewall rule at #3
20:22 < KNERD> i did thta earlier...let me try again
20:23 <@krzee> maybe you rebooted since
20:23 <@krzee> or reloaded old firewall rulesets
20:23 <@krzee> but your only forward chain reference in that ruleset is default DROP
20:24 <@krzee> hmm but it got hit 0 times so i dont think that alone will fix this
20:24 < KNERD> http://pastebin.com/XiAbxmv8'
20:24 <@krzee> so do that first, then test again, then when it doesnt work tell me
20:25 <@krzee> yep new rules look better for that, you tested again and it doesnt work still, right?
20:25 <@krzee> so now,  cat /proc/sys/net/ipv4/ip_forward
20:26 < KNERD> it's 0
20:26 < thereyouare> why there is no "/proc/sys/net/ipv6/ip_forward" file in my system ?
20:26 < KNERD> i need to change it then
20:27 < thereyouare> I do have /proc/sys/net/ipv6/ directory
20:27 < KNERD> okay..it's now 1...retesting
20:29 < KNERD> krzee: No change, but tcpdump is displaying something new... 20:19:30.355571 IP 13.107.21.200.https >
20:30 <@krzee> KNERD: even if it doesnt work, show me iptables-save -c again
20:30 <@krzee> we'll see if we got passed that problem
20:30 <@krzee> which im sure we did
20:30 <@krzee> https?  i told you to use ping
20:30 <@krzee> [18:08] <krzee> also when you check this in tcpdump, use ping and filter for all icmp
20:30 <@krzee> [18:09] <krzee> that way if its going as an unexpected address, you'll still see it
20:31 < KNERD> krzee: http://pastebin.com/2BS3uTQy
20:31 < KNERD> okay.repinging
20:33 < KNERD> krzee: I see ping going out to 8.8.8.8 as 0:23:05.848302 IP google-public-dns-a.google.com.domain > but nothing coming back on the client screen except no response
20:35 <@krzee> KNERD: what source ip on the ping...?
20:36 <@krzee> ok good, i see forwarding is happening now
20:36 <@krzee> [131:6813] -A FORWARD -i tun+ -j ACCEPT
20:36 <@krzee> [131:6813]  (that part)
20:36 <@krzee> now, when you see that ping go out, is it the VPN ip as the source ip>/
20:38 <@krzee> if so, it tells me the NAT rule is our new problem
20:38 <@krzee> you are on openvz... your public interface is eth0???
20:38 < Muimi> can you guys help me set openvpn up on centos 6.9?
20:38 <@krzee> KNERD: shouldnt it be some weird openvz interface name?
20:39 < KNERD> krzee: it's not IP, but the FQDN
20:39 <@krzee> i dont know openvz but from helping people in here i remember it being something else
20:39 <@krzee> KNERD: thats cause you didnt use -n lol
20:39 < Muimi> I'm having trouble gaining access to some server info that might be required.
20:39 < KNERD> krzee: no..it's no OpenVZ
20:39 <@krzee> oh then whyd you  <KNERD> !openvznat
20:39 <@krzee> hehehe
20:40 <@krzee> Muimi: you will want to ask a more specific question, unless you're looking to hire somebody to do it for you
20:40 < KNERD> I didn't have my specticals on and thought it said openvpnnat
20:40 <@krzee> oh i got ya :D
20:40 <@krzee> so your internet facing interface *is* eth0, right?
20:40 < KNERD> yes
20:41 < KNERD> the source is a FQDN
20:41 < KNERD> no IP
20:41 < Muimi> So, right now, I'm trying to set up a ca certificate.
20:41 <@krzee> no, its ALWAYS an ip, use -n to stop resolving
20:41 < Muimi> I'm following this guide.  Is this a good guide?  http://www.server-world.info/en/note?os=CentOS_6&p=openvpn
20:41 <@vpnHelper> Title: CentOS 6 - OpenVPN - Install/Configure : Server World (at www.server-world.info)
20:41 <@krzee> !easy-rsa
20:41 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
20:41 <@krzee> !walkthrough
20:41 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
20:42 < KNERD> krzee: what should be set with -n? That nat command?
20:42 <@krzee> Muimi: follow the tutorial thats in !easy-rsa for making certs
20:42 <@krzee> or try:
20:42 <@krzee> !xca
20:42 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa., or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
20:42 < thereyouare> !rsa
20:42 <@krzee> KNERD: the tcpdump command, you only see FQDN because you are resolving it
20:43 <@krzee> -n is no resolv
20:43 < KNERD> oh okay
20:43 <@krzee> !hard-rsa
20:44 < KNERD> krzee: 20:34:29.935328 IP 8.8.4.4.53 > 104.192.169.78.55676: 11560 1/0/0 A 131.107.255.255 (50) 20:34:29.935825 IP 10.0.1.118 > 104.192.169.78: ICMP host 192.168.1.160 unreachable, length 36
20:44 <@krzee> there we go
20:44 < Muimi> is it necessary to have those certificates to use openvpn?
20:44 <@krzee> Muimi: no, you can use PSK instead
20:44 <@krzee> !secretkey
20:44 <@krzee> !forwardsecurity
20:44 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can not decrypt past traffic, or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
20:45 <@krzee> in the howto it goes over making a simple PSK (ptp) connection
20:45 < Muimi> Well, how can I just get the bare-minimum basics of installing OpenVPN ?
20:45 <@krzee> but there wont be client/server
20:45 <@krzee> Muimi: openvpn is advanced networking, its not very basic
20:45 <@krzee> unles syou have a background in networking
20:45 <@krzee> theres a learning curve to start
20:46 < Muimi> I installed vpn on ubuntu, and it was really easy, you know?
20:46 < Muimi> it took like 25 minutes.
20:46 <@krzee> its 100% the same on any linux
20:46 <@krzee> really on any OS
20:46 < Muimi> Nah, because yum.
20:46 <@krzee> so if debian was easy, centos is 100% as easy
20:46 <@krzee> nah, because same shit
20:46 < Muimi> And also, I'm not in the US, so I don't have as much information.
20:46 < Muimi> And I don't know all the commands in Centos to get the info that I need directly from the OS.
20:47 <@krzee> and i use both centos and debian, im positive its same
20:47 < Muimi> So, I was really hoping someone would maybe help me out with some of the commands to get the info to fill in teh blanks, you know?
20:47 <@krzee> same commands in centos and debian for the most part dude
20:47 < Muimi> Centos, Debian (neither ubuntu).
20:47 <@krzee> thats not really a valid question tho
20:47 < Muimi> Aren't Centos and Debian essentially the same?
20:47 <@krzee> no, ubuntu and debian are
20:47 <@krzee> centos and redhat
20:48 <@krzee> ubuntu is based on debian
20:48 <@krzee> centos is made by redhat
20:48 < Muimi> okay, so the CA certificates say I need export key country, province, etc.
20:48 <@krzee> just follow the guide at !easy-rsa
20:49 < Muimi> !easy-rsa
20:49 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
20:49 <@krzee> KNERD: whats your VPN subnet?
20:50 <@krzee> in your server config, server <subnet> <netmask>
20:50 < KNERD> krzee: I have none set
20:51 < KNERD> the server is remote to me
20:51 <@krzee> you have to
20:51 <@krzee> well the server has a vpn subnet
20:51 <@krzee> what is it
20:51 < KNERD> dedicated server in a colo
20:52 <@krzee> i dont think you get the question
20:52 <@krzee> for there to be a vpn server, there is a config file for openvpn on the server
20:52 <@krzee> in that config file there is a line starting with the word server
20:52 <@krzee> i want to see that line.
20:52 < KNERD> oh yes
20:52 < Muimi> ./easyrsa init-pki is something I should type into the CLI?
20:53 < Muimi> https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/README.quickstart.md
20:53 <@vpnHelper> Title: easy-rsa/README.quickstart.md at v3.0.0-rc1 · OpenVPN/easy-rsa · GitHub (at github.com)
20:53 < KNERD> krzee: local 104.192.169.78
20:53 < KNERD> oh..server
20:53 < KNERD> server 10.8.0.0 255.255.255.0
20:53 <@krzee> Muimi: you really going to read it and then run the commands by us?
20:53 <@krzee> just read it and try
20:54 <@krzee> if you have problems, then ask
20:54 <@krzee> hmm that nat rule looks fine
20:54 <@krzee> and its getting hit
20:54 <@krzee> !configs
20:54 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
20:54 <@krzee> KNERD: ^
20:55 < KNERD> okay..
20:56 < KNERD> krzee:  Server http://pastebin.com/Xvau1XR7
20:57 <@krzee> you probably dont need bypass-dhcp
20:57 <@krzee> you dont need mode server (its included in --server)
20:57 < KNERD> client  http://pastebin.com/aXNnshtQ
20:57 < KNERD> krzee: I tried without bypass-dhcp and same result
20:58 <@krzee> ya i wouldnt expect that to fix it
20:58 < KNERD> as you can see by the line under
20:58 <@krzee> just letting you know what i saw when i saw it
20:58 < KNERD> and I apreciate it
20:58 <@krzee> are you able to restart the vpn server without booting yourself off?
20:58 <@krzee> (like you have sshd without openvpn)
20:59 < KNERD> no..no console
20:59 <@krzee> only access is over openvpn?
20:59 < KNERD> oh. no..I have SSH to the public IP
20:59 <@krzee> ok good
20:59 <@krzee> so put verb 4 on both and get me some logs please
20:59 <@krzee> !logs
20:59 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
20:59 <@krzee> !logfile
20:59 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
21:00 <@krzee> (both sides)
21:01 < Muimi> krzee: I woudln't run them all by you except that it doesn't work.
21:02 <@krzee> oh i didnt think you had the chance to read it all and then start trying in the 4 minutes between me giving link and you asking that
21:03 < Muimi> -bash: ./easyrsa: No such file or directory
21:03 <@krzee> did you download easy-rsa 3 from the site?
21:03 <@krzee> or you're using something old from that walkthrough you were on before?
21:04 < Muimi> No, i used yum --enablerepo=epel -y install easy-rsa to install it
21:04 <@krzee> and is it the same version?
21:04 < Muimi> good question let me check.
21:04 < KNERD> krzee: client    http://pastebin.com/jT6iU38J
21:04 <@krzee> $50 says its not ;]
21:05 < Muimi> 2.2.2-1.e16.
21:05 < Muimi> so probably not.
21:05 <@krzee> nope, 2.2.2 != 3
21:05 < KNERD> krzee: Server http://pastebin.com/vf1e7z1Q
21:06 < Muimi> Okay, well it doesn't say to install it in the quickstart guide.  Let me get it installed if I can.
21:06 <@krzee> it does say its the quickstart guide for easy-rsa 3, i think its fair to assume youd use easy-rsa 3 while using it, so i wont push to modify that
21:07 <@krzee> funny enough KNERDall those multi errors in the server can be safely ignored
21:07 < Muimi> Yeah, that's great.  But it's not a quickstart if I have to search the internet for how to install it
21:07 < Muimi> it's a non-start
21:08 <@krzee> (some misconfigured app is sending traffic as ipv6 over the tunnel, that stuff gets dropped, and harms nothing)
21:08 <@krzee> Muimi: you're AT the github page for downloading it
21:08 < KNERD> :-) Some people would have complained I di dnot send about
21:08 < Muimi> I can't be at the github page because github doesn't work in my country, bro.
21:08 <@krzee> you linked me to the github page!
21:09 < Muimi> Oh.  they enabled it.
21:09 <@krzee> [18:44] <Muimi> ./easyrsa init-pki is something I should type into the CLI?
21:09 <@krzee> [18:44] <Muimi> https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/README.quickstart.md
21:09 <@vpnHelper> Title: easy-rsa/README.quickstart.md at v3.0.0-rc1 · OpenVPN/easy-rsa · GitHub (at github.com)
21:09 <@krzee> you literally liked me to the github lol
21:09 < Muimi> lol
21:11 < Muimi> I'm really happy they've finally unbanned it.
21:11 <@krzee> ya i hate that too
21:11 <@krzee> i do have plenty of ways around it, but annoying still
21:11 <@krzee> if i ever go to openvpn.net without bouncing through another country i have to click a box to say im not a robot lol
21:11 <@krzee> and i go to openvpn.net often!
21:11 < Muimi> So I have to use git to install it basically?
21:12 <@krzee> nah github will let you grab a zip
21:12 <@krzee> or you can git
21:12 < Muimi> the server is all text-based.
21:12 <@krzee> https://github.com/OpenVPN/easy-rsa/archive/v3.0.0-rc1.zip
21:12 < skyroveRR> git clone https://github.com/openvpn/easy-rsa
21:12 <@vpnHelper> Title: GitHub - OpenVPN/easy-rsa: easy-rsa - Simple shell based CA utility (at github.com)
21:12 <@krzee> ya or that ^
21:12 <@krzee> sup sky
21:13 < skyroveRR> A calm morning.
21:13 <@krzee> and a long evening for me :D
21:13 <@krzee> i feel like ive been here at work for 30 hours (its only been like 6)
21:13 < skyroveRR> (:
21:14 <@krzee> and i been all over those freelancer sites doing side work from the office, trying to save all i can for a new house
21:14 <@krzee> doing vpn setups, writing bash scripts, whatever
21:15 < skyroveRR> ooooh. nice.
21:15 <@krzee> im even thinking about taking data entry jobs and automating them in bash (everybody wants stuff in excell, which i see as a csv waiting to be made)
21:15 < Muimi> yeah how much would you charge to set up my VPN for me and save the terimnal log file for me to read through?
21:16 <@krzee> the terminal log wouldnt help much, it would mostly just be setting up configs and putting them in place
21:16 <@krzee> Muimi:
21:16 <@krzee> !goal
21:16 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:16 < skyroveRR> krzee: hope your wish of getting a new house comes true soon.
21:16 < Muimi> internet.
21:16 <@krzee> thanks skyroveRR!  im looking at a BEAUTIFUL one on wednesday
21:16 <@krzee> Muimi: may i msg you?
21:17 < Muimi> yeah sure.
21:17 < redrabbit> hi, i'm looking for a way to reduce idle data use, its around 700mb/month just to maintain the link. cost a lot in 3G, someone told me i had to disabled the "ping family of options", any ideas how
21:18 <@krzee> redrabbit: are you using --keepalive in your config?
21:18 <@krzee> (likely in server config)
21:19 <@krzee> 700mb sounds like a lot, you should probably set a firewall to watch wtf is causing that, i doubt its just openvpn keepalives
21:19 <@krzee> might have some misconfigured app sprewing crap
21:20 <@krzee> also, make sure you use tun not tap
21:20 <@krzee> tap would tunnel layer2 crap that you dont want taking up your precious bandwidth
21:20 < redrabbit> here is what i have : keepalive 10 120
21:20 < redrabbit> my measurements may be flawed though
21:20 < KNERD> redrabbit: did you get that test server up?
21:20 < redrabbit> probably because there is a ssh terminal open
21:21 < redrabbit> KNERD: nope but you should try starting fresh
21:21 < KNERD> I think it is getting close to solved
21:21 <@krzee> redrabbit: so now to see the ping options you are using, go look at --keepalive in the manual, see what it expands to
21:21 <@krzee> !man
21:21 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
21:21 < redrabbit> i never used tap
21:21 <@krzee> redrabbit: keepalive is a helper directive that expands to some --ping options
21:21 <@krzee> thats likely the options that your friend said to look at
21:22 <@krzee> honestly, i dont think you have 700MB of those tho
21:22 <@krzee> there should be something else going on id say
21:22 < redrabbit> very probable
21:25 <@krzee> !as
21:25 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
21:28 < KNERD> Any more ideas krzee? I would assume this is now an IP tables issue
21:29 <@krzee> sorry got sidetracked
21:29 < KNERD> yes, I know..it's okay :-)
21:30 <@krzee> well i agree, everything looks pretty good in openvpn
21:31 <@krzee> lemme grab my flowchart
21:31 < KNERD> you mean you don;t have it pasted in yoru desk :-p
21:34 <@krzee> lol nope, i generally dont need to look at them but im a little fried this evening
21:36 <@krzee> work is gunna be busy for a few
21:36 <@krzee> then ill be headed home and free for a bit
21:36 <@krzee> KNERD: you gunna be here?
21:37 < KNERD> probably so
21:38 < KNERD> I am stll a lot ticked that hosting service wiped my VPS, so my settings I had which had this rresoled are gone
21:39 < KNERD> redrabbit: whith the help here we have discovered   20:34:27.926941 IP 10.0.1.118 > 104.192.169.78: ICMP host 192.168.1.152 unreachable, length 36
21:39 <@krzee> my only suggestion between now and then is you could save your firewall ruleset and then reduce the hell out of it temporarily
21:39 <@krzee> for the vpn you'll need the ip forwarding rule and the nat rule
21:40 < KNERD> why not just disable it for a moment to see if i can connect?
21:40 <@krzee> without the ip forwarding and nat you wont have a working redirect setup
21:40 < KNERD> oh
21:41 < KNERD> see..I know little asbout IP tables
21:41 <@krzee> iptables-save > /tmp/firewall   (saves a backup)
21:41 <@krzee> iptables-restore < /tmp/firewall   (loads the backup)
21:41 <@krzee> you may also copy the file, mod it, then load that
21:42 < KNERD> oh..thanks
21:42 <@krzee> np
21:42 <@krzee> ill be gone for a bit
21:42 <@krzee> *afk
21:43 < KNERD> sure thing
22:15 < Muimi> so, i finally got easy-rsa into /usr/share/rsa.  Then I went to that directory and typed .easyrsa init-pki, and it said 'command not found'.
22:16 < Muimi> Do I need to do an easy_install? ^^
22:19 < Muimi> Oh.  Nevermind.  I see what it's hoping.
22:23 < egrain> I would like to know what openssl versions my clients use. the version of their OS would also be nice. Basically everything --push-peer-info promises. I have "push-peer-info" in the server.conf, but i only get the basic info like what openvpn version and what kind of OS. The man page says "when it's enabled" (paraphrasing) so I'm guessing i have to put a "true" or "enabled" behind it, but then openvpn doesn't start. do i need to recompile or am i just
22:23 < egrain> simply forgetting something?
22:32 < Muimi> Is my user, host, or server name my ipv4 address?
23:07 < KNERD> you don;t know what an IP4 address is?
23:08 < KNERD> Vampire0: i got it... :INPUT DROP [25:1582] && :FORWARD DROP [0:0]   was doing it
23:09 < KNERD> however stil have a problem... /proc/sys/net/ipv4/ip_forward keeps reverting back to 0 on reboot
23:10 < ordex> KNERD: the default is 0. you can change the value set on boot by altering /etc/sysctl.conf
23:11 < KNERD> ordex: that? net.ipv4.conf.all.rp_filter=1
23:11 < ordex> net.ipv4.ip_forward
23:11 < ordex> same as the path
23:12 < ordex> make it: net.ipv4.ip_forward=1
23:12 < KNERD> ordex: oh..okay..I uncommented the wrong wone
23:12 < KNERD> thanks
23:12 < ordex> np
23:12 < Muimi> i know what it is.  i don't know if it's what belongs there.
23:12 < ordex> Muimi: I think your question is too generic - you should give some context
23:13 < Muimi> Is there an easy-to-follow howto on installing OpenVPN so that I can connect to the VPN via another device to browse the internet through that VPN.
23:13 < Muimi> "Common Name (eg: your user, host, or server name)"
23:13 < KNERD> millions...i just got mine up and running
23:13 < Muimi> After ./easyrsa build-ca
23:14 < Muimi> KNERD:  can you link me to one?
23:14 < Muimi> for centos 6
23:14 < KNERD> Muimi: https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6
23:15 <@vpnHelper> Title: How to Setup and Configure an OpenVPN Server on CentOS 6 | DigitalOcean (at www.digitalocean.com)
23:16 < KNERD> I have been running into issues with Ip Tables blocking forwarding which prevents you from connecting...see my last message to krzee on this:
23:16 < KNERD> and I have set up a lot of openvpn servers, but only for connecting locally...this is my second time with browsing
23:17 < KNERD> Groovy...now I can get back to CBS On Demand, Hulu, Sling TV, etc.
23:20 < Muimi> For "user nobody" and "group nobody" should I leave them as "nobody"?
23:21 < KNERD> for CentOS that is fine, but in Debian I notice it does no like group nobody
23:21 < KNERD> you can put nogroup if you want
23:22 < Muimi> will that work in centos?
23:23 < KNERD> nogroup? I am sure it will, but nonody also works
23:23 < Muimi> cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa ... no such directory (easy-rsa)
23:24 < KNERD> was easy-rsa installed?
23:24 < Muimi> Yes.
23:24 <@krzee> hey im back
23:24 < KNERD> easy rsa is in EPEL repo
23:24 < Muimi> I have 2 and 3 installed.
23:25 <@krzee> KNERD: epel probably has easy-rsa2, you should use 3
23:25 < KNERD> krzee: i got it reseolved
23:25 <@krzee> nice!
23:25 <@krzee> what was it?
23:25 < KNERD> :INPUT DROP [25:1582]
23:25 < KNERD> :FORWARD DROP [0:0]
23:25 < KNERD> removed those and working now
23:25 < Muimi> right.  so, i extracted that and moved it to some other directory probably, and then I tried to destroy the changes because none of the tutorials matched what the directories looked like, including the built-in "quickstart guide"
23:25 <@krzee> oh blocking tun on input too
23:25 < Muimi> like that thing is intentionally misleading, you know?
23:26 <@krzee> KNERD: you can go back to drop and add another line like the FORWARD rule but for INPUT for tun+ device
23:26 <@krzee> Muimi: the quickstart guide doesnt even mention a directory
23:27 < KNERD> Muimi: that guide worked fine for me..HOWEVER I think there was some changes in 6.8 it seems differenent
23:27 <@krzee> it assumes you are in the proper directory
23:27 < Muimi> Should I do this: mv easy-rsa-3.0.0-rc1/* /usr/share/openvpn/easy-rsa/* ?
23:27 < Muimi> I know: that's why it's misleading
23:27 < KNERD> you can if you want
23:27 < Muimi> You can't just type commands in.  you need a directory.  How is it quick if yuo have to figure out which directory it is
23:27 <@krzee> KNERD: lets not confuse things, lets have him use the actual openvpn docs instead of what you found online that probably is for easy-rsa2
23:28 < KNERD> yes..it is easy-rsa 2
23:28 <@krzee> heh
23:28 <@krzee> !walkthrough
23:28 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
23:28 < KNERD> but it still works for me
23:28 <@krzee> KNERD:  wanna show me one of your public keys?
23:29 <@krzee> (they're public, thats safe)
23:29 < KNERD> how so?
23:29 < KNERD> i man which one
23:29 <@krzee> client server or ca
23:29 < Muimi> right--
23:30 < Muimi> I mean, here's the thing: softwares like Maya win tutorial of the year every year because they speak to the reader, you know?  Even an advanced user is going to have trouble figuring this stuff out.
23:30 < Muimi> A quickstart is supposed to be a howto.
23:30 < KNERD> krzee: http://pastebin.com/MTPjtf90
23:30 < KNERD> Hey, I am using this for Hulu, SlingTV CBS all Acess, not security
23:30 <@krzee> KNERD: oh your cert doesnt have anything above that in cleartext?
23:31 < Muimi> Wait, KNERD, I just want to know about that command I was using:
23:31 < Muimi> mv easy-rsa-3.0.0-rc1/* /usr/share/openvpn/easy-rsa/*
23:31 < KNERD> krzee: no
23:31 < Muimi> easy-rsa-3.0.0-rc1 is the directory which contains the contents of the .zip file rsa3.
23:31 < Muimi> I've made the directory and what-all
23:32 < KNERD> it contains the script to generate the cetificares easy so you dont have to keep retypign all that stuff in
23:32 <@krzee> it doesnt matter where you put the easy-rsa3 dir or what you name it
23:32 <@krzee> what matters is that you go in to the dir and follow the directions on the guide
23:33 < KNERD> krzee: http://pastebin.com/vTiiYFxY this?
23:33 < Muimi> @ KNERD but in the tutorial you're using, here (https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6), it says ...rsa/2.0
23:33 <@vpnHelper> Title: How to Setup and Configure an OpenVPN Server on CentOS 6 | DigitalOcean (at www.digitalocean.com)
23:33 <@krzee> Muimi: if thats too hard, you can try a gui
23:33 <@krzee> !xca
23:33 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa., or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
23:33 < Muimi> so they're still using 2.0.  Not that I mind: I just want something that works, and I actually prefer to avoid the much more confusing 3.0
23:33 <@krzee> easy-rsa isnt the only option for your CA
23:33 < Muimi> can't use the GUI.  No monitor.
23:33 <@krzee> you dont have a monitor on any computers?
23:33 < Muimi> choosing a new option means uninstalling and re-installing things which is just a lengthy process.
23:33 < KNERD> Muimi: it is using easy-rsa from the EPEL repo
23:34 < Muimi> it's remote.
23:34 <@krzee> you shouldnt be running your CA on your server btw
23:34 <@krzee> lol
23:34 < KNERD> Muimi: you dont need a monitor.... you can do X-Fowarding, and run Ming, and x-server on your PC
23:34 < KNERD> sorry.. X-Ming
23:34 < Muimi> it says it's already installed.  I think the one from epel repo installs to a different directory on centos.
23:35 <@krzee> i mean you can, but its not recommended
23:35 < Muimi> -bash: cd: 2.0: No such file or directory
23:35 < KNERD> it must be a nwer version
23:35 < Muimi> 2.2.2
23:35 < KNERD> just use the newer directory
23:35 < Muimi> there isn't one.
23:35 <@krzee> are you using KNERD's guide or something?
23:35 < Muimi> -bash: cd: easy-rsa: No such file or directory
23:35 <@krzee> cause you're talking about stuff that doesnt exist in any openvpn guides
23:35 < KNERD> WHat is under /etc/openvpn/easy=rsa ?
23:36 <@krzee> it doesnt matter where you unzip easy-rsa to!
23:36 <@krzee> just enter the dir!
23:36 < Muimi> but it's asking for /share not /etc.
23:36 < Muimi> cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa
23:36 < KNERD> okay then
23:36 <@krzee> lol ok i give up
23:36 < Muimi> https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6
23:36 <@vpnHelper> Title: How to Setup and Configure an OpenVPN Server on CentOS 6 | DigitalOcean (at www.digitalocean.com)
23:36 <@krzee> enjoy those lame google walkthroughs
23:36 < Muimi> I'd accept any walkthrough that worked, krzee
23:36 <@krzee> no, obviously you wouldnt
23:36 < Muimi> If they're really that lame, openvpn should make one that works and isn't lame.
23:37 <@krzee> works for everybody else!
23:37 < KNERD> I created my own guide which I blindly follow for CentOS...been working 100% of the tiem for me
23:37 < Muimi> Last time I installed a VPN on ubuntu, I used digitalocean and finished in about 15 minutes.
23:37 < Muimi> This has already taken 4 hours.
23:37 <@krzee> KNERD: you're using a super old version of easy-rsa
23:37 <@krzee> KNERD: so you shouldnt even be helping him do it wrong lol
23:37 < KNERD> still works
23:37 <@krzee> works depends on what you want
23:37 < Muimi> Exactly: if it works, that's the goal.
23:37 <@krzee> you can have a bad setup with less than that
23:37 < KNERD> he wants to do what I am doing...browsing
23:37 <@krzee> why go through the trouble if you aint gunna use the right tools?
23:38 <@krzee> cool, ill let you help him
23:38 < Muimi> Did the old versions not work?
23:38 <@krzee> old versions use weaker stuff
23:38 <@krzee> and may or may not work, i dont know if anybody maintains them at all
23:38 < Muimi> Yeah, but there's no point in releasing something without proper documentation.
23:38 < Muimi> You might as well keep it in the spider hole where only you can use it.
23:38 <@krzee> worked when they were the active version for sure
23:39 <@krzee> Muimi: literally only you have the problem you describe
23:39 <@krzee> you been doing this over an hour and havent figured out how to enter the dir after you unzip and follow the instructions
23:39 < KNERD> Here is my command    cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/     so just change it to 3.x and be done
23:39 < Muimi> First of all, you're dealing with a limitted audience.  Second, I like to complain (especially about tutorials), which is very dissimilar to your standard linux user.
23:40 < KNERD> you are just copying the contents of the scipt to easy-rsa to run it from one location
23:40 <@krzee> cool, i dont think i can help you do this on your own, but i wish you guys luck
23:40 < Muimi> I'm just saying: why should people "do it on their own"?
23:40 < KNERD> but krzee knows this stuff better than me
23:41 < Muimi> There should be a quickstart guide that stays each command requierd, without glazing over commands like which directory you're supposed to be in.
23:41 <@krzee> what i mean is that im not sure you have the skill level to be doing this, you should probably hire a tech
23:41 < Muimi> It seems like a gimic.  Maybe just trying to sell the easy-to-use service or something, in the end.
23:41 <@krzee> or maybe use openvpn-as
23:41 < Muimi> No, krzee.  It doesn't mean that.  It means information was intentionally ignored.
23:41 <@krzee> as its made for people who cant do all this stuff on their own
23:41 < KNERD> people who develop things get to know it well, and tend to forget people new to it are not sure where to start
23:41 < Muimi> like figure out which directory they should be in, man?
23:42 < Muimi> Come on....
23:42 <@krzee> KNERD: running a ca isnt even an openvpn thing
23:42 <@krzee> you dont even have to use easy-rsa
23:42 <@krzee> i NEVER use easy-rsa
23:42 < Muimi> but at 10:30 a.m. you asked me to use it
23:43 < Muimi> and how can you say it's easy for a tech when you haven't even used it
23:43 <@krzee> ive ran it, and ive seen thousands of people come here and have no problem
23:43 < Muimi> rsa is a nightmare.  you have to install it manually, and then you need to shift it around to the right place, and then you have to figure out which directories and stuff
23:43 <@krzee> i give link, they read, they use, they say thanks
23:43 <@krzee> ive ran it, but i never use it for my stuff
23:44 < Muimi> I dunno, bro.  It just seems like a shoddy tutorial to me.
23:44 <@krzee> for my stuff i mostly use my own scripts that call openssl directly, or sometimes i use xca
23:44 < Muimi> Ttyl.  I'm going to keep trying to get a working vsn.
23:44 <@krzee> cool, complaining to people who donate their time is a sure way to get ignored
23:44 <@krzee> later
23:44 < Muimi> See?  That's the attitude I'm talking about, man.
23:44 < Muimi> If it's broke, it's broke.  You should expect people to complain.  Feedback's the most valuable thing you can get from someone.
23:45 <@krzee> if it was broke it wouldnt only be you whining
23:45 < Muimi> Apart from that, you're donating your time to a smoke screen.  Why would anyone appreciate it?
23:45 < Muimi> Well, that's your opinion, krzee.  But it's not mine, and it's very unconvincing given the facts.
23:46 <@krzee> ive been here helping people for years, its not opinikon
23:46 <@krzee> opinion
23:46 < KNERD> yes, he has.
23:46 < KNERD> I have made numerous successful OpenVPN installed based on that link I sent you.....The issue I had today was replated to IP Tables
23:46 < Muimi> I've been making a living on writing tutorials for 9 years.  It's hard to get complaints, krzee.  It is an opinion, and from your background, it's the popular opinion, and it's usually wrong.
23:47 <@krzee> !stats
23:47 <@vpnHelper> I have 6 registered users with 5 registered hostmasks; 3 owners and 0 admins.
23:47 <@krzee> !ircstats
23:47 <@vpnHelper> "ircstats" is (#1) See http://secure-computing.net/logs/openvpn.html for all-time IRC stats., or (#2) See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats.
23:47 <@krzee> Muimi: you're close to getting banned
23:47 < Muimi> But let's take another example: KNERD isn't using the quickguide.  Maybe the people who come here say: "Thanks....." And then they just go use a different tutorial, and you're blissfully unaware, you know?
23:47 <@krzee> ok, bye dude, good luck elsewhere
23:48 < Muimi> Don't be ridiculous.  Just because we have a difference of opinion you don't need to ban me, bro.
23:48 <@krzee> its not a difference in opinion, its you demanding that the docs are wrong because you cant figure out how to run your pki
23:49 <@krzee> and its not how people get help on irc
23:49 < KNERD> ny own guide was based on trial and error from different guides I found online. I set up a VPS on my computer and tried different things until I was happy
23:49 < Muimi> I'm not demanding that they're wrong.  I'm saying it's my opinion that they're missing important details.
23:49 < Muimi> You can't change my opinion by saying I'm the first one who's mentioned it.  It's the latest version.
23:49 <@krzee> !factoids search --values help
23:49 <@vpnHelper> 'router', 'notopenvpn', 'help', 'winroute', 'firestarter', 'allinfo', 'notovpn', 'irc', 'secret', 'snapshots', 'testing', 'no_as', 'msg', 'both', 'servercert', 'rocks', 'effort', 'ask', 'vampire', 'whining', 'iptables-rules', 'notovpn', 'connect', 'certman', 'netfilter', 'msg', 'netman', 'easyrsa', 'vague', 'speed', '', 'commercial', '', 'easyrsa-ng', 'speed', '', '', 'AS', 'welcome', 'welcome', and
23:49 <@vpnHelper> 'spoonfeed'
23:50 <@krzee> !welcome
23:50 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
23:50 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
23:50 <@krzee> !ask
23:50 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
23:50 <@krzee> there, i suggest you read the link in #1 of ask
23:50 < Muimi> You're saying thousands of people have been through here looking at the new version and have all been successful using that specific tutorial or whatever.... docs get updated based on people like myself saying: "something should be added" and then adding it, eventually.
23:51 <@krzee> you're not giving constructive feedback about a detail to add
23:51 <@krzee> you're saying that because you cant even figure out how to start that its bad, and i looked and say that anybody who has business running a PKI should be able to use that doc
23:51 < Muimi> add the directories you should run the commands  in.
23:52 < Muimi> that would be the first thing, you know?
23:52 <@krzee> is there a README file in the zip?
23:52 < Muimi> there's 2.
23:52 <@krzee> have you read them/
23:52 < Muimi> yes.
23:52 <@krzee> i wont ban, but i definitely need to remove myself from here
23:52 <@krzee> goodnight guys
23:52 < Muimi> and specifically speaking about the quickstart guide: it should include directory information.
23:53 < Muimi> not must, just should
23:57 < Muimi> Goodnight, bro.  My bad.  I'm just trying to figure this thing out--
--- Day changed Tue Jan 03 2017
00:00 < sigquit> this is not an act of war : https://dlshad.net/bypassing-censorship-by-using-obfsproxy-and-openvpn-ssh-tunnel/
00:00 <@vpnHelper> Title: Bypassing censorship by using obfsproxy and openVPN , SSH Tunnel Dlshad Othman Container of Scribbles (at dlshad.net)
00:03 < cyberanger> sigquit: act of war?
00:03 < Muimi> Okay seriously, though, I wonder why people are so adamant about using 3.0
00:03 < KNERD> i thoght I was going to have to set up obfsproxy  on a OpenWRT router for a person in Egypt
00:03 < KNERD> Muimi: he sadi it was better
00:04 < Muimi> cyberanger: The John Quincy Adams attitude doesn't exist in every country.  If you do something illegal, they just want to hunt you down instead of ask if it was constitutional.
00:04 < Muimi> Better in what way, though?  I mean, for example, would the openvpn community be negatively effected if I used 2.0 instead of 3.0.
00:04 < cyberanger> Muimi: no, I get that. I've been to some of those places.
00:06 < Muimi> Doesn't the ISP block and monitor traffic for the government?  I mean: how can you access a domain without the isp knowing?  Isn't that impossible?
00:07 < cyberanger> It's why I keep a few servers with those tricks, obfsproxy (both versions 3 and 4) stunnel, ssh, iodine (DNS Tunneling) and even some custom code that's just a way to discreetly notify if I'm okay or not.
00:10 < cyberanger> Use the hosts file, that'd avoid DNS
00:11 < cyberanger> if IP's are blocked, don't go directly to that IP address, if you run the site, use a CDN. If you don't then SSH Tunneling, Tor or a VPN
00:11 < Muimi> Starting openvpn:                                          [FAILED]
00:13 < cyberanger> Muimi: I'll be back on in 15 minutes, then read over things and see if I can help you.
00:13 < Muimi> yeah igotta take a break i'm zonked
00:13 < Muimi> thanks
00:14 < cyberanger> I've just clocked out from work, need the time to get home.
00:44 < cyberanger> Muimi: Okay, reading over and trying to get an idea of where your issue is. Can you give me a quick synopsis?
00:44 < Muimi> I'm working through this guide:  https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6
00:44 <@vpnHelper> Title: How to Setup and Configure an OpenVPN Server on CentOS 6 | DigitalOcean (at www.digitalocean.com)
00:45 < cyberanger> Muimi: Okay, and you are running CentOS 6?
00:45 < Muimi> I've just reached service openvpn start, and I got a [FAILED] error.
00:45 < Muimi> Yes, I am.
00:45 < Muimi> So, I'm trying to think of how I could figure out why it would fail.  Maybe I need to restart the server or check some logs?
00:47 < cyberanger> Okay, It's been awhile for CentOS here, Debian mostly, and yeah, we can turn on some logging and a few other things.
00:48 < Muimi> At this point, I'm actually running out of time to accomplish it; so, I might end up paying a tech to finish the job, you know?
00:49 < cyberanger> Yeah, I get that. My day job is one of the techs.
00:49 < cyberanger> Have you tried just launching it without systemd,
00:49 < Muimi> It's a fresh-new server.  So, there's nothing that can be damaged on it.
00:49 < cyberanger> see the output there?
00:50 < Muimi> No, I don't know how to do that.
00:51 < Muimi> i just rebooted.... see if tha thelps
00:51 < cyberanger> Where's your config file
00:51 < cyberanger> under /etc/openvpn/
00:51 < Muimi> which one?
00:51 < cyberanger> The one where you have it failing to start up
00:52 < Muimi> I have files in /etc/openvpn that are config riels
00:52 < Muimi> files
00:54 < cyberanger> okay
00:54 < cyberanger> cd /etc/openvpn
00:54 < cyberanger> then
00:54 < cyberanger> sudo openvpn server.conf
00:55 < cyberanger> (Assuming server.conf is your server config file, and that's the machine we're talking about here)
00:56 < cyberanger> Does that give you any output?
00:56 < cyberanger> Complain about missing files perhaps?
00:57 < Muimi> hold on i'll do that now
00:57 < cyberanger> Okay
00:57 < Muimi> Options error: --explicit-exit-notify cannot be used with --mode server  //  Use --help for more information.
01:01 < cyberanger> I'm double checking my memory, but explicit-exit-notify is a client option, not a server option I believe (I don't use it myself anyway, different use case)
01:01 < Muimi> acnnot be used with --mode server help?
01:01 < cyberanger> Open the config file, search for explicit-exit-notify and put a # in front of it.
01:01 < cyberanger> Then try again
01:01 < Muimi> Maybe this is what has happened?
01:01 < Muimi> https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6 At this guide....
01:01 <@vpnHelper> Title: How to Setup and Configure an OpenVPN Server on CentOS 6 | DigitalOcean (at www.digitalocean.com)
01:01 < Muimi> It has a way to generate server keys and a way to generate client keys
01:02 < Muimi> and the server keys are frist, and the client keys are second.
01:02 < Muimi> maybe I overwrote the server keys with the client keys?
01:03 < cyberanger> Muimi: from the output you gave me, you have two conflicting parameters, you just have to comment out the one that doesn't apply to a server.
01:03 < cyberanger> Comment out explicit-exit-notify
01:04 < Muimi> in what file?
01:04 < cyberanger> Can you do that, then run "sudo openvpn server.conf" again?
01:04 < cyberanger> Sorry, right
01:04 < cyberanger> Comment out explicit-exit-notify in server.conf
01:04 < Muimi> server.conf?
01:04 < Muimi> Okay.  It worked, now.
01:05 < cyberanger> Okay, so that fixes your server, care to try a client now?
01:06 < cyberanger> Then we can test it with systemd once we know the config files themselves aren't an issue
01:07 < Muimi> on my way to there.
01:08 < cyberanger> Forgive me, my 12 hour workday was actually a 16 hour day. I'm not rushing you, just my mind is racing a little from the caffine I think ;-)
01:09 < Muimi> do you know how to download a file from putty?
01:09 < Muimi> I know: I'm a noob, but I promise I'm working as fast as possible and not getting distracted.
01:10 < cyberanger> Muimi: Windows?
01:11 < cyberanger> Muimi: Eh, so was everyone here at some point in time, I didn't mean it like that.
01:11 < Muimi> Okay, so I'm making the --
01:11 < Muimi> client.ovpn file.  Do I need to change lines to the code?  Or add BEGIN END at the top and bottom?
01:12 < Muimi> Is there any whitespace needed?
01:13 < Muimi> for example, x.x.x.x should be my server IP?
01:14 < cyberanger> Your right on the IP
01:14 < Muimi> I can't believe I need to install a program to connect rather than just using the 'connect to vpn' dialogs.
01:15 < Muimi> I hope the port isn't blocked
01:16 < cyberanger> I think if you follow the tutorial from here you should be good
01:16 < cyberanger> Transferring files I'd use SFTP, a good windows client for that would be filezilla
01:16 < Muimi> Yeah, the download is gonna take 5 minutes, you know?
01:17 < Muimi> So, I add the contents of my certs to the ovpn file....
01:17 < Muimi> and the keys
01:17 < Muimi> and add the ip address
01:17 < Muimi> and change nothing else, basically
01:17 < cyberanger> That's how this tutorial is, yes.
01:18 < cyberanger> If something isn't matching the tutorial, or there is a port restriction, we can tweak something based on the error we get.
01:18 < Muimi> It's a litlte confusing, though
01:19 < cyberanger> But shouldn't be a need (unless you are aware of a restriction where you are)
01:19 < Muimi> client.crt doesn't start at BEGIN... there's a lot of data before that
01:19 < Muimi> like the signature algorithm
01:19 < cyberanger> Yeah, you can trim that out.
01:19 < cyberanger> For the client config
01:20 < Muimi> Do I also trim out --BEGIN CERTIFICATE--?  Or do I leave that?
01:20 < cyberanger> Leave that line, but what's above it can be trimmed out
01:20 < cyberanger> If it's left in, it won't hurt either.
01:20 < Muimi> okay.
01:21 < cyberanger> Just as long as it's between the <ca>..</ca> brackets
01:21 < cyberanger> same for <cert> and <key>
01:22 < cyberanger> I follow the tutorial easily now, but I'll admit a decade ago when I was learning, there's a learning curve to it.
01:24 < Muimi> cool.
01:24 < Muimi> but here's the problem: it doesn't use easy-rsa 3....
01:25 < cyberanger> What is it using?
01:25 < Muimi> which is different from easy-rsa 2, you know?
01:25 < Muimi> easy-rsa 2, and it says easy-rsa 3 was a major update with a lot of significant changes.
01:25 < Muimi> openvpn requires .net and everything, man.
01:27 < cyberanger> Shouldn't be a problem, easy-rsa is just setup for the certs and keys.
01:27 < Muimi> Now it says I don't have permission to copy the file
01:27 < cyberanger> Which file?
01:27 < Muimi> there it goes
01:28 < Muimi> failed. :'(
01:28 < cyberanger> Which file is failing
01:28 < cyberanger> ?
01:30 < cyberanger> Your client.ovpn file?
01:31 < Muimi> i'm trying to figure it out
01:32 < Muimi> it says view client.log, but there is no client.log
01:33 < cyberanger> What's failing, OpenVPN or Filezilla?
01:33 < Muimi> openvpn
01:33 < Muimi> it said exit code 1 check the log
01:34 < Muimi> Options error: Unrecognized option or missing or extra parameter(s) in client.ovpn:1: lclient (2.4.0)
01:35 <@plaisthos> Muimi: lclient is not a valid option
01:35 < cyberanger> can you open the config file in notepad, look for anything mentioning log
01:35 <@plaisthos> probably meant client
01:35 < cyberanger> Oh, plaisthos good catch.
01:36 < Muimi> the only config file is the ovpn file we made based on the tutorial.
01:37 < cyberanger> Muimi: can you open that file in notepad, look for a line with lclient in it
01:37 < Muimi>  line one.
01:37 < Muimi> it says "lclient".
01:37 < cyberanger> remove the l
01:37 < cyberanger> plaisthos: thanks for spotting that
01:38 < cyberanger> Muimi: If you can fix it, it should just be client, then try again.
01:38  * cyberanger needs to switch to decaf....
01:39 < Muimi> strange.  it changed it.
01:39 < cyberanger> Huh?
01:39 < Muimi> although i deleted the old file and coppied the new file, I get the same error.  I closed the program and re-imported the file, and it said "already exists".
01:40 < cyberanger> What is your client, what Windows version? (I'm presuming it's Windows)
01:41 < Muimi> win 7.  openvpn.
01:41 < Muimi> using the gui
01:41 < Muimi> There already exists a file named client.ovpn.  you cannot have two different files with the same name even if they reside in different folders.
01:42 < Muimi> When I click "edit config", it says lclient.
01:43 < cyberanger> Can you delete config?
01:43 < Muimi> it meaks a new one in a folder that doesn't even appear on my harddrive called client.
01:43 < Muimi> oh i finally could edit that.
01:44 < cyberanger> Okay, I have not used the Windows client in awhile...
01:45 < Muimi> key negotiation failed
01:46 < Muimi> WARNING: No server certificate verification method has been enabled
01:46 < Muimi> WARNING: No server certificate verification method has been enabled
01:46 < Muimi> hehe udp not bound
01:46 < Muimi> looks like it's gonna continue to mess with me. ^^
01:47 < cyberanger> Did you create the client.ovpn on the server?
01:47 < Muimi> No.
01:48 < Muimi> i'll start making one, though.
01:48 < Muimi> what directory do I stow it into?  Any changes to the file name?
01:49 < cyberanger> I'm just reading how the tutorial did it, do try and figure out where it's giving you issues on this step.
01:50 < cyberanger> The tutorial had you create it on the server, then transfer the one file.
01:52 < cyberanger> filename would still be client.ovpn
01:55 < cyberanger> The warning might be okay, the client config in the tutorial your using says nobind too.
01:56 < cyberanger> Key negotiation could be from a few things, is anything else different from the tutorial?
01:57 < Muimi> okay.
01:57 < Muimi> no, I just don't know where to put the client.ovpn file on the server.
01:58 < cyberanger> /tmp/client.ovpn works, it's just there for the transfer (and we may use it here in a second on the server for testing)
01:59 < cyberanger> We'll be removing it after it's all said and done.
01:59 < Muimi> wait what trasnfer?
02:00 < cyberanger> We have to transfer this file to your client, once we create it on the server.
02:00 < Muimi> should I use lclient or client in that file?
02:00 < cyberanger> client
02:01 < Muimi> it's saved there.
02:03 < Muimi> I started openvpn agani
02:07 < cyberanger> I'm trying to think, why you'd be having that error.
02:08 < Muimi> *shrug*
02:08 < Muimi> I dunno.  I'll ask someone else tomorrow.
02:09 < cyberanger> Anything else done differently from the tutorial?
02:09 < Muimi>  TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
02:09 < Muimi> maybe the port isn't open on the server
02:10 < cyberanger> I think the firewall default on CentOS 6 is open, port is 1194, udp right?
02:16 < Muimi> blocked by default, cyberanger
02:16 < Muimi> another reason the quickstart is ***awsome***
02:17 < Muimi> http://ask.xmodulo.com/open-port-firewall-centos-rhel.html
02:17 <@vpnHelper> Title: How to open a port in the firewall on CentOS or RHEL - Ask Xmodulo (at ask.xmodulo.com)
02:21 < Muimi> I've opened the port, and I'm still getting the connect error.
02:26 < jiquera> !goal
02:26 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
02:27 < Muimi> https://paste.fedoraproject.org/519223/34314551/
02:27 < Muimi> wrong channel.
02:27 < Muimi> I would like to access the internet over my vpn
02:28 < jiquera> I set up a openvpn server, and everything works except: on one of the networks i connect form I get MTU issues. I have to reduce tun-mtu to 952 to make it work. However, when i change the --fragment settings this doesnt help at all. From what i understand, that should work too right?
02:29 < jiquera> can anybody explain in nooby speak why the internal openvpn fragmentation doesn't seem to do anything? I used wireshark to trace and the udp packets are indeed too big with fragment
02:31 < jiquera> @muimi did you masquerade the tun traffic?
02:32 < jiquera> otherwise packets can't find there way back to you from the web --> not internet
02:33 < jiquera> aaaand you need to forward some tun traffic too as well
02:34 < Muimi> i dunno.  i just found out that openvpn starts but then immediately turns itself off
02:34 < Muimi> netstat -anulp | grep 1194 returns a blank line instead of openvpn.
02:35 < jiquera> ow then you probably have errors in config
02:35 < jiquera> what does your log say?
02:38 < Muimi> I dunno where the log is.
02:40 < jiquera_> @miumi just checked my server settings
02:40 < jiquera_> so what does your log say?
02:41 < Muimi> brb.
02:43 < jiquera_> #accept incoming traffic for our VPN-UDP server iptables -I INPUT -p <VPN_PROTOCOL> --dport <VPN_PORT> -j ACCEPT  #allow traffic to and from our VPN-UDP tunnel entry/exit point iptables -I INPUT -i <VPN_TUN_DEVICE> -j ACCEPT iptables -I FORWARD -i <VPN_TUN_DEVICE> -j ACCEPT iptables -I FORWARD -o <VPN_TUN_DEVICE> -j ACCEPT  #properly masquerade VPN-UDP traffic iptables -t nat -A POSTROUTING -s <VPN_IP_NET x.x.x.0>/255.255.255.0 -j 
02:43 < jiquera_> that's what made my firewall comply :D
02:43 < Muimi> huh?
02:43 < Muimi> https://paste.fedoraproject.org/519226/43234614/
02:43 < Muimi> They said "group nogroup" would work.  what should I actually use?
02:45 < jiquera_> are you running on windows?
02:46 < jiquera_> ow no ur not... I think it should be "nobody"
02:46 < jiquera_> and not "nogroup"
02:46 < jiquera_> but im not that much of a linux guru
02:47 < jiquera_> if you havent got it working yet... i recommend using the simplest settings eg. no security related stuff... and then once it works, start adding security until it breaks again :)
02:49 < Muimi> what's the simplest thing?  I would have done that from the start if it were an option
02:49 < Muimi> there should be an idiot's guide, you know?  I'm an idiot so... I use those
02:50 < Muimi> !ping
02:50 <@vpnHelper> pong
02:50 < Muimi> this is really weird, now.  I'm connected.
02:50 < Muimi> but ping google.com fails still
02:51 < Muimi> Authenticate/Decrypt packet failed.  Decrypt error.
02:51 < garman> Hello, I am trying to install a newer version than 2.3.11 in yakkety, but have run out of ideas.
02:51 < Muimi> decrypt packet error.  cipher failed.
02:51 < garman> The version 2.4 relies on initscripts but that's not in yakkety anymore
02:52 < Muimi> authenticated/decrypt packet error.  cipher final failed.
02:53 < garman> I see that 2.3.11 was changed to not require initscripts according to https://launchpad.net/ubuntu/yakkety/+source/openvpn/+changelog
02:53 <@vpnHelper> Title: Change log : Yakkety (16.10) : openvpn package : Ubuntu (at launchpad.net)
02:53 < garman> I have tried to build from source hoping to work it out, but there is no makefile after I ./configure
02:53 < garman> and google has failed me for any combination of searc terms I can think of
02:54 < Muimi> garman what are yuo trying to do man?
02:54 < jiquera_> oki back
02:54 < jiquera_> let me read first
02:54 < garman> Muimi: Install a newer version tha 2.3.11 in yakkety. Our servers require a newer version. I don't know why/what feature they depend on.
02:55 < jiquera_> @garman: ehhhh good luck, I have no clue :p
02:55 < garman> I have tapped "release/2.4 xenial" because there is no yakkety release in openvpn's releases
02:56 < garman> kk thanks
02:56 < jiquera_> well i noticed that the android releases are not updated either
02:56 < jiquera_> maybe just wait a week... is that possible?
02:57 <@plaisthos> jiquera_: hm?
02:57 <@plaisthos> jiquera_: openvpn connect or OpenVPN for Android?
02:57 < jiquera_> @miumi: you have control over server and client right?
02:57 < jiquera_> connect for sure
02:58 < Muimi> yeah i have
02:58 < jiquera_> for android, got updated on the 31st but i didnt check it yet... it said "tls-crypt" supported now... which sounded a bit like the rest was not
02:58 < jiquera_> but that was an assumption
02:58 < Muimi> windows connecting to centos server
02:58 < jiquera_> of course
02:58 < jiquera_> oki
02:58 <@plaisthos> jiquera_: that is my app
02:59 <@plaisthos> and the app uses OpenVPN master for years
02:59 < jiquera_> the for android one?
02:59 <@plaisthos> so the rest has been supported a long time already
02:59 <@plaisthos> yes
02:59 < jiquera_> nice :D
02:59 < jiquera_> kudos on that app
02:59 <@plaisthos> thanks
02:59 < jiquera_> yeah i was about to try it out... as the connect one has zero information on releases and basically everything
03:00 < Muimi> well, with the specific error.... I kind of imagine I should be able to figure out waht's wrong if I keep cracking at it
03:00 < jiquera_> @miumi can you post a config
03:00 < jiquera_> anonymised if you like
03:00 < jiquera_> using same compression/auth/cipher settings on client and server
03:00 < jiquera_> ?
03:01 < jiquera_> and they provide a sample script in the opevpn package btw
03:01 < jiquera_> it's not entirely idiot proof
03:01 < jiquera_> but it helps :)
03:01 < jiquera_> plaisthos... do you post the release notes somewhere?
03:01 <@plaisthos> jiquera_: no just the play store update log
03:01 < jiquera_> bummer
03:02 <@plaisthos> but openvpn itself is very close to official openvpn
03:02 <@plaisthos> and there is the git log if you are bored :P
03:02 < jiquera_> yeah i checked that one out :p
03:02 < jiquera_> after 15minutes i figured i wasnt that bored
03:02 < Muimi> what kind of config?
03:03 < jiquera_> on the server and client
03:03 < Muimi> the client.ovpn file and the server.conf file?
03:03 < jiquera_> yah (but remove IP, key and password materials)
03:03 < jiquera_> or change them after it works
03:05 < jiquera_> plaisthos, i remember why i thought it wasnt up to date. in the settings it lists LZO but nowhere LZ4, is that supported?
03:05 < jiquera_> i didnt see it in your license either
03:05 < Muimi> how do you select all and copy from nano?
03:06 < jiquera_> are you ssh-ing to your server?
03:06 < jiquera_> putty?
03:07 < jiquera_> @plaisthos: i remember why i thought it wasnt up to date. in the settings it lists LZO but nowhere LZ4, is that supported?
03:08 < TyrfingMjolnir> I have openvpn server running with dh and local key, how do I make a key for my iPhone?
03:09 < Muimi> tring to
03:09 < Muimi> yeah
03:10 < Muimi> putty yuck
03:10 < jiquera_> cant you just select with mouse and then right mouse button copies it i think
03:10 < jiquera_> @mjolnir have a look at the easy-rsa scripts
03:11 < TyrfingMjolnir> I have the easyrsa script
03:11 < Muimi> the pastebin doesn't carry over
03:11 < Muimi> it's like 500 lines, dude.
03:12 < Muimi> it's dumb.  i only changed 3 or 4 lines to the config file on the server
03:12 < jiquera_> then create a new key with a new common name-> create a config file for your iphone with the ca cert and the iphone key and use that on ur iphone
03:12 < jiquera_> 500 lines config :o
03:12 < jiquera_> thats a lot
03:13 < Muimi> on my windows pc, the file isn't hard to pasate.  it's the server tht i have to rip the data out line-by-line.
03:14 < jiquera_> hm
03:14 < TyrfingMjolnir> Muimi: cat /etc/openvpn/openvpn.conf | nc termbin.com 9999
03:14 < Muimi> https://paste.fedoraproject.org/519235/43434514/
03:15 < Muimi> i want to edit it before it displays, though.  doesn't it have some sensitive info?
03:15 < jiquera_> looks simple, looks good
03:15 < TyrfingMjolnir> Muimi: mine only has LAN IPs
03:15 < Muimi> k
03:15 < jiquera_> depends if you have the keys inline
03:15 < jiquera_> if they are in seperate files it's fine
03:16 < TyrfingMjolnir> Muimi: If you only reference the keys, the keys are in separate files
03:16 < Muimi> they're inline.
03:17 < jiquera_> ah hence the 500 lines... winscp?
03:17 < Muimi> nah the server.conf file is a lot of lines.
03:17 < jiquera_> or copy it on the server and remove the keys
03:17 < Muimi> maybe 180?  I'm not sure.
03:17 < Muimi> so if they're inline, what should I do?
03:17 < Muimi> how should I change the client.ovpn file?
03:18 < jiquera_> the client.ovpn file looks ok
03:18 < jiquera_> depending on how your server file looks of course
03:18 < jiquera_> copy the server file
03:18 < Muimi> but you said: "if the keys are inline..."
03:18 < jiquera_> and remove the keys in the copy and just use that one
03:18 < Muimi> there are no keys in tht copy.
03:19 < Muimi> the server file is a server.conf file not a .ovpn file
03:19 < jiquera_> if the keys are inline u shouldnt paste it wthout removing them... but you did it right, your client conf does not contain sensitive material
03:19 < jiquera_> thats ok
03:19 < Muimi> http://termbin.com/rw43
03:19 < Muimi> what file are you talking about?
03:20 < skyroveRR> termbin blocked? WTF?
03:21 < skyroveRR> Your requested URL has been blocked as per the directions received from Department of Telecommunications, Government of India. Please contact administrator for more information.
03:21 < skyroveRR> ^ Ridiculous.
03:21 < jiquera_> muimi
03:21 < jiquera_> the file you just posted uses no compression
03:21 < jiquera_> and uses AES
03:21 < jiquera_> where as ur client config uses the default blowfish
03:22 < TyrfingMjolnir> Muimi: Here is my openvpn.conf: http://termbin.com/npp1
03:23 < jiquera_> ah ok
03:23 < jiquera_> what was the other file then?
03:23 < jiquera_> just to be clear, you are using this: https://paste.fedoraproject.org/519235/43434514/ and this http://termbin.com/npp1
03:23 < jiquera_> correct?
03:23 < Muimi> Ahhh i dunno what you're saying hold on
03:24 < Muimi> you're talking to a cow man
03:24 < TyrfingMjolnir> jiquera_: Mine is for inspiration
03:24 < jiquera_> ow wait
03:24 < Muimi> so what should I change? ^^
03:24 < jiquera_> im confusing them
03:24 < Muimi> yes.  correct and no, not correct.
03:24 < Muimi> npp1 is not me.
03:24 < jiquera_> yeah i get it now :p
03:25 < Muimi> http://termbin.com/rw43
03:25 < jiquera_> do you understand all the settings?
03:26 < jiquera_> ";topology subnet" --> change to "topology subnet"
03:26 < jiquera_> and
03:26 < jiquera_> "cipher AES-256-CBC" --> ";cipher AES-256-CBC"
03:26 < Muimi> not  mytap
03:27 < jiquera_> let's first do all defaults
03:27 < Muimi> not diffie hellman
03:27 < jiquera_> so no fancy ciphers
03:27 < Muimi> they're bsically all default, man.
03:27 < jiquera_> and enable ";comp-lzo"
03:27 < Muimi> how do i turn the cipher off?
03:28 < jiquera_> you want no cipher at all?
03:28 < jiquera_> you already have keys right?
03:28 < jiquera_> just put ; in fron tof the aes line
03:28 < Muimi> okay.
03:28 < Muimi> i already have keys.
03:29 < Muimi> should I turn off the cipher?  Again: you're talking to a cow. :P
03:29 < jiquera_> lol
03:29 < Muimi> i'm just trying to find the fastest success, you know?
03:29 < jiquera_> me too
03:29 < jiquera_> dont worry
03:29 < jiquera_> :p
03:29 < Muimi> You can ignore my inane questions if you have a working method.
03:30 < jiquera_> well i see three things that for sure cause issues
03:30 < jiquera_> 1) ;topology subnet <--- remove the ; to enable this line
03:31 < Muimi> done.
03:31 < Muimi> i haven't removed the aes lines yet.
03:31 < jiquera_> 2) your client file is using the default cipher, and your server is using AES: put a ; infront of "cipher AES-256-CBC"
03:32 < jiquera_> 3) your client uses compression, and your server doesnt: remove ; from ";comp-lzo"
03:32 < Muimi> would it be possible to use one of the two ciphers without any complexity?  Like just say "blowfish"?  Not that I care: honestly, I don't see the point of a cipher for me.
03:32 < Muimi> done and done.
03:32 < jiquera_> the default is blowfish
03:33 < jiquera_> you can also use the cipher aes in your client
03:33 < jiquera_> as long as it's the same for both
03:33 < Muimi> well, i'm connected again.  no connection to google, though.
03:33 < Muimi> same errors.
03:34 < jiquera_> did you restart server?
03:34 < Muimi> just did now
03:34 < Muimi> and client to be safe
03:35 < jiquera_> do you have generated seperate keys for client ? so don't use the server key on the client... i think it won't like that
03:35 < jiquera_> @rest of the chatroom: my question about tun-mtu vs fragment is still open :)
03:35 < Muimi> I generated a key for the client and the server
03:35 < Muimi> but I added a password....
03:35 < jiquera_> oki
03:35 < jiquera_> on the private key
03:35 < Muimi> so I was wondering: why didn't it prompt me for the password?
03:35 < jiquera_> for the client
03:35 < jiquera_> or also the server
03:36 < jiquera_> yeah it should :p
03:36 < Muimi> I'm not getting that error anymore.
03:36 < jiquera_> yaaay progress
03:36 < Muimi> no password prompt and no access to google.
03:37 < jiquera_> no access to google is more tricky as you need to set your dns and iptables properly
03:37 < jiquera_> but the connection seems stable?
03:37 < Muimi> yes.
03:37 < Muimi> and the final goal is a couple of google sites, youtube, and github.
03:37 < Muimi> github was unblocked by the firewall, already, though.
03:37 < jiquera_> we'll get there :)
03:38 < jiquera_> can you ping your server?
03:38 < jiquera_> with a local address?
03:38 < Muimi> I'm connected to it by ssh soo probably right
03:38 < Muimi> i can from cmd. yes
03:38 < jiquera_> no i mean with a local address so the ping goes over the tunnel
03:38 < jiquera_> good
03:39 < Muimi> you mean ping the server from the server?
03:39 < jiquera_> no ping the server from your client
03:39 < Muimi> yes.
03:39 < jiquera_> but use the local server ip (192.168.1.1 or whatever it is in your case)
03:40 < jiquera_> can you do a nslookup from your client
03:40 < Muimi> i'm not sure what you mean....
03:40 < jiquera_> nslookup google.com <dns_ip>
03:40 < jiquera_> on your commandline
03:40 < jiquera_> client side
03:40 < Muimi> what's the dns_ip?
03:40 < Muimi> timed out timed out.
03:41 < jiquera_> what timed out the nslookup?
03:41 < Muimi> 8.8.8.8?
03:41 < Muimi> yes.
03:41 < Muimi> but I don't know the dns_ip.
03:41 < jiquera_> so how do you want your dns lookup to work
03:41 < jiquera_> directly to the dns server
03:41 < jiquera_> or via your tunnel?
03:42 < Muimi> I wish I knew what you meant.
03:42 < jiquera_> oki
03:42 < jiquera_> if you go to google.com
03:42 < jiquera_> first your machine will ask the web what the ip address is of google.com (this is called a DNS query)
03:43 < Muimi> okay.
03:43 < jiquera_> depending on who you want to answer that question your setup differs a bit
03:43 < Muimi> the one that's easiest to set up.
03:43 < jiquera_> either you ask your vpn server which then asks some other servers
03:43 < jiquera_> or you ask directly the other servers
03:43 < jiquera_> let me check your config
03:44 < Muimi> the vpn asks.
03:44 < jiquera_> and see what it does now
03:44 < Muimi> because i cannot access google from my country.
03:44 < Muimi> i can't even ask from here.
03:45 < Muimi> brb (5)
03:47 < jiquera_> are you connecting form china? because then openvpn will not do the trick for you
03:48 < cyberanger> Not just China, and it can alongside another tool.
03:48 < cyberanger> Obfsproxy, Stunnel or something.
03:52 <@dazo> !obfs
03:52 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols, or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation, or (#3) in client/server mode an admin can know that openvpn is being used. in
03:52 <@vpnHelper> static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
03:56 < Muimi> back
03:56 < Muimi> jiquera_: yes.
03:56 < jiquera_> china actively detects vpn tunnels
03:56 < jiquera_> and then blocks them
03:57 < Muimi> what's forward security?
03:57 < TyrfingMjolnir> How can I generate a key for a device?
03:57 < Muimi> So I need to figure out how to use obfsproxy also? :<<
03:58 < TyrfingMjolnir> I know how to make a key with easyrsa, but how do I match my keys made on my laptop with the keys from the server?
04:00 < jiquera_> @muimi: you need some kind of obfuscation on top of your tunnel so it doesn't look like a vpn tunnel, however china is pretty advanced in detecting this they take packet length, data intensity, packet timeing and data patterns into account
04:00 < jiquera_> so yeah
04:00 < jiquera_> i'd say your best bet is not openvpn but tor + obfproxy
04:01 < Muimi> tor?
04:01 < Muimi> isn't that for bitcoin?
04:01 < jiquera_> unless you want to code stuff yourself (like me, i made it a hobby project to bypass the chinese firewall)
04:01 < TyrfingMjolnir> jiquera_: ;-) Got source?
04:02 < Muimi> well, I could just pay a yearly service to bypass it....
04:02 < Muimi> But to be honest, I think they manually check things.
04:02 < jiquera_> no not exactly. Tor (the onion router) is a sort of protocol that routes every packet over a lot of computers all encrypted etc... to confuse eavesdroppers
04:02 < Muimi> They focus on banning people who are doing unsavory things like addictive gaming, porn,
04:02 < jiquera_> it is used for many things
04:03 < Muimi> one of my friends works in some terrorism prevention unit, and he has told me about some of this.
04:03 < jiquera_> @mjolnir: use the same CA cert on your phone, server and laptop and then they should be able to verify the keys from the server
04:03 <@plaisthos> jiquera_: newer compression algorithm are pushable and negotiable, so there is no need to configure them on the client, see also the script http://plai.de/android/peerid.py
04:04 < Muimi> Is it difficult to set tor and obfproxy?  Do I still need to go through the centos server?
04:05 < jiquera_> well it's a different setup... and although tor and obfproxy is basically the most powerful around when it comes to this you still need non-standard settings because china of course made sure the standard configuration doesn't work
04:05 < Muimi> I have to leave in like 10 minutes.  Basically, I'm just wondering if I would be able to set everything up tomorrow, or if it would be like a 10-day project.
04:05 < jiquera_> i can setup your vpn in 15 more minutes
04:06 < jiquera_> but it will probably not work stable
04:06 < Muimi> yeah, but it's useless if it's going to cause my server to block.
04:06 < jiquera_> if it doesnt
04:06 < Muimi> i also use the server for website hosting.
04:06 < jiquera_> it is more likely to be a 10 day project
04:06 < Muimi> last year, I used pptpd, and I had no issues.
04:06 < jiquera_> oki well
04:07 < jiquera_> let's setup openvpn for ya then
04:07 < jiquera_> and see how it works :)
04:07 < jiquera_> as i understand the blocks are not permanent and usually port specific
04:08 < jiquera_> @mjolnir: I'm using a lot of different tunnels to bypass the firewall, however at the moment a lot of them rely on obscurity of the protocol so no, no source ;)
04:09 < Muimi> i'll start with that
04:10 < Muimi> i'll try obfs later, maybe
04:10 < Muimi> so what's left?  I've got 4 minutes until I have to go.
04:10 < Muimi> Maybe less.
04:11 < jiquera_> oki
04:11 < jiquera_> oki ill give you some hints and then you can pick it up from there
04:11 <@plaisthos> also tls-crypt is worth a try
04:12 < Muimi> alright
04:12 < Muimi> I've taken the key from an employee.
04:12 < jiquera_> curreently your server pushes the google DNS servers (8.8.8.8 and 8.8.4.4) these will be blocked in china (change them to your centos server or a dns server that is not blocked)
04:13 < jiquera_> by force? :p
04:13 < jiquera_> then in your iptables you allow traffic to come in on the vpn port
04:13 < jiquera_> but you dont allow it to exit yet
04:14 < Muimi> in Windows?
04:15 < jiquera_> no on your server
04:15 < jiquera_> https://paste.fedoraproject.org/519261/83437970/
04:15 < jiquera_> there are 2 sets of commands
04:15 < jiquera_> one is an example of the other
04:15 < Muimi> but the server is in france.
04:16 < jiquera_> the packets that you send to your centos server, enter the server but you have to tell the firewall how to deal with those packets
04:16 < jiquera_> the first line you don't need to do as it's already done in your case (or you wouldn't be able to connect)
04:17 < jiquera_> the first line opens the external port of your server so you can make a connection with your vpn server
04:17 < Muimi> I dunno man.  it sounds way over my head.
04:18 < Muimi> I gotta take off.  Sorry.  Maybe see you tomorrow.  Have a good night.
04:18 < jiquera_> np
04:18 < jiquera_> goodluck though
04:18 < jiquera_> this stuff is never easy :)
04:18 < Muimi> is there like a config file i'd change?
04:19 < jiquera_> no you literrally type the commands that are in the example i showed
04:19 < jiquera_> but then with your parameters
04:19 < jiquera_> iptables <--  is the command to update your firewall
04:19 < Muimi> oh in that pastebin
04:19 < Muimi> alright i'll try those
04:19 < Muimi> tomorrow
04:19 < Muimi> maybe see you
04:19 < Muimi> have a good day.  thanks
04:21 < jiquera_> cheers
04:22 < jiquera_> @anybody else
04:22 < jiquera_> please help me with my mtu / fragment question
04:35 < jiquera_> @plaisthos: I see it can be pushed... but i don't see any mention of negotiation, plus the client needs to support it meaning your app needs to have the code right?
04:36 <@plaisthos> jiquera_: my app is basically OpenVPN master
04:36 <@plaisthos> everything that is supported in OpenVPN is supported by the app
04:36 <@plaisthos> even if there is no ui configuration
04:37 < jiquera_> oki cool
04:37 <@plaisthos> as for the negoation, the client pushes its capabilities (IV_*) to the server
04:37 < jiquera_> i like :)
04:37 <@plaisthos> so the server can check what the client supports and push certain options
04:37 <@plaisthos> for some things this is done automatically
04:38 <@plaisthos> e.g. the cipher will be AES-256-GCM in 2.4 server/client if you don't configure anything else
04:38 <@plaisthos> also peer-id will be automatically be pushed
04:38 <@plaisthos> !changes24
04:38 <@plaisthos> !24changes
04:38 <@vpnHelper> "24changes" is https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst
04:41 < jiquera_> yeah i read that
04:41 < jiquera_> i just didnt realize it could be used like that
04:41 < jiquera_> i have a pretty static setup... since i only have a handful users
04:43 <@plaisthos> :)
04:43 <@plaisthos> the cipher negoiation will happen unless you disable/fiddle with it
04:46 < jiquera_> there's a "bug" in ur python script btw... the ping pushed to the client should be half that of the srever
04:46 < jiquera_> in this case 1800
04:46 < jiquera_> ping-restart *
04:46 < jiquera_> yeah i fiddled with it
04:46 < jiquera_> :p
04:47 <@plaisthos> :)
04:47 <@plaisthos> worked well enough for me :p
04:48 < jiquera_> well the problem is that the server could close the connection before the client knows there is a problem
04:48 < jiquera_> "problem"
04:49 < jiquera_> pfff people are a bit silent today...
04:49 < jiquera_> do you know why fragment doesn't do the trick and tun-mtu does?
05:00 < Bitnova> hi, when i import .ovpn from my provider in network-manager Ubuntu xenial, it imports the file with the cert and key fields being auto-populated with .pem, yet inside the the .ovpn file there is a .crt and .key file. any idea why network-manager imports the file and generates .pem? whereas in terminal when i connect, it uses the correct crt and key.
05:15 < Koshi> SIGUSR1[soft,private-key-password-failure] received, process restarting
05:15 < Koshi> Tue Jan 03 11:01:54 2017 MANAGEMENT: >STATE:1483437714,RECONNECTING,private-key-password-failure,,,,,
05:16 < Koshi> i installed openvpn in digitalocean and it is now working
05:31 < Bitnova> can anyone help please?
06:17 < fsociety[00]dat> are there any traces on system after disconnecting a VPN service? ( connecting like "openvpn --config VPN.ovpn" )
06:22 < MrNice> fsociety[00]dat: bash history, system logfiles, openvpn logfiles, certificates / configurations
06:31 < fsociety[00]dat> MrNice, thanks.
06:40 < Koshi> i have installed OpenVPN on my digitalocean server, but not working
06:41 < Koshi> SIGUSR1[soft,private-key-password-failure] received, process restarting
06:41 < Koshi> MANAGEMENT: >STATE:1483403538,RECONNECTING,private-key-password-failure,,,,,
07:30 <@dazo> Koshi: private-key-password-failure .... that is the core error
07:30 <@dazo> you have a password protected key file
07:31 < Koshi> dazo, i try this but nothing again https://github.com/Nyr/openvpn-install
07:31 <@vpnHelper> Title: GitHub - Nyr/openvpn-install: OpenVPN road warrior installer for Debian, Ubuntu and CentOS (at github.com)
07:33 < ninja85a> hello
07:33 <@dazo> Koshi: *that* installer is not something I would recommend ....
07:34 < Koshi> dazo, what you recommend
07:34 <@dazo> Koshi: or any documentation or installer script not *officially* being provided by the OpenVPN community or company
07:34 <@dazo> !howto
07:34 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
07:34 <@dazo> Koshi: In particular: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
07:34 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
07:35 < Koshi> dazo, ok i will try this now
07:35 <@dazo> setting up OpenVPN isn't hard .... but you need to go through a little learning first
07:57 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
07:58 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
07:58 -!- mode/#openvpn [+o vpnHelper] by ChanServ
08:03 -!- You're now known as ecrist
08:19 <@krzee> dazo: for that guy who needed !obfs we could have try --tls-crypt, it's unlikely that china updated the great firewall's DPI so fast
08:20 < skyroveRR> !obfs
08:20 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols, or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation, or (#3) in client/server mode an admin can know that openvpn is being
08:20 <@vpnHelper> used. in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
08:20 < skyroveRR> o.o
08:20 < skyroveRR> Interesting.
08:20 <@krzee> skyroveRR: --tls-crypt is a new option that encrypts the control channel with a PSK
08:21 <@krzee> new in 2.4
08:21 <@krzee> (so the tls handshake is hidden)
08:21 < skyroveRR> Hmm.. using 2.3.10 here. :)
08:21 < skyroveRR> But I don't live in China, so "heh". :)
08:22 <@krzee> so at least for now its likely that a vpn with tls-crypt wont be detected as an openvpn tunnel
08:22 <@krzee> haha ya same
08:22 < skyroveRR> Yeah, that's a really cool thing :)
08:23 <@krzee> although its also somewhat better privacy (no looking at our pub certs), and its also poor mans quantum safe
08:25 < skyroveRR> krzee: may I pm you?
08:25 <@krzee> sure
08:28 <@ecrist> oh, snap
08:28 <@ecrist> I'll need to resubmit chapter 9
08:28 <@ecrist> I missed discussing --tls-crypt in my section on obfuscation
08:32 <@krzee> ya i mention that in like chapter 6 too iirc
08:32 <@dazo> krzee: there's already been some reports that the great firewall blocks connections with --tls-crypt ... which isn't really unexpected
08:32 <@krzee> oh interesting
08:33 <@dazo> it doesn't encrypt everything in the packet being sent ...only the stuff after a small header
08:33 <@dazo> (and only the control channel, iirc)
08:33 <@krzee> control channel seems like the perfect way to detect openvpn
08:34 <@dazo> the first bytes in each packet provides an identifier, if it is data or control channel
08:36 <@krzee> ecrist: here:
08:36 <@krzee> There are two scenarios where PSKs are used, in a static key point-to-point VPN, and with the --tls-auth directive in the more commonly deployed client-server topology
08:36 <@krzee> my note is:  "There is a new one in 2.4, and it is awesome! --tls-crypt uses the same key as –tls-auth, but instead of signing packets with an hmac for auth, it actually encrypts the tls channel with a statickey. This means that certificates are no longer public, and we have poor mans protection against quantum decryption! (Because no exposed handshakes)"
08:36 <@krzee> (thats in chapter 6)
08:37 <@dazo> right
08:37 <@dazo> that is correct
08:38 <@krzee> steffen had guessed that it tls-crypt may defeat dpi for a bit, i guess it didnt happen
08:39 <@krzee> but i'll bet on his guesses any time! ;]
08:56 < thereyouare> on that page https://en.wikipedia.org/wiki/NIST_hash_function_competition it says:
08:56 <@vpnHelper> Title: NIST hash function competition - Wikipedia (at en.wikipedia.org)
08:56 < thereyouare> Security: "We preferred to be conservative about security, and in some cases did not select algorithms with exceptional performance, largely because something about them made us 'nervous,' even though we knew of no clear attack against the full algorithm."
08:56 < thereyouare> so they used their intuition to guess that a algorithm is bad ?
08:56 < thereyouare> how is that scientific ?
08:56 < thereyouare> "something about them made us nervous" ?
08:57 < thereyouare> you know what intuition can do to you ? go outside and look at the sun, intuition tells you it goes around the earth, and earth is standing still, why still ? because if earth were moving or even spinning we all would fell down, this is what intuition tells us, and who disagree with that should be burned as heretic because intuition rules and scientce not
08:58 <@dazo> thereyouare: if you start digging into the math behind it, you might better understand what made them nervous ... if you don't understand the math, don't bother questioning their guts
08:58 <@ecrist> krzee: thanks.  Also, I just submitted FreeBSD PR 215734, updates -devel port to 2016-52 and fixes the mbedtls bug.
08:59 <@ecrist> I copied over the entire port structure from Mathias' main port and modified it for the -devel.
09:01 <@dazo> thereyouare: http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7896.pdf ... here you have a bit more verbose reasoning
09:03 <@plaisthos> thereyouare: something is telling you that this might break easily or could potentially break but you don't have a proof to show it
09:04 < cornfeedhobo> does anyone know, off the top of their head, how to force the default route in the _client_ config?
09:04 <@plaisthos> !redirect-gateway
09:04 <@plaisthos> !def1
09:04 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
09:05 <@krzee> ecrist: nice thanks!
09:05 <@plaisthos> cornfeedhobo: that is for you
09:05 < cornfeedhobo> that is what i thought. thanks for verification!!
09:05 < cornfeedhobo> (time crunch. ya'll are awesome!)
09:15 < [0xAA]> hmm
09:15 < [0xAA]> devs
09:15 < [0xAA]> Does OpenVPN not work when I limit the packet size?
09:15 < [0xAA]> (on handshake, it screams over small packets)
09:15 <@dazo> !logs
09:15 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
09:16 <@krzee> ive used openvpn over ip over dns, so i suspect small packet sizes can work
09:16 <@krzee> (that was long long ago, to be fair)
09:17 < thereyouare> "over ip over dns", what
09:17 < thereyouare> is that some kind of magic ?
09:18 <@krzee> ip over dns, dns tunneling,an app called iodine (and even older there was nstx)
09:18 <@dazo> https://github.com/yarrick/iodine
09:18 <@vpnHelper> Title: GitHub - yarrick/iodine: Official git repo for iodine dns tunnel (at github.com)
09:18 <@dazo> sorry ... http://code.kryo.se/iodine/
09:18 <@vpnHelper> Title: kryo.se: iodine (IP-over-DNS, IPv4 over DNS tunnel) (at code.kryo.se)
09:18 < thereyouare> krzee: you know free services that lets you use dns tunnel ?
09:18 <@krzee> no
09:19 <@krzee> and its very non ideal
09:19 <@krzee> however, it does bypass many captive portal logins
09:19 <@krzee> since they kinda have to do dns
09:19 < thereyouare> how is TCP working over it ?
09:19 < thereyouare> I mean TCP has 2 way stream of packets right ?
09:19 <@krzee> embedded in requests
09:20 <@krzee> and responses
09:20 <@krzee> google dns tunneling
09:20 <@krzee> theres also icmptx for icmp tunneling
09:20 < thereyouare> so as I understand it there is a constant stream of DNS requests and TCP ack are piggy backed on responses ?
09:20 <@krzee> thereyouare: correct
09:21 < thereyouare> because you send SYN with DNS request but then you have to send another DNS request and answer for that second request will contain ACK, right ?
09:21 < [0xAA]> that seems cancer
09:21 < [0xAA]> DNA A? <payload>.hah
09:21 <@krzee> https://dnstunnel.de/
09:21 <@vpnHelper> Title: DNStunnel.de - free DNS tunneling service (at dnstunnel.de)
09:22 <@dazo> probably IN TXT queries ... or a variety, based on the amount of data
09:22 < thereyouare> I have only 500MB per month internet but I noticed when my 500MB used up I can still resolve DNS names, I recently resolved 1000000 names with no working internet so I think I can use that tunnel ?
09:22 < thereyouare> you think ISP will notice if I use DNS tunneling ?
09:23 <@dazo> yes, that should work ... but that would be illegal in your case
09:23 < thereyouare> that is why I tested it resolving 1000000 adresses, nothing bad happened
09:23 < thereyouare> how is it illegal do DNS requests ?
09:23 <@krzee> i know *i* wouldnt do it
09:23 < thereyouare> krzee: you think that tunnel will work with IRC ? or the lag will be too big ?
09:23 <@krzee> but you feel free to do whatever you want, assuming you're an adult and responsible for yourself
09:24 <@dazo> DNS requests aren't illegal ... but you use it to circumvent a restriction you have on your subscription, *that* is illegal
09:24 < thereyouare> or how about using ssh over DNS tunnel ? it would be like a torture ?
09:24 <@krzee> thereyouare: ive used ssh over openvpn over dns, yes everything over dns is somewhat tortuous
09:24 <@krzee> but it worked
09:25 <@krzee> in that situation, that was all i could wish for
09:25 <@krzee> btw at http://dev.kryo.se/iodine/wiki/TipsAndTricks i have a script for starting iodine on the client and changing the route to go over it
09:25 <@vpnHelper> Title: TipsAndTricks – iodine (at dev.kryo.se)
09:27 < thereyouare> by the way will that clog up ISP's DNS resolver ? because it all will be cached
09:27 <@krzee> maybe, i only use it on fly-bys
09:27 <@krzee> i wouldnt use it from home simply because id be able to do a better solution
09:41 < [0xAA]> Tue Jan  3 15:31:45 2017 WARNING: Bad encapsulated packet length from peer (0), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
09:41 < [0xAA]> this problem is bugging me hard
09:41 <@krzee> [0xAA]:
09:41 <@krzee> !configs
09:41 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
09:41 < [0xAA]> krzee: the problem here is OpenVPN is not wrapping 0-len packets
09:42 < [0xAA]> krzee: My configuration is not a problem
09:42 < [0xAA]> If I try without the MITM, it does work
09:42 <@krzee> [07:06] <[0xAA]> Does OpenVPN not work when I limit the packet size?
09:42 <@krzee> [07:06] <[0xAA]> (on handshake, it screams over small packets)
09:42 <@krzee> [07:06] <dazo> !logs
09:42 <@krzee> well dazo asked for logs and got ignored, i asked for configs and got a no
09:42 < [0xAA]> 1 sec
09:43 <@krzee> logs might be better, as dazo knows more than i
09:43 < [0xAA]> https://bpaste.net/show/de9681420287
09:43 < [0xAA]> krzee: this
09:44 <@krzee> ok so theres a proxy in the middle
09:44 < [0xAA]> yep
09:44 < [0xAA]> I have control of code
09:45  * krzee taps dazo on the shoulder and walks away
09:45 <@krzee> lol
09:45 < [0xAA]> the first 0-len packets are meant to be ignored
09:50 <@krzee> [0xAA]: is that obfsproxy or something?
09:50 <@krzee> tor?
09:50 < [0xAA]> nope
09:50 < [0xAA]> krzee: I custom-wrote that proxy in Golang
09:51 <@krzee> oh
09:51 < [0xAA]> >language doesn't matter, ignore
09:51 < [0xAA]> I tried its io.Copy
09:51 < [0xAA]> every protocol worked except OpenVPN
09:51 < [0xAA]> Even HTTP works
09:51 <@krzee> i get the issue now, ya you'll wanna talk with dazo
10:04 <@dazo> [0xAA]: ensure that the first byte of the packet being sent on the wire consist of the packet length ... this is the only difference between the TCP and UDP packets
10:05 <@dazo> [0xAA]: the length value should be the length of the whole packet excluding these length field ... the length-field is 2 bytes (16 bits)
10:08 < [0xAA]> dazo: I read from TCP sockets
10:08 < [0xAA]> I tried this before with a Python MITM
10:08 < [0xAA]> it worked
10:08 < [0xAA]> dazo: I see my MITM sending 0-len packets to OpenVPN
10:09 < [0xAA]> OpenVPN server screams out of it
10:09 < [0xAA]> Tue Jan  3 10:56:04 2017 127.0.0.1:59265 WARNING: Bad encapsulated packet length from peer (0), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
10:09 < [0xAA]> see this
10:09 <@dazo> which is why you must send the proper length value
10:09 < [0xAA]> so dazo, I should wait (for servers) until the packet size becomes larger than zero ?
10:09 <@dazo> why it is stripped, I have no idea ... that's your code
10:10 <@dazo> all TCP packets in the OpenVPN wire packet have a length field > 0
10:10 < [0xAA]> dazo: hmm
10:10 < [0xAA]> so I SHOULD wait till packets become larger than zero
10:10  * [0xAA] writes
10:10 <@dazo> no ... all packets you receive will have a packet length > 0
10:10 <@dazo> so, all packets you send further MUST have a packet length > 0
10:11 <@dazo> if packet length == 0 ... OpenVPN wouldn't send the packet.
10:18 <@plaisthos> a packet without information is a packet is not worth sending is OpenVPN's logic
10:18 < [0xAA]> it's weird
10:18 < [0xAA]> why would a TCP stack even send 0-length packets
10:23 < mrpops2ko> hey m8s, question in general about tinfoil / opsec I guess, but how bad would it be to use opendns on a paid for vpn provider (instead of their own one)?
10:27 < moritz_s> [0xAA]: there are two instances that immediately come to mind where 0-size packets are used: 1. the initial syn syn/ack ack packets are usually empty, the fin packets as well, 2. when the receiver advertises a window size of 0, the sender periodically sends a 0-size packet to look if the window size increased
10:56 <@ecrist> mrpops2ko: unless you're using secure-dns, that traffic is snoopable once it leaves the VPN provider.
13:44 -!- Netsplit *.net <-> *.split quits: @krzee, @plaisthos
13:44 -!- Netsplit over, joins: plaisthos
13:45 -!- mode/#openvpn [+o plaisthos] by ChanServ
13:45 -!- batrick is now known as Guest1928
13:46 -!- RAX is now known as rax-
13:46 -!- Netsplit over, joins: krzee
13:46 -!- mode/#openvpn [+o krzee] by ChanServ
14:02 < klow> Can you push a specific dns entry similar to an /etc/hosts entry w openvpn, or just DNS server addresses?
14:19 <@ecrist> klow: what do you mean?
14:19 <@krzee> klow: pushing dns is really an up script grabbing a var and doing what it wants with it (editing resolv.conf)
14:20 <@krzee> look at the env and see if you can get the info you want from the env, then see about writing the code to edit your hosts file
14:20 <@krzee> or do whatever you want with it
14:20 <@dazo> so ... you could write your own --up script which parses some setenv_safe varialbes pushed to the client which updates /etc/hosts
14:20 <@ecrist> everything he needs is passed in the environment to the --up script
14:20 <@dazo> even simpler
14:20 <@krzee> setenv_safe?
14:21 <@krzee> we can push custom vars dazo?
14:21 <@dazo> krzee: see --setenv-safe in the man page :)
14:21 <@krzee> nice already searching
14:22 <@krzee> thats nice!
14:22 <@dazo> I even believe JJK documented it in the OpenVPN 2 Cookbook ;-)
14:22 < klow> thanks guys i will check that out
14:22 <@krzee> nooooo wayyyy
14:22 <@krzee> lets see, i have that here
14:22 <@dazo> he uses a Windows client with .vbs script as an example, iirc
14:23 <@krzee> dammit he did :D
14:23 < klow> basically what I mean is that say I have vpn clients out in the field,  and I want website.internaldomain.com to resolve , without putting in real-world DNS,  and without having to manage internal DNS infrastructure for every "customer if you will"
14:23 <@krzee> klow: i do the same =]
14:23 < redrabbit> i was thinking about doing it from the firewall
14:23 < klow> so /etc/hosts would do that, but thats another thing to configure on each client, and i dont know if that would be possible on iOS openvpn, which sadly i have to support in a big way
14:24 < redrabbit> i get internet from two interfaces, eth1 and wlan1, i also use tun0 device as openvpn client, how can i make sure only eth1 is used to connect to openvpn server, is there an openvpn setting for that ?
14:24 <@krzee> oh ya i dont know about ios supporting that either, id say it probably does not
14:24  * dazo decides to catch an earlier train ... will be back in a few hours
14:24 <@krzee> later dazo!
14:25 <@krzee> klow: rooted ios by chance?
14:25 <@krzee> or stock
14:25 < klow> nah just iOS OpenVPN Connect
14:25 < klow> its like a big platform for us, which is tough for me heh
14:25 <@krzee> ya my complete guess would be that it cant do that
14:25 <@krzee> since it shouldnt even have access to the hosts file
14:26 <@krzee> it manages routes and whatnot via vpn API
14:26 <@krzee> not via root
14:26 < klow> ya .. thats right. we actually went through the process of getting those API rights to build something ourselves
14:27 <@krzee> oh cool!
14:27 <@krzee> well in case you were ever curious, heres the source to connect
14:27 <@krzee> !connect
14:28 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide, or (#2) the source is here: http://staging.openvpn.net/openvpn3/ except for the portion that may not be released
14:28 <@vpnHelper> because of NDA with apple (for its vpn API), or (#3) It is impossible to retrieve your configuration from Connect itself. This is by design. Keep a copy of your config (and any certs/keys/etc that go with it) someplace safe, and where you can find it later.
14:28 <@krzee> #2
14:28 <@krzee> its open except for the vpn api part, as im sure you know theres an NDA there
14:28 < klow> i feel like when istarted looking for this, maybe a year ago, it was not open source ?
14:29 <@krzee> hard to find
14:29 <@krzee> its a complete re-write of openvpn
14:30 < klow> ya , pretty interesting .. lots of work involved heh
16:11 <@krzee> klow: better link: https://github.com/OpenVPN/openvpn3
16:11 <@vpnHelper> Title: GitHub - OpenVPN/openvpn3 (at github.com)
16:12 <@krzee> !forget connect 2
16:12 <@vpnHelper> Joo got it.
16:12 <@krzee> !forget connect 3
16:12 <@vpnHelper> Error: Invalid factoid number.
16:12 <@krzee> !forget connect 2
16:12 <@vpnHelper> Joo got it.
16:13 <@krzee> !learn connect as the source is here: https://github.com/OpenVPN/openvpn3 except for the portion that may not be released because of NDA with apple (for its vpn API)
16:13 <@vpnHelper> Joo got it.
16:13 <@krzee> !learn connect as It is impossible to retrieve your configuration from Connect itself. This is by design. Keep a copy of your config (and any certs/keys/etc that go with it) someplace safe, and where you can find it later
16:13 <@vpnHelper> Joo got it.
16:19 < redrabbit> is there a way to pick the interface the openvpn client uses to connect
16:20 < redrabbit> from openvpn options
16:22 <@krzee> what do you mean
16:23 < redrabbit> i only want to use eth1 to connect to openvpn server
16:23 < redrabbit> from client
16:23 <@krzee> set the route
16:23 < redrabbit> not other internet connection
16:23 < redrabbit> ok
16:23 <@krzee> not in vpn config, but before running openvpn
16:24 < redrabbit> in my firewall ?
16:24 <@krzee> add a route to your routing table so that traffic to your vpn server ip goes out the interface/gateway that you desire
16:25 <@krzee> before you start openvpn
16:25 < redrabbit> ok with "route" in the cli
16:26 < redrabbit> is there a way to make it permanent
16:26 <@krzee> definitely, and how depends on your distro
16:27 < redrabbit> i'm on debian, i have to look this up
16:27 <@krzee> "static route" will help your search
16:27 < redrabbit> thanks
16:27 <@krzee> https://www.cyberciti.biz/tips/configuring-static-routes-in-debian-or-red-hat-linux-systems.html
16:27 <@vpnHelper> Title: Configure Static Routes In Debian or Red Hat Enterprise Linux (at www.cyberciti.biz)
16:29 < redrabbit> i openened that page seconds before you posted it ^^
16:29 < redrabbit> i heard there is a way to do this with my firewall too
16:29 < redrabbit> with this : http://www.shorewall.net/MultiISP.html
16:29 <@vpnHelper> Title: Shorewall and Multiple Internet Connections (at www.shorewall.net)
16:30 <@krzee> you have multiple internet links?
16:30 < redrabbit> basically i want to make sure it only uses eth1 for the vpn
16:30 < redrabbit> yes
16:31 <@krzee> i do as well
16:31 < redrabbit> i have multiple wifi interfaces + 3G dongles
16:31 < redrabbit> + 100mbps at home
16:31 <@krzee> i manage it with an openwrt router, multiple routing tables, and policy routing
16:31 < redrabbit> 3G dongles are a lot of fun
16:32 <@krzee> ##networking was very helpful
16:32 < redrabbit> nice setup
16:32 <@krzee> thanks
16:32 <@krzee> so ya you just need a route
16:33 < redrabbit> atm i'm setting up a rpi3 to work on battery, controlled by umts (3G/H+) it connects to my local openvpn server on a vm and i can access it from there
16:33 <@krzee> ahh making your own lil pineapple
16:33 < redrabbit> works fine, i'm at the finishing stage
16:34 <@krzee> https://www.wifipineapple.com/
16:34 < redrabbit> tightening firewall rules + routing
16:34 <@vpnHelper> Title: WiFi Pineapple - Home (at www.wifipineapple.com)
16:34 < redrabbit> yea from hak5
16:34 <@krzee> ya its sweetness
16:34 < redrabbit> i don't know if it does all i can do with my setup
16:34 <@krzee> at least once you stop trying to use the web interface lol
16:34 < redrabbit> works pretty awesome
16:35 < redrabbit> web interfaces are meh
16:35 < redrabbit> :D
16:35 < redrabbit> cli ftw
16:35 <@krzee> agreed
16:35 < Koshi> dazo, i try some times to configure the openvpn on digitalocean but nothing.
16:36 < redrabbit> is there 3G connectity on the pinapple ?
16:37 < redrabbit> i have a wifi AP from wlan0 to connect to the machine when in close range
16:37 < redrabbit> 3G connectivity for virtually unlimited / international range
16:37 <@krzee> not built in, you need a 3g usb stick
16:37 <@krzee> but yes its made for it
16:37 < redrabbit> that's cool
16:38 < redrabbit> designed to run on battery as well
16:38 <@krzee> ya
16:38 < redrabbit> rolling you own seems much sweeter imo
16:38 <@krzee> oh totally, if you're up for it!
16:38 <@krzee> hell, im not
16:38 < redrabbit> i can put whatever kind of wifi card i want
16:38 <@krzee> at least not in the forseable future
16:38 < redrabbit> same for antennas
16:38 <@krzee> well in their defense, their 2 cards are win
16:39 <@krzee> and the antenna are rp-sma
16:39 < redrabbit> the standard
16:39 <@krzee> but i still agree
16:39 < redrabbit> im good with my awus036h
16:39 <@krzee> rolling your own is the win
16:39 < redrabbit> still the best card around for injection ect
16:39 <@krzee> you'll know it 100% and get way more use out of it
16:40 < redrabbit> what i like about my setup is how modular it is
16:40 < redrabbit> i'm gonna make it work on the pi0 ultimately
16:41 < redrabbit> i can pick wifi adapter depending on if i need more power or more battery time
16:41 <@krzee> you might even be able to go into different modes based on the different hardware, after you've used it a bit you might find certain hardware means you're doing certain things
16:42 < redrabbit> no sd card
16:42 < redrabbit> its practical to have a card you can copy/dd
16:42 < redrabbit> (on the pineapple)
16:43 < redrabbit> looking at the specs its not at the level of a pi3
16:43 <@krzee> not likely, pi3 came out way more recent
16:43 < redrabbit> looks decent but way more limited
16:44 <@krzee> pi3 has usb3 for 1 thing
16:44 < redrabbit> usb 3 on the pi 3 :o
16:44 <@krzee> doesnt it?
16:44 < redrabbit> its 2.0
16:44 < redrabbit> works fine though
16:45 < redrabbit> its still a small arm pc
16:46 <@krzee> i didnt think my gsm software defined radio worked on usb2
16:46 <@krzee> i guess it does tho
16:47 <@krzee> (since i only used it with a rpi3)
16:59 < redrabbit> it does ^^
17:01 < thereyouare> I just got an idea
17:01 < redrabbit> i'm about to make a sun powered one
17:01 < thereyouare> why not implement DNS tunneling and ICMP tunneling inside OpenVPN as a module ?
17:01 < thereyouare> can you imagine how much popular it will make OpenVPN
17:02 < thereyouare> like that iodine it doesn't encrypts data you have to do tunnel inside tunnel, but if it will be implemented in openvpn source tree it can do encryption by default
17:04  * redrabbit wonders if a pc fan can be turned into a mini windmill
17:05 <@dazo> thereyouare: you do know we are trying to slim down the feature set of openvpn, not increase it?  as it is a big burden to maintain all this code ... openvpn is by far incredibly popular already, with millions of users using it actively every day
17:05 <@dazo> we will look into adding support for plug-ins doing that kind of stuff, so other projects can maintain their own "this is cool"-project ... without adding maintenance burden on the core OpenVPN developers
17:11 <@dazo> redrabbit: probably depends on what kind of fan ... if it is such a 3-pin PCM based fan speed control capable fan (or 4 pins, for that matter) it probably won't work.  But a single 2 pin (only power) should be able to generate at least some electricity ... but how much you can load it, that's the difficult one - and I don't think it will be able to drive too much stuff
17:11 <@dazo> (if anything than a led, at all)
17:18 < redrabbit> wondering if i can rig a couple or more and recharge a battery from it
17:19 < redrabbit> i have a ton of spare fans around
17:19 < redrabbit> i can always get to the motor output if i remove the circuit inside
17:29 < MTecknology> using a fan as a windmill seems like an odd openvpn feature
17:29 < thereyouare> right, better use a hamster in a wheel, they are replaceable and doesn't require much feeding
17:30 < MTecknology> heh, that most assuredly fixes the out-of-scope dilemma
17:34 < klow> heres a new one to me:  Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link
17:34 < klow> wondering if this is because the server is running on a vmware fusion guest (debian)
17:35 < orev> openvpn not needing admin rights on windows is a game changer.  great work!
17:35 < klow> orev: agreed. major pain point for some of my customers
17:37 <@krzee> klow: should be fine in a vm, can you post your configs?
17:37 <@krzee> !configs
17:37 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
17:39 < klow> ignore, im dumb. wrong port
17:39 < klow> sorry, crunching big time
17:39 <@krzee> cool
19:41 < fa0> Hello all
19:41 < fa0> link local, if I'm not mistaken is for ipv6?
19:43 < fa0> Actually this? https://en.wikipedia.org/wiki/Link-local_address
19:43 <@vpnHelper> Title: Link-local address - Wikipedia (at en.wikipedia.org)
19:44 < fa0> In 2.3.14 it was listed as saying link local [undef] and now in 2.4.0 as [unbound] and I'm trying to figure if I should have this bound, what the purpose would be etc...?
19:46 < Muimi> i'm back :D
20:13 < fa0> can someone please explain, in 2.4.0 I now see this from the cmd line when running as a client connecting to a server;  Preserving recently used remote address:
20:13 < fa0> Before 2.4.0 I never saw this in any version of OpenVPN going back for the past 5 years... So I'm a little confused by this now...
20:19 < fa0> The thing I also don't get is that I didn't connect to this before, and having it saying 'recently used' seems odd...
20:20 < fa0> Anyone here know about this?
20:32 < thereyouare> fa0: How many apples grow on a tree?
21:01 < chandoo> hi
21:02 < chandoo> i have this error start openvpn server " Options error: --explicit-exit-notify cannot be used with --mode server"
21:12 < thereyouare> chandoo: How many apples grow on a tree?
21:20 < tx> 5
21:20 < thereyouare> All of them.
21:24 < [0xAA]> Update on my issue
21:24 < [0xAA]> I implemented buffering, added protection against 0-length packets
21:24 < [0xAA]> now the server is indefinitely stuck
21:25 < [0xAA]> because OpenVPN server is not sending packets to the TCP socket
21:25 < [0xAA]> and it's getting 0-length reads
21:28 < [0xAA]> who sends first?
21:28 < [0xAA]> OpenVPN server sends initial packet first, right?
21:29 < thereyouare> [0xAA]: How many apples grow on a tree?
21:29 < [0xAA]> thereyouare: 1337
21:29 < thereyouare> right, all 1337 of them
21:30 < [0xAA]> OpenVPN server sends TLS Initial Packet, then the handshake starts
21:33 < [0xAA]> afaik
21:34 < thereyouare> what is the difference between TLS and SSL ?
21:36 < [0xAA]> thereyouare: SSL is old, TLS Is newer
21:36 < [0xAA]> OpenVPN is not sending me any packets
21:36 < [0xAA]> the server aka
21:37 < thereyouare> so the package that called openssl is it SSL only, or it contains TLS too or is there separate package with TLS ? I know there is some GnuTLS software is it prefferable then OpenSSL ?
21:37 < thereyouare> !ssl
21:37 < thereyouare> !tls
21:37 < [0xAA]> thereyouare: OpenSSL is just the name
21:38 < [0xAA]> OpenSSL has both TLS and SSL constructs
21:38 < [0xAA]> gnutls is more preferable afaict
21:38 < [0xAA]> because GnuTLS is cleaner, safer, secure, and GPLv3 too
21:40 < thereyouare> so openvpn can use both OpenSSL and GnuTLS ?
21:41 < thereyouare> "./configure --help" doesn't says anything TLS related
21:41 < thereyouare> it only has:
21:41 < thereyouare> --disable-ssl           disable SSL support for TLS-based key exchange
21:42 < ordex> thereyouare: openvpn supports OpenSSL and mbesTLS
21:42 < thereyouare> mbes ?
21:42 < ordex> mbedTLS, sorry
21:42 < ordex> toy can choose with --with-crypto-library=openssl|mbedtls
21:43 < thereyouare> is it similar to PolarSSL ?
21:43 < ordex> polarssl is the old name of mbedtls
21:43 < thereyouare> there is no more PolarSSL ?
21:43 < ordex> it ha sbeen renamed
21:43 < ordex> afaik
21:43 < thereyouare> http://polarssl.org/download/polarssl-1.3.8-gpl.tgz so this package is outdated ?
21:44 < thereyouare> I was about to install it
21:44 < ordex> I don't know
21:44 < ordex> if you open polarssl.org you get redirected
21:44 < ordex> maybe you get the latest package from there ?
21:44 < thereyouare> and #polarssl is empty
21:44 < fa0> Can anyone tell me when using 2.4.0 and connecting for the first time to a server it's telling me; Preserving recently used remote address, when it wasn't used before?
21:44 < ordex> but you can also use your package manager, without compiling it
21:44 < thereyouare> there is no package manager
21:45 < thereyouare> I have to compile everything from source
21:46 < thereyouare> ba dum tssss
21:47 < fa0> A Linux distro without a pkg manager?
21:47 < [0xAA]> mbedTLS is kinda weird
21:47 < [0xAA]> that still works and is good
21:47 < [0xAA]> OpenSSL is just full of bloatware
21:47 < [0xAA]> need LibreSSL
21:48 < [0xAA]> -.-
21:49 < [0xAA]> now everything is deadlocked
21:49 < [0xAA]> I changed the MITM to wait until OpenVPN server sends TLS initial packet
21:49 < [0xAA]> now none is sending nothing
21:51 < [0xAA]> ok
21:51 < [0xAA]> finally got the fix
21:57 < redrabbit> is there a way to use openvpn to connect from two network interfaces client side and combine speeds from multiple providers
21:59 < [0xAA]> It's named PolarSSL because it was made in Antartica
21:59 < [0xAA]> Antarctica
21:59 < [0xAA]> redrabbit: nope
22:01 < redrabbit> do you know something do to that
22:02 < ordex> redrabbit: that is not an openvpn problem, but rather an upper layer thing
22:03 < ordex> you can do mtcp if supported by the server (for example), but still it requires upper layers support, openvpn will just create the interfaces
22:03 < [0xAA]> redrabbit: that won't with with SSL afaict
22:06 < redrabbit> i host my vpn, i can configure that on in the server i guess
22:41 < thereyouare> anyone heard of ipfs.io ?
22:51 < ordex> sounds similar to freenet to some extends, no ? at least the mechanism behind
23:07 < Muimi> !seen jiquera
23:07 <@vpnHelper> jiquera was last seen in #openvpn 20 hours, 32 minutes, and 48 seconds ago: <jiquera> what does your log say?
23:10 < Muimi> iptables -I INPUT -i <VPN_TUN_DEVICE> -j ACCEPT anybody know waht the vpntundevice is?
23:10 < redrabbit> iptables -a
23:10 < redrabbit> tun0
23:11 < redrabbit> ifconfig -a *
23:11 < redrabbit> lol
23:11 < redrabbit> its late
23:11 < redrabbit> type : ifconfig -a
23:11 < redrabbit> its probably tun0
23:12 < Muimi> the inet addr?
23:13 < Muimi> does the vpn server need to be started
23:42 < Muimi> !seen krzee
23:42 <@vpnHelper> krzee was last seen in #openvpn 6 hours, 2 minutes, and 45 seconds ago: <krzee> cool
--- Day changed Wed Jan 04 2017
00:03 < ordex> Muimi: no, if you are adding iptables rules, yu do not need to restart openvpn
00:03 < ordex> that will likely kill the rules linked to the tun interface
00:08 <@krzee> Muimi: picking up from msg
00:09 <@krzee> wellllll i havent had much chance to play behind the great firewall, but its of interest to me
00:09 <@krzee> because you cant risk you production server getting blocked i recommend getting a semi-disposable vps
00:10 <@krzee> then you may be able to play with a mix of techniques
00:11 <@krzee> like the xor patch that is out there for example
00:11 <@krzee> but if you cant risk getting that production server blocked, i suggest not testing with it
00:12 <@krzee> keep it safe, test with something else, and even when you get things right you can tunnel through a server to the real production server, so it's never at risk
00:13 <@krzee> going to lay down now
00:14 < ordex> Muimi: you got a vps behind the wall ?
00:28 < Muimi> yeah I did.
00:28 < Muimi> <3
00:35 < ordex> Muimi: cool :) what's the provider opinion with you running a vpn ?
00:36 < ordex> I am wondering because I also wanted to get one, but I was a bit reluctant to believe that a VPN could survive long enough on that machine :P
00:47 < Muimi> ordex: what's the qeustion again?
00:48 < Muimi> Oh.  They don't care about that, man.  They just don't want me jumping partitions.
00:51 < Muimi> ordex: but I've heard that they do some deep packet sniffing that gets through obfsproxy or whatever
00:57 < cyberanger> Muimi: obfsproxy is obfs v3, I think obfs4 is still fine last I heard.
00:57 < cyberanger> I used ssltunnel myself.
02:24 < ordex> Muimi: mh ok.. I may try
05:29 -!- Vampire0_ is now known as Vampire0
09:00 < redrabbit> ordex: providers dont care if you run your own vpn
09:00 < redrabbit> i run one of a vps at ovh, all is good
09:18 < ordex> redrabbit: what if you allow random users to connect from china ?
09:19 < redrabbit> :o
09:19 < redrabbit> mine is only for personal use
09:19 < redrabbit> and i dont use it much
09:20 < ExoUNX> redrabbit hopefully you don't use it for anonymity
09:20 < redrabbit> no
09:20 < redrabbit> i pay for the server its it the country i live in
09:20 < redrabbit> no point
09:21 < ExoUNX> well anonymity doesn't require your endpoint be a different country, but yah
09:22 < redrabbit> what would you do for anonymity
09:24 < ordex> redrabbit: why having a VPS in CN that connects to ovh via vpn? why not connecting directly to ovh with your client ?
09:25 < redrabbit> huh?
09:25 < redrabbit> i just have 1 vpn in france
09:25 < ordex> well, maybe I don't know what you use the vps for :P
09:25 < ordex> ah
09:25 < redrabbit> well 2 at home 1 at ovh
09:26 < ordex> we were talking about a VPN on a chinese VPS
09:26 < redrabbit> i use them for connectivity from 3G
09:26 < ordex> that's where the discussion started
09:26 < redrabbit> ok :p just saying my vps provider don't care
09:27 < ordex> ehhe ok
09:40 < tormoz> okay... looks like 2.4 client can't connect to 2.3 server....
09:40 <@plaisthos> tormoz: that would be considered a bug
09:41 <@plaisthos> and generally we are not aware of anything
09:41 <@plaisthos> unless you have a broken ssl library on the 2.3 server that does not support PFS
09:41 <@plaisthos> in that case the stricter ssl settings of 2.4 refuse to connect
09:42 < tormoz> ah i'll look into this. Thanks...
09:45 <@dazo> tormoz: I've done successful 2.4 client to 2.3 server connections .... so it might be a corner case issue .... I also believe we also run some various tests regularly which also tests against 2.3 servers
09:51 < tormoz> i just don't know where to start looking, cipher was specified implicitly  And yet... tls handshake failed...
10:25 < tormoz> uh oh... looks like tls-cipher default values differs
11:40 <@plaisthos> tormoz: yes
11:40 <@plaisthos> tormoz: but usually that should not be problem
11:41 <@plaisthos> tormoz: and you should get ssl library errors
11:41 <@plaisthos> at least on one side
11:52 < tormoz> i already found that yls cipher cannot be negotiated. just don't know why
11:53 < tormoz> *tls cipher
11:57 <@dazo> tormoz: you use --tls-cipher in your configs?
11:58 < tormoz> now? but ow i temporary use it to make it work
11:58 < tormoz> now, but now i temporary use it to make it work
12:00 <@plaisthos> tormoz: what is the error message?
12:00 <@plaisthos> http://ics-openvpn.blinkt.de/FAQ.html
12:00 <@vpnHelper> Title: Ics-openvpn (at ics-openvpn.blinkt.de)
12:01 <@plaisthos> see also the tls-cipher FAQ there
12:01 <@plaisthos> you might be running into that
13:10 < tormoz> ok most probably my certs require ECDHE encryption which openvpn 2.3 does not support
13:11 < tormoz> problem partially solved
13:45 -!- Netsplit *.net <-> *.split quits: @vpnHelper, +RBecker, @syzzer
13:45 -!- Netsplit over, joins: RBecker
13:45 -!- mode/#openvpn [+v RBecker] by ChanServ
13:46 -!- Netsplit over, joins: syzzer
13:46 -!- mode/#openvpn [+o syzzer] by ChanServ
13:47 -!- Netsplit over, joins: vpnHelper
13:47 -!- mode/#openvpn [+o vpnHelper] by ChanServ
14:08 -!- CGML_ is now known as CGML
14:30 < chandoo> where to copy the keys on the mobile phone
14:51 <@plaisthos> !inline
14:51 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
15:17 < rzyz85fr> hello, i have a config file .ovpn that works , but asking login and password, how can i automated that by cli when do openvpn --config config.ovpn?  (can't change server side config)
15:17 <@ecrist> rzyz85fr: check out the man page.  there is a way to provide a file name in the config that contains your user and password
15:18 < rzyz85fr> ecrist, is it possible by env var or directs args? (didn't find directs args in manpage)
15:58 <@danhunsaker> rzyz85fr: Just add a -- to the start of any config option to use it on the commandline.
15:59 < rzyz85fr> danhunsaker, aa thanks for this precision. !
16:01 <@danhunsaker> There may be a few that don't work, or that you'll have to adjust slightly to make work (anything with more than one argument needs them all quoted, for example), but overall that's the appreach.
16:01 <@danhunsaker> *approach
16:01 < rzyz85fr> danhunsaker, ok
16:03 < signo-> Hey, question related to rzyz85fr's. Is there anyway to point OpenVPN to an encrypted file that contains the username/password? I know you can do custom authentication on the server side but I don't know if you can either pass an encrypted password file or have a client script to decrypt. (Just trying to avoid storing plain-text passwords)
16:09 <@danhunsaker> I'm not aware of any such mechanism, but that doesn't mean they don't exist.  You still have to worry about handling the decryption key, though...
16:11 < rzyz85fr> signo-, nice ask, how i can automated that with storing plain password
16:17 < para000> krzee: are you here?
16:18 <@dazo> signo-: no, such feature does not exist ... the username/password needs to be in plain text
16:19 <@dazo> rzyz85fr: --auth-user-pass can take a an option, which is a filename to the file containing either username and password, or just password .... in the former, username must be the first line and password the second line
16:21 < rzyz85fr> dazo, thanks, auth-user-pass doesn't have good explain in manpage
16:23 < rzyz85fr> dazo, so, i will put login/password in the script, then echo it to working dir with .ovpn , then call openvpn --config config.ovpn --auth-user-pass mylogin.txt
16:24 <@dazo> ehm?
16:24 <@dazo>        --auth-user-pass [up]
16:24 <@dazo>               Authenticate with server  using  user‐
16:24 <@dazo>               name/password.   up is a file contain‐
16:24 <@dazo>               ing username/password on 2  lines.  If
16:24 <@dazo>               the  password line is missing, OpenVPN
16:24 <@dazo>               will prompt for one.
16:24 <@dazo>               If up  is  omitted,  username/password
16:24 < rzyz85fr> dazo, for me it is dirty, i prefer an encrypt password in .ovpn   ( i repeat, don't have acces to the server side : french ISP box name freebox )
16:24 <@dazo>               will be prompted from the console.
16:25 <@dazo> rzyz85fr: send patches and we'll review them and they might be added to the code when its good enough
16:26 < rzyz85fr> dazo, ok lol
16:26 <@dazo> the problem with encrypted passwords is that it needs to be decrypted regardless ... if that happens on the client side, what would be the difference between a plain text file with username/password vs an encrypted file and then some mechanism to automatically decrypt that file when openvpn starts?
16:27 <@dazo> if you worry about a leaking password ... you should type the password each time (or us 'pass' or something else to partly automate it for you)
16:30 < chandoo> hi
16:31 < chandoo> i have vpn server running and connected to vpn from my mobile. but nothing works, how to troubleshoot
16:31 < rzyz85fr> dazo, ok, you true.  for the manpage, i doesn't have this help in my ubuntu 16.04
16:31 <@dazo> !goal
16:31 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:31 <@dazo> chandoo: ^^
16:33 < chandoo> dazo, i cannot browse anything, i open browser and did cnn.com and it failed
16:34 <@dazo> that is describing what doesn't work ... what do you try to do with your VPN tunnel?
16:34 <@dazo> You want all Internet traffic to go via your own OpenVPN server?
16:35 < chandoo> i want to connect to my cameras through my app
16:36 <@dazo> !serverlan
16:36 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
16:36 < rzyz85fr> chandoo, which app you use?
16:36 < chandoo> yes
16:36 <@dazo> chandoo: start with reading that ^^^ .... and look at the image at #3 at the end
16:37 < rzyz85fr> dazo, where did you find your help about  "--auth-user-pass" ?
16:38 <@dazo> rzyz85fr: $ man openvpn
16:38 <@dazo> !man
16:38 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
16:38 <@dazo> rzyz85fr: you'll find the same there too
16:41 < rzyz85fr> dazo, ok i have problem in my man config   (can't search without fullword, lol)
16:41 < rzyz85fr> dazo, i leave, thanks and bye
16:55 < chandoo> dazo, push route?
16:56 < chandoo> ;push "route 192.168.10.0 255.255.255.0"
16:56 < chandoo> ;push "route 192.168.20.0 255.255.255.0"
16:56 < chandoo> i have those
17:03 < chandoo> dazo, how to check the client connections on the server
19:40 < orizzle> hello, is there a way to restrict users on my vpn to only be able to see each other and not any services on the vpn host or access the internet?
19:46 < redrabbit> i want to do the same
19:46 < redrabbit> tell if you find a reliable solution
20:13 < Ziginox> !welcome
20:13 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
20:13 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
20:14 < Ziginox> !goal
20:14 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:14 < Ziginox> oh, derp
20:16 < Ziginox> I'm trying to set up OpenVPN so I can access my LAN remotely; I have it installed with a server config on a Windows Server 2012 R2 machine and with client config on a Windows 7 machine. I've generated keys and opened firewall (both router and windows) on the server. The client machine appears to connect, but no traffic seems to be going through. Is there something I'm missing?
20:16 < Ziginox> Oh, and the local subnet is unique
20:18 < Ziginox> I followed the instructions here to the T, but no dice https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide#FurtherConsiderationsTroubleshooting
20:18 <@vpnHelper> Title: Easy_Windows_Guide – OpenVPN Community (at community.openvpn.net)
20:25 <@krzee> !serverlan
20:25 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
20:25 <@krzee> see #3
20:26 <@krzee> orizzle: sure, firewall and dont redirect-gateway
20:29 < Ziginox> !ipforward
20:29 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
20:29 < Ziginox> !winipforward
20:29 <@vpnHelper> "winipforward" is (#1) reboot after enabling it, or (#2) https://support.microsoft.com/EN-US/kb/230082 to enable ip forwarding on windows
20:32 < Ziginox> !route
20:32 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
20:32 < Ziginox> !route_outside_openvpn
20:32 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
20:49 < KMBBANS> can anyone help me real quick
21:14 -!- Netsplit *.net <-> *.split quits: +s7r
21:19 < KMBBANS> hello
21:28 < conrmahr> !welcome
21:28 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
21:28 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
21:30 < conrmahr> !goal I would like to access my devices on my local network to make connections to my ubuntu device running OpenVPN.
21:35 < KMBBANS_> can someone help me
21:51 < CoreISP> Hey guys - question; the ping mechanism in OpenVPN - is that something the client and host exchange over the regular port; or does it rely on ICMP?
22:14 < KMBBANS_> does anyone know what services in services.msc msc i have to set to automatic to enable the openvpn to connect to the server
--- Day changed Thu Jan 05 2017
01:35 < egrain> Is there a way to see the OpenSSL version of my clients? Push-peer-info doesn't seem to work. Or maybe I'm doing something wrong.
02:21 <@plaisthos> egrain: your client need to have a recent verrsion
02:21 <@plaisthos> might be 2.4+ only
02:21 <@plaisthos> not sure if that got backported to 2.3
02:21 <@plaisthos> Jan  5 08:14:15 hermes ovpn-aead-v6[3017]: 146.60.159.163 peer info: IV_SSL=OpenSSL_1.0.2j__26_Sep_2016
02:21 < egrain> my clients have 2.4
02:21 <@plaisthos> and push-peer-info in their config?
02:21 <@plaisthos> that is not pushable
02:22 < egrain> they need  that in their config? i thought server side only.
02:22 < egrain> that's the problem then.
02:22 < egrain> thanks a bunch.
02:22 <@plaisthos> yeah
02:22 <@plaisthos> you are pushing potientally sensitive information so that needs a opt in
02:22 < egrain> okay.
02:23 <@plaisthos> Jan  5 08:14:15 hermes ovpn-aead-v6[3017]: 146.60.159.163 peer info: IV_PLAT_VER=23_6.0.1_arm64-v8a_Sony_msm8994_E5823
02:23 < egrain> doesn't matter where in the config, right?
02:23 <@plaisthos> e.g. that :)
02:23 <@plaisthos> no
02:24 <@plaisthos> I think windows c lients/linux client also push their ethernetnet mac
02:25 < egrain> i'll take all the information i can get, but i really just need the client version and openssl.
02:26 <@plaisthos> :P
03:53 < jiquera> can somebody explain the difference between lz4 and lz4-v2 (from the code they look identical except from some handling of the header bytes)
03:55 < jiquera> @plaisthos: I get an error in OpenVPN for Android I don't get in other clients. "Got unrecognized line from management: ERROR: no username is currently needed at this tme"
03:55 < jiquera> I'm only using certs no user/pass login
04:00 <@plaisthos> jiquera: that is the difference
04:00 <@plaisthos> jiquera: hm
04:01 < jiquera> but what is the purpose of it? should one be used over the other?
04:01 <@plaisthos> jiquera: the v2 methods have no overhead for uncompressed packets
04:02 < jiquera> aaaah
04:02 < jiquera> cool
04:02 < jiquera> i like that
04:02 < jiquera> :)
04:03 <@plaisthos> for the user that is strange
04:03 <@plaisthos> somehow my app thinks that OpenVPN wants a username
04:07 < jiquera> can i test something for  you ? for more info?
04:09 < jiquera> also lz4-v2 seems to always add 2 bytes... an indicator and whether it was compressed or not
04:09 < jiquera> kind of looks like it is always 1 byte more than the v1 version
04:10 < jiquera> or am i being dufus now?
04:14 < jiquera> v1 stores the compression byte at the front and moves the head byte to the end (undos this for compression
04:15 < jiquera> v2 prepends 2 bytes one as indicator and a second one as the compression byte
04:15 < jiquera> but whyyyyy support both methods
04:18 <@plaisthos> jiquera: the moving around actually costs a bit of performance
04:18 <@plaisthos> both methods for backwards compatibility
04:18 < jiquera> for the second method you mean?
04:19 < jiquera> ah ok i didnt realize there was legacy involved here
04:19 <@plaisthos> v2 is OpenVPN 2.4+ only
04:19 <@plaisthos> Altough we implemented lz4-v1
04:19 <@plaisthos> which is kind of nonsense since lz4 is 2.4+ only anyway
04:20 < jiquera> yeah that's why i didnt get the redundancy
04:20 < jiquera> i mean the difference is 1 byte at most... might as well just pick one method
04:20 < jiquera> expecially since it's nowhere documented that there are two algorithms
04:21 < jiquera> the sample code uses lz4-v2 but the manual only mentions lz4
04:23 <@plaisthos> documentation might be improved ...
04:37 < jiquera> oki i get the point with lz4 algorithms now... although i still think one would have sufficed. Do you want me to debug the android thing? if so what do you need to know?
04:42 < jiquera> also... it might have been better to not use a legal ascii character as indicator byte... if you send plaintext now it might trigger the escape method. using 0x1B would have been less likely to trigger i guess
05:46 < jiquera> !heartbleed
05:46 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl, or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised., or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected., or (#4)
05:46 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed, or (#5) http://xkcd.com/1354/
05:48 < jiquera> !poodle
05:48 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has, or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
05:54 <@plaisthos> jiquera: can you send me a complete log of the app and tell me what is selected as authentication method under basic settings?
05:54 <@plaisthos> jiquera: the character has been to be something that an IP or Ethernet packet does not start with
05:56 <@plaisthos> the header is IP version 5
05:56 < jiquera> complete log is a bit tricky at the moment... (work security policy)
05:56 < jiquera> as for the character it makes sense
05:56 < jiquera> i can give you info about the config
05:57 <@plaisthos> jiquera: ah okay
05:57 < jiquera> but i have to type everything manually
05:57 <@plaisthos> jiquera: hm
05:57 < jiquera> so please use efficient queries ;)
05:57 <@plaisthos> what is selected under basic settings?
05:58 < jiquera> LZO -> ON; Type -> Certificates; and then the certs and key
05:58 <@plaisthos> is the key encrypted and requires a pw?
05:58 < jiquera> yeah
05:58 <@plaisthos> hm
05:59 <@plaisthos> I see the bug :P
05:59 < jiquera> the password is used to auth?
05:59 <@plaisthos> the bug is there since forever
05:59 <@plaisthos> literally
05:59 < jiquera> well the connection succeeds... so i guess unless somebody reads through the log, nobody notices
06:00 <@plaisthos> no when openvpn requires any kind of password I sent the username and the password
06:00 < jiquera> ah oki and in this case it just needs the pass for the key
06:01 < jiquera> weird that nobody noticed that though... what happens if you use key+pass and user/pass but with different passwords?
06:06 -!- Gizmokid2010 is now known as Gizmokid2005
06:07 <@plaisthos> jiquera: it works :)
06:07 <@plaisthos> jiquera: it always send the right password
06:07 <@plaisthos> but also always the user name
06:07 <@plaisthos> OpenVPNManagementThread.java:570 if you want to look ;)
06:08 < jiquera> looking
06:10 < jiquera> yup i see what you mean
06:10 <@plaisthos> is quite silly :)
06:10 < jiquera> im surprised nobody noticed :p
06:11 < jiquera> maybe openvpn has not always reported an error?
06:11 <@plaisthos> it does
06:11 <@plaisthos> but keys with password are rare
06:11 < jiquera> are they?
06:11 < jiquera> i work in security... never seen one without tbh
06:11 <@plaisthos> people most times have either pcks12 which gets imported into android keystore or just plain key+pem
06:12 < jiquera> ah key with pw on openvpn for android are rare :p
06:12 < jiquera> yeah i guess so then
06:12 <@plaisthos> yeah
06:12 < jiquera> :p
06:12 <@plaisthos> user certificates tend to be in pkcs12 format
06:13 <@plaisthos> if you are security orientated on android you store your certificate inside the keystore anyway
06:13 < jiquera> but then it still contains a key right? but it gets decoded by android :p
06:13 <@plaisthos> yeah
06:14 < jiquera> yeah well.. i do hardware security (side channel analysis and fault injection etc)... no too familiar with android
06:14 <@plaisthos> but either in a hardware keystore
06:14 < jiquera> but fair point :p
06:14 <@plaisthos> or at least in some trustzone special seperated zone
06:14 <@plaisthos> the app does not get the key anymore
06:16 < jiquera> when i start generating keys for 2.4 i'll make them pkcs12, pinky promise :)
06:16 <@plaisthos> do whatever you want ;)
06:16 <@plaisthos> for mobile devices you might want to look into
06:16 <@plaisthos> !inline
06:16 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
06:17 < jiquera> yeah i inline everything... without it it's a nighmare
06:17 < jiquera> just wasnt using pkcs12 as i didnt really see the advantage over the raw format
06:18 < jiquera> but if it can be imported into keystores and the raw format not... it finally has a benefit for me :)
06:18 <@plaisthos> Iirc my app asks you to import it into the keystore
06:18 <@plaisthos> not 100% sure if that also works for inline pkcs12
06:18 <@plaisthos> have to check
06:18 < jiquera> I'll tell you soon enough ;)
06:19 <@plaisthos> I also wanted to do a pem+key => pcks12 importer
06:19 <@plaisthos> but I have found the motivation to fight the horror of x509+pkcs12 again
06:20 < jiquera> well, if you can handle pcks12 decently, i guess the conversion can be left to the vpn admin
06:23 <@plaisthos> importing embedded pcks12 works
06:24 < jiquera> nice
06:24 < jiquera> i'll start doing some conversions this weeken then... so i have some fresh bugs to report on monday
06:25 <@plaisthos> :)
06:25 < jiquera> thx for the quick analysis though :D
08:05 < robsco> a while back someone shared with me the docs for allowing access behind an OpenVPN servers LAN for clients, and vice versa, with iptables rules, etc.  does anyone have that link, can't see to find a nice example
08:07 <@plaisthos> !iroute
08:07 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
08:07 <@plaisthos> basically that is the keyword
08:07 < robsco> thanks
08:07 <@plaisthos> don't know of a guid though
08:07 < robsco> i've got old configs that do it one way, but not the other
08:08 < robsco> it was this page https://community.openvpn.net/openvpn/wiki/RoutedLans but there was also another for doing it the other way round, i want to do both
08:08 <@vpnHelper> Title: RoutedLans – OpenVPN Community (at community.openvpn.net)
08:08 < robsco> will have a crack at this and see how I get on
09:31 < oditector> hello
09:32 < oditector> i usevpnkeys and get this error , what should i specify for --ifconfig paramter, or --default-gateway dhcp ? i tried it but didnt work?
09:32 < oditector>  NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
09:40 < oditector> hello??? is anyone here???
09:40 <@ecrist> yes, people are here.
09:41 < oditector> great then tell me my query that i asked?
09:41 <@ecrist> wow, you're off to a great start
09:41 <@ecrist> did you read !welcome?
09:41 <@ecrist> or even /topic?
09:42 < oditector> how should i do with --route-gateway for vpnkeys
09:42 < oditector> i don't have a firewall problem as vpnbook works without the --ifconfig option
09:42 < oditector> !welcome
09:42 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
09:42 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
09:43 <@ecrist> is vpnbook a VPN provider?
09:43 < oditector> ecrist: yes
09:44 <@ecrist> ok, unfortuneately, you'll need to contact their support for help.
09:44 <@ecrist> we normally will need to see server logs to offer any real assistance
09:44 < oditector> no vpnkeys i said
09:45 <@ecrist> ?
09:45 < DArqueBishop> Is vpnkeys a VPN provider?
09:45 < oditector> --route-gateway ?? was that?
09:45 < oditector> https://www.vpnkeys.com/get-free-vpn-instantly/
09:45 <@vpnHelper> Title: Free VPN - 100% Free PPTP and OpenVPN Service (at www.vpnkeys.com)
09:45 < oditector> yes it is a provider
09:45 <@ecrist> well, you said both vpnbook and vpnkeys
09:45 < DArqueBishop> oditector: then ecrist's answer still applies. You need to contact them for support.
09:46 < DArqueBishop> Support here is geared mainly towards those who run their own servers, and there's not much we can do to help when you only control one end of the connection.
09:46 < oditector> lol, i don't think they'd answer and moreover i don't know what should i do with --route-gateway
09:46 <@ecrist> we don't, either, without knowing how the server is configured.
09:48 < oditector>  https://ptpb.pw/31DO
09:50  * ecrist doesn't folllow random links without context
09:50 < oditector> yeah?
09:50 < oditector> https://www.vpnkeys.com/how-to-setup/ is this too random
09:50 <@vpnHelper> Title: VPN Setup – How to Setup VPN with VPN Keys (at www.vpnkeys.com)
09:51 < oditector> or shall i paste here , and make it less random
09:51 <@ecrist> no, but we don't support customers of XYZ service provider
09:51 < oditector> why is linux not mentioned , then where shall i go?
09:51 <@ecrist> contact THEIR support
09:52  * ecrist shouts "Make READY!"
10:00 < jiquera> i imported pkcs12 files into my android phone... however these were debug versions... does anybody know how to remove them again?
10:01 <@plaisthos> jiquera: settings -> security -> somewhere there
10:01 < jiquera> im trying... but i only find the CA cert
10:02 <@plaisthos> on Android < 7.0 you can only delete all
10:02 < jiquera> ffs
10:02 < jiquera> oki np
10:02 < jiquera> thx
10:02 <@plaisthos> there is a "delte auth data" with the subtitle "remove all certificates"
10:02 <@plaisthos> or similar
10:03 <@plaisthos> not sure what it is called in English exactly
10:03 < jiquera> yeah i have a "clear credentials"
10:03 < jiquera> but it indeed removes everything
10:03 < jiquera> lovely system
10:03 < jiquera> ow btw
10:04 < jiquera> is easyrsa still part of your development?
10:04 < jiquera> it has some serious bugs with filepaths with spaces
10:04 < jiquera> with serious i mean "it took me hours to figure out what was going wrong exactly and why"
10:04 < jiquera> using v3
10:08 <@plaisthos> !easy-rsa
10:08 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
10:08 <@plaisthos> blame ecrist :p
10:11 < jiquera> @ecrist: is this still something you work on?
10:12 < jiquera> if so: binaries for windows in the latest release are still missing + when using filepaths with spaces things go wrong when converting to pksc12 due to the interpretation of a variable as 1 cmd parameter instead of several
10:12 < jiquera> dinne!
10:13 <@plaisthos> jiquirea: Report that as github issue
10:14 <@plaisthos> narf
10:24 < para000> guys what do you think about this server.conf: https://codepaste.net/cdz7x4    ???
10:27 <@dazo> para000:  you're using too many options ....
10:29 <@dazo> para000: txqueuelen/rcvbuf/sndbuf/tls-cipher .... those should not be used unless you really know what you are doing
10:30 <@dazo> reneg-sec 7200 .... that is very aggressive
10:30 <@dazo> (and will be a performance hit)
10:30 <@dazo> oh wait ... that's every 2 hour ... that is reasonable .... somehow my head calculated it the other way around
10:31  * dazo is sleep deprived today
10:32 <@dazo> max-clients 1 ... doesn't really give you any advantage, it sure isn't doing anything good for hardening the security - it will just be annoying if your client disconnects and openvpn stops running ... restarting OpenVPN will cause a rejection until the server finally realises the client is dead and drops the session
10:34 <@dazo> further .... /etc/openvpn/easy-rsa/keys/  <<< that path makes me concerned ... see these URLs for details:  http://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN#Configuringencryption (Look for the BEWARE: paragraph) ... and https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg03466.html
10:34 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
10:39 <@plaisthos> float in server config is also strange
10:39 <@plaisthos> should give an error
10:39 <@dazo> oh true!
10:40 <@plaisthos> also 443/udp is a strange combination
10:40 < dakar> 23/udp ftw
10:40 <@plaisthos> mssfix 0
10:41 <@plaisthos> I have no idea if 0 default but don't do that
10:41 <@dazo> 443/udp ... true, but it often works surprisingly well on many networks only allowing http/https .... for some reason many firewalls opens for udp+tcp on the same ports
10:41 <@plaisthos> also comp-lzo is outdated
10:41 <@plaisthos> and you need to push compression to
10:42 <@plaisthos> and if you are planning for 2.4+ clients only
10:42 <@plaisthos> you might use tls-crypt instead of tls-auth
10:42 <@dazo> plaisthos: mssfix defaults to 1450 ...
10:43 <@plaisthos> dazo: yeah, but I have no idea what it does with 0 as paramater
10:44 <@dazo> plaisthos: my memory is very scarce ... but I think it pushes that value to --fragment ... or there are some combinations here which results in --fragment and --mssfix using the same value
10:44 <@plaisthos> :)
10:44 < __rob2> hello
10:45 < __rob2> Trying to connect to my openvpn server via a socks5 proxy
10:45 < __rob2> works normally
10:45 < __rob2> just not via the proxy
10:45 <@dazo> checked the proxy logs?
10:46 < __rob2> its on my phone
10:46 <@plaisthos> local proxy?
10:46 < __rob2> using it directly now with chrome proxy settings
10:46 < __rob2> well Im on a laptop
10:46 <@dazo> !all
10:46 <@vpnHelper> "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
10:46 < __rob2> but I want everything to route via the phone
10:46 < __rob2> through the vpn, which I want to connect via the socks5 proxy on the phone
10:47 <@plaisthos> phone means android?
10:47 < __rob2> http://pastebin.com/Hhg6qL3A
10:47 < __rob2> yea
10:47 < __rob2> thats my logs
10:47 <@plaisthos> laptop => tethering wifi => phone [VPN client => socks ] => mobile
10:47 <@plaisthos> did I get that right?
10:48 < __rob2> yea, but I cant tether
10:48 < __rob2> or I would directly connect
10:48 < __rob2> but if my phone runs a socks 5 proxy server
10:48 < __rob2> it all looks like its internet on the phone, so it works
10:49 <@plaisthos> that proxy needs to be a normal android app for that to work
10:49 < __rob2> it is
10:49 < __rob2> SSHTunnel i think is the app Im using
10:49 <@plaisthos> and even then the behaviour for incoming connecting while a VPN is active is kind of undefined
10:49 < __rob2> its working right now
10:49 < __rob2> this is going through it on chromes proxy settings
10:49 < __rob2> but I want it to be system wide
10:50 < __rob2> or only chrome works, and not everything uses the windows proxy settings
10:50 < __rob2> if openvpn client is running, everything goes through
10:50 < __rob2> so each part is working, just not openvpn client with socks5 proxy set in the options..
10:52 <@plaisthos> __rob2: you seem to run into the 5s proxy connect timeout of openvpn 2.3
10:53 < __rob2> ohh, is that the cause ?
10:53 <@plaisthos> I don't know
10:53 <@plaisthos> that is all I see in your sparse log
10:54 < __rob2> https://i.snag.gy/yiQ7AG.jpg
10:54 < __rob2> thats the setup..
10:54 < __rob2> where ...43.1 is my phone
10:54 < __rob2> as I say, chrome is working
10:54 < __rob2> is there a setting to increase the verbosity of the logs on ovpn client ?
10:54 <@plaisthos> !verb
10:55 <@vpnHelper> "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info, or (#2) verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage., or (#3) Anything more than 5 is for developer debugging only (special debug build needed)
10:56 < __rob2> how high does it go ?
10:58 <@plaisthos> !man
10:58 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
11:00 < para000> plaisthos: i`m new at OpenVPN setups, now learning and setting up my first server :P, and i`m haveing a lot of problems
11:01 < para000> can you give me a example of a proper server.conf with certification auth ?
11:01 < para000> it will go long way for me finishing faster my first try :P
11:01 < __rob2> http://pastebin.com/0Avf2zh9
11:01 < __rob2> thats a more verbose log
11:02 < __rob2> verb=7
11:08 < __rob2> any suggestions ?
11:10 <@dazo> para000: If you're new to OpenVPN ... _do_ read this one: http://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
11:10 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
11:11 <@dazo> it provides the bare minimum configuration of something that does work ... and explains what all these settings do and why you need them ... and you _do_ need to understand that
11:14 < robsco> iroute issues.  client LAN ips can access any machine on the LAN of the vpn server.  the vpn server can access IPs on the clients LAN, but not other machines on the servers LAN. http://pastebin.com/qv2qyXKa
11:16 < robsco> feels like it's gonna be a tiny routing mistake somewhere
11:18 < robsco> possibly the default gateway (which I don't control) on the servers LAN is getting the traffic
11:19 <@dazo> do you have routing configured on all clients and server properly, for all networks?
11:20 <@dazo> client LAN must know of server LAN, and server LAN must know of client LAN
11:21 <@dazo> and is net.ipv4.ip_forward enabled on the OpenVPN server?
11:21 < robsco> yup, but this routing table on one of the machines on the servers LAN is making me suspicious http://pastebin.com/RZFMBT6X
11:22 <@dazo> that looks wrong ... which LAN is behind the VPN client?
11:22 < robsco> behind the vpn client is 192.168.0.0/24
11:22 < robsco> 172.31.1.0/24 is the server lan
11:22 < robsco> 10.10.10.0/24 is the vpn network
11:23 <@dazo> good .. and what is the IP of the VPN server?
11:23 <@dazo> IPs!
11:23 < robsco> 172.31.1.10, 10.10.10.1
11:23 <@dazo> good ... your server config lacks a gateway on the "route 192.168.0.0 255.255.255.0" ... it needs a third parameter
11:24 < robsco> really?  the examples I've been using don't have it?
11:24 <@dazo> you will need to have a fixed VPN IP for your VPN client (ifconfig-push in the ccd config) .... and then add that IP as the third argument to the route statement
11:24 <@dazo> 192.168.0.0     172.31.1.10     255.255.255.0   UG    0      0        0 eth0
11:24 < robsco> ok i'll try that
11:25 <@dazo> that should say:  192.168.0.0   10.10.10.X   255.255.255.0   tunX
11:25 <@dazo> 10.10.10.0      172.31.1.10     255.255.255.0   UG    0      0        0 eth0
11:25 <@dazo> that also looks odd, though
11:25 <@dazo> I'd expect to see:
11:26 < robsco> i'm sure I've it working quite easily on a previous platform
11:26 <@dazo> 10.10.10.1   0.0.0.0    255.255.255.0    tunX
11:27 < robsco> i thought the "route" config just tells ovpn to take care of that route?
11:27 < robsco> by following https://community.openvpn.net/openvpn/wiki/RoutedLans
11:27 <@vpnHelper> Title: RoutedLans – OpenVPN Community (at community.openvpn.net)
11:27 < robsco> no 3rd param
11:28 <@dazo> well, I have a working setup with 3 VPN clients ... where each VPN client can access the LAN(s) behind each of the other clients ... and I do need the third argument there
11:29 <@dazo> but it might be due to that my setup is far more advanced, with LAN<->client1<->server<->client2<->LAN
11:29 < robsco> yeah, this is just 1 client
11:30 <@dazo> and not providing the third argument ... it defaults to whatever --route-gateway is set to
11:39 < robsco> found it, was a setting on aws that checked source/dest addresses, disabled it, and hey presto
11:40 <@dazo> ahh!
11:41 < robsco> talk about a pain  :)
11:41 <@dazo> :)
11:41 < robsco> thanks for you input tho
11:41 <@dazo> when you mention aws ... I do remember others have stumbled upon the same issue though
11:42 <@dazo> but had you mentioned aws earlier, I probably wouldn't have remembered the solution though :/
11:42 < robsco> was sure i couldn't have been the first but took a while to find it in google
11:45 < para000> guys do i need to use a user and group on the server.config?
11:46 <@dazo> para000: on Linux/BSD (or other *nix OSes) it is advisable to add that
11:48 < para000> k, doing that now
11:56 <@ecrist> yes, I have plans to fix easyrsa sometime soon.
11:56 <@ecrist> I need to finish this damn book, first
11:59 < para000> i managed to make a connection
11:59 < para000> with basic settings
11:59 <@dazo> congrats!
11:59 <@dazo> then 1/3 of the job is done :-P
11:59 < para000> dazo now i need to optimize or what?
12:00 <@dazo> then you need to configure routing ... and then do the firewalling properly
12:00 <@dazo> and then, as an optional step, performance optimizing comes
12:00 < para000> k, yes. I done some routing and ufw seetings
12:01 < para000> krzee told me there is a way i can rout with only 1 server a specific client to a specific IP
12:02 <@dazo> that statement can be understood in several ways ... each with a different solution .... :-/
12:03 < para000> k, so a guy made me a server 6 months ago
12:04 < para000> and i learn some staff from him, but i see you guys are more proffesional then him
12:04 < para000> i needed 10 IPs on my VPN
12:04 < para000> and he made 10 servers.conf
12:04 < para000> for every IP
12:04 <@dazo> !???!!?!??
12:04 < para000> and every client connected to a server
12:04 < para000> and that how every client gets its own IP
12:05 < para000> cause i need Client1 to have same IP every time
12:05 < para000> do you advice me to do the same as him?
12:05 < para000> cause krzee told me it can be done with 1 server
12:06 < para000> and is more relaible and stable
12:06 <@dazo> okay ... let one thing be said .... it isn't entirely stupid to do so, if the network configuration is done equally clever (using p2p mode, not server mode) .... as that can give better performance if the VPN server is powerful with multiple cores and each VPN client does a lot of traffic over the VPN
12:06 <@dazo> *but* in most cases, it is not needed to do a setup this complex
12:07 <@plaisthos> without knowing your setup we never know
12:07 < icyjug> hi, i am using ovpn files to connect to vpn and i want to check if *all* traffic goes through the vpn
12:08 <@dazo> it is usually enough to have --server 10.8.0.0 255.255.255.0   in the server config (which adds a "DHCP" pool for all VPN clients) ... and then add --client-config-dir where each VPN client have their own unique Common Name in their certificate, with a matching filename inside the --client-config-dir directory
12:08 <@dazo> each of these config files will then have --ifconfig-push with the VPN IP address you want the client to have
12:09 < icyjug> i read somewhere that netstat -nr can do that
12:09 <@dazo> icyjug: use tcpdump/wireshark ... or visit some "what's my IP address" web sites from your VPN client and see which IP you get
12:09 < icyjug> dazo thats not enough
12:09 < icyjug> i am afraid
12:09 <@dazo> icyjug: netstat -nr just dumps the routing table
12:10 <@dazo> icyjug: using tcpdump/wireshark should definitely give you an indication if the routing works as expected
12:10 < icyjug> dazo is this a problem in my table then? 0.0.0.0   192.168.0.1  0.0.0.0    UG  0 0     0 wlo1
12:10 <@dazo> icyjug: just dump the traffic on the public interface ... all you should see there is the OpenVPN traffic to the server/client
12:11 < icyjug> dazo ok i will try wireshark too
12:11 <@dazo> icyjug: not necessarily ... if using --redirect-gateway def1 ... that is expected
12:11 <@dazo> it ensures you won't loose connectivity is openvpn crashes in a way where it doesn't restore the routing table with the old default gateway
12:15 < icyjug> dazo just a general question, would using a website like ipleak.net prove 100% that all my traffic goes through the vpn?
12:16 < para000> dazo: still here?
12:16 <@dazo> it will most likely give you a very strong indication which IP address your browser will use
12:16 <@dazo> para000: yeah
12:16 < para000> export KEY_CN="CommonName"
12:16 < para000> this one?
12:16 <@dazo> nope
12:17 < para000> export KEY_COUNTRY="US"
12:17 < para000> export KEY_PROVINCE="CA"
12:17 < para000> export KEY_CITY="SanFrancisco"
12:17 < para000> export KEY_ORG="Home"
12:17 < para000> export KEY_EMAIL="para@gmail.com"
12:17 < para000> export KEY_OU="Home"
12:17 < para000> # X509 Subject Field
12:17 < para000> export KEY_NAME="server"
12:17 < para000> wich one?
12:17 < para000> key_name?>
12:17 <@dazo> para000: when you do ./build-.... there is a a name used as an argument.  that is used for the Common Name field
12:17 < para000> k
12:17 < para000> got it
12:18 < para000> so the file name that export
12:19 <@dazo> yeah, it is also used as filename
12:19 <@dazo> openssl x509 -noout -subject -in $CERT_FILE ... will give you an indication
12:19 < icyjug> dazo i am sorry but cant figure out how to install or use wireshark..let me ask the root problem
12:20 <@dazo> try tcpdump instead?
12:22 < para000> k, i understand where you are going now dazo
12:22 < icyjug> i am using airvpn as a good p2p vpn and using some scripts i get no dns leaks, ipv6 leaks and also wrote a killswitch using ufw from an article i read.. i test this setup through many websites and there are no leaks, not even when torrenting as tested here ipleak.net
12:23 < icyjug> but recently i used a p2p streaming app called popcorntime, without testing it
12:24 < icyjug> and i cant even test it normally like my qbittorrent for ip leaks
12:24 < para000> one more stupid question: if i do ./build-key client then take the output file and eidit its name to client1 , client2 etc. it works ? or i need to ./build-key all of them?
12:24 < icyjug> is there any ground to be worried?
12:25 <@dazo> para000: the CN= field inside certificates are not based on the file name
12:26 <@dazo> icyjug: well, really hard to say ... if you have some clever kill scripts which disallows everything except establishing VPN connections when OpenVPN is not running ... you've moved the responsibility of a failure to that script
12:27 <@dazo> if you need to worry, depends entirely on how much you trust that script
12:28 < icyjug> so, the only need to worry is on the killswitch implementation?
12:28 <@dazo> if that is designed to block anything but OpenVPN traffic going out on your physical network interface, yes
12:29 < icyjug> yes it blocks everything and allows only tun0
12:30 <@dazo> well, then you need to trust that script to always do the right thing .... to get that confidence?  You need lots of testing, testing, testing, testing, testing .... did I mention testing, and testing?
12:30 < icyjug> my concern is that when i used this app the first time, (even though for less than 5 min) i had not yet used the killswitch script
12:31 < icyjug> i am just worried if there exists in theory a torrent app that could dump connection through tun0
12:31 <@dazo> and with testing I also mean testing when things go wrong, not just the expected behaviours ... what happens if openvpn dies unepxectedly (kill -9) ... what happens when your computer gets a new public IP ... what happens during re-negotiations, when it looses network connectivity, etc, etc, etc
12:31 < para000> dazo: do i need to edit /etc/ufw/before.rules as well?
12:32 <@dazo> icyjug: if you add default gateway via tun0 ... even torrent apps will send the traffic via tun0
12:32 < icyjug> oh damn it seems the best way is to use a client right?
12:33 <@dazo> para000: I have no idea ... I despise the ufw stuff ... that is the worst attempt to make iptables simpler while actually managing to do the opposite for no good reason
12:33 < icyjug> dazo please have a look it is very short :D http://pastebin.com/Q2Jt8cBY
12:34 <@dazo> icyjug: don't ask me .... what is best ... you haven't provided any goals
12:34 < icyjug> well for torrenting i mean
12:34 <@dazo> icyjug: I have no idea what those ufw commands results into
12:35 < icyjug> ok
12:35 <@dazo> as I just said to para000, I despise ufw ...
12:36 < icyjug> dazo do you think it is a better idea to use eddy client from airvpn?
12:36 <@dazo> I have no idea
12:36 < icyjug> ok :D
12:37 <@dazo> just don't take it for granted that airvpn will protect your back if someone tries to track you down due to illegal activities
12:37 <@dazo> airvpn may even provide your full identity or public IP addresses you've connected to without your knowledge
12:38 < icyjug> even though they say no logs?
12:38 <@dazo> how do you know they just say that without complying to it?
12:39 < icyjug> ok right
12:40 < icyjug> damn i just wanna be free to watch some movies at home as i used to
12:40 <@dazo> to be honest, from what I've heard ... Private Internet Access is one VPN provider who have had full transparency and pissed off the FBI due to this ... https://torrentfreak.com/vpn-providers-no-logging-claims-tested-in-fbi-case-160312/
12:40 <@vpnHelper> Title: VPN Providers No-Logging Claims Tested in FBI Case - TorrentFreak (at torrentfreak.com)
12:40 < icyjug> why do you despise ufw btw ?
12:40 <@dazo> that is the worst attempt to make iptables simpler while actually managing to do the opposite for no good reason
12:41 <@dazo> it even sometimes is so clever it does the wrong thing
12:42 <@dazo> icyjug: but to take the moral side of watching movies ... you should pay for the stuff you consume ... go subscribe to netflix or hbo or whatever and actually contribute back instead of being a parasite abusing others work
13:40 < para000> dazo: are you here?
13:51 < para000> so i added this to openvpn server.conf
13:51 < para000> client-config-dir /etc/openvpn/ccd
13:51 < para000> now in there i crated client2.user
13:51 < para000> with this inside: ifconfig-push 10.8.0.3 10.8.0.1
13:52 < para000> and when i connect with client2.ovpn
13:52 < para000> i get 10.8.0.2
13:52 < para000> :(
13:52 < para000> do i need to do something more?
14:19 <@dazo> para000: please provide the output of:  openssl x509 -noout -subject -in client2.crt   (client2.crt needs to be the certificate file of the client)
14:55 < para000> subject= /C=US/ST=CA/L=SanFrancisco/O=Home/OU=Home/CN=client2/name=server/emailAddress=para@gmail.com
14:56 < para000> sorry dazo i was away from computer, was so mad, working for like 3 days now on this :P
15:42 < para000> anyone left here?
17:03 < chandoo> my clinet(android phone) has no net after vpn connection, how to troubleshoot this
17:17 < chandoo> after i connect to vpn server from my phone how to use vpn connection in apps
17:17 < chandoo> is it default for all apps or do i have to do something on android phone
17:45 < BtbN> configure the client to redirect all traffic, if the server doesn't push that already.
17:56 < chandoo> i added route 10.8.0.0/24 to client.ovpn
17:56 < chandoo> BtbN,
17:57 < BtbN> so accessing that network will get routed over your VPN
17:58 < chandoo> i dont see bbc.com in my phone browser yet
17:58 < chandoo> is that the right thing to do on client side?
17:58 < BtbN> why would bbc.com be on 10.8.0.0/24?
17:58 < chandoo> i mean browsing to check if i can connect to net
17:59 < para000> chandoo you need to edit you server first
17:59 < para000> what linux are you using?
17:59 < chandoo> centos
17:59 < BtbN> if you want to redirect arbitrary traffic, you need to set the default route
17:59 < BtbN> And a server that's set up for it.
17:59 < chandoo> i followed this document in setting up the whole thing https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-7#step-6-%E2%80%94-configuring-a-client
17:59 <@vpnHelper> Title: How To Setup and Configure an OpenVPN Server on CentOS 7 | DigitalOcean (at www.digitalocean.com)
17:59 < para000> is your configuration working on a windows or linux clinet to connect?
18:00 < chandoo> i am with in the lan
18:00 < chandoo> haven't test on lan
18:00 < chandoo> first device i am testing is on my android phone
18:01 < para000> let me check your guide
18:01 < para000> so most of this guids are out of date
18:01 < para000> do a openvpn --version
18:02 < para000> on your centos server
18:02 < para000> command: openvpn --version
18:02 < para000> BtbN: are you here?
18:03 < chandoo> OpenVPN 2.3.14 x86_64-redhat-linux-gnu
18:03 < para000> coppy more
18:03 < chandoo> para000, do you want the complete output
18:04 < para000> OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 27 2016
18:04 < chandoo> http://paste.fedoraproject.org/520517/83660497
18:04 < chandoo> [root@kailash ~]#
18:05 < para000> i`m not an expert, but i tried with this guids on the internet and found out that is best to install openVPN from oficial website
18:06 < para000> https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
18:06 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
18:31 < mojtaba> Hi, do you know how can I transfer dns requests?
18:31 < mojtaba> I have an Asus router, and I am using ubuntu.
18:32 < mojtaba> I am outside of my LAN, and when I ping 4.2.2.4, I get response. but no luck with ping google.com
18:32 < mojtaba> Any idea?
18:34 < w9qbj> Using OPENVPN on a Raspiberr Pi, the vpn net is 10.8.0.x /24   I'd like to change it to a 172.16.x.y/24 net.  I've changed server.conf, i can connect, but nothing gets passed through. What am I missing??
19:23 -!- Netsplit *.net <-> *.split quits: @mattock
19:23 -!- Netsplit *.net <-> *.split quits: @dazo, @danhunsaker
19:25 -!- Guest44814 [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
19:25 -!- Netsplit over, joins: mattock
19:25 -!- mode/#openvpn [+o Guest44814] by ChanServ
19:25 -!- mode/#openvpn [+o mattock] by ChanServ
19:32 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn
19:32 -!- mode/#openvpn [+o danhunsaker] by ChanServ
20:04 < w9qbj> Using OPENVPN on a Raspiberr Pi, the vpn net is 10.8.0.x /24   I'd like to change it to a 172.16.x.y/24 net.  I've changed server.conf, i can connect, but nothing gets passed through. What am I missing??
20:12 <@ecrist> we need more info
22:42 <@krzee> w9qbj: probably firewall or routing
22:43 <@krzee> impossible to know with such little info tho
23:22 -!- ShadniX_ is now known as ShadniX
--- Day changed Fri Jan 06 2017
02:41 -!- Netsplit *.net <-> *.split quits: @mattock, @krzee, @plaisthos, @danhunsaker, @syzzer, @Guest44814, +RBecker
02:46 -!- Netsplit over, joins: @danhunsaker, @mattock, @Guest44814, @syzzer, @krzee, @plaisthos, +RBecker
02:47 -!- deetwelv- is now known as deetwelve
03:05 -!- Tenhi_ is now known as Tenhi
04:53 < para000> anyone here?
05:00 < Joners> not a clue, im trying to find someone to talk to re AS but no reply on that channel either
05:01 < para000> what chanel?
05:26 < egrain> i have a windows client connecting and even though he has openssl 1.0.2j installed it says: peer info: IV_SSL=OpenSSL_1.0.2i__22_Sep_2016
05:26 < egrain> reinstalled everything multiple times. no changes.
05:26 < egrain> help please.
05:26 < wget> Hello everyone. EVen if I'm an Arch Linux user, I maintain the OpenVPN package on Chocolatey for Windows. Since 2.4., I'm experiencing a weird issue on Windows. While I know the services have completely changed, this is not working correctly on my side.
05:26 < wget> The interactive service is started (obviously) and OpenVpnService (new new service) is started as well (auto start). However, the GUI does not connect automatically to my VPN configuration.
05:27 < wget> The latter is located in C:\Users\USER\OpenVPN\config
05:27 < wget> And the "Silent connection" checkbox is checked in the OpenVPN GUI
05:27 < para000> do you have the lates version of OpenVPN client?
05:28 < para000> if yes i had a problem with that, and i need to go into settings and specifie the config folder path
05:28 < wget> Yes, this is the 2.4.0 I have, like specified :)
05:29 < egrain> my windows client and server are also 2.4.  IV_VER=2.4.0
05:29 < wget> And the server I have is also 2.4 :)
05:30 < egrain> oh, wait, my server is on linux.
05:30 < egrain> anyway, who were you answering? i don't want to meddle between things.
05:31 < para000> wget: like i said i had a problem, i need to go in settings to specified the path.
05:31 < wget> egrain: I was answering to you.
05:31 < wget> My server is on linux. My client is a Windows 7 Ultimate.
05:31 < egrain> yeah, same here.
05:31 < egrain> okay.
05:31 < egrain> i'll pass it on.
05:31 < egrain> thanks a bunch.
05:31 < wget> para000: if you didn't specify the path and you asked to connect, was the client connecting?
05:32 < para000> wget: and for auto connect i usely use a .py script
05:32 < wget> para000: Hum. Ok. So it's a "normal" behavior to have no auto connection?
05:32 < wget> We had auto connection before with the 2.3 branch.
05:33 < wget> If we cannot ensure to have an auto connection with the 2.4 branch, I cannot push 2.4 to chocolatey until this problem is fixed.
05:33 < wget> (chocolatey is mainly used by tech savvies and companies)
05:33 < para000> i find it easy with .py script, didn`t try the openVPN one
05:34 < para000> as with .py i can preselect to autoconnect to what config i want
05:34 < para000> wget: wait for someone more experienced to come online
05:35 < wget> para000: could you share your Python script and specify in which location you put the file to be run automatically by Windows?
05:35 < wget> para000: ok will wait.
05:35 < para000> yes wget
05:35 < para000> let me find it fast
05:35 <@plaisthos> egrain: openvpn ships with its own openssl version
05:36 < wget> In the meantime I'm gonna update the Windows client VM I have to see if it fixes the issue (it shouldn't, but in doubt).
05:36 < wget> Since chocolatey requires perfect Powershell 2.0 compatibility I couldn't update the VM.
05:36 <@plaisthos> wget: there is a openvpn adminstrator user group iirc that specifies which users are allowed to have user configs
05:36 < egrain> plaisthos: so linux and windows client have different openssl versions? what are saying here.
05:36 <@plaisthos> egrain: linux distributions ship a openssl version, openvpn uses that
05:37 <@plaisthos> windows does not, so openvpn ships its own
05:37 < egrain> oh, i'm just being told exactly that. let me see what he did.
05:37 < para000> subprocess.Popen(['openvpn-gui', '--connect', 'client1.ovpn'])      # start and connect vpn
05:37 < para000> wget: you need just this one line
05:37 <@plaisthos> wget: user configs don't start automatically iirc
05:38 <@plaisthos> the new non-interactive service starts them
05:38 <@plaisthos> but I am no windows expert
05:38 < egrain> oh, he copied the j version over the ones in the /bin folder.
05:38 < egrain> now it works.
05:38 < egrain> thanks.
05:38 < para000> plaisthos: do you have a minute
05:39 < wget> plaisthos: if I'm reading the openvpn for win32 documentation correcly, since the service OpenVPNServiceInteractive is launched by default to allow unprivileged users to start OpenVPN connections using OpenVPN GUI without any extra configuration
05:39 < wget> and in my use case, the user I'm connected to belongs to the Admin group.
05:40 <@plaisthos> and what error are you getting?
05:40 <@plaisthos> para000:
05:40 <@plaisthos> !ask
05:40 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
05:41 < wget> plaisthos: I don't have any error stricly speaking, just that my configuration *is not loaded automatically*
05:41 < para000> k, i managed to configure the openvpn almost perfectly, but i can`t rout the clients to other external IPs
05:41 < para000> only for the main IP of the server
05:42 < para000> any idee how to do it?
05:42 <@plaisthos> wget: loaded automatically as in autostarted or does not show up on the tray icon
05:42 < para000> all my IPs are added to the server
05:42 < para000> cause i can ping all of them
05:42 <@plaisthos> para000:
05:43 <@plaisthos> !nat
05:43 <@plaisthos> bah
05:43 <@plaisthos> !factoids
05:43 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
05:43 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
05:43 < wget> plaisthos: autostarted. the vpn does becomes actives (checked with ipconfig and route print)
05:43 < wget> *doesn't
05:43 < wget> *become
05:43 <@plaisthos> wget: I think interactive service does not do autostart
05:43 <@plaisthos> !ipforward
05:43 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
05:44 < wget> plaisthos: Yep, ineteractive doesn't do anything related to starting connections, it just allows users to lanch connections without being administrator.
05:44 < wget> plaisthos: However when OpenVpnServer is started automatically it *SHOULD* take the default OpenVPN configuration and start it
05:45 < para000> plaisthos: do i need to create a subnet for every client and rout that one ?
05:45 <@plaisthos> !iroute
05:45 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
05:45 <@plaisthos> if you want a subnet behind each client
05:46 <@plaisthos> otherwise I don't really understand what you are trying
05:47 < para000> plaisthos: ifconfig-push 10.8.0.201 255.255.255.0  this is my ccd file for client one
05:47 < para000> client one is getting the ip 10.8.0.201
05:48 < para000> now how do i forword this specific IP to a specific external IP
05:48 < para000> cause i tried verious methods
05:48 < para000> nothing vorked
05:48 < para000> worked*
05:48 <@plaisthos> I understand what "Oh nooo, CHECK_INCDEC_PARAM seeems to behave differently on X7 than X9, not good :s
05:48 <@plaisthos> argh
05:49 <@plaisthos> wrong copy&paste
05:49 <@plaisthos> I don't understand i forword this specific IP to a specific external IP
05:49 <@plaisthos> what are you trying to achieve?
05:50 < para000> i have 10 external IPs
05:50 < para000> i want client1 to connect to nr1 external ip
05:50 < para000> client2 to nr2 externl ip
05:50 < para000> and so on
05:50 <@plaisthos> either nat
05:50 < para000> so i crated a ccd directory
05:50 <@plaisthos> or give out that ips to the clients and configure routing accordingly
05:51 < para000> and gived every client an subnet ip 10.8.0.xxx
05:51 < para000> but now in nat how can i redirect only 1 ip form subnet not the entire subnet?
05:52 <@plaisthos> !iptables
05:52 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this., or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG, or (#3) These are just the basics to get you
05:52 <@vpnHelper> started as firewall design is beyond this channel's scope; you can also see #netfilter
05:52 <@plaisthos> !notovpn
05:53 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
05:53 <@plaisthos> I know that iptables can do that but I never done that and have no idea how to do that
05:54 <@plaisthos> I would need to read iptables documentation myself
05:54 <@plaisthos> I would give the real ips to the clients and fix the routing
05:54 < para000> k. thx for your help
05:54 < para000> problem with real ip to client is that is not connecting
05:54 < para000> if for exempla i want to connect with external IP 2
05:55 < para000> i don`t get a connection
05:55 <@plaisthos> wget: I have no idea OpenVPNService is looking for the configs to start. I would assume C:\program files\openvpn\something
05:55 < para000> but if i try to ping that external IP 2 is working
05:56 < para000> do i need to put any command in server.conf to listen on all IPs?
05:56 < wget> Ok. I narrowed the issue. The config to be auto started still needs to be in C:\Program Files\OpenVPN\config. User configs are not started automatically.
05:56 < wget> Now the connection is started automatically, it isn't showing up in the OpenVPN-GUI.
05:56 <@plaisthos> that is expected
05:56 <@plaisthos> iirc
05:57 < wget> expected to not show in the OpenVPN GUI?
05:58 <@plaisthos> the ui shows only the connection for current user iirc
06:05 < davidgiluk> Greetings
06:07 < davidgiluk> a few minutes after I connect with OpenVPN I find the TCP connections I made hang;  I kill the things using them (mutt/hexchat) and restart those and then it's fine and carries on fine all day
06:07 < davidgiluk> This is on openvpn 2.3.14 on fedora 25 over a UDP tunnel;  this didn't used to happen until ~1.5 months ago, and I don't think my colleagues on the same ovpn servers are seeing it;    any suggestions on where to look?
06:13 <@plaisthos> i would run tcpdump on the tun and the eth interface writing in a file and look at the pcap with wireshark
06:13 <@plaisthos> if openvpn client/server logs are not telling you anything
06:18 < davidgiluk> plaisthos: So I did that on the tun interface and on a remote host and https://paste.fedoraproject.org/520754/48370453/  is a summary
06:19 -!- Guest44814 is now known as dazo
06:19 < davidgiluk> plaisthos: If I was tcpdump'ing the ether interface what would I be looking for given the stream is encrypted, note that the VPN doesn't drop - it's just the tcp connections over the VPN that hang
07:19 < para000> plaisthos: still here?
07:24 <@plaisthos> para000: yes
09:19 <@krzee> lol
09:33 <@krzee> davidgiluk: you can tcpdump the tun interface and its not encrypted
09:35 < davidgiluk> krzee: Right, I did that (together with tcpdumping a remote server I had a telnet connection to at the same time) which is what I summarised https://paste.fedoraproject.org/520754/48370453/
09:37 < davidgiluk> krzee: at some point the destination host stops receiving anything from me, but I see a dup ack that I dont knoe where it came from
09:53 < para000> krzee: every time i search the internet on the client machine my ping to www.google.com on that machine for the time of the search jumps to 2000+ from 160 for 5 seconds or so till the search ended?
10:24 < PugaBear> so if I want to use obfsproxy ( https://community.openvpn.net/openvpn/wiki/TrafficObfuscation ) do I need to make my openvpn server use TCP instead of UDP? since obfs uses TCP... Ive tried obfs before but I could never get it to connect, and I remember that changing the TCP/UDP settings in the client config (.ovpn) gave me some progress
10:24 <@vpnHelper> Title: TrafficObfuscation – OpenVPN Community (at community.openvpn.net)
10:25 < para000> how do i incress speed of my client ?
11:13 < iheartlinux> if I monitor a local tun via wireshark, should I see a ping directed to it's address?
11:21 <@dazo> iheartlinux: a tun/tap interface carries normal IP packets aimed at hosts/applications sending traffic via the VPN ... OpenVPN reads the tun/tap traffic, encrypts it, sends it to the remote host via a UDP/TCP connection, the remote OpenVPN process decrypts it, and writes these packets to its local tun/tap interface ... and vice versa
12:26 < diamerir> hello how do i view my openvpn profile and also connection log?
12:27 < diamerir> is any one eh here? then please tell me
12:29 < diamerir> i just did openvpn --config file ?
12:29 < diamerir> so?
13:06 < PugaBear> Im getting this error when I try to run OpenVPN (server side) http://paste.bn-mc.net/voqac (even as root)
13:06 < PugaBear> er sorry
13:06 < PugaBear> when I try to run obfsproxy
13:07 < PugaBear> I tried changing the permissions of that file but same error..
14:19 < diamerir> heij
14:19 < diamerir> my vpn is leaking
14:19 < diamerir> hwo do i stopo it which option to use in arch linux?
14:19 < diamerir> i tried --block-dns-leak but that doesn't work
14:20 < diamerir> why is it given when it is just for windows ?
14:20 < diamerir> ecrist: danhunsaker mattock ?
14:28 < diamerir> please for god's sake
14:28 < diamerir> do it for god's sake atleast
14:28 < DArqueBishop> !patience
14:29 < DArqueBishop> Oh.
14:29 < DArqueBishop> !whining
14:29 <@vpnHelper> "whining" is < MacGyver> If somebody reads your question, and knows the answer, he'll answer it when and how he feels like it. This is IRC, not your company's paid tech support desk. Whining doesn't do any good except annoy the people who could help you.
14:30 < diamerir> please
14:31 < diamerir> DArqueBishop: can you tell now
14:31 < diamerir> time is one thing that is running out of my hands
14:32 < DArqueBishop> I don't actually know, else I would have answered.
14:33 < DArqueBishop> Like the factoid pointed out, you need to have patience. This is not paid technical support.
14:34 < DArqueBishop> Those who do know are probably doing other things that they're actually being paid to do.
14:42 < para000> diamerir: still here?
14:42 < para000> push "block-outside-dns"
14:42 < para000> did you tired this>
14:42 < para000> ?
14:49 <@dazo> diamerir: --block-dns-leak is a Windows only feature ... for Linux, you need to use additional tools to configure and reset DNS settings up on connect/disconnect
14:50 <@dazo> para000: it is absolutely wonderful that you want to help out here!  We highly appreciate that ... but please don't try to guess solutions, that will more often just confuse users
14:51 <@dazo> !blockdns
14:51 <@vpnHelper> "blockdns" is (#1) --block-outside-dns is a Windows only option and there are no plans to add this for any other platforms. The reason is that it modifies the Windows Firewall on-the-fly, or (#2) You can achieve a similar functionality by using --up and --down (or using the down-root plugin) to manipulate the firewalls to deny DNS requests outside the VPN tunnel when it is running
14:51 <@dazo> !pushdns
14:51 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for
14:51 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
14:51 <@dazo> diamerir: ^^^ look at !blockdns and !pushdns
14:54  * dazo calls it a week
14:55 <@ecrist> diamerir: why are you pinging everyone in the channel?
14:56 < diamerir> come okn guys
14:56 < diamerir> i try to draw maximum attention
15:26 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:26 -!- mode/#openvpn [+v s7r] by ChanServ
15:35 < w9qbj> !pivpn
15:35 < w9qbj> !dns
15:35 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
15:36 < w9qbj> !raspberry
15:36 < w9qbj> !pi
15:40 < para000> !windns
15:40 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
19:32 < blipsblops> hello due to the release of openvpn2.4 for windows i'm now using tap-windows NDIS6 (prior to that i always used the I00x versions rather than I60x), this new tap interface causes performance problems here (win7). For instance when listening to some radio stream i'm not able to surf anymore, downloads slow to a trickle, packets are dropped, latency is very high pings 3500ms+ etc... Any known
19:32 < blipsblops> issue/fix related to this?
19:33 < blipsblops> also using the old "tap-windows 9.9.2" with openvpn2.4 fixes the problem, performance as usual. I know i could just install this tap interface separately but isn't the default openvpn package supposed to work out of the box?
19:39 < blipsblops> could some combination of parameters to "optimize" windows's tcp/ip stack be the cause for such behavior?
20:58 -!- F2Knight is now known as F2Knight[away]
21:11 < _vyscond> Hello guys
22:39 <@ecrist> hola
22:59 < ordex> hola hola !
22:59 < ordex> :]
23:54 -!- ShadniX_ is now known as ShadniX
--- Day changed Sat Jan 07 2017
03:12 < echosystm> hi guys
03:13 < echosystm> my vpn shuts down once every 24 or so and i have to restart the service
03:13 < echosystm> whats the best way to make that happen automatically?
04:56 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 256 seconds]
05:19 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
05:19 -!- mode/#openvpn [+o syzzer] by ChanServ
11:03 < Ducky^> hi all, I have an openvpn server with a /16 subnet
11:04 < Ducky^> I was wondering if there is a way to allow certain ranges client to client access, i.e. 10.8.1.0/24 can ssh to 10.8.0.0/24 IPs but not vice versa
11:04 < Ducky^> I've been messing with firewalls but can't seem to find the right info
11:05 < Ducky^> if I enable masquerading on the default zone then I get client to client on all IPs, but I don't think that's the right method
11:05 < Ducky^> I'm using centos and firewalld
11:08 < Ducky^> alternatively, if there is another method of doing this, say only allowing client to client via key names or something
11:10 <@krzee> Ducky^: dont use the config option client-to-client
11:10 <@krzee> !c2c
11:10 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
11:10 <@vpnHelper> other clients
11:11 <@krzee> and yes with proper firewall rules you can do that
11:12 <@krzee> ##netfilter can go into depth with those rules once you have addressing right in openvpn, do you already have that setup?
11:12 < Ducky^> oh dear, I didn't realise that option avoided the firewall
11:12 < Ducky^> addressing is set up, I'm able to set certain keys to 10.8.1 and 10.8.0 with ipp.txt
11:13 < Ducky^> presumably that's all that's needed
11:14 < Ducky^> oh, no client-to-client was disabled
11:14 < Ducky^> so it wasn't affecting me
11:14 < julius> hi
11:14 < julius> got a problem with ccd, the ccd file is just ignored... here is my config: https://bpaste.net/show/3ed9981e5c11
11:14 < julius> any idea whats wrong?
11:15 < Ducky^> I'll ask netfilter, thanks krzee
11:15 <@krzee> !ipp
11:15 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
11:16 < Ducky^> !iporder
11:16 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
11:16 < Ducky^> !static
11:16 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder, or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range, or (#5) See also: !addressing
11:17 <@krzee> julius: verb 4 please
11:18 <@krzee> !client-connect
11:18 <@vpnHelper> "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
11:18 <@krzee> !script
11:18 <@vpnHelper> "script" is (#1) See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR, or (#2) to see all vars available to a script, you can env > /tmp/env, or (#3) if using bash you can put exec 2>&1 in the first line of your script and it will send all error output to
11:18 <@vpnHelper> your openvpn log. set -x as well to show your commands as they are executed
11:43 < Ducky^> krzee: I set the static IP for a client using ifconfig-push on a server side client file and it seems to have worked, but I can no longer ping the VPN server from that client anymore
11:43 < Ducky^> any idea what it can't find the server?
11:43 < Ducky^> why*
11:47 <@krzee> does the server have a route to the subnet that you gave the client?
11:47 < skyroveRR> Hey krzee
11:47 < skyroveRR> :)
11:48 < Ducky^> krzee: think so, I can ping the client from the server
11:48 <@krzee> does the server firewall allow tun+ on INPUT?
11:48 <@krzee> hey sky
11:48 <@krzee> !factoids search ping
11:48 <@vpnHelper> "shaping" is to enable traffic shaping on clients, you do this in your firewall. it is unrelated to openvpn. it is called QOS, and in linux you would enable it in iptables with tc
11:48 <@krzee> !factoids search 1way
11:48 <@vpnHelper> "1way" is a 1-way ping between client and server usually indicates that you have a firewall problem on the end that cannot be pinged but is able to ping the other side
11:49 < Ducky^> ot
11:49 < Ducky^> erm
11:49 < Ducky^> *ping is intermittent from server to client
11:49 < Ducky^> like it's just stopped working
11:49 <@krzee> intermittent?
11:49 <@krzee> i doubt that, its likely changing with settings
11:50 <@krzee> unless you have network issues unrelated to this
11:50 < Ducky^> possibly
11:51 < Ducky^> clients on 10.8.0.* don't seem to have any problems
11:51 <@krzee> show me your server config
11:51 < Ducky^> it's the one client on 10.8.1.* which is acting up
11:51 <@krzee> and iptables-save -c
11:55 < Ducky^> http://ks361234.kimsufi.com/s/server.conf
11:55 < Ducky^> http://ks361234.kimsufi.com/s/iptables.txt
11:58 < Ducky^> ping actually seems to be ok server to client now, not sure what was interrupting it before
11:58 < Ducky^> still no ping client to server though
12:00 < Ducky^> disabling the firewall doesn't seem to make a difference anyway
12:02 < Ducky^> in the client conf file I just have "ifconfig-push 10.8.1.200 255.255.0.0"
12:05 <@krzee> !configs
12:05 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
12:05 <@krzee> please respost the config without the comments
12:07 < Ducky^> http://ks361234.kimsufi.com/s/cserver.conf
12:08 <@krzee> route 10.8.1.0 255.255.255.0
12:08 <@krzee> in the config
12:08 <@krzee> restart the config, connect the client, try again
12:12 <@krzee> openvpn knows about the ip it gives the client, but the kernel routing table needs to know too
12:12 <@krzee> so that ^ will do it
12:21 < Ducky^> krzee: I added that and also rebooted the client, because for some reason it was showing two active tun interfaces one on 10.8.0.0 and one 1.0 even though only one vpn service was running
12:21 < Ducky^> one or the other fixed it, thanks
12:23 <@krzee> np
15:18 < arunpyasi> Hello everyone
15:18 < arunpyasi> I had an issue
15:19 < arunpyasi> anyone around ?
15:24 < _vyscond> Not quite.
15:25 < arunpyasi> _vyscond, do you have experience on VNC ?
15:26 < _vyscond> Nope. i just entered here on the early morning to ask about other stuff :/
17:26 <@krzee> !ask
17:26 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
18:06 -!- Ekho- is now known as Ekho
23:05 < sivang> !welcome
23:05 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
23:05 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
23:08 < sivang> !setup openvpn on latest amazon linux ami
23:08 < sivang> !make openvpn web ui work
23:09 < sivang> !howto
23:09 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
23:23 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
23:28 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
23:28 -!- mode/#openvpn [+o vpnHelper] by ChanServ
23:28 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
23:28 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
23:28 -!- mode/#openvpn [+o vpnHelper] by ChanServ
23:52 -!- ShadniX_ is now known as ShadniX
--- Day changed Sun Jan 08 2017
05:54 < phunn1e2> hi y'all, is there anyone who can help me with assigning public IP addresses via openvpn? I've done it according to page 338 of the cookbook but I lose connectivity when I start the server...
06:11 < Ducky^> does anyone know why pkitool would be creating certificates that aren't valid until 4 hours in the future?
06:11 < Ducky^> the date/time is correct on the server
06:51 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 240 seconds]
06:53 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
06:53 -!- mode/#openvpn [+o syzzer] by ChanServ
08:06 < honigkuchen> I blocked "Forward" with iptables
08:06 < honigkuchen> but vpn users can still access the routed network of the vpn lan
08:07 < honigkuchen> so how is it possible to allow and forbid ports
08:32 < honigkuchen> re
09:30 -!- Olufunmilayo is now known as CodeNameDrop
09:32 -!- CodeNameDrop is now known as Olufunmilayo
11:27 <@krzee> phunn1e2: you are using an entire subnet for openvpn that was assigned to you?
11:28 <@krzee> which cookbook? i have the openvpn2 cookbook in front of me and page 338 is glossary
11:29 <@krzee> the final page of the glossary in fact
11:29 <@krzee> Ducky^: date is probably incorrect on the client then
11:29 <@krzee> or on the CA machine (which should not be the server)
12:03 < Ducky^> the CA machine is the server (only for now in testing)
12:04 < Ducky^> I did check the date on the client and it matched within a minute or two
12:05 <@krzee> Ducky^: check that you dont have them off but corrected by timezone
12:05 <@krzee> run ntpdate or something
12:10 < Ducky^> I'll have a look tomorrow when I'm back in
12:10 < Ducky^> thanks krzee
12:10 <@krzee> yw
12:18 -!- [0xAA] is now known as ZeroPings
13:11 -!- ZeroPings is now known as [0xAA]
14:04 < slypknot> hi ?
16:50 < plertrood> Hi, I am trying to get my server connected to an openvpn vpn..
16:51 < plertrood> If I have "redirect-gateway def1" set then I cannot seem to access the server unless I am connected to the vpn myself. So no ssh or http..
16:51 < plertrood> If I have this setting off, I cannot access the server via its vpn address.
16:52 < plertrood> What I would like to do is for anyone to be able to connect to port 80 on the main address, and then me connect via the vpn to any other necessary port.
16:52 < plertrood> I seem to have all or nothing depending on this redirect gateway setting.
16:53 < plertrood> I think the problem is to do with how traffic is being returned.
16:54 < plertrood> Any ideas how I can set it so that traffic coming in through the vpn is returned via the vpn and all other traffic through the standard gateway?
19:28 -!- patcable_ is now known as patcable
--- Log closed Sun Jan 08 19:32:42 2017
--- Log opened Mon Jan 09 06:31:35 2017
06:31 -!- Irssi: #openvpn: Total of 242 nicks [7 ops, 0 halfops, 2 voices, 233 normal]
06:31 -!- mode/#openvpn [+o ecrist] by ChanServ
06:31 -!- Irssi: Join to #openvpn was synced in 1 secs
06:44 < jamesaxl> jiquera, Windows is good also, but ... :)
06:45 < jamesaxl> it is just for using an OS, not for studying Os or computer in general,
06:46 < jamesaxl> what is the good OS ? the answer is "No one".
07:23 <@krzee> !bestos
07:23 <@vpnHelper> "bestos" is the best os for openvpn is the one you are most comfortable with
07:25 < myeagleflies> hi
07:29 < Ducky^> hi
07:35 <@ecrist> !learn bestos as FreeBSD.  Always FreeBSD.
07:35 <@vpnHelper> Joo got it.
07:35 <@ecrist> !bestos
07:35 <@vpnHelper> "bestos" is (#1) the best os for openvpn is the one you are most comfortable with, or (#2) FreeBSD. Always FreeBSD.
07:38 <@plaisthos> ecrist: does freebsd have multipath tcp?
07:46 < ghoti> plaisthos: an introduction to MPTCP was presented at BSDCan in 2013. It existed as a kernel patch for FreebSD v10, and afaik should be included in the upcoming FreeBSD 11 release.
07:48 < ghoti> er, "an" upcoming FreeBSD 11 release, since 11.0 is already out. :) For the moment, it's still a kernel patch.
07:49 <@plaisthos> ah nice
07:51 < ghoti> I imagine it'll become a standard configurable part of the operating system with the release immediately after the standard gets nailed down -- at the moment, I think IETF has only published RFC6824 as "experimental".
07:53 <@ecrist> FreeBSD doesn't generally lag with network protocols.
08:15 < jiquera> lol at the quick bot config
08:15 < jiquera> but i agree more with the original definition
08:15 < jiquera> asking a user to configure something he's not familiar with is not gonna give a better result
08:16 < jiquera> ecrist: i found bugs for you btw (see trac) if you're bored, go fix :p
08:40 <@ecrist> :(
08:54 < jiquera> don't be unhappy, i think they're easy to fix, have confidence you can do it ;)
14:18 <@krzee> ecrist: i have received chapters 5 and 9, no 8 yet... how many chapters are there total?
14:35 <@ecrist> 9 total - I'm going to finish 8 this week.
14:36 <@ecrist> I wanted it done by the end of the weekend buy failed that.
14:36 <@ecrist> so you should have received ALL except 8 at this point.
14:57 <@ecrist> krzee: ^^^
16:07 < aegis> Hey, has anyone enabled the dickbutt mod in the latest version of openvpn?
16:10 <@plaisthos> aegis: ?!
16:11 <@plaisthos> what are you talking about?
16:27 < w9qbj>  /join #arduino
17:16 <@dazo> ouch ... Yahoo! seems to be going down big time ... https://twitter.com/TheRegister/status/818592023452057600
17:17 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
17:21 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:22 -!- mode/#openvpn [+v s7r] by ChanServ
18:45 < Eugene> I'm still amazed that they made it out of the 90s
19:01 <@ecrist> aegis: ?
20:02 < AverageAdam> Hello, I would like to update to the latest openvpn but I am getting an error when I try to compile from source.
20:02 < AverageAdam> it appears to be an issue with cmake
20:03 < AverageAdam> would someone mind helping me figure this out?
20:03 < AverageAdam> !! WARNING !! The cmoka git submodule has not been initialized or updated.  Unit testing cannot be performed.
20:04 < stellator> !welcome
20:04 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
20:04 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
20:05 < stellator> !redirect
20:05 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
20:05 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
20:06 < stellator> !ipforward
20:06 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
20:07 < stellator> !fbsdipforward
20:07 <@vpnHelper> "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
20:07 < stellator> !nat
20:07 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
20:09 < stellator> I would like to selectively redirect network traffic from my desktop through my VPS, and I'm not sure what part isn't working
20:33 <@ecrist> Anyone aware of a way to test mbed TLS performance?  Something akin to openssl speed <cipher>?
20:40 < AverageAdam> ecrist: would you have any clue why I am getting these errors during compilation? http://pastebin.com/gADeqTu6
20:59 <@ecrist> AverageAdam: you didn't provide enough logs.
20:59 <@ecrist> Did you make sure to follow the compile instructions, including the bootstrap step?
21:00 < AverageAdam> what is the bootstrap step ecrist?
21:00 < AverageAdam> at first I just tried to do ./configure as usual
21:01 < AverageAdam> then I saw that it was asking for lz4 this time so I installed that, then I installed cmake dev
21:02 < AverageAdam> I have never have not had this issue in the past
21:02 < AverageAdam> last time I compiled from source was 2.3.11
21:06 < redrabbit> hi, how can i make sure tun0 only uses eth1 to connect to server
21:16 < ordex> redrabbit: openvpn will use the routing table to decide how to connect to the vpn server - like for any other packet being sent out
21:16 < ordex> you have to make sure that the routing table is configured the way you want
21:17 < redrabbit> so something like "route add 123.12.14.10 gw 10.8.0.1 eth1"
21:17 <@ecrist> AverageAdam: see here: https://community.openvpn.net/openvpn/wiki/TesterDocumentation
21:17 <@vpnHelper> Title: TesterDocumentation – OpenVPN Community (at community.openvpn.net)
21:17 <@ecrist> !build
21:22 < AverageAdam> ecrist: thank you for your reply...
21:22 < AverageAdam> this is my result  http://pastebin.com/YHL7b2TJ
21:25 <@ecrist> AverageAdam: the errors seem rather plain to see
21:25 < AverageAdam> forgive my ignorance but I don't know what I am doing wrong
21:25 < AverageAdam> I am not doing anything different than I usually do
21:26 <@ecrist> why are you trying to build?
21:26 < AverageAdam> so I can use openvpn
21:26 < AverageAdam> I normally always compile from source
21:26 <@ecrist> http://stackoverflow.com/questions/38722465/automake-subdir-objects-is-disabled
21:26 <@vpnHelper> Title: linux - automake subdir-objects is disabled - Stack Overflow (at stackoverflow.com)
21:27 <@ecrist> regardless, those are warnings
21:27 <@ecrist> you should be able to do a ./configure now
21:28 < AverageAdam> I have never experienced this before, why is this happening?
21:28 < AverageAdam> last time I compiled openvpn was 2.3.11
21:28 <@ecrist> software gets updated...
21:28 < AverageAdam> haha
21:28 <@ecrist> including the autoconfig, etc
21:28 < AverageAdam> fair enough
21:29 < AverageAdam> so where can I make the change to make this not pop those warnings or have issues?
21:30 < AverageAdam> is it an issue with the openvpn config files or do I need to make a change to automake?
21:30 <@ecrist> I googled it for you and posted a viable link above...
21:30 < AverageAdam> yeah I see, it just doesn't seem very clear
21:33 < AverageAdam> It seems to be an issue that I really need to resolve. I did autoreconf -iv like it said in your link earlier, and I just tried to compile now without success.
21:34 < AverageAdam> same errors
21:34 < AverageAdam> I tried autoreconf -i -v -f after reading the INSTALL file in source before that with the same results
21:35 <@ecrist> AverageAdam: can you post a more complete compile log?
21:36 < AverageAdam> where would I find the compile log?
21:36 <@ecrist> it's the output of "make"
21:36 <@ecrist> or does ./configure fail?
21:37 < AverageAdam> you mean the entire output of make, or just the errors at the end?
21:37 < AverageAdam> configue runs but with a warning
21:40 < AverageAdam> this is the tail end of ./configure  http://pastebin.com/SF7ZUj1B
21:41 < AverageAdam> and then this is the tail end of me running make just now... http://pastebin.com/PXtzxE94
21:44 <@ecrist> are you compinging git master, or the 2.4.0 release?
21:44 < AverageAdam> 2.4.0 tarball
21:44 <@ecrist> are you using BSD make, or gmake?
21:44 < AverageAdam> make on debian testing
21:45 <@ecrist> I'm not sure, then.
21:45 <@ecrist> I published the FreeBSD devel port and compile works just fine for me with gmake
21:45 < AverageAdam> me either
21:46 < AverageAdam> I have never experienced this and I am beating my head against the wall to try and figure it out
21:46 < AverageAdam> everything is usually so smooth
21:48 <@ecrist> poke #openvpn-devel about it in about 12 hours
21:48 <@ecrist> or send a message to the mailing list.
21:49 < AverageAdam> ok, I'll keep trying until then
21:49 < AverageAdam> thank you sincerely for trying to help me troubleshoot this headache
23:00 < AverageAdam> this is insane ecrist, now I have repeated the same thing on a completely different server
23:11 <@krzee> new debian or old?
23:13 <@krzee> With OpenVPN v2.4, the project has moved over to depend on and actively use the official C99 standard (-std=c99). This may fail on some older compiler/libc header combinations. In most of these situations it is recommended to use -std=gnu99 in CFLAGS. This is known to be needed when doing i386/i686 builds on RHEL5.
23:14 <@krzee> maybe that helps? dazo pointed it out to me before when i was compiling on an old system
23:17 <@krzee> oh i just saw, debian testing
23:17 <@krzee> i dont have any new debian servers handy
23:23 < AverageAdam> krzee: thank you for responding
23:24 < AverageAdam> I use debian testing
23:24 < AverageAdam> so it is very up to date
23:25 < AverageAdam> I just keep getting the same issue, warnings at the end up compile, failure at the end of make
23:26 <@krzee> can you post ./configure output just in case we see something?
23:28 < AverageAdam> absolutely
23:29 < AverageAdam> how can I give you the entire output?
23:32 < AverageAdam> here is the end with the errors http://pastebin.com/SYjgDZja
23:34 < AverageAdam> Sorry... here is the entire configure http://pastebin.com/WM5SrvRQ
23:39 < AverageAdam> here is the full make output  http://pastebin.com/1AsdUvY4
--- Day changed Tue Jan 10 2017
00:04 <@krzee> ya i looked but i dont see anything i can fix, so same advice from ecrist ++
00:05 < AverageAdam> just contact devel in a few hours? krzee
00:08 <@krzee> yep
00:09 < AverageAdam> well thank you for taking a look krzee. I am exhausted now.
00:09 < AverageAdam> o/
00:45 < Pegasique> hello. It seems that my vpn provider (paid) silently drops any packet with dst port out of range 0-1023, so no IRC, no p2p, no 3218,8080 etc. What's easy ways to avoid such restraints?
00:51 < subzero79> Pegasique get another provider or complain to them
00:51 < Pegasique> okay :(
00:52 < subzero79> which one is it?
00:52 < subzero79> after all you're paying for the service
00:52 < Pegasique> not me. it was a gift from friend.
00:52 < subzero79> useless vpn if is only for browsing
00:55 < Pegasique> ... also they block dst port smtp. Because you know spammers. Instead they offer to edit your route table manually.
01:04 < redax> hi!
01:05 < redax> is there a way to prevent pushing global routes to only one-two clients via client-config-dir
01:05 < redax> ?
01:18 <@plaisthos> !client-connect
01:18 <@vpnHelper> "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
01:18 <@plaisthos> !ccd
01:18 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
02:39 < redax> seems like, moveing generic push routes to ccd/DEFAULT from the server.conf, and creating ccd/common-name for the exceptions is a better choice
03:05 <@plaisthos> or that
03:05 <@plaisthos> or push-remove in 2.4
03:13 < redax> oh. push-remove ? Let me check, Thanks!
03:41 < jiquera> I migrated my server to 2.4 yesterday. However, my UDP server says: UDP: Cannot create UDP/UDP6 socket: Address family not supported by protocol (errno=97)
03:41 < jiquera> I then changed protocol form udp to udp4
03:41 < jiquera> and it works
03:42 < jiquera> is it supposed to work like this or do I have stuff misconfigured
03:42 < redax> plaisthos: thanks, it is working well with the push-remove directive as well.
03:46 < jiquera> I have it running on a router, and i dont have ip6 configured, how does openvpn determine it should use ipv6 or not?
03:47 < jiquera> I also have tun-ipv6 in the config (auto generated) is that causing issues?
04:19 < mjkr> is currently openvpn's vpn service accessible from within people's republic of china?
04:20 < mjkr> (I forgot the name of the service)
04:20 < ordex> mjkr: there are several service provider, each of them might be in a different risutation with respect to PRC
04:21 < mjkr> there is only one
04:21 < mjkr> run by openvpn...
04:21 < mjkr> i once had an app on android
04:21 < mjkr> again, i don't have the best memory...
04:23 < ordex> oh ok, sorry I don't know it
04:23 < ordex> but if you remember the name .. please shoot it here.. I am curious :)
04:24 < mjkr> okey
04:33 <@plaisthos> privatetunnel is the one opera by openvpn inc
04:33 <@plaisthos> operated
04:34 <@plaisthos> it might be that their service still works since it is basically the only service that runs a different server implementation than everyone else
04:34 <@plaisthos> and the GFW is confused by the minor differences
04:53 < ordex> plaisthos: I think he was referring to a provider with a server phisically located within china
05:02 <@plaisthos> or that
05:44 -!- Vercas_ is now known as Vercas
06:07 < jiquera> @ecrist: is easy-rsa still under active development? can I submit patches?
06:12 < mjkr> ordex: no
06:13 < mjkr> plaisthos: I am only referring to a server that's hosted by the official openvpn business unit
06:13 < mjkr> it's got an android app even
06:13 < mjkr> however, I have forgotten the exact name
06:13 < mjkr> it was a longlonglong while
06:17 <@plaisthos> mjkr: yes, privatetunnel
06:17 < mjkr> YEEEEES!
06:17 < mjkr> mind letting me know if privatetunnel still works for people's republic of china? (NOT republic of china, as there are two chinas)
06:19 < mjkr> apparantly not
06:25 < ordex> mjkr: sorry, I misunderstood
06:25 < ordex> mjkr: may I know how do you try ?
06:25 < ordex> are you in PRC ?
06:25 < mjkr> yes, the evil china
06:26 < mjkr> I'm tired of maintaining my own vpn server
06:26 < mjkr> so I wanna find a managed solution of some kind
06:27 < mjkr> the owner of the said business cannot be chinese
06:27 < mjkr> and the company MUST NOT have paid a single cent in tax to the chinese government
06:29 < mjkr> after all, softlayer's quite expensive...
06:29 < mjkr> so its cloudsigma etc
08:01 <@ecrist> jiquera: you're welcome to submit patches.  I merge good ones
08:07 < ordex> mjkr: I know expressVPN is quie resilient when it comes to PRC
08:07 < ordex> mjkr: I am also working on setting up a server that can be PRC resilient and I was looking for testers :)
08:07 < ordex> can I ping you in the future ?
08:07 <@ecrist> sPRC?
08:08 < ordex> ? :D
08:08 <@ecrist> oh, I see
08:45 <@ecrist> jiquera: to elaborate a bit more, I plan on picking up on easy-rsa development as soon as I'm done with another project (a book).  that should be wrapping up by the end of January.
08:45 <@ecrist> There's a number of issues with the project as it sits now, so it's definitely in need of attention.
08:45 <@ecrist> Also, I would like to merge it's functionality with ssl-admin in the future.
08:46 < jiquera> ow that's sounds awesome
08:46 < jiquera> let me know, if you need help or testers or you know, moral support :P
08:46 <@ecrist> there's always room for development help.
08:47 < jiquera> please keep it simple though, the more options you add the closer you get to actually just running openssl
08:48 <@ecrist> right.  ssl-admin is a menu-driven application.  I'm hoping to build easy-rsa into a hybrid interactive application with a batch mode
08:48 <@ecrist> (bring "easy" back to easy-rsa)
08:50 < jiquera> ow yeah :p
08:55 < jiquera> @ecrist: you might start collecting easy-rsa bugs from trac, I know you'll probably rewrite 100% of the code, but for the users it might be nice to know that it's on your list
08:58 < jiquera> and I'll be available at the beginning of februari for small development stuff :) I'll contact you then
09:00 < jiquera> at dev team, what is usually the strategy for minor updates? do you wait a certain amount of time? certain amount of bugs? critical bug?
09:01 <@ecrist> the official bug tracker for easy-rsa is github
09:02 < ordex> jiquera: about ticket #891: it looks like ipv6 is not enabled in your kernel
09:02 < ordex> either you have to insmod the module or at least you have to make sure it is compiled
09:02 < jiquera> im using dd-wrt
09:02 <@plaisthos>  getaddrinfo is behaving strange then
09:02 <@plaisthos> and just use udp4
09:02 < jiquera> but i didnt config ipv6
09:03 < jiquera> yeah i do everything is working now... but i'd like to find root cause :)
09:03 < jiquera> and then force somebody to fix it :p
09:03 < ordex> jiquera: if you use udp or tcp only, it will try to guess what's the system prefernce (simplication here)
09:03 < ordex> and in your system it seems to be IPv6, but then IPv6 is not enabled in the system
09:03 < ordex> if you use udp4/tcp4 then it will only try to use IPv4
09:04 < jiquera> yeah i already asked the dd wrt devs to confirm this
09:04 < jiquera> i know i know
09:04 < jiquera> i set it to udp4 for now
09:04 < ordex> plaisthos: I guess that getaddrinfo does not know if IPv6 is enabled in the kernel or not
09:04 < jiquera> if it is indeed a misconfig in dd wrt
09:04 < jiquera> they'll probably fix it
09:05 < ordex> because to resolve a name it does not need to have IPv6 capabilities, no ?
09:05 < jiquera> but it should be in the kernel... i mean dd wrt supports ipv6 just fine
09:05 < jiquera> i just dont use it
09:06 < ordex> what do you mean with "don't use it"? the module is blacklisted?
09:06 < ordex> in that case, it would lead to this behaviour I guess
09:07 < jiquera> ehhhhh... linux noob busted
09:07 < ordex> :D
09:07 < jiquera> so in the dd-wrt ui it's not enabled
09:07 < jiquera> but i have no clue what that means in the backend
09:07 < ordex> eheh
09:07 < jiquera> can i check that?
09:07 < ordex> me neither :D I don't use ddwrt
09:08 < ordex> you can probably just do "lsmod |grep ipv6" for starters
09:08 < jiquera> oki 1sec (i might disconnect)
09:12 < jiquera> lsmod only gives a small list
09:12 < jiquera> and no
09:12 < jiquera> no ipv6 in there
09:30 < ordex> jiquera: I guess it is not loaded then (I don't think ddwrt would compile it as builtin)
09:30 < ordex> it is very possible that the module is not installed at all - ddwrt may install it when enabled only
09:30 < jiquera> but it should be present in the system...
09:31 < jiquera> or is that not what you mean with install
09:31 < jiquera> i think loading makes more sense
09:31 < jiquera> I'll play with it this weekend
09:31 < ordex> jiquera: you can do "find /lib/modules |grep ipv6"
09:31 < ordex> to see if it's there at least
09:32 < jiquera> I'm afraid I disconnect myself from the router for the rest of the week if I do it now:p
09:32 < ordex> :D
09:32 < jiquera> ipv6.ko
09:32 < jiquera> is that a thing
09:32 < jiquera> like the kind of thing that does ipv6 :p
09:32 < jiquera> there are several others as well
09:36 < ordex> :D
09:36 < ordex> yes is that thing
09:36 < ordex> is that in /lib/modules/$something/$something/ ?
09:36 < jiquera> so I guess enabling it in the UI will load it after a reboot
09:37 < ordex> yap, or even without reboot
09:37 < jiquera> its in /lib/modules/4.4.39/
09:37 < ordex> still, if you don't want to load IPv6, I'd suggest to keep on using udp4
09:37 < jiquera> so if it's not loaded
09:37 < jiquera> openvpn cant see that it shouldnt use ipv6?
09:40 < ordex> it's not openvpn by itself, but getaddrinfo
09:41 < ordex> like plaisthos was saying before
09:45 <@plaisthos> jiquera: the os tells openvpn to do IPv6
09:45 <@plaisthos> so OpenVPN does ipv6
09:45 <@plaisthos> on a real dualstack ipv6+ipv4 system the ipv6 socket will also accept ipv4 connection
09:45 < jiquera> yeah i get that... but it's sounds weird that you need a ipv6 module to determine you dont want to do ipv6? right?
09:45 <@plaisthos> so that is right
09:46 <@plaisthos> jiquera: openvpn just does what it is being told by getaddrinfo
09:46 <@plaisthos> which is a libc function
09:46 < jiquera> yeah i know it
09:46 < jiquera> used it plenty
09:46 < jiquera> ow well let's see what ddwrt devs think of it
09:47 <@plaisthos> if you want to froce protocol, there is udp4 and udp6
09:47 <@plaisthos> probably nothing
09:47 < jiquera> yeah indeed :p
09:47 <@plaisthos> that is something that glibc or whatever libc ddwrt uses has to fix
09:47 < jiquera> blegh another forward
09:48 <@plaisthos> and then again, they might just tell you that a system without ipv6 capability in 2017 is a rare corner case
09:48 <@plaisthos> a ipv6 only system acting up is bug worthy to fix in 2017
09:48 < jiquera> yeah my guess now is that if I enable ipv6 but dont configure it, it works
09:49 <@plaisthos> jiquera: just use udp4 and don't make your life more complicated than it needs to be for god's sake
09:49 < jiquera> :D
09:49 < jiquera> but but
09:49 < jiquera> i like complications
09:50 < jiquera> ok... ill stick to udp4, i have a few other battles to fight with ddwrt guys anyway
09:51 < jiquera> ow @plaisthos: maybe you knwo
09:52 < jiquera> ow nvm
09:52 < jiquera> i kind of figured out the answer just now :p
09:59 -!- test___ is now known as kitsune1
10:12 < par> hey. How can I disable creation of ccd files in /etc/openvpn directory ?
10:13 < par> I would prefer something like client-config-dir /dev/null but openvpn does not like it
10:13 < bencc> can I use a vpn for connecting several VPSs like db, media and application servers?
10:13 < bencc> can I use a vpn across datacenters?
10:15 < jiquera> don't use the --client-config-dir option
10:15 < par> jiquera: I don't - it still creates those files under /etc/openvpn
10:15 < jiquera> ow hm
10:15 < par> it's openvpn 2.3.4 from debian 8 repos
10:19 < jiquera> are you sure openvpn is creating these files?
10:20 <@ecrist> par: which files does it create?
10:20 < jiquera> as the config-dir is usually used to read configs from
10:20 < jiquera> not to write files to
10:20 < jiquera> bencc: yes
10:20 < par> ecrist: in /etc/openvpn folder
10:20 <@ecrist> that means nothing to me
10:21 < par> with each file having content ifconfig-push 10.8.8.2 10.8.8.3
10:21 < par> seems like a ccd file
10:21 < par> but I do not have ccd directive in my configs
10:21 <@ecrist> yeah, that looks like it
10:21 <@ecrist> !configs
10:21 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
10:21 <@ecrist> also, what OS are you on?
10:21 <@ecrist> are you using a distro release, or downloading and compiling source?
10:21 <@ecrist> oh, I see above, debian
10:22 < par> ecrist: deb8, repo version of openvpn
10:23 <@ecrist> par: my guess is the debian package has some startup scripts that get run, creating those files.
10:23 <@ecrist> Can you please share your configs?
10:24 < par> ecrist:
10:24 < par> https://p.defau.lt/?03JBwOHHWqdZHlY19reUmw
10:24 <@vpnHelper> Title: default paste at 2017-01-10 16:13:03 (at p.defau.lt)
10:24 < par> https://p.defau.lt/?xymFlBHAbo_nSQPIC_SO0w
10:24 <@vpnHelper> Title: default paste at 2017-01-10 16:15:00 (at p.defau.lt)
10:28 < par> I don't see any other process creating these files
10:28 <@ecrist> maybe the radius plugin?
10:29 <@ecrist> this isn't behavior that openvpn normally does.
10:29 < par> could it be something to do with the fact that I am pushing some settings to the client ?
10:29 < par> and it's somehow mandatory to have those ccd files ?
10:30 < par> I'll try investigate more, add the ccd directive and compare the files etc
10:30 <@ecrist> not that I can see.
10:33 < bencc> jiquera: where can I see limitations like recommended number of servers
10:33 < bencc> and latency
10:34 < jiquera> a you can use a vpn to connect networks
10:34 < jiquera> or pcs over the web
10:34 < jiquera> but
10:34 < jiquera> latency etc depends on a lot of other factors
10:34 < jiquera> it's more about proper config i suppose
11:43 < kitsune1> par: the posted config loads /etc/openvpn/server-local.conf -- post that one too -- in any case openvpn does not create ccd files, only reads them if present. You're probably running a wrapper around openvpn. Was the server config deliberately split up into so many pieces or is this the handiwork of some automating server setup script?
11:43 < bencc> jiquera: thanks
12:33 < n1lqj> openvpn on ubuntu server successfully pushes dhcp-option to client, and client sees it but does not implement it
12:33 <@dazo> !pushdns
12:33 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for
12:33 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
12:33 <@dazo> n1lqj: ^^^
12:34 <@dazo> n1lqj: if starting openvpn connections via NetworkManager, it will pick it up though
12:34 <@dazo> (but that's because the networkmanager-openvpn plugin provides support for that)
12:35 < n1lqj> starting through command line
12:35 <@dazo> right, where #3 in !pusdhdns is your challenge
12:35 < n1lqj> nmcli does not show DNS after establishment of tunnel
12:35 < n1lqj> still digesting it lol
12:37 <@dazo> when openvpn is _started_ via networkmanager, it adds several helper "modules" to the openvpn process, which extracts information and sends it to the core networkmanager.  That does not happen when starting openvpn directly from the command line
12:37 < n1lqj> I could never get openvpn .ovpn file to import via network manager, runs find on command line
12:37 < n1lqj> gvae that up a while ago
12:38 <@dazo> yeah, there are features nm-openvpn does not support ... and especially if the version is aging a bit and that version have not been updated to support newer openvpn options
12:39 < n1lqj> command line is fine, we are building a linux based edge router for AMPR with virtuals servers and text only linux installs
12:40 < n1lqj> okay, confused about #3, I am in man page, and I see the push --dhcp-option but nop mention of an env variable
12:42 < n1lqj> does this mean push the "--setenv" first?
13:05 < kitsune1> n1qj: if you push "dhcp-option DNS addr" openvpn will set an env variable named foreign_option_{n}="dhcp-option DNS 1.2.3.4" where {n} = 1,2,3 etc.. You have to parse that in an up-script and do whatever is needed to set it. --setenv is not involved. See openvpn man page.
13:40 < apus> hi, i'm trying to use multiple vpn servers (access to different parts of the network) in combination with a single freeradius server. anyone got ideas, how i can map users to the appropriate openvpn server aside from choosing different certificates for the vpn servers and selecting cert+auth ?
13:59 <@ecrist> apus: I'd suggest using group membership
14:26 < apus> ecrist: is this something that is freeradius based or openvpn? pfsense, which is where both servers are running on certainly doesn't seem to have that option
14:41 <@ecrist> have what option?
14:42 < apus> the pfsense gui doesn't have the possibility to set the group membership, or so it seems
14:43 < apus> however, what it allows is editing the config files of freeradius. i have to be careful to not venture too far outside the gui programming of pfsense, otherwise configs may not be backed up, overwritten at boot time, etc.
14:43 <@krzee> you could put all remote entries in the clients, and have a script deny access to all servers except the one you currently want whoever on
14:43 <@krzee> then youd be able to move them as desired on the fly
14:44 <@krzee> of course id test that it works how i want before going production ;]
14:44 <@krzee> (assuming i understood your goal right)
14:47 < apus> krzee: i'm new to openvpn and freeradius, which is why i've got a lot of learning to do it seems. my goal is just to use a single freeradius server with multiple openvpn server instances, all on the same system, just on different ports. i'm just trying to say, this user is allowed for that openvpn server configuration, ...
14:51 <@ecrist> there is a facility with CCD called --ccd-exclusive
14:52 <@ecrist> this prevents a user from connecting unless they have a CCD file present
14:52 <@ecrist> that file doesn't need to contain anything, it can be entirely empty
15:11 < apus> ecrist: is that also possible to use with an app on ios/android ?
15:27 <@dazo> apus: presuming you have certificates on the ios/android client device, then yes
15:32 < apus> alternatively, is there any way i could identify different vpn server instances from the same host, perhaps by port, so i could manually somehow add entries to the freeradius files?
15:34 < apus> i don't like the idea of users only having to exchange cert files and then being able to just login to another secure subnet using their user/pass combination
15:34 <@dazo> you mean, like the VPN servers IP address?
15:35 <@dazo> apus: I don't understand your goal, hence the poor suggestion
15:35 < apus> the ip address should be localhost, because both run on the same system, but the port i'd need in freeradius and then i'd have to somehow write: user1,server1(localhost,port2000)\nuser2,server2(localhost,port2001)
15:36 <@dazo> Still don't understand the goal
15:36 < apus> dazo: pfsense allows me to configure multiple vpn servers, which is what i kind of need, because they secure different subnets, but only one freeradius server
15:37 <@dazo> still don't understand what you try to solve with different subnets ... can't you just add some --client-connect and --client-disconnect scripts which updates the firewall on-the-fly?
15:37 <@dazo> or use the pf functionality in OpenVPN?  (granted, that is an odd and poorly described feature though)
15:38 <@dazo> http://backreference.org/2010/06/18/openvpns-built-in-packet-filter/
15:38 < apus> i have the users coming in from wlan, they go a different vlan than the netadmin users, who need access to the switches, etc.
15:38 <@dazo> (the guy behind that blog post used to be active on this irc channel, and so this is probably one of a few handful non-official openvpn blogs I would trust)
15:39 <@dazo> I still don't follow why normal routing + on-the-fly firewall updates won't solve the challenge
15:40 < apus> because i have no idea how to implement that in pfsense. if i start changing the files manually i'll create a big mess of the system, because half won't be there after the reboot
15:42 <@dazo> well, I don't have any pfsense experience at all ... so I wouldn't know anything about its quirks and oddities .... all I know is that you can do what you want fairly simple by routing + on-the-fly firewall updates
15:42 <@dazo> I even wrote my own plug-in doing this many years ago
15:43 <@dazo> !eurephia
15:43 <@vpnHelper> "eurephia" is http://www.eurephia.net/
15:43 < apus> i'll have a look, thank you for your help!
15:43 <@dazo> (well, it does a lot more too ... but dynamic firewall updates are part of it, and that only works with iptables)
15:43 < apus> yeah, so not for pfsense
15:44  * dazo wonders whats fuzz about pfsense is all about ....
18:21 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has quit [Read error: Connection reset by peer]
18:21 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn
18:21 -!- mode/#openvpn [+o danhunsaker] by ChanServ
18:41 -!- Jessica23Tx_ is now known as PrincessBob
19:31 < ordex> syzzer: morning :) I like the idea of using a wrapper for check_file.._inline() - but this has to be a macro, can't do it with a function. Is that ok ?
19:31 < ordex> about the push_options() are we sure none of them can be inline'd ? /me has no 100% oveview of what options can be passed
20:24 < tundra2002> using OpenVPN Community edition with Okta plugin. Has anyone gotten 2 factor auth working in conjunction with okta plugin?
22:57 < tyriondwarf> Hey question guys, how do i change my IP
22:58 < tyriondwarf> Using openvpn, for some reason I've connected to a well known free service, and for years is been the same IP.  I don't get why or how to change
23:41 < AverageAdam> ecrist: last night you told me to join the devel channel
23:41 < AverageAdam> what is that channel again?
23:49 < AverageAdam> ecrist: I have no idea why but it says I am banned when I try to join #openvpn-devel
23:49 < xanthaos> I need a bit of help... I just installed openvpn on centos 7 and went to the /etc/openvpn directory, it's empty. No configs, no keys, no easy-rsa, nothing. I was running it on another machine (which is now offline but I do have the entire /etc/openvpn backed up from that machine)... Is that directory supposed to be empty, and if so am I supposed to put easy-rsa, configs, keys, and all in /etc/openvpn myself?
23:50 < xanthaos> Or is there something else that needs to be done after 'yum install openvpn'?
23:51 < AverageAdam> if you put the configs and everything else in there, it should work
23:52 < AverageAdam> as long as the config can find the certs and keys, the default spot for the configs is /etc/openvpn
23:53 < xanthaos> awesome then I can use the configs and keys I was using, just move everything into /etc/openvpn; and move the .service file to /etc/systemd/system/
23:53 < AverageAdam> also... the reason you most likely don't see anything in /etc/openvpn is because you installed a newer version
23:53 < xanthaos> Likely so, it's been a while since I've installed it
23:53 < rayfoss-bk0> OpenVPN says connected. I've cleared all iptables on both client and server. Tried multiple clients. tcpdump on client shows packets going into tun0. But I can't even ping 10.8.0.1! ----- I can ping 10.8.0.1 if I don't connect to OpenVPN (it's installed on the gateway), as soon as I connect the only thing I can ping is the gateway running OpenVPN... I can't even ping an intermediate gateway when connected.
23:54 < AverageAdam> have you allowed forwarding thge traffic?
23:55 < rayfoss-bk0> I've added the IPTables to do so
23:55 < rayfoss-bk0> and did sysctl -w net.ipv4.ip_forward=1
23:56 < xanthaos> Now my backup of /etc/openvpn from the other machine also includes easy-rsa as it was nested inside /etc/openvpn; so I assume that will work as well or should I grab the newer version and install it? If so I'd likely have to redo all of my keys, which I'd rather avoid if I can (rather not have to redistribute keys to users)...
23:57 < AverageAdam> what does it say in /etc/sysctl.conf  rayfoss-bk0?
23:57 < AverageAdam> xanthaos: I would absolutely grab the latest easyrsa from git if you plan to make new certs/keys
23:58 < rayfoss-bk0> # Uncomment the next line to enable packet forwarding for IPv4 (nl) net.ipv4.ip_forward=1
23:58 < AverageAdam> can I see your firewall rules pertaining to your openvpn install?
23:59 < rayfoss-bk0> iptables -S ?
23:59 < xanthaos> Okay, when I get the new easy-rsa I will have to generate a new root ca, server cert/key, and new user certs/keys, or can I use the ones I already have to keep from having to redistribute? Have the algorithms changed significantly in the last year or so?
--- Day changed Wed Jan 11 2017
00:00 < rayfoss-bk0> @AverageAdam, your wish is my command http://pastebin.com/A2x7qkdh
00:02 < AverageAdam> xanthaos: you can use the ones you already have
00:02 < AverageAdam> if you decide to make new... this is a good tutorial to use https://tryapi.wordpress.com/2016/06/23/easyrsa3-batch/
00:02 <@vpnHelper> Title: easyrsa3 batch | raspberry pi running wheezy raspbian (at tryapi.wordpress.com)
00:05 < xanthaos> Okay, just use the new easy-rsa to generate any new keys then and it'll use my current certs and keys to sign?
00:05 < AverageAdam> rayfoss-bk0: try something like this http://pastebin.com/vGSafGYD if it works, then it is your rules causing the trouble.
00:05 < AverageAdam> xanthaos: no.
00:12 < Mayzie> !welcome
00:12 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
00:12 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
00:12 < Mayzie> !tap
00:12 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the
00:12 <@vpnHelper> protocol uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
00:16 < Mayzie> Hey guys, I'm following this guide [1] and up to the linked section. What do I need to do to make my VPN bridge use the IP range 10.10.10.x? [1] - http://www.emaculation.com/doku.php/bridged_openvpn_server_setup#vpn_setup
00:16 <@vpnHelper> Title: Bridged OpenVPN Server Setup [E-Maculation wiki] (at www.emaculation.com)
00:16 < Mayzie> I don't really understand what I need to change.
00:17 < Mayzie> I am trying to setup a bridge for the purposes of LAN gaming (Anno 1404).
00:18 < Mayzie> The VPN exists on a VPS, not on my home network.
00:26 < Mayzie> It's times like these when it sucks to be an Australian - when you're on, nobody else is on.
00:26 < Mayzie> :-(
00:27 < AverageAdam> Can someone help me solve the build issues I am having with compiling openvpn from source?
00:29 < Mayzie> What are they?
00:29 < AverageAdam> This is what I get when I start by bootstrapping with autoreconf http://pastebin.com/J6AuT1aT
00:30 < Mayzie> Looks like they're just warnings?
00:31 < AverageAdam> even if I don't do that, this is what I get when I configure... http://pastebin.com/nEvr3fc0
00:31 < Mayzie> That seems normal
00:32 < rayfoss-bk0> @AverageAdam, set the rules exactly and verified. Still cant even ping 10.8.0.1... It did drop my connection for a second.
00:32 < Mayzie> AverageAdam: `make`?
00:32 < AverageAdam> and this is the following failure when I make... http://pastebin.com/7Scp1jVM
00:32 < AverageAdam> Mayzie: that is not normal for me at all
00:33 < AverageAdam> typically I have no warnings
00:33 < Mayzie> Are you compiling from gi?
00:33 < Mayzie> git*
00:33 < AverageAdam> last time I compiled from source was 2.3.11
00:33 < AverageAdam> no, from the latest zip
00:34 < Mayzie> AverageAdam: See: https://community.openvpn.net/openvpn/ticket/802#comment:1
00:34 <@vpnHelper> Title: #802 (crypto.c:843:32: error: invalid application of ‘sizeof’ to incomplete type ‘cipher_ctx_t {aka struct evp_cipher_ctx_st}’) – OpenVPN Community (at community.openvpn.net)
00:35 < AverageAdam> =O
00:36 < AverageAdam> pretty sure I was on 1.1.0 when I compiled 2.3.11 from source
00:36 < AverageAdam> wtf
00:37 < Mayzie> Can nobody help me? :-(
00:50 < AverageAdam> Mayzie: http://pastebin.com/s1yzfcur
00:51 < AverageAdam> downgrading openssl made literally no difference
00:51 < Mayzie> Did you reconfigure?
00:52 < AverageAdam> yes
00:52 < AverageAdam> rm -rf to that openvpn dir
00:52 < AverageAdam> unzipped again
00:52 < Mayzie> And you also downloaded / installed the headers for OpenSSL 1.0, replacing all version 1.1 ones?
00:52 < AverageAdam> reentered, autoreconf again
00:53 < AverageAdam> no
00:53 < AverageAdam> I am not even sure how to check that
00:54 < Mayzie> Distro?
00:55 < AverageAdam> debian testing
00:56 < Mayzie> dpkg -l | grep openssl
00:58 < AverageAdam> http://pastebin.com/KK8GkFuA
00:58 < Mayzie> No clue :-(
00:59 < AverageAdam> see what I mean
01:00 < AverageAdam> I have been beating my head against the wall for a day and a half about this issue
01:03 < Mayzie> That error seems to be attributed to OpenSSL 1.1.
01:04 < AverageAdam> yeah based on that link, but the subdir issue seems to be a problem too
01:04 < AverageAdam> either way, I downgraded and the issue remains
01:04 < AverageAdam> I am now on 1.0.2j
01:05 < AverageAdam> I can try going to 1.0.1 but I doubt that will fix it.
01:05 < AverageAdam> I built my windows client using 1.0.2 in ubuntu 14.0.4 and it worked fine.
01:06 < rayfoss-bk0> Still cant figure it out ... why is my routing table pointing to 10.8.0.2 not 10.8.0.1? Trying to ping 10.8.0.2 goes nowhere http://pastebin.com/ghW5YL29
01:07 < AverageAdam> even after a reboot after downgrading my issue remains
01:09 < Mayzie> https://forums.openvpn.net/viewtopic.php?f=6&t=23191#p67012
01:09 <@vpnHelper> Title: Private LAN set up - OpenVPN Support Forum (at forums.openvpn.net)
01:20 < Mayzie> Don't know, sorry.
01:21 < Mayzie> This is my first time (trying to) use OpenVPN. And it's failing.
01:22 < rayfoss-bk0> my 4th time, second time failing. I have no idea what to do.
01:22 < ordex> AverageAdam: 1.0.2j is fine. from the latest output looked like the header files were still from 1.1 (?) no ?
01:22 < Mayzie> It's annoying when nobody helps, or rather, has no idea how to help. :-/
01:22 < AverageAdam> I didn't see
01:23 < AverageAdam> I don't know how to change the header files
01:23 < AverageAdam> what I do see is that I just tried 2.3.14 and then 2.3.11 and they both fail the same way
01:24 < AverageAdam> 2.3.11 does not give the cmoka warning in configure, but it does fail now during make
01:24 < AverageAdam> 2.3.11 was the last successful build I had
01:24 < ordex> AverageAdam: what does "dpkg -l | ssl-dev" says ?
01:24 < ordex> I dunno too much about debian, but you should look for the version of your *ssl-dev package
01:24 < ordex> not sure what the name is
01:25 < AverageAdam> ahhhh
01:26 < AverageAdam> ii  libssl-dev:amd64                                                 1.1.0c-2                          amd64        Secure Sockets Layer toolkit - development files
01:26 < AverageAdam> still 1.1.0
01:26 < Mayzie> ordex: Can you please help me? :-/
01:26 < ordex> AverageAdam: there you go - this is the package providing the headers and the lib that openvpn is using during compilation
01:26 < ordex> it should be 1.0.x
01:27 < ordex> that's why it fails
01:27 < AverageAdam> downgrading now
01:27 < AverageAdam> we'll see how it goes
01:27 < ordex> Mayzie: I can try - not sure what your problem is (?)
01:27 < AverageAdam> thank you sincerely either way
01:27 < ordex> no problem :)
01:27 < Mayzie> ordex: https://forums.openvpn.net/viewtopic.php?f=6&t=23191#p67012
01:27 <@vpnHelper> Title: Private LAN set up - OpenVPN Support Forum (at forums.openvpn.net)
01:29 < ordex> Mayzie: I haven't opened the guide you mentioned, but given this "(and receive broadcast and multicast addresses, too)" sounds like you want to have a TAP (aka Layer 2) setup with a single network ?
01:29 < ordex> not sure why you talk about a "LAN" if you later say that you don't want it to be exposed
01:29 < Mayzie> Yes that's what I believe I need too.
01:29 < Mayzie> Well, I want a separate LAN, kinda.
01:29 < Mayzie> And I can't expose it. Because it's on a VPS.
01:30 < ordex> are yu saying you want to "create a virtual LAN"? or you want to "share" another LAN that already exists ?
01:30 < ordex> *you
01:30 < Mayzie> Create a virtual LAN.
01:30 < ordex> just trying to rephrase the problem
01:30 < ordex> ok
01:31 < ordex> then when you create a VPN in TAP mode, you are basically creating a new network segment/LAN
01:31 < Mayzie> Pretty much this: https://docs.openvpn.net/how-to-tutorialsguides/administration/configuring-openvpn-access-server-for-a-privately-bridged-network/
01:31 <@vpnHelper> Title: Configuring OpenVPN Access Server for a Privately Bridged Network | Documentation (at docs.openvpn.net)
01:31 < Mayzie> But that's OpenVPN Access, which I do not have.
01:31 < Mayzie> ordex: Okay. How would I go about doing that?
01:32 < ordex> I'd just try to configure a simple point-multipoint (aka multiple clients connecting to the server) using "mode tap" - you can search the doc for it
01:32 < ordex> and make sure to enable client-to-client communication
01:32 < ordex> I think this is close to what you need (if I understood your problem properly)
01:32 < Mayzie> Okay thanks, I'll try and look into it.
01:32 < Mayzie> Although everything is very confusing. Kinda throws you in the deep end.
01:32 < ordex> np
01:33 < ordex> what do you mean with "everything" ? :)
01:33 < Mayzie> OpenVPN.
01:34 < ordex> I think this comes together with flexibility :) then you need to really understand what you want, otherwise you can't create a meaningful configuration (although basic cases are easy to cover)
01:34 < rayfoss-bk0> anyone have experience runnig OpenVPN on a Debian ARM Android Marshmello chroot?
01:34 < Mayzie> Like, there's no real straightforward guides to do things. Particularly with Debian, which does some screwy stuff with its packages which jsut complicates things.
01:34 < Mayzie> Yeah I agree.
01:36 < Mayzie> Yeah I agree.
01:36 < Mayzie> ordex: I can't seem to find anything on "mode tap"
01:36 < ordex> sorry
01:36 < ordex> it's "dev tap"
01:36 < ordex> my bad
01:37 < ordex> still sleepy today :D
01:37 < Mayzie> Oh, yeah, that's the thing to create a bridge. I know that.
01:37 < Mayzie> Or rather, dev tap0
01:37 < AverageAdam> success
01:37 < AverageAdam> Mayzie: thank you for pointing out what I was overlooking
01:37 < ordex> you can pick the device name if you want, yes
01:37 < ordex> AverageAdam: cool !
01:38 < AverageAdam> ordex: thank you for handing me my answers
01:38 < Mayzie> ordex: I am up to here: http://www.emaculation.com/doku.php/bridged_openvpn_server_setup#vpn_setup
01:38 <@vpnHelper> Title: Bridged OpenVPN Server Setup [E-Maculation wiki] (at www.emaculation.com)
01:38 < Mayzie> If you look at the script, it's telling me to enter an IP address, broadcast address, netmask, and gateway address.
01:38 < Mayzie> And that just sets up the interface
01:39 < ordex> yap
01:39 < ordex> on the server
01:39 < Mayzie> Yes.
01:39 < AverageAdam> seriously ordex thank you
01:39 < Mayzie> But I am on a VPS.
01:39 < ordex> those settings are then matched in the openvpn configuration
01:39 < ordex> AverageAdam: no problem :)
01:39 < Mayzie> I don't really have a LAN, nor a gateway that can just assign me IP addresses.
01:39 < ordex> Mayzie: those are the settings of the network you are going to create
01:40 < Mayzie> Ohh
01:40 < ordex> you are creating it, you are making up the IPs right now
01:40 < ordex> unless
01:40 < ordex> you need access to internet
01:40 < ordex> to be shared over this LAN
01:40 < ordex> mh
01:40 < Mayzie> So I can just have something like: IP: 10.10.10.100, netmask: 255.255.255.0, broadcast: 10.10.10.255, gateway: 10.10.10.1
01:40 < ordex> well, not really actually - it is not a problem
01:41 < Mayzie> No I don't.
01:41 < ordex> ok
01:41 < ordex> then I don't think you need to bridge eth0, no ? why does he suggest to do so ?
01:41 < ordex> this is crucial to understand
01:41 < Mayzie> All the guides on setting up OpenVPN for LAN gaming suggest you need it?
01:41 < ordex> because this also affects your IP decsion
01:41 < ordex> it depends on what is the goal
01:41 < Mayzie> So forego the bridge?
01:42 < Mayzie> And the `bridge-utils` package isn't a necessity?
01:42 < ordex> the bridge can still be used
01:42 < ordex> if you want
01:42 < ordex> it depends on you
01:42 < Mayzie> I don't really understand its purpose.
01:42 < Mayzie> All I want is a private/virtual LAN.
01:42 < ordex> bridging eth0 is something that might be skipped, based on what you need
01:43 < ordex> then
01:43 < Mayzie> I don't need or necessarily want clients connected to the VPN to assume the servers internet IP address.
01:43 < ordex> you may just try to setup openvpn with a simple tap configuration, without crating bridges or anything else, unless they are required
01:43 < Mayzie> Or have traffic forwarded via the VPN
01:43 < ordex> ok
01:43 < ordex> then you can really create a very simple L2/tap VPN, without increasing the complexity of all of this
01:44 < ordex> I haven't read the entire guide, so i don't know what it is about
01:44 < Mayzie> But there are no guides on that at all :-/
01:45 < Mayzie> Pretty much all guides / tutorials that walkthrough on setting up a TAP device, also setup a server-bridge.
01:46 < Mayzie> ordex: So essentially, I just have `dev tap` in my server.conf file, and comment out `server-bridge`?
01:46 < ordex> yap, because that is a standard use case
01:47 < ordex> you probably need an ifconfig line as well, to configure ip and network
01:47 < Mayzie> Okay, how can I do that? What's the command?
01:47 < Mayzie> And presumably I call that interface tap0, and then start OpenVPN, and voila?
01:48 < ordex> actually, you can use the "server" option I think, instead of ifconfig
01:48 < ordex> yap
01:48 < Mayzie> Oh cool
01:48 < ordex> if you check the man page
01:48 < Mayzie> That seems a _lot_ easier.
01:48 < ordex> you can search for "--server" (instead of --server-bridge"
01:48 < ordex> )
01:50 < ordex> clients should then automatically get an IP within the network configured on the server
01:50 < ordex> don't forget you need --client-to-client if you want clients to talkto each other
01:51 < Mayzie> Yep
01:54 < Mayzie> ordex: Does this seem alright / correct? https://bpaste.net/show/a7f228098489
01:55 < ordex> think so
01:55 < Mayzie> And I can just `systemctl start openvpn@server` and bam, it'll work?
01:55 < Mayzie> I'm sorry, I just can't believe it's really this simple lol
01:55 < ordex> dunno how systemctl works
01:55 < ordex> but assuming that this will start openvpn with that configuration .. I think so
02:02 < BlackBishop> is it normal for a company to give you all the keys to connect via openvpn ? I'd think I'd generate my own PRIVATE keys and stuff and they'd only sign and give me back the public one or something
02:05 < BlackBishop> I have a tls-auth something.key; ca something.crt; cert something.crt; key something.key
02:05 < BlackBishop> I'd think that at least one should be generated by me and should stay on my end so they can't impersonate me .. right ?
02:05 < ordex> I think i have seen this with many vpn providers
02:05 < BlackBishop> ordex: not a vpn provider, a company .. for some remote work
02:06 < BlackBishop> vpn providers I think I might understand ..
02:06 < ordex> I think the company just took care of the entire configuration burden
02:06 < ordex> if it is "normal" I don't know
02:06 < BlackBishop> but in this case, even if the key they gave me is protected by a username/password .. still.
02:06 < ordex> but I'd agree with you
02:06 < ordex> yap
02:07 < ordex> normally you create the key pair and give the CSR (containing the pub key) to the CA for signing, IIRC
02:07 < BlackBishop> ordex: true, but the security is 0 in this case for me. They can use it to impersonate me at any time.
02:07 < ordex> but I guess this is not what people wants to deal with.. so the company took care of everything
02:07 < ordex> yes
02:07 < ordex> but it depends what the goal is
02:07 < BlackBishop> the goal is for me to enter the network and do some stuff there !
02:07 < BlackBishop> and I'd like to do the security part by the book.
02:07 < ordex> yeah, they may not care about identifying who in the group of allowed people is connecting
02:08 < BlackBishop> Other remote companies I helped asked me for the ssh public key and an ip to whitelist.
02:08 < ordex> yap
02:08 < BlackBishop> which seemed more sane.
02:09 < ordex> I guess depends on the company - even in this case, the key is shared between you and who created it, not any other employee - I supposed
02:09 < ordex> but this is just company thing - dunno
02:09 < Mayzie> ordex: Wow, I think that worked. I'll find out later. Thank you so much.
02:09 < ordex> np :)
02:09 < Mayzie> So much easier than what all the other guides were doing.
02:09 < BlackBishop> shall see if I can change their minds.
02:10 < ordex> Mayzie: the secret was in understanding what problem you were tyring to solve :-P
02:10 < Mayzie> Yeah.
02:10 < Mayzie> XY problem, kinda
02:51 < nobiz> !welcome
02:51 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
02:52 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
02:53 < nobiz> i tried to find a tutorial on how to configure openvpn 2.4 (which is actually brand new) on how to use ecdh and elliptic curves in general. anyone here working with this configuration already?
02:58 < Mayzie> ordex: Doesn't seem to work :-(
02:58 < ordex> Mayzie: what is failing exactly ?
02:58 < Mayzie> I can ping each person, but there are no sessions in the games session list :-(
03:00 < Mayzie> ordex: Do you have any ideas?
03:01 < Mayzie> Windows user (friend) attempting to connect to Linux user (me)
03:02 < ordex> semms something about the gaming protocol that does not work
03:03 < ordex> that the VPN is not passing through (maybe?)
03:08 < ordex> Mayzie: do you know if the connection happens ? I dunno how the session list gets populated :P
03:08 < ordex> is it a mcast/bcast thing ?
03:08 < ordex> such traffic should be forwarded
03:09 < Mayzie> I imagine it is a multicast / broadcast.
03:10 < ordex> you can try to dump the traffic on your linux machine when the friend is connecting and see what passes and what not  - seems trange
03:10 < ordex> *strange
03:23 < Mayzie> ordex: Ended up working.
03:23 < Mayzie> Seemed Hamachi was conflicting with it.
03:23 < ordex> ah
03:23 < Mayzie> Just had to turn that off
03:23 < ordex> :P
03:23 < Mayzie> :-P
03:23 < ordex> good :)
03:49 < AverageAdam> can someone tell me how to use the lz4 option?
03:51 < AverageAdam> I tried just switching comp-lzo to comp-lz4
03:58 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 255 seconds]
04:05 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
04:05 -!- mode/#openvpn [+o syzzer] by ChanServ
04:08 < Mayzie> ordex: Couldn't get it to work on mac.
04:08 < Mayzie> Oh wells
04:08 < Mayzie> OpenVPN was the last one to try.
04:12 < ordex> I never used a mac :P sorry
04:14 < Mayzie> Neither have I
04:18 < ordex> :D good!
06:22 < trispace> somehow I cannot file a bug, trac fails with "internal error: IndexError: list index out of range" when submitting the ticket (POST: /newticket)
07:50 < xanthaos> I have a question: A while back I setup openvpn on my previous server, and I remember having two distinct .service files in the /etc/systemd/system directory (OS CentOS 7) so I could have separate interfaces for separate user groups. What I can't remember is how I got it to work:
07:52 < xanthaos> I have the files, but I can't remember if I just put the two .service files in the /etc/systemd/system directory and used systemctl enable and systemctl start or if I had to take additional steps before this to install them on the service list or to generate the multi-user-target.wants (or something like that) file in the appropriate directory.
07:52 < xanthaos> Can someone refresh my memory on which way is correct?
07:54 < BtbN> Can't really help you with your custom systemd service files.
07:54 < BtbN> On my distro there is only one global one with a parameter for the config file name.
07:57 < xanthaos> Yep mine has one at /usr/lib/systemd/openvpn@.service as well, but I remember that before I could never get that one to work at all. I ended up having to make a .service file for even the singe interface, so I used that as a template for an additional interface as well...
08:02 <@dazo> xanthaos: we ship now two unit files for systemd ... openvpn-client@.service and openvpn-server@.service
08:03 <@dazo> xanthaos: I haven't checked if Fedora EPEL packages now packages these files and installs them
08:03 <@dazo> meh
08:55 < tundra20_> anyone have experience setting up MFA(DUO, Authy, etc) while using Okta plugin for auth with OpenVPN Community Ed.
10:03 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: ZNC 1.6.3 - http://znc.in]
10:12 < ctjctj> Hello.  I have an .ovpn that I created for our company VPN.  I've downloaded it to my droid using OpenVPN Connect.  Imported it.  When I connect it connects to the server side but once I do pings from the server to the client seem to fail.  This same .ovpn configuration works for multiple linux systems.  (It might also be failing for a PC version but that is not confirmed)
10:17 <@plaisthos> android client might not respond to ping
10:18 < ctjctj> plaisthos, that is my first step in debugging,  using JuiceSSH I can't connect to any of the hosts that are on the VPN.
10:18 < ctjctj> If ping doesn't work that implies that ICMP is not working, right?
10:19 <@plaisthos> no
10:19 <@plaisthos> that just means the device does not repsond to ping
10:19 <@plaisthos> a lot of android devices also do not respond to ping on their mobile or wifi interface
10:19 < ctjctj> Fair enough.
10:20 < ctjctj> The phone responds to pings over the wifi.  (just tested)
10:27 < ctjctj> plaisthos, so how do I go about debugging the connection and getting it working?
10:29 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
10:29 -!- mode/#openvpn [+o krzee] by ChanServ
10:54 < ctjctj> How do I go about debugging an Android OpenVPN Connect connection.  Currently I can observe it connecting to the server, being assigned an IP address.  Pings from the server to the client fail.  Client does answer pings on wifi.  Using JuiceSSH on the client I can not connect to any machines on the VPN.  The VPN is working for a multitude of other Linux and Mac clients.
10:55 <@plaisthos> I have no experience with OpenVPN Connect
10:55 <@plaisthos> !android
10:55 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html, or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android, or (#3) For a difference between the clients see http://ics-openvpn.blinkt.de/FAQ.html#faq_androids_clients_title, or
10:55 <@vpnHelper> (#4) Really old (<4.0) see !android-old
10:55 <@plaisthos> I only know about OpenVPN for Android
10:55 < ctjctj> plaisthos, installing it now.
11:01 < ctjctj> Done and working.  Thank you!
11:58 <@dazo> Q: "How do I make OpenVPN Connect work?"  A: "Install OpenVPN for Android instead" .... :-P
12:01 < DArqueBishop> Apparently it was a valid solution.
12:01 < DArqueBishop> ;-)
12:01 <@dazo> ;-)
12:53 -!- sshow is now known as sshow1
12:53 -!- sshow1 is now known as sshow
14:07 <@krzee> plaisthos: is http://ics-openvpn.blinkt.de/FAQ.html#faq_androids_clients_title still valid?
14:07 <@vpnHelper> Title: Ics-openvpn (at ics-openvpn.blinkt.de)
14:07 <@krzee> didnt work or me
14:07 <@krzee> for*
14:07 <@krzee> hah nevermind sorry, proxy problem
14:25 < reinar> > TAP/bridging is almost always a bad idea
14:25 < reinar> wow, like totally bad? I got everything working, but there's one issue...
14:26 < reinar> somehow route-gateway always gets pushed to the client, despite 0 mentions of it in the server/client config file
14:29 < reinar> and thus I have 2 default gateways and it's becoming a metrics game
14:31 <@krzee> !bridge
14:31 <@vpnHelper> "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man), or (#4) also see !whybridge
14:31 <@krzee> !whybridge
14:31 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun., or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#3) See also !tunortap
14:32 <@krzee> ya it's very rarely the correct solution
14:32 <@krzee> and if the configs dont have it, then you probably have some gui configured to add it or something like that
14:33 <@krzee> wait, route-gateway or redirect-gateway?
14:33 <@krzee> because route-gateway does not add a default route
14:34 < reinar> server - ubuntu 16.04 LTS w/o (server, no X), client - ArchLinux, openvpn called from shell
14:34 < reinar> no gui involved
14:34 <@krzee> !logs
14:34 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
14:37 < reinar> in manpages it's specified as 'Specify a default gateway gw for use with --route.'. Maybe it supposed to be a gw for routing the subnet, but somehow after vpn is up I get second 0.0.0.0 gw
14:37 < reinar> I'll share logs rn
14:50 <@plaisthos> krzee: yes
14:50 < reinar> http://pastebin.com/Ci7cfE0Y - server config
14:50 < reinar> http://pastebin.com/x6N0r1Km - client config
14:50 < reinar> http://pastebin.com/FFSKEaYz - client log
14:51 < reinar> server log is on the way
14:51 <@plaisthos> although I could reword openvpn connect to partially open source
14:54 < reinar> http://pastebin.com/NQL8H2wD - server log
14:56 < reinar> http://pastebin.com/vwcAqKvm - routes on client
14:58 <@krzee> plaisthos: 3rd pp 'official' instead of officially
14:59 <@krzee> reinar: route-gateway is just a setting so it knows what gateway to set when adding routes, you do not have a default gateway being set by openvpn
14:59 <@dazo> reinar: even though you almost have your setup working now ... I highly recommend you to move over to tun+routing, you will never regret that.  The setup is simpler and much less fragile ... tap+bridging is a can of worms which to many suddenly explodes ... mostly due to unexpected amount of broadcast traffic, which doesn't necessarily impact only the VPN but also the LAN side
14:59 <@krzee> maybe what you are seeing is a byproduct of bridging, i wouldnt know because i never use bridging (never had a real reason to)
15:01 <@krzee> !goal
15:01 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:02 < reinar> I need bridge for linking openvpn clients with already existing libvirt bridge, so they would see all virtual machines from libvirt
15:03 < reinar> so I add openvpn tap device to libvirt's bridge and it's working, the only problem is that gateway which somehow appears on client
15:04 <@dazo> now, that is actually a more plausible reason why to use bridge ... seldom I see this need .... given, if the goal is to link two different hypervisors's VM nets
15:05 <@krzee> i dunno libvirt but ya sounds valid
15:06 <@krzee> wow and less than 2 weeks into the new year
15:06 < reinar> I mean it's possible to set up routing, but linking tap to bridge seemed like simplier solution
15:06 <@dazo> krzee: libvirt creates a bridge for each network among vms ... so you group VM subnets into separate bridges, which happens outside the VM guest itself ... so for the VM, the subnet is completely transparent
15:06 <@krzee> oh thats pretty clean
15:07 <@dazo> krzee: if a VM subnet needs physical access, then a physical interface is put into the corresponding bridge
15:07 <@krzee> for network simulation i take it
15:07 <@dazo> well, it's not simulation ... in a scientific research context ... but it is to create virtual networks, independent of each other
15:08 <@krzee> well i guess it could be used for many things too, but thats first that came to mind
15:08 <@dazo> :)
15:09 <@dazo> so ... if you then have two separate hypervisors on different locations ... putting an openvpn tap interface into the corresponding bridges, should provide a transparent cross-data-centre experience inside the VMs
15:09 <@dazo> reinar: ^^^ does this match your use case?
15:09 < reinar> tbh I just use it like poor man's cloud
15:10 < reinar> having one big server and creating easily accessible virtual machines inside
15:10 <@dazo> uhm .... "cloud" is a fairly, well, cloudy expression ....
15:10 <@krzee> he could do the transparent bridge from the cookbook
15:10 <@krzee> lol nice dazo
15:11 <@dazo> reinar: I don't follow you now .... what do you mean with "poor man's cloud"?
15:13 < reinar> yeah, buzzwords and all that. To make it clear - I have few people in the team and few services like gitlab, file share and so on, which I would like to make accessible (but don't want to expose them into internet to avoid securing them too much)
15:13 < reinar> right now the idea is that person is connecting to vpn and is seeing all the services on vpn's subnetwork
15:14 < reinar> which is at the same time libvirt's subnetwork where virtual machines are spawned
15:14 < reinar> so I spawn virtual machines and every vpn client can access them
15:14 <@dazo> and these VMs does not have any Internet access at all?  Or is it a NATted libvirt bridge?  Or bridged to a physical network?
15:15 < reinar> they're behind NAT
15:15 <@dazo> managed by libvirt?
15:15 < reinar> yes
15:15 <@dazo> okay
15:15  * dazo ponders
15:16 < reinar> > Or is it a NATted libvirt bridge?
15:16 < reinar> this case
15:17 <@dazo> what is the subnet of the libvirt created VM network?
15:18 < reinar> 10.10.0.0/24, the same as openvpn's
15:18 < reinar> openvpn's dhcp is giving ip's from 2 to 50, libvirt - from 51 to 250
15:18 <@dazo> okay ...
15:19 < reinar> just a quick solution, maybe I'll do it right and managed with one dhcp server later
15:20 <@dazo> I think this is reasonable enough ... OpenVPN clients does not issue proper DHCP requests to the OpenVPN server.  Windows clients might be a bit different
15:21 <@dazo> but generally, the Windows TAP driver fakes the DHCP server inside the TUN/TAP driver, to make Windows happy
15:24 <@dazo> reinar: I'm puzzled by the client log, tbh ... I do not see that any routes is configured except the "/usr/bin/ip addr add dev tap0 10.10.0.50/24 broadcast 10.10.0.255"
15:24 <@dazo> are you sure /usr/share/openvpn/update-resolv-conf doesn't do anything funky?
15:25 <@dazo> The server provides this config to the client: 'PUSH_REPLY,dhcp-option DNS 10.10.0.1,route-gateway 10.10.0.1,ping 10,ping-restart 120,ifconfig 10.10.0.50 255.255.255.0'
15:26 <@dazo> and that is very good ... route-gateway does not indicate the default gateway should be changed ... just the VPN servers VPN IP address where traffic over the VPN should be sent
15:26 < reinar> ah, ok
15:27 <@dazo> for some reason, /usr/bin/ip route add doesn't use it ... it uses the interface instead, which is just as fine where that is supported
15:28 <@dazo> with that said, your server is running 2.3.10 ... I don't recall all changes we've done since Feb 2016, but I know there are a few bugfixes .... so I'd try to upgrade that side to the latest 2.3 or 2.4.0, just to ensure we're not chasing a ghost
15:29 < reinar> http://pastebin.com/51BsRkFN - update-resolv-conf script, I don't see anything bad there. It's parsing pushed dhcp,dns and domain options and calling resolvconf
15:31 < reinar> tbh I got one observation there... second default route is added some time after vpn is connected like 10 seconds or something
15:31 <@dazo> that script looks sane
15:31 <@dazo> hmmmm ..... ahh, that can be some DHCP traffic
15:31 <@dazo> perhaps filter DHCP traffic or tell NetworkManager on the client to ignore that tap interface?
15:32 < reinar> let me check with wireshark
15:32 <@dazo> yeah
15:32 <@dazo> I need to run now .... but I'll be back in an hour or two
15:34 < reinar> thanks for the hint, if I find the resolution - I'll write it here
15:36 < reinar> maybe there actually is some collision since I've got dhcp server running for libvirt
15:42 < reinar> heh, I think I get it. Actual dhcp server for libvirt is answering dhcp queries (as they're visible from bridge) and my interface has also 10.10.0.175 lease from it
15:54 < reinar> well, yes - I resolved it. It was this second dhcp server, the right solution is to use empty server-bridge option and give actual dhcp server to handle queries
15:55 < reinar> krzee, dazo: thanks for the help, I'll also check if it's working well on Windows
15:57 < darq> Hello :)
16:00 < darq> Anyone here ? I'm tryng to connect to an openvpn server which obviously push routes in ipv6 except my lxc container has ipv6 disables in sysctl. The client seems to test me as "positive" for ipv6, tries to push the routes, and miserabl fail. Any ideas ?
16:01 < darq> do_ifconfig, tt->did_ifconfig_ipv6_setup=1
16:01 < darq>  /usr/bin/ip -6 addr add xxxx:xxx:xx::x/64 dev tun0
16:01 < darq> RTNETLINK answers: Permission denied
16:06 < reinar> do you need ipv6?
16:06 < reinar> > I'll also check if it's working well on Windows
16:06 < reinar> works like a charm btw
16:09 < bricklogic> Hi. I initiated a connection with openvpn, using vpnbook. A session begins and the last line reads "Initialization sequence completed" but I am not able to route my traffic through. I have used openvpn in the past without an issue. I just installed a default distro, prior to using a openvpn connection. After allowing the openvpn connection to stay up, I am receiving "VERIFY OK" , "Data Channel", "Control channel" and "TLS" messages when the key
16:09 < bricklogic> expires. But no web traffic is going through the connection. The same is for running it in a VM.
16:12 < darq> @reinar Actually I don't need ipv6 and am surpised that openvpn pushes the routes
16:12 < darq> Don't need and don't want
16:14 < darq> BTW: openvpn --version OpenVPN 2.4.0 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 28 2016 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
16:15 <@plaisthos> darq: pull-filter
16:16 <@plaisthos> and filter out the ipv6 options
16:16 < darq> Exactly what I was looking for, only found push-filter
16:16 < darq> I see there *is* reciprocation in poenvpn
16:21 < darq> Any list of options, my google-fu seems rotten (i'm at best landing on the feature wish page)
16:22 < darq> Got it...
16:22 < darq> (man openvpn was enough)
16:22 < darq> :q
16:22 < darq> q:q
16:22 < darq> (ooups, sorr, haha)
16:26 < kaze> yo all - just posted on the forum, figured i'd check here as well: our openvpn server is set up with LDAP authentication. Now, if our ldap server goes down / is unavailable for some reason, users would not be able to connect. so, as a precaution for that scenario, is it possible to create a "master" user that can bypass the ldap auth on connection?
16:28 < Eugene> kaze - coupla things you can do. 1) have a separate `openvpn` instance(with its own subnet, etc) that uses a different auth mechanism; 2) Combine --auth-user-pass-optional with a wrapper script that verifies a user cert in absence of a user/pass combo; 3) don't let LDAP go down
16:28 < darq> Works like a charm ^^
16:28 < darq> Thanks again, and have a nice day/night
16:32 < kaze> Eugene 3 is obviously the ideal haha. 1 is a pretty clever workaround. 2 sounds interesting, i'll look into that. thanks for your input
16:32 < Eugene> FWIW, I recommend path 1 as it takes no custom work
16:32 <@plaisthos> hmpf dark is gone
16:33 <@plaisthos> push-remove is the ccd option
16:33 < kaze> no custom work, but a secondary server to manage? e.g. config changes etc. yeah?
16:34 < Eugene> openvpn is generally fire & forget, but yes, you would need to run two instances with separate configs
16:34 < Eugene> In general I use SSH as a backdoor, rather than openvpn
16:34 < kaze> yeah, i don't think we've changed our config in a year
16:41 <@plaisthos> bricklogic: you should contact your vpn providers support
16:51 < kaze> uhhhhh
16:51 < kaze> anyone know what this means:
16:51 < kaze> openvpn_iptables_configure: client-side subnet collision between 192.168.136.0/255.255.252.0 'Group-owned subnets for developers' and [192.168.136.0/255.255.252.0 VALUE='Global Dynamic Subnets'] (EQUAL)
16:51 < kaze> service failed to validate
16:52 < kaze> we have a Group called "developers"
16:52 <@plaisthos> err
16:52 <@plaisthos> that is a iptables message
16:52 <@plaisthos> not openvpn
16:52 <@plaisthos> !notovpn
16:52 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
16:53 <@plaisthos> not from openvpn itself
16:53 < kaze> hm ok. getting that error on startup
16:54 < kaze> Screen Shot 2017-01-11 at 5.44.00 PM.pngOh it apparently did not like the duplicate IP address for User and Gruop
16:54 < mete> if anyone is interested: the pcengines APU2 boards are doing 100-120mbit of openvpn AES-256-CBC throughput on a single core. with three bonded openvpn instances I'm getting nearly 300mbit out of the thiny 12watt box
16:56 <@plaisthos> aes-256-gcm might be even better
16:56 <@plaisthos> if you have 2.4 on both sides
16:57 <@plaisthos> but will do aes-256-gcm then automatically anyway
16:59 <@dazo> kaze: you could consider using auth_pam, where PAM is configured to do the LDAP authentication via SSSD .... and let SSSD cache authentication credentials, so if LDAP fails, SSSD will use the cached credentials instead
17:00 < mete> plaisthos: may I ask a old question, let me check it :D
17:01 < mete> there is one reason why I'm not on 2.4
17:01 <@dazo> kaze: openvpn_iptables_configure ... that is not an error message produced by openvpn itself (it may have been proxied via openvpn, but openvpn itself knows nothing about iptables)
17:01 < kaze> dazo thanks for the idea. think going to try eugene's first suggestion of secondary backup server, would also let us tinker with settings without interfering with everyone's sessions
17:01 < mete> plaisthos: anyone know if https://community.openvpn.net/openvpn/ticket/603 is fixed in 2.4.0?
17:01 <@vpnHelper> Title: #603 (Tunnel latency issues on Windows 7) – OpenVPN Community (at community.openvpn.net)
17:02 < kaze> yeah the default IP block for groups overlapped with the default block for users, was not happy
17:02 < kaze> thank you though dazo
17:03 <@dazo> kaze: just beware that most authentication plugins doesn't use so called "deferred authentication" ... so if LDAP is just slow, it will impact other connected clients' traffic as well (OpenVPN is single threaded, that's why) .... so unless the auth mechanism is modified to do deferred authentication, or have some fallbacks (like SSSD, which can have some sane and acceptable timeout settings, which would reduce the impact)
17:05 < kaze> oh interesting, thanks for that heads up
17:07 <@dazo> reinar: glad it worked ... and you are probably my 3rd or 4th person in this channel since I joined here many years ago where bridging actually is the right solution ... so we good to know what to beware of
17:08 < mete> bridging is always needed when bonding interfaces ;)
17:09 <@dazo> mete: ??  that should plain bonding or teamd ... not bridging .... bridging is more like a switch kind of functionality
17:10 <@dazo> !learn libvirt as If attaching an OpenVPN tunnel to a libvirtd managed bridge with its own NAT setup, do not configure an IP address pool in OpenVPN; let libvirtd dnsmasq instance do the DHCP instead
17:10 <@vpnHelper> Joo got it.
17:10 < kaze> dazo Eugene thank you guys for your inputs. have a fair amount to learn
17:10 <@dazo> yw, kaze!
17:10 < Eugene> This is the part where I cry a bit because libvirtd's dnsmasq is horible and should be burned
17:10 < Eugene> But w/e
17:10 < mete> as tun (routing interfaces in openvpn) doesn't have a MAC address support, you have to use tap interfaces when doing simple bonding, like balance-rr
17:11 < mete> I have the setup running since year without any problems...
17:11 <@dazo> Eugene: what's wrong about libvirtd dnsmasq?
17:11 < mete> since years*
17:12 < Eugene> Nothing inherently, however my predecessor at $DAYJOB left behind horrifying rats nest of NAT garbage instead of just use a bridge to eth0
17:12 < Eugene> For no discernible reason
17:12 < Eugene> I have yet to find a good to use it instead of just bridging out to the real network.... "test labs" don't count, stfu
17:12 < Eugene> (also I hate dnsmasq)
17:13 <@dazo> Eugene: ahh, okay ... abusing functionality in the wrong way .... well, then any setup can be configured to suck big time
17:13 < Eugene> It's a lying, piece of shit DNS implementation used by assclown admins who think its simple, and don't bother to plan for maintenance or scaling or really anything other than "make it work"
17:13 < Eugene> </rant>
17:15 < Eugene> Sometimes I wish I had completed my USCG Captain's license
17:15 < Eugene> Boats are easy
17:15 <@dazo> Eugene: I'm using it occasionally ... where I have a virtualized firewall bridged to a physical eth and with virtualized subnets behind that firewall and where I don't want those subnets to be exposed directly to the Internet ... but granted, I don't use the NAT feature, just plain DHCP (I don't even use the DNS resolver in dnsmasq)
17:16 <@dazo> hehe ... boats are easy when the weather is warm, sunny and not too windy ;-)
17:16 < Eugene> I like nasty weather
17:16 <@dazo> you should watch a rather old movie these days ... "The Perfect Storm" ;-)
17:17 < Eugene> Terrible dramatization. Nice CGI though
17:17 <@dazo> agreed :)
18:17 < Ducky^> hey all, if I want to create an ovpn file with a tls key, do I use the tags <tls-auth> key </tls-auth>?
18:17 < Ducky^> I'm trying to connect my phone to the server but I'm getting: Authenticate/Decrypt packet error: packet HMAC authentication failed
18:18 < Ducky^> and TLS Error: incoming packet authentication failed from [AF_INET]
18:18 < Ducky^> I'm not sure where the problem is
18:18 <@ecrist> yes - you also need to define a key-direction
18:18 <@ecrist> the client and server should be opposite of each other.
18:18 < Ducky^> oh yes, that's when you put 1 on the end of the normal client config? when server is 0
18:19 < Ducky^> how do I add that to an ovpn file?
18:19 <@ecrist> yes
18:19 <@ecrist> an ovpn file is just text
18:21 < Ducky^> so key-direction 1 should do it?
18:24 < Ducky^> yeah, that worked
18:24 < Ducky^> thanks
18:24 <@ecrist> no problem.
--- Day changed Thu Jan 12 2017
01:57 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 256 seconds]
02:13 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
02:13 -!- mode/#openvpn [+v RBecker] by ChanServ
03:00 <@plaisthos> !paidvpn
03:02 <@plaisthos> !learn paidvpn as We are very reluctant to help you if you use a (commerical) VPN provider since we do not want to be their unpaid support team. See also !both
03:02 <@vpnHelper> Joo got it.
03:02 <@plaisthos> !paidvpn
03:02 <@vpnHelper> "paidvpn" is We are very reluctant to help you if you use a (commerical) VPN provider since we do not want to be their unpaid support team. See also !both
03:02 <@plaisthos> !both
03:02 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
04:05 < ndk> morning
04:07 < ndk> !welcome
04:07 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind
04:07 <@vpnHelper> openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
04:08 < ndk> !goal
04:08 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:39 < Brutser> hi, i have a fw.sh script on my openvpn server that configures some firewall settings, how can i run this script when the openvpn server starts?
04:47 <@plaisthos> --up
04:48 <@plaisthos> which might be what you need
04:48 <@plaisthos> since it is after tun opening i.e. the device exists for your fw.sh script
04:52 < Brutser> plaisthos: how i implement this in my server.conf ?
04:53 <@plaisthos> Brutser: did you read the man page to --up?
04:53 <@plaisthos> !man
04:53 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
06:48 < ndk> !man --dev
07:04 < ordex> lol
07:04 < ordex> that would be nice :D
07:28 <@plaisthos> feel free to code it :)
07:29 <@plaisthos> but please make it privmsg for !man :p
07:31 < ordex> :D
08:32 < ovidiu_calbajos> hi there. quick question. I've downloaded the lastest openvpn-build-2.4.0 and noticed that the output exe is a single file without architecture extension. Does the new build method contain both architectures of the OS (32,64bit) in one file? Thanks
08:41 < Brutser> hello, i am trying to create some script that when openvpn starts, it will ask to select a profile, then start openvpn with that profile - if no profile is chosen, it should not start openvpn - how would i approach that?
08:46 < w9qbj>    Brutser  - are you using Win?  or Linux ?
08:47 < Brutser> linux
08:49 < Brutser> the user has 4 different vpn profiles, i already made a zenity list to select from - i need to figure out how to continue now
08:49 < Brutser> not rly expert
08:50 < Brutser> i can make a startvpn.sh
08:50 < w9qbj> Brutser, two approaches,   A 4 different start scripts, one for each profile
08:52 < w9qbj> Brutser,  the other write a 'menu script' that asks which to start
10:31 < DArqueBishop> Brutser, if Network Manager is an option, wouldn't it be easier just to have it handle the OpenVPN connections?
10:32  * DArqueBishop points out he has limited experience with NM, but can't imagine that wouldn't be a better solution.
12:05 < MTecknology> Howdy fellers! I'm trying to work on a very simple ovpn setup. (not working on it this second, though) I'm trying to keep it incredibly simple and have one server and multiple clients using just a preshared key. I see this setup online all over for a single client, but I need to be able to accomodate all the way up to FIVE (zomg, big number!! :P) clients. Is it even possible to do this?
12:06 < MTecknology> side note: I'm aware relying on only a pre-shared key is not secure, but I promise, it makes sense in this scenario
12:11 < icasdri> !welcome
12:11 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
12:11 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
12:13 < icasdri> !goal
12:13 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:13 < icasdri> !goal specify 'auth' option (HMAC authentication hash algo) in server.conf
12:14 < icasdri> I would like to specify 'auth' option (HMAC authentication hash algo) in server.conf
12:14 < DArqueBishop> MTecknology: do you mean a static key? If so, static keys are not supported in client/server configurations.
12:15 < icasdri> 'auth' option seems to have disappeared in 2.4.0
12:22 < buckowski> hi general question here
12:22 < buckowski> if I have a service that connects on a specific port
12:22 < buckowski> will that service also be available when i connect to vpn?
12:22 < buckowski> like ftp on port 21
12:22 < buckowski> and i have my openvpn setup on a server
12:23 < buckowski> and when i connect to the openvpn will that ip of the server now be my ip for the ftp server on 21?
12:27 < MTecknology> DArqueBishop: yup, sorry, I meant static key
12:27 < MTecknology> bummer :(
12:29 < roby1kenobi> buckowski: it sounds like you're describing something that requires port forwarding, if you want to make your ftp server available from a remote vpn endpoint
12:29 < buckowski> like my ip is 69.69.69.69:21 and when i connect to ftp its 121.121.121.121:21 ?
12:29 < buckowski> oh does openvpn not do port forwarding?
12:29 < roby1kenobi> are you running the openvpn server and the ftp server on the same physical server?
12:30 < buckowski> no
12:30 < buckowski> ftp server is at home
12:30 < roby1kenobi> then no
12:30 < MTecknology> DArqueBishop: static key setups are only for connecting two devices or two subnets?
12:35 < buckowski> how can i forward ports with openvpn?
12:36 < buckowski> to connect to services behind the openvpn
12:58 < roby1kenobi> buckowski: I think your needs would be better suited with port forwarding via ssh for that. There are plenty of examples via google.
14:25 < BlackBishop> if I have log /var/log/something in my .conf file .. my /etc/init.d/openvpn.vpn script doesn't ask me for a password anymore ( I see it asking in the log file )
14:26 < BlackBishop> is there anything I can do or do I have to specify a username/password file ? :
14:43 < slypknot> BlackBishop: try starting openvpn from a root session # openvpn --config configname.conf
14:44 < slypknot> or $ sudo {as above}
14:50 < slypknot> BlackBishop: I presume your config has --auth-user-pass included ?
14:50 < slypknot> so what distro are you using ?
14:59 < BlackBishop> yep, I have auth-user-pass
15:00 < BlackBishop> gentoo .. the init script is a symlink that knows to take the config file as the param
15:00 < BlackBishop> it seems to start it as /usr/sbin/openvpn --config /etc/openvpn/vpn.conf --writepid /var/run/openvpn.vpn.pid --daemon --setenv SVCNAME openvpn.vpn --cd /etc/openvpn --up-delay --up-restart --script-security 2 --up /etc/openvpn/up.sh --down-pre --down /etc/openvpn/down.sh --setenv PEER_DNS yes
15:08 < BlackBishop> the weird thing is that the init script stopped and asked me for the password before having the log / log-append in the conf file.
15:08 < BlackBishop> so I'm not sure about what redirects it does....
16:00 < roby1kenobi>  /win 5
17:28 < slypknot> BlackBishop: do you have systemd on gentoo ?
17:54 < fyrril> anyone on 16.04 LTS had problems with predictable network interface names as opposed to the old standard eth0, etc?
19:04 < w9qbj> Fyrril What problems you having, I just booted a 16.04 and ifconfig says eth0
20:38 < jpwhiting> Does openvpn support being ran by two different users on the same machine?
20:38 < jpwhiting> I'm thinking specifically of linux and mac machines
20:38 < jpwhiting> by users with admin priviledges
20:40 < Eugene> Sure, so long as those users have privileges to use tun devices & set up routes
20:41 < jpwhiting> right, so if users a and b both have those privileges and user a connects to server a, then user b connects to server b I guess the machine will be using server b ?
20:42 < Eugene> What do you mean by "using" ? It doesn't matter how many tunnels you have going, unless there's conflicting routes
20:42 < jpwhiting> does openvpn have any code to make sure there's only one openvpn process running on a machine at a time or anything like that?
20:42 < Eugene> Nope.
20:42 < jpwhiting> k, sounds good
20:42 < jpwhiting> I think that should work fine then :)
20:43 < Eugene> It wouldn't make sense to have multiple connections providing a default route, if that's what you're asking.
20:43 < jpwhiting> yeah, I see, ok
20:43 < Eugene> But you can route 10.10.0.0/16 via A and 10.11.0.0/16 via B, no problemo
20:44 < jpwhiting> yeah, that makes sense, ok
22:34 < abb0zzo> ciao
23:03 < ordex> ciao
23:20 < abb0zzo> 2017 openvpn info? sources?
23:29 < ordex> ?
23:31 < abb0zzo> Are there new sources online that provide specific details about the use of openvpn that you can share?
23:32 < abb0zzo> So I can use the technology? <3
23:34 < ordex> the code is open source and is hosted on github, there is activ development going on, so there are new changes applied very often
23:34 < ordex> you can just clone the repo
23:34 < ordex> if you want to know what's new in the latest release, I'd suggest to check the changelog
--- Day changed Fri Jan 13 2017
01:20 < abb0zzo> [21:25] <ordex> if you want to know what's new in the latest release, I'd suggest to check the changelog << what's the point of irc if you're going to make me read a stupid change log?
01:21 < ordex> what's the point in writing on IRC what somebody else has already written in a file and many other people have already reviewed ?
01:38 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Ping timeout: 255 seconds]
01:44 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
01:44 -!- mode/#openvpn [+o vpnHelper] by ChanServ
02:06 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Ping timeout: 255 seconds]
02:13 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
02:13 -!- mode/#openvpn [+o vpnHelper] by ChanServ
03:29 < charnel> Hi, from openvpn admin panel I created an user and gave a password, also created an unix user from the server. However when I try to connect I am getting auth_error
05:14 < mheap> Morning all. I'm new to OpenVPN and am struggling to work out what to search for. I have two machines in a remote network, and my local machine. I want to run OpenVPN on one of the remote machines to provide access to the entire subnet once my local machine connects to it
05:14 < mheap> Should I be looking at routing or bridge mode?
05:15 < mheap> Everything I read about bridge talks about reduced efficiency, so I'm wondering if I need it
05:22 < ordex> mheap: for this use case you don't need bridging
05:22 < mheap> That's good to know
05:22 < ordex> only if you want to be in "the same LAN", then you need bridging
05:23 < mheap> I have machines in 10.0.1.x and 10.0.2.x. The OpenVPN machine is in 10.0.2.x
05:23 < mheap> Using routing can I access machines in both ranges?
06:44 < mheap> I can! I have it working :)
08:57 <@dazo> !howto
08:57 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
08:57 <@dazo> abb0zzo: ^^^ (<abb0zzo> So I can use the technology?)
10:17 < jiquera> what is --auth used for if the --cipher is  AES-GCM>
10:17 < jiquera> ?
10:29 <@dazo> jiquera: each packet contain a HMAC signature, which defaults to SHA1 ... that signature is actually ensure the packet have not been modified in transit
10:31 <@dazo> jiquera: and the key used for the HMAC is negotiated between client and server up on the TLS negotiation, so it really tricky to manipulate HMAC based signatures - as the key isn't static over time
10:32 <@dazo> oh ... you ask in connection to AES-GCM .... I believe it may be disabled, tbh, as GCM has its own authentication scheme
10:33 <@dazo> syzzer: ^^^
10:34 <@dazo> never mind!  Found it!
10:34 <@dazo> https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
10:34 <@vpnHelper> Title: Openvpn24ManPage – OpenVPN Community (at community.openvpn.net)
10:34 <@dazo> " If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth. "
10:34 <@dazo> jiquera: ^^^
10:35 <@dazo> syzzer: that statement should probably extended to include --tls-crypt as well
10:59 < Brutser> hi all, i start openvpn connection following this guide: https://www.qubes-os.org/doc/vpn/ , it is a bit off topic here, but the question is openvpn related - the vpn is started with the qvpn group credentials - the iptables anti-leak are in place, but now I cannot ping using the sg qvpn -c 'ping..' command - error is Operation not permitted.
10:59 <@vpnHelper> Title: VPN | Qubes OS (at www.qubes-os.org)
11:00 < Brutser> the weird thing is that route of traffic is possible, but sometimes, not all the time, for now it still seems random, which it probably is not, but ok.
11:00 < Brutser> but i should be able to ping from the vpn client, that's my first issue i want to solve
11:00 < Brutser> what commands can i run to troubleshoot this?
11:02 < jiquera> @dazo: thx! I read the manual like 15 times.... apparently missed every single time :p
11:04 < jiquera> what if it is combined with --tls-crypt
11:04 < jiquera> i would imagine that for the encryption of the control packets one would also use aes-gcm
11:05 < jiquera> and therefore ignore the --auth algorithm
11:11 <@dazo> jiquera: --tls-crypt (and --tls-auth) adds an additional HMAC signature, using a shared secret ... so that comes on top of whatever --auth or AES-GCM does
11:12 <@dazo> the --tls-{auth,cryp} HMAC is tackled much earlier, before the packet is even sent to the crypto library ... so in UDP mode, the UDP port seems closed if the tls-auth HMAC signature doesn't match up
11:13 <@dazo> (the difference between tls-auth and tls-crypt, is that the latter one adds a static key encryption on the OpenVPN control channel, tls-auth only adds the HMAC signature)
11:15 < jiquera> and for the static key encryption it uses which algorithm?
11:15 < jiquera> the one specified in --cipher?
11:23 < Brutser> dazo: any idea how i can troubleshoot my problem, the guide i know is not really only openvpn, it's qubes os, but it's pretty much related to openvpn https://www.qubes-os.org/doc/vpn/ - the ip anti-leak rules at the bottom of the article are in some way 'randomly' blocking traffic for me, how can i find the cause?
11:23 <@vpnHelper> Title: VPN | Qubes OS (at www.qubes-os.org)
11:25 < ordex> Brutser: it is supposed to, no? :)
11:25 < ordex> well, without randomly
11:30 <@dazo> Brutser: at a very quick glance ... I struggle to see how this is OpenVPN related ....
11:47 < Brutser> dazo: the iptables rules are the one that are causing the issue, so i guess it's not related to openvpn directly, but iptables are a part of openvpn, or atleast they were
11:48 < Brutser> ordex: well yes, but i should always be able to ping from the vpn client box no, i mean, if the vpn connection is established
11:48 < Brutser> i can always ping without the rules
11:48 < Brutser> but with the rules i can hardly ping, using the qvpn group creds obviously
11:51 <@dazo> iptables have never been part of openvpn ... that's an Linux kernel tool, to manipulate the firewall .... openvpn is merely a virtual network adapter
12:31 < Windy> heya, i've got a very old openvpn server (2.1) that just hit the 10 year expiration point on server and ca certs.  i found instructions to generate a new ca cert and sign with the existing key, but how do i generate a new server cert?
12:31 < Windy> also, am i correct that this should be valid on the clients since it's using the same private key without having to distribute a new client?
12:36 < DArqueBishop> Windy: if you're using easy-rsa, just use build-server-key (I think).
12:36 < Windy> to be honest i'm not sure how this was set up (10 years ago by someone who is no longer employed here)
12:36 < DArqueBishop> Though, if you're on 2.1, it might be time to think about upgrading if it's not an OS-provided package.
12:37 < DArqueBishop> Ah. In that case?
12:37 < DArqueBishop> !howto
12:37 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
12:37 < Windy> we actually have a new cluster built on the latest appliances, but haven't rolled it out yet
12:37 < DArqueBishop> The HOWTO is great for people getting into OpenVPN.
12:40 < Windy> openssl x509 -in ca.crt -days 36500 -out ca_new.crt -signkey ca.key  I found this command which appears to make a new cert and sign with the existing key,
12:45 <@dazo> Windy: interesting ... are you sure the output certificate have the proper CA flags set?
12:46 < Windy> no, i just found that in this thread https://forums.openvpn.net/viewtopic.php?t=18671
12:46 <@vpnHelper> Title: [Solved]Expired CA - clients can't connect - OpenVPN Support Forum (at forums.openvpn.net)
12:48 <@dazo> Windy: ahh, okay ... maikcat usually have good advises, and he even tests the CA certificate a bit later on
12:49 <@dazo> ecrist: have a look at that post Windy pointed us at ... that solution seems useful to promote several places in the forum
12:50 < buckowski> anyone know how I can port forward services to client?
12:50 < buckowski> I have a client with FTP port 21
12:50 < buckowski> should they be able to have this service accessable through the vpn?
12:51 < Windy> when i try that openssl verify against the new cert i get two errors though.  18 - self signed cert (which is fine) and 10 - certificate has expired
12:51 <@dazo> buckowski: you might need to have some FTP helpers loaded in your firewall config ... otherwise at least passive mode FTP won't work.  Active mode might work though
12:51 < buckowski> vpn.server.com:21 will redirect to clients ip automatically or do I need to set port forwarding?
12:51 <@dazo> (but ftp is a horrible protocol ... I'd rather recommend to move over to the SSH alternative, sftp)
12:51 < buckowski> ok sftp on port 444 lets say
12:52 < buckowski> or ssh
12:52 < buckowski> doesnt matter what servcie really
12:52 < buckowski> it was just an example
12:52 < buckowski> packets are packets
12:52 < buckowski> ports are ports
12:52 < skyroveRR> Packets are segments to us.
12:52 < skyroveRR> And ports are really "sockets".
12:52 < skyroveRR> Get the terms right.
12:52 <@dazo> okay ... the reason I said what I did with FTP ... is that it uses both port 21 and port 20, which direction port 20 goes depends on active/passive mode ...
12:53 <@dazo> !goal
12:53 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:53 < skyroveRR> !ot
12:53 <@dazo> buckowski: ^^^
12:53 <@dazo> !all
12:53 <@vpnHelper> "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
12:54 < buckowski> the goal is client with servcies
12:54 < buckowski> accessable via vpn
12:54 < buckowski> external
12:55 < buckowski> openvpn config that routes specific ports to client
12:55 < buckowski> would i just do an iptables on the openvpn server then?
12:55 < skyroveRR> !iptables
12:55 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this., or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG, or (#3) These are just the basics to get you
12:55 <@vpnHelper> started as firewall design is beyond this channel's scope; you can also see #netfilter
12:55 < skyroveRR> buckowski: ^
12:56 < buckowski> iptables -t nat -A PREROUTING -s lannetwork/24 -p tcp --dport 21 -j DNAT --to-destination clientsvirtualip:21
12:56 < skyroveRR> FTP uses 20 and 21, not JUST 21.
12:56 < buckowski> its not beyond the channels scope
12:56 < buckowski> no it doesnt
12:57 < skyroveRR> It does.
12:57 < buckowski> I can set ftp to port 56453
12:57 < skyroveRR> Go and learn how FTP works.
12:57 < buckowski> passive mode will use specific ports I SET
12:57 < buckowski> you should go and learn it
12:57 < buckowski> but again, its just an example
12:57 < skyroveRR> You are on your own. Besides, your question is offtopic.
12:58 < buckowski> really? accessing servcies behind openvpn is offtopic?
12:58 < skyroveRR> Yes.
12:58 < buckowski> lol
12:58 < skyroveRR> Because it doesn't really concern openvpn itself, but the services behind it.
12:58 < buckowski> it directly concerns openvpn
12:58 < skyroveRR> if you have trouble with the VPN ONLY, then ask.
12:58 < buckowski> the question is simple
12:58 < buckowski> openvpn forwarding ports
12:59 < skyroveRR> It isn't. It's a firewalling issue unrelated to openvpn.
12:59 <@dazo> buckowski: so you want to have an OpenVPN server with a public IP address, exposing services which is hosted on an VPN client?
12:59 < buckowski> then the problem is why doesnt openvpn forward ports or have options to forward ports
13:01 <@dazo> skyroveRR: it might not be as easy as you believe, if I have understood the issue correctly .... services hosted on a VPN client will needs some routing policy tweaks
13:01 < skyroveRR> Yeah.. :)
13:05 <@dazo> buckowski: in regards to ftp .. you are right in regards to passive mode, the port number sent to server is crucial .... but for that to work, you will need the nf_nat_ftp.ko module loaded on your iptables firewalls as well .... Regardless, I suggest getting this working first on a less challenging protocol than FTP though
13:05 <@dazo> (like http or ssh)
13:07 < buckowski> ok http as an example, ideas on how to route openvpn server to client?
13:08 < buckowski> client has httpd apache installed
13:09 <@dazo> perfect ... so, iptables PREROUTING looks fairly good as a template ... but on the client you need to declare a routing policy ... let me dig up an example from one of my setups
13:12 < buckowski> oh so the openvpn client config would need to have some routing options as well?
13:12 < buckowski> not just the port open
13:12 <@dazo> it's abit more complex
13:12  * dazo is almost ready
13:14 < DArqueBishop> buckowski: if you wanbt to have services available only to OpenVPN clients, only open the ports on the server's VPN address.
13:14 < DArqueBishop> Then tell the clients to connect using the VPN server's IP address on the VPN subnet.
13:15 <@dazo> buckowski: https://paste.fedoraproject.org/526839/48433431/raw/
13:15 < DArqueBishop> Oh, wait, I didn't read the whole thing. Sorry.
13:16 <@dazo> buckowski: on the VPN client, you must then have opened up for the port as well, with a public IP address coming from the tun/tap adapter OpenVPN uses ... as well as also add the port to the FORWARD chain, where destination address is the VPN IP address
13:16 <@dazo> the FORWARD chain is on the VPN server!
13:17 <@dazo> the VPN client must have the ACCEPT rule in the INPUT chain
13:17 <@dazo> The iproute2 policy routing ensures that any traffic with a public IP address gets routed back via the VPN tunnel on the response, instead of going out on the default gateway
13:18 <@dazo> (any traffic with a public IP address coming in on the tun/tap adapter, that is)
13:19 <@dazo> buckowski: also ... you may need to adopt the vpn-up.sh script slightly ... using the proper VPN IP address of the VPN server
13:19 <@dazo> (in my example, it is 10.8.0.1)
13:40 < buckowski> DArqueBishop:  yah the services are on the client, and I want them accesable via the servers ip:port
13:40 < buckowski> DArqueBishop: yes if the service was also on the openvpn server, that would work
13:42 < buckowski> dazo: thank you for input!
13:42 <@dazo> !learn service_behind_client as In addition to normal iptables (firewall) configuration with port NAT, you also need to configure an ip routing policy ... for some quick clues: https://paste.fedoraproject.org/526839/48433431/raw/
13:42 <@vpnHelper> Joo got it.
13:42 <@dazo> !service_behind_client
13:42 <@vpnHelper> "service_behind_client" is In addition to normal iptables (firewall) configuration with port NAT, you also need to configure an ip routing policy ... for some quick clues: https://paste.fedoraproject.org/526839/48433431/raw/
13:43 <@dazo> buckowski: you're welcome!  I hope you'll get it working ... Currently I have a similar setup running, with three different VPN clients against the same VPN server, with services scattered across - in addition to LAN behind each of these clients
13:44 < buckowski> dazo: what is ${ifconfig_local}
13:45 <@dazo> that is a variable set by OpenVPN before executing the script
13:45 <@dazo> see the "SCRIPTING AND ENVIRONMENT" section of the man page for more details
13:47 < buckowski> thank you again, wikll check the scripting and environment section, openvpn is so complicated and powerful
13:47 <@dazo> yeah, the features of openvpn is both a blessing and a curse :)
13:51 < buckowski> so in addition also adding iptables -t nat -A PREROUTING -s lannetwork/24 -p tcp --dport 80 -j DNAT --to-destination clientsvirtualip:80
13:51 < buckowski> on the vpn server
13:51 < buckowski> to forward open port on the openvpn server
13:51 < buckowski> to the virtual ip of router?
13:51 < buckowski> virtual ip of client
13:51 < buckowski> s/router/client
13:52 <@dazo> you will need -A FORWARD -d $VPN_CLIENT-IP -p tcp --dport 80 -j ACCEPT   ... on the VPN server
13:52 <@dazo> -A INPUT -p tcp --dport 80 -j ACCEPT  .... on the VPN client
13:52 < buckowski> can openvpn push these routes?
13:52 <@dazo> and then you need the vpn-{up,down}.sh scripts from the paste
13:52 < buckowski> route-push -A INPUT -p tcp --dport 80 -j ACCEPT
13:53 < buckowski> -route-push ?
13:53 <@dazo> that's not routes ... that's iptables
13:53 <@dazo> openvpn doesn't grok iptables .... so you will then have to do that in the vpn-{up,down}.sh scripts
13:54 <@dazo> in fact, openvpn doesn't even care about iptables at all ... that is the networking stack on the kernel which is responsible for the firewalling
13:54 <@dazo> all openvpn is to read/write packets to the tun/tap adapter ... then the kernel takes care of transporting those packets to the right places
13:54 <@dazo> all openvpn *does*, is ...
14:09 < buckowski> ah i thought it does though?  iptables sets the routes so openvpn isnt using iptables?  what does openvpn use then to set its routes?
14:10 <@dazo> iptables is not iproute2 or route
14:11 <@dazo> iptables is firewalling .... iproute2 (ip) / net-tools (route, ifconfig) are network configuration
14:12 <@dazo> openvpn only runs /sbin/ip (or /sbin/route) to configure routes ... nothing else
14:13 <@dazo> (well, it will run /sbin/ip or /sbin/ifconfig to configure the tun/tap adapters IP address, of course)
14:23 < buckowski> jesus how do these vpn services offer this stuff to their clients automatically ?
14:24 <@dazo> could be they put a proxy server in front, instead of doing PNAT
14:24 < Windy> dazo: btw, that thread we were talking about before has an important error.  it shows to make certs with a validity period of 36500 which is 100 years.  when i tried that it made invalid certs, i think it should be 10 years tops
14:25 <@dazo> Windy: yeah, might be ... but that should be fairly obvious if you check the result afterwards :) ....
14:28 < Windy> the result shows a cert that's valid from 2017 to 1984
14:29 < Windy> hehe
14:29 <@dazo> exactly ;-)
15:03 < Windy> so, i generated a new cert from my real PKI.  it seems like it's chaining correctly but i get error depth=2, error=certificate signature failure
20:37 <@ecrist> dazo: post is sticky now, thanks for the pointer.
20:37 <@ecrist> should probably put something about that in the book
20:37 <@ecrist> also, should make that a function of easy-rsa
20:46 < KNERD> how about a tip. A got a VPN on a server here on my LAN. I have an outide device which is connected, and working just fine. When I connect PC to the same VPN, I cannot PING, nor connect the that device's web interface, Suggestions where to look?
21:01 < ordex> KNERD: have you checked client-to-client in the man ?>
21:05 < KNERD> ordex: yes, that is inclued, but let me check
21:06 < KNERD> yes...doubel checking it is in there "client-to-client"
21:14 < KNERD> maybe something in IP tables needs to be adjusted?
--- Log closed Sat Jan 14 01:12:46 2017
--- Log opened Sat Jan 14 11:54:47 2017
11:54 -!- Irssi: #openvpn: Total of 247 nicks [7 ops, 0 halfops, 2 voices, 238 normal]
11:54 -!- mode/#openvpn [+o ecrist] by ChanServ
11:54 -!- Irssi: Join to #openvpn was synced in 10 secs
14:07 < MTecknology> Not to knock openvpn, but... any chance you guys happen to know of something as complicated to set up as the static key setup that supports multiple clients connecting to a server and getting a random address from a pool?
14:07 < MTecknology> The other option seems to be one server/client pair per client that's gonna connect but that'll get ugly at >1 client
14:10 < MTecknology> I'm trying to set something up so devices with a random public address can come online and connect to a server that will let me connect to those boxes; that's it's only purpose in this scenario... connect to a system that I can use to connect to the device.
14:21 -!- FederationOfNULL is now known as [0xAA]
14:27 -!- FederationOfNULL is now known as [0xAA]
14:58 -!- FederationOfNULL is now known as [0xAA]
15:07 -!- FederationOfNULL is now known as [0xAA]
15:38 < merlin66676> afternoon
15:38 < merlin66676> anyone able to help answer a couple DMZ routing questions?
20:49 <@danhunsaker> MTecknology: Don't see why a certificate-based approach wouldn't work, here.
20:49 <@danhunsaker> More secure that way, too.
20:53 < MTecknology> danhunsaker: I'll probably go that way, just adds lots of extra work that isn't possible to automate
20:56 < MTecknology> If static key could handle the multi-client networking bits, it'd be great because I could just share that itty bitty key and it'd be more than enough security for my needs
21:00 < MTecknology> danhunsaker: now the question becomes... how do I have automation create a unique key when a server comes online and how do I securely get that from the vpn server to the client in an automated way?
21:01 < MTecknology> If I go with a static key, I get to show that I understand a reduced level of security, but still ensure more security than needed for the given application
21:16 <@danhunsaker> I point it out because certs are considerably easier to set up.  Static keys are practically deprecated.
21:34 < MTecknology> danhunsaker: how are certs easier to configure?
22:24 <@ecrist> MTecknology: you still here?
22:24 <@ecrist> You can use setup a VPN in such a way that a client certificate isn't required, or use a single client certificate common to all users.
22:25 < MTecknology> ecrist: how would you do the former?
22:26 <@ecrist> what version of openvpn are you using?
22:27 < MTecknology> 2.3.4
22:29 <@ecrist> so, the option you want is --client-cert-not-required
22:29 <@ecrist> the encryption is negotiated similar to how web browsers function then.
22:29 <@ecrist> you still need a CA, and a server certificate, though.
22:29 <@ecrist> then you set --username-as-common-name
22:29 <@ecrist> and enable user/path authentication.
22:32 <@ecrist> really, the best option is to just use certificates and issue them per device
22:33 <@ecrist> FWIW, ssl-admin makes this all really easy, with in-line certificates.
22:34 < MTecknology> interesting
22:35 < MTecknology> I created a repo for easy-rsa stuff (one group of stuff per cluster) and figured I'd worry about the rest later.
--- Day changed Sun Jan 15 2017
01:33 < MTecknology> TLS Error: TLS handshake failed  ... grrrr
01:35 < MTecknology> damnit... firewall
01:51 < MTecknology> Why can't there be an option for which interface to use?
01:56 < MTecknology> I'm going to probably need to include something like  "ip route add {{ salt['cmd.run']('dig ' ~ foo ~ ' +short', '') }} net eth1"
07:08 < r00tobo> Hi...does block-outside-dns option works under linux OS?
07:15 < ordex> the man says: "This option is considered unknown on non-Windows platforms"
07:15 < ordex> I'd say no :)
07:17 < r00tobo> so I think you have to set a manual dns servers on your linux box then
07:18 < r00tobo> thanks ordex ;)
07:18 < r00tobo> I just wanted to confirm that...because it must work under non-windows os too
07:21 < r00tobo> let's say for example if you're connected to a vpn and the internet service provider is blocking some major public dns servers that should be non-blocked when using a vpn right?
07:26 < r00tobo> ok so on the android is working !!
07:29 < ordex> r00tobo: if the traffic to the dns is going through the VPN, then I guess it would be unblocked - assuming that the VPN provider allows such traffic
09:03 < r00tobo> wonder why the openvpn connect on android is getting the dns servers from the vpn server O.O
09:03 < r00tobo> but it's not in linux openvpn 2.4.0
11:21 < stemid> is there some secret to mounting smb over openvpn on windows 7 clients? I mostly use my openvpn with fedora and macintosh clients and have no issues with mounting shares shared from my lan. but now I'm trying on a windows 7 client and tearing out my hair. the tap device is "public" and I've tried allowing both the tap IP and the LAN subnet in the firewall for the SMB in rule on the public scope.
11:21 < stemid> but I just get an error every time I enter the user credentials for the share.
11:22 < stemid> "user not allowed to login from this computer"
13:30 < KNERD> Tips on this? I got sever setup on my LAN, I can;t reach other clients connected, on the same LAN, or connecting from the outside:  Here is server.conf  http://pastebin.com/MjYgS5Za
13:52 < kitsune1> KNERD: What is meant by "I cant reach clients connected"? Does it mean clients can connect but you cant access those clients from the server through the vpn? Anyway, your server listens on a private IP 192.168.1.72 so to connect from outside you need a public IP that redirects port 1194 to this server IP. How's is that setup?
13:53 < KNERD> kitsune1: it means clients can connect, and send, and receive fine from the server, but clients cannot reach each other
13:54 < KNERD> outside is fine
13:54 < KNERD> meaning outside clients are connecting fine
13:57 < KNERD> I suspect this is the reason:   http://pastebin.com/TgPMq8ee   10.8.0.0 have no gateway listed, I am not familar with dealing with that
14:56 < kitsune1> KNERD: add client-to-client in server config -- note that clients are isolated from each other by default. This option causes the server route packets between clients.
15:00 < kitsune1> It will also push the required route to evey client.
15:01 < KNERD> kitsune1: it is in there
15:01 < KNERD> rout eis also in there
15:08 < kitsune1> KNERD: sorry I didn;t check the pastebin link --- a route to 10.8.0.0 through the tunnel should appear on all clients. No gateway listed is ok as the interface is listed.
15:08 < kitsune1> KNERD: sorry I didn't check the pastebin link --- a route to 10.8.0.0 through the tunnel should appear on all clients. No gateway listed is ok as the interface is listed.
15:12 < KNERD> kitsune1: how should " route to 10.8.0.0 through the tunnel" appear on let's say a windows client?
15:17 < kitsune1> KNERD: something like 10.8.0.0 255.255.255.0 on-link 10.8.0.x metric-value
15:18 < kitsune1> That was for subnet topo. If the topology is net30 it will show 10.8.0.x as gateway and 10.8.0.x+1 as interface
15:20 < KNERD> kitsune1: it is showing no value for as gateway
15:21 < kitsune1> KNERD: I guess on-link is shown as gateway on WIndows. Linux will just show * as the interface is listed as tun0
15:23 < KNERD> i dont have an client connected
15:24 < KNERD> I mena linux client
15:25 < kitsune1> KNERD: so?
15:26 < KNERD> it's in refernence to your "Linux will just show * as the interface is listed as tun0" statement
15:26 < KNERD> but no gateway listed in windows client
15:27 < kitsune1> Post the route on windows client when connected
15:28 < kitsune1> just the lines related to 10.8.0.0 network would do
15:30 < KNERD> http://pastebin.com/kfTtzqE3
15:30 < KNERD> Yeah I went ahead and posted all IPv4 routes
15:31 < kitsune1> route is fine -- see a few lines above where I wrote what to expect on Windows and it shows exatly as expected.
15:32 < KNERD> then maybe something in IP tables is not routing properly?
15:32 < kitsune1> iptables not involved in client-to-client -- packets are internally routed by openvpn
15:33 < KNERD> oh
15:34 < KNERD> well.anything else?
15:40 < kitsune1> hm... just checked on my win7 machine -- it shows two routes one with on-link as gateway and one with 10.x.0.1
15:41 < kitsune1> can you copy paste here the PUSH: ... PUSH_RECEIVED line from the client log?
15:43 < kitsune1> There should be one more line in the routes on windows: "10.8.0.1 255.255.255.0 10.8.0.1 10.8.0.3 metric"
15:44 < KNERD> okay
15:47 < KNERD> There is no "PUSH_RECEIVED" in the log... Howeer I do see  -> PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,explicit-exit-notify 3,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 20,ping-restart 60,ifconfig 10.8.0.3 255.255.255.0'
15:47 < KNERD> i think there is something more going on.  I have another windows client next to me also connected. It cannot ping the server, nor reach the internet
15:48 < kitsune1> KNERD: I have two routes because I added one into the config for testing this without realizing I also set client-to-client -- so there's no mystery there.
15:49 < kitsune1> PUSH_REPLY looks fine
15:50 <@krzee> KNERD: try to disable the windows firewall on the tap adapter on that client
15:50 < kitsune1> client loses internet when connected to vpn? as per your routes you are not sendingall traffic thru vpn, so that should not happen..
15:51 <@krzee> see if that helps you be able to ping the server?
15:51 < kitsune1> One issue tho -- you have added a route to 192.168.1.0 through vpn but that's your local network!
15:51 <@krzee> oh, since thats true theres something bigger going on
15:51 <@krzee> ohhh
15:51 <@krzee> !samesubnet
15:51 <@vpnHelper> "samesubnet" is (#1) clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway, or (#2) you can use --client-nat if on 2.3 to work around changing the subnet, but you should still just change
15:51 <@vpnHelper> the subnet
15:52 < KNERD> krzee: shit the firewall down altoghether with no change
15:52 < KNERD> kitsune1: what is that issue?
15:52 <@krzee> KNERD: ya i didnt realize what kitsune1 said... hes right
15:53 < kitsune1> KNERD: yes
15:53 < KNERD> oh.. I though you needed to do that if you have outside clients connecting
15:54 <@krzee> ill bbl =]
15:54 < kitsune1> If you want to make cleint side subnet available, look up howto use iroute on server
15:54 -!- mode/#openvpn [+v kitsune1] by krzee
15:54 <@krzee> if thats the case ^
15:55 <@krzee> !clientlan
15:55 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
15:55 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
15:55 <@krzee> (and especially !route)
15:56 <+kitsune1> KNERD: ^^ and anyway get client-to-client working first and then think of allowing access to client-side lan
15:57 < KNERD> i dont care if a client has lan side access, I just want to be able to connect to clients on the VPN
15:59 <+kitsune1> KNERD: Then remove the push route 192.168.1.0 from server config -- for that to work correctly you need iroute in a ccd
16:03 < KNERD> kitsune1: i did that, and topology subnet. Now the server cannot even ping the remote client
16:03 <+kitsune1> ping 10.8.0.3 from server should work, ping 192.168.1.x will not
16:04 < KNERD> I am pinging a client which is not on the plan at 10.8.0.4...no response
16:05 < KNERD> sorry.. not on LAN
16:05 < KNERD> when I had those two statements in there, I could ping
16:05 <+kitsune1> Which "Two" statements?
16:06 <+kitsune1> Only remove the push route "192..."
16:06 < KNERD> push "route 192.168.1.0 255.255.255.0"   and topology subnet
16:06 < KNERD> okay replacing the other
16:07 < KNERD> no change.. still cannot ping
16:07 <+kitsune1> keep topology subnet - if you remove that topo becomes net30 and ip addressing changes -- client ip wont be 10.8.0.4
16:07 <+kitsune1> let the client reconnect
16:08 < KNERD> okay..it did
16:08 <+kitsune1> can you ping from client to server?
16:08 < KNERD> I can ping again
16:09 < KNERD> i dont know. I have no access to it as it is not on location, however, I can now reach it's web interface. Thanks for all the help kitsune1:  and krzee:
16:09 < KNERD> whew.
16:09 <+kitsune1> whew of relief or frustration :)
16:10 < KNERD> I guess It will take some donations for someone to make the docs a little clearer on the site
16:10 < KNERD> yes
16:12 <+kitsune1> docs are clear once you have done it once..:) The only error in yoru config was pushing a route through vpn for your local subnet.
16:14 <@krzee> !route
16:14 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
16:14 <@krzee> if thats not clear, let me know
16:16 < KNERD> krzee: yes..that is clear...but... this is not  https://openvpn.net/index.php/component/content/article/65-open-source/general/89-2xhowto.html
16:16 <@vpnHelper> Title: OpenVPN (at openvpn.net)
16:16 < KNERD> The last step, and one that is often forgotten, is to add a route to the server's LAN gateway which directs 192.168.4.0/24 to the OpenVPN server box (you won't need this if the OpenVPN server box is the gateway for the server LAN).
16:17 <@krzee> oh thats not part of the community site, i have no access there
16:18 <@krzee> https://community.openvpn.net/openvpn
16:18 <@vpnHelper> Title: OpenVPN Community (at community.openvpn.net)
16:18 <@krzee> that's a lot more up to date
16:18 <@krzee> or at least i would expect it to be!
16:18 < KNERD> oh okay. thanks for that. I will bookmark that
16:18 <@krzee> np
16:19 <+kitsune1> KNERD: that's for letting server-side lan clients to access the server -- it doesnt ask you to push a route
16:19 <@krzee> the howto you posted is still good tho, but it could certainly use an update
16:20 <+kitsune1> s/server-side/client-side
16:20 <@krzee> it's still recommended reading, even tho the cert management is outdated, and 2.4 has a lot of awesome features that are not mentioned there
16:20 <@krzee> hell, 2.3 has cool features that should be mentioned there (topology subnet for example)
16:21 < KNERD> oh?
16:23 <@krzee> !topology
16:23 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
16:23 <@krzee> !/30
16:23 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
16:28 < KNERD> hmm
16:33 < misterxyz> Hi there
16:35 < misterxyz> i have a problem with apt update due to a wrong tine format in an file provided by openvpn, is this a common bug?
16:35 < misterxyz> *time
16:37 < misterxyz> apt complains about JST time format, looks like it needs UTC tine format to work properly
17:08 < Olufunmilayo> question. On debian when you are using openvpn to connect to a vpn what is the purpose of arping? I do not understand why it is necessary for the tunnel
22:21 < Criggie> Is there a client keyword for OpenVPN that I can use to ignore the OpenVPN server's DNS server offering ?
22:22 < Criggie> on my linux client I simply made /etc/resolv.conf immutable, but that's not possible on a windows client.
22:22 < Criggie> In this case I don't have access to the openvpn server configs.
22:22 < Criggie> any thoughts?
22:24 <@krzee> Criggie: in linux you just dont run the up script, since openvpn doesnt actually set dns servers in linux, but you run an --up script to grab the dns server vars and apply them
22:24 <@krzee> 2.4 is capable of ignoring whatever you want
22:24 <@krzee> !ignore
22:24 <@krzee> hmm
22:24 <@krzee> lemm look
22:24 <@krzee> !man
22:24 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
22:26 <@krzee> ok, see --pull-filter in the manual
22:27 <@krzee> !learn ignore as see --pull-filter in the manual (!man) to see how to have the client filter what it allows the server to push to it
22:27 <@vpnHelper> Joo got it.
22:31 < Criggie> nice - thanks everyone.  My google-fu wasn't being much good
22:34 <@krzee> no problem
22:38 < Criggie> WOOT that worked perfectly!    adding a line of        pull-filter ignore "dhcp-option DNS "
22:38 < Criggie> to my client config file did the trick
22:39 <@krzee> good job
--- Day changed Mon Jan 16 2017
00:21 < axsuul> is port 443 required for the openvpn server?
00:23 < Criggie> nope
00:23 < Criggie> it used to use 1194 by default, but you can use any free tcp or udp port.
00:23 < axsuul> what about the tls handshake?
00:23 < axsuul> doesn't that use port 443?
00:23 < Criggie> 443/tcp is often allowed out through restrictive firewalls.
00:24 < cyberanger> It's whatever port you set it to.
00:24 < Criggie> you *can* use 443/tcp but you don't have to.
00:24 < axsuul> alright, interesting. it's just that I'm getting tls handshake errors (key negotation failed to occur within 60 seconds)). I don't have port 443 forwarded to my openvpn server, only 1194 (which is the port set in the config)
00:25 < Criggie> okay - 443 is a red herring.   60 seconds is the time the server/client wait before giving up
00:25 < Criggie> so can you tell us about your setup ?
00:26 < axsuul> sure thing, i'm on a freeNAS and openvpn is installed within a jail. i followed this tutorial: https://www.kirkg.us/posts/running-an-openvpn-server-in-a-freenas-910-jail/
00:26 <@vpnHelper> Title: Running an OpenVPN server in a FreeNAS 9.10 jail | kirkg.us (at www.kirkg.us)
00:26 < Criggie> ok - what's your firewall ?
00:26 < axsuul> ipfw
00:27 < Criggie> can you run tcpdump on it ?
00:27 < Criggie> can you run tcpdump in the jail on the freenas box ?
00:27 < axsuul> apologies, i've never done that before. anything specific?
00:27 < axsuul> or you mean
00:27 < Criggie> well, something is stopping packets.  Using tcpdump you can see if the packets are getting through or not
00:27 < axsuul> keep it running, and try to initiate the openvpn connection again?
00:27 < Criggie> yes
00:28 < Criggie> when you connect, are you coming in from the internet or in from a LAN-attached device ?
00:28 < axsuul> coming in from the itnernet
00:28 < axsuul> internet*
00:28 < cyberanger> Before thinking packets, think cipher settings, along those lines for a mismatch
00:28 < Criggie> cool - that helps.
00:28 < axsuul> since I'm using UDP however, would tcpdump be relevant?
00:29 < Criggie> yeah - the error is failed to connect in 60 seconds
00:29 < Criggie> totally
00:29 < axsuul> I'm not seeing anything in tcpdump, however
00:29 < Criggie> on your freenas host, get to a shell and run       tcpdump -nn -i any port 1194
00:29 < Criggie> and see what happens when you connect
00:30 < cyberanger> I believe I've seen that before when it was a cipher mismatch too, it did technically fail to sucessfully connect in 60 seconds.
00:30 < Criggie> fair call and good point.
00:31 < axsuul> sorry, is "any" in that command by mistake?
00:31 < axsuul> or what does that refer to?
00:31 < cyberanger> -i = interface
00:31 < cyberanger> -i any = any interface
00:31 < axsuul> oh i see
00:32 < axsuul> gives any: No such device exixsts
00:32 < Criggie> okay
00:32 < Criggie> do you know what interface name freebsd has given the NIC ?
00:32 < Criggie> em1 or xl0 or re0
00:32 < Criggie> something like that
00:33 < axsuul> I suppose it's epair12b (ifconfig)
00:33 < Criggie> could be
00:33 < axsuul> ok now I'm seeing stuff!
00:33 < axsuul> lot's of UDP stuff
00:33 < Criggie> ok its all port 1194 because you put that in the command
00:33 < Criggie> use ^C to stop it
00:34 < cyberanger> Criggie: When I leave it out, I get the interface relating to my default route (but idk if that's just debian or not)
00:34 < axsuul> Criggie: so not a firewall issue?
00:34 < Criggie> cyberanger: yeah but this is freebsd, underneath freenas
00:34 < Criggie> axsuul: I'm surprised you're seeing a lot of traffic.  Is someone else connected ?
00:35 < cyberanger> Criggie: Exactly, I think it's default tcpdump behaviour. But I did want to disclaimer in case.
00:35 < axsuul> Criggie: nope don't think so
00:35 < cyberanger> axsuul: how many packets captured?
00:35 < Criggie> cyberanger: FYI the BSDs are picky - you can't put -nn at the end, all the options have to be before the parameters.
00:36 < axsuul> Criggie: 26 packets captured, 219 packets received by filter
00:36 < axsuul> this is my vpn client connecting and retrying
00:36 < axsuul> indefinitely, however
00:37 < Criggie> okay cool
00:37 < Criggie> so you see packets in both directions?
00:37 < Criggie> IE with the two IP addresses swapped over
00:37 < cyberanger> Criggie: yeah, aside from pfsense, it's been a few years since I've done anything substancial with BSD.
00:37 < Criggie> source:port --> destination:port
00:38 < Criggie> cyberanger: it doesn't change very fast :-)
00:38 < axsuul> Criggie: I believe so, here's the output: https://gist.github.com/anonymous/873e622d89a3713068c512f78aab1975
00:38 <@vpnHelper> Title: gist:873e622d89a3713068c512f78aab1975 · GitHub (at gist.github.com)
00:39 < axsuul> I guess it's not switched
00:40 < axsuul> Criggie: so openvpn is on 192.168.2.110
00:40 < Criggie> axsuul: so there are two devices trying to connect ?
00:40 < Criggie> 192.168.2.1 and 192.168.2.168 ?
00:40 < axsuul> Criggie: nope, shouldn't be, 192.168.2.1 is my router
00:40 < Criggie> ans 192.168.2.110 is your freenas box IP.
00:41 < axsuul> 192.168.2.110 is my openvpn jail
00:41 < Criggie> OK cool
00:41 < cyberanger> Criggie: also worth mentioning is ta.key
00:41 < axsuul> I also have TLS disabled
00:41 < axsuul> so not using ta.key
00:41 < Criggie> axsuul: what's .168 ?
00:42 < cyberanger> and yeah, it's not FreeBSD, it's my memory, as I've shifted to one platform, I've forgotten bits of the others.
00:42 < cyberanger> axsuul: ta.key disabled in client and server configs?
00:42 < axsuul> Criggie: it's my client, however, even though I'm using an external IP to connect, somehow it's using the internal IP
00:42 < Criggie> axsuul: okay that's your problem
00:42 < axsuul> cyberanger: both
00:43 < Criggie> axsuul: the packets are going asymmetcially and screwing with connection tracking.
00:43 < axsuul> yep
00:43 < Criggie> axsuul: can you disconnect from the lan completely ?
00:43 < Criggie> wait
00:43 < Criggie> were you just using your external IP from inside teh LAN ?
00:43 < Criggie> that's not a good test
00:43 < axsuul> Criggie: yep that's right
00:43 < Criggie> well that's not testing from the internet is it ?
00:43 < Criggie> OK
00:44 < axsuul> ah, i always assumed it went out into the cloud and then back
00:44 < axsuul> is that not the case?
00:44 < Criggie> well no - the server is replying directly
00:44 < Criggie> taking the shortest path
00:44 < cyberanger> It'll go to the router, but not out past router
00:44 < axsuul> ah interesting, so the router handles that magic
00:44 < Criggie> edit your config and simply put in the 192.168.2.110 IP address as your server.
00:44 < cyberanger> if your client is using the external ip
00:44 < Criggie> At least until you get it connected.
00:44 < axsuul> ok using my hotspot to try this
00:44 < Criggie> You have cheap cellular data?
00:45 < axsuul> yep, on an unlimited plan grandfathered to verizon :)
00:45 < Criggie> I get 100 Mbytes a month.
00:45 < Criggie> I work for a verizon company :-\
00:45 < axsuul> Whoa only 100?
00:45 < Criggie> yup
00:45 < Criggie> enough for strava but not much more.
00:46 < axsuul> what, that's insane
00:46 < axsuul> is that free data or something you paid for?
00:46 < Criggie> Yeah but I'm not in the US either.  WIN*  :-)
00:47 < axsuul> ah gotcha, whereabouts?
00:47 < Criggie> I'm in New Zealand
00:47 < Criggie> is about 19:38 here, on Monday evening
00:47 < axsuul> ah very nice
00:47 < axsuul> i've been to auckland before :)
00:47 < cyberanger> Canada's plans are kind of poor too, at least from the prepaid side.
00:48 < axsuul> yea, prepaid I think in US is garbage too but for some reason, I find myself in a third world country like Thailand where the prepaid is pennies on the dollar with tons of data
00:49 < Criggie> yup - cellcos charge what they can get away with.
00:49 < cyberanger> T-Mobile and AT&T offer (throttled) unlimited with unlimited international roaming here.
00:49 < Criggie> which is kinda useless if you don't go international
00:50 < cyberanger> Vice Versa, cost is higher,
00:50 < Criggie> people who can afford that don't really need to worry about the cost ofd their data
00:50 < cyberanger> true, but I am on, and cross the border a bit.
00:50 < Criggie> oh yeah - land boarders.
00:50 < Criggie> land borders even
00:50 < cyberanger> Right, NZ you kind of know when your leaving the area.
00:51 < cyberanger> And I can catch the other sides towers with bleed over too
00:51 < Criggie> 1633 km of water between NZ and AU and who'd go there by choice?
00:51  * cyberanger raises hand
00:51 < cyberanger> Granted, I'd go anywhere.
00:52 < Criggie> 10,300 km to california
00:52 < Criggie> bit of a swim....
00:52 < Criggie> anyway - back to openvpn
00:52 < cyberanger> axsuul: if you could use your cell to test vpn over internet, give you a real idea.
00:52 < cyberanger> but Criggie is right, test the lan first.
00:53 < cyberanger> that way we can rule out a lot of things first.
00:53 < Criggie> be quicker too, and not depend on the firewall's NAT being right
00:53 < tx> Criggie: who'd go where?
00:54 < Criggie> I'm putting the boot into aussies for being aussies.  They can't help it.
00:55 < Criggie> tx: its a trans-tasman thing.
00:55 < tx> to kiwiland?
00:55 < tx> I'd never.
00:55 < tx> :)
00:55 < Criggie> uh huh.
00:55 < tx> What's the point it's just a smaller, inferior AU with more annoying people. :D
00:56 < Criggie> tx: quality not quantity.
00:56 < Criggie> how do you make an aussie geek cry?
00:56 < Criggie> say "NBN"
00:57 < tx> how do you make a kiwi cry?
00:57 < tx> Cut the single cord that plugs them into the net.
00:57 < Criggie> yeah there is that
00:57 < Criggie> note it goes nowhere near australia
00:57 < tx> Not technically true though
00:57 < Criggie> okay yeah
00:57 < tx> it goes from AU to NZ to ..
00:57 < tx> Hawaii?
00:57 < tx> I dunno
00:57 < Criggie> the southern cross cable is in two legs from hawaii
00:57 < tx> somewhere north lol
00:58 < tx> yeah
00:58 < Criggie> its a triangle with redundancy
00:58 < cyberanger> Thought there was a New one to HK and Singapore now
00:58 < tx> there is
00:58 < tx> but not to NZ
00:58 < tx> it goes via Australia which makes sense considering its path
00:58 < Criggie> well the NBN made all sorts of "high speed internet to the home" promises
00:58 < tx> Yeah
00:58 < tx> and hey
00:59 < Criggie> and its dragging out and becoming more diluted
00:59 < tx> at least we have it
00:59 < tx> (partially at least) :P
00:59 < Criggie> I can have "gigabit" fibre to the home.
00:59 < tx> so can I
00:59 < Criggie> not many aussies can.
00:59 < tx> not all kiwis can
00:59 < cyberanger> I have whatever the dish or cell put out.
00:59 < cyberanger> or the wifi antennas
01:00 < Criggie> "all" != "many"   stop juggling pointy words, you'll cut yourself.
01:00 < cyberanger> axsuul: all good?
01:00 < axsuul> sorry, I'm back. they block IRC on my cell connection
01:00 < Criggie> axsuul: any progress ?
01:00 < axsuul> so it connects, wohooo
01:00 < axsuul> but there's no internet
01:00 < Criggie> axsuul: they block IRC on your cell link ?  that's really weird.
01:01 < axsuul> yea, unfortunately :/
01:01 < Criggie> I'm surprised OpenVPN connected then, if the cellco is being that snippy.
01:02 < cyberanger> Criggie: Verizon policy, it's a port restriction only.
01:02 < Criggie> but openvpn is allowed through?
01:02 < axsuul> but nothing works after I connect, typing local addresses in browser, whatismyip.com doesn't resolve
01:02 < cyberanger> Yes, different port
01:02 < Criggie> perhgaps its a trojan bot control thing where they block 6660-6669 ?
01:03 < cyberanger> Criggie: range maybe off, but that's the arguement.
01:03 < Criggie> so they block port 25/tcp outbound too?
01:03 < cyberanger> really it's a money grab (business users can ask for it off)
01:03 < cyberanger> I tell ZNC to listen on 65432 and no issues (or connect via my VPN)
01:04 < Criggie> and 123/udp and 53/udp out too ?
01:04 < axsuul> cyberanger: damn, i use ZNC, why didn't I think of that
01:04 < axsuul> but I connect on port 5000
01:05 < cyberanger> axsuul: ssl?
01:05 < axsuul> nope
01:05 < cyberanger> axsuul: I'm using ssl, maybe they got smarter, or maybe 5000 is filtered for another reason
01:05 < axsuul> ya i should try another port
01:06 < cyberanger> Criggie: they may do something to force 53 to their dns servers, unsure on ntp
01:06 < cyberanger> axsuul: I told you the exact port WITH ssl that works for me ;-)
01:06 < axsuul> i have a good feeling that'll work for me too :p
01:07 < cyberanger> Criggie: Welcome to America, where things trump me
01:07 < Criggie> cyberanger: that would be NAT of some kind.
01:07 < cyberanger> err stump me
01:07 < Criggie> cyberanger: -grin- get a hold of your hairpiece dude.
01:07 < cyberanger> (there's a reason I'm trying to stay on the CAN side lately)
01:07 < Criggie> thats what happens when you elect an oompa-loompa
01:09 < cyberanger> axsuul: so no internet, but can you do that and then move around inside the network
01:10 < axsuul> cyberanger: yea nothing works, not even the internal network.. can't ssh using internal IPs, etc
01:10 < axsuul> cyberanger: hmm what do you mean by moving around inside the network?
01:10 < cyberanger> By your answer, think you understood what I meant fine.
01:11 < Criggie> axsuul: does your client get a route to your LAN IP range when connected ?
01:11 < cyberanger> ssh into the vpn server, or anything like that.
01:12 < axsuul> Criggie: i dont' believe so -- not even 192.168.2.1 worked which is my router
01:12 < axsuul> in my config
01:12 < axsuul> I have: push "route 192.168.2.0 255.255.255.0" set
01:13 < axsuul> could this be the culprit?
01:14 < axsuul> hmm will try something
01:15 < cyberanger> well, to route traffic it's more than openvpn.
01:15 < cyberanger> Criggie: guessing FreeBSD doesn't have ip forwarding on by default either?
01:15 < cyberanger> I'm sure a pf rule too
01:32 < axsuul> cyberanger: Criggie: is it possible to connect via my VPN and access all devices as I would do if connected locally (via 192.168.2.x)?
01:33 < axsuul> i.e. 192.168.2.50 is my printer locally but I would also be able to access the printer using 192.168.2.50 while connected to the VPN
01:36 < cyberanger> Can it be done, yes.
01:36 < cyberanger> But the OpenVPN server is FreeNAS, something I'm not familiar with.
01:37 < axsuul> ah
01:37 < axsuul> thanks
01:37 < cyberanger> axsuul: I've done it personally, a step further actually. I've got my grandparents, parents and my own network tied to one vpn network.
01:38 < axsuul> cyberanger: wow, that's awesome, are they always connected?
01:39 < cyberanger> Yes, provided the RasPi's are powered on.
01:41 < axsuul> cyberanger: what' are some advantages of having them all on the same VPN?
01:42 < cyberanger> My case, It was simply ease of configuration.
01:45 < Criggie> axsuul: I've never worked with jails in freenas.
01:45 < Criggie> axsuul: you'll need to either nat all OpenVPN traffic behind the jail's .2 network IP
01:46 < Criggie> or add routes back to the OpenVPN IP range via 192.168.2.110 IP
01:46 < Criggie> Generally speaking, putting the VPN server on the firewall device is far more common.
01:47 < axsuul> Ah interesting, I know my router has a VPN server, but is that usually inferior to something to what I'm doing?
01:47 < Criggie> yeah - pptp at a guess, and that needs to die
01:49 < cyberanger> Could be OpenVPN on newer routers
01:49 < Criggie> maybe - that would be nice
01:49 < Criggie> Personally I'd look at pfsense as a firewall, but that doens't always suit.
01:49 < axsuul> yep i have OpenVPN on my asus router
01:49 < cyberanger> Alot of newer Buffalo & Asus routers have it.
01:50 < axsuul> but it doesn't feel that configurable
03:24 < wyseguy> I have a openvpn connection between 2 edgemax routers and the link is up on both ends, have hairpin nat enabled on both routers, but cat ping ip"s on the other router from the 1st router and vice versa.
03:55 <@plaisthos> I have no idea what hairpin nat is supposed to be
03:57 < wyseguy> its basically nat loopback
04:29 < obinoob> hi I'm having some troubles accessing company services through openvpn from 192.168.1.0/24 to company who has the same network 192.168.1.0/24
04:30 < obinoob> is it possible to route all traffic through vpn without having to change the local network address?
04:33 < obinoob> is it possible to route traffic via tunnel from 192.168.1.0/24 to 192.168.1.0/24 ?
04:34 < BtbN> no
04:38 < obinoob> BtbN so even if I change the company network to another range I can always have collision if the client network is in the same network range?
04:39 < BtbN> what?
04:40 < BtbN> You simply can't have the diffrent networks with overlapping network addresses.
04:40 < BtbN> It's impossible to define proper routes.
05:18 <@dazo> obinoob: overlapping networks are really painful and hard.  THere's a hack in OpenVPN you might be able to use to circumvent this though ... --client-nat
05:21 < obinoob> @dazo any docs?
05:22 <@dazo> !man
05:22 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
05:23 < obinoob> Thank you very much
05:26 < obinoob> @dazo should I use dnat over snat?
05:28 < obinoob> I guess dnat right?
05:28 < obinoob> once is one to client to the network there is no need for snat
05:29 < obinoob> *one client
05:31 <@dazo> snat vs dnat depends on what you want to nat ... the source or destination IP
06:22 < MichaelGG> hey there, im trying to write a dissector for openvpn. I'm confused as to the format of the control packet/key exchange. I understand the key methods, key source, options list, user/pass, and peer info. But after the peer info ends, there's 32 bytes of data without any structure i can tell (no length prefix)
06:23 < MichaelGG> its on every tls plaintext packet - client or server, key exchange or PUSH_REQUEST/REPLY
06:30 <@dazo> MichaelGG: have you had a look at the openvpn dissector code in Wireshark?
06:31 < MichaelGG> it doesnt dissect these packets as far as i can tell. Because they are usually inside TLS - im seeing it because i set TLS cipher to nul
06:32 <@plaisthos> tls-cipher nul will probably not work at all
06:33 <@plaisthos> unless you have patched openssl/mbed tls librariers
06:33 <@plaisthos> cipher null only affects the data packets
06:34 <@plaisthos> for < 2.4 you might have some luck by giving the dissector the server.key/server.pem to decrypt the tls stream
06:34 < MichaelGG> yeah it works - I get tls_rsa_with_null_sha256
06:34 <@plaisthos> but 2.4+ will per defualt enforce PFS ciphers
06:34 < MichaelGG> oh hmm. you know, sha256 is 32 bytes. so maybe wireshark is including the mac in the "app data".
06:34 < MichaelGG> thats probably it.
06:35 <@plaisthos> yeah
06:35 < MichaelGG> - that feel when youve spent 90 minutes trying to find something in source that wont be there.
06:35 <@dazo> MichaelGG: poked a little bit around ... it seems to be 32bits of packet ID and a timestamp follows ... each of them are 32 bits
06:35 <@plaisthos> it is like rubber duck debugging you just did there :P
06:35 < MichaelGG> hah yah
06:35 <@plaisthos> tell someone (or a rubber duck) your problem and solve it yourself by doing that
06:36 < MichaelGG> dazo the packet id is in the envelope though right? the openvpn layer
06:36 <@dazo> MichaelGG: then there is a packet-id array .. first an array length is provided (8 bits), then X number of 32 bits of packet IDs .... that is part of the packet replay protection, iirc
06:36 < MichaelGG> right but that comes before the TLS ciphertext
06:36 < ordex> maybe another hack would be to restrict your local LAN to your IP/32 and a forwarding/routing rule for your GW only
06:36 < ordex> this way the rest of the /24 should be routed over the VPN
06:37 <@dazo> MichaelGG: right ... after these fields I mentioned here, comes the payload itself
06:37 < ordex> this was for obinoob - but he is gone - sorry
06:40 < MichaelGG> dazo plaisthos bah it is the TLS MAC. Wireshark shows it as part of the encrypted app data
06:40 <@dazo> MichaelGG: so to summarize: It is OPCODE (5 bits), key_id (3 bits), session ID (64 bits), HMAC (128-512 bits, depending on HMAC algorithm), packet ID (32 bits), timestamp (32 bits), Packet ID array length (8 bits), N times Packet ID array elements (32 bits), and then the payload
06:40 < MichaelGG> I switched to NULL-SHA and now its a 20 byte ending
06:40 < MichaelGG> dazo right but to dissect the actual payload of a TLS packet
06:40 < MichaelGG> like the actual key method 2 exchange and push options etc
06:42 < MichaelGG> It's more of a bug in Wireshark's tls dissector. it shouldnt include the MAC/padding as part of the data itself. But I guess looking at null cipher TLS is uncommon enough no one has bothered to fix it up.
06:42 <@dazo> MichaelGG: the TLS part of the packet is inside the payload when the OPCODE is 1, 2, 3, 4, 5, 7 or 8 (which is control channel opcodes) .... OPCODE 6 and 9 are data channel opcodes (the payload contains tunnelled network traffic)
06:43 < MichaelGG> right so opcode 4 just means "tls payload" and has no further info. and that format doesnt seem super well documented
06:44 <@dazo> opcode 4 is CONTROL_V1 ... so that is the core TLS payload, indeed
06:44 < MichaelGG> like https://openvpn.net/index.php/open-source/documentation/security-overview.html doesnt mention that after user/pass there's the peer info
06:44 <@vpnHelper> Title: Security Overview (at openvpn.net)
06:44 <@dazo> that page most likely is not up-to-date
06:44 <@dazo> I've spent some time digging into this, as I'm drafting an RFC of the wire protocol ... nothing ready to be shared yet, but it is a work in progress
06:45 <@dazo> Documenting Peer Info is still on my todo list ;-)
06:45 < MichaelGG> i cant seem to find PUSH_REQUEST or PUSH_REPLY formats either, but they just seem like null-terminated strings
06:45 < MichaelGG> dazo awesome
06:45 <@dazo> that's also details I need to dig into as well
06:45 <@dazo> I've probably managed to draft around 20-25% of the protocol so far
06:46 < MichaelGG> and i guess since the push only happens once, it doesnt need any identification? it's the only thing the client can send after the key exchange msg
06:46 < MichaelGG> nice
06:46 <@dazo> well, pushes may appear later on as well .... like AUTH_FAILED, if a session is closed on the server side
06:47 <@dazo> but I don't think it requires the client to first send PUSH_REQUEST, the server just sends PUSH_REPLY,AUTH_FAILED ... or something like that
06:47 < MichaelGG> oh hm. so how are those identified vs key exchange?
06:48 < MichaelGG> guess the key exchange start with 0
06:49 <@dazo> I'm on really thin ice right now ... as I've not dug too much into those aspects yet
06:49 < MichaelGG> ok. well those other packets seem to just be a single nul-term ascii string. so no big deal
06:49 <@dazo> :)
06:50 < MichaelGG> the doxygen overviews are a lifesaver i must say
06:51 <@dazo> MichaelGG: have a look at both the send_push_reply() and those places calling this function in the openvpn code, that will give you some ideas here
06:51 < MichaelGG> ok cool, thanks
06:51 <@dazo> the doxygen stuff is truly wonderful! ... very thankful for Fox-IT, NL who did that job!
11:55 < xybol> Need help.  I run arch linux.  Ran update and openvpn broke.  I have started from the begigng and having a bitch of a time getting it running.  Using XCA to build keys.    Trying to connect win10 to home server via openvpn.  Keep on getting TLS errors Not sure what Is wrong in the server.conf or my .ovpn file
12:43 <@ecrist> xybol: are you using an arch linux package?
12:43 <@ecrist> we don't maintain those, so you might have to talk to the packager.
12:43 < xybol> Yes
12:43 < xybol> 2.4 now
12:43 <@ecrist> there's quite a few changes in 2.4
12:43 <@ecrist> !logs
12:43 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
12:45 < xybol> From what I can tell. It should have been as simple to move everything to /etc/openvpn/server and it should have worked.   starting my systemctl differnlty.
12:45 < xybol> right now i am simply doing openvpn server.conf to test
12:45 < xybol> unless that might be my issue also
12:45 < xybol> I am trying to figure out how to pastebin.  Give me a minute
12:53 < xybol> http://pastebin.com/RLthEzzE
12:53 < xybol> ecrist: http://pastebin.com/RLthEzzE
12:54 <@dazo> xybol: check the Changes.rst file ... dunno if it is shipped in the arch package, but it is at least in the git repos (github or gitlab will nicely format it)
12:54 <@ecrist> wait, you said arch linux, you sent me a log for Windows
12:55 <@dazo> https://gitlab.com/openvpn/openvpn/blob/master/Changes.rst
12:55 <@vpnHelper> Title: Changes.rst · master · OpenVPN / openvpn · GitLab (at gitlab.com)
12:55 < xybol> Yeah, i wasn't sure which log you wanted
12:56 <@dazo> xybol: and please read the Deprecated features and User-visible changes in particular
13:02 < xybol> REad both of those.
13:02 < xybol> I think the issue is something in my server.conf or my .ovpn file on my laptop
13:03 < xybol> should I pastebin both of the configs?
13:16 <@dazo> !all
13:16 <@vpnHelper> "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
15:13 < gmc> hi folks.. i'm following up on a message in my openvpn log file to use another cipher, but using 'cipher AES-256-CBC' in both server & client gives me 'cipher_ctx_final:575: CIPHER - Decryption of block requires a full block' and 'Authenticate/Decrypt packet error: cipher final failed'
15:13 < gmc> am i missing something?
16:13 <@dazo> gmc: ouch ... that's a nasty one ... looks like your packets have been truncated
16:13 <@dazo> !configs
16:13 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
18:07 -!- Vampire0_ is now known as Vampire0
18:37 < axsuul> anyone familiar with running openvpn on freenas? I'm getting no internet and can't ping local network devices while connected
18:52 < w9qbj> axsuul, can you ping anything else on the local net (192.168.x for instance
18:53 < axsuul> w9qbj: nope gives Request timeout, but pinging 10.8.0.1 works
18:53 < w9qbj> axsuul, oops see your second line - dumb question on my part.  But others have asked about routing to the local net. I don't have the answer but am looking for it too.
18:54 < w9qbj> axsuul, not a priority on my part - yet. So I haven't looked too actively for the ans.
18:55 < axsuul> w9qbj: no problem, thanks for chiming in :)
18:55 < axsuul> i think this might be an issue with freenas + jails not working correctly for openvpn
18:57 < Criggie> axsuul: FYI there is #freenas too.
18:58 < w9qbj> axsuul, Yes  #freenas is on Freenode
18:59 < axsuul> thanks, i'm there too :)
19:04 < axsuul> Criggie: w9qbj: bingo, just got it working
19:04 < axsuul> was playing around with ipfw and now I can access everything locally + internet
19:04 < axsuul> is not using tls ok enough for secureness?
20:17 < zerohimself> !welcome
20:17 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
20:17 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
20:17 <@vpnHelper> you
20:18 < zerohimself> so i gotta ask.. is it a newb mistake to install openvpn client, and now my win10 box is pretty much a networkless brick?
20:19 < zerohimself> first time i ever netbricked a device. lol
20:22 < Criggie> zerohimself: that sounds.... odd
20:22 < Criggie> zerohimself: are you installing remotely ?
20:24 < zerohimself> you know what.. i downloaded my routers openvpn config file, and applied it.. now all seems to be well
20:25 < zerohimself> i mean it hung everything though.. no network settings... no browsing.. hell it took 2 hours to shutdown.. it was fight all day (and yes i reverted to a backup and tried again, same result)
20:25 < zerohimself> weird
20:38 < Criggie> zerohimself: hmmm is this box a bit messed up already?
20:47 < zerohimself> no, it's not
20:48 < Criggie> so you're just installing openvpn?  Or it goes nuts when you connect openvpn ?
20:48 < Criggie> if its the latter, can you share your config file ?
20:49 < zerohimself> i installed the client.. went to work.. (forgot to d/l my config file from my router), network was borked, couldn't even shut the machine down or access any network settings..
20:49 < zerohimself> so i restored from yesterdays backup
20:50 < zerohimself> reinstalled openvpn same thing
20:50 < Criggie> okay - where did you get the client from?  I wonder if its trojaned
20:50 < zerohimself> used my rpi to d/l the openvpn config file, and imported it...
20:50 < zerohimself> now it works... let me find link, and upload to virustotal and i'll tell ya :)
20:51 < zerohimself> https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.0-I601.exe
20:52 < zerohimself> hmmm.
20:52 < zerohimself> it says 1/56 detected virus.. might just be a falsie...
20:52 < zerohimself> https://virustotal.com/en/file/e355a164ba6bec583401126c54b12a2fefba2851b264f08a09b1374fc8c987c4/analysis/
20:52 <@vpnHelper> Title: Antivirus scan for e355a164ba6bec583401126c54b12a2fefba2851b264f08a09b1374fc8c987c4 at 2017-01-17 01:30:51 UTC - VirusTotal (at virustotal.com)
20:53 < zerohimself> got it off of openvpn.. i think it's a falsie
20:54 < zerohimself> upon importing my (first ever) config file, everything started working normally again
20:54 < zerohimself> OH
20:54 < zerohimself> shit, i have privateinternetaccess installed on the same machine...
20:55 < zerohimself> i believe it uses a openvpn client... maybe i had 2 adapters fighting...
20:55 < zerohimself> but i never even got to the point of opening PIA.. heck i couldn't even open that windows menu
20:57 < zerohimself> well, i'll check back in, in a little... got a odroid i have to reflash that i'm currently chatting with you on...
21:21 < Criggie> zero: yeah some providers screw with openvpn so they could easily be arguing.
21:33 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 256 seconds]
21:37 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
21:37 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Tue Jan 17 2017
00:41 < axsuul> is it still secure if I'm not using tls?
00:41 < skyroveRR> axsuul: wut?
00:42 < axsuul> i have tls-auth disabled
00:42 < axsuul> is openvpn still secure without that?
00:42 < skyroveRR> Depends on how you define "secure".
00:42 < skyroveRR> tls-auth just adds another wall around openvpn
00:44 < axsuul> gotcha
00:44 < axsuul> thanks
07:29 < freesky> Hi all! This is the first time I'm asking help there.
07:29 < freesky> I have OpenVPN server which is connected to our organisation gateway. Server have one NIC with global IP address and gateway assigned to it. From this host I could reach our LAN which is the 172.16.0.0/12. With help of ##networking guys I understand that routing to the 172.16.0.0/12 network is done by default gateway (with global IP assigned). Now I wonder how to provide access to the 172.16.0.0/12 network for clients connected. On my test-bed setup I hav
07:29 < freesky> Thank you for any advice!
07:34 < freesky> !heartbleed
07:34 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl, or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised., or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected., or (#4)
07:34 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed, or (#5) http://xkcd.com/1354/
07:36 <@dazo> !serverlan
07:36 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
07:36 <@dazo> freesky: ^^^
07:38 < freesky> thank you, i'll try this
07:42 < freesky> as I understand if I simply use push "route 172.16.0.0 255.255.0.0" it will work properly with external default gateway for VPN server?
07:43 <@dazo> "default gateway" means "everything" .... but, adding that push route, will route traffic to any IP address that particular subnet via the VPN tunnel
07:43 < freesky> my default gateway understands when I want to access 172.16.0.0/12 network and routes me properly - i can access hosts of this LAN from VPN server machine
07:44 <@dazo> default gateway is used when there exist no explicit route, then traffic is sent via the default gateway
07:44 <@dazo> j12t: j12t_: j12t__: please fix your client!
07:44 <@dazo> (or connection, or whatever your issue is)
07:45 < freesky> my VPN server machine have no explicit route to the 172.16.0.0/12 subnet however NIC is connected to the same physical network. Default gateway performs all routing
07:48 <@dazo> freesky: you need to get a grip of the terminology here .... and if your physical NIC is connected to a subnet in the 172.16.0.0/12 range, then you do have an explicit route for that subnet
07:49 -!- tx is now known as trublu
07:49 -!- trublu is now known as tx
07:51 < freesky> Ehmm... Our VPN server have only one NIC which is connected to the same physical network as other workstations. Every workstation obtains it's address via DHCP from 172.16.0.0/12 network. Previous network admin manually set external global ip address to VPN server's NIC (and external gateway, too). This IP address have no in coomon with 172.16.0.0 network. But I could reach workstations from this LAN by they 172.16.xxx.yyy address. As I understood the afo
07:51 < freesky> *common
07:53 < freesky> there are no explicit route to the 172.16.0.0 network because the only one NIC on VPN server machine have no IP from 172.16.0.0/12
07:53 <@dazo> freesky: so you have a box on an internal net with both a public and private IP address on the same NIC?
07:53 < freesky> no, only public IP
07:53 < freesky> I could connect to this host via that public IP
07:53 < freesky> i can't see any private IP on these interface
07:54 -!- mode/#openvpn [+b *!*@162.119.128.*] by dazo
07:54 -!- j12t_ was kicked from #openvpn by dazo [j12t_]
07:56 <@dazo> freesky: Sorry, I gotta run in a few minutes ... and this will take a bit too long to dig into right now
07:56 < freesky> Anyway, thank you a lot!
09:03 < Queenslayer> Hi guys, are you guys allowed to recommend VPN providers?
09:03 < Queenslayer> For those of us who can't find the time to configure our own
09:06 < Queenslayer> !welcome
09:06 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
09:06 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
09:06 <@vpnHelper> you
09:14 < mipo01> Hi guys, I have 2 OpenVPN servers I would like to connect from one client. That's easy. But sometimes one of the connections drops and I would like to figure out which adapter so I can restart only that one. How can I match the tunX to .conf ? Thanks!
09:44 <@plaisthos> mipo01: lsof perhaps
09:44 <@plaisthos> otherwise on bsd you get an opened by pid xxx
09:45 <@plaisthos> or
09:45 <@plaisthos> !dev
09:45 <@vpnHelper> "dev" is https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list
09:45 <@plaisthos> hm no
09:45 < AikiLinux> Hello
09:45 <@plaisthos> something like dev tun-udp
09:45 <@plaisthos> and dev tun-tcp
09:45 <@plaisthos> to name the tun devices according to your config
09:46 <@plaisthos> mipo01: or just compare ips of tun and config ;)
09:46 < AikiLinux> I am encountering an issue when both myself and my co-worker are in the same house and trying to connect to the office vpn , one succeeds  and the other fails
09:46 < AikiLinux> is this cause we both sent the request from the same outbound IP ?
09:47 < AikiLinux> is there something that can be done on the server to allow use both to work ?
09:52 < ordex> AikiLinux: the IP should not be a problem afaik. Are you trying to use the same client certificate ?
09:57 < mipo01> Thanks guys a lot!!! I'll take a look at those options :)
09:59 < AikiLinux> ordex, no, each user has it's own certificate assigned to him
10:00 < ordex> AikiLinux: then i'd suggest to have a look at the log and possibly paste them somewhere - it would be easier :)
10:03 < AikiLinux> ordex, the log only shows successful connections
10:04 < ordex> then if you see nothing about the second connection (and with nothing I mean *nothing*), maybe it's some firewall thing ? just guessing here
10:08 < AikiLinux> I am about to increase verbosity ( was on 3) and restart, then might see more tomorrow
12:34 < gmc> !configs
12:34 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
12:35 < gmc> !paste
12:35 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
12:35 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
12:55 < Ab3L> hello, i have an issue with my vpn home server.
12:56 < Ab3L> i set it up with openvpn according to the section "Using routing and OpenVPN not running on the default gateway" of https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
12:56 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
12:57 < Ab3L> my android smartphone is a client of that vpn
12:58 < Ab3L> and everything works fine (access to the other clients in the main lan, internet access, .... and so on)
13:03 < Ab3L> the problem is the sound. it seems that no sound can pass though the vpn (or it is blocked somewhere)
13:03 < Ab3L> for example, i can see videos, but i have no sound
13:11 < Ab3L> same problem with VoIP
13:11 < Ab3L> any idea about how to fix it?
13:12 < Ab3L> do you need more details? which ones?
13:23 < DanQuinney> Hi all, I could really do with a little help if possible?
13:23 < DanQuinney> I have a number of SIP phones that have a built-in OpenVPN client, all clients are connecting, however, a number of them after 2 minutes get an inactivity timeout.
13:23 < DanQuinney> my server config is http://paste.codebasehq.com/pastes/epnkt7eqsfj3zi16hn
13:23 < DanQuinney> and if I remove the pushed routes then everything is fine and the clients remain connected
13:38 < charnel> Hi I setup an openvpn as from aws marketplace. Everything works fine but no internet connection when I login to the vpn ? Everything is in defaults and I am out of ideas.
13:38 < charnel> Can anyone help ?
13:40 < kitsune1> DanQuinney: Your vpn server is at 185.110.248.19 but you push "route 185.110.248.0 255.255.255.192" which tries to send all traffic to the server through the route causing a routing loop.
13:40 <@dazo> charnel: you might get openvpn AS help here ... but there's a higher chance you'll get more quickly help if you go to the more official support channels .... if I'm not mistaken, you are eligible to official customer support (right, danhunsaker?)
13:40 < DanQuinney> Yeah, I've just come to the same conclusion, it's just odd how some phones are fine, and others aren't
13:41 < DanQuinney> I'm going to just push specific IP's for now
13:41 < charnel> dazo thanks
13:42 <@dazo> DanQuinney: those phones most likely does not have a public IP address within the 185.110.248.0/26 IP range
13:42 <@dazo> (those phones which work)
13:42 < kitsune1> DanQuinney: Just set up a route to the server through the net gateway. With he config you posted nothing should work unless such a route is present.
13:43 < DanQuinney> none of the phones are within our network, so wouldn't have a public ip within 185.110.248.0/26
13:43 < kitsune1> No, 185.110.248.19 is the server, so if you direct traffic to a subnet including that through teh tunnel nothing will work. Well, unless some iptables packet marking hackery is in place..
13:44 <@dazo> oh, right
13:44 < DanQuinney> does push "route 185.110.248.19 255.255.255.255 net_gateway" not do what I thought it did?
13:45 < kitsune1> Yest it would
13:46 < DanQuinney> I'm being a bit stupid now, so why doesn't it work?
13:46 < kitsune1> What doesn't work?
13:47 < DanQuinney> the config I posted, it works for some devices, but not others
13:48 < kitsune1> It shouldn't work for any device unless that device has a specific route to the server setup. By work you mean it appears not to timeout? Or works as in sends traffic through the vpn?
13:49 < DanQuinney> It sends traffic through the VPN
13:49 < DanQuinney> the only routes the devices have are those that are pushed to it via the server on connection
13:49 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 252 seconds]
13:49 < kitsune1> Or the device may be rejecting the route (say using --pull-filter in config) -- post a client config and client routing table that works
13:50 < DanQuinney> I guess that it's possible the device is rejecting the route (I have no other proof either way) - but it would explain why some work and others not
13:50 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
13:50 -!- mode/#openvpn [+o syzzer] by ChanServ
13:52 < kitsune1> As for why it doesn't work: you send a packet to xxx through vpn, vpn encrypts it, packs it as udp packet with 185.110.248.19 as the address and sends it out. The routing table decided that packet has to go throughthe vpn and send it to the VPN and the process repeats. In 2.4 there is a feature to detect this and reject the packet. Older versions will just eat up CPU with a never ending routing loop.
13:54 < kitsune1> DanQuinney: look at the routing table of a client that works -- that may give you a clue as why it works
14:02 < kitsune1> DanQuinney: Aha, Now I see your config does have push "route 185.110.248.19 255.255.255.255 net_gateway" -- that last line was hidden in my lynx window.. Then something else is going on..
14:04 < DanQuinney> ha, that's ok :)
14:09 < DanQuinney> It gets odder, pushing specific routes now; http://paste.codebasehq.com/pastes/jtqehxu6gf64t3gg7f
14:38 < kitsune1> DanQuinney: hmm.. one speciifc route to the vpn server through net_gateway should have worked.. Is that client log for openvpn 2.4?
14:40 < DanQuinney> it has worked in the end, I forgot a silly firewall, the clients are running OpenVPN v2.1.3
14:40 < DanQuinney> I've just pushed individual routes
14:40 < kitsune1> DanQuinney: looks like remote is specified as a hostname not IP (sip.dial9.co.uk). Are you sure it always resolves to the same IP so as to be sure that you are not routing to it through the VPN?
14:41 < kitsune1> holy macro... 2.1.3? That's pretty ancient
14:41 < DanQuinney> Yeah, built into an old Yealink phone, nothing I can do to change that.
14:42 < kitsune1> As they say if its not working it has to be the firewall...
14:42 < DanQuinney> it was only a firewall issue after I removed the gateway and full routing
14:43 < DanQuinney> before that it was ping timeouting :)
14:46 < kitsune1> Still not clear to me -- why firewall kicks in after the connection is completed..
14:48 < DanQuinney> it was trying to connect to a remote host via the VPN, so the firewall was already open for the VPN connections, but it would have failed after it had connected
14:53 < wknapik> hi
14:55 < wknapik> i switched from a dynamic tun device to a static one (also running as an unprivileged user, using sudo for iproute and up/down) and now when i killall -USR1 openvpn and get a new local IP pushed by the server, the IP of the static tun device doesn't get changed. i have persist-tun in my config. is that expected behavior ? what should i do to change it ?
14:56 < wknapik> i couldn't figure this out based on the man page. is persist-tun to blame, or is it something else entirely ?
14:56 <@ecrist> that's expected
14:56 < wknapik> ecrist oh ?
14:56 <@ecrist> your unprivileged user doesn't have permission to change the IP
14:56 < wknapik> ecrist i set `iproute my_sudo_script'
14:56 < wknapik> ecrist isn't that enough ?
14:57 <@ecrist> well, is it working?
14:57 < wknapik> ecrist it is on the first start
14:57 < wknapik> ecrist sets the device address and the routes
14:58 <@ecrist> so, in that case, you need to increase the logging you're doing and see what the errors are.
14:58 < wknapik> ecrist i didn't see any errors. can some be hidden at a lower logging level ?
14:59 < wknapik> ecrist i'll try it with more verbose logging. is persist-tun worth investigating as a possible cause ?
15:04 < Ab3L> bye
15:13 < wknapik> ecrist yep. it's persist-tun. when it's enabled, no attempt is made to change the ip (despite OPTIONS IMPORT: --ifconfig/up options modified in the log). with persist-tun removed, everything works as expected. i'm using 2.4.0.
15:14 < wknapik> ecrist if that's by design - fine. otherwise could be a bug.
15:26 < kitsune1> wknapik: persist-tun means tun will not be normally reopened on SIGUSR1. But if IP changed tun should get closed and reopened. But 2.4.0 has bug that breaks this. Fix will be in 2.4.1 (see https://community.openvpn.net/openvpn/ticket/812)
15:26 <@vpnHelper> Title: #812 (SIGUSR1 restart does not re-open tun even if the pushed ip address changes) – OpenVPN Community (at community.openvpn.net)
15:31 < wknapik> ecrist the behavior is the same when i run everything as root, with the vanilla config from my provider - the address is not modified for a static tun device in the presence of persist-tun, even when the server pushes a new ip
15:31 < kitsune1> wknapik: 16:16 < kitsune1> wknapik: But 2.4.0 has bug that breaks this. Fix will be in 2.4.1 (see  https://community.openvpn.net/openvpn/ticket/812)
15:31 <@vpnHelper> Title: #812 (SIGUSR1 restart does not re-open tun even if the pushed ip address changes) – OpenVPN Community (at community.openvpn.net)
15:31 < wknapik> kitsune1 ahh
15:32 < wknapik> kitsune1 thanks ;]
15:32 < kitsune1> wknapik: :)
16:40 < plum> hi, i'm having some trouble using my router's openvpn config with my android phone. other clients connect fine, but this one keeps showing an error: "PolarSSL: ca certificate is undefinded"
16:41 < plum> the router outputs a client.ovpn that has <secret>blablabla</secret>, which i've read is in the tls-auth format. but if i change it to be <tls-auth>blablabla</tls-auth>, i get the same error because it seems to expect a ca.crt which was not provided to me
16:42 < plum> i found this page linked in the forums: https://community.openvpn.net/openvpn/wiki/IOSinline    which supports changing the inline tags from secret to tls-auth, but i still have the same error running this from android
16:42 <@vpnHelper> Title: IOSinline – OpenVPN Community (at community.openvpn.net)
16:45 <@danhunsaker> dazo: That's right.  The AWS licenses still go through us.
16:51 < DArqueBishop> plum: for <tls-auth></tls-auth>, you need an additional line: "key-direction 1".
16:52 < plum> DArqueBishop: thank you, i'll try that :) should it be before or after the inline tls-auth?
16:53 < DArqueBishop> It shouldn't matter, but I put it immediately before in my configs just to keep things organized.
16:54 < plum> dang... tried it and still says PolarSSL error ca cert is undefined :(
16:55 < DArqueBishop> Well, it does also need the cert file from the signing authority (aka, <ca></ca>).
16:55 < DArqueBishop> !configs
16:55 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
16:56 < plum> my router doesn't seem to have an option to output the ca, it's set to use usernames
16:56 < plum> i'll check around though
16:57 < plum> cause this works to connect from Tunnelblick on Mac
17:18 < plum> i found more options i think!
17:18 < plum> going to look further into it now that i have these. thank you DArqueBishop
--- Day changed Wed Jan 18 2017
05:40 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 256 seconds]
05:45 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
05:45 -!- mode/#openvpn [+o syzzer] by ChanServ
08:56 < xybol> When creating key pairs.  I am using XCA and the walkthrough I have seen says to make all the Common name the same (eg xyz.com)    If I have 5 keys, i have the common name all the same.                     Or is it better to have the common name be client1 client2 etc....
08:56 <@ecrist> the common name should be different for each client
08:57 <@ecrist> whoever told you to make them the same should be punched
09:05 < xybol> ecrist: Heh.  It was a walk through for xca    I didn't think that sounded right
09:07 < xybol> ecrist: you familiar with XCA program for key management?
09:07 < xybol> more specificaly the key usage part?
--- Log closed Wed Jan 18 09:28:27 2017
--- Log opened Wed Jan 18 09:28:35 2017
09:28 -!- Irssi: #openvpn: Total of 252 nicks [8 ops, 0 halfops, 2 voices, 242 normal]
09:28 -!- mode/#openvpn [+o ecrist_] by ChanServ
09:29 -!- Netsplit *.net <-> *.split quits: @krzee
09:29 -!- Irssi: Join to #openvpn was synced in 43 secs
09:40 <@dazo> xybol: which xca walkthrough are you talking about?
09:48 < xybol> dazo: https://www.cult-of-tech.net/2016/05/setting-up-openvpn-certificates/
09:48 <@vpnHelper> Title: Setting up OpenVPN with Certificates - Cult of Tech.net (at www.cult-of-tech.net)
09:55 < xybol> dazo: unless you have a better one to follow
10:26 <@dazo> !blogs
10:26 <@dazo> !blog
10:26 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
10:26 <@dazo> ^^ xybol .... as a general note
10:27 < xybol> Yeah.   I was desperate.   Read a ton and can't get it to work
10:27 < xybol> !howto
10:27 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
10:28 <@dazo> xybol: http://community.openvpn.net/openvpn/wiki/XCA#no1 ... the openvpn-template.xdb should contain fairly correct templates for OpenVPN profiles
10:28 <@vpnHelper> Title: XCA – OpenVPN Community (at community.openvpn.net)
10:29 < xybol> dazo: thx
10:33 <@dazo> that said, I've quickly read through most of that post ... and that should be fairly correct
10:34 <@dazo> (there are a few nitpicks, and I've spotted at least one non-critical typo ... but should generally work just fine)
10:35 <@dazo> but this one is unforgivable ....
10:35 <@dazo> server              196.168.254.0 255.255.255.0     # Must not conflict with your LAN IPs
10:36 <@dazo> !1918
10:36 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#3) See !5737 for addresses to use for examples and documentation, or (#4) See !conflict for common conflicting address spaces.
10:36 <@dazo> (might be another typo ... where 198 should be 192)
10:40 < xybol> yeah.    I belive my keys are right.  Just having all sorts of tls connection issues.  I have to go work on a client ticket and will be back a little later to work on this more
10:48 <@dazo> !all
10:48 <@vpnHelper> "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
10:48 <@dazo> xybol: ^^^
12:07 < sirscrubsalot> !welcome
12:07 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
12:07 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
12:07 <@vpnHelper> you
12:14 < sirscrubsalot> !goal is Installer (NDIS 5)/tap-windows-9.9.2_3.exe still ok for Windows 7 64 bit? I have this version currently running with my VPN service client (from the openvpn downloads page, Installer (NDIS 6)/tap-windows-9.21.2.exe was mentioned for Windows Vista+ // Also, if we run the installer with all options checked, there is no need to addtap.bat (e.g. from C:\Program Files\TAP-WINdows\bin)? I noticed when I did that from other
12:14 < sirscrubsalot> instructions, that it duplicates TAP adapters in both my device manager and viewed network adapters
12:43 -!- Gaffel_ is now known as Gaffel
12:57 -!- Vampire0_ is now known as Vampire0
13:06 < sirscrubsalot> apologies for the extended question... will check out v2.4.0 out with my vpn provider and report back if running into any issues. thanks for the community support and have a good day/evening!
13:06 < plum> hi, i keep getting an error on my openvpn server when trying to connect...
13:06 < plum> TLS Error: Auth Username/Password was not provided by peer
13:07 < plum> i've provided it in my client config though
13:08 < plum> my server is on an ASUS router, it seems to want me to authenticate with username/password even though i have keys and would opt for those
13:33 < plum> hmmm... my router is using openvpn v2.3.2 with tls 1.0
13:33 < plum> has this been disallowed in new versions?
13:52 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
13:52 -!- mode/#openvpn [+o krzee] by ChanServ
14:35 < kaen> Can anyone point me to the source code for the Mac OpenVPN connect client? I couldn't find it on github (openvpn-gui seems windows only but could be wrong)
14:36 < kaen> more directly, I'm trying to figure out why it puts my custom DNS settings in resolver #2 according to `scutil --dns`
14:37 < BtbN> Isn't that a proprietary Access Server thing?
14:37 < kaen> seems like this resolver is overridden by the DNS for my local network, despite the resolver itself looking exactly correct
14:37 < kaen> hmm I see
14:37 < Eugene> !as
14:37 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
14:38 < Eugene> !osx
14:38 <@vpnHelper> "osx" is (#1) Tunnelblick includes everything you need to run OpenVPN on OS X. https://code.google.com/p/tunnelblick/, or (#2) Viscosity is another OpenVPN client for OS X, but it is commercial. http://www.thesparklabs.com/viscosity/
14:38 < kaen> oh, so the client from the howto/splash page is a noob trap?
14:39 < kaen> tunnelblick actually does work out of the box but wanted to stay on whatever was the common usage pattern
15:39 < pdobrogost> Hi all!
15:41 < pdobrogost> I'm trying to use https://github.com/jonathanio/update-systemd-resolved as up/down script. It looks like something is not right but logs are not very helpful as one entry is
15:41 < pdobrogost> /etc/openvpn/update-systemd-resolved.sh ovpn-sfx 1500 1558 10.92.32.186 255.255.252.0 init
15:41 < pdobrogost> and the next one is
15:41 < pdobrogost> openvpn@sfx.service: Main process exited, code=exited, status=1/FAILURE
15:41 <@vpnHelper> Title: GitHub - jonathanio/update-systemd-resolved: Helper script for OpenVPN to directly update the DNS settings of a link through systemd-resolved via DBus. (at github.com)
15:42 < pdobrogost> How can I debug what's wrong with up/down script?
20:51 -!- Netsplit *.net <-> *.split quits: @vpnHelper
20:51 -!- SupaYoshi_ is now known as SupaYoshi
20:52 -!- pdobrogost_ is now known as pdobrogost
21:07 -!- Tenhi_ is now known as Tenhi
21:12 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
21:12 -!- mode/#openvpn [+o vpnHelper] by ChanServ
21:14 < somaReverse> hi
21:15 < somaReverse> recently openvpn updates have removed all the systemd units in Archlinux. What goes wrong?
21:18 -!- VA6DAH|ALT is now known as VA6DAH
22:33 < Eugene> somaReverse - that's a question for Arch packagers, sorry
--- Day changed Thu Jan 19 2017
01:34 < pdobrogost> Hi all!
01:37 < pdobrogost> I'm trying to use https://github.com/jonathanio/update-systemd-resolved as up/down script. It looks like something is not right but logs are not very helpful as one entry is NJ/etc/openvpn/update-systemd-resolved.sh ovpn-sfx 1500 1558 10.92.32.186 255.255.252.0 init
01:37 <@vpnHelper> Title: GitHub - jonathanio/update-systemd-resolved: Helper script for OpenVPN to directly update the DNS settings of a link through systemd-resolved via DBus. (at github.com)
01:38 < pdobrogost> ... and the next one is
01:53 < pdobrogost> openvpn@sfx.service: Main process exited, code=exited, status=1/FAILURE
01:54 < pdobrogost> How can I debug what's wrong with up/down script?
02:07 -!- Vampire0_ is now known as Vampire0
03:51 < xpt> Hello, is there any problem with installation of VPN server on machine where is VPN client installed (I need to provide secure access to one of my servers for a person which changes IP a lot, but I am forbidden by company policy to give him access to existing VPN server).
04:01 <@plaisthos> that sounds like breaking company policy
04:01 <@plaisthos> I would get an okay for that for doing something like that
04:16 < xpt> Well, it's special case and I'll get permission from man in charge for that. But I just want to be sure that it's doable before I propose such solution :)
04:18 <@plaisthos> but yes vpn server+client on the same machine works
04:18 <@plaisthos> it is more complex routing so you might run into more problems but otherwise no problem
04:22 < xpt> OK, thank you.
06:53 -!- haasn` is now known as haasn
07:15 -!- You're now known as ecrist
07:36 < OlofL> https://delphinus.qns.net/xwiki/bin/view/Blog/Mikrotik+OpenVPN+in+90+seconds followed this blog and guide, using ovpn community client, imported config, but error message doesnt say much  Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: msg-channel (2.3.14) Use --help for more information.. windows 10
07:36 <@vpnHelper> Title: Mikrotik OpenVPN in 90 seconds (Blog.Mikrotik OpenVPN in 90 seconds) - XWiki (at delphinus.qns.net)
07:37 < OlofL> gui says error "connecting to management interface failed"
07:37 < OlofL> If it does matter, I have the ovpn AS client installed aswell
07:57 <@plaisthos> OlofL: I have never seen the option msg-channel
08:02 < bastinenz> !welcome
08:02 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
08:02 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
08:04 < bastinenz> !tap
08:04 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the
08:04 <@vpnHelper> protocol uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
08:05 < bastinenz> !route
08:05 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
08:34 <@dazo> !blog
08:34 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
08:34 <@dazo> OlofL: ^^^
08:36 < DArqueBishop> OlofL:
08:36 < DArqueBishop> !as
08:36 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
08:37 < DArqueBishop> Oh.
08:37 < DArqueBishop> You'd think I'd read more.
08:37  * DArqueBishop shrugs.
08:49 < pdobrogost> !serverlan
08:49 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
09:58 < Alexander-47u> hello
09:58 < Alexander-47u> is there any way to edit the openvpn access server's client page?
10:00 < Alexander-47u> besides the logo
10:02 < DArqueBishop> Alexander-47u:
10:02 < DArqueBishop> !as
10:02 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
11:07 < star314> Anyone here who runs either Ubuntu 16.04 or Linux Mint 18.1?
11:09 < star314> In Linux Mint 17.3 is was possible to start a connection to a server by issuing /etc/init.d/openvpn start <name>. Isn't this supposed to work anymore in 18.1?
11:30 < xybol> !configs
11:30 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
11:31 < xybol> dazo: You assited a little yesterday.  I am free again.   I had openvpn working. when 2.4 came out stopped working.  I have started over.  Used XCA and your template.    Here are my configs.   I can't get anything to work.   please review and let me know what might work
11:31 < xybol> http://pastebin.com/266LUKCm
12:22 < kitsune1> xybol: configs looks ok except two minor things: client has tls-auth 1 which makes no sense but possibly overridden by anothe tls-auth line later. server has auth-cache which< i think, makes sense only on client. server has ccd-exclusive : make sure there is a ccd file for the client
12:56 < xybol> kitsune1: thanks.  I have made so many changes looking at the openvpn site.  No clue what is right anymore :(
12:56 < xybol> Not sure what teh ccd thing does.  Or what file I need on client
13:01 < Gaffel> xybol, the ccd is to keep track of settings for individual clients.
13:01 < Gaffel> xybol, the client needs server cert, CA cert, client cert, client key and TA key if used.
13:02 < Gaffel> No, sorry, not server cert.
13:02 < Gaffel> Client: CA cert, client cert, client key, TA key (if used)
13:02 < Gaffel> Server needs: CA cert, server cert, server key, TA key (if used)
13:03 < Gaffel> They also need matching configuration files.
13:05 < Gaffel> The client needs to know where to connect, the certs, key, TA key (with opposite direction of what the server has), compression or not, cipher, TLS settings
13:05 < Gaffel> The server needs the same but for its own certs as well as settings that the server should push such as route and gateway settings.
13:05 < Gaffel> Both also need to know the port number, protocol and type (TUN/TAP).
13:20 < kitsune1> xybol: nothing on client, the server needs a ccd file for each client. Anyway care to post logs?
13:23 < Gaffel> Aye, ccd stuff is only on server and it's not needed, just a feature for those who need more configurability.
13:36 < kitsune1> xybol's server has ccd-exclusie so it is necessary in this case, not optional
13:37 <@dazo> xybol: remove --auth, --tls-cipher, --tls-auth, --comp-lzo, --nice, --ping-timer-rem, --txqueuelen, --key-direction, --ccd-exclusive and --client-config-dir ... and to try to get things working with as few options as possible ... and then start adding those truly needed one-by-one
13:37 <@dazo> xybol: and ...
13:37 <@dazo> !logs
13:37 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
13:38 < xybol> Im back sorry.  Client got in the way
13:39 < xybol> dazo: remove those on both configs I guess
13:40 <@dazo> yes ... openvpn is really picky that many of these options match up, otherwise you won't get a proper connection
13:46 < s1kx> so i've been using the updown.sh script from perfect-privacy (slightly modified to work on archlinux) for multi-hop vpn, but it seems that with upgrading from 2.3 to 2.4 i can't get it to work properly anymore after disconnects. the routes seem correct when i check via `ip route get ...` for the respective servers, but openvpn seems unable to establish a UDP connection on the second hop once the first connection has been restarted.... not
13:46 < s1kx> quite sure how to debug the issue further
13:46 < s1kx> would you recommend using vpnchains instead?
13:48 <@dazo> s1kx: without any logs ... it is truly hard to say .... perfect-privacy is not something we support here anyhow, so perhaps it would be reasonable to get the support from them?
13:49 <@dazo> here we primarily support users managing their own server and client configs and have full access to their own network infrastructure
13:51 < s1kx> dazo, well i'm not using perfect-privacy, it's just where i got the script from, i can paste the script, configs and logs but i don't want to put that burden on anyone here to help. i'm sure i can figure this out myself, just wanted to see if there are proper solutions nowadays for chaining openvpn connections
13:51 < s1kx> i think that's outside the scope of this channel though so i'll be on my way
13:52 < s1kx> thank you though
14:24 <@dazo> s1kx: ewll, logs + configs + script is crucial for providing any type of help here ... otherwise it'll just be clueless guessing
16:44 -!- Ekho- is now known as Ekho
18:07 < s1kx> dazo, if i use --route-nopull, then the tun device's IP should still be updated on restarts (with the IP from the options pushed by the server), correct?
18:09 <@dazo> s1kx: yes, --route-nopull will just not apply any routes pushed by the server
18:09 < s1kx> because that is what seems to be the issue i'm encountering, i use --persist-tun and --route-nopull (and then --up/--down scripts), but after e.g. doing kill -SIGUSR1 <pid>, it will reconnect but the device IP remains the same
18:09 < s1kx> okay
18:09 < s1kx> i'll post config/logs in a second
18:12 <@dazo> The --persist-tun might be troublesome if you use --user/--group though .... if OpenVPN have dropped root privileges, it might not be allowed to change the IP (and most definitely not routing)
18:15  * dazo need to call it a day ... 01:05 at his location
18:25 < s1kx> dazo, ok have a good one, thanks for the help
18:26 < s1kx> maybe someone else can help: https://gist.github.com/anonymous/1c703fc2c30cb42b3fca2ccb5fed3455
18:26 <@vpnHelper> Title: OpenVPN does not update tunnel ifconfig on restart · GitHub (at gist.github.com)
18:27 < s1kx> that's on archlinux with systemd-network, openvpn running as root, no --route-nopull even or other shenanigans
18:28 < s1kx> tun0 should be updated with the new IP from the option pushed by the server (ifconfig 10.36.16.19 255.255.252.0)
19:11 < s1kx> so i just downgraded from openvpn 2.4.0 to 2.3.13 and the issue disappeared. i don't know if this bug applies generally to openvpn or if it is archlinux-specific. can someone try to recreate the issue with 2.4: use --persist-tun, then send SIGUSR1 signal to the openvpn process and see if the tun device IP gets updated?
19:52 < s1kx> okay the bug has already been filed @ https://community.openvpn.net/openvpn/ticket/812
19:52 <@vpnHelper> Title: #812 (SIGUSR1 restart does not re-open tun even if the pushed ip address changes) – OpenVPN Community (at community.openvpn.net)
--- Day changed Fri Jan 20 2017
01:54 < MarcoNL> Hello and good morning. Can anyone tell me if there is a way I can check if two way communication is possible? I need to prove to a sysadmin that the firewall configuration is not complete. I had a system in my network and it could set up a vpn connection to our server. Now since it's moved to their network it cannot be set up again. From the system I can telnet to our vpn server, but it looks like the communication from the server b
01:54 < MarcoNL> Can anyone point me out how I can prove this?
01:55 < MarcoNL> !welcome
01:55 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
01:55 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
02:01 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Disconnected.]
02:02 < ordex> MarcoNL: was there more text after "...but it looks like the communication from the server b" ?
02:02 < ordex> or is that the end of your message ?
02:07 < MarcoNL> back to the client is not working.
02:07 < MarcoNL>  :)
02:08 < MarcoNL> that's the part that was missing
02:10 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
02:10 -!- mode/#openvpn [+v s7r] by ChanServ
02:11 < ordex> MarcoNL: personally, regardeless of openvpn, I'd just check this by running tcpdump on the two interfaces of the firewall: the lan and the wan (whatever they actually are) and filter the traffic going to the client
02:11 < ordex> if you are right, you should see the outgoing traffic only on the LAN side
02:11 < ordex> (assuming you can do this)
02:11 < MarcoNL> yes that's what I did
02:11 < MarcoNL> but I can't do it by some sort of test like I did from the client with telnet or so?
02:12 < ordex> well, if you run something on the client, how do you know if it's the outgoing traffic being blocked or the traffic coming back ?
02:13 < ordex> you only see no reply, but you don't know what is being dropped
02:13 < ordex> no?
02:13 < MarcoNL> yup
02:14 < ordex> seems like a real world case of the 'two generals problem'  :p
02:15 < MarcoNL> the what?
02:15 < ordex> https://en.wikipedia.org/wiki/Two_Generals%27_Problem << but nothing interesting to helpsolving your issue
02:15 <@vpnHelper> Title: Two Generals' Problem - Wikipedia (at en.wikipedia.org)
02:41 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 240 seconds]
02:44 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
02:44 -!- mode/#openvpn [+o plaisthos] by ChanServ
03:02 < MarcoNL> ordex: Thanks!! I've send my findings to the sysadmin, so no I'll just have to wait.
03:02 < ordex> this was fast
03:27 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
03:45 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
03:45 -!- mode/#openvpn [+v s7r] by ChanServ
06:01 < aldur> !welcome
06:01 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
06:01 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
06:02 < aldur> !goal
06:02 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:04 < aldur> Hi guys, I have a question: once I connect to a OpenVPN server, is there any way I can ping the other peers?
06:34 -!- aldur is now known as aldur[away]
06:51 -!- aldur[away] is now known as aldur
07:07 < lauri> Hi, is there a MSI available for OpenVPN client? I'd like to install OpenVPN using Group Policy from AD. Is it possible?
07:10 < BtbN> None that I'm aware of.
08:43 < jpwhiting> hi all, I have built an openvpn installer with openvpn-build (cross compiling for windows on linux) which works fine, but
08:43 < jpwhiting> the installer seems to be 32 bit, while the openvpn it installs is the 64 bit one
08:43 < jpwhiting> when I do ./build-complete I notice it's building both 32 bit and 64 bit versions of openvpn
08:43 < jpwhiting> does the installer it creates contain both versions?
08:56 < jpwhiting> ah, no it seems to be putting the 64 bit version of openvpn because x64.nsh detects that my linux host is 64 bit? :/
08:56  * jpwhiting fixes that
08:58 -!- Pol is now known as MacGyver
09:12 -!- aldur_ is now known as aldur[away]
09:15 -!- aldur[away] is now known as aldur_
09:29 < jpwhiting> hmm, does this mean I need to build the windows installer on 32 bit linux to get a 32 bit windows openvpn.exe in it?
09:29 < jpwhiting> commenting out just x64.nsh makes the ${If} ${RunningX64} lines fail :/
09:53 < mooghog> For VPN authentication, my client has a ca.crt, private.crt, private.key and a ta.key. I want to test a tls handshake with the OpenVPN server, so I use the `openssl s_client'.
09:53 < mooghog> However, I cannot find and option to use the ta.key in the s_client synopsis.
09:53 < mooghog> Do y'all know what it is?
09:54 <@plaisthos> you cannot use s_client to connect with openvpn
09:55 <@plaisthos> openvpn has a protocl *based* on tls but not compatible
09:57 < mooghog> Oh. Thanks though.
10:38 <@dazo> mooghog: you can test the authentication stuff by preparing a different set of CA files (including client.crt/key) ... and then use openvpn to connect to your server ... that should not work at all
10:38 <@dazo> the client should connect, and be rejected
11:43 < ender|> is it possible to exclude a single route push for one specific client?
11:45 < ender|> (i've got multiple sites connected through a single hub, but i'd like to connect two sites directly in addition to being connected through the hub)
12:06 < kitsune1> ender|: yes, use a ccd file, add client specific push there and if needed use push-remove to remove any
12:11 < ender|> push-remove sounds exactly what i'd need - too bad it seems to be limited to 2.4; guess i'll just do route-nopull and add the routes manually on the client config (it's temporary anyway)
12:13 < kitsune1> push-reset and then rebuild all push options would work on 2.3
12:28 <@dazo> ender|: if using OpenVPN 2.4 ... there is a new --pull-filter option, which I believe can be used to filter out quite specific options
12:28 <@dazo> kitsune1: ^^
12:30 <@dazo> --pull-filter is a client side option, and --push-remove is the server side equivalent .... so both are v2.4
12:40 < ender|> dazo: unfortunately i'm still on 2.3 (pfSense), so i just used route-nopull (one of the sites is being decmmissioned, and it'll be faster to migrate the data directly than through the hub)
13:55 < s1kx> is the behavior intentional that on current git head, --up/--down scripts do receive env vars such as `route_vpn_gateway` with --up-restart (on restarts)?
15:02 < jpwhiting> is the ${RunningX64} bit of openvpn-build nsi script checking if the machine is 64 bit when running the installer? or when building the installer?
15:03 < jpwhiting> googling makes me think the former
15:03 < jpwhiting> yet a user on a 32 bit system says it installed a 64 bit version of openvpn somehow
15:03 < jpwhiting> is there a way to see what file got installed (or what files are in the .exe installer at all maybe?)
15:11 < jpwhiting> looking at the installer with 7zip it has two openvpn.exe files, ok
15:11 < jpwhiting> seems to be switching between them at runtime
16:01 < wknapik> hi
18:32 -!- fengshaun_ is now known as fengshaun
20:19 < notmike> I'm having some difficulty connecting my client to my openvpn server. I am receiving message 2017-01-20 21:06:38 TCP: connect to [AF_INET]###.###.###.###:443 failed, will try again in 5 seconds: Connection refused
20:20 < notmike> I'm a little out of my depth at this point. :/
--- Day changed Sat Jan 21 2017
01:24 < vect0rx> yoh yoh.. got some nasty sub 3mbit dowstraigh ob business, cop is per-associated device.
01:25 < vect0rx> thinking about doing a custom VPS openvpn server with bonding or total abaolable
01:25 < vect0rx> and I was hoping to find anyone who has
01:26 < vect0rx> cop=cap* downstream*... "on* business.. cant even blame thgat on being tired heh
01:27 < vect0rx> (thinkinb witj 2+ devices that are mwan3-friendly)
01:29 < vect0rx> directionlys seem frarly cut and drug, esp if access to debug and tweak the server-end of the VPN.
01:30 < vect0rx> mostly looking for little known tips or shit to watcj out for
09:14 -!- soyunaqk is now known as qk
09:36 < kiraro> !welcome
09:36 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
09:36 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
09:37 < kiraro> !goal Setting up VPN on Ubuntu
09:38 < kiraro> Hey guys.. sorry I'm relatively new to VPN setup. I've been trying to find guides online but nothing seems to be working.
10:05 < kitsune1> kiraro: post your client and servcer configs and logs
10:07 < kiraro> Well, I would if I knew how, or if I likely had those.
10:08 < kiraro> I'm trying to start again from scratch. I can't even click "Add VPN connection" because it's greyed out for some reason.
10:09 < kitsune1> kiraro: So the question is about networkmanager on Ubuntu? Sorry I've no idea of that..
10:10 < kiraro> kitsune1: I guess so. I just want to set up a VPN so I have something secure in different wifi areas.
10:11 < kitsune1> You need a VPN provider for that or your own server on the internet
10:13 < kitsune1> For example, you could connect through your home internet while in a cafe using a vpn server at home and client on your laptop, say. Is that the plan?
10:13 < kiraro> Well, I have an account with PureVPN. And I've seen they use OpenVPN to set up the connection; at least on Ubuntu. I've tried setting up PPTP or SSTP.
10:13 < kiraro> And no, my plan is just to have a VPN while at "open" WiFi spots.
10:13 < kitsune1> Then the best option would be to contact PureVPN for help.
10:14 < kiraro> I tried that.. they weren't exactly forthcoming in any decent guides.
10:14 < kiraro> I tried their silly SSTP guide or PPTP guide; each time I came up with.. errors or something else that impeded my ability to connect.
10:14 < kitsune1> Find a better provider -- there are so many who use openvpn tho I havent used any..
10:15 < kiraro> You may be right.
10:17 < kitsune1> You are most likely to get help here if you run the server and client using community openvpn release and have access to both configs and logs.
10:18 < kiraro> I've .. tried to set up the client and server and I received some errors
10:19 < kiraro> I've contacted PureVPN again, let's see if my more direct questions get me any answers. Thanks kitsune1 for the assistance.
10:19 < kitsune1> Good, !paste those configs and logs and likely someone here would be able to help
10:19 < kitsune1> :)
10:21 < kiraro> I'll keep working to get it figured out. Thanks.
11:13 < wknapik> hi guys. i wrote a script to automate these steps https://community.openvpn.net/openvpn/wiki/UnprivilegedUser (and a few others) - https://github.com/wknapik/openvpn-unroot - would love to get some feedback on it.
11:14 <@vpnHelper> Title: UnprivilegedUser – OpenVPN Community (at community.openvpn.net)
11:18 < BtbN> There steps seem kinda outdated.
11:19 < BtbN> init scripts are disappearing, and the wrapper isn't needed anymore, the openvpn user just needs  CAP_NET_ADMIN.
11:23 < wknapik> BtbN the script is updated in the sense, that it doesn't work with init scripts, but systemd configs instead
11:24 < wknapik> BtbN but the more important part of the whole thing is just to run the openvpn binary as non-root. the init stuff is just a bonus.
11:25 < BtbN> so far I never felt the need for a magic script for that.
11:25 < wknapik> BtbN sure, you can do it manually. the script only automates the manual steps.
11:26 < wknapik> BtbN you run it once and you're done.
11:28 < wknapik> BtbN also CAP_NET_ADMIN covers iproute, but not --up/--down scripts.
11:29 < BtbN> hm?
11:31 < wknapik> BtbN the stuff you need to do on up/down may require more privileges
11:31 < BtbN> then find the needed capabilities and add them
11:35 < wknapik> BtbN so capabilities instead of sudoers entries. good point.
11:47 <@dazo> wknapik: if you're on a more recent Linux distro with polkit ... using pkexec might have some security advantages over sudo ... but it is configured very differently
11:49 < wknapik> dazo the capabilities option is probably the best though. and portable.
11:50 < wknapik> dazo instead of sudo/pkexec
11:50 <@dazo> ehm ... well, capabilities isn't that well portable outside of Linux .... FreeBSD and the other BSDs have them, but not necessarily the same set of capabilities
11:50 < wknapik> dazo i meant portable between linux distros, but that's a good point
11:51 < wknapik> dazo well, it's something to look into. thanks for the suggestions.
11:52 <@dazo> I would say that if the openvpn process needs more capabilities to run a script, that is the wrong approach ... which actualy pkexec can help out with ... openvpn can run with very limited power, and pkexec ony grants the needed privileges when a specific user (like, openvpn) runs a specific exec/script
11:52 < wknapik> dazo the openvpn process runs as non-root, no capabilities
11:53 < wknapik> dazo only `ip' and the up/down scripts are currently called with sudo
11:53 < wknapik> dazo and that could be changed to using pkexec, or capabilities instead
11:53 <@dazo> right ... and you can reduce the power even more by using pkexec
11:54 <@dazo> in fact openvpn wouldn't need CAP_NET_ADMIN if it runs ip via pkexec which grants those privileges to that binary when started by openvpn
11:54 < wknapik> dazo i've never used pkexec. i'll have to read more about it.
11:54 <@dazo> which means, if a script or if openvpn itself runs /sbin/ip ... that process can have CAP_NET_ADMIN, while the openvpn process itself does not
11:55 < wknapik> dazo but a wrapper around ip could be given capabilities and be executable only to that one user.
11:55 < wknapik> dazo to the same effect ?
11:55 <@dazo> I'm far from being familiar with all the powers of polkit/PolicyKit ... but the flexibility is quite amazing, what I've discovered so far
11:56 <@dazo> wknapik: right, a wrapper may provide that ... or you use pkexec as that wrapper ... so, re-invent the wheel, or use a standard wheel, kind of ;-)
11:56 <@dazo> wknapik: man polkit is great starting point
11:57 < wknapik> dazo fair point, but how many distros have pkexec vs. bash+capabilities ?
11:57 < wknapik> dazo i'll certainly look into it, thanks
11:58 <@dazo> All distributions shipping GNOME from at last 7-8 years ago should have it .... all systemd based distros have it guaranteed
11:58 <@dazo> I believe also KDE makes use of polkit
11:58 < wknapik> ah
11:58 < wknapik> cool
11:58 < wknapik> bsds ?
11:58 <@dazo> and if you have dbus on the system, you are guaranteed to have it too
11:59 <@dazo> I am not sure about BSDs ... if GNOME is installed, most likely
11:59 <@dazo> BSD with KDE, probably
11:59 < wknapik> mhm
11:59 < wknapik> good stuff. should've come here earlier for suggestions. just followed the wiki...
11:59 <@dazo> !blog
11:59 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
12:00 <@dazo> ;-)
12:00 < wknapik> well, this is not a blog. it's a wiki under openvpn.net ;]
12:00 <@dazo> ahh ;-) ... *that* is an entirely different discussion .... and we probably should update it ;-)
12:01 < wknapik> yeah...
12:01 < wknapik> ;]
12:06 < wknapik> automatically figuring out the capabilities needed by an up/down script might turn out to be a problem...
12:08 <@dazo> yeah, that is indeed very tricky
12:09 < skyroveRR> Hi dazo :0
12:09 < skyroveRR> * :)
12:11 < wknapik> wait. you can't use capabilities with bash scripts. pkexec it is, i guess ;]
12:17 <@dazo> wknapik: you have capsh, to manipulate capabilities, but it's just a shell wrapper, though
12:17 <@dazo> skyroveRR: hey!
--- Day changed Sun Jan 22 2017
05:49 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
05:49 -!- mode/#openvpn [+o novaflash] by ChanServ
06:54 < jiquera> @plaisthos: ey, you showed me a script for long ping-restart time-outs (for phones eg.). However, I'm running into the issue that the key renegotiation fails (phone doesnt answer within a minute), how did you deal with that?
06:55 < jiquera> disable rekeying? setting a long rekey time out?
07:05 < Azrael_-> hi
07:07 < Azrael_-> https://forums.openvpn.net/ <-- there seems to be a slight problem with the forum
07:23 < Azrael_-> when is the file ipp.txt being rewritten? at start? at stop? i connected a new client and it doesn't show up in ipp.txt. can you give me a  hint?
10:54 -!- lorimer is now known as lorimer[ATL]
11:49 < Alpha112_> !goal
11:49 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:50 < Alpha112_> i'm going on travels, and would like to tunnel through my home network... instead of just access my internal network.  Is there a good tutorial on how to do this?
11:56 < Alpha112_> nm. got it working.  "direct clients to redirect internet traffic" turned on, and it works.
12:27 < jiquera> ping
12:27 < Gaffel> pong
12:27 < jiquera> :)
12:27 < Gaffel> :]
12:27 < jiquera> i reconnected to wifi... but somehow stayed connected in this chatroom :D
12:27 < jiquera> @plaisthos: ey, you showed me a script for long ping-restart time-outs (for phones eg.). However, I'm running into the issue that the key renegotiation fails (phone doesnt answer within a minute), how did you deal with that?
13:09 < MarcoP> vpnhelper well you could use a good safe private vpn over openvpn
13:10 < MarcoP> rofl
13:10 < MarcoP> never mind
13:10 < MarcoP> rofl
13:10 < MarcoP> stupid bots
13:10 < MarcoP> who makes this shit
14:26 -!- Vampire0_ is now known as Vampire0
16:34 -!- moviuro_ is now known as moviuro
17:24 < xpt> Hi, I have OpenVPN server in the same LAN network as Server2. I want to connect Client to Server2 via OpenVPN. Server2 does not have vpn client(actually it does but is connected to other VPN). Is it possible to connect from client to Server2 using normal LAN connection from OpenVPN server?
18:53 < brophat> I connect to a vpnbook server but when I go to the what is my IP address website it shows my real ip address
18:53 < brophat> I am using linux mint
18:53 < brophat> anyone else have this problem?
19:26 < brophat> my openvpn seems to connect to server but when I go to the "what is my IP" website it shows my real IP address
19:26 < brophat> is my ISP doing this?
19:28 < Azrael_-> brophat: just connecting to a vpn doesn't mean you're routing everyting through the vpn. in the standard setup you just connect to an additional network.
19:28 < Azrael_-> but i don't know how to configure it to what you want
19:30 < brophat> Azrael_- it used to work until about a month ago
19:31 < brophat> I use the config file and it connects by say sequence complete
19:31 < brophat> you are saying that does not mean it is actually connected? I don't understand, what else do i need to do?
19:32 < Azrael_-> have a look e.g. with "ifconfig" if you have an ip on the vpn-interface
19:32 < Azrael_-> with "route" you see your routing table, that's what is responsible where your data flows through
19:33 < brophat> I am using the linux openvpn program. you are saying that program does not take care of it all?
19:33 < brophat> so then how do i use openvpn? I don't understand. the openvpn program does not give you openvpn?
19:34 < Azrael_-> depending on the configuration of your client and what the server sends you, it will be taken care of. but they only work with your system settings and the commands above show your current settings
19:34 < brophat> what document explains all the details on how to set that up. I have never seen such a document
19:35 < Azrael_-> the openvpn-documentation is a good start, next is basic network understanding
19:36 < brophat> I will check it out. so you don't think it is my ISP messing with it?
19:36 < Azrael_-> i've never done a setup like you want/expect, so i don't know what perfectly to look for
19:36 < Azrael_-> yeah, it probably isn't your isp
19:36 < brophat> what set up? I just want to use openvpn
19:37 < Azrael_-> it's either your system or the config of the vpn-server you're connecting to
19:37 < brophat> it used to work in that the what's my ip website would say the location of the vpn server. then it stopped doing that
19:38 < Azrael_-> sorry, don't have enough knowledge regarding openvpn to really help you
19:39 < brophat> ok thanks. it is really weird but i will figure it out thanks
20:43 -!- Gaffel_ is now known as Gaffel
--- Day changed Mon Jan 23 2017
03:49 < sync0pated> Hello. Could anyone help me with an hardware estimate of a OVPN-AS linux machine capable of running ~25-50 concurrent clients?
05:01 < Henry151> so, I'm trying to follow the directions at https://www.offensive-security.com/kali-linux/kali-rolling-iso-of-doom/
05:01 < Henry151> I have a feeling I'm making a foolish mistake, but when I type cp keys/{server.crt,server.key,dh2048.pem,ca.crt} /etc/openvpn/ I get "cannot stat, no such file or directory"
05:01 < Henry151> If it is relevant, I am trying to do this from a AWS machine
05:01 < Henry151> Also, for general feedback, what I am trying to do is setup a toughbook CF-30 so that whatever wifi network it is connected to, if it has internet access, I will be able to ssh into it remotely. Any input into that project? I have three CF-30's and want to set them each up this way
05:01 <@dazo> !blog
05:01 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
05:02 <@dazo> Doing this step on a server is one most common offender and is just plain wrong, from a security perspective:   cp -rf /usr/share/easy-rsa/ test
05:02 <@dazo> !howto
05:02 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
05:03 <@dazo> Henry151: start with #3
05:44 < fsociety[00]dat> I want my phone connect to internet same rules as my pc; does the quick solution creating a local vpn server on my pc?
05:47 < fsociety[00]dat> or ssh tunnel?
05:52 < Flotho66> Good morning everyone
05:56 < Flotho66> I have 2 servers with different Public IP and the same vpn server conf on both server. I have a client conf that runs on the first. I copied the conf and start on the second sucessfully. yet when I tried to connect to both from my local machine it faile withe the message : TCP/UDP: Socket bind failed on local address [undef]: Address already in use . I also tried to change the port of one of the server, impossible to
05:56 < Flotho66> reach both servers. Is it "legal" to copy the client conf and apply it to different servers?
06:01 < Flotho66> damend
06:01 < Flotho66> lport 0 was the answer
06:04 <@dazo> Flotho66: --nobind is probably the proper answer
06:04 < Flotho66> lport 0 also helps us a lot , thanks dao
06:04 < Flotho66> dazo, thanks
06:06 <@dazo> Flotho66: I bet --lport 64321 would work too ... --lport 0 binds to local port 0
06:06 <@dazo> Flotho66: Really, --nobind is the proper solution .... but it's your call
09:35 < jiquera> @plaisthos: Hi, a while ago we discussed long keepalive times for phones. However, im now getting issues with rekeying when the phone is not "live" and the connection is dropped. What do you do to get around that?
09:51 <@plaisthos> tried to keep rekeying on the phone short than on the server?
09:51 <@plaisthos> so that the phone always initiates the rekying?
10:01 < Henry151> so I'm trying to follow https://www.offensive-security.com/kali-linux/kali-rolling-iso-of-doom/ and when I get doen to the section where we create ssh keys, when I run "openvpn --cd /etc/openvpn --config /etc/openvpn/server.conf" server.conf doesn't exist there. where might I get it/what step might I have messed up for it to not be there?
10:02 < jiquera> hm nice idea
10:02 < Henry151> oh there it is
10:02 < jiquera> ill give it a shot
11:20 < thumbs> Henry151: I'll point out that using kali linux as a starting point is a terrible idea.
11:31 < yabbah> Hi there, just started to use openvpn on ubuntu. How can I check for dns-leaks in temrinal? I dont use gnome/kde.
12:21 -!- Vampire0_ is now known as Vampire0
12:31 < lauri> Hi guys, is there a MSI available of the OpenVPN client?
12:31 <@ecrist> yes
12:31 < lauri> where can I find it?
12:31 <@ecrist> the exe typically just compress an msi file
12:31 <@ecrist> that goes for pretty much any installer for windows
12:32 < lauri> exe is not exactly MSI, I need to install OpenVPN client using group policy from Active Directory
12:32 <@ecrist> normally, if you run the exe installer, it will extract the data to a temporary location
12:32 <@ecrist> lauri: I know what you're asking
12:39 < lauri> I just checked the OpenVPN client .exe, it's using Nullsoft Installer and according to the forum posts that particular installer won't support dumping MSI-s
12:40 <@ecrist> yes, I'm reading the same thing
12:40 <@ecrist> what are you using to push software packages? SCCM?
12:40 < lauri> I am not the Windows expert here, I guess the plan was to put .msi on a network share and add group policy for installation of the package
12:41 <@ecrist> you can still do that, I think, but just run the openvpn EXE with the /S option (silent)
12:41 < lauri> But since we need to fiddle with certificate distribution as well it might make sense that we'll have to create .msi for the whole plumbing
12:42 <@ecrist> yeah, if you need to push certificates and configs, as well, that might be a better plan.
12:42 < lauri> Alrighty thanks anyway
13:07 < Eugene> I have had OK luck with the pfsense-generated rollup
13:07 < Eugene> !rollup
13:07 <@vpnHelper> "rollup" is See !win_rollup
13:07 < Eugene> !win_rollup
13:07 <@vpnHelper> "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
13:07 < Eugene> But, as you've already found it, the entire windows installer subsystem is a bit neglected
13:07 < Eugene> s/it/out
13:37 <@dazo> Eugene: oh dear, that write-up is more likely completely outdated ... and the windows installer we ship these days are improved in a lot of ways
13:37 < Eugene> Fixitfixitfixit
13:38 <@dazo> grab a beer, Eugene ;-)
13:57 < deep42thought> Hi, I'm successfully running openvpn for some years now, the server also routes between the vpn (client ips are in the range 10.0.0.0/24) and physical networks (192.168.0.0/23). However, now I have added a laptop in this setup, which connects from different places. I'd like to be able to connect into 192.168.0.0/23-net iff the laptops primary internet is in a different net (e.g. 123.45.67.0/24). I'm currently out of ideas to 
14:01 < deep42thought> FYI: I'm running debian on the server and archlinux on the client - both using systemd.
14:15 < MuffinMedic> When I set opnvpm to use 10.8.0.0/24, everything works fine. when i change it to 10.0.2.0/24 i can't connect to the internet if im on the VPN - disabled the firewall and still no luck. local network is 10.0.1.0/24
14:15 < KaiForce> I have two remote networks, A&B,  both using 192.168.0.0/24.  If I create a subnet to subnet tunnel to subnet A, will a local OpenVPN client (OpenVPN GUI) to subnet B override the route to subnet A?  In other words, I'd like a permanent tunnel to one of them, but only if I can temporarily override it as needed.
14:20 < deep42thought> KaiForce: The vpn-connection to A runs on the same host as the connection to B or is it on a different machine?
14:21 < KaiForce> different machine, in this case the firewall for the client (not A or B) network
14:21 < KaiForce> not A or B
14:21 <@dazo> KaiForce: if both the LAN side networks of A&B use the same subnet, you are in for some real pain if you want traffic to pass between these sites ... Highly recommend to change subnet on one of them
14:22 < KaiForce> dazo:  I don't want to do anything of the sort and understand the problem there.
14:23 < deep42thought> but if you only want to override the route to one particular ip in B, this will work, as long as the local client itself runs the tunnel to B
14:23 <@dazo> If you're not going to do the right thing, I'm moving on ... not going to waste my precious time on hacks
14:23 < deep42thought> however, this ip will "vanish" from A for that client
14:23 < KaiForce> deep42thought: ok, I thought it would but I want to make sure before I go setting it all up
14:23 <@dazo> deep42thought: that is truly going to cause complete havoc at some point
14:24 < deep42thought> dazo: yes
14:24 < KaiForce> dazo: i'm not a hack, you aren't understanding my question
14:24 < MuffinMedic> Actually, 2 issues. (1) not working when i change the address range (2) no domain resolution change i push dhcp-option to 10.0.1.100 even though i can ping it just fine while connected
14:24 < KaiForce> I manage devices on both networks (which are not mine) and I switch my client as neede.
14:25 < deep42thought> it will definitely create some confusion, since you'll see ips in the same subnet, but on different sites
14:25 < KaiForce> needed.
14:25 < deep42thought> A and B resp.
14:25 < KaiForce> I want to make one of them permanent (so anyone on my network - i'll call it C ) can manage anything on A at any time
14:26 < KaiForce> If i then have a windows machine on C connect with OpenVPN GUI to B, I would expect that machine could only see B, and not A, while connected.  That's the behavior I want
14:27 <@dazo> access control is best managed via firewall ... not network hacks like that
14:28 < KaiForce> this isn't an access control question, but thanks
14:28 <@dazo> " I would expect that machine could only see B," <<< that is the definition of access control
14:28 < deep42thought> this is actually similar to routing internet through vpn although the machine has internet already - isn't it?
14:29 < KaiForce> dazo:  it is a connectivity question, not access control.
14:30 < KaiForce> I spend more time managing devices on A, so a permanent subnet to subnet tunnel to A would be beneficial, but I'd like to be able to connect to B as needed to manage devices there
14:30 < deep42thought> can't you NAT them, so B looks like in 192.168.1.0/24?
14:31 < deep42thought> Then you can connect to all of them at all times
14:32 < KaiForce> deep42thought: I have done that, it does work
14:33 < KaiForce> i take that back - i DNAT'ed them through a client connecting to my firewall's OpenVPN service, so that everything I did on their network appeared to be coming from the OpenVPN client on their subnet.
14:35 < KaiForce> I'm just going to set it up and see what happens.  I can't imagine that it works differently than I think it does - OpenVPN GUI would intercept anything bound for 192.168.0, so my firewall would never see it.
15:13 < KaiForce> Confirmed, works as I expected.
15:29 < MuffinMedic> So when I push dhcp servers as 8.8.8.8 everythign works fine. However, DNS is breaking when i use 10.0.1.100 (local network is 10.0.1.0/24, VPN is on 10.0.2.0/24). I can access everything else on both LANs just fine, including the server the DNS sits on
15:34 < ponyofdeath> hi, I am seeing Options error: --status fails with permission denied. to my status file. only works when I chmod 777 the file
15:35 < ponyofdeath> any ideas why? the dir is /etc/openvpn or /var/log/openvpn which i create and change owner to nobody:nogroup the files does get created tho
15:35 <@dazo> ponyofdeath: what is --user/--group set to in your config? .... does that --user and/or --group have write access to the directory?
15:36 <@dazo> ponyofdeath: do not put --status updates into /etc ... /etc is for configuration files ... /var and /run is for variable data for running processes
15:37 <@dazo> oh, and with "write access to the directory", it must have at least --x access on all parent directories as well
15:39 < ponyofdeath> dazo: well how is it creating the file if it does not
15:41 <@dazo> if you use --user nobody --group nogroup in your config ... and use --status /var/run/openvpn-status.log ... then OpenVPN will NOT be able to create the /var/run/openvpn-status.log, because nobody:nogroup is not allowed to write to that directory (including create new files)
15:41 < ponyofdeath> i created /var/log/openvpn and chown nobody:nogroup
15:41 <@dazo> if you use /var/run/openvpn/status.log .... and /var/run/openvpn is owned by nobody:nogroup, things will work as expected again ...
15:42 <@dazo> yes, /var/log/openvpn with nobody:nogroup as owner should work just fine, as long as /var/log/openvpn have rwx on that directory
15:43 <@dazo> nobody:nogroup have rwx on that directory, I meant
15:43 < ponyofdeath> yup its 755
15:43 < ponyofdeath> still getting that error, status file gets created but then get that permission denied error
15:43 <@dazo> do you use --chroot?
15:44 <@dazo> which distro?  since you have nogroup, I presume Debian or Ubuntu, though
15:44 <@dazo> and which version of openvpn?
15:45 < ponyofdeath> ubuntu 16.04
15:45 < ponyofdeath> no --chroot
15:46 <@dazo> !configs
15:46 <@dazo> !logs
15:46 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
15:46 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
15:51 < ponyofdeath> dazo: https://bpaste.net/show/b78c042fa2f9
15:51 <@dazo> please, complete log files .... with --verb 4
15:52 < ponyofdeath> dazo: sudo -u nobody bash -c 'echo "test" >> /var/log/openvpn/dc1-server.status '
15:52 < ponyofdeath> works fine
15:53 < ponyofdeath> dazo: nothing extra with verb 4
15:53 < ponyofdeath> in journalctl
15:53 <@dazo> then add --log /var/log/openvpn.log
15:54 <@dazo> and pastebin that file
15:54 < ponyofdeath> haha permission denied for the log file too let me do tmp
15:55 <@dazo> okay ... this is some ubuntu-f***-up .... I see you use openvpn@.service .... do you have openvpn-server@.service available?
15:56 <@dazo> please pastebin the complete output of 'systemctl status openvpn@dc1-server'
15:56 < ponyofdeath> https://bpaste.net/show/86e4c7c4da4f
15:57 <@dazo> okay ... please pastebin /lib/systemd/system/openvpn@.service
15:57 < ponyofdeath> ahh its already appending --status
15:58 < ponyofdeath> https://bpaste.net/show/799e36cb2916
15:58 <@dazo> well, your --status should override the system one
16:00 <@dazo> I have a hunch the one of the capabilities in CapabilityBoundingSet= is causing this issue
16:01 <@dazo> can you try to upgrade to openvpn-2.4 and use the new unit files we have there? ... the systemd integration have seen quite an overhaul, and the Ubuntu approach have had some issues they've tried to fix (in the wrong way, even ... like KillMode=mixed)
16:14 < ponyofdeath> shit, ok let me see if i can find packages for 16.04
16:21 < ponyofdeath> same issue
16:53 -!- lorimer[ATL] is now known as lorimer
17:19 -!- DarkSector is now known as FatSector
19:40 <@dazo> ponyofdeath: but do you still use openvpn@.service ... or openvpn-server@.service?
20:02 < Eugene> systemd is a hell of a drug
20:03 < ordex> lol
20:04 < ordex> don't take too much
22:22 < notmike> Listen up, boys. I need you! We're so close.
22:23 < notmike> I'm able to connect my client to my openvpn server. My server is able to connect to the interwebz. However, my client cannot connect past the server. Why?
22:24 < notmike> Its not the firewall on my client because I turned that bitch off.
22:24 < notmike> !welcome
22:24 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
22:24 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
22:25 < notmike> !redirect
22:25 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
22:25 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
22:25 < notmike> !dns
22:25 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
22:25 < notmike> !pushdns
22:25 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for
22:25 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
22:27 < notmike> !goal
22:27 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:29 < notmike> I want to connect my client to openvpn server remotely, to access NAS on my server's LAN and to route my remote client's traffic securely (remote client on unsecured ---> VPN ---> internet)
22:29 < notmike> !route
22:29 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
22:31 < notmike> !tap
22:31 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the
22:31 <@vpnHelper> protocol uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
22:32 < notmike> !configs
22:32 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
22:33 < notmike> !howto
22:33 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
23:15 < notmike> help?
23:17 < ordex> notmike: I think !route !ipforward and !nat is what you are looking for, no ?
23:17 < notmike> !route
23:17 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
23:17 < notmike> !ipforward
23:17 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
23:20 < Henry151> hello there folks
23:22 < Henry151> I am struggling to configure an AWS instance as an openvpn server and configure several laptops to be clients... I was trying to live-build a debian-based system in such a manner that as soon as the iso was booted up it would be automagically connected to the VPN and route all internet traffic through it, but now I have pretty much given up on that, and would be happy if I can get even one laptop to
23:22 < Henry151> connect to the vpn successfully even once
23:23 < Henry151> I am presently stuck here, running "openvpn client1.conf" and getting this output: https://bpaste.net/show/1a66a3e127d3
23:23 < notmike> brb
23:32 < Henry151> no inputs?
--- Day changed Tue Jan 24 2017
00:32 < notmike> !route
00:32 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
00:32 < notmike> !serverlan
00:32 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
00:33 < notmike> !ipforward
00:33 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
00:34 < notmike> !linipforward
00:34 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
00:41 < notmike_> !osxipforward
00:41 <@vpnHelper> "osxipforward" is (#1) sysctl -w net.inet.ip.forwarding=1 for a temp solution, or (#2) add IPFORWARDING=-YES- in /etc/hostconfig for a permanent solution
00:43 < notmike_> !nat
00:43 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
01:08 < Henry151> I have been reading the links but haven't made any headway
01:14 < notmike> !fbsdnat
01:14 <@vpnHelper> "fbsdnat" is nat on $ext_if from $vpn_network to any -> ($ext_if) (this is for PF)
01:15 < notmike> !linnat
01:15 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
04:11 -!- Vampire0_ is now known as Vampire0
11:53 < ponyofdeath> hi, anyone know why with this config https://bpaste.net/show/5216fb488aed my clients if they connect from multiple places nothing works. i would expect their last client gets kicked and new one takes place?
12:23 < Eugene> !duplicate
12:23 <@vpnHelper> "duplicate" is the option duplicate-cn is for allowing the same cert to login more than once. It should not be used in most situations, with main exceptions being if you also use !authpass or if just testing
12:24 < Eugene> also, what's in your client-config-dir ?
12:24 < ponyofdeath> Eugene: I do not want more thant one connection
12:24 < ponyofdeath> i want them to be booted off from the old connection
12:24 < ponyofdeath> as it does from the logs
12:25 < ponyofdeath> but the client's on their old old connection then reconnects
12:25 < ponyofdeath> is there a way to push a config from the server that will prevent their clients from attempting a re-connect
12:25 < ponyofdeath> MULTI: new connection by client 'gorden.cheng' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
12:25 < ponyofdeath> everything works as expected until the old client re-connects again
12:26 < ponyofdeath> then the new client re-connects
12:26 < ponyofdeath> etc..
12:26 < Eugene> Maybe --ping-exit? That's the opposite behaviour of what people normally want, heh
12:27 < ponyofdeath> hmm that's pretty bad security wise
12:28 < ponyofdeath> let me read up on that is there a way to push that to clients
12:36 < Eugene> It's normally assumed that 1 user = 1 client
13:12 < cj> hey folks
13:12 < cj> anyone here have experience working with the openvpn auth socket?
13:41 < nullp0inter> for some reason my openvpn access server doesnt care that my user's group has access control rules. it only lets me access those IP ranges if i put the rules in my user's access control section. anyone know how to resolve this?
13:45 < DArqueBishop> nullp0inter:
13:45 < DArqueBishop> !as
13:45 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
13:46 < nullp0inter> ty
16:55 -!- xpt is now known as lpt
--- Day changed Wed Jan 25 2017
05:34 -!- Vampire0_ is now known as Vampire0
05:39 < echosystm> hi all
05:39 < echosystm> my vpn disconnects every 48 hours or so
05:39 < echosystm> and the log shows nothing. doesn't even show the disconnect. the tunnel stays open too.
05:39 < echosystm> any ideas?
05:40 < echosystm> i've tried playing around with keepalive and ping-restart, but they don't seem to do anything
05:40 < tx> does your net connection die every 48 hours
05:41 < tx> perhaps it's not the VPN
05:41 < echosystm> nope
05:41 < echosystm> internet stays up the whole time
05:41 < tx> check your modem
05:41 < tx> connection times etc.
05:41 < echosystm> i have
05:41 < echosystm> it's definitely not that
05:41 < echosystm> also, if i unplug my internet then reconnect it, the vpn reconnects fine
05:42 < echosystm> its like the VPN disconnects at some point and then doesn't realise it has been disconnected
05:57 < echosystm> ive had this issue on 2 different computers by the way
05:58 < echosystm> on two different internet connections, with 2 different routers
05:58 < echosystm> the only common thread is debian
05:58 < lpt> on the same network? I had simillar issue, the firewall had rule which closed connection that weren't explicitly specified after a fixed amount of time.
05:59 < echosystm> nope completely different networks
06:00 < echosystm> actually one other similarity between them is that i've used udp with iptables connection tracking
06:01 < echosystm> perhaps connection tracking is stopping inbound packets after some amount of time
06:01 < echosystm> however, that doesn't explain why openvpn doesn't try to reconnect
06:51 < fsociety[00]dat> I install openvpn server as same as "https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04" Able to connect from mobile device but no internet.
06:55 < lauri> Hi, I've installed OpenVPN Connect on Android 7.x device
06:55 < lauri> I copied .ovpn file to the device, verified it works on my laptop in advance
06:55 < lauri> on Android it just shows "starting" and nothing happend
06:55 < lauri> in the logs (server side, android side) there is nothing
06:58 < fsociety[00]dat> !welcome
06:58 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
06:58 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person
06:58 <@vpnHelper> helping you
06:59 < lauri> haha classic, unicode characters in the certificate ... :D
07:02 < lauri> it pretty much locks up the device
07:02 < fsociety[00]dat> !redirect
07:02 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
07:02 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
07:22 <@plaisthos> lauri: try openvpn for android instead :P
11:38 < TheWhisper> I'm running into what seems like a major issue. I have setup OpenVPN Connect on my phone, and have the following in my server config `tls-auth /directory/to/mykey.key 0`. If I try to connect to my server through OpenVPN Connect on Android, I can connect without having my keyfile on the client.
11:39 <@dazo> TheWhisper: that key may have been imported into some internal Connect configuration storage
11:40 < TheWhisper> Dazo, I went to Settings > More... > Forget Credentials and erased "...saved credentials and trust information..."
11:40 < TheWhisper> while saving the profile
11:40 < TheWhisper> Then tried to login again, and it still let me connect
11:40 < TheWhisper> I can try deleting the profile completely
11:41 <@dazo> I dunno much about the Connect stuff, it's closed source ... and I've never had a chance to get access to that code yet ... so I'm only speculating
11:41 < TheWhisper> Okay, so while trying to add the profile again, it says it cannot add it because mykey.key cannot be referenced
11:41 <@dazo> there you go :)
11:42 < TheWhisper> I don't like that they'd save the keyfile in their credential store or wherever :/
11:42 < TheWhisper> What if I wanted to remove the keyfile occasionally as a security measure, while keeping the profile...
11:44 <@dazo> file a bug ;-) http://community.openvpn.net/openvpn/newticket
11:45 < TheWhisper> I don't have ticket_create privileges :P
11:45 < TheWhisper> Probably need to register
11:45 <@dazo> that said ... client side security is a bad protection .... you should do have a kill switch at the server instead
11:45 < TheWhisper> Anyway, thanks for the help, Dazo
11:45 < TheWhisper> In what way?
11:46 <@dazo> well, if your keys are restored (despite having been removed ... google undelete files) .... it's possible to gain access anyway
11:46 < TheWhisper> I have key + password
11:46 <@dazo> so the importance of deleting the key is moot
11:46 < TheWhisper> The only next step would be hardware auth, no?
11:46 < TheWhisper> Well, it's not moot
11:47 < TheWhisper> It slightly increases security
11:47 <@dazo> yeah, 2FA will be a good factor
11:47 < TheWhisper> Not by much
11:47 < TheWhisper> but slightly
11:47 <@dazo> deleting keys as a security measure is security theatre
11:47 < TheWhisper> What if I zero out the keyfile?
11:48 <@dazo> same issue .... you need a specific shred tool which can get kernel filesystem guarantee that the inodes used for saving the file are zeroed out
11:48 < TheWhisper> I see
11:49 <@dazo> otherwise, for performance reasons the kernel may just as well just assign a new inode which got your zeros ... and the old inode reference is deleted - but not the file contents saved on that inode
11:49 < TheWhisper> Hardware 2FA is a bit too inconvenient for my current requirements
11:49 < TheWhisper> though I have been considering it
11:50 <@dazo> well, any OTP solution may work ... even software variants
11:50 < TheWhisper> I'm just irrationally worried I'd misplace the keys lol
11:50 < TheWhisper> Oh, really
11:50 < TheWhisper> I never looked into it for OpenVPN
11:50 < TheWhisper> I'll have to see what methods are supported
11:51 <@dazo> well, we don't have any official solution for it ... I've been considering to write a plug-in for it, but haven't had time to do so
11:51 <@dazo> I know there exists a few third party solutions, but don't know how well they work
11:52 <@dazo> unless you enable LDAP authentication against an FreeIPA 4.4 server .... that should in theory work quite well, and gives you centralized authentication even - FreeIPA is kind of like an Active Directory solution, just for Linux
11:53 < TheWhisper> Never heard of FreeIPA. I'll take a look into it.
11:54 <@dazo> it sounds like a beast ... but it's really not bad at all ... incredibly easy to set up and configure ... gives you Kerberos+LDAP with Single Sign On possibilities (including SPNEGO for your own web based services)
11:54 <@dazo> and it doesn't eat much resources at all
11:56 <@dazo> (I run this on a VM with 16GB disk, 768MB RAM and 2 virtual CPU cores - but even 1 core would actually work quite fine too)
12:35 < timmmaaaayyy> anyone know how to disable split dns for the android/ios "openvpn connect" client?
12:37 < timmmaaaayyy> we have a dns helper thing setup where clients can say: go/jira or go/confluence and they don't have to type out he full domain name.  this isn't working for my mobile vpn instance.  my phone cannot resolve "go" successfully.  when i tell it to use the openvpn assigned DNS server for the query then it can resolve go.  so it must be doing split dns, and i can't figure out how to stop it
14:18 < mefistofeles> hey, any ideas why all of a sudden I can't connect to my openvpn server with my android device?
14:20 < mefistofeles> it statys at waiting for server in client
18:02 < Eugene> Meanwhile, I'm still working to rip out FreeIPA at $CLIENT for $DAYJOB, because my predecessor set the whole thing up like an asshat
18:03 < Eugene> </2c>
18:57 < saul> hello, i am getting the following error when trying to connect (only when i use android openvpn client): http://pastebin.ca/3760383
18:57 < saul> it has been working OK until today
18:57 < saul> BTW i did check the CA and the user cert and they are NOT expired
19:10 < Gaffel> saul, client doesn't send its own cert to the server.
23:14 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Read error: Connection reset by peer]
23:15 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
23:15 -!- mode/#openvpn [+o vpnHelper] by ChanServ
--- Day changed Thu Jan 26 2017
00:29 < Mr-Protocol> How do I delete all current client keys on my openvpn server so I can modify the cipher used and re-create them?
00:32 < Mr-Protocol> basically I want to start-over from scratch without having to do a re-install of the server
03:04 < Mr-Protocol> I guess the better question would be is there a way to change what the clients and server used for cipher that doesn't require re-making all the certs?
03:13 < deever> after an upgrade from 2.3.x to 2.4.x, "push route" in ccd files don't work anymore
03:13 < deever> push route "192.168.28.0 255.255.255.0 192.168.1.1"
03:13 < deever> Options error: Unrecognized option or missing or extra parameter(s) in vpn/ccd/user@example.org:42: push (2.4.0)
03:14 < deever> without push it doesn't neither
03:14 < deever> route "192.168.28.0 255.255.255.0 192.168.1.1"
03:14 < deever> Options error: option 'route' cannot be used in this context (vpn/ccd/user@example.org)
03:14 < deever> how to fix?
03:46 -!- Vampire0_ is now known as Vampire0
06:22 < jem^> Hello channel.  If I issue certs for openvpn using an intermediate CA, will it only trust those issued by the intermediate, or will it trust any cert that chains back to my root CA?
07:02 <@ecrist> jem^: it depends on how you deploy the chain
07:02 <@ecrist> if you deploy based on the intermediate, it would only trust the certificates signed by that intermediate.
08:07 < jem^> ecrist: I'm not certain what you mean by "deploy based on"
08:07 < jem^> my server and client certs are signed by the intermediates
08:07 < jem^> -s
08:08 < jem^> I'm trying to work out if other certs signed by a different intermediate (under the same root) will also be trusted by the openvpn server
08:12 < jem^> My CA structure will look something like this: http://pastebin.com/15nKVgHv
08:13 < jem^> I want to ensure that the OpenVPN server won't also trust "Other certs"
09:17 <@ecrist> no, it won't
09:39 < jem^> thanks
10:38 < deever> after an upgrade from 2.3.x to 2.4.x, "push route" in ccd files don't work anymore
10:39 < deever> push route "192.168.28.0 255.255.255.0 192.168.1.1"
10:39 < deever> Options error: Unrecognized option or missing or extra parameter(s) in vpn/ccd/user@example.org:42: push (2.4.0)
10:39 < deever> without push it doesn't work neither
10:39 < deever> route "192.168.28.0 255.255.255.0 192.168.1.1"
10:39 < deever> Options error: option 'route' cannot be used in this context (vpn/ccd/user@example.org)
10:39 < deever> how to fix?
11:38 <@ecrist> deever: did you check out the man page?
11:39 <@ecrist> I thikn your syntax is a bit off
11:39 <@ecrist> think
11:40 <@ecrist> push "route 192.168.28.0 255.255.255.0 192.168.1.1" is likely what you're looking for
11:41 < spY|da> can i set up a tap interface with ipv6 like its possible for ipv4?
11:42 < Gaffel> Why not?
11:43 < Eugene> Yes, tap has always supported ipv6(its a layer 2 device), and tun has spoken IPv6 since.... 2.2? There's a full family of ipv6-related options in the man page
11:43 < Gaffel> TUN uses IP tunnel, TAP tunnels ethernet so anything that ethernet can carry will go through.
11:44 < spY|da> because i find udp6, server-ipv6, tun-ipv6, but i didnt find tap-ipv6 in the manpages
11:45 < spY|da> ok then, i will give it a try, anything special to keep in mind?
11:47 < BtbN> Except that you shouldn't use tap if at all possible, no
11:50 < spY|da> BtbN, i will keep that in mind and try to get everything working without using tap thank you
13:06 <@ecrist> !tunortap
13:06 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
13:06 <@vpnHelper> rooted/jailbroken) support only tun
13:06 <@ecrist> spY|da: keep in mind TAP isn't supported on mobile (or mobile-like, ahem *chromebook*) systems
14:29 < Korak> Hello, I have something setup wrong and not sure where to start looking. I have openvpn service running on my router and able to connect to it from my linux machine. This is allowing me to connect to machines on my home network. The trouble I am having is that it does not direct web browsing through the VPN, any internet traffic seems to go direct instead. Where do I need to look to fix this?
14:54 <@dazo> !redirect
14:54 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
14:54 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
14:54 <@dazo> Korak: ^^^
15:13 < Korak> dazo, vpnHelper: Thanks!
17:02 -!- Psi-Jack_ is now known as Psi-Jack
--- Day changed Fri Jan 27 2017
00:00 < iheartlinux> why does "mode server" & "topology subnet" require an iroute "vpn's network/mask"?
07:03 < OccamRazor> !welcome
07:03 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
07:03 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
08:30 -!- Vampire0_ is now known as Vampire0
08:59 < dn`> I’m using a simple shared key setup and do a “redirect-gateway def1” on the client side. The VPN works as expected, but I would like to modify the routes a tiny bit. The client lan ip is 192.168.1.10, the VPN is at 10.4.0.1/.2. If the client is not in the VPN the default router is 192.168.1.1 and it can reach e.g. 172.16.16.1 - How can I add a route after the connection that the client still uses 192.168.1.1 to talk to 172.16.16.1 instead o
08:59 < dn`> also sending this through the VPN?
08:59 < dn`> I hope it make sense ;-)
09:02 < DArqueBishop> dn`: let me see if I have the factoid right...
09:02 < DArqueBishop> !push-route
09:02 < DArqueBishop> That wasn't it...
09:04 < DArqueBishop> Ah!
09:04 < DArqueBishop> !route-override
09:04 < DArqueBishop> !route_override
09:04 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet, or (#2) you can read about the net_gateway variable in --route in the manual (!man), or (#3) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
09:08 < dn`> DArqueBishop: thanks, trying! that would be awesome
09:15 < dn`> oki, it might be a tiny bit more difficult for me. It seems the redirect-gateway rule creates “0.0.0.0         10.4.0.1        128.0.0.0 tun0” as rule (Dst, Gw, Genmask) - the IP I really try to reach is 10.8.0.2 via 192.168.1.1 - not sure how to read the 128.0.0.0
09:17 < dn`> https://gist.github.com/anonymous/1a1f254044f285ba74efff435502ac39 helps maybe
09:17 <@vpnHelper> Title: gist:1a1f254044f285ba74efff435502ac39 · GitHub (at gist.github.com)
09:46 < MacGyver> dn`: So, basically, you don't know how to read routing tables?
09:47 < MacGyver> dn`: That's not derisive, that's for me to establish at what level the explanation needs to be.
09:48 < MacGyver> dn`: Assuming you don't, "0.0.0.0" at the left is the pattern that needs to be matched by the IP address being routed; "128.0.0.0" in this case is the *mask* that defines which *part* of the IP address being routed needs to match.
09:48 < MacGyver> dn`: 128.0.0.0 translates into 10000000.00000000.00000000.0000000 in binary.
09:49 < MacGyver> dn`: I.e. only the first bit needs to match.
09:49 < MacGyver> dn`: 0.0.0.0 translates to all zeroes.
09:49 < MacGyver> dn`: So effectively, this rule captures all IP addresses that have 0 as their first bit, but only, *and this is important*, if there is no *more specific rule* matching those addresses.
09:50 < MacGyver> dn`: So you could have a route for 10.0.0.0 via 192.168.1.1 with a longer mask like 255.0.0.0
09:50 < MacGyver> dn`: That would match 10.*.*.* and send it through that gateway.
09:50 < MacGyver> dn`: But I would advise you to at least read up a bit on routing.
09:51 < MacGyver> dn`: Since messing with this stuff if you don't know what you're doing may very well result in not sending *any* of your traffic over the VPN.
09:53 < dn`> MacGyver: just playing for learning with it - it’s only VMs. Do you got any idea why the route I added https://gist.github.com/anonymous/1a1f254044f285ba74efff435502ac39#file-gistfile1-txt-L2 didn’t show up? I restarted the client
09:53 <@vpnHelper> Title: gist:1a1f254044f285ba74efff435502ac39 · GitHub (at gist.github.com)
09:55 < dn`> I would have expected that a route shows up to use the local gateway for 10.8.0.1-255
09:57 < MacGyver> Try if it works if you explicitly specify the gateway IP address - it may be having issues determining the gateway address.
09:57 < MacGyver> Also check error logs.
09:58  * MacGyver -> gone.
12:58 < iheartlinux> I use funtoo(gentoo) for both of my endpoints. I compilied openvpn with lzo turned off (both machines) and got this error: "ip packet with unknown ip version=15 seen" when compilied with lzo support and option not specified in conf files we're good. When compilied with lz4 support enabled; no problems. ??
12:59 < iheartlinux> openvpn-2.4.0
13:00 < Eugene> "It hurts when I poke myself in the eye"
13:01 < Eugene> Compiling without lzo is a bit stupid IMO... but I also take the funrool-loops view on Gentoo users so take it with a grain of saltiness
13:09 < iheartlinux> well, I'm a openvpn noob, so aparently openvpn requires lzo compilied in...
13:29 < notmike> I have a device that is connected to the interweb. It runs an openvpn server. I am able to connect to that server remotely with various devices. Those devices, however, cannot access the interweb while connected to the server. Why?
13:29 < notmike> 12:08 AM <notmike> I have read a lot on this, worked on it a lot. I'm stuck.
13:29 < notmike> Server.conf: http://paste.debian.net/910986/
13:29 < notmike> IPTables: http://paste.debian.net/910982/
13:29 < notmike> ifconfig: http://paste.debian.net/910985/
13:29 < notmike> ip route: http://paste.debian.net/910987/
13:29 < notmike> ipv4 forwarding is enabled and verified via #cat /proc/sys/net/ipv4/ip_forward  = 1
13:47 < DArqueBishop> notmike: did you enable NAT on the server?
13:47 < DArqueBishop> !linnat
13:47 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:49 < notmike> I believe I did this, but I don't recall. I apply this to eth0 on up. http://paste.debian.net/910992/
13:50 < notmike> should that lat ip be my router ip instead of my server ip??
13:50 < notmike> last*
13:53 < DArqueBishop> notmike: the #2 is if your OpenVPN server has multiple routable IP addresses it could use. In your case, you should use "-j MASQUERADE" instead.
13:53 < DArqueBishop> Or, wait.
13:53 < DArqueBishop> This may be one of those situations where I'm answering without looking at all the information. One second.
13:55 < DArqueBishop> Yeah, I'd still use the example in #1 instead of the one in #2.
13:55 < DArqueBishop> WAIT.
13:56 < notmike> lol the suspense!
13:56 < DArqueBishop> Are the devices unable to reach the 192.168.0.0/24 network either?
13:57 < notmike> When I'm connected remotely I am able to ping both the server and my router
13:57 < notmike> I think. Let me verify
13:58 < DArqueBishop> If you can ping the router then it's not what I'm thinking.
13:58 < notmike> yeah, I can ping router, server, playstation, cell phone, and cat's cell phone
14:01 < DArqueBishop> Hrm.
14:01 < DArqueBishop> All right, I'm out. Maybe one of the ops can tell you what I'm missing. :-)
14:06 < notmike> alright, thanks DArqueBishop
15:20 < Eugene> !logs
15:20 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
15:21 < Eugene> !logfile
15:21 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
15:21 < Eugene> Sigh
15:22 < b3d0u1n> Can the OpenVPN app for Android connect automatically to a VPN when the device is started?
15:33 < iheartlinux> In operating a linode vps, I had to switch to tcp to achieve stability on a tls-server setup. I have another unit in operation using ipsec without issues. UDP drops 50%, TCP is currently at 100%.
15:38 < pm7> Hello. "TCP/UDP: Preserving recently used remote address: [AF_INET]*.*.*.*:443" Can I do not use it? I don't have option  "--persist-remote-ip" I cannot even find where openvpn stores this IP :(
15:39 < pm7> I use "~# openvpn --config file", with all configuration and certs in one file.
15:42 < pm7> my configuration in file: https://gist.github.com/anonymous/0465023500b0da3b3333585b58954766
15:42 <@vpnHelper> Title: openvpn · GitHub (at gist.github.com)
15:46 < pm7> there are more than one openvpn by single domain address and I would lilke to change which I'm connected to, because it seems slow. ideally, server should be changed every connection, but even possilibity of manually removing cache ip would be nice
15:47 < pm7> I use openvpn from debian testing repo. OpenVPN 2.4.0 [git:master/f5bf296bacce76a8+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 29 2016
15:59 < pm7> obviously, restarting computer doesn't help
16:01 < pm7> !welcome
16:01 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind
16:01 <@vpnHelper> openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
16:02 < pm7> !1925
16:02 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
16:05 < pm7> !howto
16:05 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
16:05 < pm7> !ask
16:05 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
16:06 < pm7> !/30
16:06 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
16:06 < pm7> !goal
16:06 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:26 < pm7> I asked different server for ip with dig, added temporarily other ip to domain in /etc/hosts, removed it and magic: it seems openvpn changed ip. finally...
16:30 -!- Captain_Beezay is now known as LoudChollima
19:38 < Kadigan> !welcome
19:38 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
19:38 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
19:41 < Kadigan> !tap
19:41 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the
19:41 <@vpnHelper> protocol uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
19:42 < Kadigan> !tunortap
19:42 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
19:42 <@vpnHelper> rooted/jailbroken) support only tun
20:41 < Kadigan> Hm... After I configured the encryption (cipher / auth / tls-cipher), I can now connect to OpenVPN server (iOS client). I can visit LAN-side services by typing in http(s)://IP, but I do not seem to see DNS, nor can I route out to the Internet. I already have "push dhcp-option DNS 10.0.0.1" in place. What am I missing? I assume some firewall rules.
20:45 < Eugene> !redirect
20:45 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
20:45 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
20:45 < Eugene> Flowchart ^
20:45 < Eugene> Probably NAT
20:47 < Kadigan> The server is installed on dd-wrt. I'm already `push redirect-gateway def1`, hope that's correct.
20:49 < Kadigan> Hm... I'm not sure what "redirect-gateway enabled on the client" means. I have an option to redirect gateway on the server.
20:51 < Kadigan> I will try to figure it out, thanks for that flowchart.
20:51 < Kadigan> !def1
20:51 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
20:52 < Kadigan> !ipforward
20:52 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
20:52 < Kadigan> !linipforward
20:52 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
20:57 < Eugene> It means that the client has the option, either locally or pushed from the server(which you do)
20:58 < Eugene> And thank you for doing the reading on the bot instead of giving up and swearing at us ;-)
21:00 < Kadigan> It's a sad, sad world when you have to thank me for being polite and trying to do my part in troubleshooting -my- problem.
21:06 < Kadigan> Eugene: so I can ping within my local LAN, but I can't talk to the DNS at 10.0.0.1 (my VPN comes in as 10.0.10.0/27)
21:07 < Kadigan> Either way, when I drop into a terminal on the iOS device, I can ping say 10.0.0.1 just fine, but I can't DNS from it (requests time out).
21:07 < Kadigan> I'm having either a routing problem, or a firewall one.
21:08 < Eugene> tcpdump on 10.0.0.1 to see which
21:08 < Eugene> It'll tell you if its getting the packets or not
21:09 < Eugene> It might be that your DNS server is not configured to resolve for your VPN subnet(this is very common with bind)
21:10 < Kadigan> Okay, I found part of the problem.
21:10 < Kadigan> dd-wrt's iptables don't work well with "-source 10.0.10.0/27", but work with "-s 10.0.10.0/27"
21:10 < Kadigan> I also needed to POSTROUTING back to the new network
21:10 < Kadigan> I can now ping google DNS
21:10 < Kadigan> I still can't talk to local DNS.
21:11 < Eugene> Check the DNS daemon's logs
21:12 < Kadigan_KSB> Oh lookie. Seems my meddling with the router caused it to reset connections. Bleh. Happens.
21:13 < Kadigan_KSB> Yeah, I can get DNS from Google just perfectly.
21:13 < Kadigan_KSB> Local DNS, not so much.
21:14 < Kadigan_KSB> I can ping it just fine. Seems I need some INPUT rule or something.
21:18 < Kadigan_KSB> Hm... I -can- however access dd-wrt's config page (LAN-side) via VPN. Just not DNS.
21:18 < Eugene> Are you by chance forgetting that DNS is UDP?
21:18 < Eugene> very relevant for firewall rules
21:22 < Kadigan_KSB> No, that's not it. I had to explicitly tell dnsmasq to listen to tun2 as well.
21:22 < Kadigan_KSB> (it was simply ignoring me, that's all)
21:23 < Kadigan_KSB> DNS works now.
21:24 < Kadigan_KSB> (I could've just told it to use Google's DNS or OpenDNS or something, but I wanted to have access to my local domain as well)
21:24 < Eugene> Ah, if you're only binding to one interface, there you are.
21:24 < Eugene> I like ::
21:24 < Eugene> Or ::1
21:24 < Kadigan_KSB> Yeah, I'm not using IPv6.
21:24 < Eugene> You don't need to. That's the bind-all(ipv4 and ipv6) and localhost addresses
21:25 < Kadigan_KSB> Question: I'm using OpenVPN app on iOS. Can I be sure that all my traffic is being routed explicitly through VPN with that app?
21:25 < Eugene> Sorry, no idea about iOS. I think I'm buying an iPhone this weekend, so I'll soon found out
21:25 < Kadigan_KSB> (yeah, but I need to specify per interface... not sure if I just don't know any better, or if dnsmasq on dd-wrt is limited that way; can be both)
21:25 < Eugene> I suspect the answer is "no, you can't, the iphone is not a secure device"
21:25 < Eugene> But that's cynicism talking
21:26 < Kadigan_KSB> Actually, https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html -- you're not far wrong
21:26 <@vpnHelper> Title: OpenVPN Connect iOS FAQ (at docs.openvpn.net)
21:27 < Kadigan_KSB> Push and FaceTime don't use VPN per Apple's policy,
21:27 < Kadigan_KSB> and when the tunnel is reconnecting/paused/whatever, packets may be routed normally.
21:28 < Kadigan_KSB> And I finally know why I was getting Google's DNS in nslookup - I had "Google DNS fallback" enabled.
21:28 < Kadigan_KSB> On iOS8 you can enable "Seamless Tunnel" which will make a best-effort attempt to keep the tunnel up.
21:29 < Kadigan_KSB> (during resume and other non-transmitting states, so that packets don't route outside of it)
21:29 < Kadigan_KSB> I'm on iOS7, so I'm SOL. ;)
21:34 < Rothschild_666> sup open vpn
21:34 < Kadigan_KSB> sup Rothschild_666 ;)
21:34 < Kadigan_KSB> Eugene: anyway, thanks for sticking with me while I got this sorted out, and for your support. :-)
21:35 < Eugene> !blame
21:35 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault, or (#2) According to krzee, it's always dazo's fault, or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments, or (#4) cron2 says its always d12fk's fault (and sometimes the customers), or (#5) if it is crypto blame syzzer and plai for acking
21:36 < Kadigan_KSB> Also, I assume I got an old version of the app on iOS? (since I'm doing this on iOS7 and iOS8) It didn't support AES-512-CBC, I had to fall back to AES-256-CBC
21:36 < Kadigan_KSB> (for some reason the server on dd-wrt does support AES-512-CBC...)
21:38 < Rothschild_666> questionnnnnnnn about a vpn across tun interfaces
21:39 < Rothschild_666> how do i route all traffic over it without removing the route to my router?
21:41 < Kadigan_KSB> !def1 I think
21:42 < Kadigan_KSB> I'm new here, but let me try. Tell me if this answers your question:
21:42 < Kadigan_KSB> !def1
21:42 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
21:47 < Eugene> Yup, exactly that. Its more-specific than your default route(0.0.0.0/0). There's also a secondary route added for $SERVER_ADDRESS via the current default gateway
21:47 < Eugene> Otherwise you'd get chicken-and-egg sending the tunnel payload into the tunnel
21:49 < Kadigan_KSB> Makes sense.
21:50 < Kadigan_KSB> Yay! Baby's First OpenVPN Configuration: SUCCESS.
21:50 < Kadigan_KSB> (I'm refering to myself here)
21:53 < Rothschild_666> def1?  that is an openVPN option?
21:55 < Kadigan_KSB> It is. In your OpenVPN *server* configuration, you add exactly that line
21:55 < Kadigan_KSB> push "redirect-gateway def1"
21:55 < Kadigan_KSB> quotes and all.
21:57 < Rothschild_666> what if i manually start it from the command line, where would i add this option?
21:58 < Kadigan_KSB> Into the config file.
21:59 < Kadigan_KSB> Otherwise I do believe there's a --redirect-gateway switch?
21:59 < Kadigan_KSB> (see !def1 above, #2)
21:59 < iheartlinux> I got my first conf working as well. Although I had to use tcp because udp was giving me different errors. like "Bad source address from client", which is untrue because I added the network to an iroute in ccd/DEFAULT. Also got these errors all using udp: "no dynamic or static remote", "Authenticate/Decrypt packet error: cipher final failed", "bad compression stub decompression header", "bad lzo
21:59 < iheartlinux> decompression header byte", & "ip packet with unknown ip version=15 seen"
22:01 < Kadigan_KSB> Yeah, UDP didn't work for me either, despite having the port open. I had to use TCP.
22:02 < Kadigan_KSB> (it was generally timing out)
22:02 < iheartlinux> same here
22:02 < Kadigan_KSB> Stupid question - dd-wrt?
22:02 < iheartlinux> no
22:02 < Kadigan_KSB> Okay, so it's not dd-wrt-specific. Good to know.
22:03 < Kadigan_KSB> I was connecting via a GSM LTE network,
22:03 < Kadigan_KSB> so apart from my router not accepting UDP somewhere, there's also the possibility of my network filtering outgoing UDP.
22:03 < Kadigan_KSB> Meh. It works on TCP, what's a little overhead, eh?
22:03 < iheartlinux> I did downgrade to 2.3.14 from 2.4. The errors changed but again tcp worked
22:04 < iheartlinux> well, I'm doing this for voip use
22:04 < iheartlinux> If I can get upd working....
22:06 < iheartlinux> s/upd/udp
22:09 < iheartlinux> I use pia's vpn on occasion, which uses udp@1194 so no filtering by my cable provider. & I doubt my vps provider, linode is filtering either...
22:48 -!- LoudChollima is now known as Captain_Beezau
22:48 -!- Captain_Beezau is now known as Captain_Beezay
--- Day changed Sat Jan 28 2017
01:06 < ordex> iheartlinux: checked with tcpdump here and there if packets are reaching the various hosts
04:14 -!- FederationOfNULL is now known as [0xAA]
04:31 < IanMan> could somebody please lead me in the right direction of a good "dummies" guide to create a site-to-site tunnel with OpenVPN and Raspberry Pi. I have a server running on the main site and a client on the remote site. The client connects fine to the server and I can ping everything on the main site. What route do I need to create to have clients on remote sites being able to talk to servers on
04:31 < IanMan> main site? Thank you so much
04:33 < IanMan> :)
04:47 < [0xAA]> IanMan: read the guide
04:47 < [0xAA]> it's so easy
04:50 < IanMan> [0xAA] a guide to site-to-site on openvpn.org?
05:13 < Tykling> IanMan: you just need to add the route statements to the server config and the server will push those routes to the client
05:14 < Tykling> what you are looking for is not a site to site vpn, it is still clients dialing in to a server
05:22 < [0xAA]> you mean a P2P VPN?
05:22 < [0xAA]> well, you can set up a main server
05:22 < [0xAA]> have all sites connect to the main one
05:22 < [0xAA]> then NAT them together
06:38 < IanMan> [0xAA] no i am looking for a site-2-site vpn so that everyone on the secondary site can see all servers on primary site without using openvpn clients on all clients. :)
09:17 < Robirt55> Good Morning
09:18 < Robirt55> Anyone around?
09:18 < skyroveRR> Sup.
09:19 < Robirt55> I have heard that there is a free openvpn access server for private use would anyone here know if this is a thing?
09:24 < skyroveRR> No VPN is "free" in any real sense unless you deploy one and trust it... anyway, there's this VPN from openvpn devs themselves, https://www.privateinternetaccess.com/ if that's what you mean.
09:29 < Robirt55> I was planning on deploying my own vpn server so I have access to my servers from remote locations
09:29 < Robirt55> would also prefer to install the vpn server one of my linux servers
09:46 < ordex> Robirt55: you can just download and install openvpn (the opensource software)
09:55 < HiddenWolf> Hi
10:02 < HiddenWolf> I'm having an interesting problem where my FreeBSD jails stop having network access when I turn on openvpn
10:15 < Robirt55> @ordex, That's a good idea. Now I just need to find the open vpn sa source
10:15 < ordex> there is no "sa"
10:16 < ordex> it's just the openvpn software that you can configure as server or client
10:16 < ordex> usually you can easily install it with your package manager Robirt55
10:17 < Robirt55> Oh, Well then... https://github.com/OpenVPN/openvpn this would be it. Right?
10:17 <@vpnHelper> Title: GitHub - OpenVPN/openvpn: OpenVPN is an open source VPN daemon (at github.com)
10:18 < Robirt55> really. Oh... I am over complicating this.... lol
10:21 < edi> hi , I'm having trouble to resolve domain names on my client when it's connected to an aws-openvpn instance (a debian box I configured myself)
10:22 < edi> i have
10:22 < edi> push "redirect-gateway def1 bypass-dhcp"
10:22 < edi> push "dhcp-option DNS 10.0.0.105"
10:22 < edi> where the 10. = the ip of the openvpn instance (also acting as dnsmasq server)
10:23 < edi> help is much appreciated :-)
10:26 < pdobrogost> Hi  all!
10:27 < pdobrogost> How does one debug user scripts (up/down)?
10:39 -!- remirol is now known as lorimer
10:53 < ordex> Robirt55: why not using your package manager to install openvpn ?
12:34 < Robirt55> @ordex, I am going to now. I was not aware that this version could be configured for unlimited users.
12:39 < ordex> Robirt55: this is just the pure opensource openvpn software - you can also modify it if you don't like what it does :)
12:41 < Robirt55> @ordex, thanks. will do. I'll let you guys know as I get lost in the process =P
12:41 < ordex> :D
12:42 < ordex> good luck !
12:44 < Robirt55> Thank's you'll hear the complaining as I go. But first. Need to find a good guide to work from.
12:44 < Robirt55> I am thinking this will do. s is just the pure opensource openvpn software - you can also modify it if you don't like what it
12:44 < Robirt55> Oops must have missed Ctrl C
12:44 < Robirt55> https://wiki.debian.org/OpenVPN
12:44 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org)
12:45 < Robirt55> is what I meant to paste
12:45 < Robirt55> currently waiting on my girlfriend to leave so I can't really dive into this....
12:49 < ordex> eheh
12:50 < ordex> usually gf takes a lot more that claimed :D you may some some more time ;)
12:50 < ordex> btw, also on openvpn.net you find a lot of guides and howtos, which are usually uptodate, while external resources might not
12:50 < Robirt55> Okay I will take a look
13:11 < joeybane> Hello, I am in need of some help.  I am on Win7x64 trying to setup a openvpn server.  I am using easyrsa3, I have built the PKI and CA on the server and client and signed the req files and generated the crt.  But if I try to build a key using build-client-full, I get the error that the req file already exists.  How can a build a key if I need to build/sign a keypair/request
13:46 < landofcake> !welcome
13:46 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
13:46 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
13:50 < landofcake> I wondered if anyone has had any experience using IPTables to push traffic from a certain user through an openvpn connection?
13:50 < ordex> landofcake: I know there is an iptables-extenions that you can use to match traffic generated by a given uid
13:50 < landofcake> well, I've actually set that up, and it works well
13:50 < ordex> that should be helpful I guess ? man iptables-extensions
13:50 < ordex> ah
13:50 < ordex> ok
13:50 < landofcake> but there's a few peripherary problems
13:51 < ordex> :D
13:51 < landofcake> specifically I've set up scripts to sort out the routing tables and packet marks when the route comes up
13:51 < landofcake> which works great, but then things go a bit wrong when I try and tear down that stuff when the route comes down
13:52 < landofcake> just one moment, I'm just going to check the scripts
13:54 < landofcake> so basically, when the vpn connects, it calls a script on 'route-up' which sets up the packet marking with iptables and then creates a second routing table for those packets to go via the tunnel
13:55 < landofcake> and it then turns off reverse path filtering so the packets don't get dropped
13:55 < landofcake> and this all works out fine
13:56 < landofcake> the issue is that the reverse script, which removes all of these things (the packet marking and the second routing table) doesn't work because certain environmental variables don't get passed through when running a script on 'route-down'
13:56 < landofcake> for example $dev and $ifconfig-local
13:56 < landofcake> there is also an extra dimension to this problem unfortunately ...
13:58 < landofcake> actually to be honest it seems random as to whether the packets actually end up going through or not
13:59 < ordex> about the last statement: you should monitor iptables to see if the packets are matched or not and whether the yare redirected towards the tun interface. until you confirm that, there is not much openvpn can do
13:59 < ordex> about the route-down, what is exactly missing that in route-up exists ?
13:59 < landofcake> you're right ordex, let me check that quickly
13:59 < landofcake> the first thing I need to troubleshoot is that this setup used to work and packets actually went through the VPN correctly
14:00 < ordex> yap, let's decouple the problems :)
14:00 < landofcake> currently it isn't, and I suspect it's something to do with the rp_filter settings in sysctl, so let me just have a quick look at that
14:00 < ordex> btw, sorry but I am off to bed - has been a too long day here :P
14:00 < landofcake> no worries :]
14:00 < landofcake> before you disappear
14:01 < landofcake> I'm not overly familiar with iptables, is there an easy way to log which rules it's matching?
14:01 < Robirt55> night ordex thanks for your help earlier... well guidance =)
14:01 < ordex> landofcake: mh can't remmeber - I know you can use -j LOG with the same conditions as your rule
14:01 < ordex> that should print to log and let the packet continue the chain
14:01 < landofcake> great, I'll check that out, thanks chap
14:01 < ordex> Robirt55: np!
14:01 < ordex> goodnihgt !
14:06 < landofcake> I tell you, I could really do with my little iptables handbook right now
14:06 < landofcake> except it's at home :[
14:12 <@krzee> id try ##netfilter
14:12 <@krzee> thats the iptables channel
14:13 < landofcake> thanks krzee, I think I may have it now
14:13 <@krzee> np =]
14:13 < landofcake> ultimately this is all just diagnosis to make sure it is OpenVPN I need to think about ;)
14:13 <@krzee> whats the problem you need to check on?
14:13 <@krzee> sorry i missed the scroll
14:14 <@krzee> (assuming you need my help, if not then just keep going)
14:15 < landofcake> I'll summarise it real quick
14:16 < landofcake> setting up openvpn with iptables to route a specific user's packets via the openvpn interface, iptables part seems to work sporadically but when it does work there are also some issues with openvpn and hooking into running the iptables scripts at route-down or route-pre-down
14:16 < landofcake> but I'll get to that once I've troubleshooted the iptables part
14:17 <@krzee> if you get the first part to work perfect and for some reason cant get teardown right in the down script, you could always (ugly hack, but maybe it could help?) configure teardown during the up script, save it, then run it from the down script
14:18 <@krzee> or you could make the rules permanent and use static ips for vpn clients internally
14:18 < landofcake> that was my next line of thinking yes
14:18 < landofcake> v.good idea
14:18 <@krzee> which one? static?
14:18 < landofcake> nah, setting up the tear-down in the up script
14:19 <@krzee> ahh, i consider it an ugly hack but ya it could work :D
14:19 < landofcake> the problem specifically is that the set-up script uses environment variables provided by openvpn like $dev and $ifconfig_local
14:19 < landofcake> which aren't provided by openvpn when running scripts at the route-down stage
14:19 < landofcake> it seems to be OK if I run the script at route-pre-down
14:20 < landofcake> but then there's ... a secondary issue
14:20 <@krzee> ahh so ya , the ugly hack would help that
14:20 < landofcake> the secondary issue being that the VPN ideally needs to stay up at all times, which I've done by using keepalive 10 60
14:21 < landofcake> but when openvpn reconnects after a timeout, it brings the tunnel down and attempts to run the route-pre-down script, which fails at that point
14:21 < landofcake> but I'll get to this once I've troubleshooted what the bloody hell iptables is up to ...
14:46 < landofcake> aaaaaaaaah ok krzee
14:46 < landofcake> now I've worked out the iptables problem
14:47 < Robirt55> yeay! what was the issue?
14:47 < landofcake> basically because every time the VPN dropped out the 'tunnel down' script was failing, which had caused the nat and mangle tables to be totally spammed full of old rules
14:47 < landofcake> now the problem is how to set up openvpn so it deals with things correctly when the tunnel comes down or gets reconnected
14:47 < Robirt55> what kind of rules do you have in place?
14:48 < landofcake> there's a rule on the mangle table to mark packets from a specific user
14:48 < landofcake> and then a rule on the nat table to push any packets with that mark through a second routing table
14:48 < Robirt55> so your VLANing through OpenVPN?
14:49 < landofcake> well the aim is to have a specific user's packets go through the OpenVPN tunnel
14:49 < Robirt55> What kind of packets are you tagging?
14:49 < landofcake> all of them
14:50 < landofcake> and this all works fine
14:50 < Robirt55> Have you explained why you are trying to do this above?
14:50 < landofcake> no, I haven't
14:51 < landofcake> for me it was just handy to be able to have specific users able to go via VPNs to specific countries
14:51 < landofcake> because I only access this box remotely
14:51 < landofcake> so I can't just throw up a VPN and have it automatically push new gateways for the entire system
14:52 < landofcake> otherwise I'm then unable to hit the box via ssh
14:52 < Robirt55> right
14:53 < landofcake> what I could do ...
14:53 < landofcake> is simply flush the entire nat and mangle tables on route-down rather than trying to remove the specific rules which got set up on route-up
14:53 < Robirt55> The OpenVPN install guide just told me to install UFW apparently it's a front end for IP-tables. Is this something that you are using to manage your IP tables? You sound significantly more advanced than myself
14:54 < landofcake> nah I'm doing it all via the command line
14:54 < landofcake> this machine doesn't have X
14:54 < Robirt55> user based routing makes sense when I think about it based on multiple countries... then you can direct traffic to proper servers faster
14:54 < landofcake> but that sounds interesting ... I might have to try it at some point
14:55 < landofcake> well ultimately the idea is that if I need to go via the US I've just got a user called 'us'
14:55 < Mr-Protocol> Is there a way to change the cipher encryption for the server and clients they use? Or is it a total re-do of the configuration and client certs?
14:55 < Robirt55> I am on ssh as well and the guide uses all terminal commands.. I shall move forward
14:56 < The1_2> regarding the gigabit performance in the wiki ( https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux ) - how updated is it in relation to the recommendations about using the aesni engine in openssl when openssl 1.0.1+ uses EVP which should be enabled by default?
14:56 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
15:05 < Robirt55> Lol ufw stands for Uncomplicated Firewall
15:06 < landofcake> right, excellent, I've fixed it
15:06 < landofcake> it turned out the best way to solve this was to be more generic with the teardown of the iptables rules in the openvpn 'down' script
15:07 < landofcake> simply flushing the nat and mangle tables and flushing the new routing table rather than trying to specifically kill certain rules which were set up in the 'route-up' script based on device and ip address settings from the tunnel
16:28 < IanMan> i am looking for a site-2-site vpn guide so that everyone on the secondary site can see all servers on primary site without using openvpn clients on all clients. :)
17:01 < Anatzum> Could anyone help me fix my dns leak. I have openresolv installed. I'm reading about it on the arch wiki and there are two ways about it but both require adding lines to a client configuration file. in my /etc/openvpn/client folder there are no files. Am i to assume that all i have to do is make one?
17:03 < landofcake> is this on windows Anatzum ?
17:03 < landofcake> never mind, sorry, the only DNS leaks I'm familiar with are due to windows 10 multi-homed dns resolution
17:04 < Anatzum> I'm on arch linux using network manager
21:26 < Robirt55> Good Evening
21:30 < Robirt55> I am attempting to load a client.ovpn file into my laptop to test my server. However, I am receiving and error "Prifile Import-Error". What is the best way to troubleshoot this?
21:36 < Robirt55> nvr
21:36 < Robirt55> nvm*\
21:50 < PrincessBob> reaaly dumb question... but im a noob.... why is tap bridging a bad idea?
21:53 < Robirt55> even noobier question. does anyone know where the openvpn log files are off hand?
21:54 < PrincessBob> how dare you out noob me
21:54 < PrincessBob> hrumph
21:54 < Robirt55> lol
--- Day changed Sun Jan 29 2017
02:20 -!- chang is now known as yong
02:37 < abbas> hey every body i want to use on of this accounts  :http://freevpnaccess.com/  by openvpn  but i dont know how to create a ovpn config file , do you know should i write it ?
02:37 <@vpnHelper> Title: Real-Time Updates Free VPN Access Info - Free VPN Access - Easy, Fast & Organic (at freevpnaccess.com)
05:33 < ghost75> can openvpn be setup to use ipv4 and 6 at same time?
05:35 < ghost75> oh found it: http://serverfault.com/questions/651832/openvpn-with-mixed-ipv4-and-ipv6-clients
05:35 <@vpnHelper> Title: OpenVPN with mixed ipv4 and ipv6 clients - Server Fault (at serverfault.com)
09:54 < Robirt55> Hey guys. I have an OpenVPN server running on Debian. I can see that the server is listening or at least it looks like it is but I can't even use telnet to confirm that the port is open... Any advice?
09:56 < ordex> Robirt55: trying to connect with the client? :-P
09:59 < Robirt55> also a no go. "Connection time out"
09:59 < ordex> firewall issue ?
09:59 < ordex> do you see anything in the server log which tells you that the connection has at least started ?
09:59 < ordex> but the time out sounds like a firewall issue usually
10:00 < ordex> !firewall
10:00 <@vpnHelper> "firewall" is (#1) please see https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets., or (#3) Please see this for a better method to unloading netfilter (aka iptables ) rules: https://gist.github.com/QueuingKoala/6350127
10:00 < ordex> cool :D
10:00 < ordex> I just guessed there was a "firewal" key ehhe
10:00 < Robirt55> nice lol
10:00 < Robirt55> !help
10:00 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
10:01 < Robirt55> !keys
10:01 <@vpnHelper> "keys" is http://openvpn.net/howto#pki
10:04 < Robirt55> I have just disabled the uncomplicatedFirewall and still the same issue
10:04 < Robirt55> am i allowed to dump terminal snippets in here?
10:05 < ordex> maybe you can use a paste service ?
10:05 < ordex> that would be better
10:05 < Robirt55> okay what do you recommend?
10:06 < ordex> Robirt55: something like this: http://nopaste.linux-dev.org/ ?
10:06 < Robirt55> http://nopaste.linux-dev.org/?1120672
10:07 < Robirt55> cool and they last for a few weeks. Love it!
10:08 < ordex> Robirt55: is the openvpn server running first of all? :)
10:08 < ordex> then, what port is it using ?
10:08 < Robirt55>  ps aux | grep open
10:08 < Robirt55> nobody     639  0.0  0.0  30676  3036 ?        Ss   Jan28   0:00 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf
10:08 < Robirt55> root      3261  0.0  0.0  12728  2216 pts/0    S+   10:58   0:00 grep open
10:08 < Robirt55> running, and the port is default
10:09 < ordex> udp 1194 ?
10:09 < Robirt55> yes. Just checked the config
10:09 < ordex> udp        0      0 10.0.0.11:1194          0.0.0.0:*                           639/openvpn
10:09 < Robirt55> right
10:09 < ordex> seems like it's listening on a private ip, no ?
10:10 < Robirt55> ?
10:10 < ordex> it is listening on 10.0.0.11
10:10 < Robirt55> oh the 10.0.0.11 right
10:10 < ordex> is that the ip the client is using to connect ?
10:10 < Robirt55> It's on my home network I have PCs there I tried to tell net with
10:10 < ordex> oh ok
10:11 < ordex> and where is the client ?
10:11 < ordex> same network ?
10:11 < Robirt55> let me install the client on a windows 7 vm on the same network and attempt that
10:11 < ordex> so I guess it was outside ?
10:12 < Robirt55> i have my static forwarded to my domain name and I am connecting with that to port 1195 that is then translating to 1194 on that internal server.
10:12 < Robirt55> =D
10:12 < ordex> eheh ok
10:12 < ordex> as soon you made sure the forwarding is on udp :P
10:12 < Robirt55> i have both
10:13 < Robirt55> changed it to only UDP on the firewall
10:18 < Robirt55> just started the internal connection attempt...
10:18 < Robirt55> changed the client.conf settings to point right to the server...
10:19 < ordex> yap
10:19 < Robirt55> no go
10:20 < ordex> mh
10:20 < ordex> I'd suggest to check the incoming packets with tcpdump or similar
10:20 < ordex> anyway, bed time for me
10:20 < Robirt55> haha sleep wel
10:21 < Robirt55> well*
10:44 < devonrevenge> do people here know how to use sodium libraries?
13:33 < landofcake> hey again guys, so after all my troubleshoot yesterday I've now got a more concrete question for the OpenVPN side
13:35 < landofcake> so the question is, when openvpn automatically reconnects to a tunnel based on the use of the 'keepalive' rule
13:36 < landofcake> which script hooks does it execute?
13:36 < landofcake> I'm looking for a script hook that runs on 'down' but isn't run when openvpn reconnects to a tunnel
13:36 < landofcake> because the 'route-up' script only runs on the first connect, and not when it reconnects due to a time out
13:36 < landofcake> but it seems that 'down' runs every time the VPN reconnects
13:46 < landofcake> it seems that persist-tun is the right thing, but I already have that in my config
13:48 < notmike> I'm surprised none of you could remedy my issue.
13:50 < notmike> I thought you guys were really smart.
13:57 < notmike> !help
13:57 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
13:57 < notmike> !ipforward
13:57 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
13:58 < notmike> !linipforward
13:58 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
16:43 < Robirt55> !heartbleed
16:43 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl, or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised., or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected., or (#4)
16:43 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed, or (#5) http://xkcd.com/1354/
16:43 < Robirt55> !poodle
16:43 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has, or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
16:43 < Robirt55> !ovpnuke
16:44 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
16:44 < Robirt55> !sweet32
16:44 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
--- Day changed Mon Jan 30 2017
01:45 -!- Darcy is now known as Spydar007
04:19 < T1w> 'lo
04:58 < akrasie> is there any way to get all CID's of all connected clients by management-interface or do i have to keep track of them in my application?
05:48 <@krzee> akrasie: status 3
06:05 < akrasie> krzee: that does give me the common name but not the CID (aka the X in >CONNECT ->X<- Y)
06:25 < bauruine> !welcome
06:25 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
06:25 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
06:38 < T1w> does anyone hwere know about the effects of matching MTU size of tun interfaces to something that matches what openssl can en/decrypt the fastest? ie. if output from "openssl speed -evp aes-256-cbc" says that 8192byte blocks perform the best, I should probably keep MTU around (or just a tad higher) than that
06:38 < T1w> hm
06:39 < T1w> and what about when we go above the small-ish blocks openssl speed tries?
06:39 < T1w> what if we look at 64k blocks or such
06:39 < T1w> how much data can openvpn "shove" into openssl at a time?
07:02 <@ecrist> T1w: have you hear of packet fragmentation?
07:02 <@ecrist> heard*
07:03 < BtbN> going for huge MTUs of like 60k or even higher is a common thing to increase crypto performance
07:03 < BtbN> But it also creates quite a bit of lag on the network
07:05 <@ecrist> what/who does 60k MTUs as a "common" practice?
07:05 < T1w> ecrist: well.. at the moment I've gone up from ~503Mbit/s to 958Mbit/s just by going up with tun-mtu and disabling fragmentation and mss fix
07:06 < T1w> that's in a local test, so it's what I'd expect to see for a 1gbit link, but I've got a real life 1gbit line where I've never gone above ~120Mbit
07:07 < T1w> and I'd like to change that before investing in a black fiber to get the speed I need
07:07 <@ecrist> Is your current 1g link through a normal ISP?
07:07 < T1w> BtbN: lag is the least of my problems - as long as I get more throughput
07:07 < BtbN> saturating a gigabit link with openvpn is close to impossible though, even with all the tuning you can get
07:08 < T1w> ecrist: that probably pedends on what you mean by "normal"
07:08 < T1w> it's a datacenter
07:09 < T1w> BtbN: 958 is as close to saturated as I'd expect to see
07:09 <@ecrist> ah, most of those are grossly over-subscribed
07:09 <@ecrist> T1w: can you send me your config for client/server?  I'd like to try that out
07:10 < T1w> BtbN: actually.. just trying the physical link between my testmachines (and not going through openvpn) I get a lower speed..
07:10 < T1w> 942Mbit/s compared to the 958Mbit/s through openvpn
07:10 < T1w> that's.. interesting
07:10 < T1w> ecrist: sec..
07:15 < T1w> ecrist: https://paste.sh/UgJDEDVG#u9Dnx5lXCZsBfSuHRY6QJV7a
07:15 < T1w> ecrist: it's where I've ended up after reading https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
07:15 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
07:16 < T1w> ecrist: and no.. our link is not oversubscribed - I can easily get really close to wirespeed when transferring other stuff from around EU (I'm located in Denmark)
07:17 < T1w> funny thing is that once I went above 50000 bytes MTU my iperf tests dies out
07:17 < T1w> 49000 is fine, 50000 is not
07:19 < T1w> ping is fine, but iperf dies out after the first few MB
07:21 < T1w> hm.. seemlingly because the serverside dies
07:22 < T1w> ah
07:22 < T1w> Mon Jan 30 14:09:29 2017 us=427893 gauss/10.5.99.205:42307 Assertion failed at lzo.c:202 (buf_safe (&work, zlen))
07:22 < T1w> Mon Jan 30 14:09:29 2017 us=427963 gauss/10.5.99.205:42307 Exiting due to fatal error
07:22 < T1w> lets try without lzo
07:22 <@ecrist> T1w: what is your iperf syntax for your performance measurements?
07:23 < T1w> ecrist: server:  -s -p 10000 -B 10.8.8.6
07:23 < T1w> ecrist: client:  -p 10000 -c 10.8.8.6 -t 30
07:24 < T1w> I squzed a bit more out by renicing the client iperf to -19 (since the system is used for other stuff)
07:24 < T1w> only a few mbit, but it removed a few fluctuations where performance dropped down
07:28 <@ecrist> which version of openvpn?
07:28 < T1w> hah.. no without lzo it just gives me
07:28 < T1w> 49781 IP packet with unknown IP version=15 seen
07:28 < T1w> ecrist: 2.3.14
07:29 < T1w> the version avabilable in the EPEL 7 x86_64 repo
07:29 < T1w> OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec  7 2016
07:29 < T1w> using
07:29 < T1w> library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
07:30 < T1w> (RHEL version of OpenSSL with backports)
07:30 < T1w> afk - back in 10-15 mins
07:31 <@ecrist> I'm trying this out - so far, just two servers connected to the same switch each over 1g uplinks, I see 936Mbps
07:31 <@ecrist> now to set up OpenVPN
07:51 <@ecrist> huh, this is a new one
07:51 <@ecrist> Mon Jan 30 07:39:16 2017 us=113384 Assertion failed at crypto.c:81 (packet_id_initialized(&opt->packet_id))
07:51 <@ecrist> Mon Jan 30 07:39:16 2017 us=113393 Exiting due to fatal error
08:39 < faraway> Hi, I currently try to setup an openvpn server. I’m already able to connect to the server using a vpn client. And I’m also able to access servers using the IP. But it looks like the dns resolving does not work. Can someone give me a hint how i can debug this?
09:03 < DArqueBishop> faraway: are you pushing DNS information to the clients, and if so, does the assigned DNS server know to listen for your VPN clients?
09:06 < faraway> @DArqueBishop: I tried varaious configuration without and with pushing the dns information. Right now I don not push any. But changing „proto udp“ to „proto tcp“ on both server and client solved the problem. But for me this does not really make sense because I thought that either i could connect using udp or not.
09:06 < DArqueBishop> That... makes no sense.
09:07 < DArqueBishop> You're right. There's no reason I can think of where changing the protocol would affect whether DNS resolution works.
09:08 < faraway> I do a sanity check and revert it back to udp probably i didn’t restart the server at another change i did.
09:11 < faraway> @DArqueBishop Hmm just chaning it back to upd makes it fails again.
09:13 < faraway> Could it be that if i’m behind of a dual stack light setup where i share the ipv4 with other customers of the ISP cause such a behaviour?
09:30 <@ecrist> of course he left...
09:44 < faraway> @DArqueBishop: it is my ISP, the somehow messup with the UDP connection.
11:15 < rzyz> hello, i'm trying openvpnas software, is it possible to have multiples private IP networks
11:17 < Chaz123> any idea why all new clients I create no longer work , but that olds one do fine, and I'm literally copy/pasting the config files
11:19 < rzyz> example, i have 4 vpn connections: noted AM(master, network A) AC(client, network A), BM et BC. I want client AC to do a VPN in bridge mode to AM and the same for BC, connect to server in bridge mode to be in the same local network as BM.
11:19 < rzyz> is it possible?
11:21 < DArqueBishop> rzyz:
11:21 < DArqueBishop> !as
11:21 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
11:23 < rzyz> DArqueBishop, sorry, thanks !
11:24 < ordex> rzyz: do you want to bridge network A and B ?
11:24 < ordex> or you don't care ?
11:27 < ordex> oh it was about as
12:51 -!- Vampire0_ is now known as Vampire0
13:23 < SupaYoshi> hi
13:23 < SupaYoshi> I'm trying to setup my server, everything works, but routing traffic from TUN0 to VNET0:0 seems to be an issue.
13:24 < SupaYoshi> !WELCOME
13:24 <@vpnHelper> "WELCOME" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
13:24 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
13:24 < SupaYoshi> !goal i'd like to access internet oer my vpn
13:25 < SupaYoshi> !redirect
13:25 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
13:25 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
13:26 < SupaYoshi> !nat
13:26 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
13:28 < SupaYoshi> !linnat
13:28 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:33 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
13:34 < Eugene> SupaYoshi - vnet0 or venet0? What virt technology is your server using?
13:35 < Eugene> The flowchart at the end of the redirect factoid is a great troubleshooting tool
13:51 < vraagmeneer> !welcome
13:51 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
13:51 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
13:51 <@vpnHelper> you
13:52 < vraagmeneer> !redirect
13:52 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
13:52 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
13:52 < vraagmeneer> !nat
13:52 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
13:52 < vraagmeneer>  !linnat
13:53 < vraagmeneer> test
13:53 < vraagmeneer> !linnat
13:53 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:54 < vraagmeneer> Hi, I've enabled ipforwarding, i've enabled NAT, and used the command, iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o venet0:0 -j MASQUERADE    HOWEVER i can still NOT ping 8.8.8.8 from my client.
13:55 < vraagmeneer> With tcpdump, i can see the traffic flow through tun0, on the server
13:55 < vraagmeneer> However now I've put several iptable rules in, and rebooted a couple of times, I'm completly mind-blown where to figure out my error, why ping is not working on a client and I cannot reach IP's.
13:56 < vraagmeneer> My problem is most likely firewall like you say, but I am unable to further investigate, even after using !linnat
13:57 < vraagmeneer> I've used this tutorial, but the only difference is my eth0 is vnet0:0
13:57 < vraagmeneer> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04
13:57 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 14.04 | DigitalOcean (at www.digitalocean.com)
13:58 < Eugene> Are you using vnet0 or venet0? Your usage is inconsistent
13:58 < Eugene> venet0 indicates openvz
13:58 < Eugene> !openvz
13:58 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn, or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
13:59 < vraagmeneer> venet0:0
13:59 < Eugene> Does the file /proc/user_beancounters exist?
14:00 < vraagmeneer> ohh... it was vnet0
14:00 < vraagmeneer> venet0:0 but venet0
14:14 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
14:14 -!- mode/#openvpn [+v RBecker] by ChanServ
16:59 < deadhead> win7 openVPN server, client can connect as 10.8.0.5 can RDP into 10.8.0.1 win7 , win7 also is on as 192.168.0.49, I want the client to be able to access that network
17:00 < deadhead> so i create the route and push in the server config
17:00 < deadhead> then tell the gateway on 192.168.0.1 how to get to 10.8.0.0 via 192.168.0.49
17:00 < deadhead> right/
17:01 < deadhead> do I need to enable IP forwarding on this win7 box?
17:02 < deadhead> via the registry
17:03 < deadhead> cant get it to work
17:21 < Eugene> Windows is generally not used as a server OS.
17:21 < Eugene> That being said, yes, you can do it
17:21 < Eugene> !winnat
17:21 <@vpnHelper> "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows, or (#2) http://www.nanodocumet.com/?p=14 for windows XP, or (#3) https://community.openvpn.net/openvpn/wiki/NatOverWindows2008 for 2k8
17:22 < Eugene> !winroute
17:22 <@vpnHelper> "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin, or (#5) you might also want to see
17:22 <@vpnHelper> that and use trial and error with these solutions: http://openvpn.net/index.php/open-source/faq/79-client/259-tap-win32-adapter-is-not-coming-up-qinitialization-sequence-completed-with-errorsq.html
17:22 < Eugene> !windows
17:22 <@vpnHelper> "windows" is (#1) computers are like air conditioners, they work well until you open windows., or (#2) http://secure-computing.net/files/windows.jpg for funny, or (#3) http://secure-computing.net/files/windows_2.jpg for more funny
17:22 < Eugene> Not that one ^
17:22 < Eugene> !winipforward
17:22 <@vpnHelper> "winipforward" is (#1) reboot after enabling it, or (#2) https://support.microsoft.com/EN-US/kb/230082 to enable ip forwarding on windows
17:27 < Robirt55> is there a list of all of the ! commands?
17:27 < Robirt55> !commands
17:27 < Robirt55> !help
17:27 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
17:32 < deadhead> thanks
17:42 <@krzee> !factoids
17:42 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
18:28 < Robirt55> cool thanks
--- Day changed Tue Jan 31 2017
01:47 < iheartlinux> Found out CLAMPMSS=Yes is needed in shorewall.conf & incoming icmp in shorewall rules is needed for udp to work correctly
04:32 -!- Sweet-P is now known as Sweet_P
04:32 -!- Sweet_P is now known as Sweet-P
13:05 < sh3llc0d3> Hello
13:07 < nicknik> !welcome
13:07 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
13:07 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
13:08 < mefistofeles> !tap
13:08 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the
13:08 <@vpnHelper> protocol uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
13:09 < nicknik> !goal I would like to access my local files from the outside trough OpenVPN
13:15 < nicknik> Im using tun, everything seems to work well after going trough all the steps in the easy install guide for windows https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide. I am able to connect from my laptop connected to my phone's internet trough hotspot, to my local computer running the openVPN server. I'm not able to ping it tough, 10.8.0.1. I have all settings at default. Using only my public IP (setting is remote 17x.xxx.xx.xx). Port forwarded def
13:16 < nicknik> Any tips on what to check is welcome, I could not find anything more on the FAQ etc :)
13:16 < nicknik> my local network is 10.0.0.x, would not think that would conflict
13:19 < nicknik> !logs
13:19 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
13:20 < nicknik> !configs
13:20 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:28 < nicknik> I have one error message, but I cant see it beeing related to not beeing able to ping the IP of the server. "Need IPv6 code in mroute_extract_addr_from_packet"
13:31 < nicknik> !interface
13:31 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6), or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn', or (#4) For
13:31 <@vpnHelper> Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
13:40 <@krzee> !configs
13:40 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:40 <@krzee> nicknik: ^
13:41 < nicknik> working on it
13:41 < nicknik> :)
13:54 < nicknik> !paste http://pastebin.com/jWJBH0wk
13:55 < nicknik> is ; the same as # in configs?
13:55 <@krzee> !configs
13:55 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:56 <@krzee> and yes
13:56 <@krzee> why are you running a 6.5 year old copy of openvpn?
13:56 <@krzee> upgrade that
13:57 <@krzee> your versions could easily be your problem
13:57 <@krzee> !download
13:57 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn, or (#2) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
13:58 < nicknik> should I go 2.4 for both client and server?
13:59 <@krzee> sure
14:02 < Gaffel> Always keep all your software up to date so you can experience the same problems as the rest of us!
14:03 <@krzee> lol
14:03 < Gaffel> Collective frustration!
14:10 <@dazo> gee ... 2.1 is getting *that* old .... I remember we complained about 2.0 users at that time .... 2.0 was also ~6 years around those days
14:12 <@dazo> commit 4eb21d226313e81627d589c704ec9fbbeef6d7c4
14:12 <@dazo> Author: David Sommerseth
14:12 <@dazo> Date:   Thu Nov 4 20:35:24 2010 +0100
14:12 <@dazo>     Prepared for a OpenVPN v2.1.4 release
14:12  * dazo is getting old ......
14:13 <@dazo> ^^^ that's my first 2.1 release for the community
14:15 <@dazo> v2.2-beta1 was released Tue Aug 10 21:26:31 2010 +0200 ... which was the first truly community influenced release
14:27 < nicknik> this seems to be new in 2.4 compared to 2.1 config. tls-auth ta.key
14:29 < nicknik> I should probably create it, but what is the command in easy-rsa?
14:29 < nicknik> openvpn --genkey --secret ta.key is for linux I guess..
14:37 < nicknik> well, got it working without using tls-auth
14:38 < nicknik> after a few attempts at creating the client .crt. Somehow it got created without any info, just a blank file
14:38 < nicknik> and now I can ping 10.8.0.6 from the client
14:39 <@krzee> nicknik: instead of tls-auth, check out tls-crypt
14:39 <@krzee> and:
14:39 <@krzee> !topology
14:39 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
14:39 < nicknik> !/30
14:39 <@krzee> try topology subnet in the server config, but then rm ipp.txt before starting openvpn for the first time
14:39 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
14:50 < nicknik> sorry, dont think Im able to figure out how to configure it based on this, I know some networking, but not enough to understand everything going on here :)
14:51 < nicknik> I changed setting on the server to topology subnet, and Im only able to get it working using "server 10.8.0.0 255.255.255.0"
14:51 <@krzee> ya i didnt say to change the server line
14:51 <@krzee> just add topology subnet
14:51 <@krzee> and remove the ipp.txt file that already exists
14:52 <@krzee> and you may want to use the new option tls-crypt instead of tls-auth
14:52 <@krzee> see the options in the manual:
14:52 <@krzee> !man
14:52 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
14:52 < nicknik> ah, 10.8.0.0 was default, tought it was 10.8.0.1
14:52 < nicknik> thanks
14:53 < nicknik> the next step is to open up to my local net, 10.0.0.x. Like my NAS
14:53 < nicknik> would that be push "route ..... " settings?
14:56 <@krzee> server lan?
14:56 <@krzee> or the lan is behind a client?
14:57 < nicknik> server lan yeah
14:58 <@krzee> !serverlan
14:58 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
14:58 <@krzee> and for a way better understanding:
14:58 <@krzee> !route
14:58 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
14:58 < nicknik> !ipforward
14:58 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
14:58 < nicknik> !route
14:58 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
14:58 <@krzee> but !route shows how to do it with server and client lans
14:58 <@krzee> its meant for understanding whats happening
14:59 < nicknik> I see, thanks
14:59 < nicknik> I'll check it out
14:59 <@krzee> you're welcome, i hope it helps
14:59 <@krzee> i wrote it, so give it a good read or 2, and then feel free to ask questions you may have
15:00 <@krzee> let me give you 1 piece of advice
15:00 <@krzee> changing your server lan will save you future headaches assuming you plan on logging in from random places
15:01 < nicknik> yea, I dont have a problem with that, not much is bound to the current IP's
15:01 < nicknik> what would I change it to?
15:01 <@krzee> because your server lan uses a common subnet, when you login from a place that uses the same 10.0.0.0/24 you will have issues
15:01 <@krzee> !randomsubnet
15:01 <@vpnHelper> '"randomsubnet" is (#1) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `, or (#2) Or try this perl oneliner: `perl -e \'printf 10.%d.%d.0/24\n , int(rand(256)), int(rand(256));\'`'
15:02 < nicknik> I see
15:17 < nicknik> seems like I only have to enable client-to-client, and add this for the server config: push "route 10.0.0.0 255.255.255.0" ?
15:18 < nicknik> do I need iroute for the client even when its only one lan behind the server that needs to be accessed?
15:19 < Gaffel> The route is the network that the client can't see.
15:19 < Gaffel> You need to give it routes to the networks it can't see.
15:20 < nicknik> yup
15:20 < Gaffel> So if you want it to have access to 10.0.0.0/24 through the tunnel then yes.
15:22 < nicknik> that was yes to my first or 2nd line?
15:25 <@krzee> you should have changed the server lan subnet, but ya
15:25 <@krzee> and no iroute
15:26 <@krzee> iroute is only for subnets behind clients
15:26 < nicknik> ah, ok
15:27 < nicknik> I will change the server lan subnet later yea
16:10 < nicknik> even with push "route 10.0.0.0 255.255.255.0" and client-to-client in the config of the server, Im not able to connect to the 10.0.0.x lan from the client, so it seems I need to turn on ip forwarding or fix ip forwarding in my firewall. I have disabled the firewall just to test it, and it still does not work. Any tips on how to be able to ping 10.0.0.113(server lan ip)
16:14 < ranger81> I created a aws instance with openvpn AMI, but I am not able to ssh to this instance either as root or as openvpnas. Any suggestion? I have security group that allows ssh from any IP.
16:16 < DArqueBishop> ranger81:
16:16 < DArqueBishop> !as
16:16 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
16:19 <@krzee> nicknik:
16:19 <@krzee> !serverlan
16:19 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
16:19 <@krzee> use the flowchart
16:20 <@krzee> tell me where you get stuck
16:22 < nicknik> yea, that is what I was using :) stuck at trying to ping the ip of the server(10.0.0.113) from the client. Do I need to add "route 10.0.0.0 255.255.255.0" to the config for this?
16:23 <@krzee> ahh ok
16:23 <@krzee> to the server config no, to the client config yes (unless you pushed it from the server)
16:23 < nicknik> yeah I pushed it from the server, added push "route 10.0.0.0 255.255.255.0" to the server config
16:24 <@krzee> ok, now show me iptables-save -c
16:24 < nicknik> on client?
16:24 <@krzee> oh wait, is this windows or linux?
16:24 <@krzee> on server
16:24 < nicknik> windows
16:24 < nicknik> all windows
16:24 <@krzee> oh ok
16:24 <@krzee> !winipforward
16:24 <@vpnHelper> "winipforward" is (#1) reboot after enabling it, or (#2) https://support.microsoft.com/EN-US/kb/230082 to enable ip forwarding on windows
16:24 <@krzee> and disable windows firewall on tap interface
16:27 < nicknik> brb reboot...but insted I could set the route on the client insted? with route 10.0.0.0 255.255.255.0 in client config?
16:28 <@krzee> !push
16:28 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
16:28 < nicknik> yep
16:32 < nicknik> yey, got reply from ping lan ip of server
16:32 <@krzee> now, you probably cannot ping other machines yet
16:33 < nicknik> yup, do I need to add a po
16:33 <@krzee> !route_outside_ovpn
16:33 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
16:33 <@krzee> so now you have 2 choices...
16:33 <@krzee> you can add a route to each machine on the lan that you want to reach over the vpn
16:33 <@krzee> OR
16:33 <@krzee> you can add a route to the router for the lan
16:33 <@krzee> err sorry i mean OR
16:34 <@krzee> you can add a route to the vpn on the router for the lan
16:34 <@krzee> on the router you would configure 10.8.0.0 255.255.255.0 to gateway 10.0.0.13
16:35 <@krzee> or on the individual machines on the lan
16:35 <@krzee> as explained in !route under ROUTES TO ADD OUTSIDE OPENVPN
16:35 < nicknik> so if I want to specify each machine, I would do it in the config of the server?
16:36 < nicknik> if I just want to add everything, I do it on the router?
16:36 <@krzee> this all takes place outside of openvpn and machines running it
16:36 <@krzee> either you add routes to lan machines or to the router of the lan
16:37 < nicknik> ok
16:37 <@krzee> openvpn is configured already
16:40 < nicknik> on my router its called static route, so I added Destination IP: 10.8.0.0, Gateway: 10.0.0.113 (this is the lan ip of the server). and Subnet Mask: 255.255.255.0
16:40 < nicknik> does not seem to work
16:40 < nicknik> oooor, it does :)
16:40 < nicknik> just had to wait a sec
16:41 <@krzee> yep that sounds good
16:44 < nicknik> still not able to reach smb shares on the machine I can now ping, I looked at something with adding firewall rules to "File and Printer Sharing (SMB-In"
16:44 < nicknik> but I have the firewall completely disabled, so it should work...?
16:44 <@krzee> add them by IP
16:44 <@krzee> not by netbios name
16:44 <@krzee> alternatively, if you want netbios resolution, look into running a WINS server and then use that
16:45 < nicknik> yea, I just do \\10.0.0.20 in file explorer, does not work
16:45 <@krzee> it's very easy in linux, no idea how in windows
16:45 < nicknik> hmm
16:45 < nicknik> this is a synology nas
16:45 <@krzee> smb:\\10.0.0.20 ?
16:46 < nicknik> nah, just \\10.0.0.20
16:46 <@krzee> but ya, once you can ping its not an openvpn or networking problem
16:46 <@krzee> now its an smb problem
16:46 < nicknik> ok thanks
16:46 <@krzee> np
16:47 <@krzee> you should be able to map a network drive by ip
16:47 <@krzee> or whatever
16:48 < nicknik> yea, allways just map it, or go to \\IP
16:48 < nicknik> but not working now :P hmm
16:49 <@krzee> can you ping it?
16:49 <@dazo> I haven't read all the scrollback regarding between nicknik and krzee .... but have you looked at the GettingStarted wiki page?
16:49 <@dazo> !howto
16:49 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
16:49 <@dazo> That's the #3 ^^^
16:49 <@krzee> dazo: his vpn is done
16:49 <@krzee> and he has routing to his lan finished too
16:49 <@dazo> ahh, okay .... I just read "but not working now :P hmm" :)
16:49 < nicknik> yea, thanks to krzee its all good :) thanks dazo
16:50 <@krzee> hes just trying to reach a machine which he can already ping on its samba share
16:50 <@dazo> no worries :)
16:50 <@krzee> nicknik: maybe a firewall rule on the .20 machine
16:50 < nicknik> awesome community for openvpn
16:51 <@krzee> nicknik: you may need to allow the vpn subnet (10.8.0.0/24) to get in on the firewall on .20
16:51 < nicknik> hmm yeah, its a synology NAS
16:52 <@krzee> ya i dunno synology specifically, but check its firewall if it has one
16:52 < nicknik> I'll see if I find any settings for it
16:54 < nicknik> the firewall there is not enabled, so probably something else then
16:54 <@krzee> you can ping .20 from the client, right?
16:56 < nicknik> yup
16:56 <@krzee> it's definitely a setting on the synology somewhere then
16:57 <@krzee> but, also definitely not openvpn related
16:57 <@krzee> the openvpn part of your setup is complete
16:57 <@krzee> now your synology is having problems with being reached by a new subnet, but thats a setting on the synology somewhere
16:58 <@dazo> what kind of SMB/CIFS client is it?
16:58 <@dazo> *server*
16:58 < nicknik> true
16:58 < nicknik> its a synology NAS, dj411j or something, just have normal windows shares
16:58 < nicknik> ds413j
16:58 <@dazo> ahh, okay ... so it's a samba server
16:59 < nicknik> yup
16:59 <@dazo> locate the smb.conf ... and read up on enabling logging on the samba server ... that may give you some ideas why things does not break
16:59 <@dazo> the smb.conf is fairly comprehensive, but it is usually well documented
16:59 <@dazo> (could even be some browsing restrictions in smb.conf)
16:59 < nicknik> aha
17:00 <@dazo> gee ... I write not can today *grmbl* ..... "... why things does break"
17:01 < nicknik> well, new client/project tomorrow, doing something I know alot better then this...data warehouse / data analysis / reporting :P thanks for all help today, will continiue tomorrow
17:22 < saik0> I think I've found a bug in 2.4.0, my route pushed from the magagement interface @ client-auth is not being respected by the client
17:22 < saik0> https://gist.github.com/saik0/40082a3ced3f026645b8d80ba6714663
17:22 <@vpnHelper> Title: 2.4.0->2.4.0 · GitHub (at gist.github.com)
17:23 <@dazo> !topsecret
17:23 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust., or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
17:23 <@dazo> also:
17:23 <@dazo> !logs
17:23 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
17:24 <@dazo> (and make sure it is complete logs from when openvpn is started until it stops)
17:26 < saik0> dazo: I'll spin up some virtual machines and try and replicate it outside our environment
17:26 <@dazo> you know ... those logs doesn't carry sensitive information at all ... but sure, spend your time how you find it best
17:28 < saik0> dazo: I understand, it's not my decision
17:28 <@dazo> from what I can grasp from your logs ... it looks exactly how I would expect it ... but the mangling makes it hard to see the nuances
17:29 < saik0> PUSH_REPLY is where I'm looking
17:30 <@dazo> that's where I'm looking too
17:30 < saik0> it does not have a route 0.0.0.0 0.0.0.0 w.x.y.z stanza
17:30 < saik0> going from 2.4.0 client to 2.4.0 server
17:31 < saik0> same client/server configs, different version, missing route stanza
17:31 <@dazo> in line 10 I see: ....ping-restart 120,route 0.0.0.0 0.0.0.0 <vpn-router>,.....
17:31 < saik0> see line 11 of the other run 2.4.0->2.4.0
17:31 <@dazo> and in line 25 I see: /usr/lib/openvpn/ip route add 0.0.0.0/0 via <vpn-router>
17:32 <@dazo> meh ... several logs on the same url
17:32 < saik0> There are two logs, 2.4.0>2.3.12 and 2.4.0->2.4.0 in ad-hoc client->server notation
17:33 <@dazo> okay ... so 2.4.0->2.3.12 .... is server->client?
17:33 < saik0> client->server
17:33 < saik0> same naming schema for both
17:33 <@dazo> okay ... btw ... any reason you don't just push "redirect-gateway" ?
17:33 <@dazo> even better "redirect gateway def1"
17:34 <@dazo> and you can control the VPN router using ... push "route-gateway <vpn router>"
17:34 < saik0> We do some unusal things with FIB tables
17:37 <@dazo> "unusual things" are seldom a recipe for success though ... I know the code have changed many times in the --redirect-gateway aspects, so it might be the previous behaviour actually was a bug ... but need to dig deeper into the changes to know for sure what happened and why
17:38 < saik0> (1) Create a static route for the --remote address which forwards to the pre-existing default gateway. This is done so that (3) will not create a routing loop.
17:38 < saik0> Thats probably why not
17:38 < saik0> The FIB table the client sets up should only have the vpn routes
17:42 <@dazo> the --redirect-gateway is ensuring the redirect happens correctly and you don't get into routing loops ... and the 'def1' option ensure that if openvpn dies unexpectedly, the box will regain connectivity again by itself
17:42 < saik0> dazo: yes. In this care theres no loops as the entries exist in desparate routing tables
17:43 < saik0> Not having a static route to an unreachable address was cleaner, but I understand why it makes sense in almost any other case
17:46 <@dazo> saik0: is your intention to redirect all the network traffic via the VPN ... or just some of it?
17:52 < saik0> dazo: it's not quite so simple, some hosts NATed behind the client should nto have a route to the VPN, others shoud route all traffic through the vpn
17:53 <@dazo> I see
17:55 <@dazo> I've skimmed through the changes in git log from v2.3.0..v2.4.0 ... and I don't see any commits actually setting of any alarms
17:56 <@dazo> do you have a possibility to run 'git bisect' on the client?  (which means doing a bunch of compile, run and check result cycles)
17:56 <@dazo> that will help us pin down the exact commit causing this behavioural change
17:58 <@dazo> https://git-scm.com/docs/git-bisect ... that provides a nice intro to that git feature
18:00 < saik0> dazo: I'll take  look, meanwhile do you know offhand the precence order of --push, --client-connect cmd, --client-config-dir dir?
18:00 <@dazo> in your case ... git checkout -b v2.4 v2.4.0; git bisect start; git bisect bad; git bisect good v2.3_beta1
18:00 < saik0> (i'd like to experiment without chaning our management server client)
18:02 <@dazo> (should be maximum 9 rounds of compiling)
18:03 < saik0> dazo: I'll pick this up again tomorrow almost time to head out of the office. thanks you for your time.
18:04 <@dazo> yw!
18:10 < saik0> dazo: wow TIL git bisect thats really powerful!
18:11 <@dazo> bisect alone is a reason why to use git over any other vcs :)
18:11 < saik0> yeah thats just lovely. I'm smitten.
18:11 <@dazo> (mercurial might have it too, though)
18:12 <@dazo> (hg)
18:34 < nahra> route: writing to routing socket: File exists
18:34 < nahra> add net 10.8.0.0: gateway 10.8.0.2: File exists
18:34 < nahra> :|
18:42 <@krzee> nahra: openvpn is already running
18:45 < nahra> krzee: true. I run two instances of openvpn.
18:46 <@krzee> cant use same subnet on both
18:46 < nahra> One on udp, the other one on tcp as fallback.
18:46 < nahra> krzee: Subnets are different:
18:46 < nahra> udp -> 10.8.0.0/24
18:46 < nahra> tcp -> 10.9.0.0/24
18:46 <@krzee> then i think the udp server was running already
18:47 < nahra> Both are running at the same time as I wrote you.
18:47 < nahra> I at the moment am migrating server.
18:47 <@krzee> [16:34] <nahra> route: writing to routing socket: File exists
18:48 <@krzee> [16:34] <nahra> add net 10.8.0.0: gateway 10.8.0.2: File exists
18:48 < nahra> What does not work on new one worked on old one :|
18:48 <@krzee> when you ran openvpn and got that error, openvpn was already running on the subnet you were trying to start it on
18:48 <@krzee> anyways, be back in a few, walking down the street to get some eggs
18:52 < nahra> krzee: http://sprunge.us/CUEi
18:53 < nahra> So two instances are running on different subnets...
18:54 <@dazo> nahra: ip route show
18:56 <@dazo> but with that said .... add net 10.8.0.0: gateway 10.8.0.2 ... that doesn't really make sense ... you can't route 10.8.0.0 via a gateway on the same subnet
18:58 <@dazo> 10.8.0.0/24 doesn't need a gateway if a local interface got an IP address within that range ... which your tun0 interface does have
18:58 < nahra> dazo: http://sprunge.us/JZIF
18:58 <@dazo> what kind of OS is this?
18:58 < nahra> BSD
18:59 <@dazo> aha
18:59 < nahra> aha what?
19:00 <@dazo> it explains the unfamiliar ifconfig/route commands and/or output format
19:01 <@dazo> I believe krzee is a BSD user ... so he might know more of the quirks and tweaks needed or what is being allowed
19:01 <@dazo> (I'm primarily a Linux user)
19:01 <@dazo> This line does surprise me though ....
19:01 <@dazo> 10.8.0/24          10.8.0.2           UG          -        -      -  tun0
19:04 < nahra> dazo: Why?
19:07 < nahra> dazo: Here is what I get on old machine (same OS but previous version) on which everything works well.
19:07 < nahra> http://sprunge.us/BGhP
19:09 <@dazo> the surprising thing is that it routes traffic from an IP address within the same subnet to the same subnet
19:09 <@dazo> !logs
19:09 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
19:09 <@dazo> !configs
19:09 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
19:11 < nahra> dazo: What shoud it looks like instead?
19:13 <@dazo> that's the thing ... this might be a BSD thing ... in Linux you'll only find:
19:13 <@dazo> 10.8.0.0/24 dev tun0   proto kernel   scope link   src 10.8.0.2
19:14 <@dazo> or the net-tools variant looks like this:
19:14 <@dazo> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
19:14 <@dazo> 10.8.0.0       0.0.0.0         255.255.255.0   U     600    0        0 tun0
19:15 <@dazo> (both basically means, 10.8.0.0/24 can be found on tun0 ... and the iproute2 even says "source IP is 10.8.0.2 when traffic hits tun0")
19:16 <@dazo> but as I already said ... I'm not BSD user .... so there might be some artefacts there I'm not aware of
19:19  * dazo need to head for the bed .... over 2am here
19:20 < nahra> dazo: French?
19:24 <@krzee> ok, so what is the problem?
19:24 <@krzee> just got back
19:25 < nahra> krzee: Still the same :|
19:25 <@krzee> is there an actual problem?>
19:25 < nahra> route: writing to routing socket: File exists
19:26 < nahra> add net 10.8.0.0: gateway 10.8.0.2: File exists
19:26 <@krzee> thats not a problem, those are warnings
19:26 <@krzee> can you ping 10.8.0.1 from the client?
19:26 < nahra> krzee: No.
19:27 <@krzee> !configs
19:27 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
19:27 <@krzee> and then kill all instances of openvpn on the server, and give me the output of starting the server that we're talking about
19:28 <@krzee> with verb 4
19:28 <@krzee> i dont need the 10.9 config, just the 10.8 server and client
19:28 <@krzee> but when i say kill all openvpn instances on the server, i do mean *all*
19:45 < nahra> krzee: server config -> http://sprunge.us/NSdV
19:45 < nahra> OS: BSD
19:45 < nahra> OpenVPN version: 2.3.11nb1
19:45 < nahra> client configuration -> http://sprunge.us/egCS
19:45 < nahra> OS: Linux
19:45 < nahra> OpenVPN version: 2.4.0-2
19:45 < nahra> Server start log -> http://sprunge.us/aKUH
19:45 < nahra> krzee: only one instance (udp) is started
19:45 < nahra> It already complains about existing file
20:01 < nahra> krzee: ?
20:27 < nahra> krzee: ???
20:57 <@krzee> nahra: when you have no openvpn instances running, show me ifconfig -a
20:59 < skyroveRR> o/ krzee
21:06 < ordex> morning !
21:14 <@krzee> sup skyroveRR
21:14 <@krzee> and ordex
21:14 <@krzee> hows it going
21:14 < ordex> good :)
21:15 <@krzee> same!
21:15 <@krzee> blunts and wine in hawaii
21:15 < ordex> eheh :D sounds cool
21:16 < ordex> you should invite us one day !
21:17 <@krzee> im just visiting
21:17 <@krzee> havent lived in usa for over a decade now
21:17 <@krzee> although i guess the caribbean is pretty nice to visit as well :D
21:20 < Robirt55> Hey guys anyone around?
21:21 <@krzee> !ask
21:21 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
21:21 < Robirt55> The listen port on an openvpn server config in linux can be set to that machines LAN IP right?
21:21 <@krzee> ports dont get set to ips, but yes
21:21 < Robirt55> list on* not listen port sorry
21:22 < Robirt55> okay. I have the server configured on a linux box at it seems like a firewall is blocking the ports.. when I run tcpdump as ordex suggested it doens't look like there server sees the openvpn connection attempts...
21:23 <@krzee> maybe port forwarding isnt correctly setup in your gateway
21:24 < Robirt55> I am attempting to connect with a PC on the same LAN
21:24 <@krzee> oh interesting
21:24 < ordex> krzee: I'd argue tha hawaii is usa as well :-P
21:24 <@krzee> so from the client, you can ping the server on the lan ip that openvpn is listening on, right?
21:24 < Robirt55> the ufw has the ports forwarded...
21:24 <@krzee> ordex: exactly! i dont live here :D
21:24 < ordex> aah :D
21:24 < ordex> okok
21:24 < Robirt55> hey ordex surprised to se you awake this late!
21:25 < ordex> actually I am about to prepare lunch !
21:25 < ordex> :D
21:25 < Robirt55> no that is just confusing...
21:25 < ordex> well, not really, but close
21:25 < ordex> yeah, don't think abot that :D
21:25 <@krzee> Robirt55: <krzee> so from the client, you can ping the server on the lan ip that openvpn is listening on, right?
21:26 < Robirt55> krzee: correct
21:26 <@krzee> ok, firewall, most likely on the server
21:27 < Robirt55> right
21:27 < Robirt55> I have no idea how to find what firewall it would be in linux
21:27 <@krzee> iptables-save -c
21:27 < Robirt55> I like the look of that
21:28 <@krzee> iptables -t INPUT -I -p 1194 -j ACCEPT
21:28 <@krzee> assuming openvpn runs on port 1194, that may fix it
21:29 <@krzee> (off the top of my head, untested)
21:29 < Robirt55> I see ufw everywhere so this is the uncomplicated firewall that I install but when I run ufw status I see that 1194 is forwarded.
21:29 < Robirt55> let me try that
21:29 <@krzee> i dont mess with ufw or other frontends for iptables
21:29 < ordex> Robirt55: "forwarded" ? on the server should just be "accepted as input"
21:29  * ordex neither
21:29 <@krzee> so i cant help with that
21:30 < ordex> krzee: where do you usually sleep if not in hawaii? :)
21:30 < Robirt55> sorry yes accepted not forwarded
21:30 <@krzee> maybe you need a ufw help channel, or you can just short circuit it with iptables directly
21:30 <@krzee> ordex: caribbean
21:30 < Robirt55> I am going to uninstall it
21:30 <@krzee> life is rough ;]
21:31 < ordex> krzee: it is ;)
21:31 < ordex> krzee: may I ask which of the many islands? I am curious because it's a place I Want to visit soon :D
21:31 < ordex> just too far .-.
21:32 <@krzee> you dont have OTR on your irc?
21:32 <@krzee> weird!
21:33 < Robirt55> what is otr?
21:33 <@krzee> 'off the record'
21:33 < ordex> I have it on jabber
21:33 < ordex> otr on irssi was a bit cumbersome
21:33 <@krzee> i havent been on jabber since bushmills disappeared... aim?
21:34 < ordex> I will try to install it here again - wait
21:34 < ordex> I wouldn't mind having it working
21:34 <@krzee> <my irc handle>1234
21:36 < ordex> mh: otr/otr is ABI version 0 but Irssi is version 7, cannot load
21:37 < ordex> waiteh
21:46 < Robirt55> I think I broke my iptables =/
21:46 < Robirt55> iptables v1.4.21: can't initialize iptables table `INPUT': Table does not exist (do you need to insmod?)
21:46 < Robirt55> Perhaps iptables or your kernel needs to be upgraded.
22:06 < ordex> Robirt555: INPUT is not a table, but it's a chain
22:06 < ordex> not sure what command you are executing
22:06 < ordex> but it sounds wrong :-P
22:07 < ordex> ah, the command from krzee was wrong :D
22:07 < ordex> put -I instead of -t
22:07 < ordex> like: iptables -I INPUT -p udp --dport 1194 -j ACCEPT
22:07 < ordex> this should work
22:09 < Robirt555> will try that in a bit thanks
22:37 <@ecrist> krzee: :/
22:38 <@ecrist> you're not wrong, though.
22:38 <@ecrist> re: chapter 2 comments
22:38 <@ecrist> iptables vs pf
22:44 <@ecrist> !1918
22:44 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#3) See !5737 for addresses to use for examples and documentation, or (#4) See !conflict for common conflicting address spaces.
22:47 < Robirt55> ordex, do you have the command handy to save the iptable as well
22:48 < ordex> Robirt55: iptables by itself does not support "saving". that is usuallt a service implemented by your distro - so it depends on what you are using
22:48 < ordex> *usually
22:48 < Robirt55> okay
22:49 < Robirt55> I need to find a debian IP table 101 guide or such
22:49 < Robirt55> !iptables
22:49 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this., or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG, or (#3) These are just the basics to get you
22:49 <@vpnHelper> started as firewall design is beyond this channel's scope; you can also see #netfilter
22:53 <@ecrist> http://www.karlrupp.net/en/computer/nat_tutorial
22:53 <@vpnHelper> Title: NAT with Linux and iptables - Tutorial (Introduction) (at www.karlrupp.net)
22:53 <@ecrist> that's pretty neat, IMHO
22:53 <@ecrist> and is linked to in my next book
22:53 < Robirt55> in your next book 0.0
22:53 <@ecrist> !books
22:53 <@ecrist> !book
22:54 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn
22:54 <@ecrist> hrm
22:55 <@ecrist> !learn book as a troubleshooting guide for OpenVPN by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
22:55 <@vpnHelper> Joo got it.
22:55 <@ecrist> !book 3
22:55 <@ecrist> !book
22:55 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) a troubleshooting guide for OpenVPN by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
22:55 <@ecrist> there you go
22:56 <@ecrist> I'm sitting here doing final edits now. :\
22:56 < Robirt55> Nice!
22:57 < Robirt55> The cost of books amazes me =P
23:11 < Robirt55> Good Night guys
23:20 <@ecrist> good night
23:21 <@ecrist> Robirt555: if you knew how much time I spent writing, and how litle I make, you might be more willing to pay the price.
--- Day changed Wed Feb 01 2017
02:56 < nahra> krzee: http://sprunge.us/gNNT
03:13 < nahra> I get following error:
03:13 < nahra> route: writing to routing socket: File exists
03:13 < nahra> add net 10.8.0.0: gateway 10.8.0.2: File exists
03:13 < ordex> mh ecrist, not sure what Robirt55 meant, but I don't think it is expensive at all (?)
03:13 < ordex> adding twice the same route ?
03:13 < nahra> Can someone help?
03:13 < nahra> server config -> http://sprunge.us/NSdV
03:13 < nahra> OS: BSD
03:13 < nahra> OpenVPN version: 2.3.11nb1
03:13 < nahra> client configuration -> http://sprunge.us/egCS
03:13 < nahra> OS: Linux
03:13 < nahra> OpenVPN version: 2.4.0-2
03:13 < nahra> Server start log -> http://sprunge.us/aKUH
03:13 < nahra> krzee: only one instance (udp) is started
03:14 < nahra> It already complains about existing file
03:14 < ordex> nahra: why pushing that route? I think it is implicit in the ifconfig option, no ?
03:14 < ordex> I'd skip it
03:14 < nahra> ordex: ?
03:14 < ordex> nahra: ?
03:14 < ordex> :D
03:14 < nahra> I run 2 instances
03:15 < ordex> probably that's why it says it already exists ?
03:15 < ordex> mh
03:15 < ordex> nahra: maybe I don't know enough about your problem
03:15 < ordex> I should ask that, before jumping in
03:15 < nahra> ordex: no. I get this this when migrating from one server to another. Everything is OK and works fine using same configuration on old server.
03:16 < ordex> < nahra> ordex: no. I get this this when migrating from one server to another. << what does this exactly mean ?
03:16 < ordex> you have that config on server A and now using it on server B?
03:16 < ordex> and you get an error on server B?
03:16 < nahra> ordex: Yes
03:16 < ordex> nahra: so the client is irrelevant to the problem, right ?
03:17 < ordex> and what is exactly the problem that you have on server B? that message you printed before ?
03:17 < ordex> < nahra> add net 10.8.0.0: gateway 10.8.0.2: File exists << this one ?
03:18 < nahra> ordex: no client ca connect to server but can not ping server.
03:18 < ordex> ah ok
03:18 < nahra> Yes problem on server B is message printed.
03:18 < nahra> Message:
03:18 < nahra> route: writing to routing socket: File exists
03:19 < nahra> add net 10.8.0.0: gateway 10.8.0.2: File exists
03:19 < ordex> yeah, that's probably because of what I said before, but should not be important for the ping problem
03:20 < ordex> nahra: can you paste the output of "ip route" after starting openvpn on the client ?
03:20 < ordex> (run the command on the client)
03:21 < nahra> ordex: one moment please
03:23 < nahra> ordex: http://sprunge.us/PFBC
03:24 < ordex> nahra: the vpn server is one the 78... or 88... ip, right ?
03:25 < ordex> nahra: so when you ping 10.8.0.1 you get nothing back ?
03:25 < nahra> 88
03:25 < ordex> k
03:25 < ordex> not important, but just checking
03:25 < nahra> Can not ping 10.8.0.1
03:26 < nahra> ordex: ping to IPv^ addresses works fine
03:26 < nahra> IPv6
03:26 < ordex> over tun0 ?
03:26 < nahra> google for example
03:27 < ordex> ah
03:27 < ordex> but if you ping 8.8.8.8, does it work ?
03:27 < nahra> ordex: No
03:27 < nahra> I meant no I can not ping 8.8.8.8
03:27 < ordex> nahra: maybe the firewall on the server needs to be modified ?
03:27 < nahra> Which way to check if ping operates on tun0?
03:28 < ordex> well, you can dump the traffic, but the routing table clearly shows where the packets are going
03:28 < nahra> ordex: Firewall is not the cause of the problem: I tried to disable it. It did not change anything :|
03:28 < ordex> you can use tcpdump on tun0 if you want
03:28 < ordex> mh ok
03:28 < nahra> ordex: I also already tried to disable it on client
03:28 < ordex> you could dump the traffic on the server side to see what is received at leas
03:28 < ordex> t
03:29 < nahra> ordex: I do not know tcpdump :|
03:30 < ordex> mh, that would be my easy way to debug the traffic
03:30 < ordex> maybe there is a simpler way
03:31 < ordex> nahra: could you just paste the output of "ip route" and "ip addr" on the server side? maybe we spot something wrong
03:31 < ordex> well
03:31 < ordex> "ip addr" on the client too please
03:33 < nahra> ordex: I run BSD system on server. Do you know corresponding command?
03:33 < ordex> oh
03:33 < ordex> no, no clue
03:33 < ordex> :D
03:35 < nahra> ip addr on client (linux) -> http://sprunge.us/HdIE
03:36 < ordex> seems ok
03:36 < nahra> ordex: route show on server -> http://sprunge.us/KQBe
03:36 < ordex> nahra: on bsd maybe you can do "ifconfig -a" and "route"
03:37 < nahra> ordex: ifconfig -a on server has already been pasted -> http://sprunge.us/gNNT
03:38 < ordex> oh, thanks
03:38 < ordex> dunno, can't see anything immediately wrong in the interface configuration
03:41 < nahra> :|
04:14 <@krzee> nahra: try destroying the tun devices before starting openvpn
04:15 <@krzee> shouldnt be needed, but lets see if it is
04:16  * krzee goes to sleep
04:17 < ordex> gnight !
04:17 < ordex> :)
04:30 < nahra> krzee: Did not change anything.
04:32  * nahra just saw same message on old openvpn server to which client can well connect and works fine.
06:08 < spnk> hi all
06:08 < spnk> anyone could help me?
06:12 < spnk> Does anyone know why 2 clients on the openvpn cannot ping the same server ?
06:13 < spnk> however they can connect via ssh to the same server
06:16 < nahra> spnk: Firewall or proxy between clients et server?
06:17 < b0unce> hello guys. Can you help me troubleshoot a problem, please?
06:18 < spnk> nahra
06:19 < spnk> firewall in both clients is disabled
06:20 < nahra> spnk: And what about on server?
06:20 < spnk> clients are windows and server is a debian with iptables
06:20 < spnk> I can show you the iptables rules
06:20 < spnk> but only one client can ping the server but not they both at the same time
06:21 < spnk> Can i paste a text here without being banned?
06:22 < nahra> LOL
06:22 < nahra> Your question is not clear...
06:22 < nahra> "Does anyone know why 2 clients on the openvpn cannot ping the same server ?"
06:22 < nahra> Then: "but only one client can ping the server but not they both at the same time"
06:23 < nahra> That's not at all the same thing...
06:23 < spnk> i mean 1 client can ping an ip but not they both at the same time
06:23 < spnk> here my iptables rules: http://pastebin.com/TdcaJckL
06:24 < nahra> LOL
06:26 < spnk> If one client ping a server and then stop the other one will not able to ping the same server in a while
06:26 < nahra> spnk: Where is OpenVPN?
06:27 < nahra> Your question is far away from OpenVPN...
06:27 < spnk> What do you mean by where?
06:27 < spnk> It's a Linux Debian Jessie
06:28 < nahra> And?
06:32 < spnk> leave it man
06:32 < spnk> thanks for your help
06:37 < T1w> that was.. wierd
06:44 < ordex> but fast
07:08 < Robirt555> ill take a look in a store but I think it would look great next to my linux bible
09:35 < Harry`> Hi all
09:36 < Harry`> I've set "max-clients 100" in my server config, but it still doesn't accept more than 10 clients
09:36 < Harry`> "MULTI: new incoming connection would exceed maximum number of clients (10)"
09:36 < Harry`> Any idea ?
09:40 <@plaisthos> double check that
09:40 <@plaisthos> start server with verb 4 and see what max-client reports
09:51 < nicko88> !welcome
09:51 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
09:51 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
09:51 < skyroveRR> Someone reads the topic. At least on #openvpn, if not elsewhere. :)
09:51 < nicko88> lol
09:53 < nicko88> I'm looking for some help troubleshooting an issue that just started recently
09:54 < nicko88> "Authenticate/Decrypt packet error: bad packet ID (may be a replay):"
09:55 < nicko88> ive searched google for a couple days but haven't really found a solution
09:55 < Harry`> plaisthos : Fixed. I have another max-clients setting in the config file. Thanks :)
09:56 < nicko88> seems like it means packets are being duplicated somewhere, and the result is my vpn throughput is being severely limited as a result
09:58 < nicko88> i got an upgrade to my internet plan and a new modem along with that, i wonder if that could be causing it
09:59 < nicko88> to be more clear, this is me connecting my home PC to a paid VPN service using OpenVPN to connect
10:01 < DArqueBishop> nicko88:
10:01 < DArqueBishop> !both
10:01 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
10:01 < nicko88> ah
10:01 < DArqueBishop> You should contact the tech support for your VPN provider.
10:01 < nicko88> ok, yeah was just checking to see if there was anything i could try on my end first
10:01 < nicko88> thanks
10:02 < DArqueBishop> The support here is geared more towards VPN server admins.
10:02 < nicko88> i figured, but with openvpn experts in general maybe people had seen the sort of behavior before heh
10:03 < nicko88> but yeah i realize packet replay is pretty generic
10:38 < adac> Can I somehow set on the server side on how fast a client should reconnect?
10:38 < adac> If yes, how?
11:02 < nahra> ordex, krzee: my problem is certainly due to version of kernel I run (HEAD)...
11:03 < nicknik> btw, the link on https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide to the download of the installer should be updated with the 2.4 version
11:03 <@vpnHelper> Title: Easy_Windows_Guide – OpenVPN Community (at community.openvpn.net)
11:06 <@krzee> nicknik: thanks, updated
11:07 <@krzee> nahra: very interesting, maybe you could make a ticket in our trac? sounds like you may have a bug
11:07 <@krzee> found a bug*
11:07 <@krzee> !trac
11:07 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker., or (#2) if you have a forum login, use that for trac, its the same database.
11:08 <@krzee> the more you can give (configs, logs, details, etc) the better, or you may get asked for more when devs look into it
11:11 < nahra> krzee: not sure bug is on OpenVPN side...
11:53 -!- NonSecwitter is now known as Extremist
11:56 -!- Extremist is now known as leet
11:56 -!- leet is now known as l337
11:56 -!- l337 is now known as _1337
11:57 -!- _1337 is now known as NonSecwitter
12:15 < SCHAAP137> 2.4.0 doesn't build with LibreSSL 2.5.1
12:16 < SCHAAP137> error: ‘SSL_CTX {aka struct ssl_ctx_st}’ has no member named ‘cert’
12:16 < SCHAAP137> the comment above the line where it fails says it all though, "Little hack to get private key ref from SSL_CTX, yay OpenSSL..."
12:17 < SCHAAP137> line 511 in src/openvpn/ssl_openssl.c
12:17 < jpwhiting> hey all, on OS X occasionally I get an error connect(AF_SYS_CONTROL)): Operation not permitted
12:17 < jpwhiting> when using utun, is that a known issue? something I need to do differently on my end?
12:44 < nicknik> there is something strange with my VPN today, yesterday I got it working fine. I can no longer, from the client, ping the IP of a machine that is on another subnet on the server's LAN. http://www.ircpimps.org/serverlan.png in this chart, I am at "can you ping another machine in the lan". I can ping my router: 10.0.0.138. But not 10.0.0.20. I have added a route on my router,(Destination IP: 10.8.0.0, gateway 10.0.0.113(server local LAN ip), and subnet: 255.25
12:45 < nicknik> I can ping 10.0.0.20 from my server. I can ping 10.0.0.113(server ip) from the client
12:53 < Karlfiabeschi> hi guys
12:54 < Karlfiabeschi> i register today in the forum but i made a mistake: i wrote the wrong mail like xxxx.gmai.com not xxx.gmail.com
12:54 < Karlfiabeschi> so i cant confirm
12:54 < Karlfiabeschi> and i cant modify it
12:54 < Karlfiabeschi> what i should do?
12:59 < nicknik> fastest is probably to reregister with your correct email (Im not part of openVPN, so I dont know)
13:07 < nicknik> my route table before and after connecting to vpn http://pastebin.com/9k7tfEkv
13:07 < nicknik> if anyone got any idea on what I should check
13:10 < DArqueBishop> nicknik: you say that the machine is on "another subnet", and then say its IP address is 10.0.0.20. Those statements contradict one another.
13:11 < Karlfiabeschi> ok
13:11 < Karlfiabeschi> but i want that nick and i just wrote a post
13:12 < Karlfiabeschi> there is a mail of forum admin so i can wrote to him?
13:12 < nicknik> ah ok, I'm not sure what the correct term is, 10.0.0.0 is my local net at least, and 10.8.0.0 is the LAN created by OpenVPN
13:14 < DArqueBishop> nicknik: can you ping the server's LAN router from the client?
13:14 < nicknik> yup
13:14 < nicknik> 10.0.0.138
13:15 < DArqueBishop> What happens when you run a traceroute from the client to the machine, or vice versa?
13:17 < nicknik> tracert 10.8.0.2 from server is just one hop directly
13:17 < nicknik> tracert 10.0.0.113 from client is 10.8.0.1 -> 10.0.0.113
13:18 < nicknik> uhhhm, think I got it working
13:19 < nicknik> I did tracert 10.0.0.20 from the client, and it actually got there trough 10.8.0.1
13:19 < nicknik> and now I can ping it
13:19 < nicknik> thanks ;)
13:19 < nicknik> uhmm...and now I can't ping it again
13:21 < DArqueBishop> Your OpenVPN server is running on Windows, right?
13:22 < nicknik> somewhat unstable, but doing tracert again works, and I was now able to log into the 10.0.0.20 web interface (its a synology NAS)
13:22 < nicknik> the server is Windows, correct
13:26 < DArqueBishop> nicknik: please keep the conversation to the channel, so that others may benefit from the answers.
13:28 < DArqueBishop> FYI - security through obscurity is overrated. :-p
13:28 < nicknik> :D
13:29 < DArqueBishop> To answer your question, AFAIK there are no known vulnerabilities in OpenVPN that would allow attackers to connect without having the appropriate signed certs/keys.
13:30 < nicknik> my work uses OpenVPN, and it is a password to connect as well, would it ad a little bit of extra security in case?
13:31 < nicknik> some errors there, sorry :)
13:35 < DArqueBishop> Yes.
14:27 < dvl> My per-client configuration has the server setting 'ifconfig-push 10.8.1.60 10.8.1.61;' But after connection, ifconfig shows inet 10.8.1.80 --> 10.8.1.81 netmask 0xffffffff ... I'm wondering what other setting might be doing that.
14:27 < dvl> Bugger. Let me try that again.
14:28 < dvl> My per-client configuration has the server setting 'ifconfig-push 10.8.1.60 10.8.1.61;' But after connection, ifconfig shows inet 10.8.1.6 --> 10.8.1.5 netmask 0xffffffff ... I'm wondering what other setting might be doing that.
14:56 < kitsune1> dvl: what ip is shown as pushed in the client log -- look fo rthe PUSH_REPLY line in logs.
15:34 < dvl> kitsune1: in the PUSH_REPLY, I see ifconfig 10.8.1.6 10.8.1.5
15:38 < dvl> kitsune1: So based on what is in the PUSH_REPLY, the client is acting appropriately, but if I look in the client-config-dir, the file dent.int.unixathome.org (this hostname) contains ifconfig-push 10.8.1.60 10.8.1.61
15:45 < saik0> dazo: re missing routes conversaiton from last night, the push lines were not quoted. Somewhere between 2.3 and 2.4 the parser became stricter, guessing this is intentional and I should not bother bisecting?
15:49 < saik0> Interestingly it rejects unquoted push directives in config files, but ignores them from the management interface, which I suppose I should report for breaking the principle of least astonishment
15:52 < dvl> kitsune1: I checked the cert: CN=dent.int.unixathome.org and that matches the file name in client-config-dir
16:24 < Eugene> dvl - did you restart the openvpn server process after adding/modifiying the ccd entry?
16:25 < dvl> Eugene: yes.
16:25 < Eugene> !logs
16:25 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
16:27 < dvl> Well, there you go, I got it.
16:29 < dvl> Eugene: Not sure what happened, but I now I have the right IP address.  16:55:07 got the wrong value, but at 16:57:48 I got the correct values...
16:29 < dvl> *sigh* Glad it's working, disappointed that we can't be sure *why*
16:30 < Eugene> `reload` or `restart`? It matters ;-)
16:31 < dvl> Eugene: It was a restart.
16:31 < Eugene> openvpn caches ccd entries for performance, and there's also ifconfig-pool-persist
16:31 < Eugene> If either of those are in play then consistency is not guaranteed between connections, unless you stop, clear, and start.
16:32 < dvl> There was a CN name issue (wrong name in config files) but I fixed that today.
16:33 < dvl> Eugene: ifconfig-pool-persist is not specifie, but persist-remote-ip is, FWIW
18:54 <@ecrist> hey there dvl, how goes?
19:23 < dvl> hello ecrist.  Not bad.  Just some funny stuff today with odd IP address handed out to my laptops.
19:23 < dvl> ecrist: I'm still using ssl-admin at home.  Just created a new CA recently for here.
19:41 < dvl> ecrist: Not OpenVPN/pfSense's fault.  Mine.  Limped along working until I tried to start imposing some restrictions.
19:55 <@ecrist> dvl: glad you find it useful. :)
19:55 < dvl> ecrist: still useful after all these years.
19:55 < dvl> I thought I was going to have to patch it, but no, it was just a config option to get SHA256
19:57 <@ecrist> I still use it in quite a few places, as well.
19:57 <@ecrist> I'm thinking about finding a way to incorporate it's use with something like FreeIPA, combine ssl-admin with easyrsa, and then support both a batch mode and a menu-driven mode.
19:58 <@ecrist> ambition I don't have time for currently, but will soon.
20:07 < dvl> I've wanted to upgrade http://www.racingsystem.com/ to use PostgreSQL... for years now.
20:07 <@vpnHelper> Title: The Racing System (at www.racingsystem.com)
21:19 <@ecrist> dvl: This page last updated: Thursday, 02 March 2000
21:19 <@ecrist> heh
21:19 < dvl> Indeed.  Look at that old HTML
21:20 <@ecrist> your geocities links don't work anymore, either. :P
22:42 < ordex> hello
--- Log closed Thu Feb 02 00:11:45 2017
--- Log opened Thu Feb 02 06:44:27 2017
06:44 -!- Irssi: #openvpn: Total of 267 nicks [8 ops, 0 halfops, 2 voices, 257 normal]
06:44 -!- mode/#openvpn [+o ecrist] by ChanServ
06:44 -!- Irssi: Join to #openvpn was synced in 1 secs
06:56 < slowkeki> Hi. Does anyone here have experience with getting around China's firewall?
06:57 < cyberanger> slowkeki: What's up?
06:58 <@ecrist> there are folks that do it, yes
06:58 <@ecrist> slowkeki: I do know they recently increased some security and are doing a better job of specifically blocking openvpn
06:58 < slowkeki> Alright, well, I managed to get around the fact that you get kicked whenever you use a VPN
06:58 < slowkeki> By using obfsproxy
06:59 < slowkeki> The problem that remains is that I still can't access the blocked sites
07:01 < slowkeki> Do I have to rewrite the Source IP in post routing?
07:01 < slowkeki> or is this done automatically
07:01 <@ecrist> It sounds like you might be leaking DNS 
07:01 <@ecrist> so, your DNS queries are going to servers inside China, rather than out via the VPN.
07:01 < cyberanger> That or not routing traffic over the VPN
07:02 <@ecrist> right
07:02 < cyberanger> slowkeki: Would you be willing to share your routing table and DNS settings?
07:05 < slowkeki> https://ghostbin.com/paste/qquy5pwg : openvpn
07:06 < slowkeki> I'm just pushing dhcp DNS to use Google's
07:07 < cyberanger> What is the operating system of your guest? Are you sure that DNS is changing?
07:07 < cyberanger> Also, you password protected your paste (Nice!)
07:08 < slowkeki> I'm using FBSD
07:09 <@ecrist> slowkeki: even if you push DNS via OpenVPN, you need an --up script on the client side to actually do something with that pushed data
07:09 < slowkeki> The guest would be Windows 10.
07:09 < slowkeki> And yes, that DNS is changing
07:09 <@ecrist> openvpn doesn't change anything on its own.
07:10 < slowkeki> Well, that DNS is working otherwise I wouldn't be able to visit other sites ye?
07:10 <@ecrist> no
07:10 < slowkeki> I see.
07:10 <@ecrist> things will still work for sites not blocked by china, but DNS is one of the block methods they use
07:11 < cyberanger> Yes and no, China has DNS servers that give false truths
07:12 < slowkeki> is the source IP of the packet that is send back to the client automatically changed to the servers' IP?
07:13 <@ecrist> not unless you set up NAT
07:13 < slowkeki> Well, I enabled NAT, and set its interface to the external interface of the server; using dynamic -m for flags
07:13 < slowkeki> is that enough?
07:15 < slowkeki> Like, should this do the trick: https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1 or is it missing smth?
07:15 <@vpnHelper> Title: How To Configure and Connect to a Private OpenVPN Server on FreeBSD 10.1 | DigitalOcean (at www.digitalocean.com)
07:20 < slowkeki> My setup in essence is quite alike, so, maybe that makes it easier to pinpoint
07:20 < slowkeki> Whether its DNS / routing
07:24 <@ecrist> slowkeki: I don't typically read howtos people follow
07:24 <@ecrist> I assume you're using pf for the NAT?
07:25 <@ecrist> oh, now, ipfw
07:25 <@ecrist> the ipfw/natd stuff sucks, imho
07:33 < slowkeki> ecrist: I could use pf instead I suppose but I'm not sure whether its a routing problem or a DNS one
07:34 < slowkeki> would a tcpdump help at all?
07:36 < slowkeki> I'd kind of prefer not going the SSH tunnel way, since it will have quite abit of clients
07:37 < cyberanger> On windows 10, with the VPN on, can you run a command. "nslookup google.com"
07:37 < cyberanger> & give me the output?
07:42 < slowkeki> Working on it
07:42 < slowkeki> Giving you one of China client and one of Western client
07:45 < slowkeki> cyberanger: https://ghostbin.com/paste/n37pjvqm : passwd=openvpn
07:47 < slowkeki> Errr, sorry
07:48 < slowkeki> cyberanger: Refresh page if you're still on it
07:50 < cyberanger> slowkeki: Both those IP addresses are Google's, can you access Google?
07:50 < slowkeki> On the Western client, yes.
07:50 < slowkeki> in China? No.
07:51 < cyberanger> I still would like to see the routing table from the Windows 10 client too, netstat -rn
07:51 < slowkeki> the Chinese one?
07:51 < cyberanger> Yes
07:54 < slowkeki> Refresh
07:56 < slowkeki> What's weird though is that it uses hiwifi.lan DNS for China
07:56 < slowkeki> even though in ipconfig /all the TAP adapter has 8.8.8.8 and 8.8.4.4
07:56 < slowkeki> as thats what my server pushes
07:57 < vectr0n> doesnt china block google dns now?
07:57 < cyberanger> That's what ecrist was saying, server pushes the setting, but still need to tell windows to use it.
07:58 < vectr0n> suppose that doesnt matter as it would be going over the tunnel.. lol
07:58 < slowkeki> But for my W10 in NL it does that fine
07:59 < slowkeki> and according to ipconfig /all, it is using it
07:59 < slowkeki> according to nslookup, no : (
07:59 < cyberanger> slowkeki: are using 192.168.3.0/24 for the VPN?
07:59 < slowkeki> no
08:00 < cyberanger> What are you using?
08:01 < slowkeki> 192.168.3.0 is DNS of my lan
08:02 < slowkeki> It's using 10.8.0.0~
08:02 < cyberanger> Well, that'll do it.
08:03 < cyberanger> Your routing table isn't sending anything over the VPN
08:04 < slowkeki> What about L48,49,50?
08:05 < cyberanger> Try adding "redirect-gateway def1 bypass-dhcp" to your client.
08:06 < cyberanger> Line 45 is sending anything that doesn't match a higher priority route to your router, instead of the VPN.
08:07 < slowkeki> That would be push "redirect-gateway..." ye?
08:08 < cyberanger> Well, if you change the server config instead of the client config, yeah, it'd be push "redirect-gateway def1 bypass-dhcp" instead.
08:08 < slowkeki> The server config already has that line
08:09 < slowkeki> but in client its just "redirect-gateway def1 bypass-dhcp" ?
08:09 < slowkeki> thats kind of weird
08:10 < cyberanger> Becuase if it's in the client, your not pushing it, your using it.
08:10 < slowkeki> I get that but I'd at least expect something like "use "redirect..."'
08:11 < slowkeki> or smth :p
08:14 <@ecrist> slowkeki: pf is is a bit easier
08:18 < cyberanger> Your metric for the openvpn default and your router's default are the same, it appears
08:20 < dougquaid> When I connect to my openvpn server, it sends the client "dhcp-option DNS xxx.xxx.xxx.xxx" (IP omitted). I don't see any errors, but the client doesn't take the DNS setting automatically. The problem is that the openvpn server redirects my default gateway, but then the client still tries to use its local ISP's DNS servers which refuse its requests. How can I get the client to accept the server's DNS?
08:22 <@plaisthos> !resolvconf
08:22 <@plaisthos> !dns
08:22 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
08:22 <@plaisthos> !resolv-conf
08:22 <@plaisthos> !push-dns
08:22 <@plaisthos> !pushdsn
08:22 <@plaisthos> !pushdns
08:22 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN
08:22 <@vpnHelper> for Android and OpenVPN Connect will happily accept push dhcp-option
08:22 <@plaisthos> that one!
08:23 < ordex> :D
08:23 < slowkeki> cyberanger: Sry some communicatoin problems
08:24 < cyberanger> slowkeki: all good
08:25 < DArqueBishop> !windns
08:25 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
08:26 < dougquaid> plaisthos: Thanks. The server has the appropriate push dhcp-option DNS a.b.c.d line, and I see "PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS a.b.c.d" in the client's log, but still the client tries to use the wrong DNS server unless I manually change the client's DNS setting to a.b.c.d
08:26 < dougquaid> I'm on Ubuntu if it matters
08:27 <@ecrist> Get your ass to mars!
08:27 < dougquaid> ecrist: I'm already there, communicating on my long distance wifi connection!
08:28 <@ecrist> It never happened.  It's all a dream.
08:29 < ordex> must be a dream, otherwise latency would somewhat bad I guess
08:30 < cyberanger> slowkeki: I'd be willint to try and help you after the work day here, I know it's late there too.
08:30 < slowkeki> well signals travel pretty fast through space
08:30 < cyberanger> But for now I've got to run
08:30 < slowkeki> Alright : D
08:30 < slowkeki> I'll see you later
08:30 <@ecrist> dougquaid: it would take 182s for one-way travel at earth/mars closest approach
08:31 < ordex> reminds me of blink 182
08:31 < cyberanger> So the speed of Tor on a bad day ;-)
08:34 < slowkeki> cyberanger: Still using 192.168.3.1 for some reason
08:38 < MichaelGG> hi there, how do I enable the various debug levels in openvpn
08:38 < MichaelGG> I want to have openvpn log the keys
08:45 <@ecrist> MichaelGG: the entire key for both sides?  I don't think it will
08:47 < MichaelGG> There's a ton of D_ options like D_SHOW_KEYS
08:49 <@ecrist> MichaelGG: see the source, errlevel.h.  This tells you what is enabled per log level.  https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/errlevel.h
08:49 <@vpnHelper> Title: openvpn/errlevel.h at master · OpenVPN/openvpn · GitHub (at github.com)
08:50 < MichaelGG> so for example, "LOGLEV(7, 70, M_DEBUG)" - does that mean --verb 7 will enable it? I thought M_DEBUG was a separate thing
08:52 <@ecrist> yes, that will enable it.
08:52 < MichaelGG> Cause I set verb 7 and dont see anything noticeable
08:52 <@ecrist> the second number determines which messages get muted
08:52 < MichaelGG> OK
08:52 < MichaelGG> I'll look again, thanks
08:52 <@ecrist> np
08:53 < slowkeki> And thanks ecrist and cyberanger, it was a DNS leak after all.
08:53 <@ecrist> for what it's worth, these details are covered in my new book, due to publish this month. ;)
08:53 <@ecrist> slowkeki: no problem.
08:53 < slowkeki> Found some bug submit and someone wrote little hack for it
08:53 < slowkeki> plugin thingy
08:53 < slowkeki> ;d
08:54 < MichaelGG> ecrist, which book?
08:55 <@ecrist> !book
08:55 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) a troubleshooting guide for OpenVPN by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
08:55 <@ecrist> #3
08:55 <@ecrist> #2 was co-authored with jjk
08:55 < ordex> ecrist: I am curious: how long have you been working on #3 ?
08:56 <@ecrist> I started it in March of 2016
08:56 < MichaelGG> wow thats a lot of work, thank you!
08:57 < ordex> oh ok
09:31 < slowkeki> ecrist: Any idea why tor moved to obfs4?
09:31 < slowkeki> obfs2 seems to work to hide VPN connection from China
09:47 < ordex> slowkeki: I think they implemented a better obfuscation mechanism (inspired by another tool)
09:49 < slowkeki> Right by eh
09:49 < slowkeki> Smth with suit
09:49 < slowkeki> Scramblesuit. There.
09:50 < slowkeki> But still why bother if obfs2 still works fine?
09:50 < ordex> dunno, maybe it depends where you are exiting in china ?
09:50 < ordex> slowkeki: do you actually live in china or you got a vps in china ?
09:50 < adac> getting the followoing warning on one of my clients:
09:51 < adac>  WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
09:51 < ordex> adac: I think the message is also telling you what to do :P
09:52 < adac> it is interesting that this happens only on one client ordex
09:53 < slowkeki> ordex: I'm in China quite a bit, but it's not exactly my home
09:53 < ordex> slowkeki: oh ok, because I'd be interested in doing some tests on vpn connectivity soonish
09:54 < MacGyver> slowkeki: In an arms race, you don't want to fall behind.
09:54 < MacGyver> slowkeki: I imagine that's why they bother.
09:54 < slowkeki> MacGyver: But isn't it at least useful to not show that you're ahead?
09:54 < ordex> slowkeki: do you happen to know if Shenzhen is behind the great firewall too ?
09:54 < slowkeki> So you have instapatch
09:54 < MacGyver> slowkeki: That goes both ways - China could be detecting and not blocking obfs2.
09:55 < ordex> adac: maybe this client is new enough to have the warning, while the other instances don't (?)
09:55 < MacGyver> slowkeki: For more personal visits, for instance.
09:55 < slowkeki> ordex: no lol
09:57 < ordex> slowkeki: you mean you don't know? or it is not behind?
09:57 < ordex> :d
09:57 < ordex> :D
09:57 < slowkeki> I don't know ;D
09:58 < slowkeki> MacGyver: I guess ye
09:58 < slowkeki> or maybe there is other countries that do block through obfs2
09:59 < slowkeki> ordex: Could ask for you if you really want to know lol
09:59 < ordex> eheh I can quickly ask myself I think :D just curious in case you knew the answer right away
10:00 < slowkeki> But I haz cute female translator around at all times
10:00 < slowkeki> Much easy
10:00 < ordex> lol
10:03 < adac>  ordex hmm I have to check. Could well be
10:19 < adac> ordex, indeed you are right. It is a newer client
10:20 < ordex> I'd follow his suggestion anyway :)
10:22 < adac> ordex, https://github.com/kylemanna/docker-openvpn/issues/163
10:22 <@vpnHelper> Title: Address SWEET32 cipher vulnerability · Issue #163 · kylemanna/docker-openvpn · GitHub (at github.com)
10:22 < ordex> yap
10:29 < adac> ordex, would that mean that my certificates can stay the same and an upgrade to 2.4 would solve it automagically?
10:29 < adac> or do I have to exchange all certificates
10:29 < ordex> adac: I think you can specify a different cipher even without upgrading openvpn
10:29 < ordex> and yes, certificates can stay the same - this is the cipher for the data channel
10:30 < adac> ordex, exactly he mentions that also that it is also possible with his docker image
10:30 < ordex> yeah, the warning was introduced later, but other algorithms are already supported in previous versions
11:44 <@ecrist> slowkeki: no idea.
12:49 < jdavis30> hello
12:49 < jdavis30> I've run into a weird issue where I cannot connect to IRCs while my VPN's on
12:49 < jdavis30> what could cause this?
12:50 < KaiForce> I have a tunnel between two subnets, both endpoints have decent (60/5) connections.  I have prioritized traffic between the subnets (shorewall simple traffic shaping) but that didn't seem to help my issue.  Whether or not I have any load on either endpoint, I see about twenty low-latency packets, then 2 or 3 high latency (between .9 and 3.0 seconds) packets, then it returns to normal.  It...
12:50 < KaiForce> ...almost looks to me like the ISP is jacking with the VPN traffic.  Coincidentally, I think the ISP has their own VOIP service.  Anything I can do on my OpenVPN link??
12:59 < KaiForce> jdavis30: if the VPN is set up to tunnel all traffic through it, and your IRC isn't accessible through that connection.  That's only one possible cause
13:05 < jdavis30> so by using TLS, I won't have IRC working, potentially
13:05 < jdavis30> what other protocols exist?
13:18 < KaiForce> the protocol doesn't really weigh into this.  The routing configuration would, assuming my guess is correct.  Who owns your VPN server?
13:27 < DArqueBishop> It could also be that, if you're not running your own VPN server, that your VPN provider is deliberately blocking IRC traffic.
13:27 < DArqueBishop> That said,
13:27 < DArqueBishop> !both
13:27 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
13:43 < jdavis30> the network I'm using is from vpnbook
13:44 < jdavis30> yeah, they state web surfing only on their cert bundles
13:44 < jdavis30> that's probably why
15:42 < tetero> !welcome
15:42 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
15:42 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
15:44 < tetero> !goal 'I want to know if there is an environmental variable passed when openvpn auto-restarts after a timeout'
15:45 < tetero> I'm guessing the bot isn't going to be able to answer this one. So does anyone here know?
15:49 < tetero> The only thing I can think of is SIGNAL passing sighup
15:49 < tetero> or ping-restart perhaps?
16:05 < Eugene> !windows
16:05 <@vpnHelper> "windows" is (#1) computers are like air conditioners, they work well until you open windows., or (#2) http://secure-computing.net/files/windows.jpg for funny, or (#3) http://secure-computing.net/files/windows_2.jpg for more funny
19:28 < staticsafe> hello, whoever updated the iOS OpenVPN app, thank you!
20:39 < dvl> After a pfSense reboot, OpenVPN clients *out* there won't connect into here.  OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
20:42 < dvl> Clients were working before the reboot
20:42 < dvl> ^ the server reboot.  Clients were not rebooted.
20:43 -!- Vampire0_ is now known as Vampire0
20:47 < dvl> WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
--- Day changed Fri Feb 03 2017
01:53 < ianthius> I am on ubuntu and followed the directions here: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04 to configure openvpn server, I am getting an error when trying to start openvpn server: ERROR: Cannot open TUN/TAP dev/net/tun: no such file or directory
01:53 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
01:53 < ianthius> I am indeed missing a /dev/net.... anything, there isn't any net in my dev.... any ideas?
02:04 < ianthius> I supposed a great majority of the users in this channel are just bots waiting to scrap the contents? How many real people do we have in here? :)
02:16 < adac> There is this ccd directory where I can set an ip address for a certain host/user. I was wondering if I can also set an ip range per user somehow?
02:16 < adac> So that an user can get more then one ip address
02:17 < adac> Like if he logs in with more then one device
02:56 < LumberCartel> Hello.  I'm trying to create a client certificate in OpenVPN, but NetBSD no longer includes the EasyRSA scripts for this.  How can I create client keys now?  Thanks.
03:39 < pdobrogost> Hi all!
03:39 < pdobrogost> Is there any way to track https://community.openvpn.net/openvpn/ticket/753 ?
03:39 <@vpnHelper> Title: #753 (OpenVPN should update systemd-resolved on systems running it) – OpenVPN Community (at community.openvpn.net)
06:25 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 240 seconds]
06:33 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
06:33 -!- mode/#openvpn [+o syzzer] by ChanServ
07:18 < AkkerKid>  Good {insert local time here} Everyone!
07:18 < AkkerKid> !welcome
07:18 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
07:18 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
07:22 < AkkerKid> !goal
07:22 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:24 < AkkerKid> OpenWRT vpn client on 3g. pfSense server on static IP. Network device's GUI on client-side's LAN needs to be accessible from server side via an unchanging IP.  Currently OpenWRT is throwing errors saying the cert pass is wrong, but it should be blank.
07:26 < AkkerKid> That's my goal.  I suppose I'm not just sending all that to a bot...   It's been a while since I've used IRC. ;)
07:36 < adac> There is this ccd directory where I can set an ip address for a certain host/user. I was wondering if I can also set an ip range per user somehow?
09:07 < rzyz> hello, what is the state of the dev of openvpn V3?
09:17 < rzyz> up
10:29 < CatKiller> Hi there! I have a quick question: I have a working OpenVPN server/client TAP (bridged) based setup (Ubuntu based). It works quite well. I tried using OS X with it and it also works, except for one annoying thing:
10:29 < CatKiller> OS X (using Tunnelblick) will run a DHCP request on the TAP interface for some reason (Ubuntu client doesnt) and this screws up my routing table etc
10:31 < CatKiller> The directive I use in the server.conf is server-bridge <ovpn server ip> <subnet> <start address> <end address>
10:31 < CatKiller> both start and end are outside of the DHCP range of course
11:12 < pdobrogost> Is there any way to track https://community.openvpn.net/openvpn/ticket/753 ?
11:12 <@vpnHelper> Title: #753 (OpenVPN should update systemd-resolved on systems running it) – OpenVPN Community (at community.openvpn.net)
11:24 < pdobrogost> Interesting, only CGML is both here and on #wireguard... I would have expected something else.
11:57 -!- rax-Y is now known as rax-
12:47 < sjohnson> !welcome
12:47 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
12:47 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
12:49 < sjohnson> my goal: 1) getting a ping command to work from 10.8.0.1 from 10.8.0.6, as which seems to be the default served by DHCP for me.
12:50 < sjohnson> 2) adding a route to get onto the server's 192.169.0.0/24 network (internet isn't required but might be an added bonus if it's implied)
12:50 < sjohnson> using Windows 7 (server) and 10 (laptop test), i have a connection working through port forwarded UDP, but i can't seem to do much else (hence the ping question).
12:51 < sjohnson> perhaps there's some sort of !nowwhat trigger?
13:37 <@ecrist> rzyz: they're working on it. ;)
13:37 <@ecrist> AkkerKid: what sort of problem are you having?
13:37 < rzyz> ecrist, hello, is there a dead line?
13:38 <@ecrist> CatKiller: you can disable the DHCP scripts in Tunnelblick
13:38 <@ecrist> rzyz: lol, o
13:38 <@ecrist> no*
13:39 < rzyz> ecrist, if i under well when i read the roadmap on it v3, on linux, openvpn will not need linux netdev...?
13:39 < rzyz> iterface*
14:11 < sjohnson> darn it OpenVPN... Y U NO WORK
14:14 < sjohnson> hmm, probably have to enable the "dev tun" technology in the config file.
14:18 < sjohnson> looks to be enabled by default... ;~;
15:33 < Eugene> 192.169? That's not RFC1918 space
15:44 < sjohnson> "help me Ja..."
15:46 < sjohnson> still getting "No network access" in Windows 10 on my laptop (i managed to figure out how to switch the TAP network to Private).
15:47 < sjohnson> despite the OpenVPN connecting being green and seemingly working.
15:49 < sjohnson> hmm, maybe i have to do it on the "mommy" (server) too.
16:18 < pdobrogost> Is there any way to track https://community.openvpn.net/openvpn/ticket/753 ?
16:18 <@vpnHelper> Title: #753 (OpenVPN should update systemd-resolved on systems running it) – OpenVPN Community (at community.openvpn.net)
18:03 < sjohnson> it is definitely a firewall issue, though moving the TAP network to Private in Windows 10 isn't enough to allow pings to go through.
18:04 < sjohnson> shutting off the firewall worked, but i'd rather not quite do that... but rather find out exactly what option is controlling TAP stuff on modern copies of Windows.
18:04 < sjohnson> the last version i see documentation for on OpenVPN's site applies to Windows XP SP2 which is heavily dated.
18:43 < Eugene> sjohnson - we generally consider firewall specifics to be outside-of-scope for this channel ;-). There is too much variation between OSes and even individual firewall packages for anything more than "yup, its your firewall"
18:44 < Eugene> I have enough trouble with powershell at $DAYJOB
21:09 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 276 seconds]
21:14 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
21:14 -!- mode/#openvpn [+o syzzer] by ChanServ
22:45 < VsyachePuz> !welcome
22:45 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
22:45 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
22:46 < VsyachePuz> !goal
22:46 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:47 < VsyachePuz> !paste
22:47 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2)
22:47 <@vpnHelper> paste.ee is also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
22:47 < VsyachePuz> !howto
22:47 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
22:56 < VsyachePuz> !goal hide ip address to browse forum
--- Day changed Sat Feb 04 2017
08:46 < lord4163> Hi
08:47 < lord4163> I have OpenVPN running on Ubuntu 16.04 and it works, but I get this message from systemd that: openvpn@Bilberry-Traffic.service: PID file /run/openvpn/Bilberry-Traffic.pid not readable (yet?) after start: No such file or directory
09:09 < BtbN> why does systemd need a pid file?
09:16 < lord4163> BtbN: I don't know
09:17 < lord4163> BtbN: It runs though and the pid file exists
09:17 < BtbN> systemd normally doesn't use pid files at all. Someone wrote a weird service file.
09:17 < lord4163> BtbN: how do I edit it?
11:00 < urinal-cake> So, I have a sort of strange question for anyone that might have experience with openvz+openvpn
11:00 < urinal-cake> i'm resurrecting some infrastructure that hasn't been touched/maintained in 6+ years
11:01 < urinal-cake> i can't find where openvpn server is installed across the various vms
11:01 < urinal-cake> any way to request info as a client of the vpn?
11:39 < sjohnson> Eugene: thanks for the reply!  i was worried i was just going to keep banging my head against the wall without any tips.
11:39 < sjohnson> with that in mind, i'll take another crack at it on Monday, via some sort of by-hand "binary search" of the firewall options until i get somewhere.
11:40 < sjohnson> life's too short to try to get Microsoft Windows working the way you want.
11:40 < ordex> :D
11:41 < ordex> sjohnson: I agre on your last statement ;) just swith to something else :)
11:41 < ordex> *switch
11:41 < ordex> eeh.. *agree
11:41 < ordex> (late night here)
11:43 < sjohnson> :)
11:43 < Robirt55> Hey guys
11:43 < sjohnson> ordex: i would, unfortunately it's 50% applicable to work, which still has a lot of Windows users... *cry*
11:43 < ordex> :(
11:44 < Robirt55> http://nopaste.linux-dev.org/?1120777
11:44 < Robirt55> Does this look right?
11:48 < Robirt55> I am still having a problem were the Debian server isn't getting the port connection attempts from other PCs on the LAN
11:50 < ordex> Robirt55: is this the OUTPUT chain ? you should make sure it is accepted on the INPUT chain
11:51 < Robirt55> ah yes. this in the input chain let me paste the whole output
11:51 < Robirt55> http://nopaste.linux-dev.org/?1120778
11:52 < ordex> well, that rule is useless actually, because your default policy is ACCEPT
11:52 < ordex> so you would accept everything unless a rule denies that
11:52 < ordex> Robirt55: have you checked with tcpdump if you are actually receiving the packet on the server ?
11:53 < Robirt55> yes let me check this again. need to help with laundry =(
11:53 < Robirt55> first
11:55 < ordex> :)
12:14 < Robirt55> any recommendation on how i can filter the tcpdump?
12:18 < ordex> Robirt55: by protocol and port? :)
12:20 < Robirt55> I have it filtered by port 1194 and it doesn't seem to see any attempted connections
12:21 < Robirt55> wait. Telnet XXX.XXX.XXX.XXX 1194 on the LAN did connect
12:22 < Gaffel> You've opened up 1194 but all your ports are open since the default policy is ACCEPT. So make sure that you "fix" that later once you've got it working.
12:23 < Robirt55> ?! really
12:23 < Gaffel> Yes
12:23 < Gaffel> Everything is open
12:23 < Robirt55> so that is the line 2 of the paste?
12:23 < Robirt55> Chain INPUT (policy ACCEPT)
12:24 < Gaffel> Yes
12:24 < Robirt55> learning =)
12:24 < Gaffel> That is what it does to all packages when it reaches the bottom of the list
12:25 < Gaffel> The first rule in INPUT should be this: iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
12:25 < Gaffel> Then after that, you add the ports that you want to be open.
12:25 < Gaffel> Then you can either append a -j REJECT at the end or change the policy to DROP.
12:25 < Gaffel> Make sure that you open up for SSH or other things you might need.
12:26 < Robirt55> will do. I guess I really need to properly read up on iptables
12:26 < Gaffel> Yes :]
12:26 < Gaffel> To reject all packages at the end: iptables -A INPUT -j REJECT
12:27 < Gaffel> Useful is the machine is facing a trusted network such as your LAN.
12:27 < Gaffel> If it's directly facing the internet then you can just change the policy of the chain from ACCEPT to DROP
12:28 < Gaffel> The iptables gurus hang out in #netfilter
12:29 < Gaffel> NetFilter is the component of the Linux kernel that does the filtering, iptables is a user space tool.
12:31 < Robirt55> I will need to bother them in the future.
12:31 < Gaffel> hehe :]
12:32 < Gaffel> Just make sure to read up on it before you ask. :]
12:32 < Robirt55> I think i just found my mistake -.-
12:32 < Gaffel> oh? Share :)
12:35 < Robirt55> So I made my original client.ovpn file to work from a remote location and I had the firewall accept the connections on port 1195 and push that to the LAN server on port 1194. So went I took the config and placed it on a LAN PC I change the server address but overlooked changing the port back to 1194... So the LAN pc just connected once I noticed this
12:36 < Robirt55> http://giphy.com/gifs/yFQ0ywscgobJK/html5
12:54 < ordex> :D
12:54 < ordex> good that you found the problem
12:54 < ordex> this is something to check as first thing :P
12:57 < Robirt55> Are there any channel that focus on routers, and routing?
13:05 < ordex> not sure about that
13:05 < ordex> too broad
13:05 < ordex> maybe in #linux you can find somebody helping on tha
13:05 < ordex> t
13:19 < Robirt55> I might just ask the reddit-sysadmin guys and see what they say
13:25 < Robirt55> And I just realized I already had rules using port 1195 n my firewall.... which is why the new rules didn't work...
13:25 < Robirt55> that is while trying to connect externally
13:37 < kitsune1> Hi guys, is it possible to export username and password to an upscript on the client-side?
13:37 < Robirt55> upscript? A script that starts on startup?
13:37 < kitsune1> yes
15:08 < Robirt55> Hey what setting in the config file needs to be change so all traffic is not routed over the VPN?
15:12 < Robirt55> I have just also commented out the DNS lines and everything seems to be working now
15:12 < Robirt55> =)
15:17 < Gaffel> Robirt55, it's the default route thingy. The config documentation will tell you which setting deals with that.
15:17 < Gaffel> What you want is NOT push the settings that makes the VPN network the default route.
15:18 < Robirt55> Yea I had only changed the setting for pushing the redirect. Then DNS failed so after disabling the DNS push everything started to work =)
15:19 < Gaffel> =)
15:19 < Robirt55> would you recommend any scripts that generate users and put there files in a folder per users?
15:19 < Gaffel> Nope, I haven't dealt with that.
15:19 < Robirt55> okay
15:21 < Gaffel> OpenVPN doesn't really offer a scalable way of dealing with users. The best way would tie OpenVPN do LDAP but that doesn't come out of the box, I think.
15:22 < Robirt55> I will worry about this later then.
15:22 < Robirt55> for now I will just make a few users
15:25 < Gaffel> =)
16:25 < kitsune1> Gaffel: ldap is easily handled using the auth-pam plugin. Then use pam_ldap in the pam config.
16:28 < Gaffel> Neat :]
16:28 < Gaffel> When using TLS too and matching the certs to the certs in LDAP?
16:31 < kitsune1> Never tried that --- could be handled in the tls-verify script?
16:35 < Gaffel> kitsune1, that's the thing I talked about. I've heard that it's problematic if the script is slow.
16:50 < kitsune1> Gaffe1: Deferred auth may solve the "slowness" issue -- but the pam plugin doesn't support it, I think.
17:15 -!- Chocolate is now known as Guest70764
17:40 < nahra> Hello. Doesn OpenVPN support proxy-protocol?
--- Log closed Sat Feb 04 17:48:08 2017
--- Log opened Mon Feb 06 08:23:15 2017
08:23 -!- Irssi: #openvpn: Total of 270 nicks [9 ops, 0 halfops, 2 voices, 259 normal]
08:23 -!- mode/#openvpn [+o ecrist] by ChanServ
08:23 -!- Irssi: Join to #openvpn was synced in 1 secs
09:03 -!- Vampire0_ is now known as Vampire0
10:16 < fling> How to fix this? -> TLS Error: local/remote TLS keys are out of sync:
10:16 < fling> I don't own the server.
10:16 < fling> Is it something wrong with my client?
10:44 < DArqueBishop> fling: you need to speak with the admin of your server.
10:44 < fling> DArqueBishop: why?
10:44 < DArqueBishop> !both
10:44 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
10:45 < fling> But what could be wrong anyway?
10:46 < DArqueBishop> The only thing that comes to mind that you could fix yourself might be to make sure the time on your client is set correctly.
10:46 < fling> Thanks.
10:47 < DArqueBishop> Otherwise, you need to check with the server admin, to make sure the keys are correct, that his server has the correct time, or any number of other possibilities.
10:48 < fling> DArqueBishop: also looks like everything works just fine despite the error
13:01 -!- Vampire0_ is now known as Vampire0
13:12 -!- tomeaton17_ is now known as tomeaton17
14:39 < stairmast0r> hey guys, having some trouble with openvpn. VPN services seem to be blocked by a DPI system where i'm connecting from, so i've been trying to tunnel traffic over ssh
14:39 < stairmast0r> now i'm getting the error "SIGUSR1[soft,connection-reset] received, process restarting" as soon as it seems to make the connection
14:45 < sjohnson> Eugene: i finally got things to work in Windows... that was a doozy!  i might post some blog post about how i got it to work, in case anyone gets frustrated.
14:45 < sjohnson> and manages to find some hope / light at the end of the tunnel.
15:02 -!- jamesaxl_ is now known as jamesaxl
15:46 < collide> hai
15:47 < Gaffel> Oh, hai!
15:51 < collide> I wonder can anyone here direct me to some reading to understand the following problem, I have openvpn running on a vps, my home router connects to itand my lan was accessable, when im away i can access all the resources, for some reason last night i lost all access to everything on that lan, I am on a different adress to my home lan so i dont think that is the problem, is there some reason everyhting
15:51 < collide> would stop responding to ping and ssh. I can ping my router one the openvpn ip and the home ip as well as access the gui on my browser but everything behind it has stopped
15:58 < collide> im pretty green and apologise if this question doesnt belong here
16:10 < AdagioT> hey, I was wondering if anyone has had experience with creating multiple VPN clients to test how many connections the server can take? The tool listed on the Performance Testing page is for AmazonEC2, and that only allows 20 or so instances per region
16:20 < Candid> i have a problem connecting from an openvpn client 2.4.0 to a server 2.3.10 using tap. i think the problem came with the client upgrade to 2.4. i get loads of errors like this: "Key [AF_INET]5.189.173.222:31952 [0] not initialized (yet), dropping packet.". i cannot find anything about this error message online, does someone have an idea?
17:34 -!- dakar- is now known as dakar
17:34 -!- aegis- is now known as aegis
17:34 -!- funnel_ is now known as funnel
17:35 -!- arlen_ is now known as arlen
17:35 -!- DrMac[WTF] is now known as DrMacinyasha
17:35 -!- vectr0n|cloud_ is now known as vectr0n|cloud
17:36 -!- DanQuinney_ is now known as DanQuinney
18:07 -!- Vampire0_ is now known as Vampire0
18:09 -!- scotthernandez is now known as skot
18:17 < law> anyone able to help me figure out why in the sam-hell Openvpn (2.4.0, on Ubuntu 16.04)  has decided, with no recent changes to an otherwise-working system, to ONLY generate user certificate bundles with a blank user certificiate?
18:17 < law> this is open-source, installed from the  http://build.openvpn.net/debian/openvpn/stable repo
18:17 <@vpnHelper> Title: Index of /debian/openvpn/stable/ (at build.openvpn.net)
19:12 <@ecrist> law: ?
19:12 <@ecrist> what do you mean openvpn generates user certificates?  it doesn't do any of that.
19:12 < sjohnson> is there any good book on OpenVPN that might give a general overview of how everything works?
19:12 < sjohnson> it turns out i know damn near nothing about it.
19:12 <@ecrist> indeed, there is
19:12 <@ecrist> !book
19:13 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) a troubleshooting guide for OpenVPN by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
19:13 <@ecrist> #2 is probably the best "overview" book
19:13 <@ecrist> #1 is a good cookbook
19:13 <@ecrist> #3 hasn't actually published yet - working on final edits as we speak.
19:13 < sjohnson> ecrist: thanks.  to give you an idea of my level... i found out the hardway through friends and IRC that i need to set up a NAT if i want to "share the tunnel internet".
19:13 < sjohnson> i sort of assumed it would just work out of the box.
19:14 < sjohnson> i might check out #2 if it makes points like that painfully obvious.
19:14 < sjohnson> for dunces like me.
19:16 < sjohnson> oh my, the 3rd book looks to be authored by you :)
19:17 < sjohnson> needless to say it's been a bit of an uphill battle for me, but maybe a book like this will help save a lot of time.
19:17 < sjohnson> instead of me trying to brute-force my way through understanding concepts that i don't already.
19:19 <@ecrist> sjohnson: both are authored by me. :)  #2 was co-authored with jjk
19:20 < sjohnson> oh, sweet.
19:20 < sjohnson> so number #2 might cover NAT stuff in a practical manner?
19:20 < sjohnson> the basic goal i had was to simply connect to a LAN at work from home.
19:21 <@ecrist> #2 does cover NAT in a practical manner
19:21 < sjohnson> i would have figured that this would be the most obvious example implementation for VPN software but i think i might have been mistaken.
19:21 < sjohnson> sweet... :3
19:21 < sjohnson> i think i might be doing some book shopping then.
19:21 < sjohnson> basically if it covers all i need to know to get a working OpenVPN setup in Windows at work, that's good enough for me.
19:21 <@ecrist> :)
19:21 < sjohnson> i'm guessing it will.
19:22 <@ecrist> yes, there is good material and examples for both Windows and Linux
19:23 < sjohnson> :)  thanks, you've been very helpful!
19:36 <@ecrist> no problem - if you buy the books, please feel free to send me feedback
19:52 < sjohnson> ecrist: know of a cheap site?  amazon's paperback seems pretty pricey
19:53 < sjohnson> but maybe that's the going rate for "textbook-like" items.
19:53 < sjohnson> i'd be willing to do that (give feedback).
19:55 <@ecrist> sjohnson: the amazon price is the going price.  It only took Jan and I a year to write. :P
19:56 < sjohnson> k, sounds good.
19:56 <@ecrist> you can do a subscription to packt publishing, and read more than one book, but it's a monthly thing
20:54 -!- Vampire0_ is now known as Vampire0
--- Day changed Tue Feb 07 2017
04:57 -!- Kelticfox_r_q_n is now known as Kelticfox
10:09 -!- |Mike| [mike@phrack.nl] has joined #openvpn
10:10 < |Mike|> Hi y'all. Im having a OpenVPN server in a LAN on 192.168.2.15 and my clients would like to contact the printer within the "office lan"
10:10 < |Mike|> !routedlan
10:10 < |Mike|> !routedlans
10:11 < |Mike|> The 192.168.2.15 is a Qnap TS 253A and it's beeing a pita since it puts default configs back whenever the service gets restarted or when the machine needs a reboot.
10:12 < |Mike|> push route "192.168.2.15 255.255.255.0" doesn't solve my issue for my clients for some reason. Could someone shed some light on it?
10:12 < |Mike|> Tnx.
10:12 < sjohnson> is that thing just a router?
10:12 < |Mike|> it's a NAS
10:12 < sjohnson> hmm.  i wonder if it's as simple as maybe having to update some config file with some web UI to make the changes stick upon reboot.
10:13 < |Mike|> Unfortunatly QNAP support doesn't support other configs then the ones you can do through the web ui
10:14 < |Mike|> They refer to https://wiki.qnap.com/wiki/Running_Your_Own_Application_at_Startup which is like a hack. I rather fix the config and make sure the NAS doesn't need to reboot anymore, neither with power outages.
10:14 <@vpnHelper> Title: Running Your Own Application at Startup - QNAPedia (at wiki.qnap.com)
10:16 < |Mike|> !serverlan
10:16 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
10:16 < |Mike|> !ipforward
10:17 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
10:17 < |Mike|> !linipforward
10:17 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
10:17 < |Mike|> forwarding is on, routes are set but doesn't show a thing. Hmm.
10:18 < ordex> |Mike|: do you know if the printer protocol is based on link-local discovery?
10:18 < ordex> or can you tell the clients what is the ip of the printer ?
10:19 < ordex> in the former case, my guess is that you may need a TAP device in order to have the link-local protocol travel across the VPN
10:19 < ordex> in the latter it should work with TUN too[ym]
10:19 < ordex> [tm]
10:19 < ordex> but I might be wrong
10:21 < |Mike|> ordex: I can tell the client the IP of the printer
10:23 < ordex> ok..then I guess it should work even across different networks
10:23 < ordex> can you print the printer ?
10:23 < ordex> if not, then I guess you have to setup the routing between the networks first
10:23 < ordex> and !serverlan should be the right direction in that case
10:24 < |Mike|> I've to set up the serverlan but for some reason it's not going as it should.
10:24 < |Mike|> At least if; push route "192.168.2.15 255.255.255.0" is correctly for what I'd like to achieve.
10:29 < |Mike|> Now I'm confused. By using the web ui putting a v/ in "redirect gateway" fixed the problem. But that's not what I want ;)
10:34 < |Mike|> http://pastebin.com/39dENyT0
10:49 -!- Vampire0_ is now known as Vampire0
11:14 < peti> Hi, I have a question. My OpenVPN client executes "ip -6 addr add ... dev tun" to configure an IPv6 address for the generated tun device when the VPN comes up. That command fails on my machine, however, because I have IPv6 disabled in the Linux kernel. Is there a config option to prevent OpenVPN from doing that?
11:16 <@plaisthos> !ipv6
11:16 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6, or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ, or (#3) http://xkcd.com/865/
11:16 <@plaisthos> !noipv6
11:18 <@plaisthos> !learn noipv6client as You can add pull-filter ignore "ifconfig-ipv6" and pull-filter ignore "route-ipv6" in your client to ignore IPv6 pushed by the server (OpenVPN 2.4 and later)
11:18 <@vpnHelper> Joo got it.
11:18 <@plaisthos> peti: that is for you
11:18 <@plaisthos> !database
11:18 <@plaisthos> !dump
11:18 <@plaisthos> !factoids
11:18 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
11:24 < peti> plaisthos: That worked like a charm. Thank you very much! I had discovered the route-ipv6 option before, but I hadn't found ifconfig-ipv6 yet. Again, thanks a lot for your help.
13:15 < sjohnson> ecrist: ping
13:25 <@ecrist> pong
13:29 < sjohnson> ecrist: hi.  odd question for you:  how long do you think it would take if you had a Windows 7 server (desktop PC) and a Windows 10 laptop (client) infront of you... to get the laptop to connect to it (with NAT so you can use the servers internet) ?
13:29 < sjohnson> and also, using your phone as the laptop's "ISP" to make sure the network is isolated.
13:30 < sjohnson> 5 minutes?  30 mins?
13:30 < sjohnson> i'm at about 32 hours and have gotten nowhere.
13:30 < sjohnson> (basically i'm trying to gauge how long this would take an expert, if you don't mind sharing your thoughts)
13:31 <@ecrist> sjohnson: it would take me a while, but not 32 hours
13:31 < sjohnson> hmm, okay, that's fair.
13:31 <@ecrist> The hard part would be getting NAT to work on Windows and playing with the windows firewall
13:31 < sjohnson> i'm still thinking the answers are in your book.
13:31 <@ecrist> I only say that because I'm not a windows guy by trade.
13:32 < sjohnson> i tried the "share this internet connection" and am getting nowhere.
13:32 < sjohnson> ah.
13:32 < sjohnson> i've been told that this is probably *far* easier to actually get working in Linux.
13:32 <@ecrist> ICS isn't what you should be using, I don't think.
13:32 < sjohnson> since you actually can control technical things like the NAT network, which cannot be done in Windows (to my knowledge).
13:32 <@ecrist> right, Linux/BSD are the way to go
13:32 <@ecrist> I wouldn't even suggest it on a Mac, to be honest.
13:33 < sjohnson> ah, that makes me feel a bit better.
13:33 < sjohnson> :)
13:35 <@ecrist> so, if you change your scenario and put a FreeBSD box as the server, I can have an OpenVPN with default gateway setup in about 15 minutes
13:35 <@ecrist> maybe less
13:35 < sjohnson> do you know if any of your volumes cover "what to do" when your TAP interface in Windows is listed as an "Unidentified network"?  the only cludgey-looking solution i see to get around that is manually adding a Gateway IP for what the DHCP ip is... but some of me wonders if this is just a complete band-aid that was never intended to be used.
13:37 < sjohnson> (sort of worried about forking out $100 to get to where i am now)
13:37 <@ecrist> I don't recall.
13:37 < sjohnson> in case small annoying Windows-y behaviour like that isn't mentioned or covered.
13:37 <@ecrist> if one did, it would be Mastering OpenVPN
13:38 < sjohnson> k, no worries.
13:38 < sjohnson> yeah, that's the one i had my eye on.,
13:38 < sjohnson> "#2 from the list"  iirc
13:39 <@ecrist> yup
13:39 <@ecrist> #3 is still pre-order.  I have all my final edits in, except for chapter 8
13:39  * ecrist eyes krzee
13:42 < sjohnson> k, i'll buy the book.  if it's not covered, can i give that as a suggestion for maybe a free "addendum" / piece of advice?
13:43 <@ecrist> everything in IRC is free. :)
13:43 < sjohnson> alright, sounds good.  thanks for your time!
13:46 < sjohnson> (was it the other co-author who tackled the Windowsy stuff maybe?)
13:46 < sjohnson> in "Mastering OpenVPN" ?
13:46 -!- Captain_Beezay is now known as AfternoonNap
13:46 <@ecrist> I think I tackled most of the windows stuff.  I just don't recall what I covered.
13:47 < sjohnson> so long as you got a working VPN in Windows, that's good enough for me.
13:47 < sjohnson> e.g., as Windows being the server instead of FreeBSD / Linux.
13:48 <@ecrist> not sure if I did that.
13:48 <@ecrist> s/I/we/
13:48 < sjohnson> oh.
13:48 <@ecrist> if not, it would be good to cover in a second revision
13:49 < sjohnson> yeah.  the farthest i've gotten is being able to ping 10.8.0.1, which is *some* success, but i believe i had to sacrifice my Firewall's integrity to make it work.
13:49 < sjohnson> so i likely did it "the wrong" way.
13:49 <@ecrist> firewall configuration on windows *is* covered in the book
13:49 <@ecrist> I know that for certain.
13:49 < sjohnson> unfortunately all the documentation seems to apply to Windows XP SP2 and a bunch of other guides that my friend has said are "incorrect".
13:49 <@ecrist> we covered windows 7
13:50 <@ecrist> windows 10 wasn't out yet and Windows 8, yuk
13:50 < sjohnson> yeah.  my thoughts too.
13:50 <@ecrist> I like Windows 10 so far.
13:50 < sjohnson> if the TAP ethernet "NIC" is covered, that might be enough.
13:52 <@ecrist> it's discussed, sure.  
14:29 < devicenull> do I have to do something weird to get ipv6 traffic routed via a tunnel?  I'm having a weird issue where tcpdump sees ipv6 traffic going in on one end, but it doesn't come out on the other
14:29 < devicenull> I found tun-ipv6, but this appears to be obsolete
15:06 < devicenull> ohh, just found https://forums.openvpn.net/viewtopic.php?t=21692#p61455
15:06 <@vpnHelper> Title: [Solved] Route extra IPv6 ranges across tunnel - OpenVPN Support Forum (at forums.openvpn.net)
15:38 < devicenull> converting to p2p mode fixed it
15:38 < devicenull> kinda sucks that tls mode doesn't work with p2p
16:18 < kitsune1> sjohnson: It would be much easier and reliable to do the NAT on the router of the server-side LAN. Assuming the router is capable of natting your LAN and another subnet. That's what I do for a windows server.
16:19 < sjohnson> that's more or less what i'd do too.
16:20 < sjohnson> unfortunately the requester of the research said "get this working in Windows.  most people don't have Linux and thus won't know how to set it up".
16:20 < sjohnson> i think that request is a bit of a tall order though.
16:31 < kitsune1> If you must do NAT on Windows, Windows Server OS may work. There has been soe discussion of using ICS, but its going to be a pain, if at all it works..
16:32 < sjohnson> heh, well put.
16:32 < kitsune1> I meant discussion on Trac (writing from memory)
16:32 < sjohnson> thankfully i got some good news.  the person who asked me to try and set it up asked me "how it's going" and i said it's a nightmare, and he is considering abandoning the project.
16:33 < sjohnson> i managed to get IP's to ping which might be enough for just a simple POC.
16:33 < sjohnson> if it's too slow, then we'll scrap it anyway.
17:28 < sjohnson> alright.  i'm using the default UDP port and getting a ton of AEAD errors while trying to use my cellphone's internet connection.
17:28 < sjohnson> like 330k/sec max.
17:28 < sjohnson> should TCP be used instead?
17:35 -!- Vampire0_ is now known as Vampire0
18:07 < cads> Hi guys, I've set up an openvpn connection between a windows machine in the office (client) and a amazon webservices windows machine (server). I can ping from server to client and vice versa using their Ovpn IPs, but I cannot use client's hostname to ping it or connect to shared folders.
18:08 < cads> I think it has to do with the route windows uses to look for a host name, and I'm not sure if that's in scope of this channel
18:10 < cads> A simpler solution might be to set a fixed IP for the client, but I could use a little help there
18:16 < cads> I've tried using ifconfig pool persist to give the client a fixed IP (10.8.0.4), but for some reason it gets assigned 10.8.0.6
18:40 < Eugene> sjohnson - cell networks are not known for reliable delivery, especially of UDP packets.
18:40 < Eugene> sjohnson - TCP(inside your tunnel) should pick up on it and fix the problem(by slowing down)
18:40 < Eugene> So, works4me? ;-)
18:40 < Eugene> !wins
18:40 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
18:40 < Eugene> cads - setup DNS or WINS ^
18:41 < Eugene> Link-local discovery is not to be relied upon
18:45 < cads> networking and especially windows networking is not a strong suit, so I think I'll settle for fixed IPs for now so I can get things up and running
18:46 < cads> I'm reading the manual here, looks like I can use use an ipconfig directive to do the work
18:47 < cads> Looks like I should be using p2p mode rather than server and client modes
18:58 < cads> but it looks like I'll need to learn learn more about wins soon, thanks for the link Eugene
19:27 < sjohnson> Eugene: yeah, you are right.  turns out UDP was a good choice anyway.
19:27 < sjohnson> i could tell the true bottleneck was actually the buildings shitty ass ISP connection.
19:27 < sjohnson> so i handed over the laptop so that it could be attempted at someone's house with perhaps a better ISP connection.
19:27 < sjohnson> even still, the "goal" might be salvaged, which is okay by me.
19:27 < sjohnson> sort of realized that maybe i'm not cut out for VPN work on Windows.
19:27 < Eugene> Its not a good choice of platform IMO
19:28 < sjohnson> (that too)
19:28 < sjohnson> constantly dealing with headaches is making me age probably 2x as fast.
19:28 < sjohnson> (Windows headaches)
19:28 < Eugene> I am a masochist and genuinely enjoy the puzzles
19:28 < Eugene> Its the human factors(deadlines) that get me
19:34 <@krzee> !learn ipv6 as to ignore ipv6 from the server see !noipv6client
19:34 <@vpnHelper> Joo got it.
19:35 <@krzee> ecrist: waiting for my airplane from vegas to southern California, should have chapter 8 done tonight
19:39 < sjohnson> Eugene: i'd hire you if you think you can get this setup.
19:40 < sjohnson> and have two Windows machines to use.
19:40 < sjohnson> and wrote up some tutorial (or at least told me how you did it so i can compile it)
19:40 < Eugene> It would have to go through $DAYJOB, and proooobably take a few hours
19:40 < sjohnson> i believe a definitive, no bullshit, no stack-overflow type comments guide to how to do this would benefit mankind greatly.
19:40 < sjohnson> indeed.  i'd be willing to fork out a few bucks for sure.
19:40 < Eugene> PM
19:41 < sjohnson> including meeting you more than half-way to prove i'm not joshing.
19:48 < Poster>   
19:48 < Poster> 
21:17 -!- AfternoonNap is now known as Captain_Beezay
22:30 < sunrunner202> will having a vpn endpoint on a same network segment work?
22:30 < sunrunner202> eg vpn server on 192.168.0.1 server is on .100
22:30 < sunrunner202> err
22:30 < sunrunner202> client for the first one
22:43 < ordex> sunrunner202: openvpn just tries to establish a udp/vpn connection - it does not care where the host is located
22:43 < sunrunner202> thats what I thought
22:43 < sunrunner202> but i'm getting TLS handshake failures
22:43 < sunrunner202> first thought was time
22:44 < sunrunner202> but time is within 5min on all servers
22:50 < sunrunner202> ordex, wireshark shows the openvpn traffic as malformed dns
23:04 < ordex> sunrunner202: whatever the problem is, it should not be related to the hosts being in the same network
23:11 < sunrunner202> ha
23:11 < sunrunner202> found it
23:11 < ordex> aha! what was that ?
23:11 < sunrunner202> pfsense had a blanket rule to block all private IP's from the WAN interface
23:12 < sunrunner202> this is a virtual test bed so the 'WAN" is 10.0.1.x
23:16 < ordex> eheh ok
23:18 < sunrunner202> grrr
23:18 < sunrunner202> can't get this bridged vpn working
23:19 < sunrunner202> yes it needs to be bridged
23:19 < sunrunner202> but i'm out for tonight
--- Day changed Wed Feb 08 2017
01:45 -!- Vampire0_ is now known as Vampire0
03:24 < ging> if i setup a simple site to site tunnel with open vpn, should i be able to ping the ip of the tun interface on the other host?
03:24 < ging> i have it setup based on this guide https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
03:24 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
03:24 < ging> and it connects ok
03:26 < ging> but i can't connect over the tunnel
03:26 < ging> firewall isn't blocking anything
03:26 < ging> but i don't have ip forwarding enabled on either host
03:46 -!- AndrewAlexMac_ is now known as AndrewAlexMac
03:47 -!- wkts- is now known as wkts
03:48 -!- SoreGums_ is now known as SoreGums
03:57 -!- zedde is now known as Varazir
05:21 -!- ikonia_ is now known as ikonia
06:47 <@ecrist> krzee: thanks.  everything else is done and turned back in.
06:47 <@ecrist> I incorporated most of your suggestions
06:47 <@ecrist> not all, though
07:59 -!- MrAlexandr0 is now known as CloudClimber
11:23 < kuzko> hello people, you might be able to tell me something google is not giving me a clear answer to .. what are these MULTI: bad source address from client packet dropped errors caused by?
11:32 <@krzee> kuzko:
11:32 <@krzee> !iroute
11:32 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
11:32 <@krzee> the MULTI errors are from when a client sends traffic with a source IP that the server does not know
11:32 < kuzko> krzee : what do you mean??
11:33 <@krzee> this could be from a misconfigured app on the client, or it could be that you're trying to share the client's LAN over the vpn
11:33 < kuzko> i'm trying to do exactly that, having a site to site vpn
11:33 <@krzee> ok, so tell me... you want to share the server lan with clients, and client lan with the server?
11:34 < kuzko> yup
11:34 <@krzee> !route
11:34 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
11:34 <@krzee> i made a writeup that should be perfect for you =]
11:34 <@krzee> then when you're ready to test, do 1 lan at a time, start with server lan
11:34 <@krzee> here are some handy flowcharts i made for ya
11:34 < kuzko> is your writeup compatible with pfsense?
11:34 <@krzee> !serverlan
11:34 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
11:34 <@krzee> !clientlan
11:34 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
11:34 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
11:35 <@krzee> the writeup is compatible with *, because i teach you whats happening instead of spoonfeeding commands
11:35 < kuzko> alright thanks
11:35 <@krzee> my pleasure
11:57 <@ecrist> sup krzee 
11:57 <@ecrist> did you get that review done???
11:57 <@krzee> hey, yep i just finished the questionaire
11:57 <@krzee> now im checking which book i want them to send me
11:57 <@krzee> something on puppet
11:58 <@krzee> my only real nagging questions on chapter 8 is what is your bandwidth from your ISP? and were your speedtests direct or over VPN?
11:58 <@ecrist> my ISP bandwidth is 1Gbps
11:58 <@krzee> <-- jelly
11:58 <@ecrist> but my VPN was hosted on an ESXi box on my LAN
11:58 <@ecrist> the real limiter was the wifi I was using
12:07 <@krzee> book sent
12:08 <@krzee> good book man
12:08 <@ecrist> you know how nice it was, last night, knowing I had ZERO to-dos on that book for once?
12:08 <@krzee> i couldnt do it...
12:08 <@ecrist> krzee: there are a few things you suggested I implemented, but some I did not
12:08 <@ecrist> all of them were good ideas, though
12:08 <@krzee> anything come to mind?
12:09 <@ecrist> the SSL generation I didn't feel was a part of this book, and there was a lot of coverage in the other book
12:09 <@ecrist> that was the big one
12:09 <@krzee> oh true i didnt even think about what the other book had
12:10 <@ecrist> I forget what you kept saying in your chapter 6 comments, something about "I don't know what's in chapter 5 yet, but I hope it covers xyz"
12:10 <@ecrist> I think that was the hardest part of writing this one - avoiding parroting the mastering book
12:12 <@krzee> their questions were somewhat incompatible for me with chapters coming out of order
12:12 <@krzee> "what do you think is next?"
12:12 <@krzee> haha
12:13 < skyroveRR> o/ krzee ecrist
12:13 <@krzee> wassup!
12:13 < skyroveRR> Idling :(
12:13 <@krzee> ecrist finished his book!
12:13 <@ecrist> krzee: yeah, that's my fault
12:13 < skyroveRR> sup with you?
12:13 < skyroveRR> krzee: oh, nice!
12:13 <@krzee> 'troubleshooting openvpn' by packt publishing
12:13 < skyroveRR> ecrist: when will it be available on amazon.in? :D
12:13 <@krzee> coming soon
12:13 < skyroveRR> Not amazon.com... .in.
12:14 <@ecrist> skyroveRR: it's posted to amazon for a while
12:14 < skyroveRR> .in ?
12:14 < skyroveRR> ...
12:15 <@krzee> isnt that still amazon?
12:15 < skyroveRR> It is.
12:15 <@krzee> they'll have an ebook copy for sure, i dont know if you have a hard time getting books in .in or something...?
12:15 < skyroveRR> But not ALL the things listed on .com are available in .in..
12:15 <@ecrist> skyroveRR: are you not able to search .in  yourself?
12:15 <@ecrist> https://www.amazon.in/Troubleshooting-OpenVPN-Eric-F-Crist-ebook/dp/B01MS0ANVH?ie=UTF8&keywords=troubleshooting%20openvpn&qid=1486577674&ref_=sr_1_1&sr=8-1
12:15 <@ecrist> jeepers man
12:15 < skyroveRR> ...
12:15 < skyroveRR> I *was* about to search.
12:16 <@krzee> thats dope its already on there!
12:16 <@krzee> !book
12:16 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) a troubleshooting guide for OpenVPN by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
12:16 <@krzee> hah vpnHelper knows!
12:17 < skyroveRR> ... only kindle edition, no hardcopy..
12:18 <@ecrist> skyroveRR: that's your fault for living in .in
12:18 < skyroveRR> lol
12:24 <@krzee> packt might ship to there
12:25 <@krzee> from the link on the bot
12:25 < skyroveRR> We are big fans of cash :D
12:25 < skyroveRR> Not debit or credit cards.
12:26 -!- Vampire0_ is now known as Vampire0
12:26 < skyroveRR> And if it were not for "cash on delivery", most Indians that I know wouldn't do online purchasing.
12:27 <@krzee> im the same way
12:27 <@krzee> but i give cash to people and they do the card stuff
12:27 < skyroveRR> Same here.
12:27 <@krzee> which usually means airline miles or similar for them, so everybody is happy
12:28 < skyroveRR> :D
12:37 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has quit [Remote host closed the connection]
12:40 <@krzee> there
12:40 <@krzee> puppet 4 essentials - second edition
12:53 < h0nus> Hi. I'm having connection issues with AndroIRC after connecting to OpenVPN on my Android tablet
12:54 < h0nus> when OpenVPNConnect is disconnected I am able to connect to my IRC servers via SSL; once I connect through OpenVPN I am unable to establish connection with IRC servers
12:55 < h0nus> I am using a US bundle on tcp443
12:56 < Eugene> Do you control the VPN server you are connecting to or are you using a service?
12:56 < h0nus> I am using free OpenVPN, not a dedicated VPN server
12:57 < Eugene> Where did you get your vpn config
12:57 < h0nus> vpnbook
12:57 < Eugene> So you're using a third-party provider then? Go talk to their support. In all likelihood their exit IPs are banned by the IRC network(s) for spamming
12:57 < h0nus> ok that makes sense. thank you.
12:58 < DArqueBishop> h0nus: I'm 99% sure vpnbook blocks all but web traffic.
12:59 < DArqueBishop> Someone was in here a few days ago with the same issue, and they found that vpnbook doesn't route non-web traffic.
13:00 < h0nus> can anyone recommend an openvpn source that will work with IRC clients?
13:13 -!- Vampire0_ is now known as Vampire0
13:23 < hh2010> Hi guys.  I am trying to set up OpenVPN on my Amazon AWS EC2 instance.  I am able to connect using Tunnelblick on Mac OS, but not able to connect to internet from there.  Can anyone help please?
13:36 <@krzee> hh2010:
13:36 <@krzee> !redirect
13:36 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
13:36 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
13:37 < hh2010> ok… interesting about the NAT part.  adding a NAT gateway costs extra through Amazon AWS
13:38 < hh2010> !nat
13:38 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
13:40 < hh2010> ah nevermind this isnt the same as NAT gateway/instance
13:40 < hh2010> very helpful will try these in a bit
13:44 <@ecrist> !amazon
13:45 < hh2010> !aws
13:45 <@vpnHelper> "aws" is Ziber> So, in the AWS console, you can disable 'source/destination checks', which allow you to route outside of the VPC. Which is a LAN-ception concept, that's isolated beyond belief.
13:46 < hh2010> !ipforward
13:46 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
13:46 < hh2010> !linipforward
13:46 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
13:51 < hh2010> !def1
13:51 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
14:03 < hh2010> !dns
14:03 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
14:03 < hh2010> !pushdns
14:03 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for
14:03 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
14:08 < hh2010> hrmm
14:10 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn
14:10 -!- mode/#openvpn [+o danhunsaker] by ChanServ
14:11 < hh2010> still no luck unfortunately
14:21 <@ecrist> hh2010: there's something you have to do to enable the tun adapter, but I don't recall what
14:27 < SpeakerToMeat> Hello
14:32 < SpeakerToMeat> My server .... ok odd... nevermind
14:33 <@ecrist> #openvpn++
14:35 < hh2010> ecrist:  I believe u are talking about “dev tun”, and i do have it in my config
14:36 < hh2010> tunnelblick is connecting now but it times out on acquiring IP address
14:37 < jpwhiting> hi all, if a user wants (for some unknown reason) to use both Openvpn gui and a custom openvpn client, is there a way for the company developing/shipping their custom openvpn client to set the windows registry keys it uses to store it's settings?
14:37 < jpwhiting> Nothing in the configure --help output is jumping out at me
14:37 < SpeakerToMeat> And my problem isn't firewall, it was sudden unexplained permissions
14:38 < jpwhiting> i.e. to use something other than HKLM/Software/OpenVPN to store the config file, log file, etc. in
14:38 < jpwhiting> especially since uninstalling openvpn nukes the registry key used
14:38 < jpwhiting> s/key/path/
14:39 < hh2010> i am also getting these two warnings in tunnelblick:
14:39 < hh2010> “WARNING: Ignoring ServerAddresses '10.0.0.2' because ServerAddresses was set manually”
14:39 < SpeakerToMeat> jpwhiting: If they're compiling a modified version of openvpn cli they should be able to modify the registry path they use... before compiling the source.
14:39 < jpwhiting> yeah, a patch to the sources of openvpn would work I guess
14:39  * jpwhiting greps for where in the sources the key name is coming from
14:39 < hh2010> and “DNS servers '8.8.8.8 4.4.4.4 2001:4860:4860::8888 2001:4860:4860::8844' were set manually” “WARNING: that setting is being ignored by OS X; '8.8.8.8 4.4.4.4' is being used.”
14:41 < jpwhiting> ah, it's using Software/PACKAGE_NAME, so just need to set PACKAGE_NAME at configure time
14:48 < hh2010> not sure why it wont assign IP address...
14:49 <@ecrist> hh2010: no, I'm talking about a permission or something in the AWS console that needs to be granted to make "tun" work at all
15:15 < SpeakerToMeat> Can you guys think of an "easy" way to avoid starting a client instance when connected to certain networks?
18:37 < HankMoody> Ooookay. I'm going to preface this with thank you to anyone that's even willing to help me with... whatever the hell is wrong with what I've got going on. I had OpenVPN server setup on a Debian Jessie setup, ended up switching to Ubuntu (went from Ubuntu to Debian initially but wanted newer/more frequent versions of software installed) and the VPN would get me inside my network but no access to the Internet when connected. Wasn't a big deal
18:37 < HankMoody> as I simply wanted access to my media server out and about. Upon installing Ubuntu Yak I got OpenVPN server (and client) installed and actually working (with net access via VPN) following this guide: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04 (I used it to setup the Debian server) but I couldn't access (or even see) my media server or any other client on the network. With that result I
18:37 < HankMoody> started checking every step I did with the openvpn wiki. Upon doing some tweaking I somehow broke access to the server. Forgive me as I don't remember exactly it was at this point. I tried adjusting things to get access back. Since this (this was early Tuesday morning and I've not had much sleep since then). But, since then I've apt-get purged and redone the install(s). I've been concentrating on the firewall as logic would dictate that's
18:37 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 14.04 | DigitalOcean (at www.digitalocean.com)
18:37 < HankMoody> where the problem lies. But upon even disabling the firewall I can't get it to log in. What really befuddles me is I don't see any attempt/refusal on the server's part to make a connection is syslog and auth.log.
18:39 < HankMoody> Well good, I'm glad to see that I picked a good tutorial to go by. I'm reinstalling it now and will no doubt run into the same issues I've faced in trying to get it working again.
18:40 < HankMoody> But, if someone could help I'd GREATLY appreciate it. I'm going to be out of town for over a week coming up and will either be in the hospital or a hotel room most of the time and will have plenty of time to kill  - essentially requiring me to get access to the VPN again.
18:44 < HankMoody> Oh also I should point out that the VPN server is setup on my desktop that I use (not ideal, but the only thing it does is host the VPN server, my ever expanding media server (20TB), and occasionally play a media file when I'm on my Playstation.
18:44 < HankMoody> Anyway, thank you in advance
19:27 < |Mike|> ordex: problem solved :)
19:28 < HankMoody> What was it |Mike| ? Perhaps it was the same infuriating problem I'm looking to solve ;)
19:28 < |Mike|> HankMoody: I was about to read your problem
19:29 < HankMoody> Groovy, thank you SO much. I will name my first born after you
19:29 < HankMoody> haha
19:33 < |Mike|> !configs
19:33 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
19:33 < |Mike|> HankMoody: ^^
19:34 < HankMoody> And I do apologize that it's so convoluted, but for the past few days I've been trying to figure out just what the problem is and have done and redone the steps so many times.
19:34 < |Mike|> You've a OpenVPN server within your LAN?
19:35 < HankMoody> Alright, I'm on it. Be back in a few minutes w/ the configs. Do you want me to hit up pastebin or just drop them in here?
19:35 < |Mike|> pastebin thanks.
19:37 < |Mike|> HankMoody: for my imagination; you've set up an OpenVPN server within your LAN and your client connects to it. But you can't reach the mediabox within the Lan via the VPN, correct?
19:39 < HankMoody> No, I've got it setup on my desktop (which is essentially a server with monitors) that has the OpenVPN server on it so I can access it from the outside (from tablet, hotel wifi, friend's house, whatever). Not just for the media server, but essentially just so I can hop on the VPN to then get onto the VNC server or do other stuff on the LAN as needed (run a O&G law firm out of the house so an encrypted connection on the road is kinda
19:39 < HankMoody> pertinent.). Essentially the only ports I would like to have open on the router are for SSH, VPN. Once I'm inside my VNC server, media server would be visible w/ avahi/Bonjour.
19:40 < HankMoody> No the VPN will be for connecting from outside the LAN, internally I can see everything just fine. I only need the VPN when I'm out of the house (media server, VNC, etc.)
19:40 < |Mike|> Okay, clear as. Did you configure your router to forward port 1194 to the outside?
19:41 < HankMoody> Yep.
19:41 < |Mike|> Your client is connected to your VPN server, right?
19:45 < HankMoody> |Mike|, initially yes I even had access to the net through it (didn't before for some reason) but it couldn't locate the media server running (port 5001, I had open under ufw) or any of the other computers that typically pop up
19:53 < HankMoody> Here's the server.conf --> http://pastebin.com/hxGF6uzi
19:58 < HankMoody> In the client.conf do you want the .ca, .crt, .key info that's in there as well or just up to that point?
20:01 < HankMoody> |Mike|, I should also mention that I do understand that that stuff should NOT be given out, I would have created a new .ca, cert, and key after the problem was resolved :p
20:07 < HankMoody> |Mike|, here's the client.conf/client.ovpn ---> http://pastebin.com/w8WvUM8q
20:17 < HankMoody> |Mike|, here also is the output of "ufw status" --> http://pastebin.com/m7HyCUy4
20:24 < HankMoody> The problem as it sits now is what it's consistently been at. I try and connect via my phone or tablet and all I get is: "Waiting for server reply". Also while I'm at this standstill I don't see anything regarding any kind of connection attempt in syslog or auth.log. I should also note that I run (or ran) "apt-get purge" on it earlier in the longshot attempt that it was that. However even after removing it I can ping my server via the
20:24 < HankMoody> DynDNS address but when I try to connect via ssh I get "Connection refused". I was going to tackle this after I got the VPN up and running, but do you think it could be that?
20:41 < HankMoody> I had to add a few more ports to open for other programs. All of these except the VPN and SSH are only open on the LAN, not outside.
20:45 < daemon> hey all on my vnc clients I have to do this route manually: route add 172.19.19.1/24 172.19.20.1
20:46 < daemon> on my vnc server I have: route "172.19.19.0 255.255.255.0 172.19.20.1"
20:46 < daemon> my vpn range is as follows: server 172.19.20.0 255.255.255.0
20:46 < daemon> what did I get wrong for that route to not be auto created?
20:51 < HankMoody> Oh my fucking.... I'm an idiot. Christ how embarrassing. My router at some point in the past 48 hours forgot all of the port forwarding assignments I had setup... I'm sorry for wasting your time on that |Mike|. But on the "plus" side my tablet still can't see the other devices (namely my media server and VNC server) so there's at least still something that needs looking at.
20:54 -!- pppingme is now known as pppingme2
20:55 -!- pppingme2 is now known as pppingme
20:55 < HankMoody> And the VNC server isn't showing up on my phone either.
20:58 -!- FerRamirf is now known as FerRamf
20:59 < daemon> I have changed my route definition to be
20:59 < daemon> push route "172.19.19.0 255.255.255.0"
20:59 < daemon> in the config; but openvpn comp[lains that that is an invalid option?
20:59 < daemon> Feb  9 02:59:19 gateway openvpn[2799]: Options error: Unrecognized option or missing or extra parameter(s) in /usr/local/etc/openvpn/openvpn.conf:16: push (2.4.0)
20:59 < daemon> apparentlyu
21:15 < vectr0n> daemon, i think it's suppose to be push "route 172.19.19.0 255.255.255.0" if i remember correctly
21:15 < daemon> vectr0n, ah
21:16 < daemon> vectr0n, that goti
21:16 < daemon> always the simple things
21:16 < daemon> :)
21:16 < vectr0n> :)
21:16 < daemon> before I totally lock my self out of the box, if I am using UDP as a transport and I have bound my vpn daemon to port 50000
21:17 < daemon> it would be totally fine for me to block all inbound udp and tcp to the server on $ext_if except for udp:50000
21:17 < vectr0n> should be alright
21:28 < HankMoody> Entirely offtopic question, little bit of googling hasn't given me a result... I always run my auth.log & syslog with tail -f in a terminal and my auth.log hasn't written anything new since 1645 this afternoon. Any ideas what I can do to "kick start" it?
21:31 < vectr0n> HankMoody, log file might of been rotated, ctrl + c and run tail -f again, see if it updates
21:31 < daemon> I just tail /var/log/messages normally
21:31 < daemon> seems to work fine
21:32 < vectr0n> it doesnt happen with all log file and i dont remember off hand the reason
21:32 < HankMoody> vectr0n, Already tried that, even opening in gedit or nano doesn't show notifications since then.
21:32 < vectr0n> hmm no idea
21:33 < HankMoody> yeah syslog rotates at 0740 each morning and auth.log usually stops showing after a day or two.
21:33 < HankMoody> Eh if it doesn't refresh anything when I reboot I'll start to worry.
21:33 < vectr0n> maybe ask in the os chan here if it exists? they might have a better idea
21:34 < HankMoody> Just curious if you guys knew any tricks offhand. Not a pressing matter.
21:34 < vectr0n> :)
21:35 < HankMoody> But my bigger (and now biggest problem that I fixed my airheaded oversight) is my OpenVPN client's can't see any devices on the network once logged into the VPN. It used to find them before I switched back to Ubuntu, now it doesn't. Though I do have Internet access once I'm connected; which it didn't before.
21:43 < HankMoody> cuz I'll be damned if I can find something I did differently last time from this time.
21:49 < daemon> can you ping any of the dervices?
21:49 < daemon> from your vpn client
21:55 < HankMoody> checking
21:57 < daemon> if you can't you have a routing issue somewhere
22:08 < HankMoody> It is not. I'm getting request timed out.
22:08 <@krzee> i believe tail -F will get the new file when rotated on you
22:08 <@krzee> instead of -f
22:09 < HankMoody> Oh, sweet. Thanks krzee
22:09 <@krzee> np
22:09 < HankMoody> Now I've just gotta find this routing issue.
22:10 <@krzee> !goal
22:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:10 < HankMoody> Gotcha, apologies. It turns out I can ping regular stuff on the network. I was trying to ping the device that was unplugged
22:11 <@krzee> oh ok, so no problems?
22:12 < HankMoody> Not quite, I still can't see the media server, my VNC server (or another Windows computer that has shares active) from any devices that are VPN'd in.
22:12 <@krzee> those are machines on the server lan?
22:13 < HankMoody> Correct, the media server's ethernet port is actually the device I'm trying to get my tablet to see.
22:13 <@krzee> !serverlan
22:13 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
22:13 <@krzee> see the flowchart at #3
22:14 <@krzee> tell me where you get stopped
22:14 <@krzee> (i got tired of asking the same questions over and over ;] )
22:15 < HankMoody> No I totally understand. I appreciate your time and patience. I was totally about to bash this machine into little silicon pieces a few hours ago.
22:15 <@krzee> no problem man
22:16 <@krzee> lemme know where you get stopped on the flowchart and i'll help
22:16 < HankMoody> kk
22:16 <@krzee> im working remotely for another 40min or so, so im here for a bit
22:16 < HankMoody> Cool, shouldn't take me too long *fingers crossed*
22:16 <@krzee> nah it wont unless you're busy with other stuff
22:16 <@krzee> im sure we can get this working quick
22:17 < HankMoody> Nope, this has been my sole burden for the last 48 hours or so.
22:17 <@krzee> now im with ya ;]
22:17 <@krzee> and before i wrote !route i wrestled with site to site for like a week
22:18 <@krzee> ended up digging through the source before i finally understood what iroute is and why it exists
22:18 <@krzee> !route
22:18 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
22:19 <@krzee> so i feel ya, and hopefully the 48 hrs of trying has led to better understanding =]
22:20 < HankMoody> Excellent, sounds like you're the guy I need. Oh definitely, I've had a fair share of network experience before, what prevented me from logging in earlier was my router decided to reset some settings to default so 1194 and 22 weren't open to the outside at all. So pissed when I realized it was that simple.
22:20 <@krzee> ahh so you were at:
22:20 <@krzee> !timeout
22:20 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or one of the ISPs blocks it
22:21 < daemon> is there anyway to 'hide' the openvpn stderr window in windows clients; it works perfectly but having a random cmd floating about looks untidy
22:22 < HankMoody> Okay, I'm assuming I need to ping the tun interface (inet:10.8.0.1) from my client: of which I am getting timeouts. I also tried pinging destination 10.8.0.2 of which I'm getting timeout as well
22:23 < HankMoody> yeah my issue earlier was it being at timeout, of course I rebuilt the entire server/client setup about 10 times before I logged into the router to do something else and noticed all my port forwarding had disappeared.
22:27 <@krzee> if there was anything after:    <vpnHelper> "timeout" is ...      then i missed it (my screen dropped)
22:30 < HankMoody> yeah, I can log into the VPN, have internet access, can ping devices on the LAN side of the network (pinging my Playstation just fine) but when I go to ping the VPN IP (threeve.ddns.net) i get timeouts.
22:30 < HankMoody> "request timeout for icmp_seq...."
22:31 <@krzee> the servers vpn ip is something more like 10.8.0.1
22:31 <@krzee> (depending what subnet you used)
22:31 <@krzee> but anyways, you can ping some lan machines
22:32 <@krzee> and not others?
22:33 < HankMoody> Ah, okay, yeah I did try 10.8.0.1 (tun's inet addy) and tried 10.8.0.2 (destination) and both got timeouts
22:33 < HankMoody> Let me see
22:33 <@krzee> that makes me think you are not even connected to the vpn
22:33 <@krzee> !logs
22:33 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
22:37 < HankMoody> Yeah it wasn't connected, I'm a moron I set the phone too far away from the computer. I'm running the pings again
22:39 < HankMoody> Okay, when it IS connected I can ping everything except 10.8.0.2 (tun destination)
22:39 <@krzee> !net30
22:39 <@vpnHelper> "net30" is (#1) https://community.openvpn.net/openvpn/wiki/273-qifconfig-poolq-option-use-a-30-subnet-4-private-ip-addresses-per-client-when-used-in-tun-mode explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
22:39 <@krzee> !topology
22:39 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
22:40 < HankMoody> Gotcha. I was wondering whether to uncomment topology. I just wanted to get the bare bones working first
22:42 <@krzee> i agree, thats a good way to start
22:47 < HankMoody> Okay uncommenting topology still doesn't let me see anything
22:48 < HankMoody> And I know the stuff is visible as my PS4 is streaming stuff from the media server, and my phone can see the VNC servers in  avahi/bonjour
22:51 <@krzee> no no topology has nothing to do with that
22:52 <@krzee> i dont know what you mean by "see anything"
22:52 < HankMoody> Wait a second... In the push "route 192.168.10.0 255.255.255.0" if my LAN is on a 10.0.0.1 swath of addresses does that need to be changed to reflect the 10.0.0.* addresses?
22:52 <@krzee> you said you can ping everything, right?
22:52 <@krzee> lol yes you need to route the lan you want
22:53 < HankMoody> Jesus, how the fuck did I miss that?
22:53 <@krzee> you confused me back when you said  <HankMoody> Okay, when it IS connected I can ping everything except 10.8.0.2 (tun destination)
22:53 <@krzee> because to me that means you're done
22:54 < HankMoody> yeah I made it all the way through the flow chart before I thought to come back and look at the push routes. I had to walk in the other room for a second and had my phone in my pocket and when I sat back down I went to ping 10.8.0.1 10.8.0.2, etc. and it all timed out, but that was because the hotspot wifi signal had dropped out.
22:56 < HankMoody> On the push routes if my LAN is on 10.0.0.* do I need to set them to 10.0.0.0 and 10.0.10.0 or start at 10.0.10.0 and then go to 10.0.20.0?
22:56 <@krzee> huh?
22:57 <@krzee> 10.0.0.* has nothing to do with 10.0.10.* and 10.0.20.*
22:57 <@krzee> show me your configs:
22:57 <@krzee> !configs
22:57 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
22:58 < HankMoody> Okay, I was thinking it would put it on a separate swath of IP addresses
22:58 < HankMoody> k
22:59 < HankMoody> Server.conf --> http://pastebin.com/sRjp75Nm
23:00 <@krzee> what is the lan ip of the server?
23:01 < HankMoody> client.ovpn --> http://pastebin.com/MVvUZM5X
23:01 < daemon> Hey all someone in here mentioned that on windows clients, 'pushed routes' will not work unless I am using the latest client ... is that 'latest client' as in development snapshot? because I am using the latest 'release' and it still appears pushed routes fail
23:01 < HankMoody> 10.0.0.100
23:02 < HankMoody> my server's ip on the LAN is 10.0.0.100, the router itself is 10.0.0.1
23:02 <@krzee> daemon: whats happening when the routes dont work? error in the logfile?
23:02 < daemon> Thu Feb 09 04:01:19 2017 C:\WINDOWS\system32\route.exe ADD 172.19.19.0 MASK 255.255.255.0 172.19.20.1
23:02 < daemon> Thu Feb 09 04:01:19 2017 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=16]
23:02 <@krzee> HankMoody: ya your push routes on line 11/12 are wrong
23:03 <@krzee> daemon: damn, that has to do with the new priviledge seperation stuff i bet, i havent used windows in a long time so i cant really help =[
23:03 <@krzee> you should not be running it in admin compat mode anymore tho
23:03 < daemon> meh no worries, luckily all the windows boxs on the vpn only need access to 172.19.19.1 and that is also availible as 172.19.20.1
23:03 <@krzee> (in case you were doing that from before)
23:04 < daemon> so could be worse :)
23:04 <@krzee> now theres an admin service that runs
23:04 < daemon> yeah I just went into services.msc and flipped it on
23:04 <@krzee> and the client doesnt run as admin, but uses the admin service to add those
23:05 < HankMoody> krzee, okay just so I'm absolutely clear here do they need to be 10.0.0.0 & 10.0.10.0 or 10.0.10.0 & 10.0.20.0?
23:05 < daemon> so now if I understand, when I try to use openvpn I imagine it should run with elevated privledges
23:05 < daemon> which should give permission to the routing table
23:05 < daemon> perhaps that will remove the issue
23:05 <@krzee> HankMoody: where are you even getting 10.0.10.0 from?
23:05 <@krzee> from my writeup at !route ?
23:06 < HankMoody> the IP addresses in the server.conf were "192.168.10.0" and "192.168.20.0"
23:06 <@krzee> yes, why???
23:06 <@krzee> you want to push a route to clients so they know about the server lan
23:07 <@krzee> which is 10.0.0.0 255.255.255.0
23:07 < daemon> HankMoody, want to see a copy of my working openvpn.conf? see if it clears anything up
23:07 <@krzee> so why would you be talking about 192.168.10.0 10.0.10.0 and such?
23:07 <@krzee> daemon: please dont
23:07 <@krzee> thats how hes already so confused
23:08 < daemon> oh
23:08 < daemon> ok
23:08 <@krzee> remove lines 11/12 and put       push "route 10.0.0.0 255.255.255.0"
23:09 <@krzee> but so you know, whenever a client logs in from a lan that also uses 10.0.0.0/24 he will have problems
23:09 < HankMoody> Okay, I got ya. No thank you daemon I think I have it now but I appreciate it. krzee I've been messing with this all day and trying so many weird ass things to try and get it to work I wasn't sure if that was meant to "blend" them together or something.
23:09 <@krzee> you should probably use a less common subnet for your server LAN if you want to share it with people who will move around
23:09 < daemon> krzee, for your 'fake vpn lan' using 172.x.x.x is sometimes nice
23:09 < daemon> its not a very common LAN range
23:10 <@krzee> daemon: im talking about his servers lan
23:10 < daemon> ah I see
23:10 <@krzee> and not all of 172/8 is in 1918 btw
23:10 <@krzee> !1918
23:10 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#3) See !5737 for addresses to use for examples and documentation, or (#4) See !conflict for common conflicting address spaces.
23:10 < daemon> 172.16-31 afaik
23:10 < HankMoody> I'm not too worried about too many 10.0.0.0 LAN's logging into it, or if it does I'll back it up via ssh and change it. I just kinda want to get it working for the moment.'
23:11 <@krzee> ok hank, so did you do what i said?
23:11 < HankMoody> Yep, just saved it, rebooting vpn now
23:19 < HankMoody> Damnit, I'm still not seeing the VNC servers or the media server.
23:22 <@krzee> when you say "seeing"
23:22 <@krzee> are we talking about ping?
23:22 <@krzee> from the vpn client, can you ping 10.0.0.100
23:22 <@krzee> ?
23:22 < HankMoody> No, sorry in a media client on my tablet my media server pops up and in the VNC clients avahi or bonjour displays my iMac and my desktop.
23:23 < HankMoody> If I reboot the media server on the tun interface when I'm logged in to the VPN on my tablet it can find it then.
23:23 <@krzee> i believe those are layer2 only, im not sure if those will work like that even when we're done
23:23 <@krzee> lets only talk about ping
23:24 < HankMoody> Okay, I'm not sure if I ever tried the VNC servers before, but driving all the way from Jokelahoma to Minnesota I watched stuff from my media server on my tablet, and then in the hotel/hospital when I was up there.
23:25 < HankMoody> So I know the media server will work over the VPN.
23:25 <@krzee> ok, either way, test this my way please
23:25 < HankMoody> Will do.
23:25 <@krzee> somehow you said everything on the flowchart worked when you werent even on the vpn, so im going to walk you through it
23:26 <@krzee> can you ping 10.8.0.1 from the vpn client?
23:28 < HankMoody> I did get everything working. It didn't ping because I took my phone out of range of the iMac (using wifi hotspot) and it was in the middle of disconnecting.
23:28 < HankMoody> yes it pings 10.8.0.1
23:36 <@krzee> can it ping 10.0.0.100?
23:37 < HankMoody> yep
23:37 <@krzee> what is the ip of another computer on the lan?
23:40 < HankMoody> A Windows computer (I set all of the DHCP computers to start at 150)
23:40 < HankMoody> And I can ping that Windows computer.
23:40 <@krzee> so is there a computer at 150?
23:40 < HankMoody> yup
23:40 <@krzee> can the server ping it?
23:41 <@krzee> can the client ping it?
23:41 < HankMoody> The client can ping it. The server can ping it.
23:42 <@krzee> the client can ping 10.0.0.150?
23:43 < HankMoody> Yep.
23:43 <@krzee> and the client is NOT on the 10.0.0.0 lan, correct?
23:43 < HankMoody> correct, it is an iMac connected to my phone's wifi hotspot. I have the iMac logged into the VPN.
23:43 <@krzee> ok, so the vpn portion of this setup is finished
23:44 < HankMoody> Alrighty.
23:54 < gartral> ok all, I have a slightly irritating issue, I have an openvpn server on a host that has a very very fast connection (1.5gbps), client running on a connection that's only ~400kbps, I don't see a difference with tunnel on vs tunnel off, any ideas?
--- Day changed Thu Feb 09 2017
01:40 < HankMoody> Hey krzee you still around?
01:48 < HankMoody> I was thinking while doing some poking around to see if there was a way to get Universal Media Server (DLNA/UPNP) to come up when I log in w/ the VPN (without doing a bridged connection) that I think I might as well set it back up to just be able to access the local network... My problem lies in that when I erased the root partition of the Debian drive to throw Ubuntu on here that that was the one .config file I forgot to save/back up. So
01:48 < HankMoody> I've no idea where to start. I just recently switched to the 10.0.0.1, it was 192.168.1.1
02:45 < daemon> hey all, when some clients connect I get a warning
02:45 < daemon>  WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher w
02:45 < daemon> but only some clients?
02:45 < daemon> I take it there using older openvpns with different defaults ? or something like that
02:46 < eworm> daemon: Probably anyhting before 2.4
02:46 < daemon> anyway I can enforce they use something stronger on the server
02:46 < daemon> without alot of support calls
02:46 < eworm> recent version has cipher negotiation and uses something more secure
02:47 < daemon> eworm, indeed the server and my client are
02:47 < daemon> openvpn-2.4.0                  Secure IP/Ethernet tunnel daemon
02:47 < daemon> and my client does not generate that warning
02:47 < daemon> I assume the clients generating that are using older
02:47 < daemon> ah yes
02:48 < daemon> the new clients are saying;  Cipher 'AES-256-GCM' initialized with 256 bit key
02:48 < daemon> the older clients seem to be saying 'Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key'
02:48 < daemon> and then raising that warning
02:49 < eworm> specifying a cipher on server will break all older client
02:50 < eworm> the simplest way is to update clients to 2.4
02:51 < daemon> luckily I named the certs after the user they belong to
02:51 < daemon> I will do a quick grep than slap out a mail for those users
02:51 < daemon> warning them of the problem
02:51 < daemon> though I know some of them cannot be upgraded
02:51 < daemon> so looks like sod all I can do about it now
04:30 -!- Nik05_ is now known as Nik05
08:33 < Qantourisc> What determens what certificates are accepted by the openvpn server, all valid certificates that are below the tree of the CA ?
08:37 <@dazo> Qantourisc: yes, all certificates issued by the CA which the server is configured to check certificates against
08:39 < Qantourisc> dazo: so best to setup a completely seperate CA per constomer ?
08:39 < Qantourisc>  / server
08:40 < Qantourisc> actaully a CA per OpenVPN server (unless you have some sort of cluester, with more then 1 server that is)
08:43 < Qantourisc> dazo: or is it possible to use an intermedia CA ?
08:44 < Qantourisc> hmm --tls-verify script would work for me though
08:48 <@plaisthos> intermediate CAs work
08:49 <@plaisthos> but are usually more trouble to setup correctly
08:55 < Qantourisc> it's such small scale that -tls-verify seems to be going to work verry nice here
08:58 <@dazo> Qantourisc: you can use sub-CAs as well
08:59 <@dazo> --tls-verify is also a very elegant way to tackle this challenge
09:00 <@dazo> but sub-ca (intermediate) have the advantage of being able to better manage groups of users ... and you can use --tls-verify even to validate the CA chain
12:04 -!- exounx_ is now known as exounx
12:30 -!- Vampire0_ is now known as Vampire0
12:34 -!- Captain_Beezay_ is now known as Captain_Beezay
13:15 -!- MuffinMedic is now known as Evan
13:17 -!- Evan is now known as StudMuffin
13:18 -!- StudMuffin is now known as MuffinMedic
14:56 -!- Vampire0_ is now known as Vampire0
14:57 < gavimobile> hi folks, i have a free vps (windows server 2008) which i setup at my folks house in the usa. i would like to take advantage of this vps. i live overseas and i am blocked out of some sites which are only for usa internet users. can openvpn provide me with a solution?
15:03 < Jaywalker> Hey guys, this has been driving me nuts for a while now, so I hope someone can help. How does my openvpn server know where my client keys are? I put nothing in the server config that directs it to look there, nor do I see anything in my easy-rsa vars to push certs to somewhere ovpn does see.. So how does it find them?
15:03 < Eugene> Jaywalker - nothing; it looks at the certificates and verifies against the CA
15:04 < Eugene> Conceptual overview https://en.wikipedia.org/wiki/Public-key_cryptography
15:04 <@vpnHelper> Title: Public-key cryptography - Wikipedia (at en.wikipedia.org)
15:04 < Jaywalker> Ahhhh, ok, color me stupid then lol
15:04 < Eugene> When a client connects it presents a cert; server sees that the cert is from the CA, then asks the client to prove that they hold the matching key. Client does so.
15:04 < Eugene> (and the client does the same with the server's cert)
15:09 < HankMoody> gavimobile, yes that can fix your problem. I live in Jokelahoma yet when there's a Jets game I want to watch all I need to go is VPN in to the market that the game is in and I will be able to watch it on FoxSportsGo or CBS All Access.
15:12 < gavimobile> is openvpn a free solution?
15:12 < gavimobile> HankMoody:
15:12 <@krzee> if you already have the server and the client machines and network access, as well as the networking knowledge, then yes
15:13 <@krzee> just like apache is a free solution, if you have the webserver with network access already, and know how to use it
15:13 < HankMoody> Yeah, OpenVPN is open source, and as krzee said with the hardware already all you'll need to know is the knowledge to enable it.
15:13 < gavimobile> krzee: great explenation
15:14 < gavimobile> i have a vps in the usa at my folks house
15:14 < gavimobile> so i can setup a server there?
15:14 < gavimobile> !*
15:14 < Eugene> I'm not your mother
15:14 <@krzee> yes, depending on if it has a static ip you may need a dynamic dns setup
15:14 <@krzee> and you should ask moms permission :-p
15:14 <@krzee> you'ld need to setup port forwarding on her router
15:15 <@krzee> but technically speaking, i could do it ;]
15:15 < gavimobile> krzee: thanks
15:15 <@krzee> i setup a vpn on a dynamic ip at my moms house, so they can use their security cameras without exposing them to the internet
15:21 <@krzee> !factoids search pki
15:21 <@vpnHelper> 'intro-to-pki' and 'pki'
15:21 <@krzee> !into-to-pki
15:21 <@krzee> !intro-to-pki
15:21 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
15:21 <@krzee> !pki
15:21 <@vpnHelper> "pki" is (#1) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed specially as a server (see !servercert), or (#2) !certman for various PKI management tools, or (#3) see !intro-to-pki
15:28 < HankMoody> Hey krzee last night after you got the VPN up and running I got to thinking. My usenet provider gives me a VPN so I can use that when I am out of town when I need an encrypted connection. I'd like to go back to the odd way I had it setup where whenever I logged into the VPN on my server here at home I was able to "see" and use the upnp/dlna media server and VNC servers. I just couldn't access the Internet. But my problem lies in the fact
15:28 < HankMoody> that when I switched from Debian to Ubuntu I didn't save my old .server conf fils. I do have my old .OVPN certs
15:31 < daemon> thats freaky
15:31 < daemon> I went to sleep with HankMoody talking on irc, and the mrs was watching something some guy called moody in it; then I wake up and HankMoody is chatting in IRC
15:31 < daemon> (0_o)
15:54 < HankMoody> Anything I can do to make you question sanity daemon ;)
15:55 < daemon> HankMoody, sanity?
15:58 < HankMoody> You never know. I might not actually be here this could be a dream. Or you're the only one seeing me type here.
15:59 < HankMoody> Or the easier explanation is I was watching you guys and after I saw the Moody in reference in her show I decided to pop back in here.
15:59 < HankMoody> :P
16:08 < HankMoody> daemon: Don't mean to be a bother but do you know of a way that I could have set my VPN up last time to get the upnp/dlna media server & VNC servers to come up on the client side of the VPN? There's a package I stumbled on called linux-igd (upnpd) and there's a few posts I've seen where people have said when getting that installed and working it worked for them that way.
16:09 < HankMoody> I had thought of just running two instances of it, one on the LAN (10.0.0.000/enp0s10) and one on the VPN (tun0) but even with that working I wouldn't be able to access the VNC servers.
16:09 < daemon> HankMoody, I could likely help you with what knowledge I have now though it is pretty BSD specific, unfortunatly I am drunk and about to goto sleep; from tomorrow I am on holiday pretty much for 2 weks I will logon on the 12th; if you are still having issues I will try my best to help you
16:10 < HankMoody> Gotcha, much appreciated. I'll likely be here even if I get it fixed. Thanks man.
16:11 < daemon> np
17:16 < MichaelGG> hi there! are there any docs on how ovpn negotiates V2 data packets (peerid)? it is just the presence of a peerid in the server options ?
18:04 <@dazo> MichaelGG: it's based on the some of the IV_* strings sent in the peer-info packets
18:14 <@dazo> If MichaelGG appears again ... the clue is in src/openvpn/push.c:362 - prepare_push_reply() .... if the client have sent an IV_PROTO= peer-info string to the server, it supports peer-id, and the peer-id can be sent to the client
18:15 <@dazo> IV_PROTO=2, I mean
18:15 <@dazo> (2 or higher)
18:23 < HankMoody> dazo: How do I get my upnp/dlna media server & VNC server to become visible and accessible by the tun VPN client
18:41 < S1GSEGV> Has anyone heard about 143VPN?
20:41 < Sxcd6> can anyone help me with troubleshooting "Authenticate/Decrypt packet error: bad packet ID (may be a replay):" error in my openvpn.log?
23:09 -!- |Mike| [mike@phrack.nl] has quit [Read error: Connection reset by peer]
--- Day changed Fri Feb 10 2017
00:00 < blaq> !welcome
00:00 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
00:00 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
00:02 < blaq> !1925
00:02 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
00:16 < ordex> lol, interesting reading
00:18 < blaq> just playing around haha
00:18 < blaq> but so those truths, classic
00:39 < ordex> :)
02:27 < kromwell> Hi there
02:28 < kromwell> I have a question about openvpn. If I'm on a network and I log ino a website without https
02:29 < kromwell> the post body information is concealed but also the destination
02:29 < kromwell> openvpn doesn't create a header field in the connection to the openvpn server that tells them the url im accessing
02:29 < kromwell> I mean?
02:29 < kromwell> Just how much of my web traffic does it obscure.
02:32 < ordex> kromwell: openvpn encrypts at the network level
02:32 < ordex> everything going on top is encrypted
02:32 < ordex> but of course, if somebody is *in* the VPN they will see your non https traffic
02:32 < ordex> and note that the encryption is from you to the vpn server. from the server to the HTTP webserver the traffic will be normal http at that point
02:42 < kromwell> Thanks ordex
02:42 < ordex> I hope that makes sense to you :)
03:40 < pmden> !welcome
03:40 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
03:40 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
03:40 < pmden> !redirect
03:40 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
03:40 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
04:44 < denixx> !welcome
04:44 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
04:44 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
04:45 < denixx> !goal
04:45 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:47 < denixx> Goal is: secure connection between 2 computers, plus internet thru vpn-server. Client connects to server, it's ok. But there is an issue.
04:48 < denixx> Fri Feb 10 12:46:17 2017 [server] Inactivity timeout (--ping-restart), restarting | Fri Feb 10 12:46:17 2017 SIGUSR1[soft,ping-restart] received, process restarting | Fri Feb 10 12:46:17 2017 MANAGEMENT: >STATE:1486723577,RECONNECTING,ping-restart,,,,, | Fri Feb 10 12:46:17 2017 Restart pause, 5 second(s)
04:48 < denixx> These messages appear.
04:49 < denixx> Topology is: Virtual machine behind NAT of host-pc. VM connects using udp to server inside LAN, which both host pc and server use.
04:49 < denixx> UDP
04:51 < denixx> I'm here to ask a question about ping mechanism: is it using inner network?
04:52 < denixx> I mean is it trying to use configured 192.168.5.6 (VM ip which come from dhcp-server of openvpn) or 192.168.5.1 (gateway). Is ping occurs within opened connection?
04:54 < denixx> Now I will try to read some help from bot :)
04:55 < denixx> Oh, just mention one thing: all works, connection established, server configured to share internet... But these reconnects every ping-reconnect seconds make things not so ok.
04:59 < denixx> !paste
04:59 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
04:59 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
04:59 < denixx> !configs
04:59 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
05:04 < denixx> Eh... "Fri Feb 10 12:58:55 2017 MULTI: new connection by client 'client2' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect."
05:04 < denixx> Trying to...
05:09 < denixx> Maybe it's just a fight between two VMs
05:36 < denixx> Yep. That was the reason. Thanks, anyway. :)
06:52 < dionysus69> how do I manage multiple client configuration files at once?
06:52 < dionysus69> server IP address is going to change, now I have to go to all config files and change each file manually?
06:54 < Tykling> dionysus69: have you heard about dns? :)
06:54 < dionysus69> lol
06:54 < dionysus69> ye but I dont have domain xD
06:55 < Tykling> :) get a .tk domain, they are free
07:29 < dionysus69> thanks Tykling :)
08:54 < adac> with this ccd "functionality", can I give an IP range to a person?
08:54 < adac> Or is there perhaps another way to do that? I want to give some hosts a fxed id
08:55 < adac> and some other hosts/persons an ip range of lets say 3 ips
08:55 < adac> so they can login with three of their devices with the same config/cert
08:56 <@ecrist> adac: no, that's not how that works
08:57 < adac> ecrist, I see yes
08:57 < adac> Is it possible to set no ccd for a person
08:57 < adac> but at the same time set a static ip for a host?
09:06 <@ecrist> yes, you don't need to have a CCD for every user
09:06 <@ecrist> for more complex tasks, like assigning a block of IPs, it's likely better to dynamically generate the CCD with --client-connect
09:09 < adac> ecrist, ok thanks a lot
09:09 <@ecrist> that topic is also covered in the book Mastering OpenVPN
09:10 <@ecrist> specifically using --client-connect to dynamically generate CCD parameters
09:10 < adac> I assume a static Ip via ccd would always win against a dynamic one right? mean if at some point a person and a host would have the same address
09:10 < adac> ok ok i will check this out thanks
09:10 < adac> mastering openvpn sounds good :)
09:10 <@ecrist> when it gets assigned, it's removed from the pool
09:11 < adac> kk
11:55 < hh2010> hello all.  I am not able to connect to OpenVPN running on Amazon EC2 Ubuntu.  I have tried everything online and in the help in this channel’s bot.  Would anyone be willing to help?
11:56 < hh2010> I have no idea where the problem could be… firewall is open on 1194, ip forwarding enabled, iptables are set, server/client configs are set…
12:07 < _FBi> I never identify quick enough to join this channel after I drop. :/
12:07 < _FBi> !sweet32
12:07 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
12:09 < _FBi> Awesome!  BlowFish is kinda broken!  how many years has it been unbroken.  Though the creator said to use TwoFish instead, once he created it.
12:13 <@krzee> blowfish isnt broken, but the first signs of weakness have come
12:13 <@krzee> newer openvpn versions will rotate the key more often to help protect it, if you still use it anywhere
12:14 <@krzee> and 2.4 will let a server use different algorithms for different clients
12:15 <@krzee> if you really wanna see broken, check out pptp ;]
12:39 < hh2010> ok, i got the vpn working, but performance is extremely slow...
12:41 < hh2010> most websites besides google are painfully slow to load, or timeout
12:41 <@krzee> !speed
12:41 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help., or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded), or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu), or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links, or (#5) less likely are issues with bad
12:41 <@vpnHelper> TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs), or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp), or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better., or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no), or
12:41 <@vpnHelper> (#9) a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
12:43 < hh2010> thanks very much. will look into those
12:43 < hh2010> !mtu
12:43 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting, or (#3) useful info here: https://forum.pfsense.org/index.php?topic=67080.0
12:53 < hh2010> actually the error i am getting is “Authenticate/Decrypt packet error: packet HMAC authentication failed”
12:53 < hh2010> my authentication setup is very simple for now, with just “secret xyz.key”
12:53 < hh2010> and “comp-lzo”
12:54 < hh2010> if there was an issue with the key, wouldnt it not be able to connect at all? surprised to be seeing a packet authentication error
12:57 < hh2010> hmm nevermind not getting that error anymore.  sorry
13:42 < HankMoody> Holy crap I slept way later than I intended
13:56 < sjohnson> oops
14:48 < hh2010> any ideas what i can do to improve my latency and download speed through openvpn?  i finally got it set up but getting 93ms latency..
14:53 -!- hh2010_ is now known as hh2010
14:58 -!- hh2010_ is now known as hh2010
15:03 -!- hh2010_ is now known as hh2010
15:31 < hh2010> so is it assumed that connecting to OpenVPN will result in significantly lower download and upload speeds? from 50mbps to 8mbps...
15:32 < hh2010> sorry for noob questions
15:35 < hh2010> server is Amazon EC2 running ubuntu on intel xeon processor
15:36 < hh2010> !speed
15:36 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help., or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded), or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu), or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links, or (#5) less likely are issues with bad
15:36 <@vpnHelper> TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs), or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp), or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better., or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no),
15:36 <@vpnHelper> or (#9) a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
15:45 < hh2010> !mtu
15:45 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting, or (#3) useful info here: https://forum.pfsense.org/index.php?topic=67080.0
15:51 < hh2010> yeah ive done all these things…
16:03 < tazjin> hey, I'm having trouble figuring out how to connect to a "Fireware SSLVPN" that has SMS-based two-factor enabled
16:04 < tazjin> the generated config has auth-user-pass set, entering credentials once will result in an AUTH_FAILURE though - after which I actually do get the text
16:04 < tazjin> but I'm not sure how to enter the code, I suppose some  renegotiation setting is missing that would bring up a second promp?
16:04 < tazjin> +t
17:26 -!- Vampire0_ is now known as Vampire0
17:45 -!- ketas is now known as ketas-
18:51 -!- Vampire0_ is now known as Vampire0
--- Day changed Sat Feb 11 2017
00:09 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 245 seconds]
00:19 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
00:19 -!- mode/#openvpn [+o krzee] by ChanServ
02:41 < ianthius> Hey folks. I've made it so far and need a little help to make it the rest of the way! I have a router connected to a remote machine via openvpn and it's working
02:42 < ianthius> dns resolves and i can ping the vps and the internet through the openvpn
02:42 < ianthius> however, i have a client machine on the LAN of the router and it's not able to get to the internet but is able to contact the router...
02:43 < ianthius> Probably need to bridge or bind something, any help appreciated :)
06:15 <@danhunsaker> ianthius: Is the client using DHCP or a static IP?
06:16 <@danhunsaker> Actually, no, nevermind.
06:16 <@danhunsaker> The router needs to be configured to send all client traffic through the tunnel, and to properly redirect incoming traffic from the tunnel to the client.
10:42 < tazjin> as a followup to my question from yesterday, it turns out the watchguard VPN negotiates its OTP credentials outside of OpenVPN (in what I consider a slightly unsafe way) and you can log in on openvpn with the result of that. Writeup here:  https://www.tazj.in/en/1486830338
10:42 <@vpnHelper> Title: Tazjins blog: Reverse-engineering WatchGuard Mobile VPN (at www.tazj.in)
10:51 < devonrevenge> hey im trying to find statistics about peoples encryption habits
10:51 < devonrevenge> do you know of such an article?
11:49 < Algernop> Google might
12:29 < devonrevenge> PGP is dying, are encryption applications dying also?
13:08 < _FBi> #openvpn doesn't use PGP for it's encryption XD :P
13:12 < Algernop> Go to security or some other possibly more relevant channel for information about PGP
13:13 < _FBi> he's already there :P
19:00 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
19:03 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
19:03 -!- mode/#openvpn [+v RBecker] by ChanServ
20:16 -!- Vampire0_ is now known as Vampire0
20:25 -!- Vampire0_ is now known as Vampire0
--- Day changed Sun Feb 12 2017
09:04 -!- |Mike| [mike@phrack.nl] has joined #openvpn
09:04 < |Mike|> re.
14:04 < Mr-Protocol> How can I change the cipher type used by the server and client to something stronger?
14:05 < _FBi> server.conf
14:05 < _FBi> client.conf
14:09 < Mr-Protocol> Will i need to rebuild the client keys at all?
14:09 < Mr-Protocol> or just modify the conf files and happy days?
14:10 < _FBi> modify I believe.  The Handshake is different than the cipher
14:10 < Mr-Protocol> awesome, thanks a lot, I'll give it a try
15:54 < Teraii> hello here
15:55 < Teraii> how can i configure IPv4 and IPv6 bridge ?
15:55 < Teraii> Options error: Unrecognized option or missing or extra parameter(s) in /usr/local/etc/openvpn/openvpn.conf:19: ifconfig-ipv6 (2.4.0)
17:20 -!- Vampire0_ is now known as Vampire0
--- Log closed Sun Feb 12 18:28:58 2017
--- Log opened Mon Feb 13 07:47:31 2017
07:47 -!- Irssi: #openvpn: Total of 264 nicks [8 ops, 0 halfops, 3 voices, 253 normal]
07:47 -!- mode/#openvpn [+o ecrist_] by ChanServ
07:47 -!- Irssi: Join to #openvpn was synced in 1 secs
07:47 -!- You're now known as ecrist
08:35 -!- zedde is now known as Varazir
09:40 < Night_Elf> Hi all. I have read the topic, but I still would like to ask, what is really the difference between the openvpn comunity and the openvpn Access-Server? I have checked the webiste and so far I have this feeling that the difference is the webinterface in the A.S. Is that it?
09:52 -!- r00t^2 is now known as t4t3rs
09:52 -!- t4t3rs is now known as r00t^2
10:05 < Eugene> Night_Elf - WebUI, support contract, and built-in support for XYZ
10:06 < Eugene> The GPL client will connect to the AS server(and vice-versa?), mostly
10:06 < Night_Elf> Eugene: What is support for XYZ ?
10:06 < Eugene> Features bullet-pointed on the website that I'm not looking-up
10:07 < Night_Elf> Ah I see.
10:08 < Night_Elf> So then I suppose that the client software for various platforms (linux, windows, mac, android, ios) that are mentioned at the Access Server variant would work if pointed to a community server as well?
10:09 < Night_Elf> I could always test it within a day or two, but having an initial lead would be nice as well.
10:18 <+hyper_ch> what is actually the difference between the AS server and Community edition?
10:24 < Night_Elf> I have come to understand it is the webinterface that is in the AS. The as also has a limitation of 2 concurrent users, for more a licence is required. I can see there are various client software to connect to an AS server, for several platforms. I am not sure if these function with the commuity edition, though Eugene mentioned a GPL client.
10:26 <@ecrist> Night_Elf: I don't think the AS client will connect to an open source server, but you can try it out.
10:26 < Night_Elf> Whether there are differences in protocol and mode of work, I do not know this. I am trying to figure out these things myself. Today I will test the AS client from home (it is acttually easy to setup so I installed that first).
10:26 <@ecrist> the AS mobile clients, will, though.
10:27 < Night_Elf> Yes I will do that. Tomorrow or the day after I will purge the AS installation and will see to install the comunity edition, and see if the client software work, for mobile and windows. That's what most of the people I expect to connect will use.
10:29 < Night_Elf> To be honest I have used the comunity edition 4-5 years ago for myself alone, both ends (server and client) being linux machines and I configured files with a text editor and that was it. Yet this time people I want to connect are not exactly the linux types. :)
12:19 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has left #openvpn ["Konversation terminated!"]
12:27 < korozion> if I have push redirect-gateway enabled globally, can I have specific clients not use that?
12:27 <@ecrist> yes
12:27 <@ecrist> it's easier to do it with CCD
12:28 < korozion> CCD?
12:31 < daemon> credit card duplicate
12:31 < daemon> j/k )
12:31 < daemon> :)
12:31 < korozion> I know :P  I'm reading up on it in the OpenVPN documentation
12:31 < daemon> korozion, ccd is client specific configurations
12:31 < daemon> so like a specific client can have different pushs etc
12:32 < korozion> this is making sense. Thank you ecrist and daemon. That looks like exactly what I need
12:32 <@ecrist> create a CCD entry called DEFAULT with the def gateway
12:32 <@ecrist> then you just create an empty configuration for users that don't want that directive
12:33 < korozion> perfect, thanks!
12:48 -!- Vampire0_ is now known as Vampire0
15:02 < Mr-Protocol> Does anyone have an issue running Minecraft through openvpn? Minecraft refuses to login on both the game client and website when i use my DigitalOcean openVPN setup. Soon as i turn it off, all works.
15:32 < Azrael_-> hi
15:33 < Azrael_-> i've connected to the management interface, how do i see what ip is assigned to what client?
15:35 < daemon> Mr-Protocol, The problem is not the vpn I can play MC fine through mine
15:35 < daemon> modded and vanilla
15:42 -!- F2Knight is now known as F2Knight[away]
15:43 -!- F2Knight[away] is now known as F2Knight
15:43 -!- F2Knight is now known as F2Knight[away]
15:43 -!- F2Knight[away] is now known as F2Knight
17:36 < |Mike|> !ccd
17:36 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
18:34 <@ecrist> Mr-Protocol: it's likely a failed route or something.  Have you captured the packets?  What protocol does Minecraft use?
20:39 -!- Vampire0_ is now known as Vampire0
20:56 < sunrunner20__> so I've got an openvpn appliance that isn't doing TAP tunnels correctly
20:56 < sunrunner20__> anybody care to give me a list of things to check?
20:58 < Eugene> sunrunner20__ - is it the Access-Server appliance? See #openvpn-as
20:58 < sunrunner20__> no
20:58 < sunrunner20__> pfsense
20:59 < sunrunner20__> and bbiab
20:59 < sunrunner20__> i've about given up on openVPN
21:00 < sunrunner20__> everything in my understanding says these tunnels should be working fine
21:02 -!- F2Knight is now known as F2Knight[away]
21:05 < sunrunner20__> I have multiple TUN tunnels working fine
21:05 < sunrunner20__> but some of my software requries that it appear to be on the same LAN
21:06 < sunrunner20__> and I don't know if that can even be acomplished with TUN instead of TAP
21:35 < sunrunner20__> figured
21:36 < sunrunner20__> $50 for anybody who solves my issue.
21:42 < Algernop> !tunortap
21:42 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
21:42 <@vpnHelper> rooted/jailbroken) support only tun
21:43 < Mr-Protocol> daemon, then what could it be? if itbdoesnt ork though the vpn but does instantly when it is off?
21:44 < sunrunner20__> i"m not an idiodt
21:44 < sunrunner20__> I already know its better to use TUN than tap
21:44 < sunrunner20__> hopwever unless you can magically make broadcast traffic cross domains I need a TAP tunnel
21:45 < sunrunner20__> *subnets
23:19 -!- F2Knight[away] is now known as F2Knight
23:33 < ordex> sunrunner20__: what is not working exactly ?
--- Day changed Tue Feb 14 2017
00:36 < SaAtomic> hello! How are Pre-Shared Key Ciphersuites for Transport Layer Security (TLS) used with OpenVPN? With mbedTLS cipher suites like "TLS-RSA-PSK-WITH-AES-256-GCM-SHA384" are configurable, but I have no idea how to define or even create the PSK in this case
04:07 < Night_Elf> Hi. I have compiled and installed version 2.4.0 using "./configure ; make ; make install". But how do I uninstall it now? I want to do this because I want to try to install it from prebuilt packages as descibed here: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
04:07 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
04:07 < Night_Elf> So I thought of removing the source install first, before installing from the repos.
04:17 -!- F2Knight is now known as F2Knight[away]
04:30 < Night_Elf> Anyhow, removed all the files from /usr/local/ that included 'openvpn' in their path. The timestamps matched with when I built them, so I guess nothing remanins there to interfere with the binary install from repos.
04:54  * olivetree_ oi ppl :)
05:14 < scratchy> hey im using pritunl in a docker container, when i start up openvpn i get a error message like this: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
05:15 < scratchy> i tried like everything from mapping the device to mapping as volume / creating the mknod file
05:15 < scratchy> any idears how to solve this?
05:16 < scratchy> ah and add cap NET_ADMIN and priviledged as well..
06:15 < Ramirez> Hi
06:16 < Ramirez> anybody to help me please ?
06:19 < Ramirez> i apologize before you help me because i m french and  it s diffucult to understand sometimes some words
07:36 <@ecrist> scratchy: we have no idea what pritunl is
07:37 < scratchy> a gui for openvpn, well this error comes directly from openvpn
07:37 <@ecrist> so, the first problem is docker
07:37 < scratchy> seems to be a common problem with docker,  so yeah its not that easy to figure out whos responsable
07:38 <@ecrist> networking is really tricker within a docker container
07:38 <@ecrist> you need to be able to create a tun device, and the container needs permissions to do networking.
07:38 <@ecrist> My suggestion is to get it working outside the docker container, first, then troubleshoot the docker specific problems later.
07:41 < scratchy> outside docker it worked, so yeah more or less a docker container issue
07:41 < scratchy> my current guess its related to docker version im running.. im upgrading my systems at the moment
07:43 <@ecrist> unfortunately, that means you'll need to seek help specific to docker
07:43 <@ecrist> if you do learn something, please share it with us so we can add it out our database.
07:43 <@ecrist> !factoids
07:43 <@ecrist> !docker
07:43 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
07:43 <@ecrist> it doesn't appear we have anything docker related now.
07:49 < scratchy> okay, if i get it running ill let you know
08:20 < Night_Elf> Is this documentaton valid for 2.4.0? https://openvpn.net/index.php/open-source/documentation/howto.html . There are many things - like files - mentioned there that I can't find.
08:20 <@vpnHelper> Title: HOWTO (at openvpn.net)
08:23 < Night_Elf> I have installed by compiling from the .tar.gz under debian wheezy, and now I can't seem to properly understand what goes where, usually the things that I'd think to be under /etc/ (or /usr/local/etc/) . I am confused at the part "Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients".
08:51 <@ecrist> Night_Elf: which files?
08:51 <@ecrist> also, if you compile yourself, none of the config paths or anything are created for you
08:51 <@ecrist> we recommend you use your distro package manager for that
08:52 < Night_Elf> ecrist: well, the build-ca, build-key, build-dh ...
08:53 < Night_Elf> But doesn't that howto describe the process of building from sources?
08:53 <@ecrist> that's Easy-RSA
08:54 <@ecrist> Night_Elf: I'm not sure if that howto is up to date or not.  It's been quiet some time since I've walked through it.
08:58 < Night_Elf> ecrist: to be honest I'd think it is a bit old. I remember installing openvpn from sources some 4-5 years ago. I think some small things have changed, namely here:
08:58 < Night_Elf> At the section "Generate the master Certificate Authority (CA) certificate & key" there's the part that says "If you are using Linux, BSD, or a unix-like OS, open a shell and cd to the easy-rsa subdirectory." ... and so on.
08:59 < Night_Elf> Back then there was such a directory, for I still remember copying that at my /usr/local/etc/openvpn/ and then doing all what I had to do there.
09:00 <@ecrist> Night_Elf: you could always buy one of the openvpn books.  
09:00 <@ecrist> !book
09:00 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) a troubleshooting guide for OpenVPN by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
09:00 <@ecrist> </shameless_plug>
09:03 < Night_Elf> But anyhow, I will see to figure out as I go through it. I have no rush for it so maybe my pace is slow. But I could also document the process and make it available so it could as well be used to update the howto.
09:03 <@ecrist> You're welcome to update that howto, as well.
09:03 <@ecrist> Or write a separate 2.4 howto on the community site.
09:04 < Night_Elf> Yes sure why not, I could do that, as it is exactly 2.4.0 that I am playing with.
09:05 <@ecrist> that's the spirit!
09:18 < exp-innit> I'm having an issue on ubuntu 16.04 whereby a tap VPN client does not get assigned an IP address, nor is the tap device brought up, doing so manually results in working connectivity. I've tried both server-bridge and ifconfig-pool and the server side logs correctly: MULTI_sva: pool returned IPv4=192.168.101.200, IPv6=(Not enabled)
09:18 < exp-innit> however, the client side doesn't log anything similar even at decently high verbosity levels
09:19 < exp-innit> have i missed something obvious? i'm sure i have other TAP VPNs where this works correctly, but i might be mistaken
09:20 < _FBi> !tap
09:20 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the protocol
09:20 <@vpnHelper> uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
09:21 < _FBi> !tun
09:21 < _FBi> :/
09:21 < _FBi> !tunortap
09:21 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
09:21 <@vpnHelper> rooted/jailbroken) support only tun
09:22 < exp-innit> i know I want tap (i'm sending multicast) but i was under the impression the ifconfig-pool option was supported
09:22 < exp-innit> i'm happy to switch it out for a DHCP server or similar, but the docs don't seem to indicate it's unsupported
09:22 < _FBi> might be?  I'm sorry I can't be much help
09:36 <@dazo> !all
09:36 <@vpnHelper> "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
09:41 < exp-innit> dazo: roger
09:49 < exp-innit> server configs: http://sprunge.us/SNjC .. client configs: http://sprunge.us/Ihfb .. routing tables, firewall settings etc not really needed imho, logfiles can be provided but are very spammy
09:53 < ordex> exp-innit: is it normal that you have no "server" statement in your server config ?
09:53 < ordex> that should be used to configure and bring up your server tap interface with the specified IP
09:53 < ordex> IIRC
09:53 < exp-innit> ordex: oh i thought i had tls-server listed
09:53 < exp-innit> ordex: the server tap interface is not the problem
09:53 < exp-innit> it is joined to a bridge, and that part works fine
09:53 < exp-innit> it's the client IP address
09:53 < ordex> ah ok
09:54 < ordex> so it does not even need an ip, ok
09:54 < ordex> oh ok
09:55 < ordex> exp-innit: I think having the logs would make sense then
09:55 < ordex> even if spammy
09:57 < exp-innit> ordex: ack hold on then let me restart with verb 5 and see what i can pastebin
09:57 < ordex> ok
09:57 <@ecrist> ordex: --server is a macro for a few other options, and may not be present if the other components are
09:58 < ordex> ecrist: yeah - for a second I thought the problem was on the server side, so I wondered if the missing ifconfig could be the cause (hence missing server)
10:03 < exp-innit> ok client logs with IP address removed: http://sprunge.us/hcLF
10:04 < exp-innit> there's nothing particularly obvious or interesting in the server logs either other than the MULTI_sva: line i pasted above
10:04 < exp-innit> fwiw the client is also assigned that IP in the pool-persist file
10:04 < exp-innit> so it appears to be just the client side bringing the tap interface up
10:05 < exp-innit> manually configuring it works fine, and i can always just do that, but i thought i'd ask
10:06 < exp-innit> could be because i drop to nobody/nogroup, but removing that didn't seem to affect anything
10:38 < exp-innit> read in the howto under multiple client machines while bridging:
10:38 < exp-innit> You must manually set the IP/netmask of the TAP interface on the client.
10:38 < exp-innit> You must configure client-side machines to use an IP/netmask that is inside of the bridged subnet, possibly by querying a DHCP server on the OpenVPN server side of the VPN.
10:38 < exp-innit> which is odd because the manpage also describes ifconfig-pool from the perspective of a TAP server
10:38 < exp-innit> so there's some confusion / conflict there
10:42 < Phrk_> Hello, i can connect to my home server, i got a waning: your certificate is not yet valid!, is it the cause, i forgot to set up correctly the time, is it important ?
10:42 < Phrk_> i can't*
11:00 < DArqueBishop> Phrk_: yes.
11:01 < Eugene> Phrk_ - how far into the future did you make your certificates? An hour? A day? A week? If its too long, then start over with the clock correct(and go fix your clock anyway; ntp is great)
11:01 < Phrk_> Eugene, just one since it's not on the correct UTC thing
11:01 < Phrk_> one hour*
11:01 < Phrk_> i forgot to change it
11:02 < Eugene> Go blast space aliens for an hour and it'll work when you get back ;-)
11:02 < Eugene> (and fix your clock)
11:03 < Phrk_> fine for me, but this make me think, how to manage cert if you don't live on the same UTC ? (for the server/client) ?
11:10 < DArqueBishop> Phrk_: UTC is universal (hence the name); if a system has the correct time for the set time zone, it'll translate it into the correct UTC.
11:11 < Phrk_> okaay
11:11 < Phrk_> thx
11:11 < DArqueBishop> Again, this is why automated time synchronization is so important. :-)
11:12 < exp-innit> universal, other than TAI ;)
11:13  * olivetree_ Be Right Back 
11:13 -!- mode/#openvpn [+o Eugene] by ChanServ
11:13 -!- olivetree_ was kicked from #openvpn by Eugene [Disable that script ]
11:40 < _FBi> lol
11:40 <@ecrist> Eugene: what script?
11:41 < DArqueBishop> !away
11:41 < DArqueBishop> Should be a factoid. ;-)
11:41 < DArqueBishop> https://sackheads.org/~bnaylor/spew/away_msgs.html
11:41 <@ecrist> but, what was it doing?
11:41 <@vpnHelper> Title: People who use /away constantly suck ass (at sackheads.org)
11:43 -!- F2Knight[away] is now known as F2Knight
14:45 -!- F2Knight is now known as F2Knight[away]
15:14 -!- F2Knight[away] is now known as F2Knight
--- Log closed Tue Feb 14 16:35:53 2017
--- Log opened Wed Feb 15 07:13:23 2017
07:13 -!- Irssi: #openvpn: Total of 265 nicks [9 ops, 0 halfops, 3 voices, 253 normal]
07:13 -!- mode/#openvpn [+o ecrist] by ChanServ
07:13 -!- Irssi: Join to #openvpn was synced in 1 secs
07:35 < mib_kd743naq> hi
07:36 < mib_kd743naq> I would like to setup a vpn between 2 points, *without* worrying about host authentication, but still would like to have the traffic encrypted
07:36 < mib_kd743naq> do I still need to have a full blown PKI setup, or is there a more lightweight version for this use case?
07:37 < exp-innit> mib_kd743naq: there's this, but i don't warrant its completeness or suitability: https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
07:37 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
07:54 < BtbN> I'd still setup a small PKI for that.
07:54 < BtbN> static key has some limitations, like no PFS
07:55 < exp-innit> also no bridging i believe, there's no good argument against a simple PKI really
08:00 < mib_kd743naq> secret + static config like this is actually perfect in this situation, thanks!
08:02 < mib_kd743naq> the encryption is ( and the entire vpn setup for that matter ) is there only to obfuscate traffic from the PoV of corporate installed DPI
08:02 < mib_kd743naq> actual privacy isn't a goal at all
08:02 < exp-innit> don't expect privacy from DPI either, you will be able to obfuscate the contents of your traffic
08:03 < exp-innit> but not the existence of your traffic
08:03 < mib_kd743naq> precisely the expectation, yes
08:24 < DArqueBishop> <mib_kd743naq> the encryption is ( and the entire vpn setup for that matter ) is there only to obfuscate traffic from the PoV of corporate installed DPI
08:24 < DArqueBishop> Keep in mind that when your setup is discovered (and it will be), your IT department will be pretty pissed off and making sure you face disciplinary action.
09:07 < aiRness> Hello. I have 5 clients configured on ccd/ but it seems that only 4 are connected, how can troubleshoot this?
09:12 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
09:14 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
09:14 -!- mode/#openvpn [+o krzee] by ChanServ
10:58 < jnagro> ahoy - how do i configure an openvpn client not to become the default route?
10:58 < jnagro> ie just make the tun device and routes available so i can control what goes where
10:59 < jnagro> !goal
10:59 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:59 < jnagro> !goal i would like to connect an open vpn client without taking over the default route automatically
11:00 <@dazo> !redirect
11:00 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
11:00 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
11:00 <@dazo> jnagro: ^^^
11:00 < jnagro> thank you!
11:00 <@dazo> !route
11:00 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
11:02 < jnagro> lol
11:02 < jnagro> READ DONT SKIM
11:02 < jnagro> okay this is all good. thanks.
11:02 < jnagro> lots of reading to do.
11:02 <@dazo> I thought !route had more generic details ... I've forgotten a lot of these factoids
11:03 <@dazo> but there is also --route-nopull ... and with v.2.4, you also have --pull-filter ....
11:04 <@dazo> jnagro: but the key point is to ensure the client doesn't enable --redirect-gateway :)
11:06 < jnagro> dazo: 10-4
11:06 < jnagro> thank you
11:06 < jnagro> FYI ssl error on https://secure-computing.net/wiki/index.php/OpenVPN/Routing
11:07 < jnagro> which is ironic considering the domain :-)
11:10 <@dazo> ecrist: ^^^ your certificate have expired!
11:27 < sjohnson> *cry*
11:27 < sjohnson> jnagro++
12:12 < tinyV0id> !welcome
12:12 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
12:12 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
12:13 < tinyV0id> !goal I would like to access Internet over VPN
12:14 < tinyV0id> But I can'e connect
12:15 < tinyV0id> !ovpnuke
12:16 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
12:16 < tinyV0id> !sweet32
12:16 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
12:17 <@ecrist> dazo: yeah, that web server has issues
12:17 <@ecrist> I'll poke at it now
12:45 < tinyV0id> My firewall is disabled and I still cannot connect
12:46 < tinyV0id> https://thepasteb.in/p/66hVj5vWJ6zTW
12:57 < DArqueBishop> tinyV0id: which firewall? Client or server?
12:57 < tinyV0id> Client
12:57 < tinyV0id> What is with server I don't know
12:57 < tinyV0id> University network
12:57 < tinyV0id> probably blocked
12:57 < DArqueBishop> Do you control the server?
12:58 < tinyV0id> no ofc
12:58 < tinyV0id> In Wondows vpn connection works
12:58 < tinyV0id> *Windows
12:58 < DArqueBishop> tinyV0id: you need to contact your VPN provider's tech support.
12:58 < DArqueBishop> !both
12:58 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
12:59 < tinyV0id> They told me the same
12:59 < tinyV0id> Tech support
12:59 < tinyV0id> VPN techsupport
12:59 < DArqueBishop> Then you need to talk to your university's tech support.
13:00 < tinyV0id> :D
13:00 < tinyV0id> I think they blocked everything not just for fun
13:00 < DArqueBishop> That makes sense.
13:00 < tinyV0id> even 6667 blocked
13:00 < tinyV0id> I use web interface to connect
13:01 < tinyV0id> But in Winodws everything works
13:01 < tinyV0id> with their software
13:01 < tinyV0id> I am talking about PIA btw
13:01  * DArqueBishop shrugs.
13:01 < DArqueBishop> If you say so.
13:02  * DArqueBishop has never used a commercial VPN provider.
13:02 < tinyV0id> oh ok
13:07 < tinyV0id> Feb 15 18:58:42 eos gnome-session[16399]: Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x3200007 (openvpn-tc)
13:07 < tinyV0id> I don't think it's an issue right?
13:14 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has left #openvpn ["Konversation terminated!"]
13:24 < tinyV0id> All 1501 scanned ports on my.network.host (0.0.0.0) are filtered
13:24 < tinyV0id> 500 - 2000
13:59 -!- F2Knight[away] is now known as F2Knight
14:14 <@ecrist> tinyV0id: shut down the filter.
14:14 < tinyV0id> I don't have access to the server unfortunately ecrist
14:16 <@ecrist> D:
14:18 < tinyV0id> It's not mine, I am in university network, behind NAT
14:19 < tinyV0id> In dorm, with no alternative ISPs
16:46 < timdotrb> Afternoon, all
16:52 < timdotrb> I’m trying to alter my server configuration so that clients can see each other on the VPN. I’ve uncommented the client-to-client line, but that didn’t seem to have any effect. I also added: push "route 10.8.0.0 255.255.255.0" to no avail
16:52 < timdotrb> Is there something else that I need to do so clients can see each other?
16:53 <@Eugene> You need to restart the openvpn daemon for config changes to take effect
16:54 < daemon> won't rehash do for most
16:54 < daemon> was not a suggestion, a question its self
16:56 < timdotrb> Sorry, forgot to mention that I restarted the openvpn service as well
16:57 <@Eugene> That should be all you need. tcpdump the client's tun interfaces to see what's going on(firewall is common here)
16:58 <@Eugene> Also, are you attempting to have the clients "see" each other via a L2 broadcast protocol(eg, WINS)? That won't necessarily work
16:59 <@Eugene> daemon - `openvpn` will respond to SIGHUP; however I don't care to make any assumptions about init scripts etc so I just say "restart"
16:59 < daemon> Eugene, seems fair, thank you
17:04 < timdotrb> Eugene: I was simply trying use Fing on my phone to have it map the “network”
17:05 < timdotrb> We are all on Macs. An issue that might be an obstruction currently is the VPN uses 10. IP addresses, and the local network here at the office uses 10. IPs
17:06 <@Eugene> Never heard of that tool. So you know, L2 discovery won't work over tun - L3 portscans will
17:06 <@Eugene> And yeah, 10.X collisions will be a problem.
17:06 <@Eugene> But that's a routing issue - not openvpn's fault ;-)
17:07 <@Eugene> !clientlan
17:07 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route
17:07 <@vpnHelper> for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
17:07 <@Eugene> !route
17:07 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
17:07 <@Eugene> Thw flowcharts are awesome ^
17:07 < timdotrb> Eugene: thanks. What should I be looking for in this tcpdump
17:08 <@Eugene> You want to verify that packets coming out of Client A bound for Client B actually show up at B
17:08 <@Eugene> And vice-versa
17:13 < timdotrb> Do I need to add the push “…” to my .ovpn client configs?
17:14 < angrynapkin> If I use  --push "redirect-gateway def1" to try and force all traffic thru the tunnel, after I connect, it seems my windows client is not removing its default route. I am probably doing something wrong, can someone lend a hand?
17:20 -!- timdotrb_ is now known as timdotrb
17:20 < daemon> angrynapkin, thats correct, the windows machine needs its default route to talk to its gateway and the internet
17:21 < daemon> def1 should be a more narrow scope, therefor capturing all the traffic that is meant for anything not directly the gateway
17:21 < daemon> so that openvpn which will interact with the gateway can
17:21 < angrynapkin> So even though the first route is the default non connected route, all traffic will still be funneled thru the tunnel?
17:21 < daemon> yeah consider it like this ... 0.0.00.
17:21 < daemon> err the default route is the entire internet
17:22 < daemon> 0.0.0.0/0 and that should goto the default gatewaY
17:22 < daemon> so openvpn adds a more specific route 0.0.0.0/1
17:22 < daemon> which in realism is the same, but it means that openvpn can still use the primary route to get internet access while capturing all the traffic
17:22 < daemon> because by default progarms will use the most precise route
17:22 < daemon> I think I got that right ^_^
17:24 < angrynapkin> I have a hard time understanding routes to tell you the truth.
17:24 < angrynapkin> I have basic understanding
17:24 < daemon> angrynapkin, I do understand it but I am shit at explaining lol
17:25 < angrynapkin> If my default is this:  0.0.0.0          0.0.0.0       10.10.10.1      10.10.10.20     25   befor and after I connect, doesnt this mean nothing is going thru the tunnel?
17:25 < daemon> right ... 0.0.0.0 means EVERYTHING
17:25 < daemon> I assume 10.10.10.1 is your gateway?
17:26 < daemon> and your 10.10.10.20
17:26 < angrynapkin> Yeah, so if thats my default when I am not connected....and when I am connected, and it should be diferent when I am connected.....it seems the Push command is not working?
17:26 < daemon> well, when you connect to openvpn a new network adapter is active I am not sure what it is on windows
17:26 < daemon> it is likely 'tunneling adapter' or something like that
17:27 < daemon> and for 0.0.0.0 it offers a more precise or 'faster' route
17:27 < timdotrb> Ok, so. I had my boss change the local IP range to 192. and now when I’m connected to the VPN, I can ping someone else on the VPN
17:27 < timdotrb> Is there any way to auto discover others on the network? My boss was looking for their computer to show up in Finder lol
17:27 < daemon> so all your internet traffic goes via 'tunneling adapter' and then openvpn routes that through your old 'default route'
17:29 < angrynapkin> this stuff is confusing, lol
17:29 < daemon> angrynapkin, short version: OpenVPN creates a fake network adapter, it tells windows its faster to get to the internet through that; so all progarms use that; while openvpn its self uses the original real adapter
17:32 < angrynapkin> Let me ask you this then. When looking at the routes, do they get matched by going top down? Do does the computer look at the Metric and use lowest number first? Or am I so off based I should just top asking questions.
17:33 < angrynapkin> The fake network adapter makes sense, because I seenan IP that I have no cluew where it came from, and its most likley the fake adapter
17:35 < daemon> for metrics you need someone else I deal with routing in BSD upstream
17:35 < daemon> but every OS will always use the most 'precise' route
17:36 < daemon> your default gateway is assigned the mask of 0.0.0.0/0 i.e. EVERYTHING, your lan might be 10.0.0.1/24
17:36 < daemon> so for lan traffic it will go down the /24 route as that is more precise
17:36 < daemon> so openvpn creates its 'adapter for the internet' as 0.0.0.0/1
17:37 < daemon> which is a TINY bit more precise than 0.0.0.0/o
17:37 < angrynapkin> Oh ok, I see. So if nothing is matched, it will go out the default 0.0.0.0
17:37 < daemon> yeah the more precise the scope the higher the priority
17:38 < daemon> so as 0.0.0.0/1 is more precise than 0.0.0.0/0 all your network activity goes to that
17:38 < angrynapkin> So will the OS keep trying to use the most precise no matter if the detibation can be reached or not? Or if it cannot be reached, will it try a less precise route?
17:39 < daemon> well you are sending 'default route' as in ... bottom of the pack
17:39 < daemon> there is nothing else to try
17:39 < daemon> as in reality 0.0.0.0/0 and 0.0.0.0/1 are the same thing, its just as its /1 its classed as more precise
17:40 < daemon> like your lan is 10.10.10.0/24 that is alot more precise than both of those masks
17:40 < daemon> so that will be dealt with before it even gets that far
17:41 < daemon> so if a packet is not bound for that range 10.10.10.1-254, it will pass to the next; which will be 0.0.0.0/1 which belongs to 'tunneling adapter' which is openvpn
17:42 < daemon> and hencefore passed off out into the cosmos
17:42 < daemon> if it did not match 0.0.0.0/1 it would goto 0.0.0.0/0 which it never will
17:42 < daemon> but you get the picture
17:43 < angrynapkin> Beginning to yes.
17:43 < angrynapkin> you say 0.0.0.0/1. Is that the same as a netmask of 128.0.0.0? Thats what I got for my vpn route
17:44 < daemon> http://www.subnet-calculator.com/cidr.php
17:44 < daemon> ;)
17:44 <@vpnHelper> Title: Online IP CIDR / VLSM Supernet Calculator (at www.subnet-calculator.com)
17:44 < daemon> default
17:44 < daemon> on screen
17:45 < angrynapkin> Oh ok, yeah. I wasnt sure if that was right when I looked up. ok, so then because its a /1 instead of /0, its just a tad bit closer to the destination, so its going to always choose the /1.
17:45 < daemon> yes
17:46 < daemon> and openvpn obviously knows this, ignores the routing table and passes to the real gateway
17:46 < daemon> hence why it can encrypt your traffic
17:47 < angrynapkin> And no matter what, if the /1 is not reachable, it will never goto the /0 because the default is 0.0.0.0, if the default of 0.0.0.0/1 isnt reahable, af fas its concerned, its got nothing else to try...0.0.0.0 is as low as it can go yeah?
17:47 < daemon> mmhmm
17:47 < angrynapkin> no? lol
17:47 < daemon> well the way routing tables work is they have a 'gateway' or a 'device' something that is responsible for them
17:48 < daemon> if you close openvpn the 0.0.0.0/1 route is removed
17:48 < daemon> so it will goto your normal gateway
17:48 < angrynapkin> yeah,
17:48 < angrynapkin> I am speaking while the connection is established
17:48 < daemon> well it is possible for a gateway to go missing and the route be active
17:49 < daemon> like if you turned your modem or whatever off
17:49 < daemon> all connections would simply timeout
17:49 < daemon> but in the event you closed openvpn it would mark the interface as 'down' and the routing table would immeediatly remove 0.0.0.0/1
17:50 < daemon> and everything would immediatly revert to using your system default gateway
17:51 < daemon> this is probably outside of your interest, but I tend to stick a BSD server upstream to my lan and do all the vpn routing stuff from there; makes life easier lol
17:51 < angrynapkin> So as long as that route 0.0.0.0/1 is in there, its always going to try that before 0.0.0.0/0. So If I added it manually with no tunnel established, with some garbage gateway, I would basically loose internet because it would be trying that route which clearly is bogus.
17:52 < daemon> yes
17:52 < daemon> you would effectively kill yourself from the net
17:52 < angrynapkin> Ahhh I am coming out f the fog
17:52 < daemon> if you ever find out what the hell metrics are
17:52 < daemon> let me know :P
17:54 < angrynapkin> I will, lol. Yeah I am tryng to setup openvpn on pfsense, and testing windows and linux clients, and just confused me when I was looking at the routes. But your expination helps a bunch.
17:54 < angrynapkin> linux isnt bad, there are only like 4, but windows...wow, its a whole page worth of numbers, lol
17:55 < daemon> hell yeah 7 and 10 have an entire scroll worth of them
17:55 < daemon> none of which appear to be of any relevance lol
17:55 < daemon> well except eth and tunnel
17:55 < daemon> :)
17:59 < angrynapkin> well: acording to MS, "The Metric field indicates the cost of a route. If multiple routes exist  to a given destination network ID, the metric is used to decide which  route is to be taken. " Bust since there is only one route usually, not sure what use this would be. :)
18:00 < daemon> ahhh
18:00 < daemon> multirouting
18:00 < daemon> I bet its for failover
18:01 < daemon> if you can access one location from multiple routes
18:01 < daemon> you can set 'weights' or as ms calls them 'metrics' on them
18:01 < daemon> so you can tell your system which path to use
19:29 -!- Vampire0_ is now known as Vampire0
22:52 -!- remirol is now known as lorimer
23:06 -!- F2Knight is now known as F2Knight[away]
23:23 -!- F2Knight[away] is now known as F2Knight
--- Day changed Thu Feb 16 2017
00:56 -!- eb0t_ is now known as eb0t
00:57 -!- def_jam is now known as eblip
02:35 < xalice> why is openvpn even doing packet reordering? isn't that TCP's job?
02:37 < xalice> (as TCP will most likely be used over the tunnel anyway, why would openvpn even check the order?)
04:01 < exp-innit> xalice: i imagine ovpn is using CBC or similar?
04:01 < adac> can there actually run 2 openvpn clients on one machine?
04:01 < exp-innit> i'm not an expert on the topic
04:01 < exp-innit> adac: certainly, i run more than 4
04:02 < adac> like I mean 2 binaries
04:03 < xalice> exp-innit: yes but each data packet is independently encrypted afaik
04:04 < xalice> i don't see why not adac, do you have a more precise problem with it?
04:05 < adac> xalice, hmm actually I didn't try it out yet, but I will soon. I will have two docker containers running with each of those running an openvpn client on the same host machine
04:05 -!- F2Knight is now known as F2Knight[away]
04:05 < xalice> well yes then that should work, I too have been doing that with and without containers for some time
04:06 < adac> cool then! awesome! :)
04:06 < adac> thanks a lot!
04:21 < swi> Hello.
04:23 < swi> I'm trying to make some of clients to have fixed IP (according to howto on site), but my server just ignore what is written in ccd/ files. In logs i dont' see any error. filesystem rights on this folder is readable by openvpn. Can someone help?
04:52 -!- ketas- is now known as ketas
08:02 -!- tx is now known as a_3C905TX
08:02 -!- a_3C905TX is now known as tx
08:25 <@ecrist> daemon: "metrics" is the normal term to "weight" a route.
08:25 <@ecrist> it's not just a microsoft thing
08:26 <@ecrist> adac: yes, you can run more than one instance of openvpn, even different versions
08:29 < adac> ecrist, thats cool!
08:29 < adac> :)
09:35 <@ecrist> dazo: secure-computing.net should be back online
09:35 <@ecrist> I fought and won the battle of letsencrypt since my previous SSL providerd couldn't properly manage the security of their signing keys.
10:06 < dakar> can somebody give me a hint or two about a simple issue?
10:06 < dakar> I had the same thing with a very similar setup in the past
10:06 < dakar> I can't remember what fixed it.
10:06 < dakar> I have OVPN running on a server behind NAT. I can connect to that server just fine remotely
10:07 < dakar> the end point IP of the server (10.1.0.1 or whatever) responds to pings just fine
10:07 <@dazo> ecrist: cool!  letsencrypt should work reasonably well ... I'm using acme_tiny.py myself in my private setups
10:07 < dakar> however, the whole network the server is connected to (192.168.1.x) is unreachable to the OVPN client
10:16 < dakar> I found it. I've set gateway_enabled, but I forgot that only applies on boot, so I manually sysctl'ed it. sorry for the bother ;p
10:42 < DArqueBishop> ecrist: I'm also using Let's Encrypt for my own site and haven't had any issues.
11:50 < jnagro> letsencrypt++
11:55 <@Eugene> LE is neat, but what we really need is another CA with ACME support.
11:55 <@Eugene> Eggs, baskets, etc
12:13 -!- F2Knight[away] is now known as F2Knight
13:35 <@ecrist> DArqueBishop/dazo: so far I hate LE
13:35 <@ecrist> I don't like short expiry
13:35 <@ecrist> and the hacking I had to do in order to get a certificate working was insane
13:35 <@ecrist> but it was free.
13:36  * ecrist eyes StartSSL angrily
13:39 <@Eugene> I actually didn't have very much of an issue, once I stopped fucking-about
13:39 < vectr0n> technically it wasnt startssl it was the parent CA ;(
13:40 <@ecrist> I liked their authentication model.
13:40 < vectr0n> i liked the new 3 year certs before they fucked up >.< lol
13:40 <@ecrist> prove your identity, they issued a certificate you used to authenticate with their website, where you could register/create other certificates for server/etc
13:41 < vectr0n> ya it was a decent setup
13:41 < vectr0n> if they hadnt of been bought out they would still be fine lol
13:41 <@ecrist> right
13:41 <@Eugene> Honestly, StartSSL was always really shady on the backend
13:41 <@ecrist> it was the purchase, too, that caused problems.
13:41 < vectr0n> chinese are usually always sneaky and sketchy, just how it is lol
13:41 <@Eugene> Yes they had a novel PKI scheme, but their customer support was "some dude in a garage in Israel"
13:41 < vectr0n> no offense to anyone..
13:42 <@Eugene> The handling of Heartbleed really put me off - you can't claim to care about security on one hand and then ignore major global TLS issues
13:43 < vectr0n> they wont ever regain any type of traction i dont think, everyone i know who used startssl are now using LE w/o much issues lol
13:43 <@Eugene> I believe that their code-signing certs are still good, but no, the company is dead
13:43 <@ecrist> my problem with LE is the lack of working software on FreeBSD for it
13:43 <@Eugene> I think thats good: losers should fail out of the market
13:44 < vectr0n> i have no issues w/ acme.sh
13:44 <@ecrist> you can get certbot installed, but it only does part of the work.
13:44 <@Eugene> `pip` works on FBSD doesn't it?
13:44 < vectr0n> no need for root either w/ acme.sh
13:44 <@ecrist> yes, but the stuff to restart apache, etc.
13:44 <@Eugene> acme.sh is a pile of shit
13:44 < vectr0n> easier to use then most things, so it is what it is ;p
13:44 <@Eugene> `certbot` has a --post-hook that you point to a wrapper....
13:45 <@Eugene> Use --webroot and symlink/nginx alias ^/.well-known/ and bob's your uncle
13:46 <@Eugene> The ncurses GUI is an inexcusable heaping pile of Ubuntuism trash; don't even try using it
13:46 <@ecrist> Eugene: I'm not saying it's not possible, I understand the mechanics.
13:46 < vectr0n> i always use the dns auth/challenge/whatever its called, not all my stuff is open but needs a "legit" cert lol
13:46 <@Eugene> acme.sh+DNS didn't work for me because of the long time to propagate DDNS updates out to my slaves
13:47 < vectr0n> works perfectly for powerdns :)
13:47 <@ecrist> certbot doesn't support the DNS option
13:47 <@Eugene> If I was running my own public resolvers it would be fine - I'm not, too much DoS crap
13:47 < vectr0n> was easy for me, been running powerdns for years lol
13:48 <@ecrist> Eugene: I'v never see DoS problems for DNS.  I've been hosting DNS for ~20 years
13:48  * ecrist holy shit I'm old
13:48 < vectr0n> same
13:48 < vectr0n> even if i did, ovh can deal with it np lol
13:48 <@Eugene> I've been dealing with it for just as long and I have definitely seen all kinds of DoS reflection crap with DNS, NTP, and everybody knows slowloris
13:48 <@Eugene> Maybe my websites jsut deal with more assholes
13:49 < vectr0n> lol
13:50 < DArqueBishop> ecrist: there's a certbot package in EPEL for CentOS, and I just use that. I also have an entry in crontab for automatic renewals.
13:50 <@ecrist> Eugene: I hear the admin was the first. :P
13:50 <@ecrist> DArqueBishop: linux, yuk
13:51 <@ecrist> even after using Red Hat/CentOS *heavily* for $work for 2+ years, I still prefer my FreeBSD
13:51 <@Eugene> ecrist - the full joke is that I host a goatse mirror :v
13:51 <@ecrist> heh
13:52 < DArqueBishop> Ah, so you host one of the internet's big gaping holes.
13:52 < vectr0n> lol
13:52 <@Eugene> Have any of you played with pfsense's new acme package? I installed it, but haven't stood up a lab instance with a public IP yet
13:53 < vectr0n> using it on 50+ pfsense systems
13:53 < vectr0n> no issues
13:53 <@ecrist> heh, so you guys use freebsd too
13:53 < vectr0n> i pref freebsd over any os
13:53 <@ecrist> fuckit, have an oper
13:53 -!- mode/#openvpn [+o vectr0n] by ecrist
13:53 <@vectr0n> just not for my desktop cuz i have better things to do with my time, lol
13:53 <@vectr0n> and dont like trueos, etc
13:54 <@ecrist> indeed, that's why I use a Mac for home
13:54  * DArqueBishop stands defiant.
13:54 -!- mode/#openvpn [-o vectr0n] by vectr0n
13:54 -!- mode/#openvpn [+v DArqueBishop] by Eugene
13:54 <@ecrist> RHEL7 at work
13:54 <@ecrist> started poking at Windows 10, not too bad so far
13:54 <@Eugene> I was hired as a linux guy; I've been replacing everything with pfsense+VMware & appliances
13:54 < vectr0n> mix of deb/freebsd at work, just depends on the requirements, and a few ubuntu for those piles of crap sw that "need" it lol
13:55 <@Eugene> Not-so-secretly automating myself out of any daily responsibility is a nice job
13:55 <+DArqueBishop> My work desktop is Windows 10, and my work laptop is Windows 7.
13:55 < vectr0n> lol, we run a full vmware "ecosystem"
13:55 <@Eugene> Its nice if you have cash
13:55 <@Eugene> (and customers without cash are customers we didn't want anyway)
13:55 < vectr0n> ya, thats not an issue for my employer, thankfully, not def not the norm
13:55 <@ecrist> I like that my current employer has cash
13:56 < vectr0n> but*
13:56 <@ecrist> we have multiple vmware clusters, lots of NetApp, etc
13:56 <@Eugene> We only have one NetApp :-(
13:56 <@Eugene> I miss my clusters
13:56 <@dazo> ecrist: The official LE client is a pain ... which is why I ended up with acme_tiny.py ... simple script which requires no root privileges, just read/write access to those things it really needs (not even the private key)
13:57 <@ecrist>   1:55pm up 2662 days, 20:55 191401012293 NFS ops, 5897 CIFS ops, 6836 HTTP ops, 0 FCP ops, 0 iSCSI ops
13:57 <@ecrist> Eugene: ^^^
13:57 <@Eugene> 2662 days.... 7.3?
13:57 <@dazo> https://github.com/diafygi/acme-tiny/
13:57 <@vpnHelper> Title: GitHub - diafygi/acme-tiny: A tiny script to issue and renew TLS certs from Lets Encrypt (at github.com)
13:57 <@Eugene> Time to get yoself some cluster-mode
13:57 <@ecrist> yeah, 7.3
13:57 < vectr0n> being a remote director, my security contract stops me from sharing fun stats :( lol
13:58 <@ecrist> I really enjoy CDOT on our newest system
13:58 <@Eugene> One problem that I ran into with acme.sh(and probably acme_tiny suffers from this as well?) is that the ACME spec isn't finished
13:58 <@Eugene> Nothing like a string change and forgetting a cron job to ruin production
13:59 < vectr0n> ive only used LE on my personal stuff, we have wildcards at work, so i dont really worry about small stuff like that, icinga2 will bitch at me if the certs isnt renewed in time, lol
14:00 < vectr0n> we havent pulled the acme pfsense package into production, still in the lab, but doing fine, lol
14:04 <@dazo> gee ... this list have grown a lot since last time I looked ... https://letsencrypt.org/docs/client-options/
14:04 <@vpnHelper> Title: ACME Client Implementations - Let's Encrypt - Free SSL/TLS Certificates (at letsencrypt.org)
14:06 <@dazo> but yeah, the acme spec is still a draft ... https://letsencrypt.org/docs/acme-protocol-updates/
14:06 <@vpnHelper> Title: ACME Protocol Updates - Let's Encrypt - Free SSL/TLS Certificates (at letsencrypt.org)
14:07 <@dazo> (but they do promise to try to have some stability and avoid breaking compatibility with older clients, it seems)
14:08 <@ecrist> I wonder what protocol SAP uses for the authentication scheme
14:08 <@ecrist> SAP generates a new certificate every day for every user
14:09 <@ecrist> there's a client on my Windows box, SAP Secure Login Client
14:09 <@ecrist> tied to SSO with AD
14:09 < vectr0n> when someone would like to change the ovpn server ip so it's not the first ip in say a /24 subnet and it be .254 ive seen in the man page 3 lines to change the server ip to something else, but it would be ifconfig .254 .255, but that wouldnt work as .255 being a broadcast ip, am i missing something? been a long day already >.<
14:11 <@dazo> vectr0n: have a look at the --server option ... that is basically a macro for a bunch of other options ... so you can't use --server, but you should be able to do it manually
14:12 <@ecrist> what dazo said, remove --server and add in all the lines that the macro provides manually
14:13 < vectr0n> and ifconfig 10.47.10.254 10.47.10.255 wont cause an issue w/ the ovpn server?
14:13 <@ecrist> I don't think you can do that
14:13 < vectr0n> thats what i kinda thought lol
14:13 < vectr0n> so just bump it forward one and it should be ok
14:15 < vectr0n> thx guys got some notes for tonight to explore :)
14:15 < vectr0n> and/or gals lol
15:10 <@dazo> vectr0n: Without having studied the code paths involved much ... I don't see why --ifconfig x.x.x.254 255.255.255.0 wouldn't work (using --topology subnet) ... together with --ifconfig-pool x.x.x.10 x.x.x.99 255.255.255.0
15:10 <@dazo> just to give an idea
15:11 <@dazo> the syntax you provided (ifconfig 10.47.10.254 10.47.10.255) looks more like a peer-to-peer/site-to-site ... without using --server
15:12 < vectr0n> aha that makes more sense, ya i was just trying to understand the man page and what it was showing, but what you suggested sounds more of what im after
15:13 <@dazo> --ifconfig can indeed be confusing ... as it have different syntax, based on the operational mode
18:38 -!- F2Knight is now known as F2Knight[away]
19:13 < ordex> morning !
19:27 -!- F2Knight[away] is now known as F2Knight
21:38 < jnagro> i've been really banging my head against the wall...
21:39 < jnagro> okay, so i have a server, eth0, tun0, and tun1
21:39 < jnagro> eth0 is clearnet. tun0 is cjdns (mesh networking, a form of VPN lets say), and tun1 is openvpn
21:39 < jnagro> when i connect to openvpn, a default route is pushed and takes over the box, dont want that
21:39 < jnagro> so i can like, --no-exec and thats fine
21:40 < jnagro> my end goal is to route tun0 traffic out to tun1
21:40 < jnagro> leaving the default gateway eth0 intact
21:40 < jnagro> so the network continues to work as it normally would without openvpn (as far as the server is concerned, not tun0)
21:40 < jnagro> any ideas? i've tried a number of things
21:43 < jnagro> by --no-exec i meant --route-noexec
21:59 < ordex> jnagro: maybe with a up.sh script ? you could create another routing table and push the def route coming from ovpn in there
21:59 < ordex> then with policy routing you push all the traffic coming from tun0 to use the new table
21:59 < jnagro> ordex: sure - ive been playing around with various attemps without luck...
22:00 < jnagro> ordex: would you have a suggestion on what that route/ip command would look like?
22:00 < jnagro> this is sorta what is already in place
22:00 < jnagro> https://gist.github.com/johnnagro/ae281f379d75342b2329a2521a246347
22:00 <@vpnHelper> Title: cjdns iptunnel iptables config · GitHub (at gist.github.com)
22:00 < jnagro> the "server" has openvpn running in client-mode
22:00 < jnagro> server in this case is like cjdns iptunnel server
22:01 < ordex> jnagro: you crate new policies with "ip rule" and then "ip route" with the table argument to use that specific table
22:01 < ordex> you can search online for "multiple routing tables" or something similar I guess
22:01 < ordex> I don't have time to dig into your case right now, sorry :( but I think that ip rule with an additional routing table might help here
22:02 < jnagro> ordex: no worries, thanks for the lead - i hadn't looked into multiple routing tables, that sounds promising
22:05 < ordex> with an additional routing table you can have it dedicated to traffic coming from a specific subnet only, the rest won't be affected as it will go through the main table
22:05 < ordex> hope this helps :)
23:23 < jnagro> it sort of does
23:23 < jnagro> i could still use some help if others have ideas.
--- Day changed Fri Feb 17 2017
01:54 < aarya> Hi everyone, I have setup openvpn server with a standby openvpn server in bridge mode, i have multiple client servers (having Public IP) with cert base. I used the ipp.txt for static ip persistance for clients. Now I am facing issue that if any of client fails or restarted or something else then i have to restart all the clients. Eg. I have 10 client servers and issue become like clinets 1-3 can connect to each other, 4-7 can connect to each other and rest
01:54 < aarya> to each other, but could not connect to other clients. it make them like small groups. when I restart all the clients again then every client can connect to each other. I am searching for solution, looks like ccd can solve my problem, but I am not sure how to give two ip address of (openvpn server and standby server ) in ccd/test.user file.
02:05 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
02:05 -!- mode/#openvpn [+v hyper_ch] by ChanServ
03:26 -!- F2Knight is now known as F2Knight[away]
04:08 < mahendratech> ho
04:09 < mahendratech> hi
04:09 < mahendratech> Can anyone helps how to add group in ldap auth
06:30 <+hyper_ch> hmmm, does aes-ni help with openvpn if you use rsa? I'm pretty sure it doesn't help when using ecdsa
06:31 < BtbN> It helps with AES, like the name might suggest.
06:31 < BtbN> rsa/dsa performance does not really matter to begin with
06:34 <+hyper_ch> well, wasn't sure if AES helps there as well :)
06:34 < BtbN> It doesn't, entirely diffrent problem.
06:35 < BtbN> But you don't use asymetric crypto outside of the initiation
08:04 < Egyptian_> !welcome
08:04 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
08:04 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
08:04 < Egyptian_> !route
08:04 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
08:05 < Egyptian_> !1925
08:05 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
08:12 < Egyptian_> !goal my openvpn server is setup with ldap . i can connect and authenticate and see the new routes. i cannot connect to the other servers behind the vpn server
08:16 -!- dazo [~dazo@openvpn/corp/developer/dazo] has left #openvpn []
08:16 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
08:16 -!- mode/#openvpn [+o dazo] by ChanServ
08:21 < skamath> !goal Make others access a service running on my local port when I am connected to an OpenVPN server
08:22 < skamath> !goal I need to also disable internet access to all those who have connected to the VPN
08:23 < Egyptian_> !goal make clients access servers behind openvpn server when they are connected
08:23 < Egyptian_> goal doesnt seem to be working ?
08:29 <+hyper_ch> !goal want to take over the world
08:29 <+hyper_ch> skamath: what do you need?
08:30 <+hyper_ch> !client-to-client
08:30 <@vpnHelper> "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other
08:30 <@vpnHelper> clients
08:30 < skamath> Perfect! Just what I wanted :)
08:30 < skamath> hyper_ch, Thanks a lot. How do I disable internet for openVPN clients.
08:31 <+hyper_ch> skamath: if their internet acess is disabled, how would they access the vpn?
08:31 < skamath> hyper_ch, It's like - I do not want them to have internet access when connected to openVPN.
08:32 < skamath> hyper_ch, It'd be nice if I can selectively choose who has internet access when connected to openVPN.
08:32 <+hyper_ch> force routing on them all through the vpn and then
08:32 <+hyper_ch> !def1
08:32 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
08:33 <+hyper_ch> !route
08:33 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
08:34 < skamath> I'll read about it. Thanks hyper_ch :)
08:34  * skamath gives hyper_ch a choco-chip cookie.
08:34 <+hyper_ch> there are ways... but haven't used that for a looooong time
08:34 <+hyper_ch> !gen
08:34 <+hyper_ch> !krzee
08:34 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20, or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg, or (#3) location: moon base where he smokes moonajuana, or (#4) takes bonghits on the freeswitch teleconference
08:35 <+hyper_ch> !generator
08:35 <+hyper_ch> hey krzee , you still got your ovpn generator?
08:35 < skamath> moonajuana, lmao.
08:38 < skamath> hyper_ch, Does it generate server ovpn or client?
08:38 < skamath> I found something here : https://github.com/korylprince/OpenVPN-Client-Generator
08:38 <+hyper_ch> both... if he still has it
08:38 <@vpnHelper> Title: GitHub - korylprince/OpenVPN-Client-Generator: An OpenVPN utility to create client bundles. (at github.com)
08:39 <+hyper_ch> that's not krzee's
08:39 <+hyper_ch> !confgen
08:39 <@vpnHelper> "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/, or (#3) you must run this in bash
08:39 <+hyper_ch> that was it
08:41 < skamath> Perfect!
08:41 <+hyper_ch> not sure if it's current
08:42 < skamath> Thanks a lot hyper_ch :)
08:42 < skamath> I'll check it out.
09:00 < alexandre9099> hi, i want to run openvpn on different ports with one instance, is that possible?
09:01 <+hyper_ch> not that I know of
09:02 < alexandre9099> :/ is it possible to run openvpn on side of apache? (Same port)
09:04 < alexandre9099> strange thing :/ connecting to openvpn server internal ip (using pptpd) i can connect with port 80, but with the outside ip it only works with other ports that 80 :/
09:08 <+hyper_ch> alexandre9099: yes, apache uses tcp.... openvpn prefers udp
09:08 <+hyper_ch> so you can run them both on port 8
09:08 <+hyper_ch> port 80 / 443
09:11 < Egyptian_> this is weird. i can connect and authenticate but tcpdump doesnt show any traffic
09:12 <+hyper_ch> do you use tcp or udp?
09:12 < Neighbour> are you running tcpdump on the correct interface?
09:12  * hyper_ch thinks tcpdump doesn't show udp traffic but not sure
09:12 < Egyptian_> ahhh
09:12 < ordex> why not ?
09:12 < Neighbour> tcpdump shows all IP-traffic, including udp :)
09:12 < ordex> it should dump anything, also non ip actually
09:13 < Neighbour> ah, yes, indeed
09:13 < Egyptian_> ok so i was doing tcpdump -i tun0
09:13 < Egyptian_> so .. how is it the client authenticated and was pushed the routes?
09:14 < ordex> -i tun0 dumps traffic *over* the vpn interface
09:14 < ordex> but it seems you are interested in the control traffic
09:14 < ordex> so you have to dump on the interface used to *connect* to the vpn server
09:14  * ordex recommneds using a filter :P)
09:15 < Egyptian_> ordex: i just want to find out why my client can connect and auth but not reach any server in the vlans
09:15 < ordex> Egyptian_: I have no clue about your setup, sorry :P but if you can ping the VPN server (*over* the vpn), it might be a routing/bridging problem
09:16 < ordex> but i haven't read anything about the discussion you had so far, so sorry if I am jumping to wrong conclusions
09:16 <+hyper_ch> so the name, tcpdump, is misleading then :)
09:16 < ordex> hyper_ch: yeah, i guess it is just its historycal name
09:16 < Egyptian_> ordex: i cant
09:16 < ordex> but i would say it is pretty famous nowadays to be not misleading anymore :P
09:17 < ordex> Egyptian_: what are you pinging exactly ?
09:17 < Egyptian_> any server in the vlan including the vpn server
09:17 < Egyptian_> and ssh
09:19 < ordex> maybe you start with the client & server configuration ? just to have an idea of what your network looks like ?
09:23 < Egyptian_> https://paste.fedoraproject.org/paste/Hy8J6ODWd6W3Qvhy2GZy4V5M1UNdIGYhyRLivL9gydE= https://paste.fedoraproject.org/paste/1~Gq46oMu3zafhUTY61rKF5M1UNdIGYhyRLivL9gydE=
09:23 < Egyptian_> 1st is server 2nd is client
09:26 < Egyptian_> and DEFAULT also exists with proper permissions (it pushes the routes)
09:28 < AquaL1te> guys... running openvpn as user and group nodbody is safe. buuuuut, executing learn-address scripts with for example ip route add/del commands require sudo entries for the ip command. giving the user nobody sudo rights for the ip command seems like a no-no since the user nobody is designed to have no privileges. what is wisdom? run the openvpn service with a system uid user with the /bin/nologin shell?
09:29 < ordex> Egyptian_: and if you ping 172.31.241.1 you get nothing ?
09:30 < ordex> if so, are you sure the firewall on the server is not blocking the ping? but even if this is the case, I don't see any route statement in your config - where is the VLAN exactly ?
09:32 < Egyptian_> iptables -nL shows no rules implemented
10:37 < AquaL1te> is there a way to define an order if multiple ports are defined on a openvpn client? for example i use 1194 udp and 443 tcp. the 443 tcp is just to have openvpn at places where port 1194 udp is blocked. but my preference is to have my openvpn tunnel through udp.
10:38 < MacGyver> I just have multiple client configs for that.
10:40 < AquaL1te> i think  <connection> profiles will work, just found it
10:44 < AquaL1te> MacGyver: yes, connection profiles work perfectly!
10:44 < ordex> AquaL1te: also multiple remote lines is the same
10:52 < AquaL1te> ordex: not in my experience, or it's just luck. now it only chooses the udp connection because that connection profile is first, only when i stop the udp profile it goes for tcp. tried about 10 times now
10:53 < ordex> yeah, the client tries the connection profile in the order provided (unless a specific option aimed to randomize the order is specified)
10:54 < AquaL1te> ordex: hmmm okay, i guess a default random switch was turned on. because before it was random
10:54 < ordex> mh
10:54 < ordex> ok
10:55 < AquaL1te> i see, remote-random in the man page. i'll turn that one of just to be sure. thanks ordex!
11:00 < mahendratech> Can anyone helps how to enable ldap auth on group
11:11 < lauri> Hi guys, in case of point-to-point OpenVPN tunnel how can I easily rewrite packet source IP address to a sort of canonical address (boxes IP in the LAN) instead of having to describe all tun subnets in the routing tables? Right now I have iptables -t nat -I POSTROUTING -s <tun-source-ip-address> -o tun-office -j SNAT --to <boxes-address-in-lan> but is there a better way?
11:14 < mahendratech> hi lauri have you tried ldap integration with openvpn with group based auth
11:15 < lauri> not really
11:16 < mahendratech> ok thanks
11:16 < lauri> I just use CA to issue certificates to users filtered by LDAP filter
11:17 < mahendratech> I am doing same
11:18 < mahendratech> I just wanted to auth specific users instead of all ldap users
11:19 < lauri> ldap user filter = (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(primaryGroupId=513)(samaccountname=%s))
11:19 <@ecrist> mahendratech: it's a two-step process
11:19 <@ecrist> you're comparing two different things in one
11:19 < lauri> this filters active user accounts from AD whose primary group is Domain Users
11:19 <@ecrist> first, authentication, which doesn't need to concern itself with groups
11:20 <@ecrist> second, authorization, which comes after authentication
11:28 -!- dazo [~dazo@openvpn/corp/developer/dazo] has left #openvpn []
11:30 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
11:30 -!- mode/#openvpn [+o dazo] by ChanServ
11:33 < mahendratech> ok
11:36 < mahendratech> i am using--
11:36 < mahendratech> <Authorization>
11:36 < mahendratech>         BaseDN          "dc=xxx,dc=xxx"
11:36 < mahendratech>         SearchFilter    "(&(uid=%u))"
11:36 < mahendratech>         RequireGroup    true
11:36 < mahendratech>         <Group>
11:36 < mahendratech>                 BaseDN          "ou=Groups,dc=example,dc=com"
11:36 < mahendratech>                 SearchFilter    "(cn=developers)"
11:36 < mahendratech>                 MemberAttribute MemberUid
11:36 < mahendratech>         </Group>
11:36 < mahendratech> </Authorization>
11:37 < mahendratech> but getting error
11:38 <@ecrist> !paste
11:38 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
11:38 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
11:48 < mahendratech> here is my full configuration:
11:48 < mahendratech> https://paste.fedoraproject.org/paste/YnTrxez75Fv9L6hsoEbmk15M1UNdIGYhyRLivL9gydE=/deactivate/vbPNrWEgv1vfO7OeyqXgn5Lj7Xj0cjHUPFvmvaTD1usdb2SqcNL2qv1YbqD1zCgD
11:58 < NotSecwitter> is the client's vpn interface supposed to have a default gateway that is the server?
12:21 < NotSecwitter> my server is pushing route-gateway, but the clients are not accepting it
12:21 < NotSecwitter> any thoughts?
12:37 < zoredache> increase the verbosity, and look at your client logs.  Do you see the option being pushed to the client?  Do you see any errors when it tries to set the gateway?
12:38 < NotSecwitter> i see it push
12:38 < NotSecwitter> on the client I see an error that ipconfig returned code 2
12:38 < NotSecwitter> in the logs, I don't see the client even setting route-gateway
12:38 < NotSecwitter> is there a way to increase client verbosity?
12:38 < zoredache> !logs
12:39 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
12:39 < NotSecwitter> sec
12:41 < NotSecwitter> zoredache: client log http://pastebin.com/J1RNkT5c
12:41 < NotSecwitter> this is the log I want to increase verbosity on
12:42 < NotSecwitter> zoredache: server log http://pastebin.com/hqjQP9WJ
12:43 < NotSecwitter> line 13 shows the push for route-gateway
12:45 < zoredache> What are you expecting the `route-gateway` to do?  Did you mean `redirect-gateway`?
12:46 < NotSecwitter> no, route-gateway shoudl apply as the default gateway ont he virtual adapter
12:46 < NotSecwitter> suddenly, none of my clients have a default gateway on the tunnel adapter
12:46 < zoredache> no, route gateway just defines a variable that is used for other routes
12:47 < NotSecwitter> well besides connecting, suddenly nothing can get into the network
12:47 < NotSecwitter> you can see I'm advertising a DNS server of 10.1.1.1
12:47 < NotSecwitter> i can't ping it or complete nslookup
12:48 < NotSecwitter> and if I ping 8.8.8.8 it's supposed to go out the normal interface, but I can't ping anything
12:49 < zoredache> the bigger problem is that your client doesn't seem to be seeing the `route 10.1.0.0 255.255.0.0` being pushed by the server which is almost certainly what permits access to your network.
12:49 < zoredache> Like the !logs set try bumping up the verb on the client if it isn't 4 already.
12:50 < NotSecwitter> zoredache: route print shows that route
12:50 < NotSecwitter> 10.1.0.0 255.255.0.0 172.16.5.1
12:50 < zoredache> well what happens if you do a traceroute to something across the vpn link then?
12:50 < zoredache> where does the trace fail?
12:51 < timdotrb> Morning all
12:52 < NotSecwitter> zoredache: first hop
12:52 < NotSecwitter> ping 10.1.1.1 fails at the first hop
12:53 < zoredache> ping isn't a traceroute, and the error your getting even from ping would tell  you something. Is it just dieing, or giving you a destination unrechable from ?.?.?.? or what?
12:55 < NotSecwitter> time out
12:55 < NotSecwitter> duh... the ping is failing because i'm an idiot
12:56 < NotSecwitter> but, I still can't ns lookup
12:56 < zoredache> A timeout would make me suspect the firewall or something on your VPN server.  I would probably next fire tcpdump on the vpn server looking at the tun interface filtering for icmp.
12:57 < NotSecwitter> it was the firewall for icmp, hence the me being dumb part
12:57 < dorp> Hello, I have a licensing question. I'm using a third-party Windows application that utilizes "openvpn.exe" in the background. It seems to me that it's a custom build- I was wondering if the author of said application is required to provide the source alongside this custom openvpn.exe binary?
12:58 -!- timdotrb_ is now known as timdotrb
12:58 -!- varesa_ is now known as varesa
12:59 < NotSecwitter> zoredache: now that I can ping, it's still having DNS issues
13:01 < zoredache> So why, is your client properly getting the DNS configured, can the client ping, or communicate with the DNS server, is the DNS server somehow restricting recursion or something based on network?
13:03 < NotSecwitter> no, ICMP is enabled on all of our servers
13:03 < NotSecwitter> but it's not responding
13:10 < NotSecwitter> zoredache: I think it's a routing problem
13:10 < NotSecwitter> I dismissed it at first.
13:11 < NotSecwitter> Our internal routers are managed by a contractor. I asked them to update a route when I had the OpenVPN server running behind our old ASA
13:11 < NotSecwitter> they sent me a copy of the configs, and I didn't see the route in there
13:11 < NotSecwitter> but I can see traffic coming into the network, just not back
13:14 < zoredache> Ah, well you could do the evil thing, and do SNAT on your vpn server temporarily.  That is SNAT/MASQ anything coming from the VPN network to the main network.
13:14 < NotSecwitter> eh?
13:14 < NotSecwitter> ah, give it the server's ip
13:15 < zoredache> So on the VPN server, if it is linux-based. just setup an iptables rule to SNAT your vpn network.  From the main network, everything will appear to come from the vpn server.
13:15 < NotSecwitter> it's pfsense
13:15 < zoredache> It breaks some protocols though, so it isn't a good permanent solution.
13:15 < NotSecwitter> i'll need to dig in the configs
13:16 < zoredache> I am sure pfsense has some kind of equivalent
13:16 < NotSecwitter> yea. I just need to figure out where :3
13:22 -!- F2Knight[away] is now known as F2Knight
13:41 < Algernop> !welcome
13:41 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
13:41 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
13:41 < Algernop> !triggers
14:27 < CelSecwitter> Hello
14:28 < CelSecwitter> So, the virtual adapter for the VPN in tun mode will never have a default gateway?
14:34 <@dazo> CelSecwitter: not by default
14:34 <@dazo> !redirect
14:34 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
14:34 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
14:36 < CelSecwitter> Hmm, because no traffic to unknown destinations would be routed to the server?
14:38 -!- r00t^2 is now known as jth4n
14:38 -!- jth4n is now known as r00t^2
14:43 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has left #openvpn ["Konversation terminated!"]
15:01 <+DArqueBishop> CelSecwitter: without specifically specified route commands involving the VPN (including if they were pushed from the server), the only subnet the VPN adapter would see is the VPN subnet.
18:31 < timdotrb> Not sure if this is a question for this channel or elsewhere, but I’m having an issue with openvpn where my IP address does not appear to change? After connecting, if I check a website such as whatismyipaddress.com, it shows the IP of the VPN server. However, if I try to ssh into the server itself, the firewall blocks the login attempt and says the source address is my ISP IP
18:33 < timdotrb> The problem also seems to be somewhat intermittent. I can’t connect to server A while VPN’d through server A because it says my IP is my ISP IP. If I’m VPN’d into server B, I’m allowed to ssh into server A because it recognizes my IP as server B. However, I can’t ssh into server B when VPN’d through A or B because it says my IP is my ISP IP ¯\_(ツ)_/¯
18:37 -!- timdotrb_ is now known as timdotrb
18:41 < timdotrb> I also have this line enabled: push "redirect-gateway def1 bypass-dhcp"
23:52 < Someguy123> I'm attempting to use OpenVPN to bridge an external server onto a small LAN
23:53 < Someguy123> right now, the VPN server can see the external server on the bridged LAN at x.x.x.200, and can ping other devices on the lan, e.g. x.x.x.13
23:53 < Someguy123> however, the external server cannnot see anything on the LAN. only the VPN server, x.x.x.18
23:54 < Someguy123> I've tried pushing a manual route, however that didn't seem to help anything
23:54 < Someguy123> how do I resolve this issue? I'm using the default bridge script suggested by the wiki
--- Day changed Sat Feb 18 2017
00:03 <@ecrist> suuuuuuuup bitches?
00:06 < ordex> :D
00:09 <@ecrist> heh
00:19 < Someguy123> update: looking at tcpdump on the VPN server, I can see that 10.99.0.13 is definitely getting routed to the VPN server, but I'm not sure what happens from there
00:20 < Someguy123> https://gist.github.com/Someguy123/10d68652c0087db32f351e1a1c580012
00:20 <@vpnHelper> Title: gist:10d68652c0087db32f351e1a1c580012 · GitHub (at gist.github.com)
00:20 < Someguy123> I mean, it looks like the ARP negotiation happens, so I'm not sure why .200 can't route into the LAN
00:31 < Someguy123> something odd I noticed, it seems to take 20 seconds for .13 (LAN) to send the ARP reply after .200 (external, vpn) asks for it
03:07 -!- F2Knight is now known as F2Knight[away]
04:38 < rizonz> hi guys
04:38 < rizonz> is it possible to run multiple openvpn server that deliver the same subnet to their clients ?
06:05 < SupaYoshi> !vpnhelper
06:05 <@vpnHelper> "vpnhelper" is "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
06:05 < SupaYoshi> !topic
06:05 <@vpnHelper> "topic" is see /topic instead.
06:06 < SupaYoshi> !goal
06:06 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:06 < SupaYoshi> !goal i just want a secure connection between 2 computers
07:52 < thundergulp> Hi, I've been having an issue with dnsmasq and openvpn for a while now, I haven't been able to figure it out. I posted a question on stackoverflow earlier with the info if someone would be kind enough to help :) https://stackoverflow.com/questions/42315568
07:52 <@vpnHelper> Title: vps - OpenVPN Connection fails with DNSMasq (pi-hole) - Stack Overflow (at stackoverflow.com)
07:53 < NonSecwitter> you can't ping by IP, thundergulp?
07:54 < NonSecwitter> thundergulp: for your DNS issue, this might help: push "block-outside-dns"
07:55 < NonSecwitter> gotta go fix that myself, actually. best of luch
07:56 < thundergulp> NonSecwitter, no, i can't ping any IP when connected to the vpn with the client, but I can ping from the server
07:57 < thundergulp> which makes me think its somehow a firewall issue, but can't see how
08:13 <@dazo> Someguy123: either it's a firewall or return route issue ... that's what my gut feeling tells me
08:13 <@dazo> !all
08:13 <@vpnHelper> "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
08:15 < thundergulp> that's what I thought too, just can't figure out whats causing it
08:15 < thundergulp> wait, you were talking to me, nvm, lol
08:16 <@dazo> rizonz: _theoretically_ it is possible to have multiple OpenVPN servers providing the same subnet.  But doing that right is not for inexperienced network admins. It may very well require a large boatload of hacks ... so unless you have at least a decade of network admin experience with large and complex networks, *don't* do that
08:17 <@dazo> !howto
08:17 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
08:17 <@dazo> SupaYoshi:  ^^ start with #3
08:17 <@dazo> thundergulp: coming to your question now
08:20 < thundergulp> awesome, thanks
08:22 <@dazo> !all
08:22 <@vpnHelper> "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
08:22 <@dazo> thundergulp: ^^^
08:23 < thundergulp> ah, ok. 1 sec
08:24 < thundergulp> I put the server.cfg and firewalls rules in the question I pasted, do you want the client.cfg?
08:24 < thundergulp> dazo
08:24 < thundergulp> *.conf ofc
08:27 < thundergulp> !configs
08:27 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:29 <@dazo> thundergulp: well, client config is just as important here
08:30 < thundergulp> dazo, actually not sure where to find client.conf
08:31 < thundergulp> i see base.conf under ~/client-configs, but can't find client.conf there or in /etc/openvpn/
08:37 <@dazo> thundergulp: when openvpn is running ... do a 'ps faxuw | grep openvpn' ... you should see the config used there
08:39 < thundergulp> dazo, on the client of server?
08:39 < thundergulp> *or
08:39 < thundergulp> but I think this might be what you need dazo http://pastebin.com/E8gwiykR
08:40 <@dazo> on the client
08:41 < thundergulp> yeah, I use a .ovpn file on the client, thats why I was confused about the .conf dazo
08:41 <@dazo> okay
08:41 <@dazo> so the tunnel breaks once you restart the VPN server?  or the VPN client?
08:42 < thundergulp> dazo, but the base.conf in the pastebin above is the exact same as the .ovpn without the key
08:42 <@dazo> only breaks
08:42 < thundergulp> when I restarted the server after installing pi-hole (with dnsmasq), I can connect to the VPN, but can't ping anything on the client while connected
08:43 < thundergulp> but before restarting the server, I could disconnect and reconnect the client, and it would still work
08:43 <@dazo> !logs
08:43 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
08:43 <@dazo> provide logs from both client and server ... and from when the openvpn processes start on both sides
08:43 <@dazo> --verb 4 is crucial in this case
08:44 < thundergulp> I null-routed logging, so I don't think anything is there, but I will check, if not, I will turn on logging and set to verb 4
08:44 < thundergulp> !logfile
08:44 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
08:45 < thundergulp> give me a few min please dazo
09:03 < thundergulp> here you go dazo, sorry for the delay, had some issues with the log http://pastebin.com/B9P24htU
09:06 < thundergulp> that's what you needed, right dazo?
09:09  * dazo looks
09:10 <@dazo> need the same for the client as well
09:11 < thundergulp> oh, sorry. I got caught up with the issues with the server log I was having, any idea where to find the client log on ubuntu 16.04 dazo?
09:13 <@dazo> add --log /var/log/openvpn.log ... and you'll have the log there
09:13 < thundergulp> in my .ovpn file?
09:14 <@dazo> yes
09:14 < skyroveRR> Use "--log" only if running from command line, else just add "log" in the .ovpn file.
09:15 < thundergulp> k
09:15 < skyroveRR> Of course, log, followed by the path.
09:15 < thundergulp> thanks
09:15 < thundergulp> yeah
09:21 < thundergulp> here is the client log dazo http://pastebin.com/1nU8V81m
09:22 <@dazo> that log is mangled
09:22 <@dazo> !topsecret
09:22 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust., or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
09:23 < thundergulp> dazo the only thing i changed was the ip address of the vpn server, do you need that? :P
09:23 <@dazo> yes
09:23 <@dazo> in this case I do
09:23 < thundergulp> then I will give it to you in a pm, 1 sec
09:23 <@dazo> because I see some cloudflare IP in the server log ... which makes me wonder what the heck is going on .... putting cloudflare in front of openvpn won't work
09:24 < thundergulp> not using cloudflare
09:24 < thundergulp> the vpn server is running on a ovh vps
09:24 <@dazo> from your server log
09:24 <@dazo> Sat Feb 18 09:50:21 2017 us=221552 TCP connection established with [AF_INET]108.162.221.241:25067
09:24 < thundergulp> hmm
09:25 <@dazo> $ whois 108.162.221.241 | grep -i netname
09:25 <@dazo> NetName:        CLOUDFLARENET
09:25 < thundergulp> could it be pi-hole updating the rules?
09:25 <@dazo> try using a different port than 443/tcp
09:25 <@dazo> like the default openvpn port .... 1194
09:25 < thundergulp> only things on that server are pi-hole and openvpn
09:25 <@dazo> and btw ... tcp is a very bad choice too, udp is far better
09:26 < thundergulp> I will try to change the port to see if that helps, 1 min
09:28 < thundergulp> but if the port was the issue, wouldn't it have had problems before I installed dnsmasq (with pi-hole) dazo?
09:28 <@dazo> well ... then tell me why the IP addresses don't match between server and client logs?
09:28 < thundergulp> I have no idea
09:28 <@dazo> Your log is packed with clues .... start looking at all the ERROR and WARNING lines
09:29 <@dazo> Sat Feb 18 09:55:26 2017 us=950199 108.162.221.241:36957 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1575 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
09:30 < thundergulp> hmmm
09:30 <@dazo> this tells that packet between client and server have been severely mangled ... but doesn't look to be the typical configuration errors
09:30 <@dazo> Sat Feb 18 09:55:26 2017 us=949959 TCP connection established with [AF_INET]108.162.221.241:36957
09:30 < thundergulp> what do you think could be the issue?
09:30 <@dazo> with cloudflare IP on the client side ... that is definitely odd
09:31 < thundergulp> any way to figure out why its connecting to cloudflare? to my knowledge OVH doesnt use cloudflare
09:31 <@dazo> on the client side: Sat Feb 18 10:17:52 2017 us=43203 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
09:31 <@dazo> that tells you that the openvpn process does not have the required privileges
09:31 <@dazo> it can't configure the tun/tap device at all ... which ends up with
09:31 <@dazo> Sat Feb 18 10:17:52 2017 us=43329 Exiting due to fatal error
09:32 < thundergulp> well, that could be because i ran it differently to get the log, i normally use network-manager when connecting to the vpn
09:32 < thundergulp> had to use the terminal to get the client log
09:32 <@dazo> My crystal ball is too cloudy to guess what goes wrong with the IP address
09:33 < thundergulp> let me try something else, 1 sec
09:35 < thundergulp> yeah, for some reason its not producing the log when I use network manager, even though I set the log path in the .ovpn
09:37 <@dazo> network-manager doesn't use your config exactly how you tell it to.  It mangles it, and builds up its own config ... so it is probably in one of the syslog log files
09:37 < thundergulp> i'll try it another way
09:39 < thundergulp> ok, got the log in another way, i'll pastebin it now
09:40 < thundergulp> ok dazo this client log shows it with the proper permission http://pastebin.com/MWdP3Agy does that help?
09:44 < thundergulp> it shows an error at the end, but i think thats just because I ended it from terminal, line 331 shows it connected successfully
09:46 <@dazo> Sat Feb 18 10:36:35 2017 us=381772 /etc/openvpn/update-resolv-conf tun0 1500 1572 10.8.0.6 10.8.0.5 init
09:46 <@dazo> rm: cannot remove 'tun0.openvpn': Permission denied
09:46 <@dazo> that's why you get issues
09:47 < thundergulp> if that was the case, wouldnt I have had issues before installing dnsmasq on the server?
09:47 <@dazo> that means that update-resolv-conf isn't able to revert the changes in /etc/resolv.conf ... which means the DNS settings will point at an inaccessible DNS server
09:47 < thundergulp> ahhh
09:47 < thundergulp> I see what you mean
09:47 < thundergulp> any idea how I could fix that? :)
09:48 <@dazo> you need to use --plugin openvpn-down-root.so instead of --down
09:48 <@dazo> (you need to dig into the docs for your client distro where that plug-in is located)
09:50 < thundergulp> so in the .ovpn file, I need to use "plugin openvpn-down-root.so" instead of "down /etc/openvpn/update-resolv-conf"?
09:54 <@dazo> https://github.com/OpenVPN/openvpn/blob/master/src/plugins/down-root/README.down-root
09:54 <@vpnHelper> Title: openvpn/README.down-root at master · OpenVPN/openvpn · GitHub (at github.com)
09:56 < thundergulp> ok, I see it says to use "plugin openvpn-down-root.so "command ..."" in the config, not sure what the command arguments are
10:02 < NotSecwitter> hello
10:02 < NotSecwitter> So, I'm troubleshooting a DNS issue
10:02 < NotSecwitter> sec for link:
10:03 < NotSecwitter> http://community.openvpn.net/openvpn/ticket/399
10:03 <@vpnHelper> Title: #399 (Issue with register-dns in Windows 8.1) – OpenVPN Community (at community.openvpn.net)
10:03 < NotSecwitter> this issue
10:03 < NotSecwitter> I just pushed "block-outside-dns" to the clients, but they are still trying to acces DNS addresses from their hardware ethernet
10:04 < NotSecwitter> If I run "netsh interface ipv4 set interface Ethernet metric=1" then the whole thing works
10:05 < thundergulp> dazo, i'm a bit confused about the plugin you mentioned
10:06 < thundergulp> if the up script is successful, that should update the resolv.conf, right?
10:06 < thundergulp> the down script would just update it after I close the VPN connection
10:07 < thundergulp> so I'm confused as to how that issue would cause my vpn connection to not be able to ping or resolve dns dazo
10:08 <@dazo> you said the problem started when you restarted the server, right?
10:09 < thundergulp> right
10:09 <@dazo> that means the client disconnects ... and it can't restore the local DNS settings ... thus 'ping google.com' won't work as it can't resolve the IP address to google.com
10:09 < pdobrogost> Hi all!
10:09 < thundergulp> no dazo
10:09 < thundergulp> I manually disconnected the client
10:09 < thundergulp> before restarting
10:09 < NotSecwitter> hey pdobrogost
10:10 < thundergulp> and then reconnected before restarting, it worked fine
10:10 <@dazo> well ... you still have plenty of warnings and errors on the server side to look at
10:10 < thundergulp> it also worked fine for weeks before installing dnsmasq and pi-hole (through many restarts of both client and server)
10:11 < pdobrogost> I would like to setup wireguard tunnel over openvpn tunnel but have problem with routing configuration. My setup is depicted here https://paste.fedoraproject.org/paste/8SgX5iDg~NdzJziYBJYgL15M1UNdIGYhyRLivL9gydE=
10:11 <@dazo> I see this line several times, thundergulp
10:11 <@dazo> Sat Feb 18 09:50:21 2017 us=221820 108.162.221.241:25067 Connection reset, restarting [0]
10:11 < pdobrogost> I would appreciate if someone could help me setting this routing up.
10:11 < thundergulp> yeah, thats only from today after the problem starting, there were no logs before today since i had them turned off on the server dazo
10:11 < thundergulp> *started
10:12 <@dazo> *sigh* ... so I've helped you debugging stuff on the wrong log files?
10:12  * dazo moves on
10:12 < thundergulp> I mentioned that above, sorry
10:12 < NotSecwitter> lol
10:12 < NotSecwitter> hey dazo
10:12 < NotSecwitter> any chance you know how to fix this windows DNS issue?
10:13 <@dazo> NotSecwitter: I have used Linux exclusively on all my computers since early 2000 ... so I have no real experience with OpenVPN on Windows
10:14 < NotSecwitter> hm. bugger
10:14 < thundergulp> dazo, sorry we werent on the same page, I guess you missed earlier when I mentioned that I had to turn on logging
10:14 < thundergulp> but whatever this issue is, I have a strong feeling it has something to do with dnsmasq on the server
10:16 < NotSecwitter> dazo: how does openvpn handle ipv6?
10:16 <@dazo> pdobrogost: what is the chain?  client -> openvpn -> wireguard <--internet--> wireguard <- openvpn <- server ?
10:17 <@dazo> pdobrogost: or: client -> wireguard -> openvpn <--internet--> openvpn <- wiregard <- server ?
10:17 < pdobrogost> the second one
10:19 <@dazo> !serverlan
10:19 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
10:19 < thundergulp> wow, i thought when you said "moving on" you were moving on to another way to help, didn't realize you were ignoring me now because you didn't see what I said an hour ago
10:20 <@dazo> pdobrogost: try first to ensure that your setup works witnout wireguard involved ... that both sides can ping the appropriate subnets on the remote side
10:21 < NotSecwitter> man. I think the problem is IPv6
10:21 < NotSecwitter> no... no it's not
10:21 < NotSecwitter> ef
10:22 < pdobrogost> dazo: The setup does work without wireguard.  However due to some firewalling involved it's not without restrictions. Generally I have access from hostY to hostX's specific udp/tcp ports.
10:22 <@dazo> pdobrogost: if it works without wireguard ... I would recommend getting help from wireguard guys ... that is a very different beast than openvpn
10:22 <@dazo> !notopenvpn
10:22 <@vpnHelper> "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
10:23 < pdobrogost> Well, wireguard part is rather easy and the whole problem is the final routing which I guess you guys are good at.
10:25 <@dazo> heh ... well, we use tcpdump on the various interfaces and run ping ... and see where the traffic appears ... when spotting where it goes wrong, you know which node does the erroneous routing (or firewalling)
10:26 <@dazo> on those hosts where it goes wrong, also adding some iptables -j LOG rules (usually in the FORWARD chain) may also help see more details on where the box receives and tries to send the packets further
10:27 <@dazo> but ... except of that, each case is quite different ... so we mostly know the debugging tricks here, not the final solution :)
10:27 < pdobrogost> I believe if we swap wg for openvpn the problem would be the same; how to tell inner tunner traffic to go not to default gateway but to outer tunnel's endpoing.
10:27 < pdobrogost> s/endpoing/endpoint/
10:27 < thundergulp> dazo, thanks for wasting both of our time, you could have just actually *read* my initial question, which was very clear about when the problem started and why. it would have been much easier for you to just ignore my question rather than spending all this time diagnosing a problem that doesnt exist and continuing to fail to read what I told you during the conversation. I should have known better than to come on IRC and ask
10:27 < thundergulp> help from people whose self-worth is determined by how much they know about something. So when they fuck up, they blame the person they're trying to "help"
10:29 <@dazo> gee ... he forgot to mention not providing accurate and correct information is also important
10:29 <@dazo> pdobrogost: without knowing too much details on how the traffic goes ... you might need to look into routing policies
10:30 <@dazo> (that's 'ip rule' and iproute2 routing tables)
10:31 < pdobrogost> dazo: I guess we doesn't yet have to check details as the question for now is how it should be setup in this scenario. After setting it up if id doesn't work we might start checking things :)
10:32 < pdobrogost> I think all information is there. Question: what routes to add on hostY?
10:33 < pdobrogost> Do I need masquerading?
10:34 <@dazo> pdobrogost: I don't think so initially ... do you want to do redirect all internet traffic from hostY via this openvpn+wireguard setup?
10:34 < pdobrogost> No, only traffic to hostX.
10:35 <@dazo> good
10:35 <@dazo> it seems hostY is missing a route to 10.0.0.0/24
10:35 <@dazo> but it would be good to see the routing on hostZ too ... as that is also important here
10:36 <@dazo> actually it seems wg is not running on hostY at this moment
10:37 < pdobrogost> :) Why do you think it's not running?
10:37 <@dazo> I have no experience with wg ... so I might be very wrong, but I would expect to see a wg device on hostY
10:38  * dazo need to do a phone call
10:40 < pdobrogost> dazo: You are right. There is device –
10:40 < pdobrogost> wg.sfx: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
10:40 < pdobrogost> The reason there's no route mentioning it is that I deleted the route setup by wg-quick as it was not working.
10:42 < pdobrogost> This rule which is added when starting wg-quick and which I deleted is this:
10:42 < pdobrogost> 10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 wg.sfx
10:43 <@dazo> sight, that route does make sense though
10:43 < pdobrogost> Yes, now when I look at it it does make sense.
10:44 <@dazo> it says that all 10.0.0.0/24 traffic should go to wg.sfx, which the wg software picks up and transports to the remote side
10:44 < pdobrogost> However ping 10.0.0.1 gives:
10:44 < pdobrogost> From 10.0.0.2 icmp_seq=4 Destination Host Unreachable
10:44 < pdobrogost> ping: sendmsg: Required key not available
10:44 <@dazo> then you need to have a look at the routing table at hostZ
10:45 < pdobrogost> No chance :) I don't have access there. What do you suspect is going there?
10:45 <@dazo> as well as ensuring ip forwarding is enabled on hostZ + firewalling allows traffic to pass
10:46 <@dazo> are the some logs you can look at on the wg side on hostX? ... do you see that hostY is connected?
10:46 <@dazo> It's the first time I see "Required key not available" as an sendmsg() error
10:46 < pdobrogost> Well, hostZ is OpenVPN server I'm connected to and it does make it possible to reach hostX on specific ports so I guess forwarding is enabled.
10:46 <@dazo> good
10:47 <@dazo> then it might be the wg key setup which is wrong? .... I'm on extremely thin ice when it comes to wg configuration  (just reading up about it on their web page)
10:48 < pdobrogost> I suspect this message might be comming from wg as I think it treats public keys as routing keys or something along this line.
10:49 <@dazo> yeah
10:50 <@dazo> what's the peer sub-section in wg config on hostX for hostY?
10:58 < pdobrogost> checking...
10:59 < NotSecwitter> dazo: how is this "setenv opt block-outside-dns" diferent from "push 'block-outside-dns'" ?
11:00 < pdobrogost> [Peer] PublicKey = <key>\nAllowedIPs = 10.0.0.2/32
11:02 <@dazo> NotSecwitter: the former doesn't make clients not supporting --block-outside-dns complain and stop working ... iirc
11:03 < NotSecwitter> sweet
11:05 <@dazo> pdobrogost: and the configuration on the client side have AllowedIPs = 0.0.0.0/0\nEndpoint = 10.92.2.80  ?  With the proper public key?
11:20 < pdobrogost> dazo: on the client side there's AllowedIPs = 10.0.0.1/24
11:22 < pdobrogost> keys look ok
11:25 <@dazo> pdobrogost: 10.0.0.1/24??  Shouldn't it be 10.0.0.0/24  ... or 10.0.0.1/32 ?
11:29 < pdobrogost> Well, I consulted this with the author himself :)
11:29 <@dazo> ahh, okay :)
11:29 <@dazo> that is definitely a better source than me ;-)
11:30 < pdobrogost> Unless I did something wrong.
11:30 < pdobrogost> He said this:
11:30 < pdobrogost> the server should give each client a /32 in allowed IPs
11:30 < pdobrogost> the client should give the server a /24 in allowed IPs
11:30 < pdobrogost> the client and server should both have a /24 for their IP address
11:31 <@dazo> I was actually wondering about .1/24  .... I would have expect .0/24  (network address, not host IP address)
11:32 < pdobrogost> Well, this peer has only one address so you might specify exactly its only address here I think.
11:32 <@dazo> but if it is designed to be .1/24 ... I have no arguments against
11:33 < pdobrogost> Something, somewhere doesn't go through...
11:33 < pdobrogost> ...so typical networking problem :)
11:35 <@dazo> :)
11:36 <@dazo> I'm sorry I can't help you further on this one ... but it seems to be wg related, so hard for me to have good clues here
11:36 < pdobrogost> Sure. Thanks for your time.
11:44 <@dazo> yw!
12:04 < pdobrogost> dazo: https://lists.zx2c4.com/pipermail/wireguard/2016-August/000368.html :)
12:04 <@vpnHelper> Title: [WireGuard] WireGuard doesn't work with network namespace on ArchLinux (at lists.zx2c4.com)
12:08 < pdobrogost> However changing this makes no change.
12:45 < |Mike|> Q: Can I run OpenVPN with certs to authenticate as well with passwords?
13:51 -!- jamesaxl_ is now known as jamesaxl
13:54 -!- F2Knight[away] is now known as F2Knight
16:45 -!- F2Knight is now known as F2Knight[away]
17:15 -!- F2Knight[away] is now known as F2Knight
17:42 < |Mike|> Q: Can I run OpenVPN with certs to authenticate as well with passwords?
19:28 -!- F2Knight is now known as F2Knight[away]
20:01 < AnnaRooks> so ive got some problems with forwarding, the vpn client connects fine, but not even ping is responding?
20:01 < AnnaRooks> im not sure what other info i need to provide
20:02 < AnnaRooks> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
20:02 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
20:02 < AnnaRooks> ive been following this guide up until the client infrastructire?
20:06 < AnnaRooks> im currently just connecting using the ca cert, client cert and client key, no ovpn file
23:21 -!- F2Knight[away] is now known as F2Knight
23:21 -!- F2Knight is now known as F2Knight[away]
--- Day changed Sun Feb 19 2017
04:55 < jgjorgji> how can i filter openvpn traffic that's between peers?
04:55 < jgjorgji> i'm running with tun and subnet configuration
05:56 < jgjorgji> it turned out to be ufw config issues
07:28 < Hakon> !welcome
07:28 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
07:28 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
07:29 < Hakon> !goal
07:29 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:33 < Hakon> Hello. I have have had my openvpn server running for a few years but decided to change to another CA for my certificates. I have created ca, an intermediate ca, a server cert and a client cert for me, but openvpn seems to reject my client cert: "VERIFY ERROR: depth=0, error=unsupported certificate purpose". The certificate has key usage Key Encipherment and extended key usage TLS Web Client Authentication. Is there anything i'm missing?
07:35 < Hakon> apparently openvpn does not accept "Key Encipherment" but needs "Digital Signature"
07:45 < Hakon> how can i make openvpn accept the certificate with Key Encipherment?
07:46 < fnljk> made sure same version and capabilities available on server/client , and gone over manual-page for that parameter/option, yet still not finding answer....?
07:47 < fnljk> I guess such things could be helpful with debugging, at least. Sorry I may not othewise be of help, or assist you in whatever you may seek-good luck tho!
07:48 < fnljk> If any error... also, Google is a graet resoruce..assuming has googled the specific eventual error-output, and tried narrow down.. and such,... if could elaborate, even a newb like me may occasionally be able to spit out some helpful responses after doing such, assuming you did not,then.. :d
07:50 < Hakon> well i have found the remote-cert-ku and remote-cert-eku options, but setting remote-cert-eku "TLS Web Client Authentication" does not seem to make any difference
07:50 < Hakon> and it's not complaining about the key usage
07:51 < Hakon> i have set remote-cert-ku 80 08 88 and my certificate has key usage 08 so that should be fine
07:51 < fnljk> "does not accept":.hm, sorry if that's a standard return code/error response for, but..maybe pastebin some of such too, in case may aid in further narrowing down..?
07:51 < fnljk> hm
07:52 < fnljk> u sure the <whatever>-ssl variant on each side supports this natively, besides seemingly (possibly?) suggested by the openvpn application  ?
07:52 < fnljk> the..cipher suites, possibly, I maen... in case that's what u meant. (sry ifnot, im kinda newb to this myself really..:d but lackign other input so far...!:)
07:54 < fnljk> hm, not even sure what key usage 08 means.. sorry -- may be I'm simply too newb to both nix and openvpn to even get the basics, assuming is somewhat easy as such:| hmmh
07:54 < Hakon> it accepts the certificate if i set digitalSignature key usage bit instead of key encipherment, but for reasons i don't want this
07:55 < Hakon> and that makes me think the issue is restricted to this part of the certificate
07:55 < fnljk> hm!  why would it not accept it any more when unset.... (or eventually, why you wouldn't comfortable be able to give it permanent  access to--presumed some security concern or such..)
07:55 < fnljk> hm..:s
07:58 < Hakon> i could try with remote-cert-ku 20
08:27 < bennington> !welcome
08:27 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
08:27 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
08:29 < bennington> I'm getting a TLS handshake failed error when trying to connect to my vpn server, I was hoping someone could help me
08:37 < Hakon> fixed it by just using digitalSignature instead :)
08:53 < saltee> @bennington - did it work previously?
08:54 < saltee> If it did and certs are all okay check the time and date.
09:01 < bennington> saltee, yes, it did
09:01 < bennington> i've been troubleshooting
09:01 < bennington> when i change the port from 1194/udp to 443/tcp, it connects
09:01 < bennington> but I cant ping anything
09:02 < bennington> just tried with 443/udp, can't connect again now
09:02 < bennington> time and date are both synced, so that can't be it
09:03 < saltee> so the 1194 / 443 thing is most likely a blocked port on a f/w.  if you can ping the openvpn server it could be a routing issue.  if it's on linux make sure that ip forwarding is enabled and you've set the appropriate iptables.  (just thoughts)
09:04 < bennington> yeah, i thought of that as well, can ping the server from client, ports are open, firewall allows them
09:05 < saltee> oh - that sounds odd if it's intermittent
09:05 < bennington> its not intermittent
09:05 < bennington> it just wont connect with those ports now, and when i change them, it connects, but client cant ping anything once connected to the vpn
09:06 < bennington> havent been able to use it at all today, can't figure out why
09:06 < saltee> have you pushed a route to the vpn network on the client side?
09:06 < bennington> yes
09:06 < saltee> very strange (sorry naff comment, but...)
09:07 < bennington> it was working earlier until i install pi-hole
09:07 < bennington> that's when the problem started
09:08 < bennington> I assume its some kind of internal routing issue, but can't seem to figure it out
09:08 < bennington> everything is ported and forwarded properly to my knowledge
09:10 < saltee> well - pihole is just dnsmasq (albeit a nice implementation - I use it myself).  Don't see how it can affect you pinging an address.
09:11 < bennington> yeah, me either
09:11 < bennington> but everything was working fine before i installed it
09:12 < bennington> with port 443/tcp (the one that allows me to actually connect) both dns lookup and ip pings fail when connected to the vpn
09:13 < bennington> but before i installed pihole, i could sucessfully connect on 1194/udp
09:14 < bennington> and everything worked fine
09:14 < saltee> so openvpn server and pi-hole on same machine?
09:14 < bennington> on a vps, yes
09:14 < saltee> okay
09:14 < bennington> this is the method I used to install pihole https://www.cyberciti.biz/faq/ubuntu-linux-install-pi-hole-with-a-openvpn/
09:15 <@vpnHelper> Title: How to pair Pi-hole with an OpenVPN to block ads and increase privacy on Ubuntu / Debian Linux (at www.cyberciti.biz)
09:15 < saltee> must admit - I run both but they have their own vm's to sit in
09:16 < bennington> ah
09:16 < bennington> any chance you feel like looking at the link I posted and seeing if there is anything obvious there that could be causing my issue? (I followed it exactly)
09:17 < bennington> (including the UFW rules listed in the other tutorial linked from that article at the top - https://www.cyberciti.biz/faq/howto-setup-openvpn-server-on-ubuntu-linux-14-04-or-16-04-lts/)
09:17 <@vpnHelper> Title: How To Setup OpenVPN Server In 5 Minutes on Ubuntu Server (at www.cyberciti.biz)
09:19 < saltee> It all looks reasonably straight forward.
09:20 < saltee> what happens if you disable pihole
09:21 < bennington> didnt really think of that. can't access the web admin (stupid question) what the command line command to disable it? :P
09:22 < saltee> iirc pihole on the console - not sure of the switch
09:23 < saltee> pihole disable
09:23 < saltee> (:
09:24 < bennington> lol yeah, just found it
09:24 < bennington> but the same result
09:24 < bennington> can't connect with it disabled on 443/udp
09:24 < bennington> not able to ping when connecting with 443/tcp
09:29 < saltee> Not sure what the pihole installer does - I never looked.  maybe an idea to wgat the script and take a look at what it's doing
09:30 < saltee> I'd say disable dnsmasq and see what that does but I really don't see how that's going to affect routing
09:31 < bennington> yeah, I tried that as well when you mentioned disabling pihole, didnt help
09:31 < bennington> the script also install lighttp
09:31 < saltee> unless the pihole installer sets up its own iptables and overwrites what you already have
09:31 < bennington> it does add iptables rules i believe
09:31 < bennington> but I updated the rules after installing with ufw
09:32 < saltee> Mmmm - hate to say it but I'm at a loss
09:32 < bennington> even tried disabling iptables, that didnt help
09:32 < bennington> yeah, me too
09:32 < bennington> its driving me crazy lol, but i have no idea whats going on
09:32 < bennington> thanks for trying to help tho
09:34 < saltee> it really does sound like an iptables thing - if 1194 UDP is blocked after the install
09:34 < saltee> I'd try and avoid running a vpn over TCP though.
09:36 < bennington> yeah, but the problem is, even if i can connect to the vpn over tcp, the client can't ping anything once connected
09:37 < saltee> again - smells of iptables rules
10:11 < dorp> Hello, I'm using openvpn as a client under linux, and I call update-resolv-conf upon --up and --down. The DNS being pushed by the server is being added to: /etc/resolv.conf, but my existing entries are not being removed. Is there a common method for replacing the entries, and not just adding to them?
10:14 < ordex> dorp: maybe you could just move /etc/resolv.conf to .. /etc/resolv.conf.bak before calling update-resolv-conf (just making this up now)
10:16 < dorp> ordex: I see. I thought that maybe I misconfigured something, and that wasn't the expected 'default' behavior. I'll try to read more about resolvconf
10:17 < ordex> dorp: honwstly i don't know
10:17 < ordex> *honestly
12:32 < netan2> hello
12:33 < netan2> who can help me please with configuring openvpn?
12:33 < netan2> Sun Feb 19 21:24:26 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054)
12:33 < netan2> thanks
12:34 < netan2> !welcome
12:34 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
12:34 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
12:34 < netan2> @goal
12:34 < netan2> !goal
12:34 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:56 < netan2> Sun Feb 19 21:55:15 2017 Connection reset, restarting [0]
12:56 < netan2> Sun Feb 19 21:55:15 2017 SIGUSR1[soft,connection-reset] received, process restarting
12:56 < netan2> Sun Feb 19 21:55:15 2017 MANAGEMENT: >STATE:1487530515,RECONNECTING,connection-reset,,,,,
12:56 < netan2> Sun Feb 19 21:55:15 2017 Restart pause, 5 second(s)
12:56 < netan2> Sun Feb 19 21:55:18 2017 SIGTERM[hard,init_instance] received, process exiting
12:56 < netan2> Sun Feb 19 21:55:18 2017 MANAGEMENT: >STATE:1487530518,EXITING,init_instance,,,,,
12:56 < netan2> what can it be?
12:56 < netan2> please help me
13:02 < Karpo> i deploy openvpn on my server but when i have conection through vpn my ip on client doesn't changes
13:10 < netan2> push "redirect-gateway def1 bypass-dhcp" on client and on server
13:10 < netan2> see that
13:10 < netan2> Kapro
13:17 < Karpo> yes
13:17 < Karpo> when i uncommet it - i have errors while try connect
13:19 < netan2> paste here
13:19 < netan2> or in ls
13:23 < Karpo> Sun Feb 19 21:21:53 2017 ERROR: Linux route add command failed: external program exited with error status: 2
13:35 < netan2> sent me your config
13:37 < Karpo> server config?
13:41 < Karpo> http://pastebin.com/kZ6N42Lb
13:51 < netan2> sec
13:51 < netan2> and client config too
13:52 < netan2> give me auth to server
13:56 < Karpo> no, thanks
14:00 < netan2> why
14:00 < netan2> you than change password
14:00 < netan2> or i can give you my configs
14:05 < Karpo> because  i think that its problem on client side
14:06 < Karpo> it's my error listing: http://pastebin.com/0Pa9wUe9
14:06 < Karpo> it's something wrong with routes
14:16 < netan2> client WINdows ?
14:16 < netan2> what the system
14:16 < netan2> retry with tcp protocol
14:16 < Karpo> no, manjaro (arch)
14:29 < Dev0n> hey, can you still use a share-key in a subnet setup?
14:29 < Dev0n> shared-key*
14:34 < Karpo> it channel have a logs?
14:34 < Karpo> i was offline last 20 min
19:24 < |Mike|> Q: Can I run OpenVPN with certs to authenticate as well with passwords?
19:28 < ordex> |Mike|: yup
19:29 < ordex> I believe they are independent mechanism, thus you can use them together
19:29 < ordex> *mechanisms
21:11 < _FBi> |Mike|, freeradius works, too
--- Day changed Mon Feb 20 2017
00:07 -!- james41382_ is now known as james41382
00:46 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
00:46 -!- mode/#openvpn [+v hyper_ch] by ChanServ
10:52 < pdobrogost> dazo: Hi! How can I follow issue 753?
11:09 <@dazo> pdobrogost: you mean this one?  https://community.openvpn.net/openvpn/ticket/753
11:09 <@vpnHelper> Title: #753 (OpenVPN should update systemd-resolved on systems running it) – OpenVPN Community (at community.openvpn.net)
11:10 < pdobrogost> Yes
11:10 <@dazo> you need to sign up, then you can add your username/nick to the Cc field
11:10 -!- netwoodle is now known as noodle
11:10 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 240 seconds]
11:11 < pdobrogost> Btw, what's the status?
12:19 < P4k3> Uh, I don't seem to be able to generate new certificates for new clients anymore. I don't get any error messages when generating it. But they don't work :o
12:19 < P4k3> Complains about expecting some other cipher etc
12:20 < P4k3> I generate the certificates on a Windows machine, can a windows update break anything?
12:25 < P4k3> Ah, might have found the problem. client sample config have changed more than usual between version. Cipher was specified in the new version.
13:58 < pdobrogost> dazo: I am logged in but I don't see any way to add myself to cc....
14:14 <@dazo> pdobrogost: hmmm .... Have you tried clicking at "Modify Ticket"?
14:15 <@dazo> pdobrogost: if you don't have access, let me know your username and I'll add you
14:15 < pdobrogost> Yes, I did. All it does is showing me checked radio with " leave as assigned The owner will remain dazo." My username is piotr.dobrogost
14:16 < pdobrogost> Also CC: field is empty and the "CC:" string is grayed out.
14:18 <@dazo> ahh, okay .... I can add you on the Cc list then
14:18 <@dazo> (done!)
14:24 < pdobrogost> thanks
14:29 < RedShift> is it a good idea to already apply firewall rules in auth-user-pass-verify?
14:30 < RedShift> or should I do that on "up"?
14:30 <@dazo> RedShift: --up on the server side will only be run once, when the openvpn server starts.  If this is an alternative, I'd skip --up and put it in the default firewall configuration
14:31 <@dazo> RedShift: doing it in --auth-user-pass-verify can allow you for a more dynamic firewall updates, on a per-connected-user basis
14:31 <@dazo> RedShift: you can have a look at what eurephia does
14:31 <@dazo> !eurephia
14:31 <@vpnHelper> "eurephia" is http://www.eurephia.net/
14:32 <@dazo> (eurephia allows different firewall profiles to be applied, depending on the combination of username/password and the users certificate)
14:32 < RedShift> I wrote a small script that auths via radius and retrieves the filter-id, I can use that to append the client into a certain iptables chain
14:32 < RedShift> I was wondering if auth-user-pass-verify was the right place to do that so yes it appears so
14:33 <@dazo> Well, --learn-address might actually be an even better place to be honest
14:34 <@dazo> --learn-address also accounts for IP address changes, and you can also revert the firewall update when the client disconnects
14:35 < RedShift> that's the thing, I'm not sure how I can pass information from the auth script to the learn-address script
14:41 < RedShift> hmm I'll just do it in the auth-user-pass-verify step, and use learn-address only to delete it from the chain
14:43 <@dazo> RedShift: how I do it in eurephia, is that I use a several of the variables available both in the --auth-user-pass-verify phase and the --learn-address phase, combine and hash them.  Then store the data needed in the next phase with that hash as a key
14:44 < RedShift> ah, smart
14:44 <@dazo> well, I try to be smart :-P
14:45 < RedShift> I was thinking along similar lines but for some reason I just wanna avoid having to read/write files
14:46 <@dazo> use sqlite3 ;-) ... or even simpler echo " > /var/lib/openvpn/authcache/$HASH ....
14:46 <@dazo> duh
14:47 < RedShift> hehe
14:47 < RedShift> alright thanks
14:47 <@dazo> echo 'var1="value1"' > /var/lib/open/var/lib/openvpn/authcache/$HASH .... and then '. /var/lib/openvpn/authcache/$HASH' when reading the data cache  ... then you can just do $var1
14:47  * dazo brb
17:34 -!- dan- is now known as dan_
17:35 -!- dan_ is now known as Guest62944
17:49 < DeathShot> Why are there no guides or docs anywhere as to configuring a CLIENT on freeBSD for use with VPN provider config files?
17:50 < DeathShot> Last time I did this it took me hours to find the info, and I've already tried again.
17:50 < DeathShot> I just want openVPN to start up when my jail starts, and connect to a .ovpn file before everything else
17:51 < DeathShot> or I believe it was an .ovpn file that I changed the extension to .conf
17:51 < DeathShot> this can't be so hard
18:54 < axsuul> My OpenVPN setup was working flawlessly for a few months but I ended up restarting the jail that my openvpn runs in and now it connects but I can't access anything locally or internet. Any ideas on what settings could have changed due to a jail restart that might have interfered with it?
19:02 < DeathShot> axsuul no idea
19:02 < DeathShot> I can't even get it to auto connect on startup
19:02 < DeathShot> its obnoxious, every single guide in regards to OpenVPN wrt FreeBSD is about making servers
19:02 < DeathShot> some of us want to just use the client!
19:03 < DeathShot> axsuul, your case however sounds like a firewall issue, or a DNS issue. Try seeing if you can ping the server or google's IP.
19:04 < axsuul> DeathShot: sorry to hear about your situation
19:04 < axsuul> DeathShot: I'll look into that, thanks
19:06 < DeathShot> it could technically also be an issue with the server i suppose
19:11 < axsuul> DeathShot: thanks figured it out
19:11 < axsuul> the ethernet interface changed names
19:12 < DeathShot> that's a problem all of its own lol
19:12 < DeathShot> axsuul, how do you have the client configured to connect on startup?
19:12 < DeathShot> or do you start it manually?
19:12 < axsuul> DeathShot: I'm using Shimo
19:12 < axsuul> on macoS
19:12 < axsuul> macOS
19:12 < DeathShot> macOS has jails?
19:13 < axsuul> DeathShot: oh, sorry, i guess I dind't understand your question. My OpenVPN client is on macOS but the server is indeed within a FreeNAS jail
19:13 < axsuul> DeathShot: but what did you mean by connect on startup?
19:13 < DeathShot> oh I thought you were running your client on your jail ike I am trying to do
19:14 < DeathShot> axsuul basically what I awnt to do is start the ovpn client on start and connect to one of my commercial VPN provider's srevers
19:14 < axsuul> DeathShot: ah I see, your client is on your router?
19:15 < DeathShot> a jail on freenas
19:15 < DeathShot> it would be easier I suppose if I had a pfsense box
19:15 < DeathShot> but that wont happen for a few weeks, if then.
19:16 < axsuul> DeathShot: so you want the openvpn client to start when the jail starts?
19:16 < DeathShot> yup
19:17 < DeathShot> and auto connect
19:45 < ordex> DeathShot: what's wrong with your freebsd client?
19:46 < DeathShot> I just don't know how to get it to run on startup and connect
19:46 < DeathShot> and I can't find any info on it
19:46 < DeathShot> I know I need to put osmething in rc.conf
19:46 < ordex> oh ok, this is really freebsd specific .. then I don't know sorry :(
19:46 < DeathShot> like openvpn_conf="pathtoconffile"
19:46 < DeathShot> but I'm not sure
19:47 < DeathShot> I'm not sure why there are like zero docs on this
19:47 < ordex> probably not really common
19:47 < ordex> if there is an initscript, I would dig into that manually
19:47 < ordex> trying to extract what's needed
19:47 < ordex> maybe you could write the first doc about this, once you succeed :)
19:48 < DeathShot> I mean yeah I could run my own shell script
19:48 < DeathShot> ordex, I intend to
19:48 < DeathShot> but its wasteful if there is a simple built in way
19:48 < DeathShot> which I know there is, because I've done it once before
19:48 < DeathShot> I just can't remmebre how
19:48 < ordex> yeah
23:05 -!- stac- is now known as stac
--- Day changed Tue Feb 21 2017
00:00 < DeathShot> ugh
00:00 < DeathShot> openvpn looks for openvpn.conf to start
00:00 < DeathShot> but I don't want it to look for that I want it to look for my file name
00:00 < DeathShot> how do I make it do that?
00:01 < DeathShot> I changed the NAME_configfile value
00:01 < DeathShot> what more does it want?
00:08 <+hyper_ch> what looks where to start?
00:09 < DeathShot> when freebsd starts it runs all the scripts in /usr/local/etc/rc.d
00:09 < DeathShot> in there openvpn has its config file
00:09 <+hyper_ch> well, on linux it will use all conf files in /etc/openvpn
00:10 < DeathShot> basically when you run it to start openvpn you do /usr/local/etc/openvpn start
00:10 < DeathShot> when I do that I get /usr/local/etc/rc.d/openvpn: WARNING: /usr/local/etc/openvpn/openvpn.conf is not readable.
00:10 < DeathShot> sorry rather you run /usr/local/etc/rc.d/openvpn start
00:10 < DeathShot> and then the config file looks for openvpn.conf
00:11 <+hyper_ch> no idea, as said, on linux the init script is set to run all .conf files in /etc/openvpn
00:11 < DeathShot> however I have a ton of config files in /use/local/etc/openvpn and exactly 0 of them are called that
00:11 < DeathShot> I wanted it to run a specific one
00:11 < DeathShot> but it ALWAYS looks for openvpn.conf
00:11 < DeathShot> and yes I know I could just rename my script to openvpn.conf
00:11 < DeathShot> but that is shitty as all fucks
00:15 < DeathShot> I guess I am going to have to write my own script
00:15 < DeathShot> bleh
00:15 < DeathShot> this is 100% terrible flawed software design
00:17 < ordex> DeathShot: have you tried digging into the init script to understand how does it come up with openvpn.conf ? unfortunately I don't use freebsd so I have no clue
00:17 < ordex> but I guess that the script is written by the guy packaging openvpn for freebsd
00:17 < ordex> it is not part of the openvpn repository
00:18 < DeathShot> ordex, I did
00:18 < DeathShot> nothing I changed there seems to have any bearing on what it looks for
00:19 < ordex> mh strange, because openvpn expects the filename to be passed on the command line when the process is launched
00:19 < ordex> therefor emy guess is that the initscript at some point is forging the name ans passing it with --config $filename
00:19 < ordex> *and
00:22 < DeathShot> this is my script
00:22 < DeathShot> http://pastebin.com/nQd11xaH
00:24 < DeathShot> wait
00:25 < ordex> DeathShot: I am just reading the comment in the script
00:25 < ordex> NAME_configfile << why is it called this way ?
00:26 < DeathShot> got iy
00:26 < DeathShot> got it*
00:26 < ordex> # Below NAME should be substituted with the name of this script. By default
00:26 < ordex> # it is openvpn, so read as openvpn_enable. If you linked the script to
00:26 < ordex> # openvpn_foo, then read as openvpn_foo_enable etc.
00:26 < ordex> oh ok
00:26 < DeathShot> I don't know, because the guy apperantly doesn't know how to use veriables
00:26 < DeathShot> but I missed it
00:26 < DeathShot> as soon as I changed that NAME to say openvpn it worked
00:26 < ordex> yap
00:26 < DeathShot> so yeah this is bad software design
00:26 < ordex> this is what the comment said :P
00:26 < ordex> why ?
00:26 < ordex> it is well documented and easy to understand :D
00:27 < DeathShot> ordex, you ever try reading a wall of dark navy blue text on a white background?
00:27 < ordex> mh not sure I ever tried that
00:27 < DeathShot> if the script has to function with the name of the file there
00:28 < DeathShot> he could have just passed a variable there
00:28 < DeathShot> and set that variable at the start to be the name of the file
00:28 < ordex> I don't get what you are exactly saying, but the script is made to be able to work with as many openvpn instances as you want
00:28 < DeathShot> or at least, since the file is always called openvpn by default, just wrote openvpn_enable etc there and then change the comment to tell you to change openvpn to your file name
00:28 < ordex> so it has to be a bit generic
00:28 < ordex> this is pretty common - also on my gentoo it works in a "similar" way
00:29 < DeathShot> just because its common, doesn't mean its good.
00:29 < ordex> DeathShot: you are just saying that you did not want to read :P which is ok
00:29 < DeathShot> This is bad programming. Maybe in the 90s this was okay.
00:29 < DeathShot> I read it
00:29 < DeathShot> like three times
00:29 < DeathShot> I didn't understand it because it was hard to read
00:29 < DeathShot> however
00:29 < ordex> well, yeah, having it working out of the box would also probably be a good idea
00:29 < DeathShot> even though I missed it
00:29 < DeathShot> doesn't make this a good script
00:29 < ordex> then send a patch :)
00:30 < ordex> but not sure to whom
00:30 < DeathShot> and ordex this still doesn't answer one very simple question
00:30 < DeathShot> if you don't change the NAME to openvpn it doesn't accept custom values, okay, I get that.
00:30 < DeathShot> Where on earth did it get the default value though?
00:31 < DeathShot> because it wasn't from that damn script
00:31 < DeathShot> or anything that script referenced from within
00:31 < ordex> you mean the "openvpn.conf" that it was tyring to pass by default ?
00:31 < ordex> *trying
00:31 < DeathShot> because I looked for openvpn.conf in all of those
00:31 < DeathShot> and I couldn't find a single reference to that
00:32 < DeathShot> but you are right that if I had read it better it would have solved me a lot of issues. As soon as I put it into paste bin I understood that comment much more clearly
00:32 < DeathShot> because its a nicer font and better colors
00:32 < ordex> ah now I get what you meant about the colors
00:32 < DeathShot> I should invert colors on putty I wonder how I do that
00:33 < ordex> somewhere in the settings I saw it once .. but I don't use putty since ages - sorry :(
00:35 < DeathShot> issue is actually that I'm running mtputty and its sessions are seperate from putty sessions
00:38 < DeathShot> fixed my colors
00:38 < ordex> :)
00:38 < DeathShot> putty is a crappy program, I can't wait for Microsoft to fix some more kinks in Windows 10's native ssh client
00:38 < DeathShot> well not crappy
00:38 < DeathShot> its very outdated design
00:39 < DeathShot> and for some reason its improvements seem to warppers and not actual stand alone programs
00:39 < DeathShot> I'm just mad at everything at this point
00:39 < DeathShot> took me an entire day to do something that shuold have taken 5 minutes
00:39 < DeathShot> oh well
00:40 < DeathShot> time for bed
00:40 < DeathShot> thanks ordex
00:42 < ordex> np
00:42 < ordex> good night !
01:58 < zomaar> anyone recognise that learn-address is called on an internal host behind a client that I access? I have a client with IP 10.8.0.24 which is my VPN subnet. Behind that client there is a subnet 10.5.0.0.
01:59 < zomaar> now when I access a host on that subnet through the routing I have for it on the vpn server, this host is ... learn-address is called on it with the same common name as the client.
02:00 < zomaar> so originally learn-address was called on say "client / 10.8.0.24" and because I have an iroute for 10.5.0.0, also on "client / 10.5.0.0" and now when I access 10.5.0.1, it also gets a learn-address call with the same common name.
02:03 < zomaar> as a consequence because the learn-address script is fed to a dns server the new IP now replaces the old IP for that host, since I am using the common name as a hostname.
02:04 < zomaar> is there any way to prevent openvpn from calling learn-address on these "accessed" hosts?
02:12 < mbwe> What could be the cause for a received, client-instance restarting
02:38 < zomaar> mbwe: obviously the client instance is restarting? If your server receives that, then the client on the other side was restarting. I mean... ;-).
03:19 < mbwe> hi zomaar, yes that is the case, i think that the windows client did not start as administrator, but thanks zomaar
03:41 < zomaar> mbwe: there are just a million reasons why a client could restart. They can be actions by the client itself (the user), etc. etc., so just the fact that your server receives this message is just indicative of the message system working; of your server being notified of some event, it is not by itself indicative of some failure of any kind.
03:42 < zomaar> mbwe: so if you only share this message with us, here, that is not a lot of information to go by; apparentl you perceive something as a problem, but the message itself is not problematic.
03:43 < zomaar> mbwe: therefore without context it is impossible to know what you have been doing or why, and what is failing or why, and if anything is failing at all, you see.
03:53 < zomaar> I found that learn-address is apparently called on these 'internal' hosts in order to possibly effectuate firewall rules; and that if my script exits negatively the connection will also not be established (for the iroute directive)...
03:53 < zomaar> basically the learn-address script seems to be something like "Is this connection okay or not?"
03:54 < zomaar> and is required to exit 0 for the connection to be established.
04:05 < zomaar> but in fact, these "learn" actions *keep* getting called.
04:42 < nohitall> I am failing to setup openvpn serve ron debian, I can start it but its not running, and produces no log either, any idea how to get some info on what the issue is?
04:43 < nohitall> systemd says server is running just fine but its not at all
04:43 < nohitall> if I try manual I just get Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: config-file
04:43 < nohitall> using Sample OpenVPN 2.0 config file
04:52 < nohitall> nvm working now, forgot to load tun module *facepalm*
04:56 < ordex> :D it can happen
04:57 < ordex> but I am sure debian was logging the error somewhere
04:57 < ordex> (just for the future)
05:00 <+hyper_ch> hmm, tun module should be autoloaded on debian
05:03 < nohitall> man
05:04 < nohitall> on client I always get "unrecognized/missing on line1"
05:04 < nohitall> but its the default client sample, all I did was to edit the IP
05:04 <+hyper_ch> pastebin
05:05 < nohitall> http://pastebin.com/raw/XRCvHMb3
05:05 < nohitall> why line1, line1 is ############### :D
05:05 <+hyper_ch> doesn't look like a config file
05:05 < nohitall> I just tld you its the default sample
05:06 < nohitall> https://raw.githubusercontent.com/OpenVPN/openvpn/master/sample/sample-config-files/client.conf
05:06 < nohitall> this
05:06 <+hyper_ch> that's not the file on your system
05:06 <+hyper_ch> but whatever
05:06 < nohitall> yes it is
05:06 < nohitall> only added server address\
05:06 <+hyper_ch> good luck
05:07 < nohitall> not sure what you want from me, I wget'd the file, its identical
05:07 < nohitall> just that error makes no sense
05:09 < nohitall> would be nice to get some verbose out of that, the error ain't helpful
06:02 < fling> Can't I set ip rules with openvpn config?
06:04  * fling wired it to lo network scipts intsead :>
06:05 < fling> Can't I set up routing table for --route?
06:05 < fling> Is it only adding to main?
06:12 <+hyper_ch> !push > fling
06:12 <+hyper_ch> !push
06:12 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
06:16 < fling> hyper_ch: without push
06:18 < fling> I can use up/down!
06:27 < fling> tcpdump: pcap_loop: The interface went down
06:27 < fling> hyper_ch: how to make it not to exit with a timeout?
06:30 < fling> Whooops
06:30 < fling> WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
06:30 < fling> But I don't have such things in the config ^
07:41 < rkzzy> I have this error when I use DHT in my torrent client https://forums.openvpn.net/viewtopic.php?f=4&p=67980#p67980
07:41 <@vpnHelper> Title: Recursive routing detected - OpenVPN Support Forum (at forums.openvpn.net)
07:42 < rkzzy> anyone have any idea how to fix it?
08:21 < ad^2> Anyone know if its possible to use nested group in Access Server for the purpose of simulating iptables jump targets for blocking?
08:22 < ad^2> I'm using sacli to create all my rules and have a common rule to deny all groups SSH to a specific subnet.
08:23 < ad^2> There are subset of servers on a subnet that should not be accessible via ssh but the rest on the subnet are allowed. My though was to create a specify deny_group and add this group to the other groups.
08:24 < ad^2> ex. sacli --user Block_Users --key access_to.# --value "+GROUP:Deny_Servers" UserPropPut
08:24 < ad^2> It does not work as expected.
08:26 < nohitall> hi again, I wonder if I push a route with the range that the vpnserver itself is on, that doesnt work, since its breaking the connection, whats the best way to do that? maybe I am thinking too complicated
08:32 <@ecrist> nohitall: you need to use a separate IP range for internal addressing
08:35 <+DArqueBishop> ad^2:
08:35 <+DArqueBishop> !as
08:35 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
08:37 < nohitall> ecrist: not internal, internal is different obviously, but the idea is to use the VPN to allow ssh access on the IP range, but the machine where its on is itself on that range which seems the problem
08:38 < ad^2> @DArqueBishop, ACK. thx.
08:38 < nohitall> only thing coming to my mind is to split the route with netmasks up...but thats crazy
08:49 < Egyptian[work]> hi - how do i tell the openvpn server to push new routes that are added _after_ the client connects ?
08:49 < Egyptian[work]> or get the client to periodically ask for new routes without disconnecting?
08:51 < nohitall> doesnt it require server restart to load new routes from config? thus the client would reconnect and grab them?
09:46 < monsterco> is it possible to setup openvpn server/client access using a username/password instead of certificate files? I see an option like this for client on Mikrotek router which I want to use but not sure how to setup my openvpn server side to accept this.
10:00 < Neighbour> Yes, and the Mikrotik website has the info for this
10:59 <@ecrist> nohitall: that is a problem - you need to provide a VPN-routable IP on that host.
10:59 <@ecrist> OR set a bunch of /32 routes to the individual systems
11:00 <+hyper_ch> hi ecrist
11:00 <@ecrist> hello hyper_ch 
11:05 <+hyper_ch> ecrist: can you explain this to me:  https://paste.simplylinux.ch/view/4f29cb95    rsa seems to be faster with verifying while ecdsa is faster with signing... so for openvpn, is more signing or verifying required?
11:07 <@ecrist> well, I would prefer the signing side, particularly in the case of OpenVPN
11:08 <@ecrist> A single server has to process all client connections, whereas each client only processes it's own traffic.
11:08 <@ecrist> so, Anything you can do to speed up the server side of things will have an overall larger performance gain for the entire vPN
11:09 <+hyper_ch> I see
11:09 <+hyper_ch> I just wasn't sure when "signing" is done and when "verifying" is done
11:09 <+hyper_ch> also, I thought to remember krzee wanted to write a patch that will enable the server to establish a tunnel between two clients, so that not all traffic has to go through the server
11:10 <@ecrist> that's quite a bit harder to do.
11:12 <+hyper_ch> I know
11:13 <+hyper_ch> https://forums.openvpn.net/viewtopic.php?t=141  -  by krzee » Mon May 11, 2009 9:31 am
11:13 <@vpnHelper> Title: Idea for direct connections - OpenVPN Support Forum (at forums.openvpn.net)
11:13 <+hyper_ch> and you were against it!!!!
11:18 < nohitall> ecrist: the weird thing is it works on OSX systems, but not on my linux, same routing table, very weird
12:45 -!- Vampire0_ is now known as Vampire0
14:14 -!- s7r [~s7r@openvpn/user/s7r] has quit [Read error: Connection reset by peer]
14:30 < KNERD> possible to do a client-server setup on one machine?
14:30 < KNERD> Let's say I wanted to make a chain/tree of machines connected together
15:49 < pdobrogost> Hi all!
15:50 < pdobrogost> Is this possible to run OpenVPN as a systemd _user_ service?
16:00 < redrabbit> when you setup openvpn does KEY_COUNTRY and other KEY_ values matter ?
16:00 < redrabbit> does leaving them to defaults it fine
16:01 < redrabbit> KEY_PROVINCE,KEY_CITY,KEY_ORG....
16:37 <@Eugene> Not really. Those values are used to populate the x.509 felds in your certificate
16:37 <@Eugene> You can set them to whatever you want
16:37 <@Eugene> The fields that matter are the Common Name(CN=)
16:58 < redrabbit> # export KEY_CN="CommonName"
16:58 < redrabbit> i see its commented by default
16:58 < redrabbit> should i mess with it ? i guess no
17:10 < rizonz> does anyone know a way to create a portable client ?
17:11 < rizonz> driver is no issue, I have admin rights
17:36 <@Eugene> What do you mean by "portable client" exactly? A rollup installer?
17:58 < |Mike|> Q: dual authentication possible? Certs & l/p possible?
18:04 <@syzzer> |Mike|: if l/p means "username/password", yes
18:54 < stavr> hi! If anyone could provide some directions on the following problem, it would be much appreciated: I have configured a Tun openvpn server (ubuntu) behind my home router. Now I have no problem establishing a connection to that server on my LAN but when connecting from my public ip, as soon as the VPN server is up, disregarding any port forwarding r
18:54 < stavr> ule on the router side, all ports on my server appears to be closed.
18:55 < stavr> Note that: there is no port forwarding issue on the router's side (when stopping the open vpn service, I can connect just fine to the forwarded ports)
19:01 <@Eugene> |Mike| - you've been asking(and been told), yes, you can do this
19:01 <@Eugene> --client-cert-not-required is a good starting point in the man page
19:01 <@Eugene> Go read
19:20 < Kniaz> !welcome
19:20 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
19:20 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
19:20 < Kniaz> !goal
19:20 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:47 -!- r00t^2 is now known as jth4n
19:48 -!- jth4n is now known as r00t^2
20:01 < ordex> morning
20:12 < Kniaz> how can I clear all the keys from the server?
20:12 < Kniaz> I want to disable all the old clients connections
20:19 < Kniaz> !howto
20:19 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
20:24 < ssalevan> hey there, I was wondering if I could ask a quick question.  i've set up an OpenVPN server on an Amazon EC2 instance which successfully stands up and have tested that clients can connect to it successfully.  however, after i do so, the server running OpenVPN seems to have issues routing connections out, and even more weirdly, running netstat -r and iptables -L takes a very long time
20:24 < ssalevan> this is my current openvpn config: https://gist.github.com/ssalevan/f210142a229ff68fa515871a2ede7a22
20:24 <@vpnHelper> Title: gist:f210142a229ff68fa515871a2ede7a22 · GitHub (at gist.github.com)
20:25 < Kniaz> is this a correct file for openvpn client installation on windows 10?  openvpn-install-2.4.0-I602.exe
20:26 < ssalevan> i've disabled source/dest check on my ec2 instance's network interface, have executed 'iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o eth0 -j MASQUERADE' and ensured that net.ipv4.ip_forward=1 is set
20:26 -!- Vampire0_ is now known as Vampire0
20:27 < ssalevan> has anyone else run into an issue like this?
20:31 < ssalevan> here's the output of the netstat and iptables commands as well: https://gist.github.com/ssalevan/e81c8f9cb95a62c9d8bc06df46eaac26
20:31 <@vpnHelper> Title: gist:e81c8f9cb95a62c9d8bc06df46eaac26 · GitHub (at gist.github.com)
20:40 -!- MuffinMedic is now known as mrmuff
20:40 < ordex> ssalevan: I have never seen this issue
20:40 -!- mrmuff is now known as MuffinMedic
20:40 < ordex> ssalevan: does thi happen also when NAT/forwarding is off ?
20:41 < ordex> is just the iptables/netstat command that is slown down or the entire EC2 becomes somewhat unresponsive ?
20:42 < ssalevan> so, when i kill openvpn, everything becomes responsive again.  it looks like anything involving network activity results in a slowdown
20:42 < ssalevan> i am suspicious that there is a bad route being set somewhere in my routing table
20:42 -!- MuffinMedic is now known as MrMuff
20:42 -!- MrMuff is now known as MuffinMedic
20:51 < ordex> ssalevan: or maybe a loop
20:51 < ordex> that's why I suggested to deactivate the forwarding for starters
20:53 < ordex> although I don't see anything clearly wrong in your output
20:53 < ssalevan> gotcha, so i've disabled forwarding from the kernel's perspective, is there a way to do that from the openvpn config as well?
20:53 < ordex> push "route 10.0.0.0 255.255.0.0" << I don't think this is required
20:53 < ordex> nope, forwarding is just handled in the kernel
20:54 < ssalevan> cool, so i've done so and removed that line, restarted the openvpn server; looks like the issue still persists
20:56 < ssalevan> i ran an strace on ping to see if i could find anything interesting:
20:56 < ssalevan> https://gist.github.com/ssalevan/40e2d2a30af2c99f20f9f8fe84eccc1a
20:56 <@vpnHelper> Title: gist:40e2d2a30af2c99f20f9f8fe84eccc1a · GitHub (at gist.github.com)
20:57 < ssalevan> looks like it's able to connect to a socket but doesn't seem to be getting a response back
20:58 < ordex> when you have this slow down, does top show any process with huge load ?
20:58 < ordex> top/ps
20:58 < ssalevan> nah, CPU load is very minimal right now
21:01 < ssalevan> interesting, so if i get rid of the following route, things seem to return to normal:
21:01 < ssalevan> 10.0.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
21:02 < ssalevan> amazon maintains a gateway at 10.0.0.2, i wonder if we're just blocking routing out to it
21:08 < ordex> well, you are using 10.0.0.0/16 in the VPN, no ?
21:08 < ordex> this does not sound really good :P means you are using overlapping subnets in two networks you are connected to, no?
21:08 < gh16ito> !goal
21:08 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:09 < gh16ito> Is there a way to determine the expiry dates of my certificates?
21:09 < ordex> ssalevan: ^^
21:09 < ssalevan> ordex: yes indeed, my VPN is for the 10.0.0.0/16 subnet
21:10 < gh16ito> Something is wrong with my certs, but I'm not sure what it is.
21:10 < gh16ito> Just want to see which ones have expired (user or server), and presumably renew the one that expired.
21:10 < ordex> gh16ito: openssl can do that: openssl x509 -text -in $certfilename
21:11 < ordex> ssalevan: yap, that sounds bad :)
21:11 < ssalevan> ordex: gotcha, i'll investigate that.  thanks very much for your help!
21:11 < ordex> ssalevan: np, you found it on your own :)
21:11 < gh16ito> ordex: Thanks!
21:11 < ordex> gh16ito: np!
21:11 < ordex> ssalevan: my suggestion: just use another subnet for the VPN - should be easy, unless you have anything depending on that
21:12 < ssalevan> i'll definitely try that
21:12 < fling> Can't I connect ipv6 addresses with openvpn?
21:13 < ordex> fling: not sure what yu mean with "connect", but openvpn can connect "over" IPv6 and can also encapsulate IPv6
21:13 < fling> over
21:13 < ordex> so the answer should be "yes, it can" probably
21:13 < ordex> yup
21:14 < fling> it is trying to resolve the address thinking it is a domain name
21:15 < ordex> if it is a pure IP, it should properly use it
21:15 < ordex> what version of openvpn are you using ?
21:15 < fling> 2.3.12
21:15 < ordex> mh, I think something changed in 2.4 and made this entire thing easier
21:15 < ordex> I am not very familiar with 2.3.x
21:16 < ordex> are you using tcp6 or udp6 as proto? (assuming this was supported back then)
21:17 < fling> udp6
21:17 < fling> ahh
21:18 < fling> I need to fix my config! thanks.
21:18 < ordex> np!
21:18 < fling> Can't I have both udp and udp6 in the config?
21:18 < fling> For example if I have two remotes used in round robin fashion and some of them are ip6
21:18 < ordex> mhh with 2.3 I think there were some issues with this
21:19 < ordex> in 2.4, using udp (or udp6 - can't remember which of the two) will provide dual-stack support
21:19 < fling> Great!
21:19 < fling> Any other config changes needed?
21:19 < ordex> this is also true for the server: it can listen in a dual stack fashion
21:19 < ordex> don't think so
21:19 < ordex> but you will find out after the upgrade :-P
21:20 < fling> Then I will try upgrading one-by-one
21:20 < fling> haha :D as usual
21:20 < gh16ito> Hm, not entirely sure how to update the certificate expiry here.
21:20 < fling> Can you update the expiry date?
21:20 < ordex> gh16ito: not sure you can to be honest (although I am not extremely expert of x509). I'd rathe re-issue a new certificate
21:20 < gh16ito> Hm.
21:21 < fling> Exactly.
21:40 < ssalevan> ordex: flipped the VPN IP range to one that didn't conflict, fixed everything up.  thanks so much again!
21:41 < ordex> ah cool ;)
21:41 < ordex> np
21:50 < gh16ito> If I already have a CA, what's the process for creating new server and client certs?
21:50 < gh16ito> I can only get as far as creating CSRs.
21:50 < gh16ito> But I think I need CRTs.
22:26 < ordex> gh16ito: yap, CSR is the request, then you need to convert it to cert
22:26 < ordex> gh16ito: on openvpn.net there are some guides/tutorial on how to do that usng easyrsa
22:26 < ordex> can't remember the commands by heart
22:26 < gh16ito> Yah, I actually think I got it handled.
22:26 < gh16ito> Using openssl not easyrsa.
22:27 < Kniaz> hi again. I am trying to connect to my openvpn server but I am getting the following error on the client side http://pastebin.com/fcmsGP7i
22:27 < Kniaz> TLS Error: TLS handshake failed
22:27 < Kniaz> any hints on what I can check?
22:28 < Kniaz> on the serve side in the logs I see this TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
22:31 < Kniaz> something with the firewall?
22:31 < Kniaz> I can telnet on port
22:38 < gh16ito> Hm, I'm getting the same thign.
22:39 < Kniaz> gh16ito: where you able to connect to your vpn server before or is this the first time?
22:39 < ordex> tls-auth issue ?
22:40 < gh16ito> Kniaz: I've always been able to do it, but then my server cert expired.
22:40 < Kniaz> how can I check if the cert server is still valid?
22:40 < gh16ito> So I installed a new server-cert and created a new client cert and it seems like it should be working, but I'm getting the same thing.
22:48 < fling> WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
22:48 < fling> And it fails
22:48 < fling> But I don't have such directives in the config ^
23:10 < gh16ito> I have no idea why this isn't working.
23:10 < gh16ito> It's super frustrating.
23:23 < fling> added persist-key and the error disappeared
23:23  * fling is waiting for a crash
23:24 < gh16ito> fling: Added persist-key where?
23:36 < fling> gh16ito: to the config
23:36 < fling> D'ho!
--- Day changed Wed Feb 22 2017
02:20 -!- def_jam is now known as eb0t
06:20 < nohitall> I am frusted by an issue, if the IP of the vpn server is on a range that gets pushed to be routed via the VPN it shuld break right? becaues it would loop
06:29 < nohitall> but with an existing server with the identical server/client it works for w/e reason
06:29 < nohitall> and it doesnt make any sense
07:31 < Kniaz> what is the command to check when the ca cert expires?
08:00 < hoper> Hi everybody
08:02 < hoper> small question about openvpn in bridge mode (tap interface)
08:03 < hoper> Got a client, a server. Cnx is OK, the client can send paquet to the server, or server behind him
08:03 < hoper> But, from the server, I can't ping the client
08:03 < hoper> How to make this vpn "bi directional" ?
08:11 < hoper> nobody is using openvpn with tap ?
08:11 <+hyper_ch> yes
08:11 <+hyper_ch> !tunortap
08:12 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
08:12 <@vpnHelper> rooted/jailbroken) support only tun
08:18 < hoper> In fact, the reason I choose tap is that I need to see the source IP of the PC in my LAN...
08:18 < hoper> I have a lan, with locals adresses (say 10.X)
08:19 < hoper> I want to connect this lan to another server on the net
08:19 < hoper> So I want a vpn between the gateway of the lan, and this server on internet
08:20 < hoper> But, on this server, I need to be abble to see the src IP (10.X) of all the client on the lan
08:21 < hoper> With tun interface, I only see the IP of the gateway. That's not my need
08:22 < hoper> So I begin to test with tap interface. And it's seems to work better... tcpdump show me the src IP I want to see
08:22 < hoper> Problem is : nothing can go "back" throught the tunnel
08:23 < hoper> To put it simply : Got a client with tap, got a server with tap
08:23 < hoper> When the client is connected, he receive an IP. (but there is none on the server on the newly created tap interface)
08:24 < |Mike|> Eugene: Sorry, I couldn't scroll back high enough and forgot to set /away to catch the hilights ;)
08:25 < nohitall> anyone an idea how to debug inactivity issues? it seems my connection fails after a few minutes
08:26 < |Mike|> nohitall: more info?
08:27 < hoper> But then, the server can't ping the ip on the client (gateway).
08:28 < |Mike|> hoper: you're tying to reach a lan network behind a certain client?
08:32 < nohitall> |Mike|: I have 2 openvpn machines, 1 is the old, 1 new, the have both the same iptables config, the same server/client config, but on the new one I get no proper routing + connection fails after a few minutes with inacitivty timeouts
08:33 < |Mike|> !logs
08:33 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
08:33 < hoper> |Mike|: No. I just need to connect a lan to another lan
08:34 < hoper> |Mike|: I thought I could do this with just a client and a server, but I begin to wonder if I need both end to act as client AND server (and start a conexion at both end)
08:37 < nohitall> |Mike|: http://pastebin.com/raw/bRfnXWZp
08:37 < nohitall> begin to wonder if its not openvpn issue since the server/client configs are the same
08:41 < |Mike|> nohitall: so your client isn't able to connect to the server. Are you connecting to the right server?
08:41 <+DArqueBishop> <hoper> In fact, the reason I choose tap is that I need to see the source IP of the PC in my LAN...
08:41 < nohitall> |Mike|: no it does succesfully, but after 5min it fails to connect again and then it times out
08:41 < |Mike|> have you tried to connect with a disabled firewall?
08:42 < nohitall> on the new one is not firewall active, only NAT setting for postrouting
08:42 <+DArqueBishop> Unless I'm missing something, if you're not using SNAT on the VPN server you would be able to see the source IP address using tun as well.
08:43 < |Mike|> nohitall: how's the connection in general withouth a vpn in between?
08:43 < nohitall> fine, also imusing TCP
08:43 < nohitall> no packetloss
08:44 < nohitall> but it completelys fails to reconnect after a while
08:44 < |Mike|> could you pastebin the server and client config?
08:44 < nohitall> although I am just told its different for collegues so might be local problem
08:44 < nohitall> but routing aint working either past the VPN, not sure why
08:44 < |Mike|> the client is using a firewall?
08:45 < nohitall> do I need anything else but postrouting entry to send the traffic out over eth0 on the server?
08:45 < nohitall> |Mike|: no firewalls in between there
08:46 < |Mike|> nohitall: you've a line what looks like this: -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE ?
08:47 < nohitall> -A POSTROUTING -s 192.168.250.0/24 -o eth0 -j SNAT --to-source xxx.xxx.xxx.xxx do the same? I tried both versions
08:47 < nohitall> should be all for postrouting right?
08:48 < |Mike|> 192.168.250.0/24 is your vpn subnet, correct?
08:49 < nohitall> yea
08:49 < nohitall> one sec I show u sserver conf
08:50 < |Mike|> !logfile
08:50 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
08:50 < nohitall> |Mike|: its pretty standard http://pastebin.com/raw/2quTQFLC
08:51 < |Mike|> Could you set verb to 6 and have a look at the server config?
08:52 < |Mike|> eh, server logs*
08:52 < nohitall> k
08:53 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
08:53 -!- mode/#openvpn [+v s7r] by ChanServ
08:56 < nohitall> yea ping fails after a while
08:56 < nohitall> causing server trying to reinitiate I guess
08:57 < |Mike|> What's in /var/log/openvpn.log?
08:58 < nohitall> one sec its still running,but ineresitnly the log still shows the same even though client already disconnected
08:58 < nohitall> server still sending tcp packets to client
08:59 < nohitall> |Mike|: ended like that http://pastebin.com/raw/9H0wRYXV
08:59 < nohitall> 5min before same tcp lines
08:59 < nohitall> client reported failure to communicate too
09:00 < nohitall> usually about 5min after initiation, then ping stops working and vpn connection timesout
09:02 < nohitall> but more important would be the routing failure, other clients dont have the timeout issue but vpn doesnt work properly, as in I can't reach any machines from the serve host
09:02 < nohitall> but I only remember using the postrouting line as you said, not sure what else
09:07 < nohitall> kind of out of ideas on this
09:07 < nohitall> could tcpdump that connection issue but the routing problem is more important as long as others can use it
09:14 < nohitall> |Mike|: any ideas left?
10:09 < niconiconi> hello? plz help me, I'm setting up a simple routed VPN, but OpenVPN redirects 127.1.0.2 to LAN gateway with redirect-gateway def1 bypass-dhcp...
10:09 < niconiconi> how can I stop OpenVPN from doing that?
10:10 < niconiconi> I think OpenVPN doesn't want to route 127.1.0.2 through VPN, it is good, but net_gateway won't able to route it neither...
10:18 -!- allizom1 is now known as allizom
10:21 < niconiconi> okay I'm going to workaround the problem by setting up the routes by myself instead of redirect-gateway...
10:26 < niconiconi> I think what actually has happened was OpenVPN trying to whitelist the server itself, unfortunately the server IP was 127.2.0.1, redirecting it to net_gateway breaks it...
10:26 < niconiconi> s/2.0.1/1.0.2/
10:32 < ordex> niconiconi: that's because openvpn tries to keep a valid route going towards the vpn server
10:32 < ordex> andnot break it after setting a new default
10:32 < niconiconi> yes I know
10:33 < ordex> niconiconi: if you check the man for --redirect-gateway it will tell you how to avoid that
10:35 < DArqueBishop> 127.1.0.2?
10:35  * DArqueBishop blinks.
10:37 < niconiconi> I'm using different subnets on 127.x.x.x to isolate different services, better to manage than ports
10:37 < DArqueBishop> ...
10:38 < niconiconi> ordex: thx, apparently the "local" flag does it, I have overlooked it.
10:38 < DArqueBishop> You ARE aware that 127.0.0.0/8 is the loopback interface, right?
10:38 < ordex> cool!
10:41 < niconiconi> for some reasons it is still not routing traffic at all, though I think I could manage it solve by myself... maybe it's the firewall...
10:48 < niconiconi> just discovered my stupid mistake, while 127.1.0.2 is clear, it is a forwarder to a real server on the internet anyway, I need to route that server through net_gateway.
10:49 < niconiconi> now '
10:49 < niconiconi> now I'm connected within the VPN
10:49 < niconiconi> ordex: thanks for reminding me the doc.
10:49 < ordex> np
12:53 <+hyper_ch> krzee: http://seclists.org/oss-sec/2017/q1/471
12:53 <@vpnHelper> Title: oss-sec: Linux kernel: CVE-2017-6074: DCCP double-free vulnerability (local root) (at seclists.org)
12:55 < par> Hi - are there any known bugs with the current OpenVPN Connect client? I am getting VERIFY FAIL CERT_NOT_TRUSTED. The certs work just fine on mac/linux/windows though
12:55 <+hyper_ch> what's the openvpn connect client?
12:56 < par> the Android one
12:56 < par> sorry for not clarifying
12:57 <+hyper_ch> using openvpn connect 1.1.17 build 76
12:57 <+hyper_ch> works without issues
12:57 <@Eugene> Its almost surely not a bug in the client, but something you didn't setup right with your connection
12:57 <+hyper_ch> I integrate just 1 file that also contains all certs and dh inline
12:58 < par> I am trying to get a more meaningfu error, but no success
12:58 < par> Im using identical .ovpn I use on tunnelblick/network manager(ubuntu)/windows openvpn
12:58 < par> with inline CA inside the file
12:59 < par> other android clients work, just not the "official one"
12:59 < par> the only difference I can find that it uses PolarSSL
12:59 < par> and not openssl
13:00 <+hyper_ch> par: my little scrip to build the config files:  https://paste.simplylinux.ch/view/69c279b9
13:01 < par> well it's definitely not the .ovpn issue, as the same file works on all other clients just fine?
13:01 <+hyper_ch> certainly not oepnvpn connect issue as I use it on multiple devices without problems ;)
13:03 < par> it seems like an issue with the server cert maybe, what Signature Algorithm are you using for the server cert?
13:03 <+hyper_ch> depends what you mean by signature algorithm
13:03 < par> your server x509 cert signature algo
13:04 < par> i.e, sha256WithRSAEncryption
13:04 <+hyper_ch> no idea, just used easy rsa and issued 4096bit cert
13:05 < par> openssl x509 -in server.crt -text -noout
13:06 <+hyper_ch>     Signature Algorithm: sha1WithRSAEncryption
13:07 <+hyper_ch>             Public Key Algorithm: rsaEncryption
13:07 <+hyper_ch>                 Public-Key: (4096 bit)
13:08 < par> ty
13:09 <+hyper_ch> my conf gen works with afore mentioned openvpn connect app
13:16 < par> yeah but it's almost surely not a config issue, it seems like polarssl is not trusting the cert provided by the server
13:16 < par> for some reason
13:23 < Kniaz> hi. what is the command to check when the ca cert expires on the server side?
13:24 <@Eugene> You can examine certs with `openssl x509 -text -in <cert file>
13:26 <@Eugene> You can verify validity with `openssl verify -CAfile ca.crt <cert file>`, which includes a date check
13:38 < par> I am refering to this https://github.com/Nyr/openvpn-install/issues/236
13:38 <@vpnHelper> Title: PolarSSL: SSL read error : X509 – Certifcate verification failed, e.g. CRL, CA or signature check failed · Issue #236 · Nyr/openvpn-install · GitHub (at github.com)
13:39 < par> if this is something current
13:47 < mjt> why openvpn still requires that on windows, ifconfig ip addresses are in the same /30 subnet?
13:49 < chipitsine> it depends on "topology" option
13:49 < chipitsine> default if "net30"
13:50 < mjt> the source checks for /30 for tun device
13:50 < mjt> regardless of topology
13:52 < mjt> i'm trying to rebuild openvpn with this check removed, but since I haven't done this before, it's not exactly trivial.. installed mingw, built openssl, built lzo, extracted tap-windows.h, built openvpn.exe... now running it on windows, it complains it can't find libeay32.dll
13:55 < mjt> oh. got it working
14:55 < Kniaz> Eugene: thanks
16:35 -!- allizom1 is now known as allizom
16:44 < mikenasr> hello
16:44 < mikenasr> !welcome
16:44 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
16:44 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
16:45 < mikenasr> !goal
16:45 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:49 < mikenasr> !goal, I am setting up site to site vpn, my server is configured correctly however the client with basic configs keep on asking that i need to specify me --dev tun interface, however "dev tun" is stated inside the configuration file, used to work before now its not, command run on debian vpn is "openvpn --config client.conf  , client basic configuration is "remote <serverip> <serverport> udp, dev tun, ifconfig <iplocal> <ippeer>, secrect static.key"
16:55 < rob0> okay, strictly speaking that's not a client.  Is the corresponding peer process running and reachable?  Add "verb 4" and try again -- running in foreground.  Then pastebin the error.
16:56 < mikenasr> yes reachable, the command is failing before initiating
16:57 < mikenasr> same with verb 4, Options error: You must define TUN/TAP device (--dev)
16:59 < rob0> I guess there's a problem with your config file
16:59 < mikenasr> added "client" in the top of the configuration file and tried, still asking for dev, tired --mktun --dev tun0 , dev is up so no issues with modules, a normal openvpn client configuration file ( with tls working )
16:59 < rob0> it is NOT a client
16:59 < mikenasr> yep
16:59 < rob0> no
16:59 < mikenasr> i mean yep its aconf file issue :)
17:00 < rob0> "dev is up"?
17:00 < mikenasr> i used the basic client configuration file from https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
17:00 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
17:01 < mikenasr> when i do openvpn --mktun --dev tun0 .... , then ifconfig -a, i can see the tun0 adapter, so their is no issues with drivers
17:02 < mikenasr> how can i stat its is a client , other then the "client" string in the configuration files?
17:02 < rob0> "client" is not applicable
17:02 < rob0> I started off saying that, said it twice moree, it's still true
17:03 < rob0> server/client is the TLS thing with multiple client capability
17:05 < mikenasr> yes your right, in terms of literally speaking, however i am used to working with pfSense, and thats where id do the config file
17:06 < mikenasr> anyway, i do understand what you mean and we both agree on that
17:06 < mikenasr> do you have a sample basic config file for openvpn site to site preshared key?
17:08 < mikenasr> i have a n openvpn configuration ready on pfsense side, the one i am configuring now is the other end on another server ( debian )
17:08 < mikenasr> and the link provided by  openvpn.net ( stated earlier ) is not working
17:09 < mikenasr> the examples their are not enough, something is missing
17:17 <@dazo> mikenasr: configuring site-to-site with preshared key is drop dead simple if you just read the docs we have
17:17 <@dazo> !howto
17:17 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
17:17 <@Eugene> Reading is so hard though
17:19 <@dazo> mikenasr: from the #1 in the !howto factoid, you can find the way to https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html  by clicking on "Examples" in the menu to the left
17:19 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
17:20 < mikenasr> hehe, guys i am sorry for the inconvinience, been working with openvpn for several years, i know this, and just figured out my mistake due to my headache setting up more the 40 routed vpn sites today, it was so stupid, i was using --client instead of --config as commad option
17:20 <@dazo> Such a tunnel is by all means the simplest tunnel ... but it is also the least secure one
17:21 < mikenasr> yes it is, will switch to SSL/TLS after making sure everything is working properly
17:22 < mikenasr> thanks anyway , embarrassed
17:22 < rob0> aha, so all my "not a client" stuff was on the mark
17:23 < mikenasr> i tought you were regarding my explanation :D
17:23 < mikenasr> exactly
17:23 < rob0> :)
17:31 < mikenasr> since you guys are here would like to benefit from you experience, i have 1 vps, and 40 different sites ( decentalised ) i was using cient/server SSL/TLS to connect them, ( 1 server , multiple clients ) , now i switched to sitetosite setup, ( 1 client 1 server so do seek ), for each one of the 40 sites, seems better cause we need trafic shaping and some restriction on level of vps, my main concern is to route the lans properly behind each site, so my ques
17:31 < mikenasr> tion is wich method would be the best ( most stable and proper ) for thsi kind of setup?
17:32 < mikenasr> i can see that sitetosite is faster, is that true?
17:33 <@dazo> peer-to-peer ("site-to-site") with static key might be faster, as it does not carry the TLS overhead ... *but*  it does not give you perfect forward security (PFS), so if the static key is leaked - any saved VPN traffic using that key can be decrypted and replayed
17:34 <@dazo> *but* it is possible to use peer-to-peer using TLS ... just add --tls-server and --tls-client on each of the sides
17:34 < rob0> which might not be much of a concern unless you anticipate the possibility of a state-level attacker?
17:34 <@dazo> (with the appropriate keying material)
17:35 < rob0> how much overhead do you think the TLS would add?
17:35 <@dazo> well ... it depends on the cipher used as well .... but having a re-keying every now and then is a good safety measure, regardless
17:36 <@dazo> I honestly don't know ... the key exchange takes most time ... so using 2048 bit keys helps improving that
17:36 <@dazo> but once the key exchange is done, the performance should be comparable
17:36 < rob0> What I did with a 6-node mesh and static keys: a cron job to create and distribute new static keys every week.
17:36 <@dazo> well, there is one important change with TLS and without .... the wire packets are different
17:37 < mikenasr> yep, i will switch to tls thats for sure
17:37 <@dazo> non-TLS is basically just the tun/tap encrypted traffic
17:37 < rob0> indistinguishable from random data
17:37 < rob0> unless you have the key
17:38 <@dazo> in TLS mode ... the wire packets can be either control channel or data channel .... so there are a few bytes here
17:38 <@dazo> in addition
17:38 <@dazo> the control channel packets are essentially the TLS handshake traffic, push messages, ping packets etc
17:38 <@dazo> while the data channel packets are the encrypted tun/tap traffic
17:38 < mikenasr> ahan
17:40 <@dazo> but if you're switching to EC certificates ... the TLS handshake will also be somewhat quicker (smaller keys, which are essentially stronger than RSA with lower key length - when not considering post-quantum computing)
17:40 < mikenasr> so tls is a must *as i think* for a production use, what about the topology? client/server VS peer-to-peer?
17:41 <@dazo> well, peer-to-peer requires a single tun/tap device per site, which again means a single openvpn process per site
17:41 <@dazo> there is a stability advantage with that ... as if one openvpn process dies, others may survive so the disruption is smaller
17:42 < rob0> peer-to-peer won't have to send all packets through one single server
17:42 < mikenasr> exactly, more over you will be able to use interface level commands ( ip tables rules ) to fine tune
17:42 < rob0> so node-B and node-Q can communicate directly
17:43 <@dazo> performance wise there will also be a difference too, especially if many clients have lots of traffic ... --server/--client wil be saturated too ... OpenVPN is (still) a single threaded application, so each client have their "time slot" where they can send traffic
17:44 < mikenasr> strange how its still sing threaded right
17:44 <@dazo> on the other hand ... if you have lots of client-to-client traffic and don't want to filter that in iptables on the server ... you can add --client-to-client to the server config, which means inter-VPN traffic will never hit the OS kernel, so the openvpn process will just redirect the packets internally  (avoiding some context switches along the way)
17:44 < mikenasr> however i think its more stable that way
17:45 <@dazo> you don't have to care much about mutex and locks in a single threaded application :-P
17:46 <@dazo> well, remember that the current code basis of OpenVPN was written 15 years ago or so ... where dual socket single core servers where expensive beasts, so not that common ... so the benefit of multi-threads where not present
17:46 < mikenasr> yes i have used that on my old server, but now i have a more suitable one that has the processing power
17:46 <@dazo> so, in that sense ... multiple openvpn processes is also a benefit and can improve the performance as well
17:46 <@dazo> (openvpn processes can run on different CPU cores in parallel)
17:46 < mikenasr> hehe
17:47 < mikenasr> yes
17:47 < mikenasr> true
17:48 <@dazo> the plus side of --client/--server is mostly management wise ... less configuration to maintain.  But the minus is definitely performance first of all
17:48 <@dazo> (not just less configuration, but simpler overall configuration)
17:48 <@dazo> for p2p, it is basically the opposite
17:49 < mikenasr> yes once place to manage certs and subnets under one conf file, and using ccd to manage predefined clients
17:49 < mikenasr> thats what i was hoping for and its true
17:50 <@dazo> exactly
17:50 < mikenasr> p2p takes longer time to setup, however is think it is more suitable for my setup
17:50 <@dazo> well, you can probably automate much of it through ansible, puppet or similar tools
17:51 < mikenasr> i configured a client/server access server on same vps for clients with laptops and phones
17:51 < mikenasr> havint tried any of them, but will need to, thanks for the tools will deffinetly check them out
17:52 <@dazo> I find ansible the simplest one and requires no big infrastructure ... it just needs ssh access to the hosts you want to manage
17:53 <@dazo> ansible copies over all the stuff it needs on-the-fly to the remote host and performs the script ... plus it can manage multiple hosts in parallel
17:53 <@dazo> http://docs.ansible.com/ansible/intro_getting_started.html
17:53 <@vpnHelper> Title: Getting Started Ansible Documentation (at docs.ansible.com)
17:53 < mikenasr> nice
17:54 < mikenasr> checking it now
18:03 < mikenasr> @dazo, thank you for all the help, goin to sleep now
18:03 <@dazo> g'night!
18:04 < mikenasr> gd night :)
18:52 < |Mike|> nohitall: your pastebin got removed. Sorry.
18:52 < |Mike|> anyway, time to sleep!
22:01 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has left #openvpn ["Konversation terminated!"]
23:17 < stux> !welcome
23:18 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
23:18 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
23:19 < stux> !route
23:19 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
23:20 < stux> !tap
23:20 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the protocol
23:20 <@vpnHelper> uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
23:20 < stux> !sweet32
23:20 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
23:21 < stux> !ovpnuke
23:21 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
23:21 < stux> !poodle
23:21 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has, or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
23:21 < stux> !heartbleed
23:21 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl, or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised., or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected., or (#4)
23:21 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed, or (#5) http://xkcd.com/1354/
23:23 < stux> sorry for the spam, thank you for the links!
23:23 < stux> !1925
23:23 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
--- Day changed Thu Feb 23 2017
00:32 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
00:32 -!- mode/#openvpn [+v hyper_ch] by ChanServ
01:00 < commanderkeen> i have an openvpn server on a network (10.0.0.1/24) that a remote client connects to. how would I go about assigning this remote client an ip (say 10.0.0.50) and have machines on both side be able to communicate? any suggestions or tips?
01:07 <+hyper_ch> !lan
01:08 <+hyper_ch> you mean othe rcomputers in the same lan as the client shall also have access?
01:09 < commanderkeen> other machines on the LAN (same lan with openvpn server) can communicate with the remote client with an IP that appears on the same lan
01:09 < commanderkeen> is that possible?
01:10 <+hyper_ch> why not make them clients as well?
01:10 <+hyper_ch> and you can give a static ip to your clients
01:10 <+hyper_ch> !ccd
01:10 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
01:11 < commanderkeen> there are many computers on the LAN but only 1 remote that they need to talk to
01:11 <+hyper_ch> e.g. if the client cert name is "client1" then make a ccd directory and add a file "client1"
01:12 <+hyper_ch> and add:   ifconfig-push 10.x.x.x 25.255.255.0    as example
01:13 <+hyper_ch> as for the other computers talking to clinet - you have just to route accordingly
01:16 < commanderkeen> okay
01:16 < commanderkeen> I think I see
01:17 < commanderkeen> i will give it a shot
01:17 < commanderkeen> thanks for the help
01:22 -!- Vampire0_ is now known as Vampire0
05:04 < par> Hey. I'm using a chained certs system for openvpn (that, is the server is signed by intermediate cert, not the root CA). Client configs have root CA only, in them. It doesn't cause problems with any of the clients (mac, linux, windows) except for with Android app "Openvpn Connect". If I stick intermediate CA together with the root CA into the <ca> </ca> section, then the app works - trusts the cert, otherwise it complains the cert is not trusted". So my quest
05:04 < par> none of the other openvpn clients on any of the platforms require intermediate cert in <ca> section, only the root CA there is enough
05:16 < nohitall> im still stuck with my nonrouting vpn, postrouting rule for iptables is in but I can't get out anything, not sure what else to try
05:16 < nohitall> otherwise iptables is open
06:13 <+hyper_ch> par: tested my conf generator?
06:13 <+hyper_ch> nohitall: what do you want to achieve?
06:15 < par> hyper_ch: I havent no, sorry, but the issue is clear, it's not the config that is wrong, it's just that intermediate certs are needed in the client config for that particular app to work
06:15 <+hyper_ch> and I told you yesterday, the way I generate my cerst works with openvpn connect
06:15 <+hyper_ch> s/cerst/config files/
06:16 < par> I know, you're using easy-rsa to generate your own ca cert
06:16 < par> this is not the setup we have
06:22 < par> and I as I said, I can now make it work, i'm just asking if there's any known issue with polarssl used in openvpn connect and chained certs
06:22 < par> cause to make it work I have to add both, root CA and intermediate CA
06:26 < speedy__> hi! Client1 - Bridge - Client2 I make some tests with tcp in tcp tunnel and as long there is no delay on the bridge all works fine. as soon i add delay (lets say 5ms) to the bridge the throughput breaks down to about 60% with massive package loss. I am running all 3 machines on linux. Can anyone help me figure out whats happening here? Delay shouldnt create package loss :/
06:28 < speedy__> its definitly a openvpn problem, the same testsetup with ssh -w 0:0 <ip> and same test runs fine
06:59 -!- skamath is now known as z3r0
07:00 -!- z3r0 is now known as skamath
07:18 < nohitall> hyper_ch: to be able to reach other machines on the subnet where the vpnserver is on, I already have the standard postrouting rule in
07:18 < nohitall> but I can't reach anything
07:30 <+hyper_ch> nohitall: https://community.openvpn.net/openvpn/wiki/RoutedLans
07:30 <@vpnHelper> Title: RoutedLans – OpenVPN Community (at community.openvpn.net)
07:39 < nohitall> hyper_ch: yea routes are pushed, we have a second vpnserver, everything is 1:1 in config, thats why I am out of ideas
07:41 <+hyper_ch> !configs
07:41 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
07:52 < nohitall> hyper_ch: already had someone check it, its defnitely not a config issue, they are identical to the existing working vpn
09:20 -!- Poster is now known as Poster|y
09:20 -!- Poster|z is now known as Poster
09:20 -!- Poster|y is now known as Poster|z
09:42 < domme> hey
09:43 < domme> i'm trying to debug an issue with my openvpn client not connecting when there are special chars in the password in authfile
09:43 < domme> for http proxies. is it possible to encode it with base64?
09:44 < domme> or do I seem to be on the wrong path here?
10:22 < LaserEyess> !welcome
10:22 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
10:22 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
10:22 < LaserEyess> wow
10:22 < LaserEyess> uhhh
10:22 < LaserEyess> !goal I just havea a question that I can't seem to find the answer to online
10:23 < LaserEyess> basically does the newest iOS client support tls-crypt
11:53 < fjadfjjasad> I'm having a weird MTU issue (at least I think it is MTU).  For starters, if I 'ping -M do -s 1472 x.x.x.x' it comes back ssuccsesfully
11:54 < fjadfjjasad> so the mtu should be fine at 1500
11:54 < fjadfjjasad> however,
11:54 < fjadfjjasad> connecting works fine, and then soon after locks up and ping-restart reconnects me
11:54 < fjadfjjasad> i've tried setting "fragment 1200" and "mssfix 1200" on both ends, still does the same thing
11:54 < fjadfjjasad> anyone have any ideas?
11:55 < fjadfjjasad> its behaving like a classical MTU issue, however I would think that setting fragment and mss-fix at 1200 would work around any potential mtu issue
11:56 < fjadfjjasad> not to mention i verified with tracepath that PMTU discovery works
12:19 < fjadfjjasad> whats even more strange is that if I enable mtu-test on the client, I get the error "NOTE: failed to empiraclly measure MTU (requires OpenVPN 1.5 or higher at other end of connection)."
12:20 < fjadfjjasad> however both ends are ubuntu 14.04 LTS fully patched, OpenVPN 2.3.2
12:25 < chipitsine> openvpn-2.4 and higher is capable of negotiating mtu during hanshake
12:33 -!- Captain_Beezay is now known as TurboC
12:34 -!- TurboC is now known as Binome
12:55 -!- Vampire0_ is now known as Vampire0
14:35 < pdobrogost> Hi all!
14:36 < pdobrogost> When stopping openvpn systemd service I see the following log entry "openvpn_execve: unable to fork: Resource temporarily unavailable (errno=11)" It looks like openvpn did not get a chance to exit cleanly. Am I right and if so is there any way to fix this?
14:54 -!- Binome is now known as AndromedaGamarue
17:16 -!- AndromedaGamarue is now known as Captain_Beezay
18:05 -!- Vampire0_ is now known as Vampire0
19:20 -!- Vampire0_ is now known as Vampire0
20:01 <@dazo> pdobrogost: what's the exact systemd command line you use?  (in particular which unit file)
20:02 <@dazo> pdobrogost: openvpn should shutdown cleanly, so if it doesn't we need to figure out what is happening
20:21 -!- Vampire0_ is now known as Vampire0
21:47 < Celmor> does someone know a way to have 'alwasys-on' functionality through the android client of openvpn? a guide for enabling always-on functionality from google says I'd have to add the vpn connection through androids settings but lists openvpn too so not sure if that's possible
22:58 < Celmor> the vpn server writes there rules http://ix.io/nKe (whereas 1.2.3.4 would be the ip of the vpn server) can someone help me understand them?
23:00 < Celmor> wouldn't a route for "0.0.0.0/1" cause all to be routed through it and disable me from accessing local networks?
--- Day changed Fri Feb 24 2017
00:34 <+hyper_ch> Celmor: can you still access local networks?
00:36 < Celmor> I can discover clients on my local network via nmap -sn 192.168.0.10-25 but can't seem to ping them
00:36 < Celmor> could be that they just drop ICMP though
00:36 < Celmor> tried another machine, yes I can ping machines from my local network
00:41 < Celmor> the vpn server added a route for 0.0.0.0/1 and 128.0.0.0/1 so being kind of tricky to reroute all traffic through the tun device but not deleting the normal default, is this true?
01:27 < moviuro> Hi all! Is there ongoing effort to add the pledge(2) call to openvpn(8)? (specific to OpenBSD at this time)
01:28 < moviuro> Celmor: recent Android versions with the unofficial FLOSS client allow the always-on feature
01:28 < Celmor> FLOSS client?
01:28 < moviuro> "OpenVPN for Android"
01:29 < Celmor> what's "recent"?
01:29 < moviuro> https://play.google.com/store/apps/details?id=de.blinkt.openvpn
01:29 < moviuro> recent is 7.1.1 (latest)
01:29 < moviuro> I can't try on older version
01:31 < Celmor> there's a new update for "openvpn for android" via f-droid but it says that it would delete local data when updating (because apparently a different key has been used to sign the update)
01:31 < Celmor> where do you see the option to turn on 'always-on'?
01:31 < moviuro> not a problem since you have backups, right? ;)
01:32 < Celmor> sure...
01:32 < moviuro> in Settings > under networking/others > VPN > Always-on
01:32 < Celmor> of-course...
01:32 < Celmor> the setting I tried before and isn't functional at all
01:32 < moviuro> oh, that's weird, it works here (TM)
01:33 < moviuro> sorry Celmor , gotta run
01:33 < Celmor> np
01:40 <+hyper_ch> wow, cloudflare seems to have a huge problem
01:50 < Celmor> does someone know how to block all traffic except through the vpn connection, i.e. have nothing be able to connect to the internet until the vpn connection is established?
01:55 < moviuro> Celmor: block drop out on <ext_ifs>
01:55 < moviuro> pass out quick on <ext_ifs> proto udp port 1194
01:55 < Celmor> 'drop out'?
01:55 < moviuro> (Firewall rule syntax for pf - BSD's firewall)
01:55 < moviuro> you'll have to use your firewall
01:56 < Celmor> I doubt BSD's firewall rules would work for me
01:56 < moviuro> translate them to iptables ;) the idea is to 1) block everything outgoing, except if it's VPN trafic
01:56 < Celmor> wouldn't know how to check for vpn traffic except via destination port
01:57 < moviuro> unless you know how to deal with virtual interfaces, attach specific processes to them... nope
01:58 < moviuro> (I don't)
01:59 < Celmor> so... what would be the solution for windows then?
01:59 < Celmor> got redirected from ##windows to #openvpn-windows to here to ask this
02:00 < moviuro> now you've got the gist of the rule, you'll need help from people used to Windows' FW --> ##windows again, I believe
02:00 < moviuro> now, really gotta go
02:00 < Celmor> wouldn't really trust windows' FW but yeah...
02:01 < Celmor> thanks anyway
02:31 < pdobrogost> dazo: Thanks for your interest. The command run was `sudo systemctl stop openvpn@<some_name>` and unit file is at https://da.gd/fdupp
02:31 <@vpnHelper> Title: Anonymous users paste - Modern Paste (at da.gd)
02:34 < pdobrogost> dazo: And relevant entries for journal are at https://paste.fedoraproject.org/paste/~4ymWKRDOEIZ4NhCow5erV5M1UNdIGYhyRLivL9gydE=
02:34 < pdobrogost> s/for/from/
02:59 < Celmor> would someone know here where openvpn for android stores its settings?
02:59 < Celmor> I need to back it up because updating it would cause that data to get deleted (someone signed the update with a different key)
--- Log closed Fri Feb 24 03:28:29 2017
--- Log opened Fri Feb 24 03:28:37 2017
03:28 -!- Irssi: #openvpn: Total of 270 nicks [9 ops, 0 halfops, 3 voices, 258 normal]
03:28 -!- mode/#openvpn [+o ecrist_] by ChanServ
03:29 -!- Irssi: Join to #openvpn was synced in 47 secs
04:03 < nohitall> I don't understand why my vpn connection sometimes pushes the correct route for the host itself and sometimes not
04:03 < nohitall> shouldnt openvpn always do that? to keep the correct route open
04:20 < atmosx> Hello, I'm trying to reach out a subnet (10.2.0.1/24) behind an openvpn server (10.8.0.1/24). I can ping 10.2.0.1 but not the subnet behind. My client IP is 10.8.0.22 and 10.2.0.40 can ping me. Routes properly setup any ideas? I can see PRE/POSTROUTING setup also
04:21 < atmosx> and routes are pushed properly from the config
04:23 < Celmor> could it be that you are NATing?
04:24 -!- va6dah is now known as parity
04:24 < nohitall> I dont get it, suddenly vpn doesnt push the correct route anymore :/ I dont get it
04:25 < nohitall> atmosx: I have similar issue
04:28 < atmosx> Celmor: ΝΑΤ is configured for packets getting out of 10.2.0.0/24
04:29 < atmosx> But I have reports that works for 'others' I'm the more recent connected client
04:30 < nohitall> https://arashmilani.com/post?id=53 <-- those forward and postrouting rules should be sufficient for all tun traffic to go to eth0 right?
04:30 <@vpnHelper> Title: How to configure iptables for openvpn (at arashmilani.com)
04:32 < Celmor> so this works, right? 10.2.0.40 -> 10.2.0.1 (gateway) -> SNAT -> 10.8.0.1 (local interface) -> 10.8.0.22
04:33 < atmosx> nohitall: yes
04:34 < atmosx> nohitall: I'm trying to reach a network that sits behind the openvpn server. I can reach the openvpn server, the thing is that from 10.2.0.40 I can ping 10.8.0.22 but the other way around I get no echo reply
04:34 < nohitall> I still have no working routing, I am trying to figure this out since 3 days
04:35 < nohitall> atmosx: I am trying to reach the subnet thats on eth0
04:35 < nohitall> simple as that
04:35 < nohitall> atmosx: yours is more curious indeed
04:35 < nohitall> atmosx: probably best to show iptables rules
04:38 < nohitall> my foremost problem is that openvpn does not push the route to the vpnserver itself over the eth0/wlan interface anymore, and I didnt touch anything
04:39 < atmosx> Here are the rules: https://gist.github.com/atmosx/9ef139010b1f33c8bef3cd56780fa4b3
04:39 <@vpnHelper> Title: gist:9ef139010b1f33c8bef3cd56780fa4b3 · GitHub (at gist.github.com)
04:41 < nohitall> atmosx: why is it shoing 15GB of data from mybr to the 10.2 subnet if its not working
04:44 < atmosx> nohitall: mybr0 is the iface for the 10.2.0.0/24
04:44 < atmosx> nework
04:44 < atmosx> s/nework/network
04:49 < nohitall> atmosx: shouldnt ther ebe forwarding entries for the tun interface
04:50 < taptapir> I have openvpn setup with tun bridging and my firewall allowing all the traffic in 4 different locations with Linode and Vultr. I've tried both OpenVPN 2.3 and 2.4 and the difference between my raw speed vs vpn speed is always around 3-6 times.
04:50 < taptapir> Where can I start analyzing the problem?
04:58 < taptapir> compression is turned off
04:58 < taptapir> cipher is aes-128
04:58 < taptapir> and the protocol is UDP
04:58 < taptapir> I've even tried sndbuf rcvbuf tricks (eventhough it's not needed in 2.4)
04:59 < taptapir> not a difference
05:08 < nohitall> taptapir: what speed are you talking here
05:08 < nohitall> taptapir: whats the process load of the vpnserver?
05:08 < taptapir> raw is around 80 mbps and with vpn around 4-10
05:08 < taptapir> 6% cpu
05:09 < taptapir> while downloading something with vpn
05:09 < nohitall> try blowfish default cipher to get some value to compare to see if ther eis any difference
05:09 < nohitall> although AES should result in best throughput
05:09 < taptapir> with VPN I also see some throttling every couple seconds
05:09 < nohitall> checked for packet loss?
05:09 < taptapir> the speed goes 0 for an instnat
05:10 < nohitall> mtr the connection
05:10 < taptapir> nohitall: how can I do that
05:10 < nohitall> depending on the country you live in your ISP might be interfering
05:10 < nohitall> taptapir: install mtr, do mtr -r ipofvpnserver
05:10 < taptapir> nohitall: that's what I tought so I changed the default port to something random
05:10 < taptapir> can they still interfere?
05:10 < nohitall> sure, if they have DPI
05:11 < nohitall> but only if you live in china or iran
05:11 < taptapir> fuck it they probably have :(
05:11 < nohitall> less likely for most other countries
05:11 < taptapir> could you test If I gave you a *.ovpn :D
05:11 < nohitall> yea can do
05:11 < taptapir> 1 sec
05:11 < nohitall> query me url to a pastebin
05:21 < kim0> Hi folks, is openvpn able to ask the user for a secondary (multifactor) password ? I'm trying to use MFA authentication, where the user gets a code via SMS .. not sure how the user would enter that though
05:22 < nohitall> taptapir: I have no speed issues
05:22 < nohitall> actually speed is better than before for my file test
05:22 < nohitall> taptapir: must be your home ISP/wifirouter w/e interfering
05:22 < taptapir> thanks very much
05:22 < nohitall> taptapir: yea superb speed, no packet loss
05:22 < taptapir> that's what I was afraid of
05:23 < taptapir> Turkish government fucks us again
05:23 < taptapir> all the ISPs behave the same
05:23 < taptapir> I've tested 4-5 different ones
05:23 < nohitall> ah
05:23 < taptapir> so probably it'sa government order
05:23 < nohitall> I know what you ca do
05:23 < nohitall> you have root on the server?
05:23 < taptapir> yeap
05:24 < kim0> Try the obfuscation patch
05:24 < nohitall> taptapir: https://ixorthings.blogspot.bg/2015/07/howto-openvpn-obfuscation-with-xorpatch.html
05:24 < kim0> Works for me (in Egypt) to beat our lovely government as well
05:24 <@vpnHelper> Title: I THINGS: HowTo compile OpenVPN + obfuscation with xorpatch on Debian (at ixorthings.blogspot.bg)
05:24 < nohitall> taptapir: follow my tutorial, adapt for 2.4
05:24 < taptapir> nice!!
05:24 < taptapir> will try asap
05:24 < nohitall> taptapir: that might help getting by their DPI, no guaranteees though
05:24 < nohitall> but doubt they use advancaed DPI, so should work
05:24 < taptapir> ok good to know there is hope
05:24 < kim0> I hope xorpatch would be accepted upstream
05:25 < nohitall> taptapir: feel free to query me if you run into problems
05:26 < nohitall> taptapir: dont forget irc is plain text, so be aware of what you write
05:26 < nohitall> taptapir: best if you ssh into some offcountry machine and run irc from there
05:27 < atmosx> nohitall: freenode has SSL + clients with OTRs can be used for enhanced security
05:27 < nohitall> atmosx: yea true, but more complicated to explain/setup than just to use ssh and irc on other machine
05:27 < taptapir> I'm on socks proxy now so should be ok I think
05:28 < nohitall> worse is if they limit your ssh connections
05:28 < nohitall> iran does that often down to 5-10kb/s
05:28 < taptapir> nohitall: thanks I'll query you if something comes up
05:28 < taptapir> whoa
05:28 < taptapir> 5-10...
05:29 < atmosx> nohitall: you're from Iran?
05:29 < nohitall> no
05:30 < atmosx> ok
05:30 < nohitall> was working with journalists
05:30 < nohitall> prepping them on communication security
05:30 < atmosx> I see
05:31 < atmosx> interesting and dangerous, there a couple of scary documentaries on organisations (state actors) that were monitoring journalists from middle east
05:31 < atmosx> scary shit
05:32 < nohitall> yea I know
05:33 < nohitall> technology is complicated
05:33 < nohitall> people are not tech-affin usually
05:33 < nohitall> if you have a DNS leak your encryption doesnt do anything
05:33 < nohitall> they'll be arrested witn the day
05:34 < nohitall> but rightnow I still am stuck with my vpn issue
05:34 < nohitall> my iptables must be wrong
05:35 < nohitall> http://pastebin.com/raw/0TFyHwp8
05:35 < nohitall> I got open firewall, just forwarding/postrouting rules
05:35 < nohitall> this should work no? my vpn is on 192.168.250.0/24
05:52 < nohitall> well also the issue that the server is not pushing its own route to client
05:52 < nohitall> thus the connection dies
05:56 -!- Vampire0_ is now known as Vampire0
06:01 < nohitall> anyone got an idea why my routing fails? see rules above
06:02 < gderou> Hi All, I would like to redirect all openvpn to another host - I thought that would be feasible with a couple of iptables rules on the intermediary server (the one that is accessed by the clients, but on which I don't want to run the openvpn server anymore) but I get errors after the vpn connection ( MULTI: bad source address from client)
06:18 < kim0> Is openvpn able to ask the user for a secondary (multifactor) password ? I'm trying to use MFA authentication, where the user gets a code via SMS .. not sure how the user would enter that though?
06:21 < nohitall> kim0: in theory you can code a plugin for it
06:21 < nohitall> kim0: openvpn would just ask for the code in terminal, maybe GUI does popups no idea
06:21 < kim0> I actually have a bit of a conceptual problem
06:21 < kim0> username+password .. assumes I know the password before the connection is made
06:22 < kim0> While in this case, I receive the password over SMS after connection is made
06:22 < nohitall> usually 2FA is user+pw +additional
06:22 < kim0> Yeah I agree
06:22 < nohitall> kim0: then ues a default pw for everybody and use the SMS for the 2FA
06:22 < kim0> so if I write a plugin .. openvpn can ask for the extra piece of data
06:23 < nohitall> or empty password
06:23 < kim0> To actually "2" FA .. a user would need to enter 2 passwords
06:23 < kim0> While openvon only asks for one
06:23 < kim0> (not sure if writing a custom plugin removes this limitation though)
06:24 < kim0> And ofc it would be lovely if such a plugin already existed :)
06:26 < nohitall> does it have to be by SMS
06:27 < kim0> mm what's the other option
06:27 < kim0> Manager doesn't like TOTP  :)
06:28 < kim0> anything else ?
06:34 < nohitall> kim0: google auth app
06:35 < kim0> that's the totp
06:37 < nohitall> yea
06:37 < nohitall> well there are some providers offering SMS with openvpn plugin
06:38 < nohitall> all paid services obviously
06:38 < nohitall> I can think of some ways to DIY
07:10 < realies> ive followed this guide https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
07:10 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
07:10 < realies> i managed to connect from a client to the server
07:10 < realies> when i ping the ip gets resolved but i receive no data
07:11 < realies> any clues how to debug?
07:11 <+hyper_ch> ?howto
07:11 <+hyper_ch> !howto
07:11 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
07:16 < realies> hyper_ch, i have iptables config, redirecting gateway and pushing dhcp
07:16 <+hyper_ch> !configs
07:16 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
07:18 < nohitall> early: sounds like your iptables/ufw rules are not properly set
07:23 < realies> hyper_ch, https://dpaste.de/DRPN/raw
07:26 < realies> running on 16.04.2 LTS, ipconfig settings from the digitalocean tutorial
07:26 < realies> latest openvpn server and latest windows client
07:27 < realies> latest stable
07:29 <+hyper_ch> configs look ifne
07:29 <+hyper_ch> what did you run for ip4forward and firewall rules
07:30 < realies> net.ipv4.ip_forward=1 in /etc/sysctl.conf followed by sudo sysctl -p
07:31 < realies> added https://dpaste.de/F4GT/raw to  /etc/ufw/before.rules
07:31 < realies> DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw
07:33 <+hyper_ch> why /8?
07:33 <+hyper_ch> server 10.8.0.0 255.255.255.0
07:34 <+hyper_ch> POSTROUTING -s 10.8.0.0/
07:34 < realies> what's /8 doing?
07:34 <+hyper_ch> and what is your network interface on the openvpn server?
07:34 <+hyper_ch> is it eth0?
07:34 < realies> yes
07:35 <+hyper_ch> the no idea
07:35 < realies> i'll give it a reboot...
07:37 < realies> and it works :|
07:37 < realies> maybe ufw's rules weren't reloading
07:40 <+hyper_ch> ufw is too complicated for me
08:02 < nohitall> realies: knew it
08:06 < rob0> ufw is too complicated for anyone
08:06 < _vyscond> hello mates! i've quite a question so posted here https://dpaste.de/VZfY if anybody could read and give me some hints on the resolution.
08:07 < _vyscond> thanks a bunch :)
08:09 < nohitall> i stopped at docker hihi sorry
08:10 < _vyscond> nohitall: you can treat it like it was a virtualbox isseu too.
08:10 < _vyscond> it's a routing problem, as far as i know
08:12 < rob0> there's not much information there.  You say what you did but don't show anything, such as "iptables-save -c ; ip a ; ip r".  It's also unclear if you determined the problem was DNS or routing.  Sounds like DNS, but you need to test to be sure.
08:15 < nohitall> _vyscond: not really clear to me on the setup and what you try to achieve
08:17 < rob0> oh, and since this IS the openvpn channel, you probably also should include the openvpn configs -- comments removed of course.
08:17 < rob0> they connect and can ping thru the tunnel?
08:18 < _vyscond> here is the ip output
08:18 < _vyscond> https://dpaste.de/7NuL
08:20 < _vyscond> The IP i use on the host  machine (OS X) to access the services is this one here 192.168.99.100
08:21 < _vyscond> nohitall: i dont about sharing the config. but i can show the logs
08:22 < _vyscond> nohitall: is it worth something?
08:24 < nohitall> _vyscond: sure but you'll have to find for someone, im no expert here nayway + busy
08:27 < _vyscond> hm
08:27 < _vyscond> i want to solve it today. willing to pay.
08:27 < _vyscond> .-.
08:27 <@ecrist_> hold amigos
08:27 <@ecrist_> hola
08:28 <@ecrist_> I can't even blame autocorrect on that one
08:28 -!- You're now known as ecrist
09:10 < SviMik> a user is complaining that tun works slower on his machine than tap. what can be the reason?
09:10 < SviMik> speedtest with tun: Download: 1.01 Mbit/s, Upload: 28.59 Mbit/s
09:10 < SviMik> speedtest with tap: Download: 23.17 Mbit/s, Upload: 16.81 Mbit/s
09:11 <@ecrist> well, those are conflicting fast
09:11 < SviMik> user is using linux. speedtest is done using the same server speedtest server.
09:12 < SviMik> both configs are tcp
09:12 <@ecrist> well, TCP is usually a bad deal
09:12 <@ecrist> the same OpenVPN server at the other end?
09:12 < SviMik> on my side, I run two ovpn server instances on same machine with indentical config except that one is tun, and another is tap
09:13 <@ecrist> Have you tested yourself?
09:17 < SviMik> nope. something makes me think it's a problem on user side, and I doubt I can even reproduce it... but I'll try
09:18 < SviMik> it looks just impossible for me. tun must have even less overhead than tap
09:21 < SviMik> I could think something about MTU, but it doesn't make any sense, especially over tcp
09:25  * nohitall tableflips
09:25 < nohitall> if vpn deosnt route to eth0 it must be a iptables issue right?
09:27 < SviMik> you might have firewalled it. check `iptables -L -vn` for any DROP rules
09:28 < nohitall> SviMik: was that for me?
09:29 < SviMik> yep
09:29 < nohitall> no there arent any rules but 2 forwarding and 1 postrouting
09:29 < nohitall> firewall is blank/open
09:29 < nohitall> thats why I dont get it
09:30 < SviMik> well, if iptables is blank, and chains has default rule as ACCEPT, then it's not an iptables issue.
09:30 < SviMik> check your routing table then
09:30 < nohitall> http://pastebin.com/raw/pkfxXTSL
09:30 <@ecrist> I'd suspect routing table first
09:31 < nohitall> 192.168.250.0   192.168.250.2   255.255.255.0   UG    0      0        0 tun0
09:31 < nohitall> 192.168.250.2   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
09:32 < nohitall> looks rightish to me?
09:32 < nohitall> my vpn is on that subnet, not on default 10..
09:32 <@ecrist> !paste
09:32 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
09:32 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
09:32 < nohitall> ecrist: yea 2 lines ...;)
09:32 <@ecrist> nohitall: shot across the bow. :)
09:32 < nohitall> I dont know what that menas
09:33 <@ecrist> nohitall: you http://idioms.thefreedictionary.com/a+shot+across+the+bow
09:33 <@vpnHelper> Title: A shot across the bow - Idioms by The Free Dictionary (at idioms.thefreedictionary.com)
09:33 <@ecrist> nohitall: you can't just put your VPN on the same subnet and expect it to work.k
09:34 < nohitall> its not on the same subnet?
09:34 <@ecrist> You can get away with that using the tap device and interface bridging.
09:34 < nohitall> http://pastebin.com/raw/yew5txjc
09:34 <@ecrist> otherwise, you need proper routing.
09:34 <@ecrist> it's not
09:34 <@ecrist> notice the netmask of 255.255.255.255 - that's a /32, which means one IP only
09:34 < nohitall> im just not using the default 10.0.0.x
09:35 < nohitall> server 192.168.250.0 255.255.255.0
09:35 < nohitall> not sure what the .2 is, the dhcp?
09:35 < nohitall> tun interface is .1
09:36 <@ecrist> !net30
09:36 <@vpnHelper> "net30" is (#1) https://community.openvpn.net/openvpn/wiki/273-qifconfig-poolq-option-use-a-30-subnet-4-private-ip-addresses-per-client-when-used-in-tun-mode explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
09:37 < nohitall> I still dont follow, we are using the same config with same subnet on another vpnserver with no issues
09:37 <@ecrist> I don't believe that.
09:37 < nohitall> thats the whole issue, im trying to create a second one but I fail
09:38 < nohitall> the routing table on the working one looks the same
09:39 < nohitall> btw not sure what you saw
09:39 < nohitall> 192.168.250.0   192.168.250.2   255.255.255.0
09:39 < nohitall> which is /32 netmask pointing to 0.0.0.0
09:39 < nohitall> seems right to me
09:40 < nohitall> and tun is forwarded to eth0 by iptables
09:41 < nohitall> I checked everything, configs/iptables/route tables all is the same but its not working :/
09:43 < nohitall> my iptable rules looks right correct? http://pastebin.com/raw/pkfxXTSL
09:48 < nohitall> begin to wonder if I run into some bug
09:49 <@ecrist> how about sysctl?
09:49 <@ecrist> net.inet.ip.forwarding or something similar
09:50 < nohitall> all set
09:50 <@ecrist> that's typically required to allow linux/unix to route across interfaces.
09:50 <@ecrist> so you must be wrong about something
09:50 < SviMik> sysctl net.ipv4.ip_forward=1
09:50 < nohitall> yea something, just not sure what
09:50 < nohitall> I triple checked everything
09:50 < nohitall> not my first setup
09:50 <@ecrist> it's not possible to have to identical systems with identical config and have one work and another not - there's something different about them.
09:50 <@ecrist> s/to/two/
09:51 < nohitall> indeed
09:51 < nohitall> another issue that appeared today is
09:51 < nohitall> the client doesnt get the route pushed anymore for the connection to stay alive
09:52 < nohitall> last time I fiddled with iptables I had similar issue, but I don't get it since this should be a openvpn server thing
09:52 <@ecrist> if clients can connect and talk to the server, openvpn has done it's part
09:52 < nohitall> no the issue is it connects but then the route loops
09:53 < nohitall> it doesnt push the vpnserver IP with netmask /32 for eth0/wlan
09:53 < nohitall> so it falls on another /24 I push and then fails
09:53 < nohitall> follow what I mean?
09:55 < nohitall> http://pastebin.com/raw/T6yx7TCg
09:55 < nohitall> hope that expains it
09:59 < nohitall> btw those server are debian 8 stable, I tihnk version is 2.3.4
10:00 < nohitall> not sure if relevant but maybe I dont know of some issues with those older version
10:04 < nohitall> I am just out of ideas
10:25 <+hyper_ch> ecrist: openvpn.net uses CloudFlare?
10:27 <@ecrist> they used to - at lease for the main site 
10:27 <@ecrist> not sure about community sites.
10:27 <+hyper_ch> well, I use pass as password manager
10:27 <+hyper_ch> and save logins etc as Web\domain.tld
10:28 <+hyper_ch> and I just compared the CF domian list with my entries ;)
10:28 <+hyper_ch> and openvpn appeared
10:30 < nohitall> ecrist: you out of ideas too?
11:19 < rob0> Is there a pastebin with COMPLETE information on the problem?  I scrolled up and looked at the last two, but even taken together there is not enough information.
11:21 < rob0> supposing that the VPN connects and works, at least ping from each endpoint to the other, "iptables-save -c ; ip a ; ip r" might help find the problem.
11:26 < nohitall> rob0: can't ping the vpn server because after connection initialized the routing is all broken because for w/e reason the server is not pushing its own route anymore
11:27 < rob0> the goal is, redirect?
11:28 < rob0> Maybe you started by telling your goal, but I didn't see it.
11:28 < rob0> !goal
11:28 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:29 < nohitall> rob0: goal is to get a proper vpn connection with working routing, but there are 2 issues here a) routing aint working on vpnserver side b) vpnserver is not pushing its own route thus breaking the connection to client after initialization
11:30 < nohitall> rob0: http://pastebin.com/raw/T6yx7TCg it is not pushing the second line anymore, no idea why
11:31 < rob0> you did not answer the question
11:31 < nohitall> yes obviously access the subnets I push to client
11:32 < rob0> good luck
11:33 < nohitall> rob0: dont appear wanting to help if you cop out so easily
11:34 < rob0> right, I don't want to spend my time on someone who wants to make it difficult
11:34 < nohitall> not sure what you want to hear, I already said what I need
11:34 < nohitall> its just a simple standard vpn connection with access to subnets I push to client
11:35 < nohitall> for starters the access on servers eth0 would suffice
11:36 < nohitall> but there are multiple problems with it, especially the one with themissing route is frikking mysterious
11:37 < rob0> so you manually add a route and it works
11:38 < nohitall> I dont think I can push the route which the vpnserver is supposed to use to keeep its connection open since it has to go via eth0
11:38 < nohitall> http://pastebin.com/raw/T6yx7TCg
11:39 < nohitall> the second line is missing, without changes to the configs
11:39 < nohitall> It disappeared once before when I worked with the iptables but I don't see why they affect what openvpn pushes to the client
11:40 < nohitall> without it the connection dies after initializatoin because it loops
11:41 < nohitall> and manually adding is a workaround at best, it should be done automatically by the client
11:43 < nohitall> I assume the openvpn in client mode always does that automatically to ensure connection stays open
11:54 < Darkhunter> Hi, I have issue with openvpn-client. I set it up and it works for like a day and then it stops working...Even with restarting and so on...
13:00 <+hyper_ch> krzee: dazo: ecrist: https://twitter.com/marcan42/status/834814996752191488
13:04 <@dazo> hyper_ch: well, that's just one of the arguments ...
13:04 <+hyper_ch> dazo: well, SHAttered shouldn't affect git too much I think
13:08 <@dazo> I've been pondering on how critical this is for git ... and yes, it can be critical.  It can (theoretically) be possible to inject commits without breaking the SHA1 chain ... But we have another trick up our sleeves ... at least those commits I push out to the public repos, so those commits are definitely safer ... and I believe (without knowing too much of the SHA1 chaining in detail) that signature makes it somewhat harder to inject patches
13:08 <@dazo> before that that signed commit
13:09 <@dazo> or even worse that injectiong commits ... modifying existing commits without changing the SHA1 committish reference .... *that* only GPG signed commits can protect against
13:10 <@dazo> but I'll expect quite some noise about this in regards to git ... so I'll just jump to the nearest fence with a box of popcorn ... this will be sorted out somehow :)
13:11 <+hyper_ch> I would think injecting altered commits would be difficult because subsequent commits will have things reverted back again
13:15 <@dazo> afair, git tracks the changes, in a long chain ... so an inserted commit could add a completely new function and that function could be called from anywhere ... or by doing even nastier gcc hook tricks
13:16  * dazo brb
13:16 <+hyper_ch> dazo: this portrais my git-fu perfectly:  https://xkcd.com/1597/
13:16 <@vpnHelper> Title: xkcd: Git (at xkcd.com)
13:42 <@dazo> hehe
14:28 -!- besf is now known as besfort
14:30 < TheWhisper> Hi, I seem to have mangled my VPN and am not sure what I did or how to fix it. It was working fine earlier this morning, and then I started playing around with this Docker container: https://github.com/haugene/docker-transmission-openvpn
14:30 <@vpnHelper> Title: GitHub - haugene/docker-transmission-openvpn: Docker container which runs Transmission torrent client with WebUI while connecting to OpenVPN (at github.com)
14:31 < TheWhisper> I'm not sure how that could have messed it up, but now I cannot connect to my VPN. I've deleted the container completely, but that has not helped. When I try to connect. I get up to `UDPv4 link remote: [AF_INET]IP:1194
14:31 < TheWhisper> ` and then it hangs for a while
14:31 < TheWhisper> And then I get `TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)`
14:32 < TheWhisper> I've looked at https://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html, and I don't see any issues that would impact my setup
14:32 <@vpnHelper> Title: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) (at openvpn.net)
14:32 < TheWhisper> The server in the config is correct — I've triple checked
14:32 < TheWhisper> The firewall on the router is set to let through UPD 1994 to the VPN device
14:32 < TheWhisper> *UDP 1194 (sorry, my eyes are starting to cross)
14:33 < TheWhisper> The software firewall on the VPN device seems like it should be letting through UDP 1194 (I can send iptables, if needed)
14:36 < TheWhisper> Just tried to connect through another client device on a different network, and I get `read UDP [ECONNREFUSED]: Connection refused (code=111)`
14:37 < TheWhisper> really makes it seem like it's a port issue...
14:38 < TheWhisper> I'm just hoping that docker container didn't somehow modify /tun and garble it
14:38 < TheWhisper> cuz it was trying to do stuff to /tun
14:39 < TheWhisper> not sure if that's even possible or what /tun actually is ¯\_(ツ)_/¯
14:43 < TheWhisper> just completely disabled the firewall on the VPN device and cleared out iptables - no help
14:49 < TheWhisper> I'll be around if anyone has any suggestions
15:22 < TheWhisper> okay, figured that out. It was a fatal error causing the VPN server to quit right when it was started
15:23 < TheWhisper> fixed that, and now I'm getting `TLS Error: cannot locate HMAC in incoming packet`
15:23 < TheWhisper> and on the server `TLS Error: reading acknowledgement record from packet`
15:34 < TheWhisper> yeah, still stuck with these errors. Not sure what to do
15:43 < TheWhisper> okay, looks like it's an issue with my tls keys
15:43 < TheWhisper> if I remove the tls-auth from server and client, then it connects fine
15:59 < TheWhisper> still can't get tls-auth to work :/
16:05 < _FBi> http://thehackernews.com/2017/02/sha1-collision-attack.html
16:05 <@vpnHelper> Title: Google Achieves First-Ever Successful SHA-1 Collision Attack (at thehackernews.com)
16:21 < TheWhisper> Either Openvpn or Synology is removing my tls-auth line every time I start openvpn...
16:21 < TheWhisper> 🤔
16:40 < rocktop> is it possible to install my own vpn in my server and configure it in my PC or my mobile and connect to the internet via this VPN ?
16:45 < TheWhisper> weird
16:45 < TheWhisper> can't get it to use user-pass auth AND tls-auth
16:45 < TheWhisper> It was working prior to today :/
20:15 < strav__> Hi! I would appreciate to know the proper way to achieve the following: on a host behind my home router, I am running an openVPN client (tun1). Now I wish to run an openvpn server (tun0) on that same host as a secure gateway to access the services it exposes. When the vpn client is down, I can access the server from my public ip without any issue. When the client is up however, it seems that the packets never reach their
20:15 < strav__> desitination. Is there a way that I could configure my host so that the server does see the connection requests? (note that I have tried connecting to the server from both my public ip and the vpn client's ip without any success)
20:44 <@Eugene> Sorry, I got los halfway through reading your explanation
20:44 <@Eugene> Could you put your hosts in terms like "A connects to B, B connect to C" ?
20:44 <@Eugene> (please keep in mind that this is community support; It is 6:45PM on a Friday and I'm drunk, soooo"
20:45 < rob0> huh?  You moved out west?
20:45 <@Eugene> Seattle! Couple years ago. I'm married now.
20:45 < rob0> oh wow
20:45 <@Eugene> And how are you?
20:46 < rob0> better than I deserve
20:46 < rob0> so you're no longer a fireman out there?
20:47 <@Eugene> Sadly no, All the departments here are pay, and not my carrer.
20:47 <@Eugene> OTOH, WA has recreational cannabis
20:47 < rob0> haha
20:48 < rob0> yeah, I guess you have to get pretty far out from the city to find a VFD
20:48 <@Eugene> Wh's the vpnHelper admin? krzee?
20:48 < rob0> I thought it was ecrist
20:49 < strav__> Eugene: All for the best, I'm friday night drunk as well ;)
20:49 <@Eugene> I was on Vashon Island(wife's famiyl has a farm) for abotu a year. They have a VFD, but you have to do on-site stuff
20:49 <@Eugene> I really miss it, but c'est la vie.
20:49 <@Eugene> I do what I can elsewhere
20:51 < rob0> month ago we had a firefighter die -- not line-of-duty.  We gave her a great sendoff, 6 fire trucks escorting the hearse.  That was sad that she died, but cool to salute her.
20:51 < strav__> Here's the senario: Host A runs an open vpn server as well as an openvpn client connection to some provider B. Now client C (from the net) can reach A if the openvpn client on host A is down. If I fire up the client vpn on A, the C cannot connect.
20:51 <@Eugene> Rest peacefully. That's always difficult.
20:52 < rob0> provider B reedirects the gateway, I guess?
20:52 <@Eugene> My old company's chief had a heart attack. Not a surprise, but still difficult
20:52 < strav__> Provider B is just some random internet VPN provider that indeed serves as a gateway for A on the net.
20:53 <@Eugene> You need policy routing
20:53 <@Eugene> Which sucks, sorry
20:53 <@Eugene> What OS?
20:53 < strav__> ubuntu 14.04
20:54 <@Eugene> !lartc
20:54 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
20:54 < strav__> any article on policy routing I could...ha!
20:54 < strav__> excellent.
20:54 <@Eugene> This is a typical split-gateway scenario
20:55 <@Eugene> Traffic incomg on interface eth0 needs to be replied to via eth0. THis is done with `ip rule` and a separate routing table
20:55 <@Eugene> Then you also need to match other traffic and send it out tunX to the client vpn
20:56 < strav__> I see
20:57 <@Eugene> pfsense handles this natively without much trouble. I knwo that switching to a dedicated router OS may be a bit of a steep learning curve
20:58 < strav__> It might not be efficient but say I'd be ok to receive incoming connections from the gateway associated with my vpn provider... (namely the vpn client on host a would relay connections to the openvpn server on that same host), would it be easier to accomplish?
20:58 <@Eugene> Sorry, start over again. Too drunk
20:59 <@Eugene> Smaller sentences help
21:01 < strav__> ya. To rephrase: Client C wishes to connect to the Openvpn server running on host A. Could it simply connect to the openvpn client interface (tun0 in this case) on host A and the openvpn server would automagically register the connection?
21:02 < strav__> (I could run on host A something like a no-ip update service to make my VPN provider's assigned public ip binded to some dns than connect to host A in that way)
21:04 < rob0> If the VPN provider is using NAT, you can't receive connections there without NAT
21:06 < strav__> argh. Too much of a drunk networking noob to really understand what you just said. I know NAT refers to network address translation but... dunno how it could prevent my openvpn client to accept a connection request to my openvpn server on it's designated port (as long as it does not overlaps the client's port)
21:06 < rob0> what IP address does the VPN provider give you?
21:06 < rob0> first two quads is enough to know
21:06 < strav__> hmm let me check
21:07 < rob0> this.that.x.x
21:08 < rob0> also, even if they give you a "real" (non-RFC-1918) IP address, they might be firewalling inbound connections to you.
21:09 < strav__> 173.199
21:09 < rob0> okay, that's "real"
21:10 < rob0> can you ping it from somewhere else, like a remote shell?
21:10 < strav__> just a moment
21:15 < strav__> yep it responds to ping
21:16 < strav__> however when I try a udp nmap on my vpn ip, my openvpn server port is shown as closed
21:16 < strav__> (while it's show as open when I try my ISP assigned ip)
21:20 < strav__> note that when I go to ipleak.net, it says that the webrtc detection for my ip is 10.4.xx.xx
21:20 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has quit [Quit: Connection closed for inactivity]
21:21 < strav__> and above that is the other ip I gave: 173.199.xx.xx
21:37 < strav__> btw, eugene, rob0, thanks for your time and concern... I'll take some more time to get acquainted with the policy routing articles you linked. Have a good evening!
21:39 <@Eugene> $2000 of pfSense and my pussy https://goo.gl/photos/DD3x51TuhCmPCzMb6
21:40 < strav__> nice pussy
21:40 < strav__> hairy but nice
21:41 < skyroveRR> That kitteh...
--- Log closed Fri Feb 24 23:13:02 2017
--- Log opened Sun Feb 26 15:16:39 2017
15:16 -!- Irssi: #openvpn: Total of 279 nicks [8 ops, 0 halfops, 3 voices, 268 normal]
15:16 -!- mode/#openvpn [+o ecrist_] by ChanServ
15:16 -!- Irssi: Join to #openvpn was synced in 1 secs
15:16 -!- You're now known as ecrist
15:21 < flaf> slypknot: ok,just FYI, I think I got it. In fact, it's logical. If I use --user nobody, to have no permission error, I have to set all the network part in the /etc/network/interfaces of my Debian.
15:26 < flaf> slypknot: just FYI, something like that http://paste.alacon.org/43495 .
15:29 < flaf> in brief, --user nobody is completely OK _if_ there is no network management in the openvpn conf. I think --up is Ok because it's launched before the UID/GID is set.
15:30 < flaf> And personally I like the idea to let just /etc/network/interfaces manages the network.
15:42 < pdobrogost> Hi all!
15:43 < pdobrogost> Is there any way to specify dns search domains by client if server do not push them to client?
15:48 < rob0> some kind of scripting, I suppose?  and a ccd?
15:49 < rob0> !ccd
15:49 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
16:03 < pdobrogost> rob0: Thanks for idea. As I actually know this domain and it doesn't change I put it in systemd .network file for openvpn  's interface.
16:04  * rob0 is no fan of search domains
16:04 < pdobrogost> I also set dns server ip address on this interface but, of course, name resolution doesn't work as I was expecting.
16:06 < pdobrogost> `systemd-resolve host.local.domain` ends with "host.local.domain: resolve call failed: No appropriate name servers or networks for name found"
16:06 < rob0> !dnsmasq
16:06 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
16:07 < rob0> ^^ that's what I do with DNS
16:07 < rob0> and give clients static addresses via ccd, and list them in /etc/hosts
16:08 < pdobrogost> in /etc/hosts on the server?
16:09 < pdobrogost> Well, I'm on client side myself and I'm not interested in reaching other openvpn clients. I want to resolve hosts on remote lan.
16:15 < rob0> yes, so that's what the static dnsmasq config does.  It refers queries for names in that LAN to that dnsmasq nameserver.
16:16 < slypknot> rob0: was that a perma-ban ? https://forums.openvpn.net/viewtopic.php?f=1&t=23516&p=68295#p68292
16:16 <@vpnHelper> Title: banned by rob0 uncalled for - Page 2 - OpenVPN Support Forum (at forums.openvpn.net)
16:20 < rob0> I guess that will depend on him.  I have no intention to revisit it.  I briefed ecrist and told him to talk to ecrist about it.  I hope he will be calmer and more mature in talking to ecrist, but the stuff on the forum does not look good.
16:20 < rob0> I had to /ignore MSGS from him because he was being nasty and abusive, and showing no sign of letting up.
16:22 < slypknot> yep .. looks bad
16:22 < slypknot> lol
16:22 < rob0> There is no means of automatic ban expiration in this channel.  Many bans are much older than his.
16:22 < slypknot> and it is for a VPN service not his own
16:22 < rob0> yep
16:29 < slypknot> lol .. frootvpn paid !
16:43 < pdobrogost> I set dns and search domain for openvpn's interface in .network file yet resolution of names from this domain doesn't work. In case someone wants to take a look here is short log and status of systemd-resolved – https://paste.fedoraproject.org/paste/rOU1fvAwOcCd5-Vmk1QmE15M1UNdIGYhyRLivL9gydE=
21:10 <@ecrist> ?
21:11 <@ecrist> awww shit
21:13 <@ecrist> slypknot: he's been messaging me privately.  I didn't know about the forum post until now.
21:13 <@ecrist> awaiting his reply on that one
21:20 <@ecrist> rob0: we can do auto-expire bans via chanserv.   We don't, by policy, do that normally.  It's up to the OP though.
21:31 < rob0> oh, okay.
22:27 -!- mode/#openvpn [-bb *!*@unaffiliated/compsman $a:compsman] by ecrist
22:30 < compsman> sorry rob0
22:30 < compsman> for yesterday
22:31  * thumbs raises an eyebrow
22:32 < thumbs> I would apologize on the forum too.
22:32 <@ecrist> compsman: welcome back.  I'm on my way to bed, so maybe someone here can help you, otherwise I'l be around in ~10 hours
22:32 < rob0> compsman, np, welcome back.
22:32 < rob0> ecrist, thanks and gn
22:33 < compsman> hey so i am a pppoe user
22:33 < compsman> meaning mtu locked 1492
22:34 < compsman> vdsl
22:35 < compsman> you use teamviewer?
22:36 < compsman> i did thumbs and thanks for reminding(:
23:52 < compsman> hey anyone around? that knows mssfix tun-mtu? aware of pppoe?
--- Day changed Mon Feb 27 2017
01:56 < pdobrogost> Hi all!
01:57 < pdobrogost> I set dns and search domain for openvpn's interface in .network file yet resolution of names in this domain doesn't work. Short log and status of systemd-resolved is at https://paste.fedoraproject.org/paste/rOU1fvAwOcCd5-Vmk1QmE15M1UNdIGYhyRLivL9gydE= Any ideas why this doesn't work?
02:04 -!- Comps__ is now known as compsman
03:10 <+hyper_ch> strange thing on the openvpn forums
03:10 <+hyper_ch> I can login but I can't alter my password
03:10 <+hyper_ch> when I'm prompted in the account settings to provide my password, I get inncoret reply
04:37 < nohitall> hello folks, I was following this https://possiblelossofprecision.net/?p=1746 but I fail to get revokation working, I can still connect after I revoked the client
04:37 <@vpnHelper> Title: Revoking an OpenVPN certificate /dev/blog (at possiblelossofprecision.net)
04:37 < nohitall> I got the proper line in server.cfg but not sure how to debug on failure
04:37 < nohitall> anything else needed but revoke-all script?
04:44 < slypknot> hyper_ch: you have to go here to change your password: https://community.openvpn.net/pwm/private/Login
04:46 <+hyper_ch> slypknot: thx, that seems to work
04:46 < slypknot> nohitall: See https://community.openvpn.net/openvpn/wiki/301-does-openvpn-support-certificate-revocation-lists-crls
04:46 <@vpnHelper> Title: 301-does-openvpn-support-certificate-revocation-lists-crls – OpenVPN Community (at community.openvpn.net)
04:46 < nohitall> slypknot: yea the option is set
04:47 < nohitall> but seems ot be ignored or not propelry utilized
04:47 < nohitall> I dont see anything in the logs regarding any checks
04:47 <+hyper_ch> finally changed pwd to a pwgen -ync 40 one :)
04:48 < nohitall> I see how the client got revoked in the index file and the crl.pem was updated
04:50 < nohitall> hm wonder whats missing, seems pretty straight forward
04:51 < nohitall> serial ID and revokation date/time also show in crl.pem
04:53 < nohitall> can't be that if there is another auth method used and it is legit that it allows it anywy?
04:53 < nohitall> it shouldnt allw the connection in the first plae
05:08 < nohitall> if I use a auth plugin would clr be ignored? seems so
05:33 < nohitall> ok WARNING: Failed to stat CRL file
05:33 < nohitall> but why
05:43 < nohitall> ah permissions :/
05:49 < k-man> !welcome
05:49 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
05:49 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
05:50 < k-man> hi
05:50 < k-man> !goal
05:50 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:51 < k-man> i would like clients to be able to access the LAN at work, from the WAN, i have configured openvpn on our openwrt router. i can connect to it from outside
05:52 < k-man> however the client doesn't seem to get an ip from the server side, nor can it ping anything on the LAN once connected
05:53 < slypknot> nohitall: you're almost there ;)
05:54 < slypknot> k-man: if your client does not get a vpn ip then you have done something very wrong
05:56 < slypknot> once you fix the ip .. see this : http://openvpn.net/index.php/open-source/documentation/howto.html#scope
05:56 <@vpnHelper> Title: HOWTO (at openvpn.net)
05:57 < k-man> oh, firxt it!
05:57 < k-man> fixed it even
05:57 < slypknot> rob0: that guy posted an apology to the forum .. so we deleted the post .. no need for further humiliation ;)
05:57 < nohitall> slypknot: yea the issue is that openvpn runs as nobody thus it failed to reload the file
05:57 < slypknot> nohitall: yeah .. permission are a PITA
05:57 < nohitall> which means I gotta restart everytime I revoke a cert
05:58 < nohitall> or copy file and adjust permissions or dont run as nobody
05:58 < k-man> i had commented out the com-lzo as it wasn't on my server (but was on my client config) but forgot  to re-add it to tunnelblick
05:58 < slypknot> nohitall: no .. you must ensure you have permission to read the CRL with the dropped privs
05:59 < slypknot> nohitall: the CRL gets read everytime a client connects
06:00 < nohitall> slypknot: yea well then I'd have to adjust file permission everytime to have it read by nobody
06:01 < nohitall> although I could simply add a line to the revoke-all script I guess
06:01 < nohitall> I try that
06:02 < nohitall> slypknot: or got a better idea?
06:03 < slypknot> how often does your CRL change ?
06:03 < nohitall> no idea, but laziness prevails
06:03 < nohitall> so I just use the full path and add chown to revoke-all
06:03 < nohitall> :D
06:03 < nohitall> shouldnt cause a problem
06:04 < slypknot> linux permissions are very flexible .. perhaps there is a simple way through a group or something
06:05 < nohitall> well I see no issue with this
06:05 < slypknot> that is upto you
06:05 < nohitall> crl.pem is owned by nobody.nobody then
06:05 < nohitall> but if I revoke again its overwritten anyway by root
06:05 < nohitall> and then chowned again, should work
06:06 < nohitall> k problem solved then
06:22 < nohitall> slypknot: thx for input
06:44 <+hyper_ch> dazo: online?
07:19 < slypknot> hyper_ch: accessing the LAN ?
07:38 <+hyper_ch> slypknot: ?
09:25 < rob0> slypknot, thanks, I saw the apology, which was nice, and he gave a short version of it here.
10:21 <+hyper_ch> dazo: you've heard of https://www.wireguard.io/ ?
10:21 <@vpnHelper> Title: WireGuard: fast, modern, secure VPN tunnel (at www.wireguard.io)
10:22 <+hyper_ch> or ecrist  or krzee
11:10 < slypknot> hyper_ch: wireguard looks ok
11:40 < monsterco> what is the simplist openvpn connection I can make? I also want the fast speed - no encryption needed
11:55 < pdobrogost> Can openvpn's interface be managed by systemd-networkd?
11:59 < pdobrogost> monsterco: If you want it fast then use https://www.wireguard.io
11:59 <@vpnHelper> Title: WireGuard: fast, modern, secure VPN tunnel (at www.wireguard.io)
12:00 < monsterco> this is diff than openvpn?
12:01 < pdobrogost> It's much simpler. Just go and read. You can setup it in a few minutes.
12:02 < pdobrogost> Also you can ask on #wireguard if you can turn encryption off.
12:03 < pdobrogost> monsterco: The best man to ask there is zx2c4 who is the author himself.
12:19 < rob0> monsterco, with no encryption, you could use ipip or gre tunnelling.
12:30 < monsterco> rob0 - that is in openvpn?
12:30 < monsterco> pdobrogost - pfsense doesn't support wireguard - i will explore it another time
12:33 <+hyper_ch> slypknot: what makes you think that it looks ok?
12:39 < rob0> ipip and gre tunnels in Linux are a feature of the kernel and iproute2.  Other systems support them also.
13:06 < monsterco> what do i have to install to be able to create keys?
13:06 < zx2c4> hey folks
13:06 < monsterco> i know old openvpn allowed this but new one requires something extra
13:07 < zx2c4> somebody mentioned i should come in here to herd y'all toward #wireguard / www.wireguard.io instead
13:07 < zx2c4> *shrug*
13:07 < zx2c4> here i am!
13:08 < rob0> haha
13:09 < rob0> monsterco, depends.  If you're using static keys, openvpn itself generates those.
13:10 < rob0> If you're using TLS, you use openssl or one of many frontends, such as easy-rsa
13:10 < rob0> Any major distro of GNU/Linux should come with openssl.
13:11 < rob0> You can also use any comparable commercial software which implements x.509
13:21 < monsterco> rob0 - not static
13:22 < monsterco> rob0 - i have a script that runs things like: ./build-ca --batch and ./build-key-server --batch which doesn't work now
13:22 < monsterco> is there any easy builder of keys tha can spit out keys and certificates for me?
13:23 < slypknot> monsterco: you hae easyrsa-2.2.2
13:24 < slypknot> https://openvpn.net/index.php/open-source/documentation/howto.html#pki
13:24 <@vpnHelper> Title: HOWTO (at openvpn.net)
13:25 < monsterco> slypknot - it is installed already
13:25 < monsterco> wher are the files for it? not in openvpn forlder anymore?
13:25 < slypknot> zx2c4: so get on with reading the howto
13:25 < slypknot> monsterco: so get on with reading the howto
13:25 < zx2c4> slypknot: say what
13:26 < slypknot> zx2c4: sorry .. wrong name
13:26 < zx2c4> oh
13:26 < zx2c4> :)
13:26 < slypknot> i looked at your wiregaurd
13:26 < slypknot> it looks quite neat .. but you don't want openvp-users .. not yet, your too early in dev
13:27 < zx2c4> slypknot: how come?
13:27 < slypknot> zx2c4: hey . paoch them all you want .. and wath your support channel ober flow
13:28 < slypknot> watch* and over*
13:29 < rob0> monsterco, you should not run your PKI CA on a machine which is a part of your VPN.  Ideally it should be kept on a machine which is entirely offline.
13:29 < monsterco> no
13:29 < monsterco> that's true
13:29 < monsterco> I need to setup a system for creating like 100s of keys
13:29 < monsterco> what is the best way?
13:29 < slypknot> read the howto
13:30 < monsterco> this is an ongoing thing - will be
13:30 < monsterco> i think i have to do a pki server?
13:30 < slypknot> if you dont read the howto .. you won't know how to
13:32 < rob0> openvpn and easyrsa aren't set up this way, but a proper TLS CA has the user generate her own key and send a CSR (certificate signing request) to the CA.
13:32 <+hyper_ch> rob0: easyrsa3 actually puts emphasis on users generating their own key and csr
13:33 < zx2c4> slypknot: yea thats a fair fear
13:33 < rob0> Then the CA admin signs the CSR to generate a certificate.  That can be returned to the user via email.  Nothing secure was transmitted that way.
13:33 < rob0> hyper_ch, oh, I have not looked at easyrsa in awhile
13:34 <+hyper_ch> https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto  -   On each client, generate a keypair and request.
13:34 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net)
13:34 <+hyper_ch> but you can still generate it all on the pki if you want to
16:33 < pdobrogost> Any idea why with this config https://da.gd/e7he ssh hostX.sfx results in ssh using pdobrogost username instead piotr?
16:33 <@vpnHelper> Title: Anonymous users paste - Modern Paste (at da.gd)
16:42 < DArqueBishop> Uh.
16:42 < DArqueBishop> pdobrogost:
16:42 < DArqueBishop> !notovpn
16:42 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
17:52 < compsman> hello all.
18:03 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 245 seconds]
18:03 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
18:03 -!- mode/#openvpn [+o plaisthos] by ChanServ
18:12 < animehacker> hey guys I'm having trouble setting up an openVPN connection. I'm using an ovpn config file. it didn't automatically import the certs so i tried it manually by putting the certs into their own files but still not connecting
18:12 < animehacker> I'm on Linux Mint 17.3
18:39 -!- Vercas_ is now known as Vercas
19:27 < compsman> hey can anyone help with mtu?
19:36 < slypknot> compsman:
19:36 < compsman> yo
19:37 < slypknot> your operating MTU is ?
19:37 < compsman> 1492 (pppoe)
19:37 < slypknot> wireless vs ethernet ..
19:37 < compsman> vdsl user
19:37 < slypknot> ahh
19:37 < compsman> locked
19:37 < slypknot> no problem
19:38 < compsman> phew so you know?(:
19:38 < compsman> i got bond pair vdsl also 80/40(:
19:40 < compsman> just my vpn cant get most use cause it trying at 1500 mtu i think? am i wrong?
19:41 < slypknot> I got operating MTU=1432 .. still works
19:41 < compsman> This connection is unable to accommodate a UDP packet size of 1585. Consider using --fragment or --mssfix options as a workaround.
19:41 < slypknot> pppoe
19:41 < compsman> i am just sooo confused
19:42 < slypknot> to whom ?
19:42 < slypknot> who is the server ?
19:42 < compsman> about openvpn speeds
19:42 < compsman> frootvpn
19:42 < slypknot> ^^^^^^^^
19:43 < slypknot> you do not have an MTU problem
19:43 < compsman> i dont?
19:43 < compsman> i am learning here
19:43 < compsman> sorry(:
19:43 < slypknot> you have an abuse problem
19:43 < compsman> ?
19:43 < compsman> abuse?
19:44 < slypknot> my mtu is pppoe and exactly the same as yours
19:44 < compsman> 1492?
19:44 < slypknot> frootvpn either have a network problem
19:44 < slypknot> or
19:44 < slypknot> they dont like you
19:45 < slypknot> yes 1492
19:45 < slypknot> adjusted
19:45 < compsman> abuse problem how?
19:45 < slypknot> i have no idea
19:45 < compsman> i am so lostman
19:45 < compsman> can you explain more?
19:46 < compsman> sorry
19:46 < slypknot> ok
19:46 < compsman> and thank you
19:46 < slypknot> np
19:46 < slypknot> frootvpn is in scandinavia or there abouts ?
19:47 < compsman> sweden
19:47 < slypknot> yeah
19:47 < compsman> i used them long time
19:47 < compsman> these just started
19:47 < slypknot> which part of the world are you in roughly .. no need for details
19:47 < compsman> oregon..
19:47 < compsman> dont care:/
19:48 < slypknot> fair enoug
19:48 < compsman> i can get to 7 mbytes
19:48 < compsman> but should get more...
19:49 < compsman> and my upload been bad...
19:49 < slypknot> no body ever gets more
19:49 < compsman> from my 40mbit jeesh
19:49 < compsman> 500kbytes
19:49 < slypknot> that is a diff discussion
19:50 < compsman> so they hurting me somehow?
19:50 < slypknot> ..
19:50 < compsman> udp packet overbuffer? i am trying understand
19:50 < slypknot> you seem very angry .. but you dont understand .. is that fair ?
19:50 < compsman> oh i am calm
19:50 < compsman> i just have cerebral palsy
19:51 < compsman> its my brain, i am sorry man
19:51 < compsman> its me
19:51 < slypknot> well .. i am an recovering alcoholic and i am currently pissed and stoned ..
19:51 < slypknot> so
19:51 < compsman> i dabb(:
19:51 < compsman> dab weed(:
19:52 < slypknot> this conversation will probably not end well
19:52 < slypknot> weed up the wazoo
19:52 < compsman> i hope it does honest
19:53 < slypknot> my girl friend came home today with an ounze of weed and she did not have sex with me
19:53 < compsman> toooo blazed?
19:53 < slypknot> i am not very happy about that
19:53 < compsman> i be pissed too
19:53 < slypknot> my fingers are folding space / time
19:54 < slypknot> i would probably rip mine off
19:54 < compsman> just smoke a bowl, she will.(:
19:54 < slypknot> so
19:54 < compsman> time moves(:
19:54 < slypknot> we have established one line of communication ;
19:54 < slypknot> )
19:54 < slypknot> :)
19:54 < compsman> fellow stoners(:
19:55 < slypknot> its a long hard road for you ahead
19:55 < compsman> i trully can snap though at times and i am sorry for that, its my stupid brain.
19:55 < slypknot> yep .. my stupid brain does that too
19:56 < compsman> been in hospital 5 times pass 2 months..
19:56 < compsman> seizures
19:56 < slypknot> i been banned from openvpn for over a year .
19:56 < slypknot> but i fought back
19:56 < compsman> oh i done worse in other places
19:57 < compsman> feel bad
19:57 < compsman> like why did i do that
19:57 < slypknot> i dont know if we is the same sort of fucked up .. that would need a doctor
19:57 < compsman> why i see my doctor
19:57 < slypknot> but you and me IS fucked up
19:58 < compsman> recently has changed meds
19:58 < compsman> and loving them.
19:58 < slypknot> so listen
19:58 < compsman> no more black outs
19:58 < compsman> yo
19:58 < slypknot> openvpn is not easy
19:58 < slypknot> you gotto know what is going on
19:58 < slypknot> yopu got
19:58 < slypknot> openvpn config
19:59 < slypknot> ans
19:59 < slypknot> and
19:59 < slypknot> iptables
19:59 < slypknot> and
19:59 < slypknot> network shit
19:59 < slypknot> and
19:59 < slypknot> sometimes ..
19:59 < slypknot> it dont fuckin work cos some dick head fucked something up
20:00 < compsman> i know how subnet works thanks to lan gaming hehe
20:00 < slypknot> from all your stuff
20:00 < slypknot> i think somebody else fucked something up
20:00 < slypknot> may be on purpose
20:01 < compsman> so mssfix wouldnt help?
20:01 < slypknot> you tried froot vpn sdupport ?
20:01 < compsman> they havent replied in 10 days other then basic support
20:01 < slypknot> yeah
20:02 < slypknot> you need a VPS
20:02 < slypknot> or openWRT
20:02 < slypknot> openwrt is cool
20:02 < compsman> i have tomatousb..
20:02 < compsman> close to openwrt
20:02 < slypknot> you are half way there
20:02 < compsman> haves openvpn
20:03 < compsman> on this build
20:03 < slypknot> hyep
20:03 < slypknot> you just want to play a game over openvpn ? or more ?
20:03 < compsman> but i am only trying do vpn one pc
20:04 < slypknot> ^^
20:04 < compsman> windows 7 pc
20:04 < slypknot> some games ?
20:04 < compsman> very stable long uptimes
20:04 < slypknot> sure
20:04 < compsman> more as a server
20:05 < slypknot> i get 100 plus days out of my win10 server .. then it goes into melt down
20:05 < compsman> has a cctv program, other programs
20:05 < slypknot> cos itys M$
20:05 < compsman> ispyconnect
20:06 < compsman> windows cctv camera system.
20:06 < slypknot> sure
20:06 < slypknot> i get you
20:06 < compsman> vpn on there
20:06 < compsman> has sha386
20:06 < compsman> if that helps
20:07 < compsman> you use teamviewer?
20:07 < slypknot> a little
20:07 < compsman> i have it on there
20:08 < slypknot> team viewer is not importantr
20:08 < compsman> just want you see the results yourself:P
20:08 < slypknot> they have thier own "security"
20:10 < slypknot> their* lol
20:10 < compsman> so is my mtu wrong?
20:10 < compsman> inside vpn?
20:10 < slypknot> outside
20:11 < compsman> server side?
20:12 < compsman> just trying understand haha
20:12 < slypknot> you are not a frootvpn server ..
20:12 < compsman> just a frootvpn user
20:12 < compsman> paying user
20:12 < slypknot> ^^^^^^^^^^^
20:13 < compsman> so whats wrong?
20:13 < slypknot> the world
20:13 < compsman> :/
20:13 < compsman> so theres no fix?
20:13 < slypknot> try a different provider
20:15 < compsman> well i have 8 more months:/
20:15 < compsman> gotta be a fix
20:15 < slypknot> they have the obligation to you
20:16 < slypknot> demand your money back
20:17 < slypknot> ..
20:17 < slypknot> unless somebody else wants to *chime* in
20:17 < slypknot> ..
20:18 < slypknot> ding dong .. the witch is dead
20:18 < slypknot> _)
20:18 < slypknot> \\);
20:20 <@Eugene> !mtu
20:20 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting, or (#3) useful info here: https://forum.pfsense.org/index.php?topic=67080.0
20:20 <@Eugene> FWIW, I have never, ever found a need to actually fiddle with the MTU settings in openvpn. The people who write the MTU-determination algorithms are, as a general rule, smarter than I.
20:20 < slypknot> i can do that too
20:21  * slypknot is taking a piss
20:21 <@Eugene> AT FULL POWER ONLY
20:25 < rob0> I think compsman's hypothesis, though, has merit.  PPPoE is often where such MTU problems come up.
20:25 < slypknot> i am pppoe
20:26 < slypknot> it is alittle unclear
20:26 < rob0> I am too, but I have never tried to --redirect-gateway behind it.
20:26 < slypknot> Operating MTU: 1432; Default MTU: 1492
20:27 < slypknot> there is no way--redirct is a factor
20:27 < slypknot> it is mtu
20:27 < slypknot> but whos fault is it
20:27 < rob0> well, you wouldn't notice performance issues so much without --redirect
20:28 < slypknot> this is a frootv client
20:28 < slypknot> internet monkeys gone mad ?
20:29 < rob0> and there too, I have never dealt with a VPN provider, personally
20:29  * slypknot agrees
20:30 < compsman> i am just trying make the mtu match up thats all.
20:30 < compsman> just i only messed with mtu only to put to 1492 for vdsl
20:31 < slypknot> personally .. i think this is a mountain out of a mole hill
20:31 < compsman> but i need vpn:/
20:31 < compsman> sorry.
20:31 < slypknot> and i think that was more or less proven
20:32 < slypknot> you need school and less drugs
20:32 < rob0> hey, can you try your frootvpn from a hotspot somewhere?  Something not DSL preferably?
20:32 < compsman> thats very insulting to a disabled person.
20:32 < rob0> Please don't take silly remarks personally.
20:32 < slypknot> compsman: you need to dial down you attitide
20:33 < compsman> yea at the hospital, its not a problem, or my aunts
20:33 < slypknot> and listen for a change
20:33 < rob0> okay, that's something
20:33 < compsman> i am an disabled person with cerebral palsy..
20:33 < rob0> aunt has fiber or cable?
20:33 < slypknot> big deal
20:33 < compsman> cable
20:33 < compsman> i hooked it up
20:34  * slypknot is listening to rob0
20:34 < compsman> i am banned from camcast because i ignored dscp packet..
20:34 < compsman> speed cap.
20:35 < slypknot> game over man
20:35 < compsman> eh dsl just anit stupid like comcast lol
20:35 < slypknot> i already miss: Bill Paxman
20:36 < compsman> and i learned the hard way honestly
20:36 < compsman> learning what dscp was
20:36 < slypknot> you never learned shit
20:36 < compsman> dude back off..
20:37 < slypknot> or what
20:37 < compsman> can you really just back off already..
20:37 < slypknot> yeah ..
20:37 < compsman> thank you..
20:37 < slypknot> naff off dick
20:38 < slypknot> go stick your peg leg in your ass
20:38 < rob0> I'm not without sympathy for the problem, but like Eugene said, I've never had to mess with the MTU stuff either.
20:38 < slypknot> ^^^
20:38  * slypknot is gonna get banned
20:38 < rob0> slypknot, I hope not :)
20:39 < rob0> but to be fair I should ask you again to be nice
20:39 -!- EviL_ViBes|2 is now known as EviL_ViBes
20:39  * slypknot preys to the gods of vpnummination
20:40 < rob0> compsman, and thank you for not overreacting to it
20:40 < slypknot> life :)
20:40 < slypknot> almost better than the real thinh
20:41 < compsman> i just want to learn and figure out what to use on this config
20:41  * slypknot is calm now
20:42 < slypknot> i have the same mtu as you
20:43 < slypknot> i even used frootvpn a couple of timer
20:43 < slypknot> they just kicked me off when they want
20:43 < slypknot> but you are paying
20:43 < slypknot> so .. i dont know
20:44 < compsman> just udp 1585?
20:44 < compsman> why?
20:44 < slypknot> they can do stuff like that
20:45 < slypknot> they are the server
20:45 < compsman> but i cant have that though right
20:45 < slypknot> but
20:45 < slypknot> robo + eugine may have more constructive ideas
20:45 < compsman> yea
20:45 < slypknot> you know who you are
20:46 < slypknot> compsman: dont use your physical disabilities as a wedge
20:46 < slypknot> otherwise i willl destroy you
20:47 < compsman> have to find me first though ha ha:P
20:47 < slypknot> ani dont need to find you
20:47 < slypknot> YOU FOUND ME
20:47 < slypknot> 3x caps
20:48 < slypknot> ring any bellss
20:54 < slypknot> ..
20:54 < slypknot> domkopf
20:56 < slypknot> maybe he is getting some meds right now
20:56 < slypknot> i can top it
20:57 < slypknot> either way
20:58 < slypknot> when you finf your life partner dead and your son crying about it on new years eve then you can winge
20:58 < slypknot> or else you can .............
20:58 < slypknot> brain cancer
20:59  * slypknot is done with it
21:00 < compsman> i had to let dogs out
21:00 < compsman> and was distracted
21:02 < slypknot> *we* have given you too many chances ..
21:04 < compsman> um?
21:04  * slypknot *is* bitter
21:04 < compsman> okay
21:05 < slypknot> you ready now ?
21:09 < slypknot> compsman: there are people waiting for you
21:09 < compsman> who?
21:10 < slypknot> dick#
21:10 < compsman> i just see you trolling
21:10 < slypknot> you see me trolling
21:10 < slypknot> did your meds come in yet ?
21:11 < slypknot> you got the ganja ?
21:11 < slypknot> did you smoke my ass
21:11 < slypknot> ?¿???
21:12 < slypknot> we is still awaiting your actual pronlem
21:12 < slypknot> problem*
21:13 < slypknot> omg
21:13 < slypknot> that delete key is a saviour
21:14 < slypknot> and .. you PAY froot]
21:17 < slypknot> the reason you see *me* trolling .. is cos nobody else can be arsed
21:18 < slypknot> vlog me
21:23 < slypknot> BTW : you started this
21:23 < slypknot> compsman: ^^
21:29 < slypknot> godda say : forum nod or wot
21:29 < slypknot> !:£
21:30 < slypknot> attitude + integrity
21:31 < slypknot> + attitude +
21:32 < slypknot> + lunatic
21:32 < slypknot> + sounds good to me
21:33 < slypknot> + young (lock me up)
21:33 < slypknot> + take a chance
21:34 < slypknot> ecrist: ^^
21:37 < slypknot> every single person that has shown the slightest interest i have recommmended ,,
21:37 < slypknot> i am either the sadest person of all time
21:38 < slypknot> or other
21:38 < slypknot> i am screewed
21:40 < slypknot> get the fuck on with it
21:40 < slypknot> easyrsa
21:41 < slypknot> or any thing
21:41 < slypknot> kick me if that is it
21:41 < slypknot> ffs
21:47 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Read error: Connection reset by peer]
21:47 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
21:47 -!- mode/#openvpn [+o plaisthos] by ChanServ
22:30 < compsman> i am going bed goodnight, computer went sleep.
--- Day changed Tue Feb 28 2017
02:04 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
02:29 <+hyper_ch> where's krzee?
06:25 < MANpikol> !wellcome
06:25 < MANpikol> !welcome
06:25 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
06:25 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
06:28 < MANpikol> !1925
06:28 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
08:12 -!- mode/#openvpn [+b $a:kettlecalling] by ecrist
08:58 <+hyper_ch> https://team-sik.org/trent_portfolio/password-manager-apps/
08:58 <@vpnHelper> Title: TeamSIK Password-Manager Apps (at team-sik.org)
10:55 < monsterco> what is the client side and server side parameters to pump all traffc through tunnel?
10:56 < monsterco> I also want to know the same for a specific domain traffic as well and not the whole traffic
10:59 < DArqueBishop> !redirect
10:59 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
10:59 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
11:00 < rob0> what does "a specific domain traffic" mean?  Routing is done by IP address only, not by DNS names.
11:01 < monsterco> rob0 - for example only allow google.com search through tunnel
11:01 < rob0> right, can't do that ^^
11:02 < rob0> google.com and www.google.com resolve to MANY addresses, which vary each time you ask
11:03 < rob0> to control HTTP by names, you could possibly try a HTTP proxy like squid.
11:07 < dimaj> hey guys, is this a good place to ask a routing question?
11:11 < skyroveRR> dimaj: that's related to networking, hence ask in the ##networking channel :)
11:12 < dimaj> oki. thanks
11:27 < monsterco> what do i need to put for redirect on server side?
11:29 < DArqueBishop> !redirect
11:29 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
11:29 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
11:29 < rob0> see ^^ that flowchart
11:29 < rob0> and all the rest of that factoid
11:30 < monsterco> DArqueBishop - just put !redirect and that's all?
11:30 < monsterco> what is def1?
11:30 < monsterco> !def1
11:30 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
11:31 < monsterco> sounds a bit complicated
11:31 < monsterco> what is a simple line to get me started for now?
11:34 < rob0> yes, VPN redirection sure is complicated.
11:42 < DArqueBishop> monsterco: there is no "simple line". Not only do you have to add a line to your OpenVPN server config, you have to reconfigure your server's networking/firewall to allow the redirection.
11:43 < monsterco> DArqueBishop - yep, just taking care of that
11:43 < monsterco> what do i have to put on client side?
11:43 < DArqueBishop> Nothing.
11:43 < monsterco> windows picks up routing order how?
11:44 < DArqueBishop> Once the server pushes the gateway redirect, the client automatically adds the new entries to the routing table.
11:55 < monsterco> can openvpn traffic shape or limit the amount of bandwidth using a parameter?
11:56 < monsterco> I have client connecting and tunneling all traffic through server but I want to limit how much upload and download they can use
12:01 <@dazo> monsterco: there are some limited traffic shaping options ... but you might get more control and effect using tc with proper shaping policies
12:01 <@dazo> monsterco: you can look at --shaper
12:01 < monsterco> what is tc?
12:02 < rob0> dazo, o/
12:02 <@dazo> monsterco: one of the traffic shaping tools on Linux
12:02 <@dazo> rob0: hey!
12:03 < monsterco> @dazo - so without using those tools, openvpn doesn't provide anything?
12:03 < monsterco> i don't need much control under than set a limited bandwidth for uplaod and download
12:03 <@dazo> monsterco: well, there is --shaper ... but it is fairly limited in what it can do
12:04 <@dazo> monsterco: and if you have server with multiple VPN clients connected, I even believe --shaper on the server side will even cap all connected lients
12:04 <@dazo> plus --shaper only targets out-going traffic
12:05 <@dazo> monsterco: https://www.howtoforge.com/voip_qos_traffic_shaping_iproute2_asterisk ... one of many guides ... there might be far better official guides
12:05 <@vpnHelper> Title: QoS And Traffic Shaping For VoIP Users Using iproute2 And Asterisk (at www.howtoforge.com)
12:09 < monsterco> cap all clients is good
12:09 < monsterco> i want to test this to begin wiht
12:09 < monsterco> the links u gave me is for openvpn bandwidth limit?
12:13 <@dazo> nope, the link was for iproute2 + tc ... which should be fairly easily to spot when reading it
12:13 <@dazo> for --shaper, we have !man
12:13 <@dazo> !Man
12:13 <@vpnHelper> "Man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
12:13 < monsterco> what does this mean for example? "shaper 25000"
12:13 < monsterco> this is in bytes?
12:13 <@dazo> it's all in the man page
12:25 < monsterco> I get this error for using shaper: Options error: --shaper cannot be used with --mode server
12:25 < monsterco> what does this mean?
12:26 <@dazo> Exactly what it says ... your configuration setup cannot make use of --shaper
12:26 <@dazo> did you read the man page entry for --shaper?
12:27 < monsterco> i am in peer to peer model ssl tls
12:27 <@dazo> --mode server is not peer-to-peer mode
12:43 -!- Poster|y is now known as Poster
13:28 < pdobrogost> Hi guys!
13:28 < pdobrogost> When shutting down tunnel (with ctrl+c) I get "/usr/sbin/ip route del 10.96.0.0/16 \n RTNETLINK answers: Operation not permitted \n ERROR: Linux route delete command failed: external program exited with error status: 2" How can I fix this?
13:28 < pdobrogost> I use user piotr \n group nobody in config.
13:30 < rob0> you can't, but you can stop worrying.  The route deletion happens anyway when the interface goes away.
13:31 < pdobrogost> You drop root at the beginning and then it's lost forever, yes?
13:33 < rob0> it is, but in most cases that does not matter.  To fix the problem -- which is NOT a problem -- you can leave out "user" and "group".  And THEN you could have a real problem.  So don't do that.
13:34 < pdobrogost> Understood. It would be helpfull if openvpn would output such information when it happens.
13:34 < pdobrogost> Has anyone tried to use networkd with openvpn's interface/
13:43 < pdobrogost> When I started tunnel I got this "/usr/sbin/ip route add 10.93.0.0/16 via 10.92.32.1 \n RTNETLINK answers: Network is unreachable" However when I tried again all were fine. Any hints to what might be the cause?
13:43 < pdobrogost> s/were/was/
13:54 < pdobrogost> ^ Anyone?
14:00 < pdobrogost> Next problem. After setting up tunnel with no errors, when I try to ping some host on remote LAN the ping hangs. Running strace (with sudo) shows it keeps receiving  error -1 EAGAIN (Resource temporarily unavailable). Why, oh why does it happen?
14:08 < pdobrogost> Hmm, although in the logs I see "--ifconfig/up options modified", ip addr shows openvpn's tun interface has no ip4 address. Why?
14:12 < ghost75> is openvpn server able to run on virtual machine with bridging?
14:13 < ghost75> when i connect to vpn i can only reach server
14:16 <@ecrist> ghost75: yes, it can, but bridging alone won't get more systems on the VPN network.
14:17 < ghost75> do i need to run nat on the virtual machine in order to connect to the whole internal lan?
14:34 <@ecrist> yes - if you're the vPN administrator, though, check out !iroute and !route
14:34 <@ecrist> there's a better way than NAT
14:43 < ghost75> ecrist: thats openvpn config http://pastebin.com/a5p34Tw4
14:44 < ghost75> maybe is something wrong there
15:10 < ghost75> hmm maybe esx with promiscous mode could be a solution
15:47 < taggart> given a "OpenVPN Static key V1" block, is there a command to get into on that key? like what settings were used
15:48 < taggart> for comparison, for the ca cert I can run something like: openssl x509 -in ca -text -noout
16:00 < klow> Hello,  I just installed openvpn 2.4 from the openvpn apt repo,  and Im using tunnelblick with openvpn 2.4 ,  and still getting the warning that >128 blocksize is being used,  vulnerable to sweet32 etc
16:00 < klow> I didnt specifiy cipher in client or server,  shouldnt it auto-negotiate something stronger?
16:00 < klow> i dont want to hard code cipher in server config until i can touch many client configs
16:01 < klow> I want to use aes-256-gcm where possible, which I believe should autonegotiate if I use >2.4 client/server
16:02 < klow> <128 blocksize rather
16:16 <@dazo> klow: iirc, it will complain if --cipher is not set (or set to a weak cipher).  But if the remote client 2.4 as well, you should see that the data channel cipher is AES-256-GCM or something like that
16:19 <@dazo> so --cipher on the server side is what is used against clients not supporting any tweaks at all.  But newer 2.3 clients should be capable of slowly migrating to new ciphers one-by-one if you start playing with --ncp-ciphers
16:19 <@dazo> on the server side
16:19 <@dazo> then you can just change --cipher on the clients to one of the --ncp-ciphers you've configured
16:19 <@dazo> and it should still work
16:20 <@dazo> once all clients have migrated over ... you can update the --cipher statement on the server side, and these warnings will go away
16:23 <@dazo> taggart: there's nothing interesting meta-data inside the "OpenVPN Static key V1" data ... it's just as interesting as the any private RSA key
16:25 <@dazo> The static keys are basically just generated by openvpn --genkey --secret $FILE
16:36 < taggart> dazo: ok, how do I determine the key size?
16:41 <@dazo> taggart: it's always 2048 bits key, which is split up into 4 keys of 512 bits each.  Where each of these keys today do not make use of maximum 256 bits.  How much of it being in use depends on the algorithms OpenVPN is configured to use
16:44 < taggart> dazo: and direction setting?
16:46 <@dazo> taggart: correct
16:47 <@dazo> there's some more details on the static key format here: https://community.openvpn.net/openvpn/wiki/327-changed-hex-bytes-in-the-static-key-the-key-still-connects-to-a-remote-peer-using-the-original-key
16:47 <@vpnHelper> Title: 327-changed-hex-bytes-in-the-static-key-the-key-still-connects-to-a-remote-peer-using-the-original-key – OpenVPN Community (at community.openvpn.net)
16:52 < taggart> dazo: great, that helps, thanks!
19:02 -!- alexandre9099_ is now known as alexandre9099
19:16 < mmlj4> question... with a tap interface, will every single broadcast packet be transferred across the VPN?
19:19 < ordex> mmlj4: when the packet is sent ofver the tap interface .. yes
19:19 < ordex> but not sure what you mean with "every single brd packet"
19:19 < ordex> broadcast packets are limited in a broadcast domain
19:20 < ordex> but this is a "standard" behaviour, unrelated to openvpn itself
19:24 < mmlj4> tap is layer 2, which implies broadcast domain
19:25 < mmlj4> I was hoping you'd tell me where was some intelligence built in, like a switch, maybe
19:26 < mmlj4> I guess I should just to TUN and stop worrying
19:27 < mmlj4> s/to/do/
19:31 <@dazo> mmlj4: everything what happens on a tap adapter gets sent to the remote site
19:31 <@dazo> mmlj4: so if you use IP routing over TAP ... only the packets which are routed over that interface + the broadcast traffic belonging to the broadcast domain of the tap adapter
19:33 <@dazo> mmlj4: if you do what is highly NOT recommended ... adding a TAP adapter to a bridge ... then the broadcast domain is extended to include all network interfaces in that bridge ... so if you have a local LAN with lots of broadcasts, that broadcast will hit the VPN tunnel
19:34 <@dazo> Using TUN gives the least overhead and have better performance than TAP ... as TAP transports Ethernet packets (which is why it can join a bridge) while TUN interfaces only transports IPv4 and IPv6 packets - which means smaller network packets + only packets really being routed over the TUN interface
19:39 < mmlj4> gr...
19:40 < mmlj4> the last I saw was:
19:40 < mmlj4> <dazo> mmlj4: everything what happens on a tap adapter gets sent to the remote site
19:40 < mmlj4> <dazo> mmlj4: so if you use IP routing over TAP ... only the packets which are routed over that interface + the broadcast traffic belonging to the broadcast domain of the tap adapter
19:40 <@dazo> <dazo> mmlj4: if you do what is highly NOT recommended ... adding a TAP adapter to a bridge ... then the broadcast domain is extended to include all network interfaces in that bridge ... so if you have a local LAN with lots of broadcasts, that broadcast will hit the VPN tunnel
19:40 <@dazo> <dazo> Using TUN gives the least overhead and have better performance than TAP ... as TAP transports Ethernet packets (which is why it can join a bridge) while TUN interfaces only transports IPv4 and IPv6 packets - which means smaller network packets + only packets really being routed over the TUN interface
19:40 < mmlj4> that's what I figured
19:41 < mmlj4> thanks, I'll just use TUN
19:41 <@dazo> that's the most sane choice!
19:41  * dazo gives mmlj4 a cookie
22:56 < Mr-Protocol> Due to the recent SHA1 mess. is this an issue i should look into changing? Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
22:56 < Mr-Protocol> Disclaimer: I'm not an openvpn guru
23:10 < Eugene> !sha1
23:11 < Eugene> Sigh
23:11 < Mr-Protocol> yeah i don't know how to change it to make it better
23:12 < Eugene> Mr-Protocol - tl;dr don't worry about it. Creating a SHA1 collision is still VERY expensive, and it would require an attacker to insert malicious traffic into your stream, maybe
23:12 < Eugene> Its not the same as recovering plaintext
23:12 < Mr-Protocol> yeah, i saw the collision is for a PDF that google put out
23:12 < Eugene> But yes, it is generally a good idea to use a stronger cipher whenever possible
23:12 < Eugene> And hashes
23:12 < Mr-Protocol> and they inject data somewhere in between the JPEG header and footer.
23:12 < Eugene> And longer keys
23:12 < Eugene> And everything
23:13 < Mr-Protocol> right, i just don't know how to change that setting
23:13 < Mr-Protocol> i see some sites say to use a ta.key
23:13 < Eugene> !man
23:13 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
23:14 < Eugene> !hardening
23:14 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
23:17 < Mr-Protocol> thanks, i have some reading to do
--- Day changed Wed Mar 01 2017
00:15 < compsman> hey
00:27 < pdobrogost> Hi all!
00:29 < pdobrogost> Has anyone tried to use networkd with openvpn's interface?
00:29 < pdobrogost> In log I see "--ifconfig/up options modified" but ip addr shows openvpn's tun interface has no ip4 address. However, setting it manually with ip addr add after tunnel is up succeeds. Why?
01:01 < mikenasr> Hello
01:04 < mikenasr> having an issue/misconfiguration regarding openvpn routing, i have 1 server, with 4 openvpn peer-to-peer configurations, they can all communicate wit each other ( using the remote lan ), however when i setup a remote access server, i am unable to reach non of my other lans behind the 4 site to site vpns on same server
01:05 < mikenasr> Can some one pinpoint a troublshooting method for this kind of issue, all my traffic from remote access clients are going through vpn, and tracerouting to the remote lans confirms that, added static routes to server, same issue, firewall allow all any any ...
01:19 < mikenasr> !goal, vpn routing issue
02:43 < julius> hi
02:49 < ghost75> is openvpn as different in terms of topology than standard openvpn? (i saw its using nat for private networks)
02:50 < julius> ive played around with link-mtu 1460 in both client and server config, looks like it breaks my setup. i can search in the firefox google input field. but whatever google result i click on...it takes forever (16s) last check for a page to load
02:59 < julius> why is that?
02:59 < julius> ghost75, openvpn is not different than standard openvpn..in fact, they are the same ;)
03:00 < ghost75> i was not able to setup tun inside vmware workstation with bridging, however it seems to be possible with openvpn as
03:05 < julius> as what?
03:21 < ghost75> access server (as)
04:17 <+hyper_ch> it should work with bridging IMHO in vmware
04:44 < ghost75> bridging in openvpn or in vmware?
04:45 <+hyper_ch> using briding in vmware and run a openvn server on the guest
04:45 < ghost75> i can only reach and pring the openvpn server from outside
04:45 < ghost75> -r
04:46 <+hyper_ch> no idea what you did
04:46 < ghost75> http://pastebin.com/a5p34Tw4 this is config
04:48 <+hyper_ch> and what network does it run on?
04:48 < ghost75> vpn client?
04:48 <+hyper_ch> no, the actual network
04:48 <+hyper_ch> not the vpn
04:49 < ghost75> 192.168.5.0 is lan
04:50 < ghost75> when i was connected i saw the route 192.168.5.0 over gateway 192.168.200.1 when doing route print
04:50 <+hyper_ch> !configs > ghost75
04:50 < ghost75> i could reach only 192.168.5.115 which is openvpn
04:50 <+hyper_ch> !config > ghost75
04:50 <@vpnHelper> Error: 'supybot.>' is not a valid configuration variable.
04:50 <+hyper_ch> argh... why isn't it working
04:51 <+hyper_ch> !configs
04:51 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
04:51 < ghost75> ?
04:51 <+hyper_ch> also mark what is server config and what is client config
04:51 < ghost75> paste where?
04:51 <+hyper_ch> in a pastebin
04:57 < EEzzekiel> Hi folks, anyone know how to run openvpn command with weechat in linux?
04:59 < ghost75> hyper_ch: http://pastebin.com/wR9dKkq1
05:02 < ghost75> is it possible to test openvpn on client when its in a teamviewer session?
05:06 <+hyper_ch> ghost75: your network settings look really weird to me... here's what I use:   https://paste.simplylinux.ch/view/1aaafcea
05:07 <+hyper_ch> the vpn runs there on 10.0.8.x and server is 10.0.8.1
05:07 <+hyper_ch> lines 37/38
05:07 < ghost75> u know whats tun2001 on client?
05:09 <+hyper_ch> tn2001?
05:09 <+hyper_ch> tun2011?
05:09 < ghost75> yes, i saw qnap is using in config
05:09 <+hyper_ch> ah, that's just the name
05:09 <+hyper_ch> on my notebook where I have multiple vpns running I even name them differently
05:10 < ghost75> without push gateway i think windows has problem to set gateway
05:10 <+hyper_ch> need also example with certs/keys integrated into conf?
05:11 < ghost75> no not needed
05:11 < ghost75> do you have also vm for openvpn?
05:11 <+hyper_ch> for named tun/if
05:11 <+hyper_ch> I use
05:11 <+hyper_ch> dev xxxxxxxxx
05:11 <+hyper_ch> dev-type tun
05:11 <+hyper_ch> then the interface shows up as xxxxxxxxx
05:12 <+hyper_ch> I have vpn server running on proxmox inside a kvm
05:12 < ghost75> with tun also?
05:12 <+hyper_ch> actaully I have 2 vpn servers running on two proxmox installations
05:12 <+hyper_ch> yes
05:12 <+hyper_ch> the config above is from one such setup
05:13 < ghost75> do you think teamviewer will work on remote side for testing vpn client?
05:13 <+hyper_ch> depends onhow it's setup
06:06 < sachinaddy> Hi. I want to setup OpenVPN in my 3 shops. I want to know the prerequisites for server setup.
06:30 < ghost75> hyper_ch: what is 10.0.8.0 in your example?
06:34 <+hyper_ch> ghost75: hyper_ch  the vpn runs there on 10.0.8.x and server is 10.0.8.1
06:36 < ghost75> i thought server and push route needs to have different subnets
06:38 <+hyper_ch> I push the routing for the vpn
06:38 <+hyper_ch> telling the clients that all connections to 10.0.8.x need to pass through the vpn server
06:41 <+hyper_ch> I have no idea where you get your configuration fro
06:41 <+hyper_ch> !confgen
06:41 <@vpnHelper> "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/, or (#3) you must run this in bash
06:51 < ghost75> so server lan means the normal network?
06:51 <+hyper_ch> no idea what you mean by that
06:52 < ghost75>  -l   - Enables routing the Server LAN over the VPN. Must be quoted network                                               netmask.
06:52 <+hyper_ch> best to use
06:52 <+hyper_ch> !confgen
06:52 <@vpnHelper> "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/, or (#3) you must run this in bash
06:52 < ghost75> yes this is inside
09:04 -!- NotSecwitter is now known as Extremist
09:05 -!- Extremist is now known as NonSecwitter
09:05 -!- NonSecwitter is now known as Jihadist
09:05 -!- Jihadist is now known as NonSecwitter
09:06 -!- NonSecwitter is now known as TruckFump
09:22 < skyroveRR> TruckFump. LOL
09:22 < TruckFump> :D
10:53 < Night_Elf> Hi all. I was wondering, we suppose I have a machine with 3 public ip addresses and each of them can be used to access the intrnet. There I install openvpn server and then someone connects to it with a client. Is it possible to randomise the ip address the client will use? Randomly selecting one of the three that the box already has?
10:58 < daemon> Night_Elf, would be done on firewall level not vpn level
11:00 < Night_Elf> daemon: I see. But then, if the box has internet access via 3 ip addresses (different interfaces or alieses to the same physical one) how does the server pick which to use?
11:01 < rob0> That's not too difficult in Linux/iptables, but why would you want to do that?
11:02 < rob0> The server will use the address to which you are doing source NAT (SNAT or MASQUERADE in Linux).
11:02 < Night_Elf> rob0: I work in an isp and some customers of ours want have asked of the possibility so their sessions are randomised from a pool of 3 to 10 ip addresses. I have no clear idea why.
11:03 < Night_Elf> But yes, I will actually see to have this done with some iptables and source nat.
11:03 < Night_Elf> Thank you for the clarification. :)
11:05 < rob0> let's hope those customers aren't spammers or scammers :)
11:05 < rob0> but even if they are, 3-10 is a small pool, too small for snowshoe
11:08 < Night_Elf> rob0: I am with you in both asumptions. If they are scammers we probably will cut them off anyhow. If we do this definitely I would want to ask a bit more, or maybe keep an eye on how they use these connections for a week or two.
11:09 < rob0> good idea
11:10 < rob0> maybe if you can count what sort of ports they are hitting
11:11 < Night_Elf> yeap, indeed. With an eye on ports 25 and 465
11:12 < rob0> 465 is deprecated, 587 replaced it almost 20 years ago.  And those won't be readily abusable.  They might try brute force SASL AUTH attacks, though.
11:13 < rob0> Just as they might also try on IMAP or POP3; figuring that successful auth there will be usable for SMTP.
11:14 < Night_Elf> I hope not. But then yes I can't really know for sure. It's a bit tricky to tell these days.
11:14 < rob0> all you'd care about would be the number of new connections to different hosts.
11:15 < Night_Elf> Yet, old or obsolete the above, it's still good to keep an eye on them. Maybe it's script kiddies who have been reading results from google searches and now want to experiment. Heh.
11:15 < Night_Elf> You're right at that.
11:15 < rob0> a normal user of IMAP will send a bunch of packets back and forth, but few NEW connections and maybe only to 3-4 accounts
11:16 < rob0> but a slew of NEW connections to any SMTP port, 25, 465 or 587, is definitely suspicious.
11:16 < rob0> you could even rate limit those in your firewall :)
11:18 < Night_Elf> haha, yes. But as this is something we still don't have, I'll probably only watch the counters initially, and then if something like that indeed is what will happen, ratelimiting with new connections for every a certain amount of time is what I was thinking as well.
11:19 < rob0> that's just to slow the spoilage of your IP reputation.  If they really are spamming, they need the boot.
11:19 < Night_Elf> And I'll need to read some iptables manual pages too. Oh well.
11:20 < Night_Elf> I know. But sales have proven kind of... slow, here. :D
11:21 < Night_Elf> they take the decision on what to do. We can encorage and provide proof though.
11:22 < rob0> spamming customers' money does not help the bottom line.  It hurts.
13:12 < pdobrogost> Good evening all!
13:13 < pdobrogost> Has anyone tried to use networkd with openvpn's interface?
13:13 < pdobrogost> In log I see "--ifconfig/up options modified" but ip addr shows openvpn's tun interface has no ip4 address. However, setting it manually with ip addr add after tunnel is up succeeds. Why?
13:42 < ghost75> https://community.openvpn.net/openvpn/wiki/265-how-do-i-enable-ip-forwarding <- is this all needed on debian linux?
13:42 <@vpnHelper> Title: 265-how-do-i-enable-ip-forwarding – OpenVPN Community (at community.openvpn.net)
13:42 < ghost75> i forgot to enable ip forwarding but the server is still not forwarding anything :<
14:03 < julius> ive played around with link-mtu 1460 in both client and server config, looks like it breaks my setup. i can search in the firefox google input field. but whatever google result i click on...it takes forever (16s) last check for a page to load
14:04 < julius> back to a config without that parameter and it works fine....why does it break so horrible?
14:10 < zoredache> !xca
14:10 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa., or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
14:10 -!- Captain_Beezay is now known as Kovter
14:34 < ghost75> julius: https://openvpn.net/index.php/open-source/faq/77-server/271-i-can-ping-through-the-tunnel-but-any-real-work-causes-it-to-lock-up-is-this-an-mtu-problem.html
14:34 <@vpnHelper> Title: I can ping through the tunnel, but any real work causes it to lock up. Is this an MTU problem? (at openvpn.net)
15:01 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 260 seconds]
15:07 -!- mode/#openvpn [+o rob0] by ChanServ
15:07 < julius> ghost75, thanks...still i would like to know why this completely destroys connectivity
15:08 < ghost75> i just learned this hard way https://secure-computing.net/wiki/index.php/Graph
15:08 <@vpnHelper> Title: Graph - Secure Computing Wiki (at secure-computing.net)
15:08 < julius> ghost75, yes that is all that is needed to enable forwarding
15:09 < ghost75> a route is needed on gateway
15:09 < julius> true
15:09 < julius> well, the machine itself of course needs a route to reach the internet
15:09 <@rob0> there you go, yw Guest94295
15:09 <@rob0> but DO get an account before you try to come back again
15:10 < ghost75> the vpn client had the route
15:10 < julius> what was your scenario again ghost?
15:11 < ghost75> nothing special, openvpn not on gateway
15:11 <@rob0> ghost75, it's impossible to say what the problem is without some information
15:11 < ghost75> problem was i could reach only vpn server from vpn client
15:11 < pdobrogost> What is the reason I get "RTNETLINK answers: Network is unreachable" when openvpn client calls ip route add? This happens only from time to time.
15:11 <@rob0> indeed you must activate IP forwarding before any forwarding is done
15:12 < ghost75> ip forwarding was active but still not working
15:12 < ghost75> then i did this and was good https://community.openvpn.net/openvpn/wiki/NatHack
15:12 <@vpnHelper> Title: NatHack – OpenVPN Community (at community.openvpn.net)
15:12 < pdobrogost> I guess this might be because openvpn is unable to set ip on its interface in the first place...
15:13 -!- mode/#openvpn [+e *!*@87.19.254.216] by rob0
15:13 < Guest94295> Hi guys, after configuring openvpn I run ./build-ca and get this output
15:13 < Guest94295> error on line 145 of /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
15:13 < Guest94295> 139635643471512:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:584:line 145
15:13 < pdobrogost> And this might be because I put openvpn's interface under networkd in turn.
15:13 < pdobrogost> Not sure. Would like to hear from someone using networkd
15:14 < `yo> hello, is it possible to fix this from config file ?
15:14 < `yo> WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
15:14 < Guest94295> I uncommented and changed to AES-256 already
15:15 < julius> ghost75, openvpn not on gateway could mean a lot
15:15 <@rob0> !sweet32
15:15 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
15:15 < ghost75> not installed on gateway
15:15 <@rob0> yo, looks like the error message tells you exactly what to do.
15:15 < julius> ghost75, maybe you could take paper and pen and draw us your network setup.....a photo from the drawing can be uploaded to postimage.org
15:15 < julius> its worth your time
15:16 < ghost75> is really not that complicated setup
15:16 < ghost75> just a box in lan with openvpn server
15:16 <@rob0> and you want to access the LAN from clients?  No redirection?
15:17 <@rob0> See, the topic says you should tell us:
15:17 <@rob0> !goal
15:17 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:18 <@rob0> !serverlan
15:18 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
15:18 < julius> ghost75, yeah...its not complicated because your sitting in front of it. "just a box in lan with openvpn server " could mean a) client and server are in the same lan or b) they are not
15:18 < ghost75> b)
15:18 < Guest94295> rob0 the #145 line is commonName_default = $ENV::KEY_CN
15:18 < Guest94295> idk what to do
15:18 < ghost75> vpn server - gateway - internet - gateway - vpn client
15:19 < Guest94295> it's for a server
15:19 < julius> ok
15:20 < julius> ah wait, its already working
15:21 < Guest94295> rob0: is this because I left KEY_COUNTRY and stuff blank? Like ""
15:24 < julius> Guest94295, i would try adding random data there for testing
15:25 < julius> rob0, even if you have all the routes setup....isnt: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE    always needed on the server if you want your cleints to be able to reach the internet over it?
15:26 < julius> when using redirect-gateway
15:26 <@rob0> I don't use easyrsa, but I know the commonName_default is not important, it is merely what openssl offers to you as the commonName
15:27 < Guest94295> julius· I did it. Didn't work
15:27 < julius> says here: https://community.openvpn.net/openvpn/wiki/NatHack      that is a "hack"
15:27 <@vpnHelper> Title: NatHack – OpenVPN Community (at community.openvpn.net)
15:27 < Guest94295> I followed this guide
15:27 < Guest94295> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8
15:27 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Debian 8 | DigitalOcean (at www.digitalocean.com)
15:27 <@rob0> I'd probably use SNAT, not MASQ, but indeed, for RFC1918 addresses to reach the Internet, they need a form of source NAT at the external router.
15:27 < julius> Guest94295, sorry...im just a user as yourself
15:28 < Guest94295> except I changed IPs from OpenDNS to DNSCrypt.eu servers and block cipher from Bloefish to aes256
15:29 < julius> paste the error
15:29 < julius> but i really have to go...so tired
15:30 < Guest94295> error on line 145 of /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
15:30 < Guest94295> 140286279906968:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:584:line 145
15:49 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
15:49 -!- mode/#openvpn [+o syzzer] by ChanServ
15:54 -!- Vampire0_ is now known as Vampire0
16:42 < brendlefly62> !welcome
16:42 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
16:42 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
16:42 <@vpnHelper> you
16:51 < brendlefly62> !goal
16:51 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:00 < brendlefly62> !goal I want to access the subnets behind the server and have "seamless" nameservice and dhcp support for my machines on both sides of the server
17:00 < KNERD> My goal is to get the OpenVPN client on DD-WRT to allow the clients connected to the router to connect to VPN clients outside the LAN. Anyone here have knowledge with that? The DD-WRT channel is dead
17:03 < brendlefly62> GOAL: I would like to access the subnets behind the server (my home network) from "external" locations and have "seamless" nameservice and dhcp support for my machines on both sides of the server
17:04 < brendlefly62> !ask
17:04 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
17:05 < KNERD> yes, and I asked
17:18 < KNERD> brendlefly62: oh, that is easy
17:19 < KNERD> add this to the server conf   topology subnet
17:20 <@dazo> !dd-wrt
17:20 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN, or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783, or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536, or (#4) And the
17:20 <@vpnHelper> security focus still seems to need improvements: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=279467 (hint: dd-wrt company does not do this effort + no reference to any security fixes)
17:20 < brendlefly62> !topology
17:20 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
17:20 <@dazo> !serverlan
17:20 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
17:21 < KNERD> no serverlan here
17:21 <@dazo> brendlefly62 needs !serverlan
17:21 < KNERD> oh
17:22 < brendlefly62> !serverlan
17:22 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
17:22 <@dazo> brendlefly62: but I would strongly recommend *against* dhcp over VPN (that implies briding + TAP, which is a rats nest) ... rather let OpenVPN provide an IP address for a VPN subnet ... and do normal standard routing
17:22 <@dazo> !howto
17:22 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
17:23 <@dazo> brendlefly62: #3 ^^^  that should get you started on most common details
17:23 <@rob0> yes, ditto, why do you think you want DHCP over VPN?
17:24 < brendlefly62> dazo: I want to have seamless nameservice on both sides of the server (e.g. clients "outside" to be able to refer to other machines "inside" by name rather than by ip)
17:25 <@rob0> That's easy,
17:25 <@dazo> brendlefly62: that's resolved by pushing DNS server IP address to your clients .... for window/osx clients that should normally work out-of-the-box, same for Linux with OpenVPN started via NetworkManager
17:25 <@rob0> !dnsmasq
17:25 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
17:25 <@dazo> brendlefly62: otherwise, linux clients needs help from an --up script to update /etc/resolv.conf
17:26 < KNERD> yeah... that dd'wrt helper hint is not useful in my case because I am using it as a client , not as a server. It seems all the guides I read just assume all clients connected to the router would just start being able to bing to the server, which I cannot
17:26 <@dazo> brendlefly62: or ... you can do what rob0 says (I would definitely trust him!), and look into split-dns with dnsmasq
17:26 <@rob0> KNERD, then yours is:
17:26 <@rob0> !clientlan
17:26 < KNERD> the router can ping to the VPN server, and all clients connected to the router can ping the router VPN address
17:26 <@dazo> KNERD: then you need clientlan
17:26 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
17:26 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
17:26 <@dazo> heh
17:26 < brendlefly62> I am running dnsmasq on the server, too.  My server conf does push dns and route...
17:27 < KNERD> dazo: ahh--thanks
17:27 <@rob0> brendlefly62, so get your nameservers to work together and leave resolv.conf alone
17:27 <@rob0> This assumes of course that you control routers on both sides of the tunnel.
17:28  * dazo need to get home now
17:28 < brendlefly62> @rob0: I control only my home router
17:28 <@dazo> but rob0 is a knowledgeable person
17:29 < KNERD> Handy flowchart...saws to fix the firewall
17:31 <@rob0> brendlefly62, if the dnsmasq on your end can query the nameserver on the other end, and you're not doing something silly like trying to use the same netblock or domain name on both sides, this might do what you need.
17:31 <@rob0> the other option is as dazo described, hacks to edit resolv.conf
17:34 < brendlefly62> @rob0: Thanks.  I have had to hack a script to run on vpn start to switch up resolv.conf on the client.  However, the server has no a priori knowledge of the location of the other end - it could be starbucks where I connect from my android phone and use ssh... or it could be my brother's house, where I use my laptop.
17:35 <@rob0> and you want to resolve names on YOUR end, don't care about brother or *$?
17:35 < brendlefly62> the resolv.conf fix gets me access to my name server, but it does not tell it about the client -- so other machines cant see the client by name
17:36 < brendlefly62> and client-to-client by name does not work
17:37 <@rob0> look at how I set up the Linux road warriors in my little readme
17:37 -!- Kovter is now known as Captain_Beezay
17:38 < brendlefly62> @rob0:  thanks - lots of info here for me to become more familiar with -- much appreciated
17:41 < brendlefly62> KNERD:  Thanks - I will also check out topology subnet, along with clientlan, serverlan, and rob0's readme (just a little homework, haha)
17:42 < KNERD> sure thing
17:50 < KNERD> yes...i found it for DD-WRT... clients connected to the router can not ping the VPN server -->  iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
17:51 < KNERD> typo.. CAN NOW PING
18:16 < brendlefly62> @dazo: Thanks for your pointers, too.  I'll definitely check those resources out.
22:52 < nsgn> Hello folks. I've got a TAP tunnel between two sites, both on 500+mbps fiber. Both ends hosted by dedicated Xeon servers of recent breed. I'm suffering from severe asymmetry of throughput.
22:52 < nsgn> 40x400mbps
22:53 < nsgn> I'm positively stumped as to why this is the case.
22:53 < nsgn> Direct to internet speed tests on both sides net 500+mbps symmetric.
22:53 < nsgn> Pings remain low at all times direct to net as well as over this openvpn link, even when hitting the 40mbps
22:54 < nsgn> Struggling hard at the moment to comprehend why so off balance.
23:43 < nsgn> whoops, got kicked when i changed connections. Any ideas on the severe asymmetry I'm seeing on this tunnel?
--- Day changed Thu Mar 02 2017
03:22 < damongant> was tls-cipher removed or renamed?
03:22 < damongant> Options error: Unrecognized option or missing or extra parameter(s) in server/pi.conf:66: tls-cipher (2.4.0)
03:34 <@plaisthos> *extra paramter*
03:34 <@plaisthos> probably your problem
03:41 < damongant> tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
03:41 < damongant> I'm sure this used to work, hm
03:46 <@plaisthos> yeah :)yes
03:46 <@plaisthos> yes
03:46 <@plaisthos> older version ignored anything after the first argument
03:46 <@plaisthos> newer version actually complain
03:46 <@plaisthos> !tls-cipher
03:46 <@vpnHelper> "tls-cipher" is (#1) http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users, or (#2) To prevent the use of export ciphers or other insecure ciphers use tls-cipher DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA, or (#3) ECDH ciphers require OpenVPN 2.4+
03:47 <@plaisthos> and you shouldn't require a specific cipher suite unless you really know what you are doing
03:50 < pdobrogost> Hi guys!
03:51 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has quit [Quit: ZNC - http://znc.sourceforge.net]
03:51 < damongant> ah, I see, any specific reason I shouldn't pick a known-good cipher? (I got that one from https://community.openvpn.net/openvpn/wiki/Hardening I think?)
03:51 <@vpnHelper> Title: Hardening – OpenVPN Community (at community.openvpn.net)
03:51 < pdobrogost> Is there a way to have client use tun interface "as is" without setting any of its params like IP address?
03:52 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
03:52 -!- mode/#openvpn [+v hyper_ch] by ChanServ
05:04 < thinner> I have some issues with v2.4 and IPv6 disabled on the network interface. Using --proto udp causes a fatal error, which is reasonable. But it still doesn't work if I use --proto udp4. Any ideas?
09:23 < Pricey> Howdy! I upgraded a box from openwrt to lede, maintaining the old configuration. Since then half the time my server spams "TCP/UDP packet too large on write to" and no packets make it to the client. Random sequences of reconnects seem to fix it again until "next time". Hoping for some help?
09:27 <+hyper_ch> changing mtu size?
09:29 < Pricey> Just about to paste all versions/log, but server has gone from 2.3.6 to 2.4.0. Client remains https://github.com/schwabe/ics-openvpn, not sure what version it's based on.
09:30 < Pricey> hyper_ch: Which parameter/where would you suggest that?
09:30 <+hyper_ch> not even sure if that helps
09:31 < Pricey> I did try mssfix on the client, but that just lowered the maximum logged on the server...
09:31 <+hyper_ch> https://www.sonassi.com/help/magestack/setting-correct-mtu-for-openvpn
09:31 <@vpnHelper> Title: Setting correct MTU for OpenVPN | Magento Hosting by Sonassi (at www.sonassi.com)
09:31 < Pricey> Yep, that one.
09:33 <+hyper_ch> !logs
09:33 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
09:33 <+hyper_ch> !configs
09:33 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
09:37 < Pricey> Will do..
09:42 < Pricey> Here're the config from server & client: https://gist.github.com/PriceChild/f9f22a9c9168291a9eaa7803ffc482ef
09:42 <@vpnHelper> Title: client · GitHub (at gist.github.com)
09:46 < Pricey> Trying to grab a log... it's succeeding atm so trying to get it to fail.
09:50 -!- Vampire0_ is now known as Vampire0
09:53 < Pricey> I've added a sanitised verb 4 start & connect log to that gist now. Not in a failed state though annoyingly.
10:54 < SviMik> still having problem with tap/tun
10:54 < SviMik> with TAP I get downloading speed 17mbit/s, while TUN shows me 0.2mbit/s
10:54 < SviMik> wtf?
10:54 < SviMik> server is same, client is same, and the URL for speed testing is same
10:56 < SviMik> both configs use tcp
10:58 < SviMik> Wireshark shows a lot of Dup and Retransmissions on vpn interface when using TUN
10:59 < SviMik> but that's impossible to get any packet loss on vpn link, because the vpn transport is TCP
10:59 < SviMik> again, wtf?
11:21 < Pricey> It's just failed again and I've captured the log https://gist.github.com/PriceChild/f9f22a9c9168291a9eaa7803ffc482ef Slightly different circumstances for this failed connect but not sure if that's relevant. Annoyingly I have to disappear afk for a few hours.
11:21 <@vpnHelper> Title: client · GitHub (at gist.github.com)
11:39 < Pricey> "link-mtu 1601" - well that doesn't look right...
12:55 < SviMik> server 10.116.208.0 255.255.240.0
12:55 < SviMik> MULTI: bad source address from client [192.168.1.150], packet dropped
12:55 < SviMik> just... lol...what...HOW???
12:56 < SviMik> how it's even possible to get bad source address with TUN?
13:00 < Eugene> SviMik - easily with routing....
13:00 < SviMik> 192.168.1.150 is my home network IP, how it even leaked to VPN server log?
13:00 < Eugene> Pricey - "sanitised" = we're not going to bother reading what you changed
13:01 < Eugene> !configs
13:01 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:01 < Eugene> SviMik ^
13:01 < SviMik> argh... okay, okay
13:02 < Eugene> Also, Windows?
13:02 < SviMik> win client, centos server
13:03 < Eugene> Is .150 the client's IP?
13:03 < SviMik> yes. it's wifi interface IP
13:03 < Eugene> Tada
13:03 < SviMik> but not VPN interface IP
13:03 < Eugene> Windows is using that address for the source IP for some reason
13:03 < Eugene> Thats it
13:04 < Eugene> Why? Because Windows is dumb about source address selection
13:04 < Eugene> You can just ignore those messages
13:04 < SviMik> isn't it a security problem at least?
13:05 < Eugene> Not in any meaningful way
13:05 < SviMik> shouldn't openvpn fix the src address, at least in TUN setup?
13:06 < Eugene> Nope, its not openvpn's job to tell a program what source IP to choose, perform NAT, or make routing decisions
13:06 < Eugene> openvpn is a tunnel
13:06 -!- mode/#openvpn [+o ordex] by ChanServ
13:06 < SviMik> or maybe that shall be done by Windows TAP driver?
13:06 < Eugene> Nope, its a faux-ethernet driver
13:07 < Eugene> Turn down your log verbosity and stop worrying
13:07 < SviMik> okay... then I'm back where I started
13:07 -ChanServ:#openvpn- ecrist set flags +AOefiorstv on ordex
13:08 < Eugene> <SviMik> but that's impossible to get any packet loss on vpn link, because the vpn transport is TCP
13:08 < Eugene> This is wrong. Using tcp for the transport makes packet loss WORSE
13:08 < Eugene> !tcp
13:08 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
13:08 < SviMik> >Sometimes you cannot avoid tunneling over tcp
13:08 < SviMik> ^ this
13:09 < Eugene> I don't know what would cause a difference in speed like you're describing between tun vs tap, but I suspect you're doing something wrong in your configs(which I still don't see)
13:09 < SviMik> so, lets move straight to the next part...
13:11 <@ecrist> SviMik: were you able to reproduce?
13:12 < SviMik> Eugene what do you expect to find there? I can paste the configs, but I'm pretty sure there is nothing that can make that kind of trouble. Usually openvpn either works or not
13:12 < Eugene> !secret
13:12 <@vpnHelper> "secret" is (#1) funny that people use free programs, consult free help for them, run a business with them, but are restricted to say what they do., or (#2) See also !topsecret
13:12 < Eugene> !topsecret
13:12 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust., or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
13:13 <@ecrist> I don't understand the "help me fix my problem," "no you can't see my configs" attitude
13:13 < Eugene> Me neither, that's why I stopped caring
13:13 < Eugene> You get what you pay for with free support, etc
13:15 < SviMik> ecrist yes, I'm reproducing it 3 days already. but with one server only, can't reproduce with other servers though
13:15 < SviMik> even if all servers use the same config
13:15 <@ecrist> ok, you'll either need to share configuration and logs, or go somewhere else.
13:18 < SviMik> okay. that's not a !secret of course, some people are just lazy to do that, especially if they are 100% sure the problem isn't there
13:18 < SviMik> but if you insist you need to see that...
13:19 <@ecrist> SviMik: do you have any idea how many people come in here and exclaim "i'm 100% sure it's not XYZ" and when they FINALLY BEGRUDGINGLY show us their configs and logs, it turns out to exactly be XYZ
13:21 < vectr0n> whats openvpn's standpoint on still using SHA1 for auth algo?
13:21 < Eugene> !sha1
13:21 < Eugene> Dangit, twice now
13:21 < vectr0n> lol
13:21 <+hyper_ch> sha1 doens't exist anymore in openvpn - it seems
13:21 < Eugene> Its used for the --auth alg
13:21 < vectr0n> ^
13:22 < Eugene> But thats fine and not even close to susceptible to the google-style attack
13:22 < SviMik> ecrist I'll pay you 20$ if you find something in my config that straightly caused the problem described. no kidding. now give me some time to grab and paste everything...
13:22 < Eugene> Producing a single SHA1 collision under those specific circumstances(attacking just `sha1sum`) takes a lot of electricity($$$)
13:22 < vectr0n> Eugene, oh i know im just curious what their standpoint is on it.. not yours.. sorry :)
13:22 < Eugene> Doing it live, multiple packets per second, while MITMing, is not feasible
13:23 < Eugene> But yes, you should use a stronger hash
13:23 < Eugene> !hardening
13:23 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
13:23 < Eugene> It is not a good idea to use SHA1 for the x509 certs, but that isn't openvpn's problem either
13:24 < Eugene> And it is still impossible to recover plaintext from a SHA1 hash
13:24 < Eugene> If you want an official statement then #openvpn-devel or the mailing list is a better place to ask
13:24 < Eugene> But seriously, the sky is not falling
13:25 < vectr0n> im well aware of how it all works, i dont need you to explain something i already know, as mentioned i was looking for openvpn's standpoint on the topic not a random user in #openvpn, ty tho
13:25 <+hyper_ch> Eugene: seems you don't know Bruce Schneier ;)
13:25 -!- mode/#openvpn [+o Eugene] by ChanServ
13:25 <@Eugene> I am not a random user
13:26 <@Eugene> I am Eugene
13:26 <@Eugene> hyper_ch - Bruce is a smart guy, but often misses the big picture
13:26 < vectr0n> you arent openvpn either.. was looking for a statement/topic/post from ovpn.. again ty.. but no thx
13:26 <@Eugene> Cryptography is great and all, but rubber hoses still break it
13:26 < vectr0n> nothing is fool proof and never will be
13:27 <@Eugene> Especially not fools
13:27 < vectr0n> nothing is ever secure in 2017 either
13:27 < vectr0n> if someone wants something, they will find a way to get it
13:27 <@Eugene> Yup, and breaking the crypto is the dumb way to do it
13:27 < vectr0n> it is what it is
13:27 <@Eugene> !shotgun
13:27 <@vpnHelper> "shotgun" is (#1) the most effective form of physical security, or (#2) <hyper_ch> shotgun security? <EugeneKay> If you try to physically attack my network, I chase you with a shotgun.
13:27 < vectr0n> lol
13:28 <+hyper_ch> is that shotgun registered?
13:28 < DArqueBishop> !wrench
13:28 <@vpnHelper> "wrench" is https://xkcd.com/538/
13:29 <@Eugene> I don't own the shotgun referenced in that quote anymore. I live in Seattle nowadays and my apartment doesn't have room for a big safe
13:29 <@ecrist> vectr0n: we recommend you don't use SHA1
13:29 <@ecrist> and we are updating defaults in an upcoming version of OpenVPN to use a more secure hashing algorithm
13:29 <@ecrist> but, the sky isn't falling
13:30 <@ecrist> also, if you come into #openvpn, expect "random user" to reply.
13:30 < vectr0n> i dont use sha1, i was looking for the standpoint and have been told many times clearly.. got it.. altho dont care anymore it is what it is
13:30 <@Eugene> Cool story br0
13:31 < vectr0n> been using sha256 for awhile for auth algo ;)
13:31 < SviMik> Eugene ecrist Server configs: https://paste.ee/p/vZ8o2 https://paste.ee/p/N5fQD
13:31 < SviMik> (you may condemn the tap and bridging as long as you want -- just note that problem is with tun setup, ok?)
13:31 <@Eugene> ecrist - really, changing a default? I thought that was verboten, at least that's the reason I was given for not making subnet the default...
13:31 < SviMik> (and the tap works fast and with no problem on same machine)
13:32 <@ecrist> Eugene: the server side is going to negotiate at some point
13:32 <@ecrist> the code might already be in
13:32 <@Eugene> Will that work with old clients?
13:34 < SviMik> Eugene ecrist need the client configs too?
13:38 <@ecrist> why does tun server has tls-cipher DEFAULT and TAP config doesn't?
13:39 <@Eugene> Because its definitely not the configs that are the problem /s
13:40 < SviMik> ecrist I barely remember it. Perhaps, for mikrotik routers. Don't bother, I already made sure that's not the source of the problem by running the test without that line.
13:41 < SviMik> also I made sure that different lzo option is not the source of the problem too.
13:41 <@ecrist> I don't see your logs from client and server
13:41 <@ecrist> SviMik: but both of those things could potentially change performance
13:42 <@ecrist> also, why are you using TCP?
13:42 < SviMik> ecrist I tested them both separately and together, and made sure it is not.
13:43 < SviMik> ecrist 1) mikrotik can't UDP. 2) most proxy servers can't UDP.
13:43 < SviMik> we have some users with 1) or 2)
13:44 < SviMik> not my test case though. I'm testing from Windows and without proxies.
13:45 < SviMik> ecrist Client configs: https://paste.ee/p/Ui0RX https://paste.ee/p/KHg58
13:52 < SviMik> ecrist here is the TUN server log with max verb level: https://paste.ee/p/1gKua
13:54 < SviMik> ecrist I thought the "MULTI: bad source address" means something wrong, but Eugene said not to warry about it. Except that I can't see any anomalies
13:54 < SviMik> s/warry/worry
13:58 < SviMik> ecrist And the client log: https://paste.ee/p/25DzK
14:00 <@ecrist> SviMik: I need to see the entire log, from the client connection all the way to "initialization complete"
14:00 <@ecrist> on both ends
14:01 < SviMik> ecrist the client log is complete. for server, just a sec
14:06 < SviMik> ecrist the complete server log: https://paste.ee/p/X7wFi
14:11 <@ecrist> why is verb on client so low?  Can you turn that up?
14:12 < SviMik> ecrist level?
14:12 < SviMik> verb 4 is current
14:13 < SviMik> 5 just adds the WrWr as I remember
14:13 < SviMik> ecrist need that?
14:13 <@ecrist> no
14:18 < SviMik> the same config template is used on all servers, but the problem appeared on one server only. that's why I *guess* the problem is not the config itself
14:18 <@ecrist> sure, and I don't see anything other than what I've already pointed out
14:18 <@ecrist> could be some rate limiting with the provider on that link?
14:18 < SviMik> I have also tried to swap the ports to make sure the ISP is not tampering with 995
14:19 < SviMik> and looks like it's not, the TUN setup still barely works
14:21 < SviMik> (I could start whistling the X-Files theme if wasn't so tired already...)
14:23 < SviMik> ecrist If I, say, give you the client configs, could you test on your machine?
14:24 <@ecrist> try a new server at that location?
14:26 < SviMik> ecrist by location you mean same datacenter, or same city?
14:36 <@ecrist> same datacenter
14:36 < SviMik> ecrist I have tried another server in the same city but different datacenter, the tun and tap speeds are almost equal
14:38 < SviMik> ecrist don't have other servers in that datacenter... :(
14:38 <@ecrist> at this point - blame the data center and move on. :)
14:39 < SviMik> but I need some proof... and I can't get any
14:40 < SviMik> ecrist I can't blame it especially since the port swapping didn't help...
14:41 < SviMik> probably I can try just to reinstall the server to make sure it is not a software fault
14:48 < SviMik> TAP: http://www.speedtest.net/result/6097537357.png
14:48 < SviMik> TUN: http://www.speedtest.net/result/6097545171.png
15:38 < Pricey> Eugene: oh, should i keep my private keys in there? ;-)
15:45 < pdobrogost> Hi guys!
15:46 < pdobrogost> As I was unable to get OpenVPN interface working I posted question "IP address removed from network interface managed by systemd-networkd" (http://unix.stackexchange.com/q/348766/5355).
15:46 <@vpnHelper> Title: openvpn - IP address removed from network interface managed by systemd-networkd - Unix & Linux Stack Exchange (at unix.stackexchange.com)
16:13 <@Eugene> What distribution is that? Looks more like a systemd issue to me....
17:28 < tpw_rules> hello all. i cannot get openvpn to talk through my socks5 proxy
17:29 < tpw_rules> the proxy works fine in firefox, but i get like "WARNING: Bad encapsulated packet length from peer (47872), which must be > 0 and <= 1500 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]"
17:29 < tpw_rules> and the connection never succeeeds
17:30 < tpw_rules> i'm using TCP mode
18:20 < arha> i have an openvpn server and on the same machine i have a bridge that i use to assign virtual IPs to lxcs
18:20 < arha> i'm not sure exactly what I'm doing wrong, but the same configuration which worked exactly the same before having the bridge, stopped working after adding it. I can accessthe lan, but NAT + masquerading to the internet does not work anymore
18:20 < arha> i updated iptables to do -i tun0 -o eth0 related, accept and the otherway round
18:22 < arha> and also have another rule that anything from -o tun0 -s 10.8.0.0/24 is masqueraded
18:23 < arha> as far s I can tell, accessing random sites by IP works; but DNS seems to fail
20:42 < kitsune1> openvpn-devel
20:45 < brokensyntax> Evening all.
--- Day changed Fri Mar 03 2017
01:00 < theraspberry> Hi, my linux openvpn client does not automatically override my /etc/resolv.conf to point to the DNS server though the tunnel
01:01 < theraspberry> I had this working on another host, but for the life of me cant find out or remember how I did it.
01:01 < theraspberry> I have resolvconf installed, I remember that was one of the points.
01:54 < pdobrogost> Eugene: It's fedora 25. Yes, it is basically systemd issue but as it surfaced while using OpenVPN I thought someone here might be interested or already witnessed such behavior.
06:15 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has quit [Quit: ZNC - http://znc.sourceforge.net]
06:19 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
06:19 -!- mode/#openvpn [+v hyper_ch] by ChanServ
09:06 < jasonwc> Hi， I hardened my OpenVPN install last night to enforce TLS 1.2 and ECDHE with AES-256-GCM used for the data channel.  All that worked but I ran into an issue attempting to use tls-crypt rather than tls-auth with the Android client.
09:07 < jasonwc> tls-crypt works fine between my Debian server running 2.4.0 and my Windows client running 2.4.0.  However, it does not work with the latest Android client.  I receive an error "TLS Error: tls-crypt unwrapping failed"
09:07 < jasonwc> I am forced to go back to tls-auth.  Is this simply a limitation of the Android client software?
09:11 <+hyper_ch> JasonO: what openvpn version is your android client using?
09:13 < jasonwc> oh, it looks rather old.  OpenVPN Connect 1.1.17 (build 76), build date is May 24, 2016
09:13 < jasonwc> but it should update automatically via google play
09:13 < jasonwc> it is the latest version on Google Play
09:17 <+hyper_ch> that's why, doesn't have tls-crypt yet
09:17 <+hyper_ch> same here
09:17 < jasonwc> Oddly, it claims to have AES-GCM support which was also added in 2.4
09:17 < jasonwc> for data channel encryption
09:19 < jasonwc> My logs show AES-256-GCM for data channel encryption and the latest TLS1.2 cipher suite with ECDHE, AES-256-GCM, and SHA384
09:20 < jasonwc> AES-GCM for data channel and ECDHE are new to 2.4, aren't they?
09:20 < jasonwc> From changelog:"Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client's IP address changes (Peer-ID). Also, the new --tls-crypt feature can be used to increase
09:20 < jasonwc> users' connection privacy."
10:12 < jasonwc> OpenVPN seems to reconnect much faster now (upgraded from 2.3.2 from Debian stable to 2.4.0 in backports). Is it due to some kind of TLS session resumption?
11:05 <@dazo> jasonwc: lots of the socket code have been revamped and the reconnect stuff is simplified, and now using the same reconnect mechanism across normal, socks and http proxy connection methods ... in particular this also covers setting time-out settings and other related options
11:43 -!- plai [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
11:43 -!- mode/#openvpn [+o plai] by ChanServ
11:45 -!- Netsplit *.net <-> *.split quits: @plaisthos
11:45 -!- nitdega_ is now known as nitdega
11:46 -!- bandroidx_ is now known as bandroidx
11:50 < jasonwc> @dazo  Thanks for the info
17:17 < Zilon> !welcome
17:17 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
17:17 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
17:18 < Zilon> !goal
17:18 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:19 < Zilon> !ask
17:19 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
17:20 < Zilon> !route
17:20 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
17:20 < Zilon> !howto
17:20 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
17:21 < Zilon> !1925
17:21 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
17:21 < Zilon> !tap
17:21 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the protocol
17:21 <@vpnHelper> uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
--- Day changed Sat Mar 04 2017
01:43 -!- Ekho- is now known as Ekho
02:02 -!- F2Knight is now known as F2Knight[away]
03:23 < mrpops2ko> 'Recursive routing detected, drop tun packet to xxxx'
03:23 < mrpops2ko> what issue is it detecting? that packets are wanting to go to a gateway? whats wrong with that?
07:06 < n-st> hi, i'm trying to route traffic to a certain ipv6 subnet through a tunnel, but it isn't getting through…
07:07 < n-st> specifically, i want to ping CLIENT's dummy0 interface from SERVER: https://paste.debian.net/hidden/b15c0e4f/
07:07 < n-st> tcpdump shows the icmp6 packets going into tun0 on SERVER, but another tcpdump on CLIENT doesn't show them coming out
07:08 < n-st> oddly, the other way around works: when i ping SERVER's ens32 address from CLIENT (notice the route for that ip), i even get replies to the ping
07:38 < wingnut> hi, is it possible to create a network bridge with wireless+TAP ?
07:44 < wingnut> on windows 7
09:48 < brokensyntax> Hey all, I'm setting up a laptop on Ubuntu 16.04 and I'm having some trouble getting the DNS options work work. Anyone setup a client to use a particular DNS when it makes a tunnel on the current version of Ubuntu?
10:22 <@rob0> there are lots of ways to kludge DNS solutions.  Some people use hacks like resolvconf.  I used dnsmasq,
10:22 <@rob0> !dnsmasq
10:22 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
10:23 <@rob0> Works great with Linux road warriors.
10:25 < brokensyntax> Thanks rob0
10:27 < brokensyntax> I just know the old dhcp-option DNS a.b.c.d didn't want to work even with the up/down commands in the client config, so I'll look at how to do it with dnsmasq :D
11:01 <@rob0> That dhcp-option is Windows-only, because the Windows DHCP client is providing service to a non-DHCP-capable interface.
11:02 <@rob0> Other OS' DHCP clients are not pretending that a tun interface can do DHCP.
11:05 < wingnut> Hi, has anybody ever created a network bridge with WiFi+TAP ?
11:06 <@rob0> wingnut, your question was about Windows, and there's probably no reason why you can't bridge them.  BUT:
11:07 <@rob0> 1. Bridging is usually a bad idea; and
11:07 <@rob0> 2. You are not likely to find Windows help here (or anywhere, I bet.)
11:09 < wingnut> rob0: hi, yes i know it is about windows .. but i figure somebody here may have tried it .. personally my W7Hope will not allow me to bridge the wifi but I have found a util which may help
11:11 < wingnut> I'm gonna try this: https://sourceforge.net/projects/networkbridgingutility/files/latest/download
11:22 -!- F2Knight[away] is now known as F2Knight
12:38 -!- F2Knight is now known as F2Knight[away]
13:53 < tammy_> re removed my default gateway and added one through my tunnel using route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.8.0.5 When I do this this new route gets created and it's sketching my out: tor3.malwr.org <my local gateway ip> 255.255.255.255 UGH 0 0 0 eth0
13:55 < tpw_rules> on my 16.04LTS server openvpn doesn't start correctly on boot. its service is enabled with my config and it starts great when i do systemctl start after boot has finished. here are the logs: http://pastebin.com/tDHKnUS7 top is after boot, bottom is after running "systemctl start openvpn@server-tcp"
14:33 < wingnut> tpw_rules: requires=network-online.target
14:35 < tpw_rules> wingnut: ah that did it. thank you
15:06 -!- F2Knight[away] is now known as F2Knight
15:15 -!- JasonO- is now known as JasonO
15:15 -!- rax-Y is now known as rax-
15:16 -!- DrCode_ is now known as DrCode
16:24 -!- F2Knight is now known as F2Knight[away]
17:43 -!- alexandre9099_ is now known as alexandre9099
19:08 < KaiForce> So I have about 30 OpenVPN servers, and historically I created a PKI on each one.  I'd like to throw all that out, and use a central RootCA.  I have three questions:  is there any tool I can use to help me do this (I was going to script the creation of the client certs) and do I create the servers certs the same way I did before?  Third question:  do I have to copy the revoked list to all...
19:08 < KaiForce> ...the servers?
19:12 < wingnut> KaiForce: easyrsa3 no yes
19:14 < KaiForce> wingnut: ok thank you.  EasyRSA is what i've used, I have a good idea on how to script it.
19:14 < wingnut> use v3.x
19:14 < wingnut> Ieasyrsa
19:14 < wingnut> !easyrsa
19:14 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA, or (#4) Source checkouts available from the github project.
19:14 < wingnut> easy
19:20 < KaiForce> thank you sir (maam)
19:22 < wingnut> KaiForce: no problem :)
19:26 < KaiForce> When I set these up before, I didn't follow any standard so I have about thirty different configurations.  I updated the cipher on all of them the last few days and it became apparent that I'd be better off trashing what I have and starting over.
19:50 <@rob0> For simpler access control on a server than using a CRL, use a ccd and --ccd-exclusive with a filename of each valid commonName.
19:50 <@rob0> it can be empty if you don't need any client-specific settings.
20:14 < KaiForce> rob0: thanks, I don't think a CRL will be hard to manage, I can update everything whenever I issue a cert
20:15 <@rob0> sure, but it's nice IMO to have access control right there on the server, too
20:16 <@rob0> rather than having the delay of fetching a new CRL from the CA
--- Day changed Sun Mar 05 2017
01:18 < sunrunner20> is there a way to specify a secondary authentication in openVPN?
01:18 < sunrunner20> i'm not finding a google result for it
01:19 < sunrunner20> I want to use a duo 2fa radius proxy as primary, but if it can't connect to that, to fall back to the unproxy'd radius server
04:12 < skyroveRR> Why do you need secondary authentication?
05:00 -!- F2Knight[away] is now known as F2Knight
05:01 < daemon> sunrunner20, if you fallback to a non proxy then 2sa is useless
05:01 < daemon> may as well not be there atall
05:01 -!- F2Knight is now known as F2Knight[away]
08:29 < KaiForce> If I establish an OpenVPN connection, then remove all the files associated with that connection (keys, configuration, etc) will that connection stay up, or will it fail?  I'm replacing all the keys and configurations I have, and and I have one device that is behind a firewall that I won't be able to access except via the VPN link.
08:58 <@rob0> I think by "files associated" you might mean the client config, cert and key, and those files should never have been on the server in the first place.  If you remove them from the client I am not sure; the cert and key might be needed for periodic TLS renegotiation.
09:04 -!- Vercas_ is now known as Vercas
09:04 < n1md4> hi.  i have a pfsense box running an openvpn server, with dedicated nameserver specified.  problem is the client's are not picking up the nameservers.  any ideas here?
09:35 < KaiForce> rob0: by "files associated" I meant every file read by OpenVPN when it starts up.  ta, ccd, config, certs, etc.  I want to wipe them all, but continue to use the connection if possible.  Otherwise, I need to alter my plan to update that box on site.
09:52 < KaiForce> I'm trying it on a server/client machine here, guess I'll see what happens.
09:55 < KaiForce> n1md4: i've never pushed a nameserver - is that what you are trying to do?  One possibility is that the client doesn't have rights to modify the nameserver, but that's just a guess on my part
09:56 < n1md4> hm good point ... it is the nameserver that's leaking dns, but i was thinking gateways ... feels very client side in that case, and could be a permissions.  it's just set in network-manager, but appears to being ignored.
09:56 < KaiForce> If that were the case, maybe the client connection log would show the failure to update
10:14 < KaiForce> one other thing on DNS - dns won't keep trying servers until one knows about the host - if a DNS server responds, even with host unknown, the query attempt is over at that point.  Again, I'm not sure exactly what you are seeing, but something to be aware of
11:41 -!- F2Knight[away] is now known as F2Knight
12:15 -!- alexandre9099_ is now known as alexandre9099
12:58 < Manis> Hi. As soon as I connect to more than one VPN at the same time I get a "Socket bind failed on local address [undef]: Address already in use" error. What could this be?
13:02 < mjt> can't you guess it yourself? :)
13:02 < Manis> Well I'm wondering which address it is referring to.
13:03 < mjt> the one which you specified :)
13:03 < Manis> ?
14:46 < sunrunner20>  daemon not a fallback if 2fa fails, fallback if first auth server fails to respond
14:52 < cornfeedhobo> hello
14:52 < cornfeedhobo> i'm running into something i haven't seen before
14:52 < cornfeedhobo> Cannot load CA certificate file .... (no entries were read)
14:55 -!- batrick_ is now known as batrick
15:15 < andrico> Yo
15:16 < andrico> is the website cert slightly old for everyone else?
15:16 -!- F2Knight is now known as F2Knight[away]
15:18 < cornfeedhobo> same here
15:20 < cornfeedhobo> well, this is stupid. these cert pairs are created by easyrsa
15:21 < cornfeedhobo> Whelp, in case anyone decides to come around:  I'm running CentOS 7, installed openvpn through epel, CA and server pair generated by easyrsa3
15:31 < cornfeedhobo> openvpn version 2.3.14
17:02 < cornfeedhobo> well, i have tried executing openvpn directly, as well as turning up the verbosity. nothing of value
18:41 -!- F2Knight[away] is now known as F2Knight
20:11 < sunrunner20> anybody around right now that can answer how to setup a secondary authentication server if the primary _does not respond_ not _primary sends an auth failure_
20:12 < sunrunner20> primary has 2fa, and i know going to secondary if it does an ordinary failure is moot
20:12 < sunrunner20> I'm' interested in "virtual machine hosting proxy has crashed"
20:13 < sunrunner20> and still haveing emergency login
21:26 -!- F2Knight is now known as F2Knight[away]
22:06 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has left #openvpn ["Konversation terminated!"]
23:04 -!- F2Knight[away] is now known as F2Knight
--- Day changed Mon Mar 06 2017
00:07 -!- F2Knight is now known as F2Knight[away]
00:27 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
00:27 -!- mode/#openvpn [+v hyper_ch] by ChanServ
02:32 < compsman> okay so is any ready to hellp to fix this udp problem?
02:50 < Celmor> I'm getting "TLS Error: cannot locate HMAC in incoming packet from [AF_INET]{client_ip:port}
02:57 < compsman> mac address?
03:31 < Celmor> nah, it seems to be because tls-auth is missing
03:45 < theraspberry> SSL cert expired *.openvpn.net
03:45 < theraspberry> Monday, March 6, 2017 at 5:22:38 AM
04:13 < Celmor> getting "TLS Error: TLS key negotiation failed...", "TLS Error: TLS handshake failed..." and  "SIGUSR1[soft,tls-error] received, client-instance restarting" https://i.imgur.com/SFcEBW2.png
04:14 < Celmor> anyone got any pointers where to start solving this?
04:23 < theraspberry> Celmor: looks like your self-signed cert isn't being validated by the client.
04:31 < Celmor> I have a ca.crt and a client.crt and both are specified in my ovpn file...
04:32 < Celmor> how can I manually verify the crt then?
04:42 < theraspberry> I'm not too good with this, but. CA is supposed to sign the client key, which then is validated when connecting to the server
04:44 < Celmor> thanks, founs my mistake
04:46 <+hyper_ch> typo?
04:46 < theraspberry> Celmor: awesome :D
04:51 < skamath> !serverlan
04:52 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
04:52 < skamath> !clientlan
04:52 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route
04:52 <@vpnHelper> for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
05:34 < mjt> btw, anyone tried to run openvpn with the same IP addresses "inside" and "outside" tunnels?
05:35 < mjt> so that only traffic between openvpn instances is not routed to the tun device
05:35 < mjt> (and related ICMP too)
05:56 -!- allizom1 is now known as allizom
06:07 < ke4nhw> I need a little help. I have had openvpn running on my centos 7 server for some time now, using a configuration file vpnsvr.conf. Today I copied that file to another file, ares-rt.service, and made changes (different port number, different subnet, different client config directory, and different log files. I tried starting it and it failed.
06:07 < ke4nhw> And just like that...
06:09 < ke4nhw> I didn't edit the damn interface from tun0 to tun1. Is there a way to setup a configuration file so that it will auto-increment for future reference, something like tun+ or tun(i) or something, or is it best to explicitly assign that in the config file?
06:22 <@plai> it should automatically if you don't specifiy anything explicit
06:22 <@plai> i personally use something tun-foo tun-bar
06:23 <@plai> to have the config name in my interfaces
06:44 -!- allizom1 is now known as allizom
07:00 < wingnut> The certificate for swupdate.openvpn.net expired on March 5, 2017.
07:13 <+hyper_ch> wingnut: I guess no Let's Encrypt with auto-renewal in effect there ;)
07:36 < Celmor> can I use relative paths in my .ovpn file? i.e. 'ca ".\\ca.crt"'
07:37 <+hyper_ch> yes... but is that a relativ path? it looks weird
07:37 <+hyper_ch> also you can integrated the cert directly into the config if you want
07:42 < Celmor> . stands for current dir, \ has to be escaped, so yeah, is a relative path but I get "Cannot load certificate file .\vel.csr"
07:43 < Celmor> if I now replace them with absolute dirs so it should find them, iirc there was a script or openvpn option to process the ovpn and replace these references with their contents (what you described)
07:43 < Celmor> how did that work exactly again?
07:45 < Angs> I am getting "VERIFY ERROR: depth=1, error=self signed certificate in certificate chain" error when my client tries to connect to the server https://paste.debian.net/918362/ I read on the net that issue is ca.crt at the server is not same as at the client side. I removed all the certificates on both server and client. then run ". ./vars; ./clean-all; ./build-ca; ./build-server-key server; ./build-dh;./build-key client;" I copy ca.crt; client.key; client.crt to
07:45 < Angs> the client, but I still get the same error. Here is my server.conf https://paste.debian.net/918365/ and client.conf https://paste.debian.net/918364/
07:46 < Angs> can anyone help me to understand what is wrong? spelling of the directories are correct on the .conf
07:47 < Angs> do I need to remove update-resolv-conf on both client and server side?
07:48 < Angs> I removed, it didn't help
07:59 < wingnut> Angs: you must also stop + start server + client to load new ca/cert/key
08:00 < Angs> wingnut, thanks it works now :)
08:00 <+hyper_ch> Celmor: I use this script to generate my conf files:  https://paste.simplylinux.ch/view/fa44a62b
08:00 < wingnut> lol
08:01 <+hyper_ch> as you can see, you just need tags  <ca>,,,,</ca> for example
08:01 <+hyper_ch> and key-direction 1 is important on clients
08:01 <+hyper_ch> on server it's     key-direction 0
08:02 <+hyper_ch> just adjust teh "template" part to your needs ;)
08:21 < Celmor> hyper_ch, already done but can't find unix2dos
08:23 <+hyper_ch> Celmor: not sure if you need that. That's just to convert linux line break to windows ones in case you want to use the config on windows (or openvpn connect in android).
08:23 <@rob0> most editors and GNU tr(1) can do that
08:23 < Celmor> I am on windows and using bash on windows
08:24 < Celmor> I tried apt-get install unix2dos
08:24 < Celmor> in linux subsystem / ubuntu for windows
08:25 <+hyper_ch> Celmor: oh... hmmm... if it's not avaialble, no idea... but it was just to show cou how to get certs and key inside the confige.... I just use it for autmation
08:25 <@rob0> nano(1) gives an option to save a text file as DOS text
08:25 <+hyper_ch> you could probably rewrite that to bash
08:25 <@rob0> or just paste into notepad, I suppose
08:25 <+hyper_ch> Celmor: the package is called dos2unix IIRC
08:25 <+hyper_ch> apt-cache search dos2unix
08:26 <+hyper_ch> or you could use sed to do the conversion
08:27 < Celmor> I can do the conversion with notepad++
08:27 <+hyper_ch> http://www.microhowto.info/howto/convert_the_line_endings_in_a_text_file_from_unix_to_dos_format.html         sed 's/$/\r/' < input.txt > output.txt
08:27 <+hyper_ch> with sed you can automate it
08:27 <@vpnHelper> Title: microHOWTO: Convert the line endings in a text file from UNIX to DOS format (at www.microhowto.info)
08:28 <+hyper_ch> or search for dos2unix package
08:28 < Celmor> if the script exits with no output and 0 exit code it was successfull, right?
08:28 <+hyper_ch> yes
08:28 <+hyper_ch> you can easily see if you have an according conf file
08:28 <+hyper_ch> I have that script in the keys folder of easyrsa
08:29 <+hyper_ch> and then just run it   ./autoMagic NAME
08:29 <+hyper_ch> where name is the name of the keyfile
08:31 <+hyper_ch> and adjust the template part to your desired config
08:32 -!- F2Knight[away] is now known as F2Knight
08:36 < Celmor> "Cannot load private key file [[INLINE]]" https://i.imgur.com/BVFT0ES.png
08:37 <+hyper_ch> do you have that file?
08:38 < Celmor> isn't it what is inline in that image (and which I partly covered)?
08:38 <+hyper_ch> where do you get that message?
08:40 < Celmor> http://pastebin.com/raw/dU25cubc
08:41 < Celmor> hmm "OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch"
08:42 <+hyper_ch> seems there's an different issue
08:42 < Celmor> seems like it's easier to generate a new configuration with new keys and such than trying to get an existing one working
08:53 < Celmor> getting syntax errors when executing .\clean-all from this guide https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide#CertificatesandKeys
08:53 < Celmor> http://pastebin.com/raw/5f8Hfe1D
08:55 <+hyper_ch> no idea
08:56 < Celmor> the windows guide is so broken...
08:56 < Celmor> getting "# WARNING: can't open config file: /etc/ssl/openssl.cnf" (which obviously is no windows path
08:56 < Celmor> !help
08:56 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
08:56 <+hyper_ch> s/guide//   fixed it for you :)
08:57 < Celmor> well, company I work for sells windows software so using windows is kinda a requirement
08:57 < Celmor> what's the best up-to date guide to create openvpn config/key pair etc.?
08:58 < Celmor> I can do it in linux too, as long as the guide works
08:59 <+hyper_ch> how about you run easyrsa from the linux subsystem
08:59 <+hyper_ch> only openssl wold need to be installed there I think
08:59 <+hyper_ch> https://community.openvpn.net/openvpn/wiki/EasyRSA3-Insecure-PKI
08:59 <+hyper_ch> or: https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
08:59 <+hyper_ch> depends if you want to create keys and csrs by your customers or not
09:00 <@rob0> I'd check to see if adequate entropy exists there; that's a common problem with virtual machines.
09:00 < sbraz> hyper_ch: looks like the cert for community.openvpn.net isn't properly set up, quite ironic
09:01 <+hyper_ch> sbraz: it has expired
09:01 <+hyper_ch> 13:58:43 wingnut  The certificate for swupdate.openvpn.net expired on March 5, 2017.
09:01 <+hyper_ch> 14:11:15 hyper_ch  wingnut: I guess no Let's Encrypt with auto-renewal in effect there ;)
09:01  * hyper_ch pokes dazo
09:07  * DArqueBishop chuckles.
09:20 < Celmor> I'll do the openvpn key creation stuff on my home pc
09:20 < Celmor> which has linux (non virtualized)
09:21 <+hyper_ch> linux <3
09:21 <+hyper_ch> can't you just ssh into your home pc?
09:21 < DArqueBishop> Celmor: that's generally the best policy. I use a Linux VM to generate my router's VPN certs and keys.
09:21 <@rob0> Sounds good.  Ideally a user generates his/her own key, but we can't expect that from non-techie people.
09:22 <+hyper_ch> DArqueBishop: and of course that vm is fully encryptred, right?
09:22 <@rob0> DArqueBishop, see above re: entropy.
09:22 <+hyper_ch> doesn't easyrsa use space noise for entropy?
09:24 < Celmor> I am ssh'ed into my home pc, currenly accessing this irc client via vnc which I use through an ssh tunnel
09:24 < DArqueBishop> hyper_ch: it is.
09:25 < DArqueBishop> rob0: I'd have to look into it. It's a VirtualBox VM running CentOS 7.
10:09 < KaiForce> comp-lzo:  I can't find any good resources on whether I should have this on or not.  My VPNs carry a little bit of A/D replication traffic, but the most important traffic is VOIP related.  Anyone know of any resources I can look at?  My proposed config is http://pastebin.com/KEMRXM7B - I'm rolling this out to 30 machines so I'd like to get it right the first time.
10:14 <@dazo> KaiForce: I'd recommend to have at least just have --compress (don't need any additional arguments).  If you decide later on to enable compression, then you can push this from CCD files on the server and don't need to touch client configs
10:14 <@dazo> --comp-lzo is deprecated in favour of the newer --compress algorithm
10:17 < KaiForce> Ok, thanks, I'll take a look.  My original PKI I set up for 10 years, and some of those certs expire in October.  I haven't changed much since I rolled it out, just added new clients / servers and upgraded software.  I'm taking a good look at this so I can have another 10 years of not doing anything with it :)
10:19 <@dazo> KaiForce: just noticed that --compress arrived first in v2.4 (I thought it was v2.3, but was wrong)
10:20 <@dazo> KaiForce: however, --comp-lzo no  should give the same effect as --compress without arguments
10:21 < KaiForce> ok, thanks dazo.  I'm on 2.3.12
10:22 <@dazo> you should at least try to get up to 2.3.14 ... and consider 2.4
10:23 < KaiForce> I'm on a Leaf distro, so I'll upgrade when it is available.
10:41 -!- F2Knight is now known as F2Knight[away]
10:58 < sunrunner20> If this sounds like a bad/moot idea, I'm explaining it poorly. I'd like openvpn to fail to a secondary radius server if the primary radius server does not reply within x seconds. Not 'use denied' but 'no response received'
10:59 < sunrunner20> Specifically, I've got a duo auth proxy setup for a third auth factor (user+key+duo) and would like just key+user if duo server is offline (my server, the proxy is already set to fail safe if duo is offline)
11:14 <@dazo> sunrunner20: that is something your radius authentication plug-in/module needs to take care of .... Very simplified, OpenVPN just calls the plug-in/module with the user provided credentials and waits for a "Pass" or "Fail" response
11:15 <@dazo> OpenVPN have no way to control how the authentication happens - which backends is used, etc; that is entirely up to the plug-in itself to handle
11:47 < bovis> I'm trying to set up a client/server connection between a linux/windows machine, respectively. Receiving this error when trying to connect: https://bpaste.net/show/d50b0675c129
11:47 < bovis> I suspect it may have something to do with my using the linux server also as the CA. But I have no way around that to test at the moment.
11:48 < bovis> Otherwise, I'm new, and stumped for how to proceed.
11:49 -!- F2Knight[away] is now known as F2Knight
12:22 <@rob0> It looks like you used the signing cert (the CA cert) as the client cert, maybe?
12:26 < bovis> rob0: I guess that's possible. This is my first go-around.
12:27 < bovis> They have entirely different names though, so I'm not sure how I would have made the mistake
12:33 < bovis> A fresh start may prove worthwhile.
13:33 < a1fa> hello - i have an openvpn server that is unable to push default gw - instead its pushing 0.0.0.0/0 dev tun0
13:33 < a1fa> i need to override this via client "route" "0.0.0.0" "128.0.0.0" "gateway" 1
13:34 < a1fa> but its complaning for 128.0.0.0 128.0.0.0
13:34 < a1fa> not sure if it is openvpn client or network manager
13:34 < Eugene> !redirect
13:34 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
13:34 < Eugene> !def1
13:34 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
13:34 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
13:35 < Eugene> 0.0.0.0/0 *is* the "default gateway" route - that's the whole IPV4 internet
13:35 < a1fa> Eugene: nods
13:35 < a1fa> except when its in your L2
13:35 < a1fa> i tried redirect-gateway def1 in openvpn client config
13:35 < a1fa> it didnt do anything
13:36 < a1fa> it didnt even create those two routes
13:36 < Eugene> I'm doubtful
13:36 < a1fa> i promise
13:36 < a1fa> not sure if network-manager-openvpn stripped it
13:37 < a1fa> my guess is it gets stripped on import
13:38 < Eugene> !networkmanager
13:38 < Eugene> !ubuntu
13:38 <@vpnHelper> "ubuntu" is dont use network manager to configure your vpns! get it working via commandline and then import to network manager if you want to use it.
13:38 < Eugene> :v
13:42 < a1fa> Eugene: it worked with manual invocation
13:42 < Eugene> That makes it a networkmanager problem
13:42 < a1fa> +1
13:42 < a1fa> !dns
13:42 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
13:42 < a1fa> !overrideDns
13:44 < a1fa> now i just need to over-ride client dns :)
13:44 < a1fa> because this vpn server is not providing anything
13:45 < a1fa> !dhcp-iotuib
13:45 < a1fa> !dhcp-option
13:50 <@dazo> Alesk13: which openvpn version?
13:50 <@dazo> oh ... networkmanager ....
13:51 <@dazo> Alesk13: sorry!  I meant a1fa
13:53 <@dazo> a1fa: in regards to networkmanager ... you should be able to tweak that by adding some settings to the configs in /etc/NetworkManager/ .... I don't recall those details though, but 'man NetworkManager.conf'  might give you some clues
13:54 < a1fa> dazo: gave up on it ;)
13:54 < a1fa> dont mind typing openvpn vpn.conf
13:54 < a1fa> just got another problem with DNS now
13:54 <@dazo> a1fa: which distro are you on?
13:54 < a1fa> connecting to vpn this way breaks DNS
13:55 < a1fa> ubuntu 16.10
13:55 < a1fa> dns is handled by -- ring ring -- networkmanager ;(
13:55 <@dazo> a1fa: if you're on openvpn v2.4 ... you can put your config into /etc/openvpn/client/ ... and then do:  systemctl start openvpn-client@vpn
13:55 <@dazo> (which looks for /etc/openvpn/client/vpn.conf)
13:55 < a1fa> coo
13:56 < a1fa> so -- network manager has a local dns server on 127.0.1.1
13:56 <@dazo> if you want to start openvpn automatically, just replace "start" with "enable"
13:56 < a1fa> when i connect to openvpn, i can no longer get to 127.0.1.1 ;)
13:56 <@dazo> !? ... odd
13:56 < a1fa> it makes sense because of 0.0.0.0/1
13:57 <@dazo> ahhh!  of course
13:57 < a1fa> hoping this wont be a problem for mac clients too
13:57 <@dazo> nope ... that is a typical ubuntu artefact, imo
13:58 < a1fa> speaking of macs - what client should i be using?
13:58 <@dazo> Tunnelblick is successfully used by many mac users
13:58 < a1fa> thats what i'm using at the moment
13:58 < a1fa> before i build an access server
13:59 <@dazo> (plus the maintainer pays attention to our mailing lists and we have a fairly good dialogue whenever things isn't working)
13:59 < a1fa> who builds the access server?
14:00 < a1fa> SNI would be a great feature ;)
14:06 <@dazo> what would be the benefit of SNI on openvpn?  I have heard a few saying that, but none have come up with a really good reason for it
14:06 <@dazo> (most have just been misguided misunderstandings)
14:07 < a1fa> only for the portal side - obscuring the portal from drive by attacks
14:08 <@dazo> a1fa: then you should look at adding --tls-auth or --tls-crypt ... then openvpn server drops all packets which does not pass the HMAC verification - which with UDP means the port looks like it is closed by drive-by attackers
14:08 <@dazo> ahh!  you mean in the access server webUI
14:08 < a1fa> yeah
14:09 <@dazo> okay, well, file a ticket on that through the customer portal ...
14:09 < a1fa> sounds good.. who do i contact on licensing?
14:09 <@dazo> but ... with that said ... you can probably hide the access server portal behind an nginx revers proxy with SNI enabled
14:10 < a1fa> dazo: thats the plan, but it breaks vpn over 443 :)
14:10 < a1fa> god forbid endusers have to type in :8443
14:10 < a1fa> always questions "why do we have to do :8443" - lol@endusers
14:10 <@dazo> meh
14:11 <@dazo> okay ... I obviously don't know enough about the access server :-)
14:12 < a1fa> speaking of AS - i got an aws sizing question - would this be a good place to ask
14:12 < DArqueBishop> a1fa: technically everything Access Server is offtopic here.
14:12 < DArqueBishop> !as
14:12 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
14:12 <@dazo> this channel is primarily for the community side of OpenVPN (the core openvpn) ... the access server is a closed source product built on top of the core OpenVPN
14:12 < a1fa> DArqueBishop: fair enough.. :)
14:12 < a1fa> i'll hop on over there - thank you all for the assistance
14:27 < a1fa> dazo: the default behavior with ca cert provided will prevent MITM?
14:28 < a1fa> but will allow MITM if another cert is signed by the same CA, right?
14:32 <@dazo> a1fa: that's correct, in regards to the openvpn server .... if the client certificate is not signed by the same CA the server have in it's --ca, then it is being rejected
14:32 < a1fa> most excellent :)
14:32 <@dazo> a1fa: same with the other way around ... the client will reject any servers which is not signed by the same CA the client have in its --ca
14:33 <@dazo> (which is why commercial (or letsencrypt) certificates MUST NOT be used with OpenVPN)
14:34 < a1fa> self signed all the way :)
14:34 <@dazo> :)
14:34 < a1fa> now if i could only find a way to self-manage otp ;)
14:34 <@dazo> and ... don't put the CA private key on a publicly available server .......
14:35 < a1fa> i was going to write a rails app to manage google oath tokens, and do ldap+oath over radius - but decided it just better to spend a few hundred a year and now worry about it
14:36 < a1fa> s/now/not/
14:54 < __rob> hello
14:55 < __rob> using openvpn-connect on android, and I want to connect via a socks5 proxy
14:55 < __rob> in the UI the only proxy option is for HTTp
14:55 < __rob> I have tried adding socks-proxy xxx.xxx.xxx.xxx port to the config file
14:55 < __rob> looking at the log on the android phone this doesn't seem to be respected
14:55 < __rob> if that is indeed the correct setting..
14:56 < __rob> the same setup works fine with the openvpn-gui on windows
16:34 -!- davimore_ is now known as davimore
--- Day changed Tue Mar 07 2017
02:17 < cbauer> it seems openssl on windows now requires "/etc/ssl/openssl.cnf", as I can't create such path on windows I can't do any of the rsa key generation stuff to use openvpn...
02:19 < pdobrogost> Hi all!
02:19 < cbauer> hi
02:19 < pdobrogost> How can I "simulate" openvpn server sending specific dhcp-option?
02:24 < cbauer> no idea
03:27 -!- F2Knight is now known as F2Knight[away]
03:58 < pdobrogost> In config file 'setenv foreign_option_X "dhcp-option some value"'
04:46 < cbauer> what are dh parameters (stored in a dh1024.pem file) for?
05:40 < Night_Elf> Hi all. Maybe this is a simple question, but I am stuck. I have setup a server, and I have also setup a client. I use linux for both, I can connect with the client to the server and all works. Now I want to test it by using a windows client.
05:41 < Night_Elf> The linux client uses the 3 files 'ca' 'cert' and 'key' with absoulte paths to them. I have come to understand that for the windows client, it is possible to combine the linux client config file and these other 3 files into one single .ovpn file. But How can I do that?
05:42 < Night_Elf> As I am testing I would want to use the exact files that the linux client has, as I know they work. But where can I read on how to combine them into one single .ovpn file ?
05:59 < donnib> Hi
06:00 < donnib> my home ISP has ipv6 and i have set it up at home, my work isp has no ipv6, i have an openvpn tunnel setup, can i get ipv6 at work thru my openvpn ?
06:14 <@dazo> cbauer: the dh1024.pem (which really should be as large as the private key, but that's a different story) is a large prime number which is sent to the client upon connection.  This is a crucial part of the key exchange process, where both sides derives a shared symmetric encryption key through the Diffie-Hellman algorithm  ... https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
06:14 <@vpnHelper> Title: Diffie–Hellman key exchange - Wikipedia (at en.wikipedia.org)
06:15 < rmbeer> hello
06:15 <@dazo> hi!
06:15 < rmbeer> i use this: https://www.gnutls.org/manual/html_node/Echo-server-with-X_002e509-authentication.html#Echo-server-with-X_002e509-authentication and https://www.gnutls.org/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html#Simple-client-example-with-X_002e509-certificate-support
06:15 <@vpnHelper> Title: GnuTLS 3.5.10: Echo server with X.509 authentication (at www.gnutls.org)
06:16 < rmbeer> how to make all files certificates? in internet only found the tutorial for make a 5 files: ca.crt, ca.key, ia.crt, ia.key and ia.crs. and now only need two file .pem for client.
06:17 < cbauer> dazo: so used after authentication via Public key cryptography for the session itself?
06:17 <@dazo> rmbeer: have a look at either Easy-RSA (part of the OpenVPN project) or XCA ... you need a CA tool to establish your own certificate management ... those two are fairly straight forward "packages" which does all the magic for you
06:18 < rmbeer> dazo, i use openssl for this, not is useful?
06:19 <@dazo> rmbeer: you generally need a CA key with a self-signed CA certificate (which is derived from the CA key).  Then you produce server and client keys and generate Certificate Signing Requests (CSR) - that is basically the private key's public key component with some meta data .... then the CA private key is used to sign the CSR, which results in an Certificate, which includes the meta data from the CSR plus information about whom signed the CSR
06:20 <@dazo> rmbeer: Easy-RSA uses openssl under the hood as well .... it is useful, but really cumbersome to use unless you have some experience with CA management - and even then it tends to be tricky to use
06:20 <@dazo> cbauer: the DH parameters is actually used as part of the PKI crypto
06:22 < rmbeer> dazo, hummm, i'm more familiar with openssl, can't use a script that have cumbersome.... also not found the scripts in the web site
06:23 <@dazo> rmbeer: https://github.com/OpenVPN/easy-rsa
06:23 <@vpnHelper> Title: GitHub - OpenVPN/easy-rsa: easy-rsa - Simple shell based CA utility (at github.com)
06:23 < rmbeer> dazo, then i need a CA from other site web? (download)
06:25 <@dazo> rmbeer: the CA certificate on one side must be from the same issuer as the remote side's certificate is signed by .... so if both sides is signed by the same CA, then you need the same CA certificate on both sides
06:26 <@dazo> rmbeer: also, the server/client components do not need access to anything else than CA certificate, server/client private key and certificate ... and the server is highly recommended to have a locally generated DH parameters file
06:27 <@dazo> (neither server nor client need access to any CA private keys, CSR files or any other related files ... the CA is completely "third party" to those)
06:28 < rmbeer> uh, then yes, with "third party" is a special site web dedicated to CA
06:29 < cbauer> does anyone here have experience with building/generating ca / key pairs on windows? this is my experience http://pastebin.com/raw/kahM9Xdp
06:31 <@dazo> rmbeer: I don't follow what you mean with "site dedicated to CA" ... the CA is in effect just a bunch of files, which ideally is off-line and inaccessible until you need to sign a new CSR
06:32 <@dazo> rmbeer: this can be provided as a service (like Comodo, Verisign, Letsencrypt) etc ... which in many cases may be appropriate (as their CA certificates are distributed in lots of OS and browsers) ... and in some cases, like OpenVPN, you should never use such a public CA service
06:33 <@dazo> cbauer: I don't have much of any Windows experience (last real experience was back around year 2000) ... but you might find XCA easier to use ... and we have a few templates available for XCA too
06:33 <@dazo> !xca
06:33 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa., or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
06:34 <@dazo> (click on the "Attachment" button ... and download the openvpn-template.xdb file ... open it with the XCA software)
06:46 < ghost75> do i need to put client cert also on openvpn server?
06:46 <@dazo> ghost75: nope ... the server needs server cert, key, ca cert and dh parameters
06:46 <@dazo> (--cert, --key, --ca and --dh)
06:46 < ghost75> thx
06:47 <@dazo> ghost75: the server only needs those 4 files ... nothing more ... all the other CA files should never be stored the VPN server at all
06:47 < ghost75> i am adding client certs because i think may be not good idea to rely only on pam authentication
06:48 <@dazo> using PAM + certificates does indeed provide one more authentication factor
06:48 <@dazo> so, yeah, that is generally a good idea to have
06:48 <@dazo> but also please consider to add --tls-auth (or if all your clients can be v2.4 or later, --tls-crypt)
06:49 < ghost75> is it ok to use duplicate-cn option?
06:49 <@dazo> for some it is perfectly fine ... for others it's a no-no .... depends on the security regime you have
06:49 < tx> if you are using a common certificate, that's what you have enabled.
06:50 <@dazo> I personally do not use duplicate-cn ... and all my devices have separate certificates, despite I'm using the same username/password
06:50 < ghost75> saves time when generating client certs
06:50 < tx> We used the option until we started using an automated system for managing them with our staff.
06:50 <@dazo> that means if my cell phone is lost/stolen ... I can revoke only that certificate and only that device is blocked from connecting
06:51 < donnib> no ideas guys around my ipv6 question ?
06:51 <@dazo> ghost75: it saves time right now .... but later on, when you need to renew or revoke, it causes more work
06:51 <@dazo> donnib: yes you can
06:52 < ghost75> i am using easy-rsa to create certs, kind of work but ok...
06:52 <@dazo> donnib: '--redirect-gateway ipv6' ... look at that in the man page
06:53 <@dazo> !man
06:53 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
06:57 < rmbeer> dazo, i'm here in openvpn, but this seem more like a virtual machine... not for download any CA certs....
06:58 <@dazo> Night_Elf: don't use absolute paths ;-) ... that's one approach.  The other approach is to use inline files .... so --key become <key>[contents of the completekey file]</key> ... and the same for --cert, --ca, etc
06:58 < donnib> @dazo and that is enough for the client to get an ipv6 address ?
06:59 <@dazo> donnib: no, you need to configure IPv6 on the tunnel as well .... so allocate a subnet of you IPv6 range to the VPN ... and use --server-ipv6 $IPV6_SUBNET)
07:00 < donnib> @dazo i see, i got /48 range from my ISP
07:01 < donnib> @dazo and i run openvpn inside a edgemax ubiquiti router, how can i tell the router that this is for openvpn and the rest it can use ?
07:03 <@dazo> donnib: it's all about routing
07:04 <@dazo> when you use --server-ipv6 ... openvpn will setup an IPv6 route which routes all IPv6 packets within that subnet to its tun/tap adapter
07:05 <@dazo> but generally speaking, splitting up the /48 subnet into several /64 subnets is generally a good idea
07:05 < rmbeer> dazo, any other site web of CA free?
07:05 <@dazo> rmbeer: question yours parse do not
07:05 < rmbeer> ok :(
07:06 < cbauer> does this xca application automatically use a CA, sign certs and such or only create key pairs?
07:07 < cbauer> I opened the openvpn-template.xdb from the openvpn webpage but as I would first try to build a ca as per normal guide I couldn't find anything about it
07:08 < ghost75> server key files with chmod 600 and owner root when i use user openvpn in config?
07:11 < donnib> @dazo i just found this article https://community.openvpn.net/openvpn/wiki/IPv6 and it's stated "Recommended A routed IPv6 network block that will reach the host configured as the OpenVPN server" is that what i have when isp provides /48 prefix ?
07:11 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
07:11 <@dazo> cbauer: first you need to generate a CA key and a self-signed certificate.  Then you use this to create new certificates, and you choose your new CA to use for signing the certificates
07:13 <@dazo> donnib: yes, so the ISP routes the /48 subnet to your router .... then your router/firewall/VPN server can route smaller subnets (like /64) to different interfaces
07:13 <@dazo> so the VPN can have it's own /64 subnet inside the /48 subnet
07:13 <@dazo> your WLAN can have a different /64 subnet ... and if you have a DMZ, that can be a third /64
07:14 <@dazo> (and with a /48 subnet, you can divide that into 65536 /64 subnets)
07:14 < bendikz> Hi. Does OpenVPN Connect for iOS support latest OpenVPN 2.4?
07:14 < cbauer> so like this I take it? https://i.imgur.com/Q3uYLrp.png
07:15 < cbauer> while replacing only {NAME OF CA} I suppose
07:15 <@dazo> bendikz: it supports many features of OpenVPN 2.x .... but not all the new features of v2.4 (like --tls-crypt)
07:15 <@dazo> cbauer: correct
07:15 < donnib> @dazo got it so i just have to configure the router to take out a /64 for OpenVPN interface then i am in the "Recommended" setup
07:15 < bendikz> dazo, but for a pretty general installation of the server, it *should* work?
07:16 <@dazo> donnib: correct
07:16 <@dazo> bendikz: yes
07:16 <@dazo> bendikz: OpenVPN Connect (Android/iOS) is fairly feature complete with OpenVPN v2.3
07:16 < ghost75> is there any way to block users ticking the save password option?
07:16 <@dazo> (OpenVPN Connect uses the new OpenVPN 3 code base, which is a complete re-write)
07:17 <@dazo> ghost75: nope
07:17 < ghost75> oh :<
07:17 <@dazo> ghost75: well, you can implement 2FA authentication ... that would make the "save password" option useless
07:18 < donnib> @dazo: i am curios what does this mean "Warning operating netblocks smaller than /64 might break some network features." i mean a /64 is a huge bulk of addresses, why use such a big block
07:19 < cbauer> do I also need to "Generate a new key" when creating that CA? apparently it names it the same as I named the CA https://i.imgur.com/xkuGhDR.png
07:19 <@dazo> donnib: yeah /64 is large ... but /48 == /64 * 65536 .... so I wouldn't worry about that it's large
07:20 <@dazo> you have enough anyhow ;-)
07:20 < donnib> @dazo but i was more curios why the warning about "break some network features" which and why i don't understand.
07:21 <@dazo> donnib: on a more serious note ... there are people using /112 for VPNs ... but in general, using /64 avoids lots of possible obstacles in the longer run (even though that is probably more aimed towards physical networks, where you have stateless auto configuration and such, deriving IPv6 addresses out of MAC addresses)
07:21 <@dazo> if you use TAP (which we don't recommend anyhow), I would probably not go smaller than /64
07:22 < donnib> @dazo ok thx
07:22 <@dazo> that's because TAP operates on OSI Layer 2, where Ethernet frames are passed over the tunnel ... so the traffic routing also considers MAC addresses
07:23 <@dazo> TUN operates on L3 and only targets IP packets (that is IPv4 and IPv6), so there it is purely routed by IP addresses
08:39 < julius> hi
08:40 < julius> when using cipher none shouldnt i be able to see "traffic" that is not encrytped on ppp0 with tcpdump -i ppp0 ?
08:41 <@rob0> ppp0?
08:42 <@rob0> is that what carries your tunnel?
08:43 < julius> yes
08:43 < julius> its a dsl connection, ppp0 got a official ipv4 address
08:44 <@rob0> tcpdump is going to be able to see packets whether encrypted or not.  As for seeing into the payload, it's there, but tcpdump might not be able to make any sense of it.
08:44 < julius> ah ok
08:44 < julius> maybe wireshark?
08:45 < julius> wireshark says the packet type is: P_DATA_V2
08:46 <@rob0> I don't know, depends if they have built-in openvpn support, I guess, and I doubt that would be a much requested feature.
08:46 < julius> but still only displaying garbage when running: wget lala.de
08:47 < julius> i actually dont need to see the traffic, but i would like to match the ports with tc....from the communication in the vpn packets
08:48 <@rob0> if you sniff your tun interface, these sniffers will be able to understand the payloads
08:49 < julius> true
08:55 < ghost75> verify-x509-name xxx name
08:55 < ghost75> is this xxx as cn ?
09:04 < ghost75> ok working
09:33 < ghost75>  TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
09:34 < ghost75> i get this when using this on server/client
09:34 < ghost75> tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
10:13 < DArqueBishop> Stupid question: how do I "refresh" an expired CRL?
10:15 < rmbeer> the "certtool --generate-crl" need/use something configuration files?
10:15 < DArqueBishop> Let me rephrase.
10:15 < DArqueBishop> Stupid question: how do I "refresh" an expired CRL using easy-rsa?
10:16 < rmbeer> DArqueBishop, my question is more stupid that your! >:D
10:30 < aleph-TA> does anyone have an idea as to why my DNS would stop working around every 5 hours while using openvpn in a network namespace?
10:32 < MacGyver> Client getting DHCP update from a LAN DHCP server overriding DNS servers?
10:35 < aleph-TA> i'm not sure how to check if that's the case or why it would do that. on my router the DHCP leasetimes look longer than 5 hours
11:24 -!- F2Knight[away] is now known as F2Knight
11:24 -!- F2Knight is now known as F2Knight[away]
11:25 -!- F2Knight[away] is now known as F2Knight
11:43 <@rob0> DHCP clients usually renew at half the lease time.  Also, they usually log what they are doing and when they are doing it.
11:43 < skyroveRR> \o rob0
12:39 < sandspike3> Does utilizing user groups with subnet access controls require openvpn-as?
12:39 < sandspike3> Would like to utilize radius auth with framed-pool attribute to pass group membership info back to openvpn, which would match up the group and apply group subnet restrictions.
12:40 < sandspike3> I've looked at radius post auth scripts which looks like it would work. Are there options in openvpn community for user groups?
12:40 -!- Vampire0_ is now known as Vampire0
12:43 < ghost75> sandspike3: i saw that ldap plugin can utilize groups
12:47  * ghost75 wonders if openvpn is the only solution able to push routes to clients
13:30 < bovis> I have an openvpn connection working between a linux host and windows client. I can ping each side, and port 1194 is open on my firewall and router. A game I'm trying to play over the VPN appears to be listening on a different port (2300). Do I also need to open that port to multiplayer the game? At the moment, I can't make a connection between the two sides in the game.
13:39 < Celmor> does the argument for tls-cipher have to be the same exact same in the clients conf file as for the server?
13:40 < Celmor> it looks like an array, so I figure it should be enough to just "use" one in the clients config, righ?t
13:40 < aleph-TA> rob0: i see, looks pretty much on point from checking the syslog. do you have any suggestions for fixing the DNS issue? i have dns info in a resolv.conf for the namespace but i guess it ignores that when it breaks
13:44 < signo-> @Celmor, that should be fine
13:45 < signo-> Celmor ^^
13:59 < Celmor> I have 'tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA' in the servers config but tls-cipher is commented out in the clients config, would it choose something compatible automatically?
14:18 < Celmor> does it matter which dh.pem  ta.key I use or are they "bound" to some of the other files?
14:18 < Celmor> and if so, how do I verify them?
14:20 <@rob0> aleph-TA, you're wanting to resolve names and addresses inside the VPN, which are otherwise behind NAT?
14:20 <@rob0> If so, this is what I do:
14:20 <@rob0> !dnsmasq
14:20 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
14:21 <@rob0> I don't let resolv.conf change, just point it to "nameserver 127.0.0.1", and dnsmasq knows where to send queries based on the domain name.
14:27 < aleph-TA> thanks, i'll look into that when i have time later today
14:34 <@dazo> rob0: wireshark actually dissects the openvpn protocol fairly well these days
14:34 <@rob0> oh, okay.  So why couldn't he see what he was trying to see?
14:35 <@dazo> ghost75: don't play with --tls-cipher unless you know what you're doing .... that is a highly advanced option, where the defaults is absolutely reasonable these days
14:36 <@dazo> sandspike3: have a look at !eurephia ... that might be an alternative for you
14:36 <@dazo> sandspike3: for radius ... you need to do some additional hackery (which I don't know much about)
14:38 <@dazo> Celmor: --tls-cipher is an advanced feature ... unless you know how that impacts the SSL/TLS handshake, I recommend using the default value (if you are on a reasonable new openvpn release)
14:38 <@dazo> (the defaults there are more than reasonable enough)
14:38 < Celmor> thanks
14:38 < Celmor> does it matter which dh.pem and ta.key I use or are they "bound" to some of the other files?
14:40 <@rob0> I suppose "dh.pem" is the dhparam, but what is "ta.key"?  I can't tell what you are asking.
14:41 < Celmor> for tls-auth iirc
14:41 <@rob0> Each server/client has to have its own cert and the key that created the CSR.
14:42 <@rob0> In addition everyone needs to have the CA's cert, which signed the CSR to create the certs.
14:44 <@dazo> Celmor: the DH parameters should ideally only be as large as the server key.  There are nothing connecting that to any other files
14:45 <@dazo> Celmor: in regards to --tls-auth/--tls-cipher, the key used there must be identical on both all clients and servers ... but otherwise there are no ties to any other files
14:46 <@dazo> duh ... I meant --tls-crypt! (not --tls-cipher in this context)
14:47 < Celmor> how do I get the length of the server key? only ta.key has the length in bits in the header
14:47 < Celmor> server key looks longer than ta,key though
14:48 <@rob0> you didn't answer what ta.key is
14:48 <@dazo> ta.key is fixed at 2048 bits ... server key cannot be directly compared to ta.key; the container format is very different
14:48 < Celmor> --tls-auth
14:48 <@rob0> oh, so you did
14:48 <@dazo> Celmor: you can get an idea of the server key length by looking at the certificate .... openssl x509 -noout -text -in $CERT
14:49 < Celmor> and fo r the dh parameters?
14:49 <@dazo> you'll see a line fairly high up which says something like:  "Public-Key: (xxxx bit)"
14:50 <@dazo> that I've never tried to extract any info about .... there's no harm regenerating that file from time to time, so I've just done that instead
14:51 <@dazo> oh ... openssl dhparam -text -in dh.pem  ... that works!
14:51 < Celmor> openssl is buggy on windows for me
14:51 < Celmor> for generating stuff
14:52 <@dazo> so use a decent OS ;-)
14:53 < Celmor> that says 2048 bit for the dh.pem, the crt has 2048 bit written above the the public key
14:54 <@dazo> that's good!  as long as the dh param is at least the same size as the crt public key, then you are as safe as you can be on this area (until the next logjam, heartbleed, sweet32, etc, etc issue appears)
14:55 <@dazo> dh.pem should anyway be _at_least_ 2048 bits these days
14:56 < Celmor> what would happen if I were to use the same crt and key file for client and server? would openvpn complain or would it just be insecure but silent
14:56 <@rob0> no, don't.  Why would you want to?  What benefit is that?
14:56 < DArqueBishop> Hey dazo, got a stupid question for you. Using easy-rsa 2.x, how can one refresh the CRL file?
14:56 <@dazo> Celmor: hmm ... depends on your configuration ... it is not recommended at all
14:57 <@dazo> DArqueBishop: good question! I have no clue ;-)  I generally use XCA these days .... but have you tried just running the crl generation script once again?
14:58 < DArqueBishop> I suppose I could, but it requires a cert's common name to run, and I only have one revoked cert.
14:58 <@dazo> ahh
14:58 <@dazo> I see
14:58 <@dazo> just poking at those scripts now
14:58 < DArqueBishop> Then again, I suppose I could kill the crl.pem file now and rebuild it.
14:58 < Celmor> I know I shouldn;t just wondering if it could work
14:59 <@dazo> DArqueBishop: openssl ca -gencrl -out new-crl.pem -config $KEY_CONFIG   (presuming you have already sourced ./vars)
14:59 <@dazo> that should give a new CRL file named new-crl.pem
15:00 < Celmor> dazo, thanks for the help
15:00 <@dazo> Celmor: you're welcome!
15:02 < DArqueBishop> dazo: blah, it pukes because commonName_default is undefined in openssl-1.0.0.cnf.
15:04 < DArqueBishop> Ah, setting $KEY_CN fixed it.
15:04 < DArqueBishop> Thanks!
15:05 <@dazo> yw!
15:09 < sandspike3> dazo: thanks, hadn't seen eurephia before, although not sure it'll do what I need. Can you confirm if openvpn community supports local groups like openvpn-as does?
15:10 < sandspike3> then rules for groups
15:11 <@dazo> sandspike3: the standard openvpn community version cares nothing about user authentication beyond certificate based authentication ... for anything else, it needs plug-ins or scripts ... which OpenVPN AS adds and wraps up in a webUI
15:11 < ghost75> dazo: yes i stick back to default
15:11 <@dazo> (OpenVPN AS builds upon OpenVPN community edition ... and older release these days, but community regardless)
15:13 < sandspike3> dazo: hm, k thanks, that helps ... I have radius post auth scripts that are working with openvpn-as
15:14 < sandspike3> dazo: just not sure how to translate the 'groups' (and their associated subnet rules) that are defined in openvpn-as to openvpn-comm
15:14 < sandspike3> dazo: looked at the .db files in my -as , I see them defined in there, so it's a config value somehow. Just not seeing how they'd be defined in -comm
15:19 < sandspike3> dazo: http://pastebin.com/e5MWVRef
15:19 <@dazo> sandspike3: I haven't read the EULA for OpenVPN AS ... but it might be you break it by poking too much into those corners of AS ... OpenVPN AS is proprietary ... only the community OpenVPN is truly open source
15:20  * dazo generally knows nothing about AS though
15:20 < sandspike3> dazo: meh, config dump is normal backup procedure, plain text
15:27 <@dazo> fair enough ... I didn't know what you were doing or how :)
16:49 < Celmor> is there anything preventing me from running an openvpn server and connecting with a client on the same machine to it?
16:58 -!- mezgani is now known as p
16:58 -!- p is now known as p3rror
16:58 < Eugene> Nope, go for it. You'll surely break your routing table but it should connect
17:26 -!- mezgani is now known as p3rror
17:55 < Night_Elf> Hello all. I came across this topic and posts here. https://forums.openvpn.net/viewtopic.php?f=17&t=11220  They are regarding using one of multiple public ip addresses that are available at the server.
17:55 <@vpnHelper> Title: HOW TO: RANDOM IP CONNECT TO YOUR MULTI-IP OPENVPN SERVER - OpenVPN Support Forum (at forums.openvpn.net)
17:56 < Night_Elf> I can understand the logic of the cripts, but can someone tell me what is that variable "$ifconfig_pool_remote_ip" ? Where does it come from, how is it there at the IPTABLES rule ?
17:56 < Night_Elf> scripts*
18:14 < Celmor> I'm hosting an openvpn server on linux, a successfully conected client can only ping IPs from the local LAN of my PC
18:15 < Night_Elf> It seems that variable is passed to the scripts by the client-connect and client-disconnect directives, so google tells me.
18:19 < Night_Elf> Celmor: You mean some remote client, after connecting, can only ping the server itself and some other computers on your lan ?
18:21 < Night_Elf> Celmor: I'd think you have activated ip forwarding, but you lack an iptables masquerade rule.
18:25 < Celmor> I do have it
18:25 < Celmor> -A POSTROUTING -s 10.0.0.0/8 -o eth1 -j MASQUERADE
18:27 < Celmor> packets incoming on 10.8.0.1 from 10.8.0.6 get answered with "destination unreachable (port unreachable)" ICMP
18:27 < Night_Elf> Celmor: You might need to check the traceroute outputs from the remote clients.
18:27 < Night_Elf> And also see if some other firewall rule blocks it.
18:31 < Celmor> but "SENT CONTROL"/'PUSH_REPLY' and such is set up correctly then?
18:36 < Night_Elf> Celmor: I can't be sure. I am not that good in all this. I asked a question here myself earlier and am waiting as well. :)
18:38 < Celmor> the packets are really traversing my chains strangely
18:38 < Celmor> now I made pings work but other packets like DNS requests still don't get forwarded
18:39 < Night_Elf> Celmor: You could try to disable all chains and keep them simple at first, to get it working with a minimum.
18:39 < Night_Elf> I mean set all default policies to ACCEPT and then flush and expunge all, and activate masquerading manually, and see what happens.
18:43 < Night_Elf> Celmor: of course, if other funnctionality of that server depends on some firewalling rules, then you migh not want to reset all rules.
18:44 < Celmor> already reset them
18:45 < Celmor> http://ix.io/oNV
18:45 < Celmor> still doesn't work
18:47 < Celmor> http://ix.io/oNW
18:50 < Night_Elf> I can't be of much help at this point.
19:08 -!- F2Knight is now known as F2Knight[away]
19:27 < Celmor> tcpdump: https://ptpb.pw/iNyl
20:41 < aleph-TA> rob0: i'm taking a look at the dnsmasq info you sent earlier and i'm not fully sure it's what i'm wanting since i'm not well versed in networking. what i'm doing is running openvpn in a network namespace in order to isolate traffic in the namespace to the vpn while everything else just connects normally
20:46 < redlegion[m]> I like that "your problem is probably firewall" in the topic. I just had such an issue and managed to figure it out client side without access to the AP or firewall.
20:48 < redlegion[m]> I'm currently on a public network and was experiencing tons of disconnects. Switched from UDP to TCP; same issue. Then switched to port 443. No interruptions whatsoever. Sysadmins must universally assume TCP on port 443 is HTTPS traffic.
20:49 < Eugene> The RST packet comes from somewhere ;-)
20:49 < Eugene> It hasn't been as much of an issue recently(past few years), but we used to get a LOT of people who didn't understand that "cannot establish connection" means that your packets aint' getting through
20:49 < Eugene> And somehow blame openvpn rather than their firewall
20:49 < Eugene> ¯\_(ツ)_/¯
20:57 < redlegion[m]> OpenVPN is easily my favorite tool.
22:21 -!- F2Knight[away] is now known as F2Knight
22:54 < Hulio> hi guys
23:06 < Eugene> !ask
23:06 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
--- Day changed Wed Mar 08 2017
02:46 -!- F2Knight is now known as F2Knight[away]
03:05 < dionysus69> how do i regenerate same certificate? i know the name of the certificate
03:05 < dionysus69> HDD the client cert was installed on is lost, now I need cert with same name to use on different pc
03:15 <@danhunsaker> Use the normal certificate generation process with the existing name?  Revoking a cert doesn't revoke the name, just the specific cert.  You can use that same name on as many certs as you want/need.
03:18 < dionysus69> ok thanks :)
03:18 < dionysus69> I ll try that now
03:19 < dionysus69> danhunsaker: all it matters is that the filename and the common name are the same right?
03:20 < dionysus69> i just dont want to create a duplicate cert for 1 location
03:20 < dionysus69> plus I am extra careful because I have screwed up whole infrastructure in the past xD
03:20 <@danhunsaker> Filename only matters for the config to be able to find it.
03:20 < dionysus69> oh I see, so the the common name is the only unique identifier in this case
03:21 <@danhunsaker> As to CN, I'm not sure what all your system uses it for, but if you make it the same, the rest should fall in place, yes.
03:21 <@danhunsaker> Indeed.  Most use cases only care about the CN, or possibly the SAN.
03:22 <@danhunsaker> Though I haven't seen an OpenVPN setup that uses SANs.
03:24 < dionysus69> omg I got some error
03:24 < dionysus69> failed to update database txt_db error number 2
03:25 < dionysus69> could not find C:programfiles/openvpn/easy-rsa/keys/*.old
03:25 < dionysus69> am in trouble? and I havent deleted anything
03:28 <@danhunsaker> Does that folder exist?  Are there any `.old` files in it?
03:28 < dionysus69> no there are no old files
03:28 < dionysus69> in fact the cert I wanted created, was created
03:28 < dionysus69> as I know openvpn cares for index.txt file and uses it as db right? and it is there
03:29 < dionysus69> but I have no idea why it searched for .old, never seen that warning
03:41 <@danhunsaker> Did you generate this cert on the same machine that you generated teh old one on?
03:44 < dionysus69> yes of course
03:44 < dionysus69> btw, if I wanted to, I'd have to just move whole easy-rsa folder to different machine and it should work right?
04:11 < P4k3> Im pretty sure that message is normal?
04:50 -!- dionysus70 is now known as dionysus69
04:54 <@danhunsaker> My guess, then, is that it was expecting to find a copy of the previous version (since it had recorded issuing an earlier cert with that CN) in that folder, to run a check of some kind against it.  It doesn't sound like a fatal error, so much as a housekeeping one.
04:55 <@danhunsaker> And yes, moving the easy-rsa folder should move all the configuration and database files with it.
04:56 <@danhunsaker> (so long as you haven't reconfigured things to store files outside the easy-rsa folder, of course)
07:42 < rapha> hi!
07:42 < rapha> i get "TUN/TAP dev /dev/net/tun: No such device (errno=19)" even though /dev/net/tun exists, is ug+rw and owned by nobody:nogroup which openvpn is supposed to run at. What else could be the problem?
07:45 < rapha> (and yes, it's node 10:200, too)
07:46 < BtbN> does your kernel support tun/tap?
07:52 < rapha> BtbN: hmm ... indeed ... tun: Unknown symbol __sk_attach_filter (err 0) ... how do you get support in debian_
07:52 < rapha> s/_/?
07:53 < BtbN> load the module for it. But I'm pretty sure the standard Debian kernel comes with tun support
07:53 < rapha> BtbN: that's what happens in dmesg when i do modprobe tun
07:53 < BtbN> your kernel or the module are somehow broken then
07:54 < rapha> :(
08:33 < KaiForce> !ovpnuke
08:33 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
08:38 < rapha> BtbN, solved it! The machine just required a reboot :)
09:07 < rapha> bye!
09:33 < KaiForce> !sweet32
09:33 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
09:46 < ghost75> if otp is used and computer goes to standby, user wakes up, it will ask again for key right?
09:49 <@rob0> OTP has nothing to do with it; "sleep" means the connection ends, so yes, openvpn will need to reestablish a connection on resume.
10:11 <@danhunsaker> Which will usually also mean the OTP needs to be supplied again as well, but might not if your script(s) enabling OTP is/are designed to cache that kind of thing somehow.  Most aren't.
10:12 <@rob0> if OTP accepts the same passphrase again, that's a broken implementation of OTP :)
10:13 <@dazo> rob0: not necessarily ... if --auth-token is pushed by the server and the client does not wipe that one, that can be used for session resumption in these cases
10:14 <@dazo> that means the server accepts that authentication token (which is to be random of some kind) as an already authenticated client
10:14 <@rob0> On the server side, is there any distinction between "client goes to sleep" and any other type of client disconnect?
10:15 <@dazo> *but* if the server side have closed the session (which most likely happens when clients suspends), then it needs a full authentication including new OTP
10:16 <@dazo> no, not really ... the server side can differentiate between "unknown/new" sessions (requiring full authentication) and "open" sessions, which are sessions not considered dead/closed by the server
10:17 <@dazo> so if a server allows an open session to not have any traffic at all for 8 hours ... then client can very well suspend and reconnect as long as the session identifiers are still the same (which means the openvpn client process cannot stop running)
10:20 <@dazo> that said ... such long "open" sessions are currently only of academic interest ... I haven't tried using such a long --ping-restart on the server side
10:21 <@danhunsaker> They alse aren't terribly secure, partially for the above reasons.
10:21 <@danhunsaker> *also
10:21 <@dazo> yupp
10:22 <@danhunsaker> You generally want it to be long enough that a network hiccup won't force a full reauth, but not so long that it can be abused.
10:22 <@danhunsaker> (Obviously.)
10:23 <@danhunsaker> Also, by "cache that kind of thing", I don't mean caching the OTP itself, but rather the "I checked this successfully!" status.
10:23 <@danhunsaker> Though admittedly, that wasn't readily apparent in how I phrased it.
10:24 <@dazo> :)
10:24 <@dazo> As I usually say: "Read my intention, not my words" :)
10:24 <@danhunsaker> Ah, if only.  :D
10:24 <@dazo> ;-)
10:25 <@dazo> nah ... I need to head out for some food now :)
10:26 <+hyper_ch> dazo: not everyone has mastered the art of mind-reading-over-the-internet yet
10:26 <@danhunsaker> I haven't even figured out mind reading...
10:32 <@rob0> I have figured out mind reading, and you guys should be ashamed of yourselves!
10:47 -!- F2Knight[away] is now known as F2Knight
11:02 <@danhunsaker> Pfft.
11:52 < ghost75> auth-gen-token is nice one
11:53 < ghost75> so on windows client i can use up script with regedit in order to delete cached passwords but on mobile clients?
12:02 <@dazo> ghost75: well, that is just as long as the user on the client side discovers the config file ... duplicates it and removes the --up statement
12:03 < ghost75> yes, assuming most users are not able to find out
12:03 <@dazo> ghost75: enforcing clients to behave in a particular way is usually just a waste of time, as it so easily ends up in over-engineered solutions which is too easy to circumvent
12:04 < ghost75> on mobile clients its really not so good if the has cache password and looses his phone
12:04 <@dazo> ghost75: what will rather work is to have a strong user policy .... "Don't do this, or else you'll be fired if you break our policy"
12:05 <@dazo> ghost75: mobile devices should always be encrypted with a strong password lock
12:05 < ghost75> you mean lock screen?
12:05 <@dazo> where the password lock strength is governed by some management tools  (ActiveSync have as part of the protocol for example)
12:05 <@dazo> yes
12:06 <@dazo> ActiveSync also have the possibility to remotely wipe a device once it gets online
12:06 < ghost75> well no activesync available
12:07 <@dazo> there are similar tools available too
12:08 <@dazo> so then you can have a user policy stating: "To get VPN access on mobile devices, the device must be enrolled into system XYZ where security parameters are controlled centrally"
12:09 <@dazo> the challenge with making openvpn enforce such things from the server side is that the code is open source and there exists plenty of alternative clients which can circumvent settings
12:09 <@dazo> using a management tool will be far harder to circumvent
12:12 < ghost75> and btw. auth-gen-token option together with google authenticator will keep session on reconnects ?
12:13 <@danhunsaker> Depends on the nature of the reconnect.
12:13 < ghost75> example energy saving
12:13 <@danhunsaker> As we discussed earlier when you first asked about it.
12:13 <@dazo> if the session is considered closed by the server side, then the client need to do a full re-authentication
12:14 <@danhunsaker> If the system is asleep long enough, the session will time out.
12:14 < ghost75> full reauthentication means new otp i guess
12:15 <@danhunsaker> Yes.
12:18 < ghost75> which parameter on server can be used in order to modify closing time, is it reneg-sec ?
12:19 <@dazo> --ping-restart (often via --keepalive in many configurations)
12:19 < ghost75> i see
14:30 < zamba> why is the default txqueuelen set to only 100?
14:30 < zamba> shouldn't that safely be increased to like 1000?
14:30 < zamba> i'm seeing quite a lot of dropped packets on the tun0 interface
14:30 < zamba> and tcp throughput is pretty bad
14:35 <@danhunsaker> zamba: That's TCP inside the tunnel, yes?
14:35 < zamba> danhunsaker: i'm doing ftp inside the tunnel, yes
14:36 <@danhunsaker> TCP on the outside is slow by nature, and strongly disrecommended.
14:36 < zamba> the openvpn tunnel is realized using udp, yes
14:36 <@danhunsaker> Checking mostly reflexively.  :-)
14:38 -!- Vampire0_ is now known as Vampire0
14:39 < zamba> so, what are you saying about txqueuelen?
14:39 <@danhunsaker> I suspect some of the defaults are intended to be less than ideal to encourage properly learning and configuring things.
14:39 <@danhunsaker> That is, I think you're supposed to set that one manually in your config(s).
14:43 < zamba> but this is a setting that you can tweak on either side without having to reflect the change on the other?
14:44 -!- Nehal3m is now known as Beetlejuice
14:44 -!- Beetlejuice is now known as Nehal3m
14:45 <@danhunsaker> I'll have to defer to the man page for that one.
14:53 < zamba> hehe
15:39 < zamba> someone mentioned something about setting sndbuf and rcvbuf to 0
16:56 < ghost75> reneg-sec on client same as on server or 0 ?
20:38 < sunrunner20> i've enabled 2fa on my openVPN tunnels through a RADIUS server, but every so often I have to reauth, I'd say every 40min ish. anybody know what setting I have to change to stop that?
21:44 -!- F2Knight is now known as F2Knight[away]
21:57 -!- F2Knight[away] is now known as F2Knight
22:00 < sunrunner20> did I miss a response?
22:24 < kitsune1> sunrunner20: Either increase --reneg-sec or use --auth-gen-token (needs 2.4 -- see the man page)
22:25 < sunrunner20> kitsune1, sweet. I'll look at that. I'm using PFsense so it'll have to be an extra option
--- Day changed Thu Mar 09 2017
03:36 -!- F2Knight is now known as F2Knight[away]
03:55 < jvava> very suffering, I can not download from turbobit.net with openvpn, any Idea?
04:06 < cbauer> site shouldn't matter when using a vpn, except if server is filtering
04:08 < jvava> I guess it is filtering
04:09 < jvava> you know, after gfw, I even can not visit tuibobit.net without openvpn help, so can I let openvpn hide my ip?
04:09 < jvava> and if is it using ssl protocol?
04:10 < cbauer> openvpn functions on a lower level, if you create vpn connection, connect as a client to the vpn server and use it as your gateway you are essentially using the servers internet connection
04:11 < cbauer> what you access and which protocols you use shouldn't matter if the server isn't explicitly filtering them
04:11 < cbauer> if you can establish a successfull SSL connection with via signed certificates you can be sure the vpn server can't do a MITM attack
04:12 < jvava> when I open google.com, It know where I come from,
04:13 < cbauer> check if your gateway and DNS is set to the vpn server (i.e. 10.8.0.1)
04:14 < jvava> oh, I set dns as 8.8.8.8
04:14 < jvava> tonight I will set it to 10.8.0.1,
04:14 < jvava> maybe it will help me
04:14 < jvava> thank you, cbauer
04:14 < cbauer> still, google shouldn't see who you are if you made a DNS request but then connect to the resolved IP through the vpn connection
04:15 < jvava> maybe the browser tell the server my lang
04:15 < cbauer> I would do a traceroute/tracert to make sure what path your packets are taking
04:15 < cbauer> well, if it's just the language it recognizes, there are a bunch of ways to do that
04:16 < cbauer> the OS, the browser, user agent, IP....
04:16 < cbauer> javascript, plugins...
04:16 < jvava> yes
04:16 < cbauer> check myip.is
04:17 < cbauer> or better yet http://ipleak.com/
04:17 <@vpnHelper> Title: IPleak.com - IP leak test (at ipleak.com)
04:17 < cbauer> and disable WebRTC  in your browser
04:17 < jvava> ok, I will try
04:18 < cbauer> but as I said openvpn functions on a lower level there shouldn't be much be able to leak your IP, really only if your routes are messed up
04:18 < cbauer> or if the OS/application tells the internet server who you are
04:19 < jvava> I see
04:27 < haaning> The key part of a client ovpn config file, is it possible to encrypt that and have the client discover that the key is encrypted as part of another layer of security?
04:27 < haaning> [..] and have the client software* discover [..]
04:50 < haaning> Anyone know if that's possible? I even encrypt it using the same cipher and the same password as I use for XAUTH
06:12 < |Mike|> re!
11:03 < OCNIOS> Hello!
11:04 < OCNIOS> Anyone here willing to help me with setup on an Ubuntu server?
11:04 < OCNIOS> I think I created some files incorrectly
11:04 < nacelle> openvpn on ubuntu?
11:06 <@rob0> !welcome
11:06 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
11:06 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
11:06 <@rob0> !goal
11:06 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:06 <@rob0> OCNIOS, ^^ and read the /topic\
11:06 < OCNIOS> !goal I would like to access the internet over a VPN, and set up OpenVPN on Ubuntu
11:07 < OCNIOS> I'm following along with https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
11:07 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
11:08 <@rob0> The bot simply gives responses to commands.  It doesn't read and store what you say to it.
11:09 < OCNIOS> Ah ok
11:09 < OCNIOS> http://pastebin.com/raw/eKUCw7i2
11:09 < OCNIOS> I think I have some duplicate files, I want to keep that DIR as clean as possible.
11:10 < OCNIOS> I think I figured it out
11:34 < OliverUK> Hiya, quick question, can I use the computer certificate in the Windows certificate store for the authentication?
11:43 -!- F2Knight[away] is now known as F2Knight
11:45 < OCNIOS> Can anyone take a look at this with me? http://pastebin.com/raw/eCCJNA88
11:46 < skyroveRR> Oh, systemd stuff.
11:57 < nacelle> OCNIOS: did you read it?  what's "systemctl status openvpn@server.service" say?
11:58 < nacelle> did I read it?
11:58 < nacelle> you put that there
11:58 < nacelle> ha.
11:58 < nacelle> did you enable it?
11:58 < OCNIOS> I'm super super new at this
11:59 < OCNIOS> I've never done any of this before, so probably not
11:59 < OCNIOS> and I have no idea how to
11:59 < nacelle> you have to do a few things when loading a new systemctl script
11:59 < OCNIOS> is it in system.conf?
11:59 < nacelle> 1) systemctl daemon-reload
11:59 < nacelle> 2) systemctl enable openvpn@server.service
12:00 < nacelle> 3) _then_ you get to do: systemctl start openvpn@server.service
12:00 < nacelle> the logs you pasted indicated step 2 wasnt done
12:00 < nacelle> " Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; ..."
12:00 < nacelle> (I put in the ...)
12:01 < OCNIOS> hmmm
12:01 < OCNIOS> thank you that helped, but it still fails
12:03 < nacelle> whats the status say now?
12:06 < nacelle> (and its ok to be first time at systemd, you cant be disgusted with it until you really do ;-))
12:13 < OCNIOS> It's not even writing to the log file (that I can tell)
12:14 < OCNIOS> openvpn.log (i turned append on)
12:15 < OCNIOS> http://pastebin.com/raw/K6mDJVn8
12:15 < OCNIOS> I'm in /var/log$ but I don't see the openvpn.log file
12:17 < OCNIOS> AHA!
12:17 < OCNIOS> found .log file
12:17 < OCNIOS> Thu Mar  9 18:10:17 2017 daemon() failed or unsupported: Resource temporarily unavailable (errno=11)
12:24 < msn> if I connect to a openvpn network and access another vpn client does all data go thruogh the server?
12:24 < msn> client1->client2 access happens direct or client1->vpn server->client2
12:26 < OCNIOS> nacelle http://pastebin.com/raw/8B5DyU0Y
12:28 < msn> OCNIOS: you would get better logs if you add log statement to the config
12:28 < nacelle> OCNIOS: i imagine your openbsd config itself is broken.   try getting it started by hand without using systemd.
12:28 < msn> log: status.log and log-status
12:29 < msn> something like log: /var/log/openvpn.log and log-status: /var/log/openvpn.log
12:29 < nacelle> does it start on its own if you run it that way?  openvpn --daemon /etc/openvpn/whatever.conf
12:29 < nacelle> etc.
12:29 < msn> and add verb 3 in the openvpn config then try running
12:30 < nacelle> oh you have to say --config when its with other options, poop
12:30 < nacelle> that would be: openvpn --daemon --config /etc/openvpn/whatever.conf
12:30 < nacelle> etc.
12:30 < OCNIOS> I want to pull my hair out
12:31 < msn> can you link your config if you posted it?
12:31 < OCNIOS> my server.conf file?
12:31 < msn> yes
12:31 < msn> if you can
12:33 < nacelle> OCNIOS: good puzzles do not immediately solve themselves :-)
12:33 < nacelle> they have thousands of pieces...
12:35 < OCNIOS> Yeah, I'm a sys admin, and this is why I stay away from the network side
12:35 < msn> networks are fun
12:35 < OCNIOS> I can't even copy/paste the dang conf file.....
12:35 < nacelle> its just practice
12:35 < nacelle> the more you do it, the more you get used to it, the more you know
12:35 < nacelle> the more you keep it scary, the more scary it becomes
12:35 < msn> paste it in pastebin again
12:36 < nacelle> I always think "someone else has done this, so why cant I?" and then if that doesnt work, breathing only through my nose for a while helps :-)
12:36 < OCNIOS> nano isn't letting me copy the whole thing
12:36 < nacelle> nano's copy is for within nano...
12:36 < msn> do cat
12:37 < msn> cat filename then copy from console
12:39 < OCNIOS> http://pastebin.com/raw/6UD43qNK
12:40 < msn> should enable topology subnet as it recommends
12:41 < nacelle> if thats the whole file, its messed up
12:41 < msn> OCNIOS: can you post the openvpn.log
12:41 < nacelle> if its cut and paste errors, I can accept that
12:41 < nacelle> that file has duplicated sections and the top comments are munged
12:42 < msn> yes
12:42 < OCNIOS> FML
12:42 < OCNIOS> yeah, the file is alll messed up
12:43 < nacelle> maybe redo it? its almost bone stock anyways
12:43 < nacelle> oh I see
12:43 < nacelle> t@orion:/etc/openvpn# sudo vi server.conf
12:43 < nacelle> you were doing... things to it
12:43 < nacelle> and copied that console session to us
12:43  * nacelle sighs
12:44 < OCNIOS> Yeah I screwed it up trying to copy it, bah
12:44 < nacelle> you gotta live your life for you, I aint gonna fuck it
12:44 < nacelle> (your FML is denied, sorry)
12:44 < msn> OCNIOS: try this http://paste.debian.net/919005/
12:45 < msn> or better yet http://paste.debian.net/919006/
12:45 < OCNIOS> msn: as the entire server.conf file?
12:46 < msn> yes
12:47 < msn> OCNIOS: if it fails post your openvpn.log
12:48 < OCNIOS> http://paste.debian.net/919008/
12:49 < msn> remvoe the last line i think it should be mute not omute
12:49 < nacelle> correct
12:50 < nacelle> mute 20
12:50 < nacelle> not omute 20
12:50 < msn> i didn't check the syntax just removed the clutter and duplication
12:51 < OCNIOS> http://paste.debian.net/919008/
12:51 < OCNIOS> same output, fails
12:51 < msn> after removing omute did you run try running it again?
12:51 < OCNIOS> Yes
12:52 < nacelle> you didnt remove it from the right file
12:52 < nacelle> oh
12:52 < nacelle> thats the old pastebin url
12:53 < OCNIOS> Its the same output but ill paste again
12:54 < nacelle> your config file still has the omute option in it if its the same output
12:54 < msn> it cant be same atelst the omute error should be gone
12:54 < OCNIOS> http://paste.debian.net/919011/
12:54 < OCNIOS> well, with that being the only difference i see
12:54 < nacelle> thats a different error
12:54 < nacelle> try "killall openvpn"
12:54 < nacelle> then try it
12:54 < nacelle> it looks like you have one running
12:54 < nacelle> where something is already in place on port 1194
12:55 < msn> netstat -ulnp
12:55 < msn> and ps ax |grep vpn
12:55 < nacelle> (which is the resource its complaining about, I imagine)
12:55 < msn> yeah most probably
12:55 < OCNIOS> killall isn't a recognized command
12:56 < msn> OCNIOS: first check if it running
12:56 < msn> ps ax |grep vpn
12:56 < msn> openbsd does not have a killall
12:56 < OCNIOS> 11261 pts/1    S+     0:00 grep --color=auto vpn
12:56 < msn> netstat -ulnp |grep 1194
12:56 < nacelle> he said this was on ubuntu
12:56 < nacelle> "he", sorry, not sure there, just english normalcy
12:57 < msn> ah k
12:57 < nacelle> they, even
12:58 < nacelle> maybe its that its not being run as root and trying to do teh chroot thing as a normal user?
12:58 < nacelle> (which wont work so well?)
12:58 < msn> yes
12:58 < OCNIOS> I'm in SSH logged in as root user.
12:59 < msn> run it without --daemon
13:01 < OCNIOS> oooo closer
13:01 < msn> logs
13:01 < OCNIOS> http://paste.debian.net/919013/
13:02 < msn> are you using a vps?
13:02 < OCNIOS> yes
13:03 <@rob0> "modprobe -v tun"
13:03 < msn> well then go into your vps control panel and enable tun device
13:03 < msn> its disabled by default
13:03 < msn> and do what rob0 said too
13:03 <@rob0> depends on provider, IIRC this is DO
13:03 < msn> most disable by default even though its just a click enable
13:04 < msn> try modprobe first then check your vps control panel
13:05 < OCNIOS> it was disabled in cpanel
13:06 < msn> :P
13:06 < msn> try after enabling and rebootng your vps
13:07 < nacelle> the DO guide needs to take out the key-direction 0 thing since its already on the tls-auth statement with a direction
13:07 < nacelle> well, not need, but its redundant
13:10 < OCNIOS> Very close, link incoming
13:10 < OCNIOS> http://paste.debian.net/919016/
13:19 < msn> remove the gid/uid from the fil
13:20 < msn> or comment i
13:20 < msn> it
13:20 < msn> then run it
13:23 < OCNIOS> msn I don't see gid/uid in server.conf
13:23 < msn> nogroup/nobody lines
13:23 < OCNIOS> ahhhh
13:24 < msn> should work now
13:24 < msn> rest i leave to you now, how you optimize or automate it further
13:25 < OCNIOS> It's ALIVE!!
13:25 < OCNIOS> Thanks!
13:36 < OCNIOS> hey msn
13:37 < OCNIOS> Is there any big reason to use "sudo systemctl start openvpn@server" VS "sudo nohup openvpn --config /path/to/server.conf"
13:37 <@rob0> If you want your OS/distro to manage the service, you should do it their way.  If not, run it directly.
13:38 < OCNIOS> ty
14:30 < OCNIOS> noooooo
14:30 < OCNIOS> OpenVPN core error: PolarSSL: error parsing ca certification : X509
15:04 -!- F2Knight is now known as F2Knight[away]
15:28 -!- alexandre9099_ is now known as alexandre9099
15:42 < OCNIOS> msn I still don't think it's working
16:23 < OCNIOS> NOW it's working
16:31 -!- Vampire0_ is now known as Vampire0
16:57 -!- F2Knight[away] is now known as F2Knight
19:26 < Simy> !welcome
19:26 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
19:26 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
19:27 < Simy> !goal
19:27 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:28 < Simy> My goal is to use a VPS's public facing IP as my servers IP hosted from home with one of two connections.
19:30 < Simy> Is this a bit too complicated for a first timer? I've been googling for examples but I haven't found much yet. It seems this isn't a common enough goal.
19:38 < Simy> Does anybody know how to setup something like this?
19:40 <@rob0> I have done it
19:41 < Simy> Will it work as I expect it too? My goal is to have 2 ISP's and provided at least one is up, my server is accessible from the VPS's IP.
19:41 <@rob0> just bind the IP address to the peer and enable proxy ARP
19:41 < Simy> My networking knowledge is a bit lacking, but can that be done with redundant connections?
19:42 <@rob0> oh, the dual uplinks will complicate things
19:42 < Simy> Yeah, I thought so. :(
19:43 < Eugene> Yes, too complicated for the first time
19:43 < Eugene> !lartc
19:43 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
19:43 < Simy> What would you recomend as far as reading material to get me up to speed?
19:43 < Eugene> You will need policy routing at a minimum ^
19:44 < Simy> Er, I was thinking more of what books will I need to be able to read to gain the required understanding? Ideally, kindle books.
19:44 < Simy> I got part way through a VPN examples book, but I think Its a bit above me right now.
19:45 < Eugene> God, I don't even know anymore. O'Reilly books are pretty good?
19:46 < Simy> Actually let me ask a different question. Currently I'm working on the comptia A+ cert, then I'll be going on to network+. Will I in the process of getting the network+ cert gain the required understanding to pursue this again later?
19:47 < Eugene> "Hahaha, certifications"
19:47 < Simy> Yeah I know :/
19:47 < Simy> Company is paying for, and wants me to get it. They sign my checks...
19:48 < Simy> I honestly don't trust the A+ book I'm reading from mike meyers, its so... pro windows.
19:50 < Simy> Eugene, does  aquick look at this book sound like it would do it? https://www.amazon.com/TCP-IP-Network-Administration-Administrators-ebook/dp/B0043EWVH4/
19:51 < Eugene> Yeah, that one is a good primer
19:51 < Eugene> My honest recommendation is production experience
19:51 < Eugene> If you want to buy O'Reilly books, don't do it through amazon though
19:51 < Simy> Hence the home lab :)
19:52 < Simy> I host my own email and have for awhile, I've just made it more complicated recently. :)
19:52 < Eugene> Their website lets you "upgrade" from a print to ebook copy for $5
19:52 < Eugene> http://www.oreilly.com/register/
19:52 <@vpnHelper> Title: O'Reilly Media - Register Your Books (at www.oreilly.com)
19:52 < Eugene> Just put in the ISBN of the print copy you "own"(as listed on the Amazon entry....), and enjoy
19:53 < Simy> I don't mind paying for it, I like kindle books. I've thrown out the vast majority of my other books for taking up too much space.
19:54 < Eugene> Similarly, but I also know what it costs to print an epub
19:55 < Simy> oh but wait, Amazon Kindle is a "special" format... ::rolls eyes:: maybe it costs more to e-print :/
19:58 < Simy> I appreciate y'all taking the time to point me in the right direction. Have a great day.
20:06 < rebekah> are there anyways to use openvpn that doesnt require an entire pki... i am thinking about something similar to how i use public/private keys to ssh servers... (authorized_keys, etc)... is that possible?
20:08 -!- Vampire0_ is now known as Vampire0
20:10 < Eugene> Sure; that's exactly what static-key mode is
20:10 < Eugene> You're limited to two peers, typically a client + server
20:10 < Eugene> Other common setups include a simple PKI(CA, server cert) and --auth-user-pass, usually with a LDAP plugin or similar
20:11 < rebekah> two peers isnt quite enough unfortunately
20:11 < Eugene> You can even use a public CA such as Let's Encrypt if you like; openvpn doesn't care so long as it passes the x509 checks
20:11 < Eugene> (it is a good idea to do at least CN= checking when using a public PKI)
20:13 < rebekah> ive never setup openvpn, so pardon my ignorance, but say you are doing a sort of central server, does each client in the servers certificate and vis versa?
20:13 -!- F2Knight is now known as F2Knight[away]
20:13 < rebekah> like, do you have installed the server cert on each client, and each client cert on the server?
20:14 < rebekah> or does openvpn just check that the certs are signed by the right CA or something?
20:15 < rebekah> or does that question not make sense lol >.>
20:15 < Eugene> It entirely depends upon how you set it up. The "textbook" implementation has a single CA, and each server+client cert is signed by that CA. Server(s) check that the client presents a valid cert, and the clients verify the same about the server they're connecting to
20:15 < rebekah> valid as in, signed, correct info in it basically?
20:15 < Eugene> Yeah
20:15 < Eugene> You can omit the --ca check on the server side; in that case only the clients will check that the server has a valid cert. You should require authentication thorugh another method(eg, --auth-user-pass) before accepting client connections
20:16 < Eugene> This is much simpler, but then you need to manage a backend
20:16 < rebekah> so if valid means its signed by the right CA and your CA is lets encrypt, anyone could make a cert and get on your vpn?
20:16 < Eugene> A LE cert would only be marked with the necessary x509 bits for a server cert; not a client.
20:16 < Eugene> Your clients should still be configured to verify that the cert presented is for the hostname they're expecting(eg, myserver.mydomain.com)
20:17 < Eugene> If this is your first time using openvpn I highly recommend starting with the "reference" full-cert method before you get adventurous
20:17 < rebekah> hmmm... i feel like i need to do some more reading
20:17 < Eugene> !book
20:17 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) a troubleshooting guide for OpenVPN by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
20:20 < rebekah> i guess in my head i would be minting certs/keys for clients as needed, i would installed the private key on the client, and have the public key on the server so only those pairs could connect
20:22 < Eugene> That's roughly how x509 PKI works, excepting that you need to add a signing step
20:22 < rebekah> right
20:22 < rebekah> okay, maybe it is what im thinking it is then lol
20:22 < Eugene> You can actually re-use a SSH private key(its just a RSA key....) to create a x509 certificate
20:22 < Eugene> Have your clients generate a CSR based upon the key, sign it, and return the .crt with a .ovpn config file
20:22 < Eugene> Tada
20:24 < rebekah> yeah, i think i can manage... its really just for personal use... tunnelling with ssh has its problems lol
20:25 < rebekah> a whole PKI just feels like a bit much for my needs, but sounds like thats my only real option
20:33 <@rob0> how many tunnels do you need?
20:34 <@rob0> I once set up a mesh network of static-key mode hosts, so that each of 6 had a direct tunnel to all the others.
20:35 < rebekah> 5 or so?
20:36 <@rob0> 5 all to one endpoint?
20:37 <@rob0> or some kind of interconnection?
20:38 < rebekah> well its a mix-and-match of mobile devices, latops, and computers
20:38 < rebekah> which i doubt i would have the vpn on my phone enabled all the time, for instance
20:38 <@rob0> if all to one endpoint, you'd probably want to go for the PKI
20:38 < rebekah> oh and a vps
20:38 < rebekah> i was going to setup the vps as a server and just connect everything to it
20:45 < msn> if I connect to a openvpn network and access another vpn client does all data go thruogh the server?
20:45 < msn> client1->client2 access happens direct or client1->vpn server->client2
20:46 -!- F2Knight[away] is now known as F2Knight
20:46 -!- F2Knight is now known as F2Knight[away]
22:09 <@danhunsaker> msn: If the only way they know how to find each other is through the VPN (and if you're using their VPN addresses, that's the case), then it'll be through the VPN server, because that's the only way they *can* communicate.
22:12 <@rob0> rebekah, if more than one client is at the same site/location, you don't need a separate tunnel for each.  A single connection per site can do it, even with --redirect-gateway.
--- Day changed Fri Mar 10 2017
02:55 < compsman> could anyone here help with my mtu i am sorry i still have not got it resolved i been busy, and i would like it to just dont understand it at all. i am sorry.
03:00 < compsman> i been ytrying solve it for long time now):
05:51 < FlyingWal> !welcome
05:51 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
05:51 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
05:52 < FlyingWal> !goal
05:52 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:53 < FlyingWal> !goal How can I get the vpn server gateway without setting the routes
05:54 < FlyingWal> !route
05:54 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
05:55 < FlyingWal> !goal
05:55 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:56 < FlyingWal> Any idea how I (client) can obtain the server's gateway without having the routes set up?
05:58 < FlyingWal> I know about "route-nopull" for not getting the gateway pushed by the server, but how can I find out the gateway afterwards?
06:06 <@danhunsaker> It'll still set one or more routes for traffic that's meant to go across the VPN.  A VPN is entirely useless unless there's at least one route sending traffic through it.  It won't be a default route (what "gateway" generally means to users), but it'll still be set.
06:07 <@danhunsaker> So look for routes that send traffic over the VPN tunnel interface.  The destination address there should be your "gateway" address.
06:07 < Pricey> !1925
06:07 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
06:08 < FlyingWal> Thanks, let me check that
06:19 < FlyingWal> Mmmh, thing I am trying to setup, is to route just the traffic of 1 user to the vpn and leave all other traffic untouched
06:20 < FlyingWal> After connecting to the cpn I got the following route added:
06:20 < FlyingWal> 10.200.199.0    0.0.0.0         255.255.255.0   U     0      0        0 tun0
06:21 < FlyingWal> so gateway should be 10.200.199.0, right?
06:21 < FlyingWal> sorry 10.200.199.1 I meant
06:25 <@danhunsaker> I'm trying to figure out what order those values are presented in...
06:27 < FlyingWal> one second
06:27 < FlyingWal> Kernel IP routing table
06:27 < FlyingWal> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
06:27 < FlyingWal> 0.0.0.0         134.119.3.254   0.0.0.0         UG    0      0        0 eth0
06:27 < FlyingWal> 10.200.199.0    0.0.0.0         255.255.255.0   U     0      0        0 tun0
06:27 < FlyingWal> 134.119.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
06:29 <@danhunsaker> Huh.  It's trying to send all traffic destined for 10.200.199.0/24 to 0.0.0.0...  That's weird.
06:30 <@danhunsaker> Guess that means instead of giving a gateway, just route it over the tunnel interface.
06:30 < FlyingWal> well see if I skip the option route-nopull and get a gateway it looks like that
06:30 < FlyingWal> Kernel IP routing table
06:30 < FlyingWal> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
06:30 < FlyingWal> 0.0.0.0         10.200.194.1    128.0.0.0       UG    0      0        0 tun0
06:30 < FlyingWal> 0.0.0.0         134.119.3.254   0.0.0.0         UG    0      0        0 eth0
06:30 < FlyingWal> 10.200.194.0    0.0.0.0         255.255.255.0   U     0      0        0 tun0
06:30 < FlyingWal> 2.113.251.130  134.119.3.254   255.255.255.255 UGH   0      0        0 eth0
06:30 < FlyingWal> 128.0.0.0       10.200.194.1    128.0.0.0       UG    0      0        0 tun0
06:30 < FlyingWal> 134.119.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
06:31 < FlyingWal> not 2.113.251.130 but 62.113.215.130 (copy/paste missed the 6)
06:31 <@danhunsaker> Ah, right.  "Default" gateway for the interface; just says "hey, this subnet is on the other side of this interface".
06:32 <@danhunsaker> So yeah, there isn't a mechanism for it, then.
06:33 < FlyingWal> mmmh - well I am a programmer an not that far into routing, I just have to make sure the scripts use the vpn instead of the common internet uplink
06:33 <@danhunsaker> You can guess, but you can't guarantee, that .1 is your gateway.
06:33 < FlyingWal> humm
06:34 < FlyingWal> see I found that howto http://blog.sebastien.raveau.name/2009/04/per-process-routing.html and this seemed a good solution to me
06:34 <@vpnHelper> Title: Tricks of the Trade: Per-process routing (at blog.sebastien.raveau.name)
06:34 < FlyingWal> to have a distinct user routed over the vpn and leave the other traffic untouched
06:35 <@danhunsaker> Well, we have a standard answer for things like that, but you won't like it.
06:36 < FlyingWal> haha I bet
06:36 <@danhunsaker> !blog
06:36 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
06:36 < FlyingWal> well it doesn't even has something to to with openvpn, just a routing issue - my problem is how to find out the gateway if I set the option route-nopull
06:37 < FlyingWal> if I spare the option, I get a new default-gate and all traffic is routed to the vpn
06:37 < FlyingWal> therefor the server is no more reachable under it's common IP
06:38 < FlyingWal> I have no influence on the vpn-server provider and the gateways and subnets change almost every connect
06:38 <@danhunsaker> Well, the VPN server is.  It sets a route for itself explicitly.
06:39 < FlyingWal> So w
06:39 < FlyingWal> ya
06:39 <@danhunsaker> !both
06:39 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
06:39 < FlyingWal> *yikes* I know ;)
06:40 < FlyingWal> so last question, is there an option/switch to obtain the gateway information of the server but not having the routes set up?
06:40 < FlyingWal> like pull-route-but-dont-set ;)
06:40 <@danhunsaker> The server side should have an option for setting up a split-tunnel connection instead of a global default gateway.
06:41 <@danhunsaker> You might look at scripting...
06:41 <@danhunsaker> !script
06:41 <@vpnHelper> "script" is (#1) See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR, or (#2) to see all vars available to a script, you can env > /tmp/env, or (#3) if using bash you can put exec 2>&1 in the first line of your script and it will send all error
06:41 <@vpnHelper> output to your openvpn log. set -x as well to show your commands as they are executed
06:41 < FlyingWal> Ok I'll give this a try
06:41 < FlyingWal> thanks for the help
06:44 <@danhunsaker> Of course.
10:22 -!- F2Knight[away] is now known as F2Knight
10:35 < sarthor> Hi, I have Dlink ip phone DPH400SE, I want connect this IP phone with my Openvpn server, while it support Openvpn, but I am unable to find any manual, how to upload openvpn config files. I clicked on brows, and tried to upload, but says error, please let me know if some one knows, how to configure IP Phone for Openvpn. Thanks.
10:43 < DArqueBishop> sarthor: where are you seeing that it supports OpenVPN? According to the user manual it only supports L2TP.
10:44 < sarthor> DarkSector: I can see L2tp and Openvpn listed under "VPN"
10:46 < sarthor> DarkSector: here is the image of my phone web UI https://ibin.co/3F6GsrZuj7Th.png
10:46 < DArqueBishop> sarthor: your best bet is probably going to be to contact Dlink support for assistance.
10:48 < DArqueBishop> This is the first time I've ever heard of an IP phone supporting OpenVPN, and even their own documentation is pretty iffy. Like I said, your best bet is to contact Dlink support for assistance.
10:49 < sarthor> DArqueBishop: OK.
10:56 < ruied> DArqueBishop, Many grandstream phones have it and yealink has it for serveral years... It works nice
10:57 < RM982> !welcome
10:57 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
10:57 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
10:58 < RM982> good afternoon, what client do you guys suggest for windows 10?
10:59 < DArqueBishop> RM982: I use the standard OpenVPN build.
11:00 < DArqueBishop> !download
11:00 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn, or (#2) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
11:00 < RM982> thanks mate
11:11 < modernbob> anyone know why on my mac using texual and openvpn why the server klines me and won't let me join channels but on this windows box not a problem
11:17 <@rob0> modernbob, this might be a question better suited to #freenode, but it sounds like that IP address might be shared with other IRC users; there is a limit per IP address unless running an identd.
11:18 <@rob0> If others are using the VPN for IRC abuse, your IP address might be blocked for that.
11:18 < modernbob> hmm, ok... i will switch and see whats up.. thank you
11:24 < moderntoast> that appears to be the problem. server
11:42 < RM982> so MOTD says TAP is not needed, but when I try the connection the client complains about TAP not installed
11:42 < RM982> I'm following this article: https://wiki.debian.org/OpenVPN
11:42 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org)
11:42 < RM982> the unnencrypted way
11:43 < RM982> Fri Mar 10 14:37:29 2017 There are no TAP-Windows adapters on this system.  You should be able to create a TAP-Windows adapter by going to Start -> All Programs -> TAP-Windows -> Utilities -> Add a new TAP-Windows virtual ethernet adapter.
11:48 < RM982> the client config has this lines  remote ip_of_my_vps  dev tun1   ifconfig 10.9.8.2 10.9.8.1
11:49 < RM982> full client log http://pastebin.com/sPryDEge
11:53 < RM982> it seems it is reported as a bug....any other client I can try?
12:03 -!- Vampire0_ is now known as Vampire0
12:30 < OCNIOS> msn
12:30 < OCNIOS> you around?
12:30 < OCNIOS> http://paste.debian.net/919168/
12:31 < msn> did you pass nsCertType=server while creating the certs?
12:31 < msn> and post your server.conf again
12:33 < OCNIOS> http://paste.debian.net/919169/
12:33 < OCNIOS> I don't remember passing nsCertType=server
12:37 < msn> check your certificate
12:37 < msn> ah you have to add verify line in the vpn
12:39 < OCNIOS> in server.conf?
12:40 < msn> ns-cert-type server
12:40 < Celmor> can clients connecting to the same server instance see each other?
12:40 < msn> add this to server.conf
12:43 < msn> OCNIOS: wait don't add that
12:43 < OCNIOS> Ok
12:43 < msn> your client probably has that statement
12:43 < msn> can you check?
12:47 < OCNIOS> msn http://paste.debian.net/919172/ ?
12:47 < OCNIOS> Is that what you're looking for?
12:48 < msn> did you use easy_rsa to generate certificates?
12:50 < OCNIOS> https://www.cyberciti.biz/faq/howto-setup-openvpn-server-on-ubuntu-linux-14-04-or-16-04-lts/
12:50 < OCNIOS> Yes, easy-rsa
12:52 < OCNIOS> I *briefly* had it working yesterday by following this guide: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04 THEN following the one above. I tried to do that same process today to get it up and running but I'm getting a totally different error than I was running into yesterday.
12:52 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
12:54 < msn> OCNIOS: did you use easy_rsa to generate certificates?
12:55 < OCNIOS> Yes
12:55 < msn> OCNIOS: if not remove this from remote-cert-tls server from client
12:55 < msn> try removing that line
12:55 < OCNIOS> from the server.conf file?
12:55 < msn> client
12:56 < msn> is the server already running?
12:56 < OCNIOS> It is paused
12:56 < msn> what changed i thought it started yesterday
12:57 < OCNIOS> The vmachine got wiped
12:59 < OCNIOS> msn certificate verify failed
13:00 < OCNIOS> I can just go through all the steps again and see what happens
13:00 < msn> k
13:21 < OCNIOS> msn - thanks for putting up with me
13:21 < OCNIOS> I fixed it
13:36 < ||JD||> hi, how to force server listen in a tcp port when starting it from cli (no config file)
13:39 <@rob0> You'd probably have to show us what command line you're currently using so we could show you what to change.  Also, TCP is a bad idea if you can avoid it.
13:39 <@rob0> !tcp
13:39 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
13:41 < ||JD||> it seems windows built in client does not allow anything else than tcp 1723
13:41 < ||JD||> anyway I think I got it
13:41 <@rob0> um, "built in client" is not openvpn
13:41 <@rob0> !pptp
13:41 <@vpnHelper> "pptp" is (#1) PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
13:41 <@vpnHelper> read about why to not use pptp, or (#2) Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security, or (#3) https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
13:42 <@rob0> so you asked the wrong question.  Changing openvpn to TCP won't make it work with pptp clients.
13:43 < ||JD||> don't worry I got this
13:43 < Eugene> Windows does not have a built-in OpenVPN client.
13:44 <@rob0> good
13:44 <@rob0> I promise I won't worry
13:44 < Eugene> Windows has support for other technologies, such as PPTP and SSTP that look similar to openvpn, but they are not openvpn.
13:44 -!- mode/#openvpn [-o+vv rob0 Eugene rob0] by rob0
13:45  * Eugene removes pants from rob0 
13:45 <+rob0> liar liar pants on fire
13:46 <+rob0> there was a funny news story last day or 2 about a lawyer in an arson trial, and his pants DID catch on fire: phone battery meltdown in his pocket
13:46 <+rob0> and his client was convicted
13:46 <+Eugene> Nope, it was an ecigarette
13:47 <+Eugene> Original story, before it got facebook reposted http://www.miamiherald.com/news/local/crime/article137317553.html
13:47 <+Eugene> Its amusing seeing how stories become urban legends
13:50 <+rob0> oh, maybe I misread or misremembered
13:55 < OCNIOS> well hello NonSecwitter
13:55 < NonSecwitter> well hello
17:36 < gmh> !welcome
17:36 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind
17:36 <@vpnHelper> openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
20:38 -!- F2Knight is now known as F2Knight[away]
20:44 < sunrunner20> if I specific reneg-sec on the server, do I really need to apply it to the client configs?
22:09 < sunrunner20> go go gadget amazon prime
22:10 < sunrunner20> just ordered stuff
22:10 < sunrunner20> will be here tommorow
22:13 < sunrunner20> https://www.amazon.com/gp/product/B01MYS6GDQ/ref=atv_feed_catalog?tag=rottetomao_aiv_mv-20
22:13 < sunrunner20> looks like tonights entertainment
22:28  * sunrunner20 puts robes and wizard hat on
22:28 < sunrunner20> oh, wrong channel
22:28 < sunrunner20> sorry guys for the off topic
--- Day changed Sat Mar 11 2017
02:02 < sliddis> hello is there a openvpn gui for ubuntu?
02:38 < sliddis> I saw there is a network managaer plugin for openvpn. But how do I translate the openvpn.config file to something network manager likes? I extracted the -----BEGIN PRIVATE KEY----- MI.... key.key, user.crt and ca.crt parts of the config file and imported ...  like this ? http://imgur.com/a/f3KEo
02:38 <@vpnHelper> Title: Imgur: The most awesome images on the Internet (at imgur.com)
05:37 -!- Vampire0_ is now known as Vampire0
07:36 <@danhunsaker> sliddis: We don't have anything to do with Network Manager, and still recommend not using it to configure OpenVPN connections (it should use OpenVPN configs directly rather than trying to build its own, overriding server admin decisions).
07:36 <@danhunsaker> That said.
07:36 <@danhunsaker> !nm
07:37 <@danhunsaker> !netman
07:37 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list, or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
08:35 -!- mezgani is now known as p3rror
10:17 < yotux> I am trying to get to a ip address from a vpn, but when entering the ip local network blocks address
10:18 < yotux> is there a vpn setting that I am missing
12:55 -!- F2Knight[away] is now known as F2Knight
15:02 < Azrael_-> hi
15:05 < Azrael_-> i'm using ifconfig-pool-persist but the ips of the clients still changed when the server was offline for 1-2h and came back online. is there a way to control the ip-assignments like a dhcp-server and make the lease virtually permanent (e.g. valid for multiple years)?
15:50 < compsman> anyone here know mtu udp?
16:14 < revri> can you suggest me any forum that could help me out with setting up vpn (without support) through openvpn, i know this channel is for openvpn support only
16:44 -!- david is now known as Guest20392
16:52 < compsman> so i am an 1492 mtu pppoe user how should i go for my vpn mtu?
16:52 < compsman> i am very new at this sorry
17:02 <+Eugene> compsman - the default will auto-detect; leave it alone unless you have tested & verified that you have a MTU issue
17:03 <+Eugene> Read about mssfix as well
17:14 -!- F2Knight is now known as F2Knight[away]
21:39 -!- chantra_ is now known as chantra
21:39 -!- JasonO- is now known as JasonO
22:28 < sunrunner20> what do I do to control the number of times openVPN attems to authenticate?
22:28 < sunrunner20> eg, I have Duo 2FA installed. if It attempts 10 times I'm locked out for 90min
22:28 < sunrunner20> how do I limit it to 9?
22:42 < fnljk> sry i dno much bout this, but ifnot obvious may b get more input if could elaborate some more on authentication / login currently in use and eventual any unusual settings,   locked out how, what u've tried or not already, if suspect anywhere it could be solved best (like,at some other point in the authentication chain....)  or such mayb..hmh..
23:41 < skcin7> !welcome
23:41 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
23:41 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
--- Day changed Sun Mar 12 2017
00:05 < skcin7> !goal
00:05 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:08 < skcin7> I can successfully connect to my VPN server on my MacBook with: "sudo openvpn --config client.ovpn"
01:09 < skcin7> However, when I connect (via ssh) to a remote Ubuntu box, and type the same "sudo openvpn --config client.ovpn", the VPN connection attempt fails. Any ideas why?
01:09 < skcin7> Keep in mind it's the same client.ovpn being used on both computers.
03:03 < Azrael_-> hi
03:03 < Azrael_-> i'm using ifconfig-pool-persist but the ips of the clients still changed when the server was offline for 1-2h and came back online. is there a way to control the ip-assignments like a dhcp-server and make the lease virtually permanent (e.g. valid for multiple years)?
06:18 < andi> Hi, I did setup a openvpn cluster. Is it possible to configure the timeout the client tries to connect to the unreachable node before it tries the other node?
07:09 < jiquera> I'm about deploy openvpn to a few dozen users (in a domain), 2.4 has some minor issues with domains and access to conf files. Is there already a release date for 2.4.1?
11:43 < Ofg> !welcome
11:43 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind
11:43 <@vpnHelper> openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
12:59 < Azrael_-> i'm using ifconfig-pool-persist but the ips of the clients still changed when the server was offline for 1-2h and came back online. is there a way to control the ip-assignments like a dhcp-server and make the lease virtually permanent (e.g. valid for multiple years)?
13:10 < sunrunner20> kitsune1, belated thank you, reneg-sec did the trick
13:11 < sunrunner20> are there any major security concerns about setting it too high?
13:33 <+rob0> !static
13:33 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder, or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range, or (#5) See also: !addressing
15:19 -!- Hello71_ is now known as Hello71
19:39 < sunrunner20> where do i find the results of mtu-test?
20:42 < josh-debian-test> !goal
20:42 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:43 < josh-debian-test> !welcome
20:43 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route
20:43 <@vpnHelper> for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person
20:43 <@vpnHelper> helping you
20:44 < josh-debian-test> !goal 'I am looking for a tool for breaking certificates out of a .ovpn file and leaving me with certs and .conf files'
20:52 < nacelle> I could write such a thing but i've not heard of it.  A short exercise for a bash, awk or python script imo.
20:53 < nacelle> https://gist.github.com/seebk/bb94a7fd70d4cc454aaa someones started for ya
20:53 <@vpnHelper> Title: Extract embedded certificates and keys from OpenVPN config files · GitHub (at gist.github.com)
20:53 < nacelle> (I cannot speak to teh quality of that code, it seems scary at first glance)
20:53 < nacelle> like wheres the def()? hehehe
--- Day changed Mon Mar 13 2017
03:03 -!- Vampire0_ is now known as Vampire0
03:27 -!- cbauer is now known as celmor_mobile
04:17 < Celmor> how do I ignore control message pushes that would change the routes on my client? I don't want to use the server as a gateway, only want to make direct connection to the server
04:18 < msn> hmmm which is your client OS?
04:20 < msn> for linux if you are using NEtworkManager, there is a check box saying only use vpn for clients on this entwork
04:21 < msn> for command line, yuo can write a post-connect script which deletes the new route and restores the old route
04:25 < Celmor> windows
04:25 < Celmor> server is linux
04:31 <+rob0> why are you pushing --redirect-gateway if you don't want to redirect the gateway?
04:32 <+rob0> "Doc it hurts when I do this."  "So don't do that!"
04:39 < Celmor> well, I want everyone else to be able to use the openvpn server as a gateway, but I as the owner of the server merely want to administrate it via that config
04:39 < Celmor> is there no openvpn command or something I can put in the config file to ignore the redirect-gateway push?
04:41 <+rob0> don't use --pull
04:42 <+rob0> or,
04:42 <+rob0> !ccd
04:42 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
04:42 <+rob0> have a specific ccd file for that client
04:42 <+rob0> there are plenty of ways to do it
04:47 < Celmor> "don't use --pull" how? at least in my config file there is no such thing
04:51 <+rob0> --client is a macro
04:52 < Celmor> I'm using --config
04:57 < Celmor> if I were to use ccd I would have to create such for each client that uses the server as a gateway? is it not possible the other way around, create only such for one that doesn't use it as a gateway?
05:04 <+rob0> !ccd-exclusive
05:04 <+rob0> --ccd-exclusive requires each client to have a CCD file, if not set, not required
05:05 <+rob0> OTOH --ccd-exclusive lets you have a server-side access control, so that's worth considering.
05:07 < Celmor> but the ccd file still only adds commands/options to the server configuration?
06:17 < |Mike|> Celmor: and pushes routes/.. to the clients
07:47 < Paraxial> my 10 year old CA expired today, currently our VPN is foobar'd
07:47 < Paraxial> im trying to renew it using these instructions, having no luck though: http://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal
07:47 <@vpnHelper> Title: openssl - Certification authority root certificate expiry and renewal - Server Fault (at serverfault.com)
07:59 < Celmor> |Mike|, well, I want a way to not do these pushes for certain clients
08:20 <+rob0> Paraxial, haha, BTDT
08:20 <+rob0> it's a mess indeed
09:22 < Paraxial> it turns out we distribute the key within the client configs too, so i'm just redoing it
09:22 < Paraxial> since we've got pfsense in now too i'm just doing it within that instead
09:29 <+rob0> if you had the original CSRs you could sign those again and just distribute new certs
09:30 <+rob0> easy-rsa doesn't save those, IIRC
09:34 <@dazo> it's possible to regenerate the CSR from a CRT, iirc
09:35 <@dazo> openssl x509 -noout -x509toreq .... that's a starting point
09:38 <@dazo> Paraxial: ^^^
09:38 <@dazo> (of course, CA key rotations isn't a bad thing from a security perspective ... but it is intrusive and a more cumbersome process)
09:40 <+rob0> true, but also from a security perspective, no one but the user should have access to her key
09:41 <@dazo> yeah
10:05 < Paraxial> thanks, i'll take a further look if pfsense doesn't provide me with joy though so far so good
10:06 <+rob0> hmm?  Do you mean you are genrating keys and signing certs on a pfsense router?
12:02 < AdagioT> Hello! I'm having trouble with the Management Interface and real-time notifications. >CLIENT:DISCONNECT messages don't seem to be appearing when I disconnect my clients. I've tried using both UDP and TCP for the server, to no success
12:15 < dougquaid> Is it possible to have my username and password in my client config or does it have to be in a separate file?
12:44 -!- Alchemy is now known as daemon
13:05 <@dazo> dougquaid: I think OpenVPN v2.4 allows inlining of username/password .... unless my memory fails me badly
13:35 < Celmor> ]
13:36 < Celmor> I've got "client/IP:port SIGUSR1[soft,ping-restart] received, client-instance restarting"  in the server logs, what does this mean?
13:37 < Celmor> could it be that the client is reconnecting after sleep or something like that?
13:50 <+Eugene> Yup. Read about --ping-restart in the man page
13:50 <+Eugene> That is a normal reconnection attempt
14:04 < gringotts> Hello, I'm setting up openvpn with PAM authentication. My question is, do I still need to use add certs to the openvpn server if i am using ldap auth?
14:09 <+Eugene> gringotts - user-password authentication(via --auth-user-pass and a PAM/LDAP/whatever backend) and x509 client certificate verification(via --ca on the server) are independent: you can do one, both, or neither(dont do this)
14:09 <+Eugene> openvpn doesn't care
14:10 <+Eugene> To answer your question better: yes, it is a pretty normal setup to skip client certs when using a LDAP backend. How do you want it to be? ;-)
14:12 < gringotts> I guess my understanding with pam auth is still a little hazy. So I would still need server certs but can fully bypass server certs if I use PAM?
14:13 <+Eugene> Assuming you mean client certs, yes, that's pretty normal.
14:13 <+Eugene> Cert-based rollouts are good for computers(no human interaction), such as site-to-site links. User-pass rollouts are good for, well, users. They're dumb and don't understand certificates
14:13 <+Eugene> !book
14:13 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) a troubleshooting guide for OpenVPN by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
14:14 <+Eugene> There's some good recipes ^
14:14 < gringotts> server, client*
14:14 < gringotts> yessssssss
14:14 < gringotts> thanks you!
14:19 < gringotts> Eugene: I had no idea you could do an anonymous vpn service
14:19 < gringotts> Thats crazy
14:19 < gringotts> Lol thanks for the info
14:20 <+Eugene> Not a good idea ;-)
14:20 < gringotts> For sure, It's just that it kinda defeats the purpose of vpn lol
15:03 < Celmor> Eugene, from the log output, as this is often the last message for a while until finally "TLS: Initial packet" is displayed, this is the server more or less terminating the connection, but what does " client-instance restarting" mean then? there is a client-instance in the server for receiving connections from clients?
15:39 <+Eugene> Celmor - the server maintains a "connection" for each client that connects. If it times out or a new client connection replaces it, then it is killed-off
15:59 < Celmor> that far I got myself, I just don't know what it means by "client-instance restarting" exactly
21:08 < lkthomas> hey all
21:08 < lkthomas> my openvpn client could connect to openvpn server just fine and access 10.0.0.0/24 network without problem
21:08 < lkthomas> but anything beyond 10.0.0.0/24 network can't be reach
21:08 < lkthomas> should I use push route ?
--- Day changed Tue Mar 14 2017
02:36 < cbauer> how do I disable the setup of network routes on the client?
02:40 < cbauer> nvm, found https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
02:40 <@vpnHelper> Title: IgnoreRedirectGateway – OpenVPN Community (at community.openvpn.net)
03:40 -!- Vampire0_ is now known as Vampire0
03:58 < absynt> any advice how i would test a managment-interace-parser beside emulating the interface my self with nc or something?
04:30 -!- vamiry_ is now known as vamiry
05:04 -!- vamiry_ is now known as vamiry
05:18 < _ADN_> Hi Guys
05:19 < _ADN_> can openvpn be install in a docker swarm?
05:19 < _ADN_> in docker containers they work fine but when I try to move it to swarm it is not possible because of the --cap-add NET_ADMIN
07:19 < KaiForce> I'm trying to configure my clients to continuously attempt to reconnect in the event a disconnect occurs for any reason, but what happens sometimes is the client just dies instead.  I don't see this question answered on the web - just other similarly confused users.  I'm on Linux and it may have something to do with the interaction between the privilege downgrade and the persist options?  My...
07:19 < KaiForce> ...client config is http://pastebin.com/eMmLK219
07:30 <@plai> !LOG
07:30 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
07:31 <@plai> !log-file
07:31 <@plai> !logfile
07:31 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
07:31 <@plai> KaiForce: logfile would be more interesting
07:31 < KaiForce> plai: ok, I can recreate this I think
07:32 < KaiForce> based on my config, infinite attempts to reconnect should be working??
07:32 <@plai> that is the default, yes
07:33 < KaiForce> ok thanks plai, I will set verb to 5 and try to recreate this problem
07:35 -!- david is now known as Guest1590
07:35 < cbauer> can I specify a custom route in my config to be added when connecting to the server?
07:36 <@plai> yes
07:36 <@plai> see route command
07:38 < cbauer> plai: can a value for that command be replaced depending on what IP the server side of the tunnel gets?
07:38 <@plai> cbauer: have you read the manpage already?
07:39 <@plai> !man
07:39 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
07:40 < cbauer> I would change that text, clicking that links opens the URL including the trailing ',' and therefore get a 404 error
07:41 <@plai> that seems client specific
07:41 <@plai> my client does not include the ,
07:42 <@plai> but thanks
07:42 < cbauer> at least my irc client (kvirc) does that
07:42 < cbauer> asked in their channel if that behavior is normal
07:43 <@plai> !learn man you can also do 'man openpvn' on a Unix system with OpenVPN installed
07:43 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
07:43 <@plai> !learn man as 'man openpvn' on a Unix system with OpenVPN installed
07:43 <@vpnHelper> Joo got it.
07:45 < cbauer> is a --option-name always also accepted in the config as 'option-name'?
07:45 < cbauer> at least those that make 'sense'
07:45 <@plai> yes
07:45 <@plai> always :)
07:45 < cbauer> the order does matter?
07:45 < cbauer> on which line in the confnig
07:46 < cbauer> config*
07:46 <@plai> for most options it does not matter
07:46 <@plai> for route it is the order in which the routes are added
07:49 < cbauer> i.e. for 'auth-nocache' or 'route-nopull' which I've just added to my config
07:50 <@plai> unless explicitly stated order does not matter
07:52 < cbauer> ok, thanks
07:54 <@ecrist> order doesn't matter for routes, either - the system will take the lowest cost most direct route
07:54 <@plai> ecrist: unless you have routes with dns names that need to be resolved ;)
07:54 <@ecrist> wtf?  who does that?
07:55 <@plai> sometimes I do
07:55 <@plai> route www.foo.bar vpn_gateway
07:55 -!- plai was kicked from #openvpn by ecrist [shame on you]
07:55 -!- plai [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
07:55 -!- mode/#openvpn [+o plai] by ChanServ
07:55 <@plai> hey!
07:55 <@plai> that is useful
07:55 <@plai> instead of hardcoding ip addresses
07:56 <@plai> or route pass.telekom.de net_gateway
07:56 <@ecrist> www.foo.bar is going to lead you to a false sense of security
07:56 <@plai> (my lte traffic website)
07:56 <@ecrist> think of all the site CDNs and such that won't get globbed into that VPN transit
07:56 <@plai> where connections need to be over non vpn connection
07:56 <@plai> ecrist: I know
07:59 <@ecrist> I didn't even know you could use a DNS name in your routing table.
07:59 <@ecrist> Is that a linux thing?
07:59 <@plai> ecrist: no openvpn resolves the name for you
08:04 <+rob0> you can use a name, but it has to resolve to exactly one IP address
08:05 <+rob0> well, I don't know what happens if it resolves to two or more
08:27 < FlyingPersian> hi. I've setup openvpn in a FreeNAS jail and I basically copied over the install from an older jail, in which it worked perfectly fine. Now, in the new jail, I can successfully connect with my clients, but I cannot ping any of the IPs outside the vpn subnet, thus my normal home network. I'll post my logs and configs in a sec
08:29 < FlyingPersian> server.conf: http://pastebin.com/B04TtM6e
08:31 < FlyingPersian> openvpn.log: http://pastebin.com/HtTewq7d
08:33 < FlyingPersian> client.ovpn: http://pastebin.com/umUf11yS
08:33 < FlyingPersian> let me know if you need more
08:35 < FlyingPersian> firewall: http://pastebin.com/HtTewq7d
08:36 < FlyingPersian> line 253 of the log ends with an error
08:38 < FlyingPersian> startup: http://pastebin.com/ZDy76q7P
08:39 <@ecrist> FlyingPersian: net.inet.ip.forwarding -> 1
08:39 < FlyingPersian> where?
08:39 <@ecrist> sysctl
08:39 < FlyingPersian> so I should add this to the startup script?
08:39 <@ecrist> also, make sure the traffic is allowed in the firewall rules.
08:40 <@ecrist> FlyingPersian: log in via ssh and run:  sysctl -a | grep forwarding
08:40 < FlyingPersian> net.inet.ip.forwarding: 1
08:40 < FlyingPersian> net.inet.ip.fastforwarding: 0
08:40 < FlyingPersian> net.inet6.ip6.forwarding: 0
08:40 <@ecrist> ok, so that works
08:40 <@ecrist> now, make sure your firewall allows the traffic 
08:40 < FlyingPersian> http://pastebin.com/wZ23QH98
08:41 < FlyingPersian> sorry, posted the wrong link to the firewall
08:41 < FlyingPersian> firewall should be fine
08:41 < FlyingPersian> the firewall rules are called on every boot
08:42 < FlyingPersian> in the log, the command at line 250 seems to fail
08:42 < FlyingPersian>  /sbin/route add -net 192.168.178.8 10.8.0.1 255.255.255.0 <-- this command
08:42 <@ecrist> do you have natd running?
08:43 < FlyingPersian> ehm
08:43 < FlyingPersian> it doesn't show up in top
08:43 <@ecrist> ipfw requires natd
08:43 <@ecrist> also, that command looks backwards
08:43 < FlyingPersian> the firewall seems to be fine, hang on
08:44 <@ecrist>  /sbin/route add -net 10.8.0.1 255.255.255.0 192.168.178.8
08:44 <@ecrist> in order for ipfw to successfully nat traffic, the natd service is required.
08:44 < FlyingPersian> root@vpn:/openvpn # ipfw list
08:44 < FlyingPersian> 00100 nat 1 ip from 10.8.0.0/24 to any out via epair4b
08:44 < FlyingPersian> 00200 nat 1 ip from any to any in via epair4b
08:44 < FlyingPersian> 65535 allow ip from any to any
08:44 < FlyingPersian> okay and how do I make natd start?
08:45 <@ecrist> !notovpn
08:45 <@ecrist> :)
08:45 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
08:48 < FlyingPersian> hang on, need to reboot the entire server
08:48 < FlyingPersian> stupid tun and epair keep changing when I reboot the jail only
08:49 < FlyingPersian> oh I think I need to activate NAT in the jail settings then :P
11:27 < pos> Using the easy-rsa scripts, is it possible to sign a certificate with multiple CNs? like domain.tld and www.domain.tld?
11:31 < pos> subject alt names, ofc
11:31 < asand> I'm having terrible performance problems after updating my windows client. 2.4.0 & 2.3.14 are really bad. Rolling back to 2.3.10 is OK. I have not bisected further. Does this ring any bells with anyone?
11:35 <@plai> no
11:50 <@ecrist> nope
11:56 < asand> Let me try to re-phrase the problem - After just a few network connections traffic seems to stall. Loading or refreshing a single web page will work, but trying to do multiple things at once seems to cause all connections to block.
12:11 <@ecrist> what protocol is your VPN using?
12:12 < asand> UDPv4 to PIA
12:16 <@plai> !vpn-support
12:16 <@plai> !factoids
12:16 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
12:17 <@plai> See also
12:17 <@plai> !vpnproviders
12:17 <@vpnHelper> "vpnproviders" is (#1) A list of VPN providers you really need to be careful with ... https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa, or (#2) Not convinced? See !pure
12:18 <@plai> argh
12:18 <+rob0> both
12:18 <@plai> !paidvpn
12:18 <@vpnHelper> "paidvpn" is We are very reluctant to help you if you use a (commerical) VPN provider since we do not want to be their unpaid support team. See also !both
12:18 <+rob0> !both
12:18 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
12:19 <+rob0> that said, sounds like this could be of interest on the -devel list
12:25 < asand> fair enough...
12:42 <+rob0> did you contact PIA support yet?
13:12 < IamPloprof>  Hi, I cannot add a new vpn using a .ovpn file in Fedora 25 using the network manager, I get the following error Error: Key file contains the line 'client' which is not a key-value pair,group, or comment. However I can manually connect to the vpn using the command line with openvpn. Any advice ?
13:17 <@ecrist> who is PIA?
13:35 <+rob0> private internet access?
13:36 <+rob0> IamPloprof, since openvpn works, your problem is with NM, and we don't recommend nor support NM here.
13:37 < IamPloprof> ok fair enough thank you
13:37 < skyroveRR> IDK how people live with software like NM...
13:37 <@ecrist> !netman
13:37 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list, or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
14:07 -!- Vampire0_ is now known as Vampire0
14:12 < UbAh> I hope this is an acceptable place to ask for help.  My CA and server certs expired, and i was able to renew my ca cert using the old ca key in the hopes I wouldnt have to update all the user keys.  For the server.crt I tried "openssl req -new -config /etc/openvpn/server.conf -keyout server.key -out server.req" but it complains about the config file so thats not what was used to make it originally with the build script
14:13 < UbAh> where does the original conf get stored when you create the keys using the initial build tools
14:48 <@dazo> !forget netman
14:48 <@vpnHelper> Error: 2 factoids have that key.  Please specify which one to remove, or use * to designate all of them.
14:48 <@dazo> !forget netman *
14:48 <@vpnHelper> Joo got it.
14:49 <@dazo> !learn netman as NetworkManager can in some environment be challenging, but these days it usually works fine.
14:49 <@vpnHelper> Joo got it.
14:50 <@dazo> !learn netman as NM will not work too well with server configurations, it is aimed at client configurations and is sensitive to the overall network connectivity and requires a logged in user session
14:50 <@vpnHelper> Joo got it.
14:51 <@dazo> !learn netman as If OpenVPN works from the command line but not NM, see this wiki: https://wiki.gnome.org/Projects/NetworkManager or ask on #nm
14:51 <@vpnHelper> Joo got it.
14:51 <@dazo> !netman
14:51 <@vpnHelper> "netman" is (#1) NetworkManager can in some environment be challenging, but these days it usually works fine., or (#2) NM will not work too well with server configurations, it is aimed at client configurations and is sensitive to the overall network connectivity and requires a logged in user session, or (#3) If OpenVPN works from the command line but not NM, see this wiki:
14:51 <@vpnHelper> https://wiki.gnome.org/Projects/NetworkManager or ask on #nm
14:55 <@dazo> !forget netman *
14:55 <@vpnHelper> Joo got it.
14:55 <@dazo> !learn netman as NetworkManager usually works fine, but can have some challenges in som env
14:55 <@vpnHelper> Joo got it.
14:55 <@dazo> !learn netman as Ensure you run a reasonably recent NM version
14:55 <@vpnHelper> Joo got it.
14:55 <@dazo> learn netman as NM is aimed at client configurations and requires a logged in user session and is sensitive to instable unstable networks
14:55 <@dazo> !netman
14:55 <@vpnHelper> "netman" is (#1) NetworkManager usually works fine, but can have some challenges in som env, or (#2) Ensure you run a reasonably recent NM version
14:56 <@dazo> learn netman as NM is aimed at client configurations and requires a logged in user session and is sensitive to instable unstable networks
14:56 <@dazo> !netman
14:56 <@vpnHelper> "netman" is (#1) NetworkManager usually works fine, but can have some challenges in som env, or (#2) Ensure you run a reasonably recent NM version
14:56 <@dazo> !learn netman as NM is aimed at client configurations and requires a logged in user session and is sensitive to instable unstable networks
14:56 <@vpnHelper> Joo got it.
14:56 <@dazo> !netman
14:56 <@vpnHelper> "netman" is (#1) NetworkManager usually works fine, but can have some challenges in som env, or (#2) Ensure you run a reasonably recent NM version, or (#3) NM is aimed at client configurations and requires a logged in user session and is sensitive to instable unstable networks
14:56 <@dazo> !learn netman as If OpenVPN works from the command line but not NM, go to #nm or https://wiki.gnome.org/Projects/NetworkManager
14:56 <@vpnHelper> Joo got it.
14:56 <@dazo> !netman
14:57 <@vpnHelper> "netman" is (#1) NetworkManager usually works fine, but can have some challenges in som env, or (#2) Ensure you run a reasonably recent NM version, or (#3) NM is aimed at client configurations and requires a logged in user session and is sensitive to instable unstable networks, or (#4) If OpenVPN works from the command line but not NM, go to #nm or https://wiki.gnome.org/Projects/NetworkManager
15:10 < _ADN_> I have the file ipp.txt on the server but the client is not taking the address specify there
15:10 < _ADN_> any ideas
15:14 < _ADN_> changing the ipp.txt it always assign to my client two IPs above it
16:18 < TheJudge> hello all:)
16:19 < TheJudge> i just installed openvpn client on windows7
16:19 < TheJudge> and iexplorer not working
16:19 < TheJudge> on mac in working but here no
16:19 < TheJudge> any clue?
21:20 -!- poster is now known as Poster
22:20 < chandoo> hi
22:20 < chandoo> is this firewall easy to use at home network? "Fortinet Fortigate 60 Firewall"
--- Day changed Wed Mar 15 2017
00:31 <+Eugene> chandoo - openvpn is not a firewall; I don't believe that fortinet firewalls support openvpn, and they are not open-source platforms. Sorry.
03:06 -!- Vampire0_ is now known as Vampire0
05:06 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
07:27 -!- vamiry_ is now known as vamiry
07:59 < wasutton3> So i've got a linux server running as my openvpn server, and a dd-wrt router working as a client. DDWRT has an option for "hash algorithm" (currently set to SHA-1). I havn't been able to find any matching setting on the server side that uses SHA1, is it a client only configuration?
08:17 < cbauer> what's 10.8.0.1 for if I only need the IP of the endpoint of the vpn server (10.8.0.9 if I have a 10.8.0.8/30 network)
08:17 <+rob0> why are you using /30?
08:18 <+rob0> !/30
08:18 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
08:19 < DArqueBishop> !topology
08:19 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
08:41 < cbauer> because it seems to be still the default in the windows client
09:33 < wasutton3> in the openvpn docs, i see references to "ccd" is that the client configuration file?
09:33 < DArqueBishop> wasutton3: yes.
09:33 < wasutton3> ok
09:33 < DArqueBishop> Or, rather...
09:33 < DArqueBishop> Wait.
09:34 < DArqueBishop> !ccd
09:34 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
09:34 < wasutton3> ah, gotcha
09:35 < DArqueBishop> Sorry, misunderstood your question.
09:35 < wasutton3> no worries.
09:53 < wasutton3> what should the permissions for the ccd directory and files be?
10:06 -!- poster is now known as Poster
10:19 <+rob0> rwx for root, r-x for the openvpn --user or --group, either --- or r-x for others (your choice)
10:20 < wasutton3> gotcha
10:20 -!- DeathShot_ is now known as DeathShot
11:13 -!- BrianBlaze420 is now known as BrianbBlaze420
11:14 -!- BrianbBlaze420 is now known as BrianBlaze420
12:34 -!- |Mike| [mike@phrack.nl] has quit [Ping timeout: 240 seconds]
15:35 < _ADN_> Hi Guys
15:35 < _ADN_> Management port
15:36 < _ADN_> is there a way to check the port 1194 is up?
15:37 < _ADN_> from management tool there is no specific place where it is said the port 1194 is up
15:46 <+rob0> The only sure way to test udp/1194 is with an authorized openvpn client.
15:47 < vasundhar> How to configure a openvpn server, that itself is an openvpn client for another openvpn
15:47 <+rob0> I guess that question would depend on what problem you encountered when trying it?
15:49 < vasundhar> rob0 is that in response to me ?
15:49 <+rob0> It's quite possible to have multiple openvpn instances on the same machine.  Why not?
15:54 < vasundhar> My Existing SSH seems to be getting dropped as I connect openvpn as client
15:56 <+rob0> if the client instance pulls a --redirect-gateway, sure, there are problems.  You redirected the gateway.
15:57 <+rob0> but ... I have no way to know this!  I can't read your mind.
15:57 <+rob0> Did you read the /topic?  It's very useful.
15:58 < vasundhar> TAP/bridging is almost always a bad idea - This part ?
16:32 < jdipierro> !welcome
16:32 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
16:32 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
16:33 < jdipierro> !howto
16:33 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
17:05 -!- david is now known as Guest26501
19:28 < rocktop> I would like to convert my server to be a vpn access point could anyone guide me ?
21:23 < compsman> hey, how everyone?
21:25 < compsman> i read that mssfix is for tcp correct?
--- Day changed Thu Mar 16 2017
05:45 < cbauer> could it be that openvpn is not sending packets through the tunnel that don't have the tap devicece's IP address as the source?
05:45 < cbauer> https://i.imgur.com/npOuaWb.png
07:39 <@ecrist> cbauer: it doesn't quite work that way
07:40 <@ecrist> at the application level, communication will need to be made with XYZ external host.  The application puts together the data, and passes it to the kernel
07:40 <@ecrist> the kernel handles the routing table lookup to determine the lowest cost route to the destination
07:41 <@ecrist> the source IP is typically only defined once a route has been selected on a multi-homed system.
07:42 < cbauer> the source IP should be static and only changed if a SNAT is used
07:42 < cbauer> from my understanding
07:46 <@ecrist> not necessarily
07:46 <@ecrist> for example, if you make a connection to localhost, the system will set the source address to the localhost address
11:01 < a1fa> is it possible to check remote openvpn certificate using openssl command or openvpn?
11:03 <@dazo> Alesk13: what do you mean with "remote certificate"? .... do you have a copy of it?  Or you want to validate/dump the certificate used by the remote side?
11:04 <@dazo> (validate/dump ... on the fly during connection, I mean)
11:05 < a1fa> dazo: wonder if it is possible to see remote certificate without knowing anything about the box
11:07 <@dazo> a1fa: on the server side, you can deploy a --tls-verify script, where you get a lot of the details as env. variables in that script.  This can be extended to use --tls-export-cert, where you declare a directory the client certificates can be read during the life time of the --tls-verify script too
11:11 < a1fa> how about client side dazo?
12:03 <@dazo> a1fa: no such features exists there, afair
13:58 -!- poster is now known as Poster
14:01 < wasutton3> would it be wise to have a CA on a VPS somewhere? or should that be in a more controlled environment?
14:05 <+rob0> no and yes.  Not just for security, but because virtual machines have no native source of entropy.
14:09 < wasutton3> that is true. I was eyeballing AWS, and it seems that they don't have an entropy problem
14:09 < wasutton3> https://security.stackexchange.com/questions/44241/how-can-you-securely-generate-keys-on-aws
14:09 <@vpnHelper> Title: key management - How can you securely generate keys on AWS? - Information Security Stack Exchange (at security.stackexchange.com)
15:11 -!- mode/#openvpn [+b *!*@gateway/web/irccloud.com/x-cpoecyiomudgbjrq] by ChanServ
15:11 -!- cek was kicked from #openvpn by ChanServ [Banned: soliciting money, general douche-baggery]
16:36 < ljvb> yo
17:06 < ljvb> hmm.. can the non commercial version be load balanced for HA...
17:25 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has quit [Quit: ZNC - http://znc.sourceforge.net]
17:26 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
17:26 -!- mode/#openvpn [+v hyper_ch] by ChanServ
19:02 < ljvb> lively bunch tonight
20:50 < sunrunner20> is t here documentation somewhere that lists what events are listed at what log levels?
20:51 < sunrunner20> I'm not sure how to phrase my google query to find results for that
20:52 <@ordex> sunrunner20: errlevel. is probably your best documentation
20:52 <@ordex> errlevel.h
20:52 < sunrunner20> was hoping not to have to dig though source code
20:52 < sunrunner20> oh well
20:53 < sunrunner20> splunk has 53k openVPN events for today and there were only two active clients
20:54 < sunrunner20> granted my phone generates 20+ events everytime I think about it
21:04 <@ordex> sunrunner20: sound slike the verbosity level is quite high, no ?
21:04 < sunrunner20> set to 3 I think
21:04 < sunrunner20> let me check
21:04 <@ordex> btw, this source file is a mere list of levels
21:05 <@ordex> could be copy/pasted in a wikipage without being changed (almost)
21:05 <@ordex> sure
21:11 < sunrunner20> yea
21:11 < sunrunner20> 3
21:35 < sunrunner20> ordex, read that, unfortunately it left me with more questions than answers.
21:46 < sunrunner20> what are the risks of --mute-replay-warnings ?
21:47 < sunrunner20> anything byond the obvious 'can't see somebody trying a replay attack'
21:52 < sunrunner20> well thats a first
21:52 < sunrunner20> just got my 'lets play car shuffle' from my BIL
21:53 < sunrunner20> I park behind his track car, apparently he needs it tomorrow. So I dropped my keys off on the kitchen table.
21:55 < sunrunner20> I trust that he can manage not to fuckup his old car parking it in the neighbors driveway
22:00 < sunrunner20> oh
22:00 < sunrunner20> wrong channel
--- Day changed Fri Mar 17 2017
01:56 < DarkSector> Hello! If I have a ubuntu VM running on my Mac (host) in bridged configuration, should I install OpenVPN in bridged mode? Or is it meant for the device that does the bridging (In this case, my mac)?
02:15 < zZap-X> i have created 2x openvpn servers, 1x for WLAN users and 1x for WAN users, however, when i run both servers at the same time, 1x of the servers will not connect the clients, depending on what server started first
02:15 < zZap-X> if i run the servers 1 at a time, they work fine
02:15 < zZap-X> both servers use the same tunnel network: 10.10.3.0/24
02:16 < zZap-X> should each server use a different tunnel network?
04:17 < cbauer> for some reason the openvpn client times out or just doesn't function anymore after some time until I press enter in the terminal window I started it from after which it printed this: https://ptpb.pw/GeNm
04:17 < cbauer> and the connection seemed to work again (dropped shortly after then and now works again)
04:22 < cbauer> I connect to my irc server through that connection, this is the output of that session (see time codes and *Connection* messages) e
06:49 < _ADN_> the ipp.txt file assign a /30 so if I assign a "fix" ip it will always assign the ipp.txt IP + 2
06:50 < _ADN_> is there a way to avoid this? or is it through ccd?
07:09 <@ecrist> !topology
07:09 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
07:27 <@ecrist> _ADN_: that as directed at you
07:28 < _ADN_> ok
07:28 < _ADN_> thanks ecrist
07:28 < _ADN_> toppology subnet
08:58 < KaiForce> I'm about to replace a PKI for a bunch of servers, and I seem to remember something about not running a root CA on a VM.  Before I generate all these keys, is that recommendation related in any way to the quality of the keys it would generate, or is it more because of securing the CA?
09:02 <+rob0> possibly both.  A VM has no native source of entropy.  If your crypto random numbers are guessable, the whole PKI might possibly be compromised.
09:07 < cbauer> depends on the hypervisor, for qemu you can use virtio for the entropy source using paravirtualization
09:15 < KaiForce> It is on ESXi, however I could easily move it to a physical box to gen the keys.
09:19 < cbauer> do that
09:37 < cbauer> I see "[Server-PC] Inactivity timeout (--ping-restart), restarting" in the log, where is that inactivity timeout specified? I have an irc connection open with usually pings through the tunnel so how can it timeout?
09:59 < bAldur01> !welcome
09:59 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
09:59 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
12:39 < mjt> hi. I'm trying to establish an openvpn connection between a phone and our linux server. the prob is that there's almost no data being received from the phone, except of rare "UDPv4 READ [53] from [AF_INET]46.242.74.230:35137: P_DATA_V1 kid=0 DATA len=52" and "IP packet with unknown IP version=15 seen" - that's the only data being received from the device, What can be the prob, something wrong with the encrypt
12:39 < mjt> ion perhaps?
12:40 < mjt> (and the device reconnects periodically, too)
12:42 < mjt> http://paste.debian.net/922349/ -- it warns about mismatched parameters
12:43 < mjt> but it looks more like the other end didn't provide any parameters at all
12:51 < mjt> compression, the phone forcibly enables compression
14:21 < mad93> !welcome
14:21 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
14:21 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
14:25 < mad93> Hi, I'm trying to figure out some connection issues with a bunch of clients and I've enabled log verbosity to 5. After some clients connections I've a line full of WRwr (150k chars and growing up). Seems like it'll never end. You know what I could check?
14:27 < klow> Heya .. for lz4 compression ,  should a 2.4+ client and server autonegotiate that if I dont specify the compression type?
14:32 <@ecrist> mad93: setting to verb 5 enables those messages
14:32 <@ecrist> verb 5 is not what you should set for a normally operating VPN
14:32 <@ecrist> verb 4 is typically sufficient for troubleshooting.
14:34 < mad93> I'm trying to figure out why from 200 clients, 30 go dark simultaniously, just don't know what to look
14:34 <@ecrist> mad93: what do their client logs show?
14:34 < mad93> TLS handshake failed
14:35 < mad93> received, client-instance restarting
14:35 <@ecrist> so, that sounds like a connection timeout
14:35 <@ecrist> how many clients do you have on a single server?
14:35 <@ecrist> the max recommended is about 200, depending on hardware
14:35 < mad93> XD
14:35 <@ecrist> OpenVPN is massively single-threaded
14:35 < mad93> 195
14:36 <@ecrist> so, if you have a slow-ish processor, it might not be getting to the end of the queue fast enough
14:36 < mad93> 150 on one port and 50 on another
14:36 < mad93> I've setup a second server on the same machine, it's a bad solution
14:36 < mad93> ?
14:36 <@ecrist> no, again, depending on the hardware
14:38 < mad93> I don't see a heavy cpu performance, less tha 1% from openvpn usally
14:38 <@ecrist> so that's not likely the issue.
14:38 <@ecrist> in order to help we'd need to know more
14:38 <@ecrist> !logs
14:38 < mad93> top stats are 0,76 1,05 1,14 (just restarted the openvpn instance)
14:38 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
14:39 <@ecrist> um, that's not 1%, that 76%, 105%, 114%
14:39 < mad93> yeah sorry, was talking only about openvpn load
14:39 < mad93> there are a java program and a mysql server too on this server
14:39 <@ecrist> how many CPUs?
14:40 < mad93> 4 cores
14:40 <@ecrist> cat /proc/cpuinfo | grep -c processor
14:41 < mad93> Xeon E3-1220v3
14:42 < filleoku1> Hi! I'm wondering if it's possible to configure the iOS client to use a HTTP-proxy _inside_ of the tunnel? I want to use it for debugging purposes of an application
14:43 <@ecrist> filleoku1: cart/horse
14:43 <@ecrist> that's like eating your own stomach
14:44 < filleoku1> How come? I'm on a locked down network which don't allow LAN-connections, so I'm using the VPN to connect my iOS-device with my computer where I'm running the proxy
14:45 < filleoku1> (With LAN-connections I mean local communication between two clients, hence the need to go via the VPN)
14:47 < mad93> @ecrist logs with the error from server side http://pastebin.com/6Ch4td1P
14:48 < mad93> with the errors on the client side.... are on ranges to 50 to 1000 Km don't have access to them right now (the ones giving problems)
14:48 <@ecrist> mad93: it looks like things just timed out
14:49 <@ecrist> I don' see anything obviously wrong in the logs
14:49 < mad93> yeah... what is strange is the 30 clients or so going dark at the same time
14:50 <@ecrist> that's what leads me to believe a threading issue
14:50 < mad93> they are located at kilometers of distance from each one (hundreds), so they not share 'local' problems
14:50 <@ecrist> but at some point there is network convergence
14:50 <@ecrist> unless your VPN server is infinitely multi-homed
14:52 < mad93> I understand your point, we have an average to 35 to 50 clients disconnected by horrible connections
14:52 < mad93> suddenly became 100, but I've rebooted the openvpn several times and at some point I've recovered those clients
14:52 <@ecrist> My suggestion is to reverse your thinking - don't focus on what your problem isn't, open up to what your problem might be, until you rule it out
14:55 < mad93> I've checked also the firewall (physical one) looking for droped or blocked packages, but no luck
14:56 < mad93> one reason could be due cpu load? Not fast enought to give response?
14:56 < mad93> I can try to shutdown other services if this is possible cause
15:00 <+rob0> what is a "physical firewall"?  There are only software firewalls, some which give you full control, some which don't.
15:04 < MacGyver> rob0: Untrue, physical firewalls exist. Different context, though.
15:04 <+rob0> hehe, well, yeah
15:04 < BtbN> Well, they are just black boxes with an unknown firewall software on it.
15:04 < MacGyver> That's not what I meant.
15:05 <+rob0> in a car, the engine compartment and passenger compartment are separated by a physical firewall
15:09 < mad93> rob0 just saying its a dedicated machine, not a software program on the server
15:18 < Zachdr1234> Hello, is there anyone here that can help me fix openvpn? For some reason my client can't connect to the internet after connecting to the server
15:19 < Zachdr1234> I posted this on reddit, is has more details about my situation
15:19 < Zachdr1234> https://www.reddit.com/r/OpenVPN/comments/5zywn8/cant_connect_to_the_internet_through_openvpn/
15:19 <@vpnHelper> Title: Can't connect to the internet through openVPN : OpenVPN (at www.reddit.com)
15:23 <+rob0> !redirect
15:23 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
15:23 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
15:23 <+rob0> ^^ flowchart
15:25 < Zachdr1234> thanks for the reply
15:25 < Zachdr1234> how do i enable nat?
15:26 < Zachdr1234> !nat
15:26 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
15:26 < Zachdr1234> !linnat
15:26 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:28 < Zachdr1234> Okay so I've used the iptables, I've forwarded port 1194, and I amd using push "redirect gateway def1"
15:48 < Zachdr1234> Could anyone help me? I tried ip forwarding but it still wont work for some reason.
15:49 < klow> did you enable ipv4 forwarding ?
15:52 < Zachdr1234> klow: that worked! I thought I did that before but I guess I did something wrong. Thank you so much I've been trying to figure this out for hours
15:52 < Zachdr1234> Will I have to enable that in the future?
16:03 < klow> I have always put the echo ipv4_forwarding or whatever it is into my up.sh script
16:03 < klow> but im not 100% sure if thats the correct process
16:04 < klow> hey all,  Im  trying to enable lz4 compression and Im unsure if I need to enable it on server,  client, or both.  Im using 2.4.x server and clients mostly (but also the iOS client) ..  is this all possible ?
16:53 < crised> I just set up an openvpn server, I connect with ubuntu as a client, I can ping the www, but can't browse, any ideas?
18:44 < ak2766> good morning/afternoon/evening/night
18:45 < ak2766> i'm having a problem with openvpn on ubuntu 16.04 (fresh install) whereby the I connect to remote server but the tunnel doesn't get an IP Address
18:45 < ak2766> anyone seen this before?
18:50 < ak2766> here's the error in the the logs - http://pastebin.com/9y4bQSwC
18:50 < nacelle> klow and Zachdr1234: most people put that setting in /etc/sysctl.conf so that it persists through reboots
18:51 < nacelle> (true for Linux and the BSDs)
18:52 < nacelle> ak2766: does the UID/GID in use have permissions to write to the tun0 device?
18:54 < ak2766> nacelle: the odd thing is that if I attempt to reconnect several times, I'll eventually get an ip address...
18:54 < ak2766> but mostly, i connect (I get the notification on the desktop that I'm connect), but ip l l tun0 shows no ip and interface in down state...
18:55 < nacelle> oh ok not that then, do you have conflicting route statements maybe?
18:56 < zoredache> ak2766: I see lots of `write to TUN/TAP : Input/output error (code=5)` errors, I am not certain,  but I think that is some kind local permissions error?
18:56 < nacelle> !welcome
18:56 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
18:56 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
18:57 < nacelle> !goal
18:57 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:57 < ak2766> none at all - I do have a script that does stuff after I connect (in /etc/network/if-up.d) - but no conflicting routes...
18:57 < nacelle> are you using tap?
18:57 < nacelle> it says tun
18:57 < nacelle> but.. thats weird.
18:58 < nacelle> would be asier to just see your configs I think :-)
18:58 < nacelle> oh I see the tun thing, its right there
18:58 < nacelle> (line 14 even)
18:59 < ak2766> frankly, I simply installed the openvpn packages and configured vpn via the gui - but from reading a little, i believe it to be tun as tap seems to be for site-to-site vpn - correct if I'm wrong please...
18:59 < nacelle> its tun
18:59 < nacelle> your output one line 14 shows that on the server
18:59 < nacelle> would be easier to just see your config file on a pastebin if possible
18:59 < ak2766> since i've configured via gui, where's the config file saved?
19:00 < nacelle> somewhere in /etc/openvpn?
19:00 < nacelle> https://help.ubuntu.com/community/OpenVPN
19:00 <@vpnHelper> Title: OpenVPN - Community Help Wiki (at help.ubuntu.com)
19:01 < ak2766> one sec...
19:01 < nacelle> https://help.ubuntu.com/lts/serverguide/openvpn.html
19:01 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com)
19:01 < nacelle> going off those, I dont run it on ubuntu myself, but thats not your problem, just a config issue somewhere I think
19:02 < ak2766> i only see one file in /etc/openvpn - update-resolv-conf
19:02 < ak2766> and only arguments listed in /etc/default/openvpn
19:03 < zoredache> I get the GUI seems like it would be nice and all, but just scrap that network manager junk and use a text editor.
19:04 < ak2766> nothing in /var/lib/openvpn either
19:04 < ak2766> zoredache: i hear you, but sometimes the GUI makes us all lazy in the end...
19:05 < nacelle> what are the arguments in the /etc/default/openvpn file?
19:05 < ak2766> nacelle: let me do some reading on nm-openvpn and get back shortly...
19:06 < zoredache> nacelle: on a deb/ubuntu system that file is used by the systemd service or init script to specify which vpn configs from /etc/openvpn to autoload.  By default it will be everything.
19:06 < nacelle> thank you.  I would make a suggestion to use a static config file so you know whats going on in the face of upgrades and the dist maintainers changing vpn settings on the server side, but ymmv.
19:06 < nacelle> zoredache: I get that
19:06 < nacelle> thats why I want to look at it :-)
19:07 < zoredache> I am still betting it is a permissions issue given all the error=5 stuff spamming the logs
19:07 < nacelle> if that was so the occasional connection wouldnt work
19:07 < ak2766> ok - let me paste that file...
19:07 < nacelle> my guess, from some bad googling, is that its related to having two conflicting push route statements in the server config
19:08 < nacelle> (assuming that it really did connect at some point, etc.)
19:10 < ak2766> here you go: http://pastebin.com/Bv8tR3th
19:12 < ak2766> nacelle: that route conflict might indeed be correct - as I see in the logs the ip i normally get - 10.64.192.65 - but it doesn't apply - weird as...
19:15 < nacelle> hrmm thats definitely not enough for what i'm thinking.  weird.
19:15 < nacelle> (in the config/settings dump/etc.)
19:15  * nacelle shrugs
19:17 < ak2766> ok - I've been trying to reconnect and after 5 attempts, I connected just fine - then disconnected and tried to reconnect again, and it failed...
19:18 < ak2766> I'll have them restart the SoftEther VPN server on the other end to see if it can be resolved...
19:28 < nacelle> oh i thought you were setting up both the client and the server
19:30 < nacelle> http://www.linuxquestions.org/questions/linux-networking-3/networkmanager-openvpn-issue-865094/ try that maybe
19:30 <@vpnHelper> Title: [SOLVED] NetworkManager OpenVpn issue (at www.linuxquestions.org)
19:30 < nacelle> not that that solves anything
19:30 < nacelle> but shows you how to get more debugging info on your client side
19:31 < nacelle> are the 10.x ip addresses on line 14 indicating that you're attempting to specify your private IP before connecting?
19:40 < ak2766> nacelle: rebooting the server end did not fix the problem...
19:40 < ak2766> and before the clean install of ubuntu 16.04 (i ran out of disk space), vpn was working just fine...
19:41 < ak2766> nacelle: thanks for the linuxquestions link - will head on over right away...
19:41 < ak2766> will report back with solution..
19:44 < nacelle> would like to see the enhanced debug logs
21:59 < ak2766> nacelle: i've just realized in my previously paste that I was tailing the logs for openvpn so missed some possibly important information in the paste - see updated link: http://pastebin.com/8cTr6Ay6
22:05 < ak2766> and here's a successful connection: http://pastebin.com/hjh5vqYW
--- Day changed Sat Mar 18 2017
00:15 < ljvb> stupid iphone client won't route my traffic :/
00:46 < daemon> ljvb, thats what you get for using apple products ;)
00:53 < ljvb> I also have an S7
00:53 < ljvb> my personal one, iphone is work one
00:55 < ljvb> still does not explain why I can connect, connect to all local lan resources, and have never been able to route out the the general internet.. ever on the ipnone.. never a problem with the android, laptops and other clients connecting
02:36 -!- alexandre9099_ is now known as alexandre9099
04:12 < julius_> hi
04:12 < julius_> looks like i need to restart openvon to accept chantes to ccd files, is that true?
04:23 < Annie72> !welcome
04:23 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
04:23 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
04:30 < Annie72> !goal sleep for now
04:42 < julius_> my openvpn is already running and working, i changed the ccd file for one of the clients and restarted the client processs...but it still got the old "redirect-gateway" which was defined in its ccd file
04:42 < julius_> why is that?
04:42 < julius_> i did not restart the server process
05:00 -!- vamiry_ is now known as vamiry
08:22 -!- Vampire0_ is now known as Vampire0
08:56 -!- vamiry_ is now known as vamiry
10:33 < zx2c4> WireGuard is in GSoC now, if any of you want to make some money this summer -- https://www.wireguard.io/gsoc/
10:33 <@vpnHelper> Title: Google Summer of Code - WireGuard (at www.wireguard.io)
10:42 < SpaceBass> Hey folks - I'm trying to get avahi working over my site-to-site tunnel. I have the tunnel interface set as the only allowed interface in avahi's conf but it doesn't seem to bind/register. Any tips?
10:44 <+rob0> well, um, that seems like a strange "need".  The point of avahi is autoconfiguration of networks, whereas VPNs always require some manual configuration.
10:44 < SpaceBass> rob0, can you say more about why it's strange?
10:45 < SpaceBass> I think of the point of avahi is broadcasting services, not autoconfiguration of networks
10:45 <+rob0> a tun interface isn't broadcast-capable
10:46 < SpaceBass> Which is the point of an mDNS reflector like avahi, right?
11:45 < bAldur01> hello, what vpn provider can you recommend? I'm searching for a fast and stable one.
12:15 -!- |Mike| [mike@2001:19f0:5001:21c::3] has joined #openvpn
12:31 < BtbN> Rent a VPS and install OpenVPN on it.
12:31 < BtbN> bAldur01 ^
12:35 <+rob0> the problem with that might be to have adequate bandwidth, assuming that to you, "vpn provider" means redirected gateway.
12:36 <+rob0> but yeah, I have only ever been my own VPN provider, so I can't recommnd any
12:50 < BtbN> well, you're not going to sustain crazy high bandwidths via OpenVPN anyway
14:14 -!- F2Knight[away] is now known as F2Knight
15:29 -!- F2Knight is now known as F2Knight[away]
15:51 < _FBi> !seen krzee
15:51 <@vpnHelper> krzee was last seen in #openvpn 5 weeks, 1 day, 2 hours, 9 minutes, and 50 seconds ago: <krzee> !speed
17:37 -!- F2Knight[away] is now known as F2Knight
18:56 -!- F2Knight is now known as F2Knight[away]
19:01 -!- F2Knight[away] is now known as F2Knight
19:03 < |Mike|> _FBi: I have him on LinkedIn if it's urgent.
19:14 < casserole> anyone on
19:14 < casserole> ?
19:16 < |Mike|> Yep.
19:16 < |Mike|> State your question please.
19:18 < casserole> what free vpn is good for p2p
19:22 < |Mike|> Google...
19:22 < |Mike|> This channel is an OpenVPN support channel casserole.
19:22 < |Mike|> See /topic
19:52 <+rob0> heehee
21:24 -!- eb0t_ is now known as eb0t
22:16 -!- F2Knight is now known as F2Knight[away]
--- Day changed Sun Mar 19 2017
00:30 < ljvb> sup
08:49 < jordanca> !welcome
08:49 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
08:49 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
08:52 < jordanca> !goal
08:52 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:53 < jordanca> I would like the list of --tls-ciphers suported on Android.
11:43 < Hrki> hello, i connected to win server which have openvpn server, but on client pc i cannot join domain for that server
11:44 < Hrki> i got AD DC for domain cannot be contacted
11:47 < Hrki> The error was: "DNS name does not exist."
11:47 < Hrki> (error code 0x0000232B RCODE_NAME_ERROR)
11:48 < sovereignentity> No PIA sutpport here righ
11:53 < sovereignentity> right
12:23 < |Mike|> sovereignentity: PIA?
12:23 < |Mike|> Hrki: did you push the domainname?
12:25 < |Mike|> Hrm, I didn't read your question properly :x
12:26 < |Mike|> https://blog.lan-tech.ca/2012/07/25/how-to-join-a-windows-domain-using-a-vpn/
12:26 <@vpnHelper> Title: How to join a Windows Domain using a VPN | LAN-Tech Network Management (at blog.lan-tech.ca)
12:55 < Hrki> |Mike|: strange
12:55 < Hrki> i restart vpn service
12:55 < Hrki> and it works
12:55 < Hrki> i connected domain successful :)
12:55 < Hrki> "joined" :D
12:55 < |Mike|> did you make changes in the mean time?
12:55 < Hrki> maybe because on server is two vpns (one server, and one client)
12:55 < Hrki> |Mike|: no
12:56 < Hrki> that thing bother me because, 4 month ago i joined domain without problem
12:56 < Hrki> and today that problem jumped
12:56 < |Mike|> what did the log tell you?
12:57 < Hrki> The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "acme.local":
12:57 < Hrki> The error was: "DNS name does not exist."
12:57 < Hrki> (error code 0x0000232B RCODE_NAME_ERROR)
12:58 < Hrki> - The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals.
12:59 < Hrki> but nevermind
12:59 < Hrki> now it works like charm
12:59 < Hrki> is there any trick to speedup vpn connection
12:59 < |Mike|> read the last sentence btw :)
13:00 < |Mike|> don't use a vpn haha
13:00 < Hrki> will be faster if i dont use encryption? :D
13:00 < |Mike|> def. but that's not why you're using a vpn, correct?
13:00 < Hrki> i need vpn to access company data, security isnt priority
13:01 < Hrki> rather then TV or RDP :)
13:01 < |Mike|> data security isn't a priority?
13:01 < Hrki> nahh :)
13:01 < Hrki> no one will hack me
13:02 < |Mike|> you could disable encryption to increase speed
13:02 < |Mike|> are you using tun or tap?
13:03 < Hrki> tun
13:05 < |Mike|> you'll reach higher speeds without encryption then
13:08 < Hrki> cipher none
13:10 < |Mike|> speed increased?
13:12 < Hrki> second
13:12 < Hrki> i have one noob question
13:12 < Hrki> if i disable cipher
13:13 < Hrki> what is purpose of user key and cert?
13:21 < |Mike|> none, you're vulnerable to mitm imho
13:21 < |Mike|> unless you run an tls server
13:24 < Hrki> i get
13:25 < Hrki> thx :)
13:25 < Hrki> but connection is now increased
13:33 < Hrki> |Mike|:
13:33 < Hrki> ca ca.crt
13:33 < Hrki> cert server.crt
13:33 < Hrki> key server.key
13:33 < Hrki> dh dh.pem
13:33 < Hrki> isnt that settings for TL ?
13:33 < Hrki> *TLS
13:34 < |Mike|> !tls-auth
13:34 <@vpnHelper> "tls-auth" is "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to
13:34 <@vpnHelper> make the tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
13:37 < Hrki> i see, i get that suggestion when i use AES ciphers
13:38 < Hrki> ok beside MITM attacks
13:39 < Hrki> can somone connect server without .ca .key and .crt (user one)
13:41 < |Mike|> Nope
13:41 < |Mike|> unless you have ldap in use with username/passwd and/or ca.crt
13:52 < Hrki> ldap :)
13:52 < Hrki> i always wondering what is that
13:55 < Hrki> never mind
13:57 < Hrki> so .key/.crt is diffie-hellman key exchange which is use to login user in system?
13:59 < wasutton3> is it bad practice to put openvpn on the same machine as the ca server?
14:04 -!- Vampire0_ is now known as Vampire0
14:32 < wallbroken> !blog
14:32 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
15:05 < moviuro> Hi all. I'm seeing numerous errors in all the logs of all my machines (PID_ERR replay-window backtrack occurred [3] [SSL-5] [000_011222223344455666778888999>>>>>>>>>>>>>>>>>>>EEEEEEEEEEEEEE] 0:12308 0:12305 t=1489947063[0] r=[-1,64,15,3,1] sl=[44,64,64,528]) and have no idea about their influence nor cause
15:06 < moviuro> (2.4 Linux or 2.3 OpenBSD clients with 2.4 FreeBSD server)
15:09 < moviuro> from what I remember, this kind of messages I didn't get before 2.4
15:11 < moviuro> hmm, nevermind. I saw thos errors too starting in August 2016
15:12 < KaiForce> exit
15:29 -!- F2Knight[away] is now known as F2Knight
17:49 -!- F2Knight is now known as F2Knight[away]
19:55 < |Mike|> moviuro: update! :-D
19:55 < |Mike|> wasutton3: no, why should it?
20:16 < wasutton3> why should it what? be bad practice to put the CA on the vpn server?
20:17 < |Mike|> how else?
20:18 < wasutton3> my only thought would be you want to power down the CA when you aren't actively creating keys, seeing as how the vpn server has the relevant copies of the certs
--- Day changed Mon Mar 20 2017
01:49 < moviuro> |Mike|: but everything is up-to-date on their respective platforms!...
02:32 <+hyper_ch> moviuro: what's the issue?
02:33 < moviuro> numerous PID_ERR replay-window backtrack occurred [52] [SSL-0] [0000000000000000000000000000000000000000000000000000_00000000000] 0:476759 0:476707 t=1489956139[0] r=[-1,64,15,52,1] sl=[54,64,64,528] and Recursive routing detected, drop tun packet to [AF_INET] XXX.XXX.XXX.XXX:1194
02:46 <+hyper_ch> no idea... sounds like some routing issue
03:01 < moviuro> yeah, but it's really a stupid setup. Nothing, really, can go wrong. Client is 192.168.0.17, gets 10.21.0.X address from VPN, along with IPv6 and that's pretty much it
03:01 <+hyper_ch> !configs
03:01 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
03:02 < moviuro> I'll be back after work
03:09 < cbauer> why vpn tunnel always seems to 'collapse', I'm connecting from windows with the openvpn client to linux openvpn server, when it disconnects I see no new output in the terminal window openvpn is running in, it only re-establishes the vpn tunnel once I press enter in the terminal window openvpn client is running in
03:20 <+hyper_ch> cbauer:
03:20 <+hyper_ch> !configs
03:20 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
03:24 < cbauer> client: config https://ptpb.pw/wcss , openvpn version 2.4.0
03:25 < cbauer> currently have no access to server
03:25 < cbauer> rest I already posted
03:25 < cbauer> and there are no ccd files
03:26 < cbauer> openvpn version on server is latest, I know that much
03:33 < cbauer> what does "Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])" mean? getting that on the client with above posted config
03:59 < cbauer> and now I get " write UDP: No buffer space available (WSAENOBUFS) (code=10055)"
04:07 <+hyper_ch> config looks fine
04:09 <+hyper_ch> seems like the server wants to push a route?
04:23 < cbauer> yeah but I want to ignore those and add my own (I don't want to use the vpn tunnel for internet access)
04:24 < cbauer> what does the latest message I posted mean?
06:43 -!- Vampire0_ is now known as Vampire0
07:53 < |Mike|> cbauer: https://support.microsoft.com/en-us/help/196271/when-you-try-to-connect-from-tcp-ports-greater-than-5000-you-receive-the-error-wsaenobufs-10055
07:55 < cbauer> kind of stupid windows default
07:55 < cbauer> thanks
07:55 <+hyper_ch> so the whole problem is with windows
07:55 <+hyper_ch> cbauer: why not upgrade to Linux?
07:55 < cbauer> I'm running linux at home (that's where the openvpn server is running) but I can't change the OS on the workstation at work
07:56 <+rob0> bummer
07:56 < cbauer> trying to use WSL (bash on ubunto on windows) but can't connect to anywhere from inside that bash
07:56 < cbauer> only ping
07:57 < cbauer> although a UDP connection might work...
07:57 < cbauer> but the default port limit probably applies to WSL as well
07:57 <+rob0> it's Windows software, so yes, subject to what the OS does
07:59 < cbauer> I can "outsource" some of my work to a linux machine via VNC/X2Go to connect to my linux pc at home that I have fullscreen on my other monitor but for that I still need openvpn working on windows
08:00 < cbauer> maybe "openvpn GUI" works better than using it in cmd...
08:01 <+rob0> isn't the gui just a frontend to the same openvpn.exe?
08:04 < cbauer> maybe it changes some configuration stuff like the port limit, set ENV vars for openvpn to use, etc
08:05 < |Mike|> might be easier to just use TeamViewer imho.
08:20 < cbauer> I don't want a VPN tunnel just for screen sharing
08:21 < cbauer> and if X2Go encryptes itself too (X protocoll through SSH tunnel)
09:20 -!- BrianBlaze420 is now known as BrianBlaze
11:34 -!- F2Knight[away] is now known as F2Knight
13:00 < Tavis> I have a bunch of client vpn users working great.  Just added a new user and when that user connects they can’t hit the dns servers on our network.  I spent some time diagnosing the issue and found that if another user logs in on that same computer they can connect to the dns servers fine.  Then tested on another client machine with same result.  New user can’t hit the dns server but any other user can.  Then notic
13:00 < Tavis> that the new user gets the same ip every time.  I shut all firewalls off on the dns servers for testing and still same result.  I am baffled.  Has anyone seen anything like this before?
13:16 < Poster> Tavis: If the new user is using Windows, make sure that the connection is being launched with administrative access.  UAC will block route additions otherwise
13:17 < Tavis> Poster: i have and have verified the routes are exactly the same no matter what user is logging in with the exception of the change in interface ip of course.
13:18 < Poster> Only other thing I can think to check is overlaping IP ranges
15:02 -!- remirol is now known as lorimer
--- Log closed Mon Mar 20 15:22:17 2017
--- Log opened Tue Mar 21 08:27:55 2017
08:27 -!- Irssi: #openvpn: Total of 278 nicks [7 ops, 0 halfops, 5 voices, 266 normal]
08:27 -!- mode/#openvpn [+o ecrist] by ChanServ
08:27 -!- Irssi: Join to #openvpn was synced in 3 secs
08:31 <@dazo> |Mike|: configure WINS
08:31 <@dazo> |Mike|: and then you push the WINS server from the OpenVPN server to your clients
08:37 < cbauer> is someone her using openvpn-gui?
08:37 <@dazo> cbauer: most windows users uses that one
08:38 < cbauer> I'm trying to have it automatically establish a connection upon login, can't seem to find how
08:39 < plasma_> hi
08:39 < plasma_> Tue Mar 21 14:34:41 2017 SIGUSR1[soft,ping-restart] received, process restarting
08:39 < plasma_> Tue Mar 21 14:34:41 2017 Restart pause, 5 second(s)
08:39 <@dazo> cbauer: have you tried to put the configuration file (.ovpn) inside the Startup folder?
08:39 < plasma_> is it possible to reduce that 5 seconds delay?
08:39 < plasma_> i cant find the option in the client.conf
08:40 < cbauer> you mean %appdata%\microsoft\windows\startmenu\programs\startup?
08:40 < cbauer> plasma_: openvpn gui allows one to set that
08:40 <@dazo> cbauer: probably ... I have no idea, as I'm no Windows user
08:40 < plasma_> cbauer: i dont use guy
08:40 < plasma_> s/guy/gui
08:41 <@dazo> plasma_: no, I believe that is fixed
08:41 < plasma_> pitty
08:41 < cbauer> dazo: but you mean the windows startup folder to 'execute' the .ovpn file upon login, correct?
08:41 <@dazo> plasma_: or actually, it is changed dynamically ... no need to try every 5 seconds for several hours ... then the the connect retries happens more seldom
08:41 < plasma_> so i would have to change the source :P
08:42 <@dazo> cbauer: correct .... otherwise, I believe you can start the openvpn-gui with an argument providing the config file
08:42 <@dazo> plasma_: but ... why is 5 seconds too long?  WHen you have that error, it means you have connectivity issues
08:42 < plasma_> well i have very shitty wifi here which drops too often, i allready set keep-alive settings in server.conf but the 5 seconds delay on the client additionally is a bit annoying
08:43 < plasma_> dazo: i do have ;)
08:43 < cbauer> dazo: tried that one, --help and /? is ignored and the application is just started
08:43 <@dazo> plasma_: well, not really sure it will help much to be honest
08:44 <@dazo> cbauer: try to shoot an e-mail to openvpn-user@lists.sf.net ... (you need to subscribe) ... there's plenty of Windows users on that ML who have done similar things
08:44 -!- e_xistens3 is now known as e_xistense
08:44 < cbauer> :/
08:44 < DArqueBishop> cbauer: does it have to be tied to the user? If not, you could just set the service to run automatically in services.msc.
08:44 < cbauer> that's why I asked if a openvpn-gui users is in this channel
08:45 < cbauer> DArqueBishop: I did something like this for "openvpn --config ..." but that seems to have issues
08:45 <@dazo> cbauer: there are Windows users here too ... but it's probably a bit too early to get responses from them
08:45 < cbauer> as in connection drops egvery now and then until I press enter in the terminal window
08:46 < cbauer> dazo: depends on the time zone I guess
08:46 < DArqueBishop> cbauer: I use OpenVPN-GUI, but it's because I use the VPN on demand. If I was going to need it to launch when I logged in, I'd just set the OpenVPN service to start automatically in services.msc.
08:46 <@dazo> the problem with using openvpn.exe directly is that it is completely unmanaged .... so if that process dies, you won't necessarily notice immediately
08:47 < cbauer> DArqueBishop: I have OpenVPNServiceInteractive, OpenVPNServiceLegacy and OpenVpnService in my services, former is started
08:48 <@dazo> OpenVPNServiceInteractive is used by the GUI
08:48 <@dazo> OpenVpnService is the new service
08:48 < cbauer> dazo: I don't have a problem of it dying, I have a problem of the connection dropping and openvpn not "noticing" or something until I press enter in the terminal window it is running in
08:48 <@dazo> OpenVPNServiceLegacy is the old service, preceded by by OpenVpnService
08:49 <@dazo> cbauer: --daemon?
08:49 < cbauer> I have a task scheduled which would restart it, if it ends
08:49 < cbauer> haven't used --ademon
08:49 <@dazo> but using the service is by far the best way
08:49 < cbauer> partly because I wanna be able to access the log easily
08:49 <@dazo> --log
08:49 < DArqueBishop> !keepalive
08:49 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected., or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode, or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive, or (#4) Also beware of --auth-nocache for automated reconnects
08:49 <@dazo> (or --log--append)
08:49 < cbauer> I know, but I meant have a realtime display of its messages
08:50 < cbauer> more or less
08:50 < cbauer> didn't have any disconnect issues yet when using it via openvpn-gui
08:50 <@dazo> well, log files are updated on-the-fly .... in Linux I can do: tail -f /var/log/openvpn.log ...
08:50 < cbauer> I'll notice it immediately because then I get disconnected from my irc server
08:51 < cbauer> dazo: I know about that one too, but I'm on windows
08:51 < cbauer> even if there's a tail utility in windows, I doubt it would be as native and efficient as under linux
08:51 <@dazo> the logging code is identical on both .... but you can also enable the management interface, telnet to it and start real time log watch that way too
08:52 < cbauer> management interface?
08:52 <@dazo> --management
08:53 <@dazo> (the GUI uses that one for lots of the things you see)
08:55 < cbauer> found the option for openvpn-gui, it is --connect file.ovpn
09:34 <+hyper_ch> dazo https://archive.fo/53Cbd
09:34 <@vpnHelper> Title: 1348902 - I don't want the notice of insecure password/log-in on my website. You do not have permission to put it there. We have our own security process and have never had a problem. (at archive.fo)
09:41 < lindi-> is there some debug mode that'd let me see what openvpn sends over the wire (including passwords)? I'm trying to find out why challenge response works via stdin but somehow fails with management interface
09:53 < cbauer> just use wireshark or tcpdump if you want to see what's leaving your network interface
09:53 < lindi-> cbauer: but that's encrypted, not very useful for debugging?
09:54 < cbauer> well, you asked for what  gets "send over the wire"
09:55 < lindi-> cbauer: yep, but without encryption please :)
09:55 < cbauer> maybe if you were to specify a proxy
09:56 <@dazo> hyper_ch: haha ... priceless!
09:56 <+hyper_ch> seems, some user already removed the plaintext password tables through sql-injection
09:56 <+hyper_ch> https://arstechnica.com/security/2017/03/firefox-gets-complaint-for-labeling-unencrypted-login-page-insecure/
09:56 <@vpnHelper> Title: Firefox gets complaint for labeling unencrypted login page insecure | Ars Technica (at arstechnica.com)
09:56 <+hyper_ch> not even CC data was SSLed
09:57  * dazo gotta run ... will check more closely later on
09:58 < cbauer> FF displaying "insecure log-in" is actually a problem for the company I work for too, it's misleading if the site actually uses proper SSL
09:59 < cbauer> i.e. if you connect to a server on your own network for which a server on your network is the CA of the certificate it offers I suppose
10:01 < lindi-> cbauer: I guess I'll just modify openvpn_encrypt() to log the bytes to a file
10:01 < cbauer> sure, try that
10:25 < lindi-> I see my username and IP packet contents there but not my password
11:16 < jordanca> !topology
11:16 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
11:21 < jordanca> Hi, I can currently either implement --topology subnet or p2p. Does it make a difference in terms of performance which is used? I would have thought that p2p is more correct because the link its self is point to point but I am concerned client to client traffic will have to hit the server routing table each time.
12:06 < |Mike|> dazo: thanks.
13:37 < nstinson> Hello. I could use some help with OpenVPN running on SQL Server. Port forwarding is configured and the server is available remotely (I can remote desktop and access SQL Server ports which are forwarded), but when I check netstat -a I do not see port 1194 listening
13:37 < nstinson> The port is open on the Windows Firewall. The OpenVPN Service is running (I have restarted it a few times and the Firewall service after adding rules for the ports).
13:37 < nstinson> What causes OpenVPN to actually start listening on port 1194?
13:42 < korozion> nstinson: I don't do a lot of windows servers, but was OpenVPN run with escalated permissions?
13:43 < nstinson> When you say was it run... All I have is the service running. Do I also need to launch a software?
13:43 < nstinson> When I launch the gui, it places a little icon in the running programs which is OpenVPN GUI
13:43 < nstinson> to me it seems like there needs to be something running which will cause it to start listening
13:44 < nstinson> I'm just not sure what
13:44 < nstinson> it seems I am missing an easy, obvious step
13:45 < nstinson> I can post a log file if I need
13:47 < korozion> I'm not much with windows servers
13:47 < nstinson> :(
13:47 < korozion> basically the server process needs to be running and listening on 1194
13:47 < korozion> UDP iirc
13:47 < nstinson> as near as I can tell, it should be
13:47 < nstinson> but nothing shows listening
13:47 < nstinson> and I have no idea why
13:52 < nstinson> any recommendations for an IRC chat that might could help with the Windows portion/
13:53 < daemon> nstinson, #windows afaik
13:53 < daemon> I can't recall if its ##windows #windows or #microsoft or ##microsoft
13:54 < daemon> they helped me out with a few issues with win10 though
13:54 < nstinson> well thus is interesting
13:54 < nstinson> I outputted the full netstat -a -b to a log file so I could check the processes and found..
13:54 < nstinson>  [openvpn.exe]
13:54 < nstinson>   UDP    0.0.0.0:1434           *:*
13:55 < DArqueBishop> ... why on God's green earth would you have a VPN server running on a database server, especially one like SQL Server?
13:55 < nstinson> so it's actually listening on a different port...
13:55 < nstinson> not my hardware. Just how it's configured. *shrugs* only one server on the network and need to get a VPN connection working
13:56  * DArqueBishop shrugs.
13:56 < nstinson> it is a pain though
13:57 < nstinson> would be helpful if it was a Linux server
13:57 < DArqueBishop> I would highly recommend they invest in a separate box. It doesn't even need to be a server; pfSense router/firewall devices support OpenVPN, IIRC.
13:57 < nstinson> it's hard to convince county government to buy anything :-p
13:58 < DArqueBishop> Just remind them of the magic three letters.
13:58 < DArqueBishop> "DNC".
14:02 < nstinson> I read that wrong,   UDP    0.0.0.0:1194           *:*
14:02 < nstinson>  [openvpn.exe]
14:03 < nstinson> so it is configured for the port, it just doesn't show LISTENING
14:09 < nstinson> in fact, it has no STATE
14:24 < nstinson> ok, so totally divorced from the Windows portion of this... I notice this... my server.ovpn file has port 1194 and proto udp
14:45 < nstinson> and by default it has ;local a.b.c.d
14:45 < nstinson> When I leave it at that and have the service running, I check netstat and it shows UDP 0.0.0.0:1194           *:*      openvpn.exe     which means that the port is open on one of IP addresses on the machine. Looking below this I see  [openvpn.exe]   UDP    [::]:1434              *:*
14:45 < nstinson> so it doesn't appear to be tied to an IP address
14:45 < nstinson> err 1194. Wrong row again
14:46 < nacelle> its open on all addresses on the machine on udp port 1194
14:46 < nacelle> not just one IP
14:47 < nstinson> ok so that's what the :: means?
14:47 < nstinson> so now it's figuring out why the STATE is nonexistent instead of LISTENING :-\
14:47 < nacelle> no thats ipv6 indicating the whole space
14:47 < nstinson> ah, ok
14:47 < nacelle> this isnt openvpn related fwiw
14:47 < nacelle> networking 101 in windows
14:47 < nstinson> I'm trying to figure out where the problem is though.. on Windows or the OpenVPN config
14:48 < nacelle> windows.
14:48 < nacelle> openvpn is up and listening on udp 1194, so something is in the path blocking otherwise
14:48 < nacelle> i just like to blame windows ;-)
14:48 < nstinson> yeah WIndows does that a lot :-p
14:48 < nstinson> ok so this seems to indicate it should be open and listening
14:49 < nstinson> however, I can't telnet 1194 on the server. So that seems to indicate to me that 1194 isn't open.
14:49 < nacelle> nope, telnet is to tcp ports
14:49 < nstinson> ahh ok
14:49 < nacelle> just test it with a client already
14:49 < nstinson> I wondered if that was the case
14:50 < nacelle> and look at logs
14:50 < nacelle> sorry for being anxious
14:51 < nstinson> ok, on the client device, I right click on the client.opvn and "Start OpenVPN on this config file"
14:51 < nacelle> udp is tricky to test, because, often, if you're just sending a rubbish packet, you get no response even if the daemon is up and listening
14:51 < nstinson> in the text, I see some errors...
14:51 < nacelle> so you have to pretty much try to do as the service would expect
14:52 < nacelle> (not always, of course, but ymmv)
14:52 < nstinson> ROUTE: rout addition failed using CreateIpForwardEntry: Access is denied [status=5 if_index=37
14:52 < nstinson> later it says
14:52 < nacelle> gots to be administrator or root or whatever I imagine
14:52 < nstinson> ERROR: Windows route add command failed [adaptive]: returned error code 1
14:52 < nstinson> yeah, I am running as an admin user in Windows..
14:52 < nacelle> sorry to hear
14:53 < nstinson> but I still probably need to launch this as administrator or whayever
14:53  * nacelle shrugs and nods in a way that gets you try that out ;-)
14:53 < nstinson> cha-ching
14:53 < nstinson> I tried through the GUI.. right click and then client -> then connect
14:53 < nacelle> macrosooft wandows weef sekuritah teeknowlojees
14:53 < nstinson> and it connected!
14:54 < nacelle> hawt
14:54 < nstinson> :D
14:55 < nstinson> so that's a good start
14:56 < nstinson> when I try to ping the 10.8.0.0 IP (which should be the server), I get TTL expired in transit
14:56 < nacelle> your server is probably not 10.8.0.0
14:56 < nacelle> its probably 10.8.0.1
14:57 < nstinson> ah, so it is
14:57 < nstinson> I misread that opvn file
14:57 < nacelle> its ok
14:58 < nstinson> "The server will take 10.8.0.1 for itself"
14:58 < nstinson> didn't see that little line :-o
14:58 < nacelle> theres a lot of lines, easy to miss one or two the first couple times through it
14:59 < nstinson> thanks for tha help :D
14:59 < nstinson> I'll try the SQL and other connections now
14:59 < nacelle> fwiw, you did everything, I just pushed
14:59 < nacelle> you already knew what to do :-)
14:59 < nstinson> hah that's helpful
15:00 < nacelle> learning is hard sometimes just because of the risk
15:00 < nacelle> like you dont want to bork your sql thing
15:00 < nacelle> so you have all this extra consideration going on that can bog ya down
15:00 < nstinson> indeed
15:02 < nacelle> I love using containers and vms to figure things out, then I either distill what I did into my notes or I compress the image, but usually I end up tossing it and making a new one when i need it later.  A couple images managed to survive my dorkery over the years, but there have been thousands that lived for a day or three at most.
15:02 < nstinson> I do need a good VM setup for this customer
15:02 < nstinson> I'm not really in charge of their infrastructure though
15:03 < nacelle> thats what I do for someone I fixup their vpns and firewalls for
15:03 < nacelle> i have a clone of their infrastructure on a spare pc at the house that's all vms and containers
15:04 < nacelle> even down to the vms having em nics so that I can load the exact same pf.conf
15:04 < nstinson> having a clone would be very nice
15:59 < warbaque> I have 3 virtual machines (openvpn server, client and a machine in vpn network) https://bpaste.net/show/2a908962ceb2 I can't ping VM2 from VM3 or vice versa, what am I doing wrong?
16:12 < warbaque> VM2 does get requests but replies aren't sent through VM1
16:13 < zoredache> .c did you enable routing  in the OS  on your openvpn server?
16:16 < zoredache> oh, nevermind, you seem to be trying to use tap (why?)  It might be useful if you included your vpn server/client config
16:18 < zoredache> !tunortap
16:18 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
16:18 <@vpnHelper> rooted/jailbroken) support only tun
16:20 < warbaque> tap for testing purposes and academic curiosity (I understand differences between tun and tap), server conf: https://bpaste.net/show/42db6ee27c84
16:50 < bigredradio> I have a push route directive in my conf file, but it does not seem to work. I have two networks behind my VPN that I am trying to access. I can get to only one of the networks. Anyone setup this type of configuration?
17:35 < |Mike|> bigredradio: configs?
17:35 < |Mike|> what's shown in the logs?
17:35 < |Mike|> !logs
17:35 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
17:35 < |Mike|> !configs
17:35 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
17:36 < bigredradio> Mike--, I think the issue is the clients on the unreachable network cannot route back to VPN tun interface
17:36 < bigredradio> Thanks
17:39 < warbaque> zoredache: I can't figure out what else should I add
17:41 < zoredache> Unfortunately, I am not sure.  I never use tap
17:43 < zoredache> In your packet captures where you targetting the bridge interface?
17:43 < warbaque> what about packet captures?
17:44 < zoredache> how were you doing the captures exactly?  Just a tcpdump?
17:47 < warbaque> those were with tshark, but I've also run tcpdump, e.g. tcpdump on vm2 when running ping on vm1: https://bpaste.net/show/3ae291297486
17:49 < zoredache> right, mostly I am curious if you made sure that tshark/tcpdump was using the br0 interface and not the enp0s8 interface.
17:49 < zoredache> tcpdump/tshark likes to default to the first interface, even if that doesn't make sense.
17:50 < warbaque> on dumps were on br0(vm1), enp0s8(vm2), and tap0(vm3)
17:52 < zoredache> I mean in one sense the problem is obvious.  Your arp replies from vm2 are not getting back to vm3.  I just have no idea why.  The fact that you don't see them arp replies on  vm1 though is part that is confusing me.
17:53 < warbaque> that's what confuses me also :/
17:57 < zoredache> In your hypervisor is the 192.168.0 and 192.168.2 on separate virtual switches or vlans?
17:59 < warbaque> those are vbox internal networks
18:00 < warbaque> so they have their own virtual adapters
18:10 < warbaque> vm2 can get vm3 mac
19:23 < warbaque> zoredache: figured it out, I forgot to allow promiscuous mode from the adapter settings
19:37 < skered> Comparing two openvpn servers, one running on UDP:1194 and other TCP:443, why would one disconnect on first
19:37 < skered> HMAC auth error?
19:38 < skered> It appears I'll get these HMAC errors when behind an given network.  Switch and the go away.
19:39 < skered> Would you suspect there's some fucky networking going on when connected to the (what appears to be) the problematic network?
19:50 < skered> Appears to be an MTU mismatch?
19:52 < _ADN_> if mtu mismatch the openvpn should launch a warning I thinkkkk ooon the logs
--- Day changed Wed Mar 22 2017
00:03 < R0b0t1> Hello, how do I report a bug?
00:03 < R0b0t1> I've looked at the website but don't understand trac
00:04 <@ordex> R0b0t1: just create an account and there you have the button new bug/ticket
00:04 < R0b0t1> I believe it's a potential security issue - whatever it is allows potential denial of service, but the attacker might already need to have an account
00:04 < R0b0t1> Hmm
00:04 < R0b0t1> I'll look for that again
00:04 < R0b0t1> Oh it's up in the title bar
00:04 < R0b0t1> thanks!
00:04 <@ordex> yap
00:04 <@ordex> :)
00:04 <@ordex> np
00:17 < R0b0t1> Shiny new bug for whom it may concern, https://community.openvpn.net/openvpn/ticket/857
00:17 <@vpnHelper> Title: #857 (Connection attempt from Windows client causes server computer network lockup for SSH connections.) – OpenVPN Community (at community.openvpn.net)
00:17 < R0b0t1> and good night
01:19 < Toordog> Hi, I don't understand why I receive these error in my logs: openvpn ovpn-server[13495]: user1/65.92.xx.yy:53431 MULTI: bad source address from client [fe80::e8e6:e9a9:1234:1234], packet dropped
01:19 < Toordog> 65.92 is my client public IP
01:20 < Toordog> i just use the VPN to pass all my traffic through it (gateway), i have no LAN connecting through the VPN.
07:36 < andrew-ii> !welcome
07:36 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
07:36 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
07:50 < _ADN_> Hi Guys
07:51 < _ADN_> I have this on ubuntu:
07:51 < _ADN_> inet addr:10.10.100.6  P-t-P:10.10.100.5  Mask:255.255.255.255
07:51 < _ADN_> this on fedora:;
07:51 < _ADN_> inet 10.10.100.46  netmask 255.255.255.255  destination 10.10.100.45
07:52 < _ADN_> why do I get that difference?
07:55 < skered> _ADN_: I didn't see any warnings/errors for MTU mismatch.  However, would openvpn check the local interface vs the openvpn tun's MTU?  But assuming it's not that I was also reading some corruption in the network packet midflight.
07:56 <@dazo> _ADN_: most likely due to different versions of net-tools ... which are mostly considered deprecated, as it reports things differently
07:56 <@dazo> _ADN_: try to use iproute2 instead: $ ip addr show
07:56 < skered> If it means anything ssh also would break connection with a broken pipe and a new (to me) error message.  I'll retry the problematic network again today
07:57 < skered> However, I think the ssh message was also some what related to openvpn's HMAC error.  Keep in mind this was ssh not inside openvpn so I'm guessing it's the network less client/server/openvpn.
07:58 <@dazo> skered: regarding the disconnect behaviour between UDP and TCP on HMAC errors ... that's most likely due to the difference between the UDP and TCP protocols
07:59 <@dazo> skered: UDP is stateless, while TCP is stateful.  That means that on TCP the OS layer goes through a set of handshakes before the TCP connection is sent to the application (OpenVPN) ... so there will be a connect/disconnect on TCP
08:00 <@dazo> skered: With UDP the packet is sent directly to OpenVPN ... so OpenVPN doesn't need to respond, it can just read the complete packet and do the HMAC check ... if it fails, it just silently drops the packet
08:00 < skered> Ok, that's what I was expecting with TCP.  I just need to maybe track down why it's happening to begin with.  It's possible I can move one of the servers back to UDP.
08:00 <@dazo> skered: so when HMAC fails on TCP, the connection needs to be closed ... which isn't needed at all with UDP
08:01 <@dazo> skered: primarily use UDP
08:01 <@dazo> !tcp
08:01 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
08:05 < skered> I think that's why I ended up using TCP for this one server.  Some locations just wouldn't play nice with UDP openvpn and TCP solved it.  But I will look at moving back to UDP.
08:07 < skered> Can I single instance of openvpn listen on both ports?
08:07 < skered> Or would you just run a second instance?
08:07 <@dazo> yeah, some times the ISPs really mangles UDP .... IMHO, ISPs not managing to handle UDP traffic properly should be abandoned ... it's their ******* job to ensure you have a functional connection through their network, regardless of protocols.  If they can't manage that, they s*** at their job
08:08 <@dazo> skered: you need to run separate processes as of now ... OpenVPN doesn't handle multiple ports/protocols currently
08:08 <@dazo> (there are some work in the pipe improving this, but it is far far from done)
08:10 < _ADN_> just wondering the different outputs
09:15 < _ADN_> From hardening OpenVPN: Today, OpenVPN does not support TLS-ECDHE-* or more exotic cipher-suites as there is no elliptic curve support currently.
09:15 < _ADN_> is this still True
09:15 < _ADN_> ?
09:51 < _ADN_> for the peer the issue was the topology ... I put topology subnet
09:51 < _ADN_> and it should ne net30 (or commented out)
09:52 < _ADN_> still doubting about TLS-ECDHE
09:55 < _ADN_> cd -
10:02 <@plai> _ADN_: 2.4 should support them
10:02 <@plai> !ecdh
10:06 < _ADN_> ChangeLog: Add support for elliptic curve diffie-hellmann key exchange (ECDH)
10:14 < _ADN_> Thx plai
10:20 <@plai> _ADN_: Mar 22 16:12:05 hermes ovpn-aead-v6[938]: 131.234.198.112 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
10:20 <@plai> between 2.4 client and server
10:31 < _ADN_> yes I am on 2.3.14
10:31 < _ADN_> so can not use EC yet
12:13 < R0b0t1> Hello, I submitted a bug yesterday that I can no longer find on the tracker. It's fine if it was removed but I see no email implying it was ever interacted with.
12:14 < R0b0t1> Is it still in limbo before submisison on my other computer? It was given a number and everything so I figured it was submitted.
12:28 < R0b0t1> It is my hope it wasn't deleted and it was hidden due to a possible security issue, but if there's any way to check I'd appreciate it.
13:03 <@ecrist> R0b0t1: any idea what ticket number it was?
13:03 <@ecrist> also, which site did you submit it to?
13:05 < R0b0t1> ecrist: 857, submitted to community.openvpn.net
13:05 < R0b0t1> https://community.openvpn.net/openvpn/ticket/857 - no browser at the moment, but if it's there I'm going to look very silly. It didn't show up under the filters for bugs I had submitted.
13:05 <@vpnHelper> Title: #857 (Connection attempt from Windows client causes server computer network lockup for SSH connections.) – OpenVPN Community (at community.openvpn.net)
13:05 < R0b0t1> Yeah dangit
13:22 <@ecrist> it's there
13:22 <@ecrist> I doubt you've found a bug, though.  I use SSH all the time via openvpn on windows
14:52  * brokensyntax having trouble getting Ubuntu 16.04 to use specific DNS server when on vpn.
14:55 <+rob0> perhaps your syntax is broken?
15:04 < brokensyntax> :P
15:04 < brokensyntax> Often is ;D
15:58 < _ADN_> hi guys
15:58 < _ADN_>  reneg-sec = 60 and I get this error TLS Error: local/remote TLS keys are out of sync
15:58 < _ADN_> if reneg-sec = 0 I do not get that error
15:58 < _ADN_> the renegotiation does work properly ... any advice?
16:12 < ghostboarder> sup guys, quick q....where is the openvpn config file stored on a raspberry pi? anyone?
16:13 < ghostboarder> i need to add aroute
16:14 <+rob0> That's a hardware platform, not an OS, and perhaps an answer could be found sooner by asking your OS/distro's channel?
16:15 < ghostboarder> ok fair enough
17:59 < brokensyntax> ghostboarder: Or at the very least stating your RPi's OS ;) "find /  |grep ovpn" ?
18:39 <@ecrist> ghostboarder: the open source openvpn doesn't store it's config anywhere, it simply takes command line arguments, or at least one --config argument that points to the config
18:39 <@ecrist> different distributions may wrap init scripts/etc that "put it somewhere"
19:33 -!- Vampire0_ is now known as Vampire0
19:43 < vectr0n> shouldnt /topic be updated to 2.4.1 current? :)
20:49 < _ADN_> web is updated so far when memail was send
22:03 < ghostboarder> oh hey guys.....haha ok well its raspbian i know that...
22:38 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
22:38 -!- mode/#openvpn [+o krzee] by ChanServ
22:45 < sms> Hey how's it going everybody
22:49 < sms> I'm looking at the OpenVPN3 API right now and I'm wondering if the config file it's asking for is referring to an .ovpn file
22:56 <@ordex> sms: yes, the file has to be a .ovpn
22:57 <@ordex> (if that's what you are asking)
22:58 < sms> Oh alright, just making sure. Because I went and looked up 'openvpn config' and saw there's client and server .config files as well
--- Day changed Thu Mar 23 2017
01:16 -!- funnel_ is now known as funnel
01:52 < sms> How do I go about using openvpn3 API in my C++ project, when I try compiling with g++ it can't locate the .hpp file (no matter if I include it with -I or link directly to it in the import) ?
03:05 -!- alexandre9099_ is now known as alexandre9099
04:33 < Toordog> i just use the VPN to pass all my traffic through it (gateway), i have no LAN connecting through the VPN.   I'm unable to send email out or to retrieve my email when connected to VPN.
05:47 < _ADN_> whats is needed to the reneg-sec to work?
05:48 < _ADN_> I added the value to 60 and get TLS Error: local/remote TLS keys are out of sync
05:48 < _ADN_> if put to 0 the user is not kick out
07:43 < _ADN_> Anybody have run OpenVPN inside Docker?//
07:44 < _ADN_> I am having problems on the FWD
07:44 <@dazo> _ADN_: if you manage to get an OpenVPN connection established, then I'd recommend you to check the Docker community how to enable packet forwarding
07:45 < _ADN_> ok thx dazo
07:45 <@dazo> _ADN_: once the connection is established, the rest is basically depending on the OS itself
07:45 < _ADN_> yes the connection is establish and openvpn working fine
07:45 < _ADN_> probelm is on the packets FWD
07:48 <+rob0> heh, not likely that the Docker community will know how to use Docker, though :)
08:09 < masin> !welcome
08:09 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
08:09 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
08:10 < masin> !goal
08:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:11 < masin> !goal I would like to access the LAN behind a client (router).
08:11 < masin> !ask
08:11 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
08:13 < masin> !goal
08:13 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:13 < masin> !paste
08:14 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
08:14 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
08:14 < masin> !configs
08:14 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:17 < masin> I would like to access the LAN behind a client (router).
08:18 < masin> I followed the How-To https://openvpn.net/index.php/open-source/documentation/howto.html#scope and the instructions on https://community.openvpn.net/openvpn/wiki/RoutedLans.
08:18 <@vpnHelper> Title: HOWTO (at openvpn.net)
08:19 < DArqueBishop> !serverlan
08:19 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
08:21 < masin> !route
08:21 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
08:21 < masin> !tcpip
08:21 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
08:21 < masin> !clientlan
08:21 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
08:21 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
08:22 < DArqueBishop> Ah, you did say client.
08:22  * DArqueBishop isn't entirely awake yet.
08:23 < masin> clientlan: for a lan behind a client: ip forwarding enabled on client. route on server? configured in server.conf, but not shown when entering "route" at commandline.
08:23 < masin> or will openvpn handle such routes internally without telling the kernel?
08:24 < masin> server pushes routes to clients. traffic will be routed through vpn server: 172.16.66.0     172.16.39.1     255.255.255.0
08:25 < masin> but the client routing to the lan has 172.16.39.10. is this correct how it is pushed currently?
09:28 < masin> The link https://openvpn.net/faq.html#firewall in the howtos doesn't lead to its intended target.
09:28 <@vpnHelper> Title: FAQ – OpenVPN Community (at openvpn.net)
09:47 < danci1973> Hello... Can one use UTF-8 characters in SSL certificate CN ? Or will there be problems?
10:25 < brokensyntax> Anyone used a CA for deploying user certs? Is there any advantage?
10:27 <@ecrist> brokensyntax: "used a CA?"
10:28 <+rob0> Client and server certs must be signed by a common CA in order to be usable in openvpn.
10:29 <+rob0> danci1973, did you try it yet?
10:33 < masin> brokensyntax: there shouldn't be any advantage as you have to tell openvpn which ca.crt to use nonetheless. if you don't trust yourself to keep you private key private there might be an advantage … but if I look at Comodo or StartSSL, it might not be that big …
10:34 < brokensyntax> masin: Thanks... kind of what I was thinking. We're deploying a standalone root CA in our environment right now. (I don't know all the details.) I was asked about using it to manager user keys, or having it sign an intermediary for the server that is going to create/manage user keys.
10:34 < DArqueBishop> masin: using a public CA like Comodo or StartSSL is, in fact, one of the most deeply idiotic things you can do.
10:35 < DArqueBishop> If you want your VPN to be secure, you need to create and use your own private CA.
10:36 < brokensyntax> Generally I've just created using the build-key scripts in the easy-rsa folder... so locally signed at the OpenVPN server... technically, I guess, making the OpenVPN server the CA, so no segregation of roles.
10:37 < DArqueBishop> brokensyntax: for security purposes, you generally want to keep your CA and your OpenVPN server on separate boxes.
10:37 < brokensyntax> *nod*
10:38 < masin> brokensyntax: in respect to security I'd recommend using a machine that's not permanently connected to the network for generating certificates and keys. but that might be a bit paranoid. it should suffice if the machine is in-house.
10:38 < brokensyntax> I'm used to Winblows environment... Generally I would build a standalone CA on a VM as root, after publishing intermediaries, take it offline and use those to publish enterprise... but that's all Windows land and not something I've ever used with OpenVPN.
10:39 < brokensyntax> So just... trying to refocus my thoughts.
10:39 <+hyper_ch> I do the same on linux
10:39 < DArqueBishop> Same.
10:40 < brokensyntax> ty hyper_ch
10:40 <+hyper_ch> setup debian, install easyrsa
10:40 <+hyper_ch> generate certs
10:40 <+hyper_ch> https://community.openvpn.net/openvpn/wiki/EasyRSA3-Insecure-PKI
10:40 <@vpnHelper> Title: EasyRSA3-Insecure-PKI – OpenVPN Community (at community.openvpn.net)
10:41 <+hyper_ch> (it's labelled insecure because everything is created on the ca and not client certs with csrs)
10:41 <+hyper_ch> here's the one where clients create their csrs:  https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
10:41 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net)
10:42 <+hyper_ch> also, I have a little script that will put keys and certs and ta into one config file
10:44 <+hyper_ch> https://paste.simplylinux.ch/view/3e427933
10:44 <+rob0> oohhhh, you meant a CA that you don't control ... that was not obvious to me
10:44 <+hyper_ch> you just need to set according defualt template options
10:46 <+rob0> DArqueBishop++ "one of the most deeply idiotic things you can do" :)
10:47 <+hyper_ch> rob0: ?
10:49 <+rob0> I'd call it "ignorant" rather than "idiotic", because ignorant goes away with a bit of understanding; idiot is forever. :)
10:49 <+hyper_ch> not quite sure what you're refering to :)
10:52 < brokensyntax> Appreciate all the help guys. I'm tired this morning, and haven't had to think about CAs in a while.
11:01 <+rob0> hyper_ch, 15:31 UTC, DArqueBishop
11:11 <@ecrist> sup guys? how goes?
11:12 <+hyper_ch> rob0: ah :)
11:33 < DArqueBishop> ecrist: it goes.
11:41 < dobbser> Hello - I've seen several guides which recommend a short renegotiation interval (reneg-sec). However, when i use this, it seems to cause an interruption in connectivity for a few seconds while the renegotiation occurs. Is this normal?
11:43 < dobbser> !ovpnuke
11:43 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
11:45 < eagles0513875__> hey all got a question seeing as there is no openvpn client for mac what kind of vpn tunnel does openvpn create/use
11:46 < dobbser> eagles0513875__: tunnelblick maybe
11:46 < eagles0513875__> as I am thinking maybe I can use the in built networking functionality in mac to setup the vpn tunnel
11:47 < dobbser> (tunnelblick is an OpenVPN client for OSX)
11:47 < eagles0513875__> thanks dobbser
11:47 < dobbser> there are better ones but they're not free
11:47 < eagles0513875__> :)
11:47 < eagles0513875__> dobbser: for me as long as I can make the connection that is fine.
11:47 < eagles0513875__> thanks for that dobbser  :)
11:48 <+rob0> uh, surely openvpn can compile on Mac?
11:51 < dobbser> rob0: I'm assuming a gui is required
11:55 < dobbser> also i don't think it does
13:00 < nacelle> a gui is not required for openvpn on a mac
13:00 < nacelle> but tunnelblick does exist
13:00 < nacelle> modern macs are bsd boxes
13:31 < daemon> nacelle, thats not really true
13:31 < daemon> well its true in the sence that playstation is BSD
13:31 < daemon> the code is so diversified from the original forked code base
13:32 < daemon> it can no longer really be identified as 'BSD'
13:32 < daemon> though its root are
13:35 < nacelle> your argument is weak sauce
13:35 < nacelle> https://en.wikipedia.org/wiki/Darwin_(operating_system)
13:36 < nacelle> https://github.com/ryoon/BSD-family-tree/blob/master/bsd-family-tree
13:36 <@vpnHelper> Title: BSD-family-tree/bsd-family-tree at master · ryoon/BSD-family-tree · GitHub (at github.com)
14:06 < ExoUNX> so on OpenVPN Connect on Android 6.0 I get "OpenVPN core error: crypto_alg: RSA-SHA384: not found"
14:06 < ExoUNX> is RSA-SHA384 really not supported?
14:07 < ExoUNX> Android 6.0 supports RSA-SHA384...
14:19 < eagles0513875__> hey guys is tunnelblick when you send all traffic over the tunnel unstable?
14:19 < eagles0513875__> i end up getting one way traffic outbound nothing back in
14:19 < eagles0513875__> and basically browser time outs etc occur
14:20 < ExoUNX> eagles0513875__ sounds like a tunnel issue
14:20 < eagles0513875__> on open vpn client i have on windows its stable
14:21 < eagles0513875__> then again i havent tried to send all traffic over the tunnel
14:21 < eagles0513875__> i used a script for debian to configure the tuennel
14:21 < eagles0513875__> ExoUNX: quick question should the tunnel be operating over tcp or udp as the script i used recommended udp
14:21 < eagles0513875__> could that be the issue
14:21 < ExoUNX> eagles0513875__ TCP would be more stable
14:21 < eagles0513875__> good to know
14:22 < eagles0513875__> so need to go back and reconfigure the server
14:22 < ExoUNX> eagles0513875__ TCP however has more performance loss, which may or may not affect you
14:22 < eagles0513875__> :-/ tradeoffs
14:46 < ExoUNX> any love on my question?
15:04 < akkad> where do you set cyphers for ssl?
15:46 < sms> Anybody here developed anything with the OpenVPN3 API?
15:49 < Toordog> i'm having problem accessing my email servers (sending, receiving) when connected to my OpenVPN server
15:52 < Toordog> here's my current firewall configuration. https://hastebin.com/ajiladojiw.css     If anyone have a better iptables rule set and don't mind to share, i'm interested.
15:52 <@vpnHelper> Title: hastebin (at hastebin.com)
15:58 <+Eugene> Toordog - can you access email servers(TCP:25) normally ? Its very common for ISPs to block that.....
15:59 <+Eugene> And is it just email traffic, or other protocols? Did you follow the flowchart?
15:59 <+Eugene> !redirect
15:59 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
15:59 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
16:43 < brokensyntax> Hmm, is there a flag that will move a vpn client to background after it's gotten the privkey password from me?
16:44 < brokensyntax> Normally I use nohup with my alias, but I'm switching all the keys/certs to passworded... so that's not gonna fly.
16:54 <+Eugene> That is an extremely client-specific question. Are you talking about the CLI `openvpn` client? You can background it in your shell, or use a --management interface, or specify a file to --auth-user-pass(possibly needing to recompile, depending upon your package), or.....
17:14 <@dazo> brokensyntax: normally, having --daemon in your config does the trick
17:18 < gmc> ok.. that was weird.. upgraded my openvpn client's mbedtls, which broke the connection.. it seemed to do everything ok, but no traffic going through
17:18 <@dazo> gmc: upgraded from which version to which version?
17:18 < gmc> after several hours debugging i saw openvpn on the client using 90% cpu.. gave up.. reverted the setup back to openssl.. works like a charm again
17:19 < gmc> dazo: 2.4.2 to 2.4.2_1 (the _1 is a freebsd specific version i think)
17:20 < gmc> i guess i should report this somewhere.. but 'm not quite sure wheree :)
17:20 < gmc> i'm on a bit of an unsupported setup with this client (armv5 freebsd)..
17:20 <@dazo> double check the release notes for mbed TLS first ... https://tls.mbed.org/tech-updates/releases/mbedtls-2.4.2-2.1.7-and-1.3.19-released
17:20 <@vpnHelper> Title: mbed TLS 2.4.2, 2.1.7 and 1.3.19 released - Tech Updates (at tls.mbed.org)
17:22 < gmc> i think i should just chalk it up as 'running unsupported platform, strange things gonna happen' and forget about it.. it might be any number of things, in any of the 20 or so projects that are involved in this constellation of software :)
17:26 <@dazo> in this case, as upgrading was from 2.4.2 to 2.4.2_1 - a FreeBSD update with the same mbed TLS base version, I'd report it to FreeBSD package maintainer
17:27 < gmc> who will likely tell me 'ah so you use poudriere to cross-compile a package repo for armv5, which is documented as unsupported by poudriere, and now you complain?' :)
17:28 < gmc> we'll see, i might report it just so it is on the record somewhere tomorrow..
20:19 < nategraf> Hello, I am running OpenVPN TAP bridge as part of a simulated L2 lab environment tunnels users in over the Internet. What I need to achieve full layer 2 access to a particular segment which is determined by the clients CN. I have a flawed design after a month or so of work, but have hit a roadblock. Any clever ideas?
20:46 < nategraf> I know one solution to my problems would appear if I can (transperently to the user) authenticate a client on a master server, then switcheroo with the server which actually provides the tunnel.
20:47 < nategraf> The best option would be to have a dedicated TAP interface serverside for each client, but I have seen some indication this is impossible
20:49 < nategraf> A third option I have thought of would be to control the internal routing table from a program I write myself and have, but I am not sure how feasible this is.
20:49 < nategraf> Does anyone have advice on any of these or another option?
20:51 <@ordex> nategraf: I have seen some VLAN patches floating around - not sure, but maybe that may help creating one TAP vlan per user ? you could have a look at that
20:52 <@ordex> note: this might be false :P
20:52 <@ordex> nategraf: you could also dinamically install iptables rule to allow a given IP only to reach certain networks
20:52 <@ordex> and drop the rest
20:53 <@ordex> (not sure this propoerly apply to your case?)
20:55 < nategraf> ordex: I have been keeping an eye out for the VLAN pacthes, but the only one I saw was described as having cobwebs 5 years ago. Do you know where I can find the one you are talking about?
20:56 <@ordex> nategraf: wait a sec
20:57 <@ordex> nategraf: https://github.com/OpenVPN/openvpn/pull/76 they were refreshed
20:57 <@vpnHelper> Title: Vlan patches v2 by ikelos · Pull Request #76 · OpenVPN/openvpn · GitHub (at github.com)
20:57 <@ordex> not sure it is still the same
20:57 < nategraf> The issue I am having with IP tables is that once it comes out of the TAP interface the only identifier I have is MAC address. This is fine until someone conflicts, then there is no way to resolve it when a user on the serrver-sdie LAN tries to talk to one of them
20:58 < nategraf> ordex: That one looks a lot newer! I'll read through all it provides
20:58 <@ordex> well, yeah, you must have a unique identifier
20:59 <@ordex> in any case, conflicting MAC addresses will break TAP anyway as it is a simple L2 thing, therefore I am not sure you need to care about that case
20:59 <@ordex> nategraf: cool :) let us know if it close to what you need - but it seems so by reading a commit msg on the fly
20:59 < nategraf> See, the issue is my system is for a security senario simulation, haha. So I EXPECT the MAC's to conflict
21:03 <@ordex> yeah, not saying they should not. just saying that if they conflict there are other things that break first, therefore the clients won't be able to talk to the associated network anyway. well, they will be able to send some packets still, so this might be important for your security scenario (dunno :D)
21:42 < nealshire> !welcome
21:42 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
21:42 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
21:46 < nealshire> !goal I want to set up a VPN on my home server that can bypass webfilters at my college
22:44 < Toordog> Eugene  <+Eugene> Toordog - can you access email servers(TCP:25) normally ? Its very common for ISPs to block that.....  ----------  I also own the mail server which is host in another VM on the same barebone server that my OpenVPN VM.   Without VPN, I can reach my mail servers without problem.
22:46 < Toordog> Eugene I also configured my OpenVPN to be a gateway : push "redirect-gateway def1 bypass-dhcp"
--- Day changed Fri Mar 24 2017
01:57 < danci1973> rob0: Regarding UTF-8 characters in SSL CN - I tried it later, and it gives problems...
04:29 < masin> DArqueBishop: I finally found the solution. OpenVPN was innocent, I messed up the interface configuration of two of our servers :-D
05:08 < andi> Hi, I do have a server-bridge setup and I'd like to change the network of the ip pool to use. I changed it from 172.16.245.0/24 to 172.16.246.0/24 by changing this line: server-bridge 172.16.246.1 255.255.255.0 172.16.246.50 172.16.246.80
05:08 < andi> However, when I reconnect to the VPN after restarting the service, I still get a 172.16.245.x address for my client.
05:08 < andi> What's wrong here?
05:09 < andi> I changed the startup script as well so the bridge does have 172.16.246.1 as ip.
07:45 < mrtnt> Is there a Windows TAP driver which supports /31 networks?
07:59 <+rob0> I guess you are talking about p2p mode, otherwise that's kind of silly.  Somehow you came to the idea that the tap driver is the problem, but that is incorrect.
08:14 -!- dougy [~dougy@openvpn/community/support/Dougy] has joined #openvpn
08:32 < mrtnt> rob0: when I try to connect to an OpenVPN server, then I receive a similar error: "There is a problem in your selection of --ifconfig endpoints [local=10.10.10.142, remote=10.10.10.143].  The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver."
08:33 < mrtnt> rob0: In other words, "remote" is the broadcast address in case of /30 network.
08:35 < DArqueBishop> mrtnt:
08:35 < DArqueBishop> !configs
08:35 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:35 <+rob0> Again, it's silly in a server/client context.  It only makes sense in a p2p context.
08:36 <+rob0> So the actual problem is YDIW
08:36 <+rob0> !ydiw
08:43 <+hyper_ch> YDIW?
08:43 <+hyper_ch> you do it wrong?
08:44 <+rob0> yep
08:44 <+hyper_ch> :)
08:44 < DArqueBishop> PEBKAC?
08:44 <+rob0> and it's kind of hard to see into the config beyond the --ifconfig mentioned in the one log message we saw.
08:55 < mrtnt> rob0: hmm..ok. I don't have access to server configuration, but client configuration is following: https://paste.debian.net/plainh/8fe9f75a
08:59 <+rob0> Connection aborted, it does not seem to like lynx.
09:00 <+rob0> Anyway, if you are connecting as a client to a server that wants to do /30, you have to do what the server wants.
09:00 < DArqueBishop> mrtnt: why don't you have access to the server config?
09:01 <+rob0> AGAIN, "/31" (it's not really /31, it is a point-to-point link) only makes sense in p2p mode.
09:02 <+rob0> I'd also suggest to the server admin that s/he is 10 years out of date by using that silly /30 junk.
09:04 < mrtnt> DArqueBishop: because I don't manage this server. Unfortunately it belong to another company.
09:06 <+rob0> You have no choice but to use a config that is compatible with the server to which you are connecting.
09:08 < mrtnt> rob0: in client logs I see that "Received control message: 'PUSH_REPLY,topology net30,...,ifconfig 10.10.10.142 10.10.10.143" so basically the one who manages this server needs to change for example from "ifconfig 10.10.10.142 10.10.10.143" to "ifconfig 10.10.10.141 10.10.10.142".
09:08 < mrtnt> ..or drop this "topology net30".
09:09 <+rob0> !/30
09:09 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
09:09 <+rob0> !net30
09:09 <@vpnHelper> "net30" is (#1) https://community.openvpn.net/openvpn/wiki/273-qifconfig-poolq-option-use-a-30-subnet-4-private-ip-addresses-per-client-when-used-in-tun-mode explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
09:09 <+rob0> !topology
09:09 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
09:21 < mrtnt> rob0: ok, thanks! So I was correct that if "net30" needs to be used, then server needs to be configured in a way that it pushes "local" and "remote" addresses which are not network or broadcast addresses?
09:22 < dougy> wow, i haven't used mIRC in so long
09:22 <+rob0> they might have multiple problems in the server config.  Perhaps it should have been a p2p config.
09:27 < mrtnt> rob0: ok, thanks!
09:43 < DArqueBishop> mIRC is still a thing?
09:56 < ExoUNX> so on OpenVPN Connect on Android 6.0 I get "OpenVPN core error: crypto_alg: RSA-SHA384: not found"
10:42 < brokensyntax> ExoUNX: Interesting, what device, OS, and provider?
10:43  * brokensyntax spinning up a new oVPN server... Deb... Ubuntu... CENT... Arch... what to build.
11:05  * brokensyntax settles in on Debian as it's more widely used in the office.
11:13 < ExoUNX> brokensyntax LG G4, Android 6.0 (LG modified,) and T-Mobile
11:13 < ExoUNX> brokensyntax I think it's H811 model
11:16 < ExoUNX> brokensyntax Debian and make sure you use 2.4!
11:19  * brokensyntax digs through playstore comments.
11:25 < brokensyntax> https://openvpn.net/index.php/component/content/article/119-faq-openvpn-client/533-connect-android-release-notes.html
11:25 <@vpnHelper> Title: OpenVPN (at openvpn.net)
11:26 < brokensyntax> I'm thinking try it with the force aes-cbc directive and view results. (Not sure how to set said directive.)
12:14 < fahmad> hello, can someone tell me is there anyway to upgrade openvpn as without backing up databases ?
12:18 <+Eugene> !as
12:18 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
12:18 <+Eugene> fahmad ^
12:18 <+rob0> oh, I was reading "as" as as, but it's "AS" :)
12:19 <+rob0> too bad we don't have that bit of info in the /topic ;)
12:20 < fahmad> Ok
12:50 < ljvb> craptastic.. netflix just added lighstail to the block list..
12:51 < ljvb> so.. how do I exclude a specific host behind a gateway with an openvpn connection to a VPS where I send all my traffic as the default route
12:52 < ljvb> just need to exclude the IP of my TV
13:16 <+Eugene> ljvb - you need policy routing to do that.
13:16 <+Eugene> !lartc
13:16 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
14:21 < dougquaid> I'm setting up a new server and I don't want to do so insecurely. What is a good cipher to choose?
14:29 < BrianBlaze> Mar 24 15:24:15 bradVPN ovpn-server[2236]: 24.202.233.112:13901 TLS Error: reading acknowledgement record from packet
14:29 < BrianBlaze> how do I troubleshoot this... I feel like I am so close yet so far lol
14:29 < BrianBlaze> can't connect to my server :(
15:00 < kantlivelong> is there a way for openvpn client to execute a script when connected to the server? said script needs access through the gateway
15:04 < BrianBlaze> that probably has more to do with the script than anything
15:06 < kantlivelong> BrianBlaze: im using pfsense and it does have an up command specified but i need to add my own and dont want to modify the system file
15:06 < kantlivelong> doesnt look like i can specify multiple :/
15:08 < kantlivelong> i mean i guess i could
15:10 < kantlivelong> eh doesnt work either it seems. mayb theres a delay
15:13 < mauvehed> is there a known issue with the package repos for debian?
15:14 < mauvehed> while attempting to follow https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
15:14 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
15:15 < mauvehed> I receive errors while attempting to apt-get add the gpg key
15:15 < mauvehed> ERROR: The certificate of 'swupdate.openvpn.net' is not trusted.
15:15 < mauvehed> ERROR: The certificate of 'swupdate.openvpn.net' hasn't got a known issuer.
15:26 < BrianBlaze> ah I got it <3
15:26 < BrianBlaze> lol
15:35 < ExoUNX> brokensyntax same issue
15:36 < ExoUNX> brokensyntax and I don't find RSA-SHA384, seemed like the most secure option on the list for <2.4
15:36 < ExoUNX> I don't find RSA-SHA384 insecure*
17:49 -!- alexandre9099_ is now known as alexandre9099
19:37 < oaks> I have an open vpn client running on ubuntu 14. The uname -a output is, Linux ainur 4.4.0-66-generic #87-Ubuntu SMP Fri Mar 3 15:29:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux. My problem is that the static IP setting is not working for this one client. I set the static ip in the open vpn server administration page for the user in question. But, the client still uses a new and different ip every time it
19:37 < oaks> connects. I have re-set the connection dozens of times, and I'm having to reconfigure my dns each time to ensure connectivity to my science team. This is costing us time. Can you please tell me why this ubuntu instance wont accept a static ip configuration from the Openvpn server running on AWS? I am launching the client via command line with a client.ovpn file.
19:57 -!- a1fa is now known as d1ck
19:59 -!- d1ck is now known as a1f
19:59 -!- a1f is now known as a1fa
--- Day changed Sat Mar 25 2017
10:47 -!- dougy [~dougy@openvpn/community/support/Dougy] has quit [Ping timeout: 256 seconds]
11:22 < mauvehed> So nobody has any idea why the swupdated.openvpn.net servers are throwing cert errors?
11:22 < mauvehed> Nobody else is encountering this?
11:53 <+rob0> "swupdated.openvpn.net" is NXDOMAIN
11:53 <+rob0> "swupdate.openvpn.net" is the commercial download site, which people in this channel are unlikely to ever use.
11:54 <+rob0> One of those two probably explains why nobody else is encountering it.
12:02 <+rob0> well, not NXDOMAIN, as it appears stupid Cloudflare has broken that.  They say some record exists at that name, but I can't find what it is.  Not A, AAAA, CNAME, DNAME, MX, NS, PTR, SPF, nor TXT.  If you ask for "any" you get their HINFO, but if you ask for HINFO, it's not there.
12:09 <+rob0> oh, maybe it's an empty non-terminal
12:11 <+rob0> nope, probably not, as tested with some unlikely names under it :)
15:07 < sparx> any recommendations on where i can read up (rtfm) on port based routing (w/ MASQ) to a openvpn site-to-site tunX ? (better to use server/ifconfig?, which ip to use as router in fwmark's table?, double MASQ?)
15:21 <+Eugene> "port based routing" ? Like, TCP/UDP ports?
15:22 <+Eugene> openvpn is at its basic core a daemon for setting up secure p2p / s2c tunnels. It has the ability to add routing directives for you, but if you want fancy stuff then you should just do it yourself
15:22 <+Eugene> In particular anything involving marked packets / policy-based routing
15:22 <+Eugene> !lartc
15:22 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
15:40 < sparx> thanks, yes, trying to redirect one tcp port away from default gw to a openvpn site to site and out to inet, found something w/ fwmark, but having trouble getting the MASQ to work right
15:55 < sparx> Eugene: thank you! that last link reminded me of rp_filter , which was the last step to get it working. thanks!
16:21 -!- poster is now known as Poster
18:45 < mauvehed> rob0: so nobody here uses the repo's from https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos ? That's what you're telling me?
18:45 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
18:47 < mauvehed> the fact that very repo's published by openvpn are throwing cert errors isn't alarming to anyone else?
18:52 <+rob0> perhaps tone down the drama a bit?
18:52 <+rob0> I use the openvpn from my distro, can't speak for what anyone does or does not do.
18:54 <+rob0> and you said "swupdated.openvpn.net" on your first dramatic entrance; that name does not resolve.
18:57 <+rob0> I get a valid Digicert-CA-signed cert valid until 2020 on https://swupdate.openvpn.net/
18:57 <+rob0> so if you're getting cert errors, no, that is not alarming to me.
20:21 < _ADN_>  whats is needed to the reneg-sec to work?
20:21 < _ADN_> I added the value to 60 and get TLS Error: local/remote TLS keys are out of sync
20:21 < _ADN_> if put to 0 the user is not kick out
--- Day changed Sun Mar 26 2017
02:21 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
02:38 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
02:38 -!- mode/#openvpn [+v RBecker] by ChanServ
04:53 -!- Vampire0_ is now known as Vampire0
10:01 -!- dougy [~dougy@openvpn/community/support/Dougy] has joined #openvpn
11:13 < Randomass> Hi
11:15 < Randomass> !goal
11:15 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:10 -!- aerbax_ is now known as aerbax
16:17 -!- sunrunner20_ is now known as sunrunner20
17:09 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Disconnected.]
17:10 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:10 -!- mode/#openvpn [+v s7r] by ChanServ
17:35 < _ADN_> !reneg
17:35 <@vpnHelper> "reneg" is (#1) by default (in client/server mode) openvpn will renegotiate the tls key hourly. this can be adjusted with the --reneg option, or (#2) this should not be disabled as it is important for !forwardsecurity
17:36 < _ADN_> !forwardsecurity
17:36 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can not decrypt past traffic, or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
18:09 < thereyougo> can I ask about privatetunnel.com service here ?
18:10 < thereyougo> !sweet32
18:10 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
20:35 < thereyougo> I run openvpn and after 2 minutes I got reconnected and this message:
20:36 < thereyougo> Inactivity timeout (--ping-restart), restarting
20:36 < thereyougo> what could cause it and how to not timeout ?
20:36 < thereyougo> is there  some option ?
20:42 < dougy> hello krzee and ecrist
--- Day changed Mon Mar 27 2017
01:39 <+hyper_ch> !configs
01:39 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
02:37 < mjt> hi. when comp-lzo=adaptive, and one of the peers switches to no compression or back to lzo compression, is thee anything in the (debug) log?
07:46 < _ADN_> auth-user-pass and reneg-sec is not compatible?
07:47 < _ADN_> I have a plugin that ask a two password checks
07:47 < _ADN_> Error --> TLS Error: local/remote TLS keys are out of sync
08:54 < ExoUNX> I'm gonna have to chalk this up as an error with OpenVPN Connect on Android
08:55 < ExoUNX> how do I submit a bug report for OpenVPN Connect, I'm here - https://community.openvpn.net/openvpn/report/17
08:55 <@vpnHelper> Title: {17} Active OpenVPN Connect Tickets by Version – OpenVPN Community (at community.openvpn.net)
08:56 <@ordex> !as
08:56 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
08:56 <@ordex> ExoUNX: ^^
08:57 < ExoUNX> aww, I'm kind of sad OpenVPN Connect isn't part of the open source segement
08:57 < ExoUNX> segment *
08:59 <@ordex> I know there is another app being opensource, but hten it's up to you
08:59 <@ordex> *then
11:50 < errqre> Is there a way to assign the client the same address on the vpn as it would pull locally?
11:51 < errqre> I'm rather new to this - server is on debian, the client is an android phone
12:00 < ExoUNX> so OpenVPN Connect really falls under "paid?"
12:00 < ExoUNX> I only see Private Tunnel
12:00 < ExoUNX> their paid VPN solution
12:01 < errqre> !welcome
12:01 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
12:01 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
12:03 < ExoUNX> errqre what do you mean? I'm a bit confused by your question
12:04 < ExoUNX> errqre are you asking to assign static IPs on the client side?
12:04 < DArqueBishop> ExoUNX: it does, though it's fully capable of connecting to open source OpenVPN servers.
12:05 < DArqueBishop> I use OpenVPN Connect on my iOS devices to connect to my VPN server.
12:05 < ExoUNX> DArqueBishop is OpenVPN for Android a better alternative?
12:05 < ExoUNX> DArqueBishop that's an off-topic question of course
12:06 < DArqueBishop> ExoUNX: I don't use Android, so I can't answer that.
12:06 < ExoUNX> Is there an open source alternative to OpenVPN for iOS/Android?
12:06 < DArqueBishop> OpenVPN for Android is open source, I believe. There isn't an open source version for iOS due to App Store restrictions.
12:07 < DArqueBishop> errqre: do you mean the same IP address altogether, or an IP address in the local subnet?
12:08 < DArqueBishop> The answer to the former is "no", and the answer to the latter is, "Yes, through bridging, though in most cases you don't really want to do that."
12:08 < DArqueBishop> It would help if we knew why you were asking.
12:09 < errqre> I had a lengthy reply that I just cleared out, you answered it - I was looking for #1
12:10 < errqre> So the tun requires a separate subnet. I'll have to make my scripts smarter to find out if the phone is connected locally or across the vpn.
12:49 < PGNd> Is there an openssl 1.1 compatibility effort/branch for OpenVPN yet?  I did find a Sep 2016 thread that said N/A ... but no newer comments.
12:50 < PGNd> Any status/info?
14:08 < oaks> hey, can anyone tell me why my open vpn ubuntu client wont accept its static ip? i have configured the server to give that user a static ip but it alwasy gets one from the dhcp range. any advice?
15:27 < oaks> yo yo yo, put down da blow and let me know
15:28 < errqre> OpenVPN isn't starting. I have the config file right (I think), and sudo systemctl restart openvpn shows 'stopped' and 'started' in syslog, but there's no process, the port is closed, and there isn't another interface with the 10.8 address
15:36 < errqre> Got it: sudo su -; openvpn --config /path/to/config told me what the issue was
16:09 < nacelle> oaks: maybe turn up logging on both sides to see if there are specific rejection messages, etc.?
17:07 <@dazo> errqre: which distro are you on?
18:06 -!- dougy [~dougy@openvpn/community/support/Dougy] has quit [Ping timeout: 258 seconds]
20:32 -!- plai [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 240 seconds]
20:33 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
20:33 -!- mode/#openvpn [+o plaisthos] by ChanServ
21:04 < thereyougo> anyone here ?
21:06 < thereyougo> I use some putlic VPN service and I got config file config.ovpn for openvpn, so I run the command: "openvpn --config config.ovpn" and for every VPN connection it gives me different ip adresses, is there a way to choose some particular ip address from the list ?
21:07 <+rob0> ask your provider
21:08 < thereyougo> I mean the config file contains this line: "remote node01.vpnhosting.com 1194 udp" so as I understand it first resolves "node01.vpnhosting.com" to ip and then uses that ip, so should I just replace that name with actual ip I want inside that config file ?
21:08 -!- alexandre9099_ is now known as alexandre9099
21:08 < thereyougo> can I not change config file and use some command line option instead ?
21:08 <+rob0> oh.  Sure, that should work, unless for some reason known only to your provider, it might not.
21:09 <+rob0> maybe they are changing the addresses for that record, for example
21:10 <+rob0> --remote on the command line overrides "remote" lines in the config file, IIRC
23:54 < thereyougo> thanks
23:56 < thereyougo> by the way if the line in config looks like:
23:56 < thereyougo> "remote node01.vpnhosting.com 1194 udp"
23:56 < thereyougo> so on command line I should use:
23:57 < thereyougo>  --remote "remote node01.vpnhosting.com 1194 udp"
23:57 < thereyougo> or its something like:
23:57 < thereyougo> --remote "node01.vpnhosting.com" --port 1194 --protocol "udp" ?
23:57 < thereyougo> rob0:
--- Day changed Tue Mar 28 2017
02:20 < thereyougo> why auth-token option is undocumented ?
02:22 < thereyougo> on that page http://community.openvpn.net/openvpn/wiki/SWEET32
02:22 <@vpnHelper> Title: SWEET32 – OpenVPN Community (at community.openvpn.net)
02:23 < thereyougo> it says its undocumented
03:09 <@ordex> thereyougo: hm, maybe the page is old
03:11 < thereyougo> yes, because its also says 2.4 is not yet released and the only way to get it is from git
03:11 < thereyougo> by the way you think its still safe to use openvpn-2.3.11 ?
03:14 <@ordex> quite old, no? if you want to use 2.3, you should use the latest release
03:14 <@ordex> where important bugfixes have been squashed in
03:15 < thereyougo> it give me VPN, so it works  is it so bad ?
03:17 <@ordex> you might be exposed to critical bugs
03:17 <@ordex> then it's up to you to decide
03:17 <@ordex> you can do whatever you want :P
05:40 < mrtnt> OpenVPN server pushed me following routes: https://paste.debian.net/plainh/00f0852b However, for some reason, Windows does not seem to use correct route. How to explain this behavior? Or is it possible that 10.7.3.146 and 10.7.3.129 are the same machine and thus the routing issue is in my VPN provider network?
07:24 < lg188> Hello?
07:26 < lg188> !welcome
07:26 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
07:26 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
07:27 < lg188> !goal create subnets on one interface
07:27 < lg188> !goal
07:27 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:37 <+rob0> you're telling humans your goal, not a machine; you will have to elaborate
07:38 <+rob0> not '!goal <whatever>' - the bot doesn't understand that
07:42 < lg188> Okay, Eh well simply put, I have two groups of clients, one consinsts of "servers" and the other of users. I need the users to be able to connect to the servers.
07:43 < lg188> But the catch is that the server should not be able to iniate any connection
07:44 < lg188> I currently try to do that with two subnets, and try to route between them, and using iptables to filter out the traffic
07:47 < lg188> rob0: or was that too elaborate?
07:49 <+rob0> what problem did you encounter?
07:50 <+rob0> Only catch when firewalling openvpn is that you must not enable:
07:50 < lg188> So far the routing doesn't work out of the box
07:50 <+rob0> !client-to-client
07:50 <@vpnHelper> "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other
07:50 <@vpnHelper> clients
07:51 < lg188> So client to client overrides the kernel routing
07:51 < lg188> take makes a _lot_ of sense
07:53 < lg188> The routing aside, the clients don't recognise the subnets I'm not sure if I'm not forgetting anything
07:54 < lg188> so they don't know where to put their traffic on
07:54 < lg188> if it's outside their own subnet
07:54 <+rob0> !serverlan
07:54 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
07:55 <+rob0> This ^^ flowchart might help
07:55 < lg188> !ipforward
07:55 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
07:55 < lg188> Mhm, I use one interface currently
07:57 < lg188> I mean a client, right
07:57 < lg188> it recognises it's own subnet, but not the other
07:57 < lg188> so it doesn't get sent on the tun0 interface
08:02 < ashka> hi, how can I add a local route when using redirect-gateway def1 ? I'd like 224.0.0.0/24 to be on the local network
08:17 < _ADN_> !linipforward
08:17 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
08:38 < lg188> Okay, so I managed to get the traffic to work, I'm pretty sure my iptables config is faulty
08:38 < lg188> Any tips for that?
08:48 <+rob0> #Netfilter /topic has some guidance, and that channel is probably a better place to proceed
08:55 < lg188> Okay, thank you for helping me. you saved me from doing something impossible :0
08:55 < lg188> :) *
08:57 < MacGyver> How can anyone save someone from doing something that is impossible to do in the first place? ;)
09:28 < jim-p-work> Quick question: On the community downloads page, for 2.3.14 the -I6xx installers are linked at -I601, but the -I0xx installers are -I002. The -I602 installers are at http://swupdate.openvpn.org/community/releases/ - Is there some reason those are not linked on the download page? I couldn't find any info on the forum/changelog/etc.
09:28 <@vpnHelper> Title: Index of /community/releases/ (at swupdate.openvpn.org)
09:29 < jim-p-work> Didn't know if they were considered harmful or problematic in some way or if it was an oversight.
09:52 <+rob0> perhaps there is no automation of the wiki?
09:52 -!- dougy [~dougy@openvpn/community/support/Dougy] has joined #openvpn
09:57 <+rob0> lg188, ^^ !linipforward, above
09:58 < mipo01> hi, I would like to ask what is the meaning of Last ref in ROUTING TABLE status. Thanks!
09:58 <+rob0> I don't know where you are seeing that.
09:59 < mipo01> In openvpn-status.log file or management console
10:01 < lg188> thanks rob0
10:01 < mipo01> I guess is somehow related to activity of routing table but I am more curious what exact event is triggering the update of this timestamp
10:04 < mipo01> i tried to google it but mo luck
10:06 < mipo01> usually all the clients has this time stamp up to date with current time but I have one with last week time stamp
10:39 < mipo01> still searching, it's not even mentioned in manual
10:45 < jim-p-work> Look at the source, it appears to be the last time openvpn looked up the route
10:45 < jim-p-work> https://github.com/OpenVPN/openvpn/blob/4cd4899e8e80efae03c584a760fd107251735723/src/openvpn/multi.c#L1106
10:45 <@vpnHelper> Title: openvpn/multi.c at 4cd4899e8e80efae03c584a760fd107251735723 · OpenVPN/openvpn · GitHub (at github.com)
10:45 < jim-p-work> https://github.com/OpenVPN/openvpn/blob/4cd4899e8e80efae03c584a760fd107251735723/src/openvpn/multi.c#L1185
10:45 <@vpnHelper> Title: openvpn/multi.c at 4cd4899e8e80efae03c584a760fd107251735723 · OpenVPN/openvpn · GitHub (at github.com)
10:57 < mipo01> jim-p-work: Thanks a lot ;)
10:58 < wknapik> hi
11:00 < wknapik> when i create tun device using openvpn --mktun and pass --user foo --group foo, user foo still doesn't have permission to set the tx queue length on that device.
11:01 < wknapik> when running openvpn as user foo, that causes "ERROR: Cannot set tx queue length on tun666 : Operation not permitted (errno=1)"
11:01 < wknapik> ioctl(5, SIOCSIFTXQLEN, {ifr_name="tun666", ifr_qlen=100}) = -1 EPERM (Operation not permitted)
11:01 < wknapik> am i missing something here ?
11:02 < wknapik> weren't the --user/--group switches supposed to allow me to do this as an unprivileged user ?
11:03 < wknapik> the same problem occurs when i just use ip/ifconfig as that user (ip link set dev tun666 txqueuelen 100)
11:08 < mjt> well, that's a kernel thing, no?
11:10 < wknapik> mjt everything eventually boils down to a kernel thing
11:10 <+rob0> the only way I know to do that is to start as root, use capabilities
11:10 < wknapik> mjt but the openvpn man page says for --user: Optional user to be owner of this tunnel.
11:11 < mjt> and?
11:11 < wknapik> mjt is that really happening ?
11:11 <+rob0> such as how named(8) does it, keeping only the capability of binding a privileged port
11:11 < mjt> wknapik: as you figured out, not every option can be set
11:11 < wknapik> rob0 the whole point of what i'm doing is not to run as root. i'd rather not set txqueuelen at all, than run as root.
11:12 < mjt> so don't set it? :)
11:12 < wknapik> ;/
11:12 < mjt> or you can set it before
11:12 < mjt> probably, I don't know
11:12 < wknapik> mjt so you're saying this is correct/expected behavior
11:12 < wknapik> ?
11:12 <+rob0> ownership of a tun device does not impart superuser capabilities to the owner.
11:13 <+rob0> so, yes.
11:13 < mjt> sigh. If you want a manpage to be correct to last bit and cover every tiny issue, I'm not with you, I've more interesting things to do :)
11:13 < wknapik> rob0 so there will be no better way to handle this, than to run `ip' as root after the device is created ?
11:14 < mjt> I'm sorry if that look sharp.. not intended :)
11:14 < wknapik> mjt no worries ;]
11:14 < wknapik> btw, systemd doesn't allow you to set txqueuelen in the .netdev file, so you have to find a place to run a script as root to set it.
11:15 < mjt> systemd .netdev does not allow many things
11:15 < wknapik> ye, apparently ;/
11:15 < mjt> i had to switch to old good ways back from .netdev
11:16 <+rob0> Not knowing the requirements, I am unable to advise on the best way to proceed.
11:18 < wknapik> that's ok
11:18 < wknapik> thanks to both of you
11:18 <+rob0> yw
11:19 < wknapik> i guess some advice could eventually be added to the UnprivilegedUser wiki, since everyone running as an unprivileged user will see this error message
11:19 < mjt> I guess it's not often when openvpn is started as non-root
11:19 <+rob0> maybe few are needing to set tx queue length
11:19 < wknapik> rob0 openvpn does it blindly
11:19 < wknapik> rob0 on startup
11:20 < wknapik> so even if you don't care about the setting, you'll see the error message
11:39 < wknapik> does anyone here know how relevant the setting actually is ? openvpn does it unconditionally.
11:40 < wknapik> i only found one "natural language" entry in the openvpn source about this: Configure Linux tun/tap driver to use a more sensible
11:40 < wknapik>   txqueuelen default.  Also allow explicit setting
11:40 < wknapik>   via --txqueuelen option (Harald Roelle).
11:40 < wknapik> is Harald here by any chance ?;]
11:44 < wknapik> well, not quite unconditionally, but at least by default
12:18 <@ordex> wknapik: why do you want to change the txqueuelen ?
12:18 < wknapik> ordex openvpn wants to change it
12:19 < wknapik> ordex look at your own openvpn log and you'll see it too ;]
12:20 <@ordex> naughty boy :P will check
12:46 < nb> why does openvpn windows prompt me for username/password when I am using SSL?
12:46 < nb> it seems to require that i type *something* in, but it will proceed no matter what I type in
14:07 < lg188> I think I have my routing on my server config wrong, because the traffic only sends between the server and the clients. the clients can't ping to each other at all
14:24 < DArqueBishop> lg188: do you have "client-to-client" in your server config?
14:41 < |Mike|> .
15:11 -!- Vampire0_ is now known as Vampire0
15:23 < lg188> DArqueBishop: I removed it because it messed with iptables
15:23 < DArqueBishop> It's needed for clients to be able to communicate with one another.
15:23 < DArqueBishop> !c2c
15:23 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
15:23 <@vpnHelper> behind other clients
15:24 < DArqueBishop> Or maybe not.
15:24  * DArqueBishop shrugs.
15:24  * DArqueBishop idles once more.
15:28 < lg188> I appreciate it though
16:21 < simplisity> Hi. I have a remote AWS VPC environment on 192.168.0.0/16.  I would like to run a OpenVpn (TUN) from the office to the VPC.  Problem is that due lack of planning, the office is also on 192.168.0.0/16 .  Is there a way to work around this?
16:25 < nacelle> you could nat everything into another private /16 and know that its that way, but its a kludge.
16:26 < nacelle> like when using the vpn, you would access 172.16.0.1 and it would nat to 192.168.0.1 in your VPC
16:26 < nacelle> but thats not... ideal.
16:36 < simplisity> nacelle, so, i am trying to determine if i should invest the time in rebuilding the remote network on a different subnet.  My hunch is that I should.
17:32 < nacelle> I think so
18:01 <@dazo> DArqueBishop: --client-to-client is only needed if you want OpenVPN to be the router ... and IIRC, it only works with TAP (or was it TUN, I always mix them in this context) ... without it, you need to allow the forwarding on the OS level, including opening up the firewall for traffic coming in and going out at the tun/tap adapter
18:15 < daemon> simplisity, renumber one of the lans
18:15 < daemon> it will be alot less headache
18:15 < simplisity> daemon, unfortunately, AWS does not allow that
18:16 < daemon> simplisity, not that I would demand your wrong but that would be bloody suprising
18:16 < daemon>  /16 is pretty big mind you
18:16 < daemon> you sure they both need the full /16
18:16 < daemon> most lans are /24's
18:17 < daemon> large office?
18:17 < simplisity> that is a good point... many AWS services require that 2 "zones" be provisioned for purposes of failover/redunancy/etc... so, i have each zone as a /24 within the /16 network.
18:17 < simplisity> the office network has maybe 500+ devices
18:18 < daemon> configure the office lan as a /20 or so and use the unused subnets as the /16's on your AWS zones?
18:18 < daemon> would have no issues then
18:18 < simplisity> i dont have any control over the office lan.. i can only control the AWS network
18:19 < simplisity> although i do agree that would have been a good idea
18:19 < daemon> hmm
18:19 < daemon> tricky one
18:19 < simplisity> heh yeah.. im paying the price for poor planning on this one
18:20 < simplisity> i should have thought of this before i made the AWS network
18:20 < simplisity> but now, we are are about 40 servers deep into the aws system
18:21 < simplisity> and the AWS docs basically say "sorry you are screwed. start over!"
18:21 < daemon> I have an idea I *THINK* no idea how viable this is as I do not use AWS
18:21 < daemon> can you add a second vpn, that connects to your office that is number 10.0.0.0 or something else
18:21 < daemon> so that each server has a secondary access ip?
18:23 < daemon> not ideal, but its the least hacky solution I can think of
18:23 < daemon> also splits your work traffic (aws vpn) away from your office traffic which may be useful for various things at some point
20:07 < nacelle> using 10.0.0.0/16 to match the 192.168.0.0/16 is asking for the same problem down the road :-)
20:08 < nacelle> i'd just renumber the AWS stuff into high order 10.x or 172.x
--- Day changed Wed Mar 29 2017
03:21 < lg188> Is there something I need to consider with routing on the same tun interface on the server?
03:21 < lg188> I already took out client-to-client to allow the iptables to function
04:20 < lg188> !goal I want configure routing on a client
04:21 < lg188> (because it seems like it doesn't work)
04:26 < lg188> Yeah, so the 10.0.0.0 subnet hosts don't get configured to sent 10.1.0.0 to the tun0
04:27 < lg188> I used `iroute 10.0.0.0 255.255.0.0` on my office config
04:27 < lg188> and `iroute 10.1.0.0 255.255.255.0` on my other
05:41 < bluudz> hello everyone. Anyone could help me for a minute.
05:41 < bluudz> Just started my vpn server, but when I'm connecting to it I'm getting warning about weak cipher
05:42 < bluudz> WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
05:42 < bluudz> Not sure how to exactly improve the strenght of it.
05:43 < bluudz> Server is on Debian 8 and loggin in from win client machine
05:50 <@plaisthos> !sweet32
05:50 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
05:51 <@plaisthos> read that link
05:58 < thereyougo> how to connect to VPN client from outside ?
05:59 < lg188> how do you mean outside thereyougo ?
06:00 < thereyougo> Client -> VPN server -> Inernet
06:00 < thereyougo> from Internet to Client
06:01 < thereyougo> I heard about port forwarding, so one need to use iptables or its about settings in VPN server config ?
06:01 < thereyougo> I mean can Client receive connections from Internet ?
06:01 < thereyougo> he is visible only by his VPN ip so nothing can be done ?
06:02 < lg188> Yeah, it's possible
06:02 < lg188> I think with nat or ethernet bridging
06:02 < lg188> depending on what you expect
06:03 < thereyougo> so openvpn server doesn't have any options for that ?
06:03 < lg188> It does, I just don't know myself
06:03 < lg188> Sorry
06:05 < thereyougo> you are sorried
06:05 < lg188> I think you mean forgiven
06:06 < thereyougo> sorriedsorriedsorriedsorriedsorriedsorriedsorried
06:06 < thereyougo> wasn't intentional
06:06 < thereyougo> my paste buffer stuck
06:07 < lg188> eh, Okay
06:18 < tx> right..
06:24 <@plaisthos> thereyougo: that is outside of openvpn's scope
06:24 <@plaisthos> that is just "normal" IP routing/forwarding/NAT
06:25 <@plaisthos> E.g. if you give your clients public IP addresses and route them normally they are reachable from the outside without any change
06:34 < bluudz> Hello guys. Anyone could advice me how to change cipher on server/client to avoid SWEET32? I'm new into openvpn settings and want to be sure not to screw anything.
06:41 <@ordex> !sweet32
06:41 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
06:44 < lg188> one of the clients thinks the other subnet needs it's traffic to be on eth0 instead of tun0
06:44 < lg188> what am I missing?
07:10 < lg188> I have to manually add ip addr add 10.1.0.0/24 dev tun1 for it to recognise
07:14 <@plaisthos> see route
07:14 <@plaisthos> and push
07:14 <@plaisthos> e.g. push "route 10.1.0.0 255.255.255.0 vpn_gateway"
07:17 < lg188> I have a server with 10.0.0.0, route with 10.1.0.0 and a push with both of those
07:17 < lg188> is that the right way?
07:27 < lg188> nope, somehow the servers in 10.0.0.0/16 don't get the right routing table still
07:38 < lg188> plaisthos: still nothing...
08:01 < lg188> Oh well, I just added a custom up script that adds it
08:10 < DArqueBishop> bluudz: it's pretty straightfoward. On the config files for the server and clients, simply set the cipher parameter to something stronger, like "cipher AES-256-CBC".
08:30 < bluudz> <DArqueBishop> And what config files are those? .ovpn files?
08:31 < DArqueBishop> ... yes,
08:36 < lg188> Is  there a tool to turn certificates into a ovpn file?
08:38 < DArqueBishop> lg188: cut and paste?
08:38 < DArqueBishop> Er, copy and paste.
08:39 < DArqueBishop> That's pretty much what I did to add the certs/keys in-line to my OpenVPN configs.
08:39 < lg188> well, I need to automatise it
08:57 <@dazo> lg188: ovpn file is a configuration file ... certificates are most commonly text files with PEM formatted data
08:57 <@dazo> lg188: they are not the same ... but you need both
08:58 <@dazo> you can however embedd PEM data into .ovpn configs ... look for the "INLINE FILE SUPPORT" in the man page for more info
08:59 < lg188> dazo, that was what I was aiming for
08:59 < lg188> but i was hoping there was  a tool to streamline the process
09:39 < bluudz> Hmm anyone has an idea whats causing Wed Mar 29 16:34:59 2017 read UDP: Connection reset by peer (WSAECONNRESET) (code=10054) ?
10:19 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 246 seconds]
10:25 < bluudz> Is there any massive difference running ovpn via UDP/TCP? Apparently the error I'm getting is because UDP is not handling the traffic well.
10:25 < bluudz> Could I just switch to TPC?
10:25 < bluudz> TCP*
10:26 <@ordex> bluudz: UDP is preferred, but if you are having troubles .. well then I think you should try to switch
10:26 <@ordex> although I'd suggest to try understanding why it does not work (maybe some firewall does not like the traffic)
10:47 < bluudz> There is only UFW and that is set correctly to have 1194/UPD open
10:47 < DArqueBishop> !tcp
10:47 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
10:47 < bluudz> Strange is that I have restarted server before and it was connecting fine, but now its doing same error again
10:51 < bluudz> Also I have second VPN server which I have set very same and that one is working ok.
11:17 <+rob0> Looks like the peer, or some firewall between you and the peer, is limiting the UDP.
11:17 < bluudz> Only 1194 port has to be open right?
11:18 < bluudz> I'm checking against the setting of my other VPN server and everything seem to be set up same
11:19 <+rob0> server:1194 --> client:random-high-port
11:19 < bluudz> What does random high port mean?
11:19 < bluudz> That could be the problem
11:19 < bluudz> But why would it work with other VPN server is mistery
12:07 < DArqueBishop> The first question would be, "What's different about the one that works?"
12:16 < kOiki> hello
12:17 < kOiki> May I ask if there is a way to reload a server instance config without kicking out all connected users?
12:18 < kOiki> google didn't help me on this and a systemctl reload openvpn kick everybody out
12:20 < zoredache> don't think so.
12:21 < kOiki> hum that's always anoying to kick users out
12:26 < bluudz> <DArqueBishop>I'm trying to figure that out last two hours. Don't see any difference in settings.
12:57 < kOiki> !welcome
12:57 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
12:57 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
12:58 < kOiki> !goal
12:58 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:59 < kOiki> !goal I would like to reload an instance without kicking out the clients
13:32 <+rob0> !seen krzee
13:32 <@vpnHelper> krzee was last seen in #openvpn 6 weeks, 4 days, 23 hours, 50 minutes, and 38 seconds ago: <krzee> !speed
14:06 < HankMoody> Wow, krzee has been gone a cool minute.
14:13 <+rob0> out of character for him
14:15 < HankMoody> Very much so, I've been in and out of here quite a few times and this is the fist time I can recall not seeing him in here.
14:20 <+rob0> When lilo (freenode founder) died, his IRC client was still running, connected, like a ghost.
14:21  * nacelle misses lilo
14:21 <+rob0> Not that krzee has died ... he wouldn't do that. :)  But sometimes I wonder, "what if," and how would we know?
14:23 < HankMoody> Totally. I've been looking for a guy I met on here something like 11 years ago and nobody in the IRC channel has seen him in a long ass time and his AIM client is still up, but I never got any messages back.
14:24 < nacelle> a million years ago, during the time of efnet and a linux irc network having weird feuds and frequent ddos induced netsplits, chanops takeovers and such... lilo and I discussed having a regulated network where folks could just get out their ideas, and still have folks around to take care of the nuisance folks who will show up.  it would require somethign to handle nick registrations and the like.
14:24 < nacelle> i'm glad we had that conversation
14:27 <+rob0> it mostly works well!  Still have the pea-brained attackers trying to mess it up, but overall it holds up.
14:32 < andocromn> I'm having as issue starting an openvpn server.  the log shows Error: private key password verification failed
15:09 < _ADN_> !masquerade
15:11 < _ADN_> on the tun0 I have 10.11.100.X and on the eth0 from the host 10.100.11.X
15:11 < _ADN_> I need to add this line for it to work
15:12 < _ADN_> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
15:12 < _ADN_> can I keep the tun0 address all the way (for the internal network)0
15:31 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:31 -!- mode/#openvpn [+v s7r] by ChanServ
15:42 <@dazo> _ADN_: sounds like your routing or firewalling is not correct if you need such a crude MASQ hack
15:42 <@dazo> !serverlan
15:42 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
15:42 <@dazo> !clientlan
15:42 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
15:42 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
15:44 <@dazo> _ADN_: but to answer your last question, yes, you can keep the VPN addresses all the way ... even LAN addresses behind VPN clients and VPN server; it just needs proper routing and firewalling
17:11 < _ADN_> ok
17:12 < _ADN_> thx for the info
17:12 < modernbob> I have been using openvpn for a few weeks. so does openvpn share web or other data with anyone
17:15 < _ADN_> !route_outside_openvpn
17:15 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
17:17 < modernbob> TAP/bridging is almost always a bad idea   <-- i see this in my network settings
17:43 < _ADN_> !route
17:43 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
17:57 < Algernop> ?factoids
17:57 < Algernop> !factoids
17:57 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
18:42 < magyar> hi, how can I force the client to route all the traffic through the openvpn server?
18:58 < Eugene> !redirect
18:58 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
18:58 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
19:25 < magyar> thank you Eugene
22:09 -!- ShapeShifter499 is now known as ShapeShifter500
22:11 -!- ShapeShifter500 is now known as ShapeShifter499
23:27 -!- alexandre9099_ is now known as alexandre9099
--- Day changed Thu Mar 30 2017
00:20 -!- K1rk_ is now known as K1rk
03:31 < dakar> how can i make computer names (netbios?) resolve to ips on a network accessible through openvpn?
03:31 <+hyper_ch> dakar: when you create a new client cert you have to give it a name
03:31 <+hyper_ch> I think you can ping those names
03:32 <+hyper_ch> not sure if that helps
03:32 <+hyper_ch> also, you can push the openvpn servers IP as dns server
03:32 <+hyper_ch> and if the server has the resolution in the hosts file for example it can ping them
03:32 < dakar> it's not about dns, it's something else that i'm not sure the name of
03:33 < dakar> when you have a computer on the same LAN with a name work-pc, that usually resolves to the lan ip of that computer, regardless of the DNS
03:33 < dakar> openvpn technically creates a secondary lan that you're part of, but the computers there aren't accessible like that
03:34 <+hyper_ch> I fail to see the problem
03:35 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
03:35 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
03:35 -!- mode/#openvpn [+v s7r] by ChanServ
03:35 <@dazo> dakar: what you describe sounds like the SMB name resolver (Windows file sharing), that is limited to within the same subnet (unless you add some SMB proxies) .... If you rather use WINS, then that works very well across subnets out-of-the-box
03:36 < dakar> i'll look into that.
03:36 <@dazo> (If I have understood things correctly, newer Windows versions do deprecate WINS in favour of DNS as well ... but I believe that requires a properly configured AD)
03:37  * dazo is no real Windows user ... just knows a few things about the "tip of the iceberg" :)
03:37 <+hyper_ch> I'm glad dazo is so Windows proficient and knows what dakar talks about
03:37 <@dazo> heh :)
03:38 <@dazo> hyper_ch: that's just flashback of the trauma years I was forced to maintain Windows clients :-P
03:39 <+hyper_ch> "maintain" - optimistic choice of expression
03:39 <@dazo> lol ... true .... you know how it is with memories?  Each defeat is remembered as a glorious moment :-P
03:40 <+hyper_ch> yeah.. I never got rejected by girls... it was always me who rejected them.... ;)
03:40 <@dazo> :-D  _exactly!_
05:43 <+hyper_ch> dazo: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096 --> why are those groups more resistant to attacks than randomly generated ones?
05:43 <@vpnHelper> Title: Security/Server Side TLS - MozillaWiki (at wiki.mozilla.org)
05:49 <@dazo> hyper_ch: that I don't know ... syzzer, do you know?  ^^^
05:50 <+hyper_ch> if that is true, then shouldn't the ovpn wiki advise to use those instead?
05:54 < lg188> How do you tell opevpn to give a host in a specific subnet?
05:55 < lg188> because I had it yesterday, but today it stopped working
05:55 <+hyper_ch> to give a host in a specific subnet?
05:59 < lg188> to give an ip to a host*
06:00 < lg188> depending on the cn
06:00 <+hyper_ch> !ccd
06:00 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
06:00 <+hyper_ch> you can do it there
06:00 < lg188> Yeah, I have the ccd set up
06:01 <+hyper_ch> e.g.   ifconfig-push 10.0.8.7 255.255.255.0
06:01 < lg188> but I don't know how to get it to give all users with a specific cn to be in a different subnet
06:01 <+hyper_ch> and the filename in the ccd must much the cert host name
06:01 < lg188> so one cn, one subnet
06:01 <+hyper_ch> no idea there
06:01 < lg188> not just statically link the ip
06:03 < lg188> Something like an ip pool I guess
06:04 < lg188> but last time I tried that it complained that the statement couldn't be combined with the server statement
06:33 < lg188> rob0: any idea?
09:07 < lg188> or anyone else?
10:01 -!- moderntoast is now known as modernbob
12:27 < SineDeviance> hi all. i've setup an openvpn server and it's running, but i cannot connect to it from my client. i get "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)"
12:51 < SineDeviance> nevermind, i figured it out
13:03 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 276 seconds]
13:03 -!- simplisi- is now known as simplisity
13:05 -!- Guest16289 [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
13:05 -!- mode/#openvpn [+o Guest16289] by ChanServ
13:07 < SineDeviance> exit
13:07 < SineDeviance> whoops. sorry!
13:43 -!- Netsplit *.net <-> *.split quits: @Guest16289
13:44 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
13:45 -!- mode/#openvpn [+o dazo] by ChanServ
18:29 < Daemonik> I am attempting to use OpenVPN 2.4.1 on MacOS and Amazon Linux.   OpenVPN server is running on Amazon Linux.    When I run OpenVPN client on another Amazon Linux instance, the OpenVPN client creates a tunnel interface but does not bring the tunnel interface up and does not assign an IP.
18:29 < Daemonik> I have a directive in the OpenVPN server config "server 10.80.0.0 255.255.0.0"
18:31 < Daemonik> When I manually run "ifconfig tun2 inet 10.80.0.3 netmask 255.255.0.0 up" on the system the OpenVPN client is running on, I am able to connect to daemons running on the OpenVPN server at 10.80.0.1
20:09 < studi__> I seem to be having an issue downloading a torrent using openvpn.. are there proxy settings i need to set on bittorrent?
20:10 <@ordex> studi__: openvpn is just another network interface (like using wifi instead of Ethernet), no need to set a proxy
20:11 <@ordex> Daemonik: does the log say anything ?
20:11 < studi__> interesting.  Torrents will download when VPN is disabled. But will have no traffic when connected. not even the metadata will download.
20:12 <@ordex> studi__: maybe there is some firewalling on the VPN server ?
20:12 < studi__> OpenVPN should allow p2p traffic?
20:14 < studi__> i also tried a couple different torrent programs. same issue.
20:14 <@ordex> studi__: per se it does not block anything
20:14 <@ordex> it is just a tunnel interface
20:14 <@ordex> the problem must be on top of it
20:14 < studi__> hmm...
20:15 <@ordex> did you check if there is any firewall rnning on the VPN server thay may block torrents?
20:16 < studi__> im actually not sure how to check.
20:17 < studi__> i would think windows would be fine ( as it works with VPN off)
20:18 < studi__> and i do have access to the internet with it enabled... just not with torrent clients
20:18 < studi__> i just assumed it was a port issue.
20:21 < mattwj2002> hi all
20:21 < mattwj2002> :)
20:32 -!- poster is now known as Poster
--- Day changed Fri Mar 31 2017
00:45 < eagles0513875> hi guys where does openvpn gui on windows store the imported configs for ones tunnel
01:05 < HankMoody> eagles0513875: By default it should be in "C:\Program Files\OpenVPN\config\client.ovpn"
01:05 < eagles0513875> thanks HankMoody will check and let you know
01:05 < eagles0513875> HankMoody: its not there
01:05 < eagles0513875> its just a readme
01:07 < HankMoody> one second let me power up my Windows laptop
01:07 < HankMoody> I'm assuming Win10 right?
01:07 < HankMoody> And I guess I should have clarified further, this is for OpenVPN CLIENT right?
01:12 < eagles0513875> HankMoody: win 10 64bit
01:12 < eagles0513875> openvpn gui
01:12 < eagles0513875> i couldnt find the client to download in all honesty
01:13 < HankMoody> https://openvpn.net/index.php/download/community-downloads.html
01:13 <@vpnHelper> Title: Community Downloads (at openvpn.net)
01:17 < eagles0513875> god the website needs some major work done i could hardly read the text of for the different options
01:18 < eagles0513875> thanks for that link btw HankMoody
01:19 < HankMoody> No problem. Dropping your client.ovpn file in there should be pretty self explanatory. On my Win10 machine I tossed it in my user's My Documents or whatever the hell Microsuck calls it now.
01:20 < eagles0513875> lol
01:20 < eagles0513875> then what about mac shame there is no client for it as i have mac's as well
01:20 < HankMoody> Use Tunnelblick on OS X
01:20 < HankMoody> What I use.
01:23 < HankMoody> But, that's it for me. Tired, gonna go play some Madden and go to bed, good luck and if you still need help in the morning I'll be back on about 1100GMT probably.
01:28 < eagles0513875> HankMoody: ok thanks im using tunnelblick on osx too
01:28 < eagles0513875> thanks
03:29 < lg188> hiy
03:36 < lg188> is there any way to see in the logs if the server sends the ccd config ?
03:37 < lg188> because apparently it doesn't assign an ip to one of them
04:25 < lg188> Actually, the configuration totally ignores my ccd
04:28 < ld50> !welcome
04:28 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
04:28 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
04:43 < lg188> this isn't a goal, this is a problem
04:44 < lg188> but whatever, it won't hurt
04:44 <+hyper_ch> what names do the files in your ccd have?
04:44 <+hyper_ch> !configs
04:44 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
04:45 < lg188> the cn names of the certificates
04:46 < lg188> !ccd
04:46 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
04:47 < lg188> does it have to be the relative directory or is a full path okay?
04:48 <+hyper_ch> both works
04:49 < lg188> does it say anything different when it uses the ccd file?
04:49 < lg188> in the logs?
04:49 <+hyper_ch> !configs
04:49 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
04:51 < lg188>  https://paste.pound-python.org/show/npNBkg4JBFquYmFSUzbz/
04:52 <+hyper_ch> the ccd?
04:53 < lg188> Yeah, It seems to be ignored, but I'm trying to see if it actually is
04:53 <+hyper_ch> you didn't post the ccd
04:53 < lg188> it's just ifconfig-push 10.0.0.6 10.0.0.5
04:54 < lg188> different ips for the office one
04:54 < lg188> first 0 is a 1
04:56 <+hyper_ch> first 0 is a 1?
04:56 < lg188> 10.1.0.6 10.1.0.5
04:57 <+hyper_ch> and shouldn't the entry rather be  ifconfig-push 10.1.0.6 255.255.255.0 ?
04:57 < lg188> !ifconfig-push
04:57 <+hyper_ch> also weird that you have the server in a different subnet than the clients
04:57 < lg188> https://openvpn.net/index.php/open-source/documentation/howto.html#policy
04:57 <@vpnHelper> Title: HOWTO (at openvpn.net)
04:58 <+hyper_ch> e.g. I have
04:58 < lg188> says to use the pair thing, not a netmask
04:58 <+hyper_ch> server 10.0.8.0 255.255.255.0
04:58 <+hyper_ch> push "route 10.0.8.0 255.255.255.0"
04:58 < lg188> The server is supposed to be on 10.0.0.1
04:58 <+hyper_ch> what is 10.0.0.1?
04:59 < lg188> an ip address
04:59 <+hyper_ch> no idea
05:00 < lg188> very confusing
05:04 <+hyper_ch> works fine for me:  https://paste.simplylinux.ch/view/5ee149cd
05:05 < lg188> I'm glad your configuration works for you
08:08 < wingnut> hi, can the server use different per client --reneg-sec ?
08:16 < mva> hi there!
08:18 < mva> advice me, please, if it is okay to just drop user's key from keydir (and restart openvpn) to forbid access, or it is really necessarily to generate CRLs? :)
08:20 <@ecrist> mva: dropping the key from the keydir will have no affect on openvpn
08:21 <@ecrist> there's two things you can do to block a user from access
08:21 <@ecrist> 1) revoke their certificate via the CRL
08:21 <@ecrist> 2) leverage CCD entries and add "DISABLED" to the entry for that user.
08:22 <@ecrist> 3) utilize a separate --client-connect script that disconnects users that have disabled accounts.
08:22 < mva> ok, thanks // Although, I didn't fully understand about CCD, but I'll go to read about that. Thanks again.
08:23 <@ecrist> ccd == --client-config-dir
08:23 <@ecrist> this is a directory that has configuration files that are unique to specific clients
08:23 < mva> Although, just blitz-question: so, it is no way to just make openvpn to forget about some user like they was never added? :)
08:23 <@ecrist> the files are named to match the CN of the user certificate.
08:23 <@ecrist> no, there's no way except for the CRL
08:24 < mva> ok, thanks :)
08:24 <@ecrist> OR, you could start an entirely new CA and certificate chain.
08:25 <@ecrist> and in the CCD entry, you need "disable" not "DISABLED"
08:25 <@ecrist> see the --disable option in the man page.
08:26 <@ecrist> fwiw, this is specifically talked about (with examples) in the Mastering OpenVPN book JJK and I co-authored.
08:26 <@ecrist> !books
08:26 <@ecrist> !book
08:26 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) a troubleshooting guide for OpenVPN by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
08:26 <@ecrist> !forget book 3
08:26 <@vpnHelper> Joo got it.
08:27  * DArqueBishop doesn't understand the reluctance towards a CRL.
08:27 <@ecrist> !learn book as Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
08:27 <@vpnHelper> Joo got it.
08:31 < lg188> Oh wow
08:31 < lg188> That's the future
08:31 < lg188> nice
08:31 <@ecrist> lg188: I just got my copies of the book this week.  They officially start shipping tomorrow.
08:32 < lg188> Interesting
08:33 < DArqueBishop> ecrist: Congrats. :-)
08:36 < wingnut> hi, can the server use different per client --reneg-sec ?
08:37 <@ecrist> wingnut: see the man page
08:38 < wingnut> a simple yes or no would suffice ...
08:39 < wingnut> and the man page does *NOT* answer the question
08:40 <@ecrist> sure it does
08:40 <@ecrist> Also, keep in mind that this option can be used on both the client and server, and whichever uses the lower value will be the one to trigger the renegotiation. A common mistake is to set --reneg-sec to a higher value on either the client or server, while the other side of the connection is still using the default value of 3600 seconds, meaning that the renegotiation will still occur once per 3600 seconds. 
08:40 <@ecrist> The solution is to ...
08:40 <@ecrist> ... increase --reneg-sec on both the client and server, or set it to 0 on one side of the connection (to disable), and to your chosen value on the other side. 
08:41 <@ecrist> So, if you bother to read that, the answer is "yes"
08:41 <@ecrist> with caveats
08:55 <+hyper_ch> ecrist has TARDIS-capabilities :)
09:19 < jsyn> Is it possible to bridge two subnets where one is being used by OpenVPN for a routed VPN (TUN)? I see in the docs on openvpn.net that the VPN server subnet (192.168.1.x) must advertise to the client subnet (192.168.2.x) with a config of `push "route 192.168.1.0 255.255.255.0"`, but I'm still not able to see 192.168.1.2 on the 192.168.2.x client. Did I miss a step?
09:19 < jsyn> ref: https://openvpn.net/index.php/open-source/documentation/howto.html#scope
09:19 <@vpnHelper> Title: HOWTO (at openvpn.net)
09:22 < wingnut> the man page does *NOT* answer the question of if the server can use different --reneg-sec per client
09:22 < wingnut> but I will take your 'yes' as that it can
09:23 < hlysig> Is there any way to force clients (some magic config lines) to force dns changes that are pushed from the server?
09:23 < hlysig> Without up/down scripts.
09:24 < jsyn> ( Logs for my config in question above can be seen here: https://pastebin.com/raw/a81E6qF7 )
09:30 < wingnut> hlysig: is that a linux client ? if so you should find /etc/openvpn/update-resolv-conf to do that via client --up/--down
09:30 < hlysig> What about osx clients?
09:30 < hlysig> Given that I want to support both?
09:30 < wingnut> sorry, don't know
09:31 < hlysig> ok, thanks
09:31 < wingnut> you could try that on OSX as well
09:31 < wingnut> let me know what happens :)
09:31 < wingnut> then I'll know too
09:31 < hlysig> I installed the client via Homebrew, and these script did not ship with that.
09:32 < wingnut> ok .. then i really don't know
09:39 < wingnut> 4jsy: have you read http://openvpn.net/index.php/open-source/documentation/howto.html#scope
09:39 <@vpnHelper> Title: HOWTO (at openvpn.net)
09:39 < wingnut> jsyn: ^^
09:41 < jsyn> wingnut: yep. that's what I referenced above
09:43 < wingnut> jsyn: you are confusing the terms: bridge and route .. it is really one or the other not both
09:44 < jsyn> ah. so you can _only_ bridge with TAP? Is there any way at all to expose servers on one subnet to the other? I thought that was when the doc meant by "expand the scope of the VPN so that clients can reach multiple machines on the server network, rather than only the server machine itself"
09:44 < jsyn> as in, client on 192.168.2.x can reach 192.168.1.2 if it is advertised somehow
09:45 < jsyn> so if it is the terminology i'm getting lost at, is it possible to route from one subnet to the other?
09:52 <@ordex> jsyn: yes and this is mostly unrelated to openvpn (unless the subnet is behind a client)
09:53 <@ordex> assuming you have a subnet A behind the server, then it's matter of routing and ibjecting routes properly (there is NAT involved, possibly on both sides (?) but depends on your exact setup)
09:53 <@ordex> !route
09:53 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
09:54 < DArqueBishop> !serverlan
09:54 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
09:56 < jsyn> Thanks guys. You've given me a lot of new avenues to look into. I was following a DD-WRT guide and am coming from a PPTP setup prior, so this is immensely helpful (if not more dense)
10:00 < DArqueBishop> jsyn: if it helps, the one "gotcha" I find people tripping over is that if the OpenVPN server is not the default gateway on the subnet it's trying to push to clients, then that default gateway needs to be told to send traffic for the VPN subnet to the OpenVPN server.
10:06 < jsyn> DArqueBishop: that makes sense. I was trying to access my router (the VPN server host) at the VPN server address (192.168.2.1), so it makes sense that it wouldn't be there when you mention this
10:19 < jsyn> DArqueBishop: is there an easy way to test that the `push "route 192.168.1.x 255.255.255.0"` works? should it be as simple as being able to load a resource from that subnet?
10:19 < jsyn> (looking at the flow chart you provided)
10:23 <@ordex> jsyn: ping a host in that subnet ..
10:23 <@ordex> that's the easiest test you can do when trying to reach something
10:25 < jsyn> ah. total packet loss. guess it isn't working the way i'd hoped.
10:26 <@ordex> I'd agree
10:39 < wingnut> jsyn: with DD-WRT there us usually some kind of bridge built in to the router but you can still run openvpn without --server-bridge + tap .. just use --server tun as usual
11:25 < jsyn> follow-up: something was haywire in my iptables on the VPN server.. running `iptables -F; iptables -I FORWARD 1 --source 192.168.2.0/24 -j ACCEPT` got everything working just fine. now I'm trying to slowly figure out which of the pre-existing rules is causing the issue
11:34 -!- IMATE is now known as zz_IMATE
11:45 -!- zz_IMATE is now known as IMATE
11:53 < sibiria> !welcome
11:53 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
11:53 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
11:57 < sibiria> !goal i'd like to know if there's some way to have openvpn still being able to delete/restore routes/interfaces when running as unprivileged user, as it insists on doing that because it thinks options changed between reconnects
11:59 < sibiria> my client has a set of two <connection> it tries indefinitely until one works. if i gently close the server it connected it, it moves on to the next <connection> perfectly fine in redundant fasion
12:00 < sibiria> but when its connection times out from some network problem, openvpn screws up and can't move on, eventually just exiting
12:02 < sibiria> because it insist a bunch of pulled options changed on restart
12:03 < sibiria> and that it "will need to close and reopen tun/tap devices", which is where it shits itself
12:06 < wingnut> sibiria: lol
12:11 < sibiria> wingnut: got anything more constructive? :)
12:30 < wingnut> sibiria: "shits itself" is very difficult to diagnose ..
12:33 < sibiria> it exits with failure because it wants to restore ROUTE_GATEWAY and it doesn't have permissions for doing that
12:33 < sibiria> as it's running as nobody/nobody
12:33 < sibiria> https://pastebin.com/raw/DTxdBEdX
12:33 < wingnut> oh
12:34 < wingnut> there is a plugin called down-root.so i believe
12:34 < sibiria> i can't understand why openvpn fails with manipulating the routes and the tunnel interface when the connection times out, but manages to do it just fine and move on to the next <connection> when it's the server closing it gently
12:34 < wingnut> once you drop privs openvpn cannot remove the routes
12:34 < sibiria> yeah, understood
12:35 < sibiria> it should have permission to manipulate the interface it brought up, as it sets an address for it and adds routes
12:35 < sibiria> but on a timeout, that very same action fails
12:36 < wingnut> you are using --user + --group which drop privs but they do not get retored without the plugin
12:37 < wingnut> so .. if the vpn goes then the process will fail
12:37 < sibiria> yes
12:37 < sibiria> technically, the vpn goes away when i close the connection on the server side, too
12:38 < sibiria> openvpn has no problems establishing the next <connection> in that case
12:38 < sibiria> how come?
12:39 < wingnut> !logs
12:39 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
12:39 < sibiria> it's up there
12:39 < sibiria> the pastebin.com link
12:44 < wingnut> NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
12:44 < wingnut> and pow !
12:49 < sibiria> yes, i'm aware of that. it's bound to happen as openvpn moves on to the next <connection>
12:51 < sibiria> the question remains, why does it need to close/reopen tun in this case, when the connection times out, but not when *i* close the connection?
12:52 < sibiria> when i simulate a network failure by closing the server on the opposite end, openvpn happily moves on to the next configured <connection> which will also result in different options
12:53 < wingnut> i doubt that is true .. but if you want to paste a complete log i'll take a look
12:54 < wingnut> remove your private data
12:55 < sibiria> true? i've toyed around extensively with this to make sure it's as redundant as can be and it works just fine
12:55 < sibiria> i can't simulate it right now because the client machine needs steady access to the VPN on the other end right now
12:56 < sibiria> the two redundant openvpn servers in my end handle a random number of clients each, and even operate on different subnets, so at the very least ONE pushed detail is different each time (what's being fed to ifconfig)
12:58 < sibiria> i solved the problem for now by simply making systemd restart the service on failure. clumsy, but it works
12:58 < wingnut> i reasonable sure that would cause the same error
12:58 < wingnut> but i could be wrong ..
13:01 < sibiria> i'll take a look at that down_root.so module, thanks for the advice on that
13:01 < sibiria> have a nice one
13:08 -!- IMATE is now known as zz_IMATE
13:13 < ender`> the new OpenVPN GUI notification area icon is too similar to the Windows 10 network icon
13:13 < Daemonik> I want to use OpenVPN to access my LAN when I am outside of my LAN.   I want my OpenVPN daemon to be running at all times so I am "always on" my LAN even when I am away.    However, when I am on my LAN, how can I prevent unnecessarily routing to my LAN through my OpenVPN tunnel?
14:11 < ender`> Daemonik: where's your openvpn server running?
14:12 < ender`> if it's on your router, the easiest is to disable access to OpenVPN port from LAN
14:28 < Daemonik> ender`: I have an OpenVPN daemon running on a Linux box here on my office LAN.    I want my users to be able to go between their home and this LAN.   The OpenVPN daemon runs on their system at all times.
14:29 < Daemonik> I just tested what happens when an OpenVPN server does "push route 172.2.0.0/16 255.255.0.0" to my OpenVPN client (running on my LAN) and resources on my LAN are still accessible on my machine.   In this test, 172.2.0.0/16 is my LAN, and the OpenVPN server is not on my LAN.   I think things will just seamlessly work okay any way.
15:31 < wingnut> ecrist: Options error: option 'reneg-sec' cannot be used in this context (CCD)
16:09 < lordarkmemo> Hi, i set a vpn tunnel (tun) between a server (cloud-ubuntu) and client (laptop-mint).  I use the authentication (tls) and everything works perfectly.  But when i disconnect the vpn and reconnect again i lose the internet access, not the tunnel.  I have to restart the laptop to regain access to internet.
16:16 < lordarkmemo> there is any option that i have to set/unset to avoid internet connection?
16:18 < wingnut> !welcome
16:18 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
16:18 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
16:19 < wingnut> !1925
16:19 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
16:21 < wingnut> !networkmanager
17:23 < CheckYourSix> Hi all. I'm getting no internet after I connect to OpenVPN.
20:03 < ExtraSteve> Is it possible to be connected to a Cisco VPN (via anyconnect) while also being connected to an OpenVPN?
20:04 < ExtraSteve> My cisco network has a specific subnet, so I was thinking I might be able to do some clever routing so anything directed to 192.168.200.* gets routed to the cisco network
20:04 < ExtraSteve> And then everything else goes through the openvpn
20:04 < ExtraSteve> But I'm not certain of how to set up that kind of routing... or if it's even possible
20:18 -!- Vampire0_ is now known as Vampire0
20:29 < DArqueBishop> ExtraSteve: in my experience, the likely scenario is that once AnyConnect connects, it will redirect all internet traffic through itself. You may end up looking at a conflict anyway.
20:31 < ExtraSteve> I actually kinda have it working right now...
20:31 < ExtraSteve> It's a PITA, but it works :p
20:34  * DArqueBishop nods.
20:44 < ExtraSteve> Apparently I can connect via anyconnect first, reset dns (because mac), then connect to openvpn afterwards
20:44 < ExtraSteve> Can't go the opposite way around though
20:45 < ExtraSteve> cisco refuses to connect and it clobbers the routing table when it attempts to
20:45 < ExtraSteve> Which kills openvpn
21:57 < nacelle> use one virtual machine with cisco vpn and another vm with the openvpn vpn :-)
22:04 <@ordex> ExtraSteve: on linux ?
--- Day changed Sat Apr 01 2017
00:48 -!- sunrunner20_ is now known as sunrunner20
01:12 < SteveDeFacto> Is airvpn better than strongvpn?
01:29 <+hyper_ch> 42
02:05 < nacelle> yes and no and also maybe
02:07 < HankMoody> In running an OpenVPN server & client at the same time, I haven't gotten past the obvious (if not difficult in this case) hurdle of being able to log into the server when I am connected to an external VPN server (my monthly I get with my usenet membership). The external client connection is on port 8888 and my VPN server is the default 1194 (I've tried changing the port but it makes no difference).
02:13 < nacelle> try changing the servers tun device?
02:14 < nacelle> they're probably conflicting
02:14 < HankMoody> Yep, I've got the server at tun10 just to make sure it will never conflict.
02:15 < HankMoody> client just grabs the lowest one and goes with it. I've got issues of it connecting after I disconnect from the first attempt, but I'll figure that out after I get this sorted.
02:17 < nacelle> does the usenet vpn tunnel everything?
02:20 < HankMoody> I believe so. As far as setting it up via openVPN the only things other than pointing to the server key I just have to enter the user/password and specify port and TCP connection.
02:21 < HankMoody> Also when I turn off the VPN, bandwidth I/O stops entirely then picks back up.
02:28 < nacelle> that probably wont work then if the usenet thing tunnels everything
02:28 < nacelle> you packets would come in to the box but the response would go out the tunnel route, no?
02:31 < HankMoody> Yeah, I got to thinking on that, I wonder if I can just tunnel a few different processes and leave part of the connection open. Would they come in, or would it just block everything? e.g. if I tried to just ssh in I would get endless timeouts.
02:32 < HankMoody> I guess I'll have to install a NIC specifically for the server portion of it. I hope I've got enough PCI slots for it.
02:33 < nacelle> why another nick?
02:33 < nacelle> nic
02:34 < nacelle> you can just adjust the route I believe
02:34 < nacelle> or try maybe not tunneling everything
02:34 < HankMoody> Oh shit, if there's a way to adjust the route, then I'm in.. I found this exact same question on Stack Exchange but I just didn't fully grasp what some of the values he added to iptables were
02:34 < HankMoody> Let me find the link....
02:35 < HankMoody> http://unix.stackexchange.com/questions/352841/openvpn-client-and-server-on-same-machine-server-doesnt-allow-connections-whe/355218#355218
02:35 <@vpnHelper> Title: iptables - OpenVPN Client and Server on same machine - Server doesnt allow connections when client is connected - Unix & Linux Stack Exchange (at unix.stackexchange.com)
02:36 < nacelle> [ usenet dojo ]---(( internet-of-cats ))---[ your router ]---[ vpn server/client ]
02:37 < nacelle> [ openvpn client ]---(( /// cats \\\ ))
02:37 < nacelle> notice how both the openvpn client and the usenet dojo are on the left side of your router?
02:37 < nacelle> everything from your server will go out that same router
02:38 < HankMoody> yeah I understand how routing works. I've got a bunch of forwarding setup inside the router, I just don't understand how IPtables can help me do that.. I've never even really comprehended what the hell it does; but I do know it can be/is used as a firewall for the system.
05:03 -!- davimore__ is now known as davimore
08:32 < HankMoody> ..
08:34 -!- davimore_ is now known as davimore
10:58 < nacelle> rules for packets as the pass into or out of the box
10:58 < nacelle> so to speak
10:58 < nacelle> you can transform them, block them, accept them, etc.
11:01 <@ordex> HankMoody: ^^ I think it was for you :)
11:03 < nacelle> oh right its been a few hours sorry, yes that was
12:38 < sunrunner20> does anybody see anything wrong with this config? https://www.dropbox.com/s/qzfisnly3zs9lbh/openvpn.zip?dl=0 Symptomps are I can pass traffic through the 192.168.0.2 gateway, but can't _access_ the gateway
12:39 < sunrunner20> DNS or interface
12:42 < |Mike|> you can't reach 10.8.0.1?
12:43 < |Mike|> or 192.168.0.2?
12:44 < sunrunner20> 192.168.0.2
12:45 < sunrunner20> its the default gateay, I can get internet through it
12:45 < sunrunner20> but any services _on_ the box are no go
12:45 < |Mike|> but it's on a different subnet imho
12:45 < sunrunner20> nno
12:46 < sunrunner20> that config should be handing out 192.168.0.240-249 addresses
12:46 < sunrunner20> or is it 225
12:46 < |Mike|> the dropbox .zip is horrible to read on windows
12:48 < sunrunner20> download it and extract it? or here: https://gist.github.com/sunrunner20/e778ad5f8fa1856f80165be923decefa
12:48 <@vpnHelper> Title: server3.conf · GitHub (at gist.github.com)
12:50 < sunrunner20> ignor ethe last line
12:50 < sunrunner20> was an attempt at a fix that completely didn't work
12:58 < sunrunner20> well
12:58 < sunrunner20> i've gotta head out for a while
12:58 < sunrunner20> PM me if anything comes up
14:06 < ExtraSteve> ordex: sorry for the delay: macos
14:34 < zxd> hi
14:34 < zxd> where can I read about port-share
14:34 < zxd> my organization only allows http/https connections to a proxy that also allows only connections to 443 or 80
15:04 < zxd> hi
15:05 < zxd> how to configure private tunnel to use local http_proxy
15:25 < katakaio> zxd: If you're trying to connect to an openvpn server thru an http proxy, start here: https://openvpn.net/index.php/open-source/documentation/howto.html#http
15:25 <@vpnHelper> Title: HOWTO (at openvpn.net)
15:49 < synfinatic> so i'm trying to figure out why my openvpn server is not forwarding traffic from behind my openvpn client (a dd-wrt).
15:49 < synfinatic> if I NAT traffic on my dd-wrt to be the IP of the PtP link, it will forward
15:50 < synfinatic> i have the client-config-dir entry for my dd-wrt on the server and the server seems to be learning about the network behind it
15:50 < synfinatic> i see the traffic from behind the dd-wrt when I tcpdump on the tun0 interface on the server
15:52 < synfinatic> i did a nice long post on forums.openvpn.net but still waiting for a moderator to approve it
15:53 < synfinatic> anyone with any ideas/suggestions?   with the iroute entry not showing up in the OS routing table and no errors even at log level 6, I'm not sure what to do next
15:56 < katakaio> synfinatic: your dd-wrt is the client, but your server is *behind* the dd-wrt?
15:56 < synfinatic> dd-wrt is the vpn client.  server is totally different network
15:56 < synfinatic> there are clients behind the dd-wrt which don't have openvpn
15:56 < katakaio> Ah, ok. That makes much more sense!
15:57 < synfinatic> so yeah, it works fine if I double NAT, but seems that routing would be better
15:59 < synfinatic> basically i want wifi clients behind the dd-wrt to access the internet via the VPN so they appear to be the openvpn server
16:01 < katakaio> synfinatic: That's beyond my expertise...but it sounds like it might be appropriate for #dd-wrt
16:01 < synfinatic> well the problem is on the server end.  i see the traffic on the server come in on the tun0 interface, but openvpn isn't routing it to eth0
16:02 < katakaio> Hmm. When that happens to me, iptables is usually my first stop
16:10 < synfinatic> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
16:10 < synfinatic>  pkts bytes target     prot opt in     out     source               destination
16:10 < synfinatic>     0     0 ACCEPT     all  --  tun0   eth0    172.16.2.0/24        0.0.0.0/0            ctstate NEW
16:10 < synfinatic>  162K  147M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
16:10 < synfinatic>  2348  187K ACCEPT     all  --  tun0   eth0    10.8.0.0/24          0.0.0.0/0            ctstate NEW
16:12 < synfinatic> as far as I can tell, that means openvpn isn't forwarding the packets from the network behind the dd-wrt (172.16.2.0/24)
16:23 < katakaio> synfinatic: Do you have net.ipv4.ip_forward=1 set in your sysctl.conf file?
16:28 < katakaio> If that checks out, the next stop is to see if/how you've set up masquerading
16:31 < synfinatic> yep, i have ip_forward enabled
16:31 < synfinatic> Chain POSTROUTING (policy ACCEPT 1580 packets, 185K bytes)
16:31 < synfinatic>  pkts bytes target     prot opt in     out     source               destination
16:31 < synfinatic>  4191  449K MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
16:33 < synfinatic> as I said before, if I enable NAT on the dd-wrt to rewrite my client's to appear to come from 10.8.0.5 (PtP interface on the dd-wrt for the VPN) everything works
17:55 < synfinatic> oh, i figured it out.  i needed a 'route 172.16.2.0 255.255.0' in my server config
18:13 < |Mike|> synfinatic: hehe, nice that you solved it yourself :-)
18:13 < synfinatic> yeah.  finally.  don't want to admit how long it took me :)
18:14 < |Mike|> we've all been there, done that ;-)
18:18 < synfinatic> ok, one more reboot of my dd-wrt to make sure I got this all dialed in...
20:13 < |Mike|> aye.
22:02 < pakcjo> Hello, I'm trying to connect to a server and it fails telling me that the server's certificate was self signed... Is there a way to by pass this?
22:30 < HankMoody> nacelle: Sorry it's been all day, been busy. Thank you for elaborating on that earlier (iptables) at some point in time would you have a few moments to perhaps assist me with setting iptables up to try and get the client/server feeding the packets their proper way?
23:34 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
23:36 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
23:36 -!- mode/#openvpn [+o krzee] by ChanServ
--- Day changed Sun Apr 02 2017
01:18 < nacelle> i'm not a pro with routing tables
01:18 < nacelle> i'm also sick, but sure, ask away
01:19 < nacelle> ehrm, routing domains
01:19 < nacelle> routing tables yes
01:19 < nacelle> i may be too sick to be of much use
01:24 < eagles0513875> hey guys i have the latest version of the windows client and all i have to connect with is the openvpn gui and i cant find where it puts the imported connections so I can remove them
01:42 < eagles0513875> hi nb
10:11 < rizonz> hi guys, I see some issues lately on my client losing the set DNS servers from openVPN and getting the DNS servers from the local router again
10:13 <@ordex> rizonz: maybe the dhcp client resets them after the lease time ?
10:17 < rizonz> ordex: could be, but that would be on the ovpnserver side ? sometimes it happens really a couple of times after eachother
10:17 <@ordex> rizonz: dhcp from your router I meant
10:17 < rizonz> and I need to reconnect and sometimes the connect is slow as well, hangs or doesn't give DNS at all showing the logs, so I need ot reconnect again and then it's fast
10:17 <@ordex> well, that might be another problem
10:17 <@ordex> first I'd focus to understand on what is overwriting the DNS server
10:18 < rizonz> yeah I'm curious
10:18 <@ordex> and to me it sounds like the dhcp client gets a new lease from the router (but I might be wrong)
10:18 <@ordex> the system log should clarify that
10:18 <@ordex> when you see the change, you may check the log and see if there is any dhcp activity (Assuming that you normally see it)
10:19 < rizonz> on the client or in the ovpn log on the client ?
10:21 < rizonz> don't see a thing in windows about, only my dns errors
10:35 <@syzzer> dazo, hyper_ch: those *might* be better.  But the fact that openvpn has always advised to use random parameters did block the logjam attack (https://weakdh.org/)
10:35 <@vpnHelper> Title: Weak Diffie-Hellman and the Logjam Attack (at weakdh.org)
10:36 < lorimer> things i hate today: windows routing tables
10:38 <@syzzer> if I were to advise someone right now, I'd follow the trend to use the larger IETF groups, and advise them to use ffdhe3072. (the security gain of 4096 is not so clear, but it is does cost you performance)
13:22 <+hyper_ch> syzzer: ffdhe3072?
14:34 < mator> so, still 2 instances of openvpn on different protocols? udp vs tcp
15:14 < mator> how do i get out of linear mode of ipv6 network allocation to clients? (starting from 1000)
15:14 < mator> ::1000
17:35 -!- F2Knight is now known as F2Knight[away]
18:51 < TheAbraxas> Anyone around? I'm having some difficulty setting up an OpenVPN server on windows - it looks like the documentation i have refers to an easy-rsa version which is no longer bundled with the project?
18:52 < TheAbraxas> and then when I downloaded the easy-rsa stuff from github it looks like it's not compiled
18:52 < TheAbraxas> so my main question is can I use cert manager on windows to generate my certs or would that not be importable to OpenVPN and, if not, are there any good resources for figuring out how to do the config with the standalone easyrsa?
18:52 < TheAbraxas> article which appears to be dated: https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide
18:52 <@vpnHelper> Title: Easy_Windows_Guide – OpenVPN Community (at community.openvpn.net)
--- Day changed Mon Apr 03 2017
00:31 < xz> hi there, I'm new to openvpn world. Just installed openvpn on server and on client, I run on server: sudo openvpn --dev tun1 --ifconfig 10.9.8.1 10.9.8.2 and on client: sudo openvpn --remote <SERVER-IP> --dev tun1 --ifconfig 10.9.8.2 10.9.8.1
00:31 < xz> everything seems smooth
00:31 < xz> but my browser still shows client ip instead of server ip
00:31 < xz> I thought it would be plug&play
01:06 <@ordex> xz: routing it's plug&play when it's configured properly :P
01:06 <@ordex> if there is no routing entry telling your traffic to go through the vpn, it won't go on its own
01:06 <@ordex> there is an option in openvpn to set this up for you. you may want to read about --redirect-gateway in the man
01:06 <@ordex> !def1
01:07 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
01:07 <@ordex> xz: ^^^
01:48 < xz> ordex: tried with '--redirect-gateway' and '--redirect-gateway def1' and browser doesn't pick it up
01:49 < xz> ordex: ssh also dead
01:55 < xz> ordex: I don't understand it. From VPS I can easily for instance ping google.com. From my laptop I can do the same. Once I set up VPN on both, VPS (server) and laptop (client), I no longer have internet access.
01:56 < xz> ordex: --redirect-gateway adds entries to 'ip route' so in theory everything is fine
01:58 < xz> ordex: that's the log on client: https://pastebin.com/tzsSEuKc
02:43 <@ordex> xz: is the server configured to behave as a gateway for the clients ?
02:43 <@ordex> this is not something that openvpn can take care of. it's your server configuration that needs to be properly setup
02:59 < xz> ordex: what would that be? routing table?
02:59 <@ordex> xz: when you have a GW in a network, it needs to allow forwarding and usually provide NAT
02:59 <@ordex> you can find this online, it is not about the VPN at all
02:59 <@ordex> it's something you would do when configuring a GW in a LAN
03:00 < xz> ordex: is it like turning my VPS into the router?
03:00 <@ordex> yap
03:00 <@ordex> for the network behind the VPN basically
03:00 < xz> ordex: so the keyword here is 'how to turn VPS into gateway' ?
03:00 <@ordex> !nat
03:00 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
03:01 <@ordex> maybe this can help :)
03:01 < xz> ordex: alright, I will try that
03:01 <@ordex> xz: is not necessarily about "VPS", but yes, those are pretty much ok I believe
03:01 <@ordex> xz: if you read the message above, you have other commands you can use to ask the bot about more info
03:57 -!- Alchemy is now known as daemon
09:09 <+hyper_ch> !reneg-sec
09:13 -!- Captain_Beezay is now known as \-__-_____----_
09:16 <+hyper_ch> dazo: who writes the openvpn android client?
09:16 <+hyper_ch> for some reason on LineageOS 14.1 with OVPN client activated, I can't download from playstore anymore
09:19 <@dazo> hyper_ch: which one?  openvpn connect or "openvpn for android"?
09:19 <+hyper_ch> dazo: openvpn connect
09:20 <+hyper_ch> this only happened when I started using LineageOS 14.1 (Android 7.1)... before I was using Cyanogenmod (Android 6)
09:20 <@dazo> that's the openvpn corp people ...
09:20 <+hyper_ch> so is openvpn for android better?
09:21 <+hyper_ch> openvpn connect was just simple to use.. embed keys/certs in the file and point to it
09:21 <@dazo> openvpn connect is based upon the openvpn 3 code base, with a close source GUI on top of it.  The "openvpn for android" uses the openvpn 2.3 code base, and the GUI is completely open sourced (and available via F-Droid as well as Play Store)
09:21 <@dazo> openvpn 2.4 code base!!!!
09:21 <@dazo> actually, openvpn git-master to be honest
09:25 <+hyper_ch> so also 3.x code base? oO
09:26 <@dazo> hehe ... nope ... git master is what will become openvpn 2.5
09:26 <@dazo> openvpn3 is a completely different code base, even a different code reops
09:26 <@dazo> repos
09:26 <+hyper_ch> oh I see
09:28 <@dazo> openpvn 2.x is written in C ... OpenVPN 3 Core (which the more "official" name is), is more like a C++ library providing OpenVPN functionality ... but OpenVPN 3 clients can connect to 2.x servers, unless you're using some really special 2.x features
09:30 <+hyper_ch> dazo: I've only used the openvpn connect client on droid this far :) never had issues
09:30 <+hyper_ch> except now with lineageos 14.1 / android 7.1
09:30 <+hyper_ch> everything seems to work, except can't download from playstore hwne openvpn is running
09:30 <+hyper_ch> really weird though
09:31 <@dazo> I can check out internally if anyone have seen this issue
09:31 <@dazo> otherwise, please file a bug for this ... it is odd
09:32 <@dazo> which Connect version do you run, hyper_ch?
09:33 <+hyper_ch> v1.1.17 build 76, 3.0.12
09:33 <@dazo> thx!
09:33 <+hyper_ch> may 24, 2016
09:34 <+hyper_ch> file bug where?
09:34 <+hyper_ch> !bug
09:34 <@ecrist> hyper_ch: trac
09:34 <@dazo> that sounds old though ....
09:34 <+hyper_ch> current playstore version
09:34 <@dazo> (but that can be the a reference to the Core, not the UI)
09:51 <+hyper_ch> dazo: btw, you've seen this https://be5invis.github.io/Iosevka/ ?
09:51 <@vpnHelper> Title: Iosevka (at be5invis.github.io)
09:52 <+hyper_ch> pongering to use it as default
09:58 <@dazo> hyper_ch: font?
09:58 <+hyper_ch> yep
09:58 <+hyper_ch> I think it looks nice.. .saw it on hacker news on saturday I think
09:59 <@dazo> ahh ... Wll, don't care much about fonts unless I need to do some design work somewhere .... which is very seldom
09:59  * dazo likes daemons, running in the background doing magic stuff
09:59 <+hyper_ch> but for coding it look snice :)
10:00 <@dazo> Emacs fonts looks nice too :-P
10:00 <+hyper_ch> Demons run when a good man goes to war
10:00 <@dazo> that's demons ... not dAemons :-P
10:00 <+hyper_ch> dazo: :)
10:01 <+hyper_ch> Night will fall and drown the sun
10:01 <+hyper_ch> When a good man goes to war
10:01 <+hyper_ch> daemons is like demons but with a spelling error
10:01 <@dazo> http://www.differencebetween.com/difference-between-daemon-and-vs-demon/
10:01 <@vpnHelper> Title: Difference Between Daemon and Demon (at www.differencebetween.com)
10:02 <+hyper_ch> ha, never knew the origin of daemon
10:02 <@dazo> ;-)
10:02 <+hyper_ch> thought it ws just a spelling error for demons
10:02 < DArqueBishop> hyper_ch: it's not daemons you need to worry about. It's cloister wraiths.
10:02 <+hyper_ch> you mean the Weeping Angels?
10:02 <@dazo> nope ... in the *nix world, it has been daemon since the very beginning ... I've even been annoyed by some magazines writing it as dæmon
10:03 < DArqueBishop> Nope, the cloister wraiths.
10:03 <+hyper_ch> using the æ makes the magazine appear smarter
10:03 < DArqueBishop> I'm guessing you haven't seen the end of series/season 9?
10:04 <+hyper_ch> I've seen it all
10:04 <+hyper_ch> From the first doctor to the current one
10:04 <@dazo> hyper_ch: or silly ... if you're a native using æ quite commonly (like Danish, Icelandic and Norwegian)
10:04 <+hyper_ch> now I remember the cloister wraith
10:04 < DArqueBishop> I guess I should have said "sliders". ;-)
10:05 <+hyper_ch> there aren't so many daneish, icelandic, norwegians out there
10:05 <+hyper_ch> I watched Baker when I was little
10:06 < DArqueBishop> My first was Tom Baker, too. They were showing reruns of him on local public TV, while in the UK Colin Baker was the Doctor.
10:06 < DArqueBishop> I was 11 when I was first introduced to Doctor Who.
10:06 <+hyper_ch> well, I was little... ddn't know english... but it had aliens and roboters and stuff :)
10:07 <+hyper_ch> and it aired sunday morning on sky channel
10:07 <+hyper_ch> with he-man, g.i. joe, transformers and other cartoons :)
10:08 <+hyper_ch> inspector gadget
10:08 <+hyper_ch> I think it was sky... it's been too long though
12:07 < MK__> How is it possible to solve this error when running configure on OpenVPN?
12:07 < MK__> checking for SSL_CTX_new... no
12:08 < MK__> configure: error: openssl check failed
12:08 < MK__> This check passes: checking for OPENSSL... yes
12:17 < wasutton3> so im running an openvpn client on ddwrt. I'd like to route certain ip addresses (such as netflix) around the vpn. I've got the line "route 174.129.0.0 255.255.0.0 net_gateway" in my config. Is this sufficient?
12:30 <@ecrist> wasutton3: if all of netflix's CDN systems reside in that class B, sure.
12:31 < wasutton3> ecrist, well they all don't :P but i have multiple lines
12:31 < wasutton3> the only other side is with ipv6, for which i have route-ipv6 2a00:86c0::/32 net_gateway
12:36 < Eugene> !routebyapp
12:36 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination., or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
12:36 <@vpnHelper> policies you set. For Linux, read about !lartc
12:36 < Eugene> I would not recommend using IP-based routing for Netflix, because of the size+scope of their CDN IPs(they are not all inside of Netflix-registered space)
12:37 <@ecrist> (which is why I pointed it out)
12:37 < Eugene> You're going to have a better experience with a SOCKS proxy
12:37 < Eugene> Also, their IPv6 ideas are.... interesting.
12:37 < Eugene> I get why they block tunnel brokers, but it is a crappy user experience
12:39 <@ecrist> Eugene: a crappier user experience is netflix losing access to the content because the rights holder didn't like how they protected the geographical distribution
12:39 < Eugene> Shrug, I just cancelled my account, and used my neighbor's instead. Then he cancelled his for the same reasons
12:40 < Eugene> Now I watch all of my media the old fashioned way
12:40 < Eugene> (DRM-unencumbered, saved to persistent local storage, and with the viewer of my choice)
13:26 < wasutton3> Eugene, i would normally do the same, but my wife is not as technical as I am. The problem is we have multiple devices
13:34 < Village> !welcome
13:34 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
13:34 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
13:35 < Village> !howto
13:35 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
15:10 -!- \-__-_____----_ is now known as Captain_Beezay
16:56 < Kazfd> Hey, can someone let me know how to revert a change I did in OpenVPN-AS on the command line? I changed the server from multi-daemon to UDP but hit OK too quick and it set 443/udp, now can't get into the admin panel which is on 443/tcp :(
16:57 < Kazfd> done a net stat and it is listening on 443/udp. :/
17:07 < BtbN> see topic
17:07 < BtbN> also, 443/udp should not affect 443/tcp at all
17:12 < Kazfd> Well, the AdminUI no longer comes up and it was on 443/tcp. Not sure what has happened. I've messaged in the -as channel as well but yet to hear anything, sorry!
20:57 < lioux> !welcome
20:57 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
20:57 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
20:58 < lioux> !goal pipe specific programs/hosts through OpenVPN on linux using namespace and iptables
20:59 < lioux> I have 2 hosts behind a router which I want using VPN. I won't touch the router cause it doesn't have the processor power. I'm running a VPN inside a namespace on host A for split tunneling = only some programs will be funneled through the VPN. This is current configuration https://pastebin.com/41Z3YhGe on host A. First, what do you suggest I do to make sure that nothing comes back through the VPN (internet to my box) unless it's a "rep
20:59 < lioux> ly" to a stablished connection. What iptables rules should I apply? Second, how would I go about making a single program from host B go through the VPN inside host A?
22:31 < ReimuHakurei> !welcome
22:31 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
22:31 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
22:31 <@vpnHelper> you
22:35 < ReimuHakurei> !goal I want a LAN-only point-to-point VPN between one of my servers, and my local network. I want the server to act as if it was plugged in to my local network (ie: I want its' VPN interface to grab an IP from my local router's DHCP server). Because my home connection is behind CG-NAT, only the server can accept incoming connections, not any machines on my local network.
22:36 < ReimuHakurei> oh derp
22:36 < ReimuHakurei> !goal
22:36 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:36 < ReimuHakurei> I want a LAN-only point-to-point VPN between one of my servers, and my local network. I want the server to act as if it was plugged in to my local network (ie: I want its' VPN interface to grab an IP from my local router's DHCP server). Because my home connection is behind CG-NAT, only the server can accept incoming connections, not any machines on my local network.
23:48 < Eugene> That's bridging mode, and thar be demons
23:59 < ReimuHakurei> mm
--- Day changed Tue Apr 04 2017
00:00 < nacelle> what protocols/etc. are you using where you need that?
00:02 < ReimuHakurei> Well, two goals: since i'm behind CG-NAT, being able to access stuff on my local network when not at home would be nice. Additionally, said server has a /48 of IPv6 allocated to it, and I'd like to do a 6in4 tunnel between said server, through OpenVPN, to my router.
00:18 -!- n-st- is now known as n-st
00:19 -!- dave0x6d_ is now known as dave0x6d
00:22 -!- vader-_ is now known as vader-
01:01 < Eugene> You don't need bridging to do that
01:01 < Eugene> Make the server hand out a /64(or /56 or whatever) to the client(your home router)
01:01 < Eugene> Set up DNS resolution to access the server's vpn address
01:01 < Eugene> Tada
01:34 <+hyper_ch> hi Eugene
01:38 -!- alexandre9099_ is now known as alexandre9099
05:05 < Village> Hello, can i have secure 3 ways ( 3<<<->>>3 ) OpenVPN system? I have DS server
05:25 < Village> !goal
05:25 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:27 < Village> !goal I would like to access the internet over my vpn
05:44 < Village> !goal I wanna have connection between Server VPN and Client side
06:12 -!- SCHAAP137 is now known as SCHAPiE
06:16 <@dazo> !redirect
06:16 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
06:16 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
06:16 <@dazo> Village: ^^
06:16 <@dazo> (!goal isn't a command, it's just a factoid to help you unto the right path when asking questions here)
06:17 < Village> understand
06:18 < Village> you know server <- client and all like normal internet
06:25 < Village> !def1
06:25 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
06:26 < Village> !man redirect-gateway def1
06:26 < Village> !man
06:26 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
06:27 <@dazo> Village: get an openvpn configuration working where you can ping the VPN IP addresses successfully from both sides ... then add the clues !redirect provides
06:27 <@dazo> !howto
06:27 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
06:27 <@dazo> #3 might be a reasonable place to start
06:28 < Village> i will try thank you
06:29 < Village> dazo how i can install it?
06:29 < Village> OpenVPN on Ubuntu, thta i can user configure from 3?
06:34 < Village> checking for lz4.h... no
06:34 < Village> LZ4 headers not found.
06:34 < Village> LZ4 library or header not found, using version in src/compat/compat-lz4.*
06:34 < Village> checking git checkout... no
06:34 < Village> configure: error: lzo enabled but missing
06:34 <@dazo> ehm ... apt-get install openvpn?
06:34 < Village> When i try install it on ubuntu .configure says that
06:34 <@dazo> why compile it yourself+
06:34 <@dazo> ?
06:34 < Village> oh this , i'm try from package thank you
06:35 < Village> because look from tutorials
06:35 <@dazo> none of the official OpenVPN howtos tells you to compile your own openvpn
06:35 <@dazo> in general, that's a bad idea unless you want to maintain and update it manually whenever we release new version
06:40 < throstur> is it possible to have 2 vpn connections at the same time? when I try it, connecting to the 2nd one kicks me from the 1st one
06:41 <@dazo> throstur: yes, that is generally working fine ... how do you start your VPN tunnels?
06:42 <@dazo> (I've some times used 3 tunnels ... where two of them have been redirected via the third one)
06:46 < Village> now i install by apt-get install openvpn
06:46 < Village> so from where i can edit config now?
06:47 < throstur> dazo: I start them with `sudo openvpn dest_file [options]`, where options is empty for one of the connections and  --auth-retry interact --up /etc/openvpn/update-resolv-conf.sh --down /etc/openvpn/update-resolv-conf.sh --script-security 2 for the other
06:48 <@dazo> throstur: then it shouldn't be an issue at all running multiple tunnels  (NetworkManager still only allows to manage one running VPN connection)
06:49 <@dazo> throstur: but you need to consider how you start these tunnels and which of them redirects the traffic and how that happens
06:49 <@dazo> (how you start == in which order)
06:53 < Village> hm, so if i wnat fot three connections i must run
06:54 < Village> root@80s:~# sudo openvpn vpnonfig.conf
06:54 < Village> Options error: In [CMD-LINE]:1: Error opening configuration file: vpnonfig.conf
06:54 < Village> Use --help for more information.
06:54 < Village> maybe vpn off how can i run it?
06:54 <@dazo> Village: well, that is one way to do it ... (do you have vpnconfig.conf in the current directory?)
06:54 <@dazo> Village: which version did you get installed?  v2.4.1?
06:56 < Village> at i fon'tthink so becuase i don't configure it yeat /etc/openvpn/vpnconfig.conf
06:56 < Village> hm i installed after apt-get update
06:57 < Village> i don't what version
06:57 <@dazo> apt-get didn't tell you version?
06:57 <@dazo> (sounds odd)
06:57 < Village> i don't look closely
06:58 <@dazo> Village: if you're on v2.4.1 and your ubuntu is a systemd based version ... place the config under /etc/openvpn/client (or for server configs /etc/openvpn/server) ... and start it using: systemctl start openvpn-client@CONFIGNAME  .... then you can see how it runs using 'systemctl status openvpn-client@CONFIGNAME' ... or the log: journalctl --since today -u openvpn-client@CONFIGNAME
06:58 < Village> so tell me when i have conf and put i to dir how commands must look for one connection
06:59 < Village> sudo openvpn dest_file [options]
06:59 <@dazo> I just did ....
06:59 < Village> and next connection ?
06:59 <@dazo> Village: if you're on v2.4.1 and your ubuntu is a systemd based version ... place the config under /etc/openvpn/client (or for server configs /etc/openvpn/server) ... and start it using: systemctl start openvpn-client@CONFIGNAME  .... then you can see how it runs using 'systemctl status openvpn-client@CONFIGNAME' ... or the log: journalctl --since today -u openvpn-client@CONFIGNAME
06:59 <@dazo> Change CONFIGNAME to the name of your configuration file, without the .conf extension
07:00 < Village> i use for server side
07:00 <@dazo> the switch openvpn-client@ to openvpn-server@
07:00 <@dazo> then*
07:00 < Village> hm not eay
07:01 <@dazo> read !howto #3 as a starting point ... put the configuration file into the proper /etc/openvpn/{client,server} ... and start the tunnels
07:01 < Village> easy
07:02 <@dazo> if that's too hard for you .... perhaps VPN isn't something you should fiddle with
07:02 < Village> hm, why i must make client is client was phone , windows
07:02 <@dazo> VPNs isn't easy ... you need to understand networking properly to make good use of it
07:03 <@dazo> you need -client if you want to configure a VPN client ... if you don't want to configure a VPN client on your Ubuntu box, then don't do that
07:06 < Village> If i just want connect to Ubuntu Server from Windows ?
07:08 <@dazo> You will need to have both client and server configuration files ... but *where* you place them depends on which role each of your devices plays
07:13 < Village> my device be like server side
07:14 < Village> Hm, maybe can you give your configs like examples and there i can change by my and then be sipmple
07:14 <@dazo> Village: No.  It is ALL explained here: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
07:14 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
07:15 <@dazo> Village: if you're not willing to put some efforts into this yourself, then I'll stop answering
07:15 <@dazo> !spoonfeed
07:15 <@vpnHelper> "spoonfeed" is We'll gladly help with troubleshooting and answering questions, but we won't do the work for you. There are plenty of consultants out there who would be more than willing to take your money to fix your problems for you.
07:16 < Village> ok i will make  it and show you you look or good
07:17 < Village> and i must have ca ?
07:19 <@dazo> *sigh*
07:19 <@dazo> READ!
07:19 <@dazo> https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
07:19 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
07:23 < ExtraSteve> lol, I love freenode
07:27 < Village> first lines of server proto udp
07:27 < Village> proto tcp-server
07:27 < Village> port 1xxx
07:27 < Village> listen 163.xxx.xxx.xxx
07:27 < Village> and now sertificate, it's hard?
07:27  * Village going smoke
07:28 <@dazo> Village: you didn't read
07:28  * dazo ignores Village
07:30 <@dazo> deep.night.80s.lt has address 163.172.47.148
07:31  * dazo got bored for a sec ... might be Village's IP address
07:33 <@ordex> the 80s were not bad though
07:34 <@dazo> hehe ... nope :)
08:43 < dougy> hi dazo
08:52 < DArqueBishop> dazo: I'm at the point now where I put a VPN server on the same level as a mail server. Running one may sound like a good idea, but it requires a requisite level of knowledge that makes it anything but newbie-friendly.
08:54 <@dazo> DArqueBishop: that's not unreasonable .... well, I happen to run multiple of both VPN and mail :-P
08:55 < DArqueBishop> dazo: same.
11:36 < timmmaaaayyy> i have multiple openvpn instances at work.  roughly 180 users connected to each.  everything is good.  however a few remote offices are experiencing super slow connect times.  logs show roughly 20 seconds between initial packet and CRL check OK.  that only takes one second for the users that aren't having issues.  https://gist.github.com/kornface13/cff07a04e0941833c84816cf6a97735a#file-gistfile1-txt-L11-L12
11:36 <@vpnHelper> Title: gist:cff07a04e0941833c84816cf6a97735a · GitHub (at gist.github.com)
11:37 < timmmaaaayyy> any ideas?  is the client somehow checking CRL also (and just timing out)?
11:49 <@ordex> timmmaaaayyy: do clients connecting to the same instance experience the same issue ?
11:49 < timmmaaaayyy> they experience it on both openvpn instances
11:49 <@ordex> but only that client?
11:50 <@ordex> the other clients are fine?
11:51 <@ordex> timmmaaaayyy: generally, I'd suggest to increase the verbodity level on both client and server and replicate the issue. the log may show what is going on
11:52 < timmmaaaayyy> i might have to start up a new server instance to do that.  i can't bump up the current one
11:52 < timmmaaaayyy> most other clients are fine.  i'm not sure any everyone or just a few people at this location are seeing the same issue
11:52 < timmmaaaayyy> some complain some don't.....
11:53 < timmmaaaayyy> looks like all users at this location from what i can tell
11:53 <@ordex> ah this is different
11:54 <@ordex> how big is the CRL ?
11:54 <@ordex> the size of the CRL might be the culprit of the slowdown, although 20 seconds is really a lot
11:54 <@ordex> I'd still suggest to increase the verb level at least on the client and see what you get there. it may give some hint
11:56 < timmmaaaayyy> its tiny.  24K.  but even if it was huge, wouldn't that affect all users?
11:56 < timmmaaaayyy> increased client verb level to 7.  nothing in there stands out at all.
11:56 < timmmaaaayyy> should i post that?
11:57 < timmmaaaayyy> i'm most liekly going to need to do this on the server side
12:00 <@ordex> timmmaaaayyy: when you have the pause, there is nothing happening ?
12:00 <@ordex> likely yes, the server side might reveal more
12:00 <@ordex> timmmaaaayyy: btw, what version of openvpn are you using?
12:02 < timmmaaaayyy> let me match up times exactly and see what the client is doing.  mostly just READ and WRITE udp packets
12:02 <@ordex> timmmaaaayyy: you can paste it somewhere if you want to share it
12:02 < timmmaaaayyy> client : OpenVPN 2.3.14 x86_64-apple-darwin server: OpenVPN 2.3.7 x86_64-redhat-linux-gnu
12:03 <@ordex> (remember to wipe sensitive info)
12:03 <@ordex> ok
12:04  * ordex hides for a bit
12:05 < timmmaaaayyy> client log: https://gist.github.com/kornface13/8a7cfc73a36df01bd15ec48fd0bca000
12:06 <@vpnHelper> Title: gist:8a7cfc73a36df01bd15ec48fd0bca000 · GitHub (at gist.github.com)
12:22 < rco> I've got an iroute option for a client that works when I manually add routes after the connection is established by that client. I can't get those routes to add automatically, though. Should that route directive go in the ccd for that client or in the main server config?
12:29 < rco> Got it to work by manually specifying the gateway (I assumed it would assume the client that the iroute belonged to was the gateway).
12:29 < rco> But it is pushing that route to the client, still, which the manual indicates it shouldn't be doing.
12:39 < timmmaaaayyy> ordex: got better logging on the server side.  i'm seeing alot of :  ACK output sequence broken: [36] 32 33 34 35 messages
14:14 <@ecrist> !book
14:14 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
14:16 <@ecrist> !learn book as Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
14:16 <@vpnHelper> Joo got it.
14:16 <@ecrist> grr
14:16 <@ecrist> !forget book 4
14:16 <@vpnHelper> Joo got it.
15:19 < simbalion> Hi, I'm trying to set up OpenVPN on a Windows 2012 server and it seems to be working, I have two clients one local and one remote and both can connect, they receive IP addresses on the 10.8.0.0 subnet, however I can't ping the server or either of the two hosts on that subnet from any of the 3 machines. I get "request Timed out". Can someone tell me what I'm doing wrong?
15:20 < simbalion> both clients are Win10
15:27 < simbalion> nvm I had to enable client-to-client on the server side
16:11 -!- remirol is now known as lorimer
20:39 -!- EmperorTom is now known as _quadDamage
21:36 -!- dougy [~dougy@openvpn/community/support/Dougy] has quit [Ping timeout: 268 seconds]
22:52 < errqre> statically assigning an ip to a client requires using the ifconfig statements in the server config?
22:54 < errqre> so instead of being able to say 'server 10.8.0.0 255.255.255.0', you need 'mode server' 'tls-server' 'ifconfig 10.8.0.1 255.255.255.0' 'ifconfig-pool'
22:56 < errqre> and push "topology subnet"
22:59 < errqre> or is openvpn "smart" enough to read the ccd directory and know now to assign an address specified therein?
--- Day changed Wed Apr 05 2017
00:28 < xz> hey guys, I have an OpenVPN server and client that I installed couple days ago. I'm able to connect client to server. However, I still need to set up routing tables to be able to use it like regular VPN service. Do you know some tutorial on how to set up routing tables on server to make it happen?
00:28 < xz> OpenVPN client resides on my laptop, OpenVPN server is on VPS
00:31 <@ordex> !nat
00:31 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
00:31 <@ordex> !ipforward
00:31 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
00:31 <@ordex> !def1
00:31 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
00:31 <@ordex> I'd suggest to read a bit of the above
00:32 < xz> ordex: I've got the 'def1' part done, now I'm enabling ip forwarding in /etc/sysctl.conf
00:32 < xz> ordex: and I will go from there
00:32 <@ordex> don't forget the nat part too ;)
00:38 < xz> ordex: ok, so ipforward is enabled in /etc/sysctl.conf
00:38 < xz> ordex: now I need to do last thing, nat
00:43 < xz> ordex: I found only two things so far to get NAT up and running
00:43 < xz> ordex: 1. push "redirect-gateway def1"
00:43 < xz> push "dhcp-option DNS 10.8.0.1"
00:43 < xz> 2. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
00:43 < xz> ordex: is that it?
00:45 <@ordex> maybe
00:45 < xz> ordex: nope, still didn't get web browser to work
00:45 < xz> ordex: it's hard to debug it, I don't really know where to look for stuff
00:53 < xz> why isn't there some step by step tutorial on how to set up VPN
00:53 < xz> openvpn hello world
00:53 < xz> it's 2017!
00:53 < xz> people drive electric cars
00:53 < xz> and do heart transplants
00:55 <@ordex> xz: there is
00:55 <@ordex> there is a lot of doc on the wiki
00:55 <@ordex> and the problem you are trying to solve is not even openvpn related, but it is a generic gateway setup
00:55 <@ordex> if you search online you find a lot of stuff, but you need to understand what you are doing
00:56 < xz> ordex: most of openvpn users need to tackle gateway configuration, I assume
00:59 <@ordex> I don't know
00:59 <@ordex> xz: it may also be that your firewall is conflicting with the forwarding
00:59 < xz> ordexd
00:59 < xz> ordex: I can ping server from the client
00:59 < xz> ordex: so that part is working
01:00 < xz> ordex: and I'm not using any encryption so far, it's all clear text
01:02 <@ordex> are you sure ip_forward is enabled?
01:02 <@ordex> are you sure the firewall is not blocking the forwarding?
01:03 <@ordex> is eth0 the uplink interface on the vps?
01:04 < xz> ordex: cat /proc/sys/net/ipv4/ip_forward returns 1
01:04 <@ordex> that's ok at least :)
01:07 < xz> ordex: that's my iptables, table nat https://pastebin.com/B75r68Cx
01:07 <@ordex> and what about the rule that you added ?
01:07 <@ordex> ah it's at the end
01:07 <@ordex> sorry
01:08 <@ordex> you should also check the filter table to see if any rule is blocking forwarding traffic (this is what I meant before)
01:09 < xz> ordex: that's the configuration https://pastebin.com/NDkZyiDF
01:11 < xz> ordex: and that's filter table, looks like nothing is there https://pastebin.com/MexNH29c
01:14 <@ordex> xz: am I wrong or the config file is not used when you launch the server ?
01:14 <@ordex> !howto
01:14 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
01:14 < xz> that's the ip route once server is started https://pastebin.com/kfik15q8
01:16 <@ordex> how about the client ?
01:18 < xz> ordex: https://pastebin.com/YpxTNze7
01:18 < xz> ordex: that's client ip route
01:19 <@ordex> yap, but given your IP configuration, why did you setup that MASQUERADING rule? looks like you are using a different network
01:19 <@ordex> [1338.28] < xz> 2. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
01:19 <@ordex> ^^^ here
01:20 < xz> ordex: true, I was jumping over multiple tutorials, and they used different ip addresses
01:20 < xz> ordex: let me fix that
01:25 < xz> ordex: ok, changed to: iptables -t nat -A POSTROUTING -s 10.8.8.0/24 -o eth0 -j MASQUERADE
01:27 < xz> ordex: hey, got it to work now!
01:28 < xz> ordex: iptables configuration was the problem apparently
01:28 <@ordex> you needed handholding, not a guide :P
01:28  * ordex goes driving his electirc car now
01:28 < xz> ordex: am I that bad, really?
01:28 < Eugene> I want a taco
01:29 < xz> ordex: well, to be honest, I didn't find one quick guide that woudl go through /etc/sysctl.conf, iptables, and /etc/openvpn/server.conf
01:30 <@ordex> https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN << this is quite extensive
01:30 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
01:30 <@ordex> still, it depends on your setup
01:30 <@ordex> there can't be a general guide for everybody
01:31 <@ordex> that's why you have paid services :P you pay and don't care about anything else
01:31 <@ordex> hehe
01:44 < xz> ordex: thanks for your help!
01:44 <@ordex> np
01:44 -!- mode/#openvpn [+o Eugene] by ChanServ
01:44 -!- mode/#openvpn [+v ordex] by Eugene
02:21 -!- mode/#openvpn [+o ordex] by ChanServ
02:30  * krzee gives Eugene a taco
02:31 < skyroveRR> \o krzee
02:31 <@krzee> hey!
02:32 < skyroveRR> How's you!
02:32 <@krzee> doing well
02:32 <@krzee> got a new house, been dealing with all sorts of repairs and whatnot
02:32 <@krzee> you?
02:32 < skyroveRR> Oh, awesome!
02:33 < skyroveRR> I'm doing great! :)
02:51 <@krzee> !book
02:51 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
02:52 <@krzee> booya published!
03:27 < j_gaffer> hey guys, i'm having dns troubles with my installation, all the info is here: https://forums.openvpn.net/viewtopic.php?f=4&p=69282
03:27 <@vpnHelper> Title: OpenVPN + stunnel, having DNS problems.. - OpenVPN Support Forum (at forums.openvpn.net)
03:27 < j_gaffer> any help would be appreciated, thanks
04:39 < FlyingPersian> hi
04:39 < FlyingPersian> is it possible to access websites for which I need to be in my university's network with a TAP-VPN connection?
04:40 < FlyingPersian> they changed the VPN settings a while back and the new config is a TAP device. I figured that it had to be TUN tho
04:40 < FlyingPersian> plus the topic already states that using TAP is crap lol
04:47 <@ordex> mh not enough patience I'd say
07:43 < tiny> Hello. I need to log VPN connections. Is there some sort of functionality integrated into a VPN server that enables simple querying about connected users?
08:01 <@dazo> tiny: Look at the !man pages ... search for --managment ... or another alternative, --status
08:01 <@dazo> !man
08:01 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
08:02 <@dazo> tiny: that covers _querying_ .... if you need to maintain a log of connected users .... see if --log/--log-append contains what you need (or the default syslog)
08:03 <@dazo> tiny: if you want something more specialized, consider using --client-connect, --client-disconnect and/or --learn-address ... which can call scripts doing the logging for you
08:04 < tiny> dazo: ty
08:05 <@dazo> yw!
09:17 < tiny> Hi again. I suppose --management option can "listen" only on one IP/Unix domain socket?
09:18 < tiny> It's not possible for example to listen on unix socket and some other IP socket?
09:23 <@dazo> tiny: nope ... how other solve that is that they have their own management service which serializes all such requests in a separate process and that process talks to openvpn
09:23 < tiny> Yes, this is the way to go...
09:24 <@dazo> the way the management interface is in this aspect, is actually by design ... to avoid more attack vectors.  If you have a management tool running already, others can't abuse it.
09:25 < tiny> I see ... I wanted a "clean" pfsense box (with openvpn) but I guess I'll need to hack a custom package of some sort. Some python script or something like that on it so I can talk to openvpn management interface trough it...
09:26 < tiny> Ok, thanks again
10:25 < errqre> So if I uncomment the client-config-dir and specify a static assignment there, does openvpn know not to assign that address to other clients, or am I setting myself up for an ip conflict?
10:38 < daemon> hey all I want to create a vpn with no encryption, how would I go about it
10:51 <@dazo> daemon: --cipher none
10:52 <@dazo> errqre: you need to use --ifconfig-pool to define your own pool, and then assign VPN IP addresses outside the pool scope, otherwise you might get caught up in IP address conflicts
10:56 < daemon> dazo, cheers thank you
11:08 -!- poster is now known as Poster
11:14 < daemon> I am doing a peer to peer link, at the moment my 'vpn' server is 10.0.0.1 which is perfect, but my client is 10.0.0.5 which is not, I am using openvpn to replace a solution that was a bit flaky, so I need the client to be numbered 10.0.0.2
11:14 < daemon> so I do not have to cock about with alot of firewall rules :)
11:14 < daemon> how can I force this behaviour?
12:04 -!- db` is now known as db
12:05 -!- db is now known as Guest94484
12:06 < daemon> ah got it working
12:06 < daemon> but packet passing seems to not work
12:07 < daemon> is there some special flag I need to set to tell openvpn to 'forward' packets
12:11 <@Eugene> !/30
12:11 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
12:11 <@Eugene> !topology
12:11 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
12:11 <@Eugene> daemon ^
12:14 < daemon> Eugene, oh I know about the ccd and push routes and such, the issue I have is a little weirder, https://paste.ee/p/C6oVm
12:14 < daemon> that is correct 10.0.0.2 holds 172.31.33.0/24
12:14 < daemon> I can ping 10.0.0.2 but not 172.31.33.1
12:14 < daemon> even though the routing table on 172.31.33.1 shows 10.0.0.0 via 10.0.0.1
12:15 < daemon> infact a tcpdump on both sides of the interface for icmp
12:16 < daemon> shows when I try to ping 172.31.33.1 tun1 on the originator is seen
12:16 < daemon> but it never arrives at the destination
12:16 < daemon> at all
12:17 <@Eugene> I'm clearly not awake enough to read
12:18 <@Eugene> I've gone though it three times now and my head is just full of numbers
12:18 <@Eugene> Sorry, I'm usually at least some good
12:18 < daemon> :)
12:18 < daemon> it is an odd one
12:18 < daemon> I been playing about with lots and tunnels and such first time I have ever seen such a strange routing anomaly
12:31 < kantlivelong> anyone here use OpenVPN with NetworkManager? It doesn't seem to add DNS entries any more since an update
12:38 < rkantos> tosta siikajärvestä ku menis tie kokonaan ympäri niin olis hieno: http://4e.fi/r6
12:39 < rkantos>  ^^disregard
12:40 < phoo1234567> I'm sure this comes up all the time but I can't find any web reference to help me with a Windows OpenVPN server issue.
12:40 < phoo1234567> After a "successful" connect, there's no entry in the Windows routing table for the 10.8.0.0 subnet.
12:41 < phoo1234567> The only thin I notice in the log is a "NOTE: FlushIpNetTable failed on interface" message.
12:41 < phoo1234567> https://pastebin.com/KgVPYqRh
12:41 < phoo1234567> Cna anyone point me to any more Windows Server HOWTOs?
12:42 < phoo1234567> All of the authentication seems to work fine but the ifconfig on the server side seems to go awry.
12:42 < phoo1234567> The client behaves as expected but can't contact the server side interface.
12:42 < phoo1234567> And an ipconfig /all only shows the Bridge device.
12:43 < phoo1234567> I deleted and re-added the tap device and it shows up fine in the Network and Sharing Center.
12:44 < phoo1234567> The bridge gets it's correct IP address and the machine seems to behave normally on the local network.
13:02 < phoo1234567> Oh, boy, do I feel silly...  I guess only the ethernet bridged mode requires a bridge.
13:02 < phoo1234567> I had originally created a bridged ethernet VPN and then switched to a routed topology.
13:03 < phoo1234567> I'm sure it will be fine once I remove the bridge.
13:03  * phoo1234567 apologizes for the noise
13:25 < phoo1234567> Well, _duh_, ...  Works fine now.
13:54 < daemon> anyone able to offer some insight?
14:41 -!- davimore_ is now known as davimore
14:44 < rdg> I'm launching an openvpn instance in AWS.. running a useradd $username and then usermod -p mysha512password   .. but i still can't log in to the web console to get my profile.. what else is needed?
14:44 < rdg> i logged in as my openvpn admin to give my user permissions as well
14:48 < DArqueBishop> !as
14:48 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
14:48 < daemon> Eugene, any chance you have come around a little and can lend a hand I still am having the same problem but cannot see any rational reason for it
14:48 < daemon> I even thrown up a gre tunnel  between the hosts with the same routing table
14:48 < daemon> and that can pass traffic back and forth so whatever it is, its something related to openvpn
17:02 < cybex_> hi all, I need my openvpn instance to run on a certain interface. This interface's IP is e.g. 10.0.0.1, which I specify in server.conf as "local 10.0.0.1". However when starting the server instance, I get:
17:02 < cybex_> TCP/UDP: Socket bind failed on local address [AF_INET]10.0.0.1:2999: Cannot assign requested address
17:03 < cybex_> followed by Exiting due to fatal error
17:03 < cybex_> thoughts on this?
17:03 < nacelle> is there something already listening ?
17:04 < cybex_> npoe, ss -l and netstat -tulpn [2999 ] report nothing is listening
17:05 < cybex_> what I did is correct? the interface IP is the same IP that is placed into "local a.b.c.d" in the server.conf?
17:08 <@dazo> cybex_: does it work without --local?
17:10 < cybex_> it seems to start fine based on logs when disabling the local option
17:11 < cybex_> I haven't tested it yet fully, still need to setup iptable rules and port forwarding
17:16 <@dazo> cybex_: then I believe  10.0.0.1 is not a good IP address to use ... it must point at an exiting and configured IP address on one of your networks.
17:18 < cybex_> dazo, my apologies. I used 10.0.0.1 as an example since it was short. If it is an address issue, the real ip of my nic is 192.168.8.254.
17:27 <@dazo> anyhow ... if it works without --local, it is the IP address which is the issue
19:31 <@krzee> !botsnack
19:31 <@vpnHelper> "botsnack" is Om nom nom!
23:14 -!- guampa_ is now known as guampa
23:15 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 246 seconds]
23:16 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
23:16 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Thu Apr 06 2017
01:15 < mjt> hi. p2p mode works just fine in windows since at least windows vista (where netsh has been introduced), if it weren't blocked explicitly in openvpn. What's the reason it is blocked there?
01:31 <@krzee> what do you mean by p2p mode is blocked in openvpn?
01:31 <@krzee> it's not...
01:31 <@krzee> !p2p
01:31 <@vpnHelper> "p2p" is "statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
01:42 < mjt> when i try to set it, windows client rejects it explicitly
01:42 < mjt> er
01:43 < mjt> p2p topoplogy
01:43 < mjt> when the tap device is configured as pointopoint interface
01:44 < mjt> on win it is configured with /32 netmask and adding interface routes
01:45 < mjt> vpnHelper can learn other meaning of p2p ;)
01:46 < mjt> rebooting one moment please...
01:50 < mjt> ..back
01:56 <@krzee> !goal
01:56 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:56 <@krzee> dont tell me how you wish to accomplish the goal, tell me what the actual goal is
02:00 < mjt> krzee: is that directed to me?
02:01 <@krzee> yes
02:01 <@krzee> maybe i can help if i know what you're trying to accomplish
02:01 < mjt> well, there are really multiple usages of p2p topology, isn't it? I just asked why it is explicitly blocked on win
02:02 <@krzee> ok if thats all you want, i dont know
02:03 <@krzee> if you want help achieving the goal that leads you to want that, feel free to answer my question
02:03 < mjt> fixing it in code is easy
02:03 < mjt> after that it just works on win too
02:03 <@krzee> i guess you could ask on the trac if youd like
02:03 <@krzee> !trac
02:03 < mjt> if it's implemented on linux why it isn't implemented on win when all what's needed is to remove the check and add device route
02:03 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker., or (#2) if you have a forum login, use that for trac, its the same database.
03:15 < Slashman> hello, I am using openvpn server 2.3.14-jessie0 and today I need the daemon to listen to IPv6 as well as IPv4 address, I found https://community.openvpn.net/openvpn/wiki/IPv6 but  it's about IPv6 inside the tunnel, which is not what I want, any pointer if it's possible to have the deamon listen to v4+v6?
03:15 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
03:32 < Slashman> okay found it, proto udp6 listen to both stacks
04:20 < ak2766> hi all
04:20 < ak2766> I have an interesting problem
04:21 < ak2766> when I first connect to openVPN, it comes up with the remote gateway as my default gateway
04:21 < ak2766> if I forget to remove that default route after login, and ssh into remote hosts, the route to that remote host gets added to a table that I cannot find
04:22 < ak2766> even after removing that default gateway, and disconnect from that remote host, all future connections want to go via the remote gateway
04:22 < ak2766> how can I view openVPN routing table?
04:23 < ak2766> I've tried `ip xfrm policy` but nothing is listed there - i guess that is only for ipsec policies..
04:24 < ak2766> I'm running ubuntu 16.04 lts
04:38 < ak2766> got the answer - there is another route entry in the main table to remove - I was only removing 0/128.0.0.0 - there's also 128.0.0.0/128.0.0.0
04:41 < ak2766> I was getting confused by the fact that the other system I tried to access, the first octed fell below 128. hence I quickly assumed it's just that host I had accessed before removing the vpn default route...
04:54 < jarco_> Hello, I have just configured openvpn on my server and connected to it with my linux desktop client. The only problem I am having is that the server is located in a country I do not speak the language of. Is there any way I can make my browser or openvpn report my country as my own?
04:59 <+hyper_ch> not really sure what you mean
06:06 < mjt> no one's asking openvpn for a country :)
06:06 < jarco_> hyper_ch, I mean, if I go to google for intance I get the german version. But I am in belgium
06:06 < jarco_> the vpn is in germany
06:07 <+hyper_ch> then change your browser accordingly
06:08 < mjt> and check if your browser actually goes over opvenvpn connection, too
06:08 < jarco_> it does  :)
06:08 < mjt> (tho it's unrelated)
06:09 <+hyper_ch> seems openvpn is working
06:09 <+hyper_ch> so your browser needs fixing
06:11 < jarco_> probably, in firefox you cnt set it to prefer a specific countries locale and extention. So I will have to add a customised one I guess. I was just qurous if openvpn had a "thin" to do this
06:11 <+hyper_ch> why would openvpn have to do a thing with that?
06:12 <+hyper_ch> if you run too much js
06:12 <+hyper_ch> it will analyze your locale etc and where your ip comes from and present catered content
06:12 <+hyper_ch> so, openvpn is working just fine
06:12 < jarco_> Yes it is :)
07:33 < pothepanda> hi, im trying to setup a an ethernet bridge, client connects to server, i can see Init sequence completed, but after that ping to anything is dead. can anyone help with how to config the "server-bridge" directive ?
07:34 < dakar> is there a way to easily alternatve the 'default' openvpn windows client?
07:34 < dakar> as in, visually
07:36 < mjt> alternatve?
07:37 < dakar> alternate
07:37 < dakar> modify
07:37 < dakar> customize
07:37 < dakar> additionally, change default behaviour, like reconnecting and things
07:39 < pothepanda> anyone? what im really trying to figure out is if server-bridge first argument should be the dhcp server/gateway inside the network, cause thats what i use and still there is no ping on any ips after connecting
07:41 <+hyper_ch> why doesn't windows have systemd?
07:41 < dakar> same reason has BSOD
07:41 < dakar> it has*
07:42 <+hyper_ch> I mean managing ovpn with system is is straight forward
07:42 <+hyper_ch> then only issue I still have is when I mount a remote network over the vpn connection and turn off the computer, it will first cut the vpn connection and then try to umount the remote share
07:42 <+hyper_ch> which causes a 180s timeout
08:55 < kawaxi> are you guys aware if there is a problem related with openvpn and bash-completion?
08:57 <@dazo> kawaxi: nope ... and that's strictly a bash-completion issue, not openvpn ... we don't provide any bash-completion scripts, that's the distro/bash packagers doing
08:58 < kawaxi> I figured... thanks man!
08:58 <@dazo> yw!
09:15 -!- D5_ is now known as D5
09:18 < DArqueBishop> <hyper_ch> why doesn't windows have systemd?
09:18 < DArqueBishop> Because it has services.msc.
10:28 <@dazo> pothepanda: why do you want to bridge?
10:28 <@dazo> !bridge
10:28 <@vpnHelper> "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man), or (#4) also see !whybridge
10:28 <@dazo> !whybridge
10:28 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun., or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#3) See also !tunortap
10:28 <@dazo> pothepanda: ^^^ (!whybridge)
11:34 < pothepanda> dazo: so as to use windows shares and run dos applications :D
11:47 < DArqueBishop> pothepanda:
11:47 < DArqueBishop> !wins
11:47 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
11:47 < DArqueBishop> ... that wasn't what I expected.
11:48 < DArqueBishop> Anyway, if you run a local WINS or DNS server, you can use that for system name resolution and thus no longer need broadcasting.
11:48 < DArqueBishop> (Aka, you can access Windows shares across the tunnel.)
11:51 < pothepanda> think that would be better? i dont know really :/
11:52 < pothepanda> it works now, i had to push the dns server on clients and its ok
11:54 < DArqueBishop> Really, unless you absolutely need broadcast traffic to go across the VPN, tunneling is ALWAYS better.
11:55 < pothepanda> Ay :) thanks :)
13:22 -!- xistens3 is now known as e_xistense
15:56 < James_Epp> Anyone in the channel with experience on QNAP devices with the built in OpenVPN service? This thing is killing me. I don't suspect firewall issues, as the router between the ISP and QNAP unit when port forwarded to a different computer, running a dummy daemon on UDP 1194 resolves correctly, but does not when the same UDP 1194 forward is redirected to the QNAP LAN IP address.
16:43 < pylearner> having trouble getting openvpn setup and running trying to install server following this guide https://www.howtoforge.com/tutorial/how-to-install-openvpn-on-centos-7/
16:43 <@vpnHelper> Title: How to install OpenVPN Server and Client on CentOS 7 (at www.howtoforge.com)
17:16 < nacelle> James_Epp: when you say lan ip, are you indicating that it has some other address too?
17:17 <@dazo> !howto
17:17 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
17:17 <@dazo> pylearner: rather use the official openvpn howtos ... those are usually better maintained and accurate to the latest versions of openvpn
17:18 <@dazo> pylearner: if you're completely new to openvpn ... look at #3 above
17:18 < James_Epp> nacelle: Well, I mean between the /dev/tun and the external IP address. Funny enough, further testing/experimenting shows that when I forward TCP 8080 and 443 in an attempt to get to the QNAP's web interface from an external connection, it also fails. So something else is the culprit, not openvpn. We're crossing fingers on a firmware upgrade in the future.
17:18 <@dazo> !serverlan
17:18 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
17:18 <@dazo> James_Epp: ^^^
17:19 < pylearner> dazo ok
17:19 < pylearner> thanks
17:21 < James_Epp> dazo: That has all been setup. I don't find that flowchart very useful tbh
17:21 < James_Epp> My symptom is I get TLS timeout, 60 seconds or whatever. It's probably firewall, but I'm not sure to what extent. Testing is difficult due to lack of time and assets for this job/project.
17:43 < nacelle> James_Epp: https://pastebin.com/xdKP5s9x   does your setup basically resemble that?
17:43 < nacelle> and are you redirecting to the 10.0.0.2 IP?  or some _other_ address?
17:44 < James_Epp> nacelle: Holy crap, you took the time to draw an ASCII art for me? You are a saint. Yes and no. tun is on 10.8.0.0/24 IIRC and my "LAN" is 192.168.1.0/24. But yes, that
17:45 < James_Epp> I am redirecting ISP-provided IPv4 address using firewall to 10.0.0.2 in your ascii art example
17:46 < nacelle> I put the pro in procrastination
17:46 < James_Epp> If I run the dummy daemon on 10.0.0.3 (windows) with UDP 1194 I can get through connections external of that ISP entirelly.
17:46 < James_Epp> nacelle: lol
17:46 < nacelle> also i just learned asciiflow.com which was actually some of the easiest diagramming i've done.
17:46 < James_Epp> Haven't rebooted firewall yet, frankly. I know I should, but it's not my network to just kill whenever I feel like it :/
17:46 < James_Epp> OMG that's a great website. I'm bookmarking that.
17:46  * nacelle glares at acquired by microsoft variants of visio
17:47 < nacelle> omnigraffle is still my preferred thing atm
17:48 < nacelle> the qnap might have restrictions within itself that is causing drops.  i dont know why changing the redirect in the firewall wouldnt work.
17:49 < nacelle> like it might have "only talk to my lan", etc. or might not have the default gateway set right, or might just be its dns isnt resolving and its being fussy.
17:49 < James_Epp> I think it's the QNAP doing something weird. We are hoping to upgrade the firmware but I need to have the failed HDD replaced before I do that.
17:49 < nacelle> (I dont know qnap, but I have seen many things)
17:49 < James_Epp> nacelle: Default gateway is definitely correct, we have the NAS updating a DDNS hostname.
17:50 < James_Epp> which means DNS service is working correctly. I was SSH'd in earlier today and pinged goo.gl for some reason and it resolved.
17:50 < James_Epp> But for now I'm trusting motd. "Your problem is probably firewall. Really" xD
17:51 <@dazo> "TLS timeout, 60 seconds" is in 99.9% of all cases tied to firewall issues
17:51 < James_Epp> or wrong IP address, or service not up in general.
17:52 < James_Epp> s/IP\ address/host
17:52 <@dazo> try to use tcpdump ... on the lan between your router/fw and qnap box ... and see what happens there
17:52 < James_Epp> how would tcpdump help me "between" them?
17:53 <@dazo> to see what happens on that network segment
17:53 < James_Epp> Isn't tcpdump supposed to be ran on a device running the daemon's or otherwise accepting/transmitting/receiving the packets?
17:53 <@dazo> if it is dead ... it means the port nat is wrong
17:53 <@dazo> tcpdump is dumping network traffic on a given network interface
17:53 < James_Epp> I also don't have a machine on that network with tcpdump.
17:53 < James_Epp> tcpdump is *nix only, right?
17:54 <@dazo> not really ... but there's wireshark too
17:54 <@dazo> or ... poor-mans tcpdump is to (ab)use iptables -j LOG
17:55 <@dazo> tcpdump -ni eth0 .... is for iptables like:  iptables -i eth0 -m conntrack --ctstate NEW -j LOG --log-prefix "tcpdump: "
17:55 < James_Epp> Your suggestions bring me back to "a man is only as good as his tools" and I am so inept at using wireshark/iptables/tcpdump for network troubleshooting. I hate troubleshooting networks. Too damn complicated. I feel like IP has failed us.
17:56 <@dazo> then you should not consider VPN at all .... if normal networking is hard to troubleshoot, VPN isn't any easier
17:57 < James_Epp> I can usually do troubleshooting. But VPN adds a lot of layers of complexity all at once. NAT/Firewall Rules/routing/tunnels/interfaces/software firewalls, it never ends.
17:57 <@dazo> well ... it doesn't need to be that complicated .... put openvpn on your main fw/router
17:57 < James_Epp> And worrying about if a user is behind a hotel or public WiFi/LAN and then you end up running OpenVPN on TCP443 or something equally inadequate.
17:58 < James_Epp> dazo: Not an option.
17:58  * dazo shrugs
17:58 <@dazo> then you want it more complicated
17:59 < James_Epp> I don't. I just wish I had more experience for having done this stuff. I wish I had more hours in the day and less people bugging me.
17:59 <@dazo> well ... experience comes by doing things like this ;-)
17:59 <@dazo> more hours ... yeah, I would need 42 hour days
18:00 < James_Epp> I also miss my drive. This used to be my hobby, now I want to quit everyday.
18:01 < nacelle> can you run tcpdump on the firewall?
18:01 <@dazo> yeah, why not?
18:02 <@dazo> depends on the firewall, naturally ... if tcpdump is available, there's nothing restricting you from doing that
18:02 < James_Epp> you can run tcpdump if your environment has tcpdump. My environment has no immediate, easy access to tcpdump. This environment is very not ideal.
18:02 < James_Epp> dazo: Not only if tcpdump is available, but if you have an adequate shell.
18:03 <@dazo> nah ... tcpdump can write pcap files ... so if you have a shell which allows executing programs, you should be good to go ;-)
18:04 < James_Epp> not all firewalls will have that though
18:04 <@dazo> meh ... sounds like a crappy fw
18:05 < James_Epp> so it's a big if. For instance, this crap environment I am working in has a consumer line linksys router/firewall and my only means of remote access to a capable shell is to windows notebooks via teamviewer or equivalent substitute. I'm going to go home now. Maybe wash my car. I'll stay in channel.
18:06 < James_Epp> the most linux thing on that network is the QNAP and it's shell is limited. probably just busybox.
18:06 <@dazo> it actually circles back to the "a man is only as good as his tools" quote .... crappy fw, leads to limited possibilities, requiring other tools if you can't replace the fw
18:07 <@dazo> oh .... 1am here ... time to call it a day :-P
19:42 < pylearner> ok my openvpn network assigned ip is 10.8.0.6 however the boxes on my network that i need to talk to i am unable to do so the network ip assignment for the machines on my network are 192.168.0.0
19:43 < pylearner> should i still be able to talk to those ip addresses though
19:43 < pylearner> do i need to put in an iptables routing for the 192.168.0.0/24
19:44 < pylearner> or something
20:29 < pylearner> so if i have vpn ip 10.8.0.6 and the computers on my network that i am vpn to use 192.168.0.0/24 how can i set a static route in windows to be able to have the vpn box to access the other machines
22:29 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has left #openvpn ["Konversation terminated!"]
--- Day changed Fri Apr 07 2017
00:47 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
00:47 -!- mode/#openvpn [+v hyper_ch] by ChanServ
02:23 < daemon> hey all, after openvpn is start and connected in a p2p topology
02:23 < daemon> how can I force the netmask to whatever I like
06:50 -!- davimore_ is now known as davimore
07:33 < Tengo> So quarkslab's audit of openvpn completed today, how long until the results are public?
07:35 < matlj> Hello everyone. I need help for a specific configuration case. I have a LAN NAT'd behind a pfSense firewall, that connect to a remote debian server which is directly connected to the internet (its only IP address is the public one). The VPN tunnel is ok (10.8.0.0 tunnel network). I want the LAN clients to talk to services on the debian host through the tunnel, and firewall public access to the server.
07:35 < matlj> Problem is, pfsense can connect to 10.8.0.1 (the tunnel interface of the debian host), but LAN clients cannot
07:36 < matlj> any idea ?
08:58 < James_Epp> matlj: I think you would use the route command. Like "route 10.8.0.1 255.255.255.255" on the client config or on the server config "push route 10.8.0.1 255.255.255.255" and hopefully the client will accept the route unless they have the no-pull switch.
08:59 < James_Epp> s/no-pull/route-nopull
08:59 <@dazo> Tengo: Are you referring to this one?  https://ostif.org/the-audit-of-openvpn-is-complete/
09:00 <@vpnHelper> Title: The Audit of OpenVPN is Complete OSTIF.org (at ostif.org)
09:00 < James_Epp> BUT on the other hand are your clients on the other end of the tunnel trying to talk to that debian host via the debian host's ""real"" LAN IP address or the /dev/tun IP address? If the latter, you may have to set all your services you want accessible to bind to that interface too if not already configured. But I'm just spitballing, honestly.
09:05 <@dazo> !serverlan
09:05 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
09:05 <@dazo> matlj: ^^
09:06 < James_Epp> dazo -- do you even sleep?>
09:06 <@dazo> James_Epp: sleeping is overrated!
09:07 < James_Epp> okay Ms. Thatcher.
09:11 < matlj> James_Epp: Thank you. I just found a solution using a static NAT rule on the client side
09:11 < James_Epp> matlj: Great to hear!
09:13 < matlj> I tried the route add before, but it blocked all traffic from the lan
09:17 < linux_hacks> How can we configure server that when client is connected to VPN server it will be able to see the client network..
09:18 < DArqueBishop> linux_hacks:
09:18 < DArqueBishop> Er.
09:18 < DArqueBishop> Oh, I read it right.
09:18 < DArqueBishop> linux_hacks:
09:18 < DArqueBishop> !clientlan
09:18 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see
09:18 <@vpnHelper> !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
09:20 < linux_hacks> @vpnHelper I will go through that
09:21 < linux_hacks> @vpnHelper thanks for the help.
09:22 < DArqueBishop> !botsnack
09:22 <@vpnHelper> "botsnack" is Om nom nom!
09:23 < linux_hacks> so my vpnclient can see the network of the VPN server but one of the host in VPN network not able to see the client connected to it
09:24 < linux_hacks> *not able to see the client network connected to it
09:24 < James_Epp> !ccd
09:24 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
09:30 < linux_hacks> oh basically its an extension after the client connection initiation?
09:36 < scj643> Anyone ever got openvpn working with a chromebook?
09:38 < Slashman> !block-outside-dns
09:51 < yengas> hey guys. i'm behind a network that blocks non 80/443 ports and filters dns requests
09:51 < yengas> if i use online dns lookup websites to get ip addresses of the websites i would like to enter, and add them to hosts file
09:51 < yengas> i can enter the websites, and if i activate openvpn over stunnel4, i can use non 80/443 ports too
09:52 < yengas> but i can't still resolve dns lookups for blocked websites
09:52 <@dazo> !redirect
09:52 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
09:52 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
09:53 <@dazo> yengas: ^^^... get your tunnel running with redirect, then switch your local DNS resolver to a publicly accessible one
10:06 < yengas> okay so i was trying to edit the network configuration from the network manager
10:06 < yengas> it worked when i started the vpn and then edited the /etc/resolv.conf
10:09 <@dazo> yengas: as you are using network-manager ... why not just provide the DNS server there?  That way network-manager updates resolv.conf ... but you might have to turn off "automatic" in the DNS section
10:10 <@dazo> the reason is that network-manager may decide to rewrite resolv.conf at some point ... and it doesn't care too much for manual edits ... and it is like that because well, it is supposed to manage your network configuration
10:13 < yengas> i tried editing the configuration of the wifi access point to point to public dns servers and picked automatic dhcp addresses only
10:14 < yengas> however /etc/resolv.conf doesnt change that way, and i don't understand why but all dns requests fail even though nmcli shows the dns addresses set correctly
10:14 < scj643> Any good tools to help with generating a server.conf?
10:18 <+hyper_ch> !confgen
10:18 <@vpnHelper> "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/, or (#3) you must run this in bash
10:18 <+hyper_ch> scj643: see above
10:18 <@dazo> yengas: VPN configurations in NM have their own DNS setting
10:19 <@dazo> scj643: the openvpn configuration files are usually 10-15 lines ... so it usually takes longer time writing/learning a confgen tool than to write it from scratch
10:19 <@dazo> openvpn isn't rocket science if you know networking basics
10:19 < scj643> It is if you are on a chromebook
10:19 < scj643> As the client
10:19 <@dazo> that doesn't make sense
10:20 < scj643> I have to have pam auth
10:20 < scj643> as well as key auth
10:20 <@dazo> so? ... that's just adding 'auth-user-pass' to the client config file
10:20 <@dazo> !--
10:20 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
11:17 < James_Epp> Bye channel!
11:30 <@ecrist> wow, we have almost 300 users in here
11:30 <@ecrist> I remember when we hit 100, and 200
11:52 < tx> Let's celebrate at 300 exactly.
11:58 < scj643> ChromeOS that's locked into secureboot mode is evil
11:59 < scj643> They don't have a proper implementation of openvpn
12:02 <+hyper_ch> ecrist: I think most users just accidentally clicked a link and ended up here
13:39 <@Eugene> Ban all users
14:27 <@ecrist> starting with YOU
14:28 -!- Irssi: #openvpn: Total of 292 nicks [10 ops, 0 halfops, 3 voices, 279 normal]
15:34 < jamesl> !welcome
15:34 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
15:34 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
15:35 < jamesl> !goal
15:35 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:36 < jamesl> I would like to access the internet over my VPN, I can successfully negotiate a connection between the client and server but no packets can be sent or received, even to IP addresses. Established connections work, but not new ones. I am using port 443 and TLS negotiation is successful. How can I connect to the Internet?
15:37 < DArqueBishop> !redirect
15:37 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
15:37 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
15:42 < jamesl> I am using "
15:42 < jamesl> push "redirect-gateway def1 bypass-dhcp"
15:42 < jamesl> " and have enabled ip forwarding in sysctl.conf. I'll check my iptables setup
16:00 <@dazo> jamesl: any reason you add bypass-dhcp?
16:00 < jamesl> I read a tutorial online saying to add it
16:00 <@dazo> on the openvpn.net sub-domain?
16:01 < jamesl> no, on digitalocean
16:01 <@dazo> okay ... don't trust everything you read on the net .... I hope you looked at the man page describing it?
16:02 < jamesl> yes, it seemed like bypass-dhcp didn't do anything bad, so I decided to leave it in
16:02 <@dazo> rather take the opposite approach ... if you see you really need it, then leave it
16:04 <@dazo> otherwise ...
16:04 <@dazo> !blogs
16:04 <@dazo> !blog
16:04 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
16:04 <@dazo> !howto
16:04 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
18:15 < |Mike|> ujah!
--- Day changed Sat Apr 08 2017
03:39 -!- sunrunner20_ is now known as sunrunner
03:45 -!- sunrunner is now known as sunrunner20
07:48 -!- david is now known as Guest64416
10:10 -!- alexandre9099_ is now known as alexandre9099
11:04 < nategraf> !ovpnuke
11:04 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
12:28 < kantlivelong> is there a way to work around openvpn dropping but the service still being up?
12:28 < kantlivelong> the gateway is clearly down but the service still runs
13:14 < mjt> kantlivelong: you aren't expressing your prob clearly. it is either running or not, what _is_ "service" and what _is_ "gateway" and what _is_ "dropping" ?
14:46 < JuPaname> you need free shell account ? contact me PM
15:07 < SpaceInvaders> Hi
15:07 < SpaceInvaders> my computer and my wife's computer (both running OpenVPN on linux) suddenly started getting TLS Handshaking errors completely stopping networking activity.  It seems to happen to both systems at the same time.  Restarting the OpenVPN client immediately resolves the problem
15:08 < SpaceInvaders> I'm using OpenVPN to connect to privateinternet access.  It connect successfully but then i run into this problem.
15:09 < SpaceInvaders> I was hoping to get some troubleshooting pointers because when i search most of the stuff i find seems to point to troubleshooting if you are running a server and I'm  just running a client to connect to pia
15:09 < SpaceInvaders> It's been very frustrating as it seems to be happening every 10 or 15 minutes (at a guess)
15:09 < SpaceInvaders> one time, earlier today, I sat and waited it  out.  It kept failing and then eventually reconnected.
15:11 < nacelle> sounds like a firewall state table that doesnt handle udp well
15:12 < SpaceInvaders> local? remote? or do I need tcpdump to figure that out?
15:12 < nacelle> I would guess local, like your nat firewall at home if that's what's happening
15:12 < SpaceInvaders> heh i just got google fiber
15:12 < nacelle> if you have the option of trying a tcp vpn connection, do that.  see if it lasts a lot longer.
15:13 < nacelle> if so that helps pinpoint it
15:13 < SpaceInvaders> I don't think pia supports tcp.  I seem to remember seeing that.  I'll check
15:13 < nacelle> could be something as simple as you're also running torrents and happen to be eating up the state table of your home firewall
15:13 < nacelle> but i'd look there
15:13 < SpaceInvaders> ok thanks!  I'll check into both
15:14 < SpaceInvaders> well my wife's system isn't running torrents and she's having what may be the exact same problem
15:19 < nacelle> any system will overload the common gateway you're going through
15:19 < nacelle> i'm guessing thats the point thats severing it at the same time
15:19 < SpaceInvaders> meaning the google fiber box?
15:19 < nacelle> but i could be way off :-)
15:19 < nacelle> whatever provides your internet
15:19 < SpaceInvaders> I gotta start somewhere :)
15:20 < SpaceInvaders> thank you !
15:45 < Melio> how do i test the speed of my vpn connected network via the linux console
15:45 < Melio> I want to test it among multiple worldwide hosts to determine which ones are fastest to the sites I use
15:45 < SpaceInvaders> http://www.thinkbroadband.com/download.html
15:45 <@vpnHelper> Title: thinkbroadband :: Download Test Files (at www.thinkbroadband.com)
15:46 < Melio> so just download something and see how fast it goes. is there a loggable speed of the download metric?
15:46 < SpaceInvaders> How are you planning to DL?
15:46 < Melio> I.e. size over speed, over time = x
15:46 < Melio> I can use wget i suppose
15:46 < Melio> lemme see what wget uses
15:46 < SpaceInvaders> which provides that detail
15:46 < Melio> or paremeters i can get a return on
15:47 < SpaceInvaders> unless you use a very old version of wget
15:47 < Melio> I doubt it.
15:47 < SpaceInvaders> no, there was a time wget didnt provide dl metrics
15:47 < Melio> so the largest file seems a bit overdoing it
15:48 < SpaceInvaders> I think they count on your discretion.
15:48 < Melio> I'm at 30mb connection. so i think 200mb for 1 minute should work
15:49 < SpaceInvaders> I seem to remember they also offer an upload option
15:49 < Melio> I'm going to test tcp and udp to see if one is faster on each server i think
15:49 < Melio> that would be cool at least if it was significant
15:50 < Melio> otherwise waste of test time
15:50 < Melio> I'm thinking about doing a metric log to read and reset a default connection
15:50 < nacelle> I found udp vpn transport should be about 2x as fast as tcp over a long distance
15:50 < Melio> multiple server test, then find fastest basicly and set it to defualt
15:50 < nacelle> fwiw.
15:51 < nacelle> (maybe around 1.7x really)
15:51 < Melio> yeah but one is stateless the other isnt
15:51 < Melio> so you got error correcting issues.
15:51 < Melio> so it slows it down
15:51 < nacelle> both are stateful deary.
15:52 < Melio> by the router protocols
15:52 < Melio> but it makes them work harder at the peers
15:52 < nacelle> right, thats why you skip on tcp
15:52 < Melio> good idea
15:52 < nacelle> (thats why udp vpn is faster)
15:52 < Melio> I'll remove that option
15:52 < nacelle> tcp == lots of overhead, duplicated and potentially out of sync states, etc.
15:53 < Melio> also, i appreciate the affection of being called deary
15:53 < nacelle> (where the tcp state can be out of sync with the vpn state because tcp says "ooh, retransmit that one packet plz", etc.)
15:53 < Melio> my wife calls me dingbat
15:53 < Melio> ;)
15:53 < Melio> I'm deleting my tcp config files
15:53 < nacelle> i'm learning not to say what i was taught to say as a school boy, but it is not easy and definitely not as fun
15:53 < Melio> I'm not going to bother testing them
15:54 < Melio> I wasnt trained to say the right things or wrong things . i just have to learn over time .. still learning
15:54 < nacelle> the only time tcp really seems to help is when its over a long distance and the providers are arbitrarily dropping udp they dont know
15:54 < Melio> all i know is when to shutup, and when to bark
15:54 < nacelle> which i've seen from someone in austrailia connecting to someone in california
15:55 < SpaceInvaders> woof
15:55 < Melio> if that occurs. i might change to tcp from that vpn service host
15:55 < Melio> but i'll keep that in mind as to why
15:55 < Melio> can i ask a question about dns and vpn?
15:55 < nacelle> its rare, but when it happens and you need to get stuff done, its nice to have the "slow" tcp backup
15:55 < Melio> or is that a multipart answer
15:55 < nacelle> just ask
15:56 < Melio> in my case, I have multiple vpn hosts
15:56 < SpaceInvaders> you *should* ask questions about dns and vpns
15:56 < Melio> about 370 of them
15:56 < SpaceInvaders> wow
15:56 < nacelle> asking to ask is an internet faux pas ;-0
15:56 < SpaceInvaders> %
15:56 < SpaceInvaders> ^^
15:56 < nacelle> thats a bit!
15:56  * nacelle tries to consider that many
15:56 < Melio> ok so the vpn connection - does it use my client configuration dns, or does it use my system dns setting, or does it use the router/modem setting
15:56  * nacelle tucks into the fetal position
15:56  * SpaceInvaders posts past 65535 for FATAL ERROR
15:57 < Melio> nacelle:  that's why i have to run a script to find the best choices without sitting there and feeling the sluggish and forcing a human random select with frustration
15:57 < Melio> I can pop that script to run with chron. determine what is best and just pop any ties together by order of test sequence
15:58 < nacelle> Melio: your vpn uses your client configuration, which might say "use the system dns", which might be set to accept the dns from the route/modem's dhcp server.
15:58 < Melio> ok but if the openvpn ovpn file states a specific DNS, does my modem change it when data goes out?
15:58 < nacelle> as is the case when one is tunneling a subnet or two and not going for the whole internet over the tunnel
15:58 < SpaceInvaders> https://www.bestvpn.com/blog/31750/a-complete-guide-to-ip-leaks/
15:58 <@vpnHelper> Title: A Complete Guide to IP Leaks - BestVPN.com (at www.bestvpn.com)
15:59 < SpaceInvaders> Melio--a good read 4 u :)
15:59 < Melio> i called it dns leaks
15:59 < Melio> but same thing i guess
15:59 < nacelle> but usually its going to be that you want the dns to be provided over the tunnel if you're trying to hide stuff
15:59 < nacelle> right
15:59 < Melio> i'm talking to my vpn provider about getting dnscrypt installed
15:59 < nacelle> Melio: seems like the provider would have some way of doing that for ya, no?
15:59 < Melio> of course. I know the owner personally
16:00 < SpaceInvaders> and u have to ask?
16:00 < Melio> It's not my expert knowledge
16:00 < SpaceInvaders> If I knew hefner id get laid every weekend.....
16:00 < Melio> not nessicarily
16:00 < SpaceInvaders> i think i made my point
16:00 < nacelle> :-)
16:00 < Melio> only if you were adorable by the women
16:00 < Melio> it's not a good analogy
16:01 < SpaceInvaders> correct.  it is an excellent analogy
16:01 < Melio> big ugly fat dudes only hang out. they don't actually get laid at hughe's place
16:01 < Melio> anyhow. the topology is PC(vpn)---MODEM---(vpn host) --internet
16:01 < Melio> where exactly does vpn dns at, and which controls it
16:02 < SpaceInvaders> read the URL
16:02 < Melio> ok brb
16:02 < SpaceInvaders> it will help you with knowledge and refine your questions
16:03 < SpaceInvaders> nacelle I changed config
16:03 < Melio> ok i'm going to test this ipleak test against my vpn. brb
16:03 < SpaceInvaders> I downloaded the newer PIA config for OpenVPN and NetworkManager which seems to have resolved the issue
16:03 < SpaceInvaders> omg Melio RTFM
16:03 < SpaceInvaders> don't stop at the 1st link
16:04 < SpaceInvaders> given the latest PIA config resolves the problem i suspect server changes impacted my clients using the original config they provided
16:05 < Melio> I am RTFM
16:05 < Melio> that's why i'm not responding.
16:05 < SpaceInvaders> not if you're typing here
16:05 < Melio> I have two screens like any normal geek
16:06 < Melio> so i'm not leaking dns
16:07 < Melio> I use random user agents in my browser to screw up cache cookies
16:07 < Melio> it's really fun
16:07 < Melio> so it's seeing a mac, and I don't run mac so that's accurate
16:08 < Melio> i have to change the plugin names tho
16:09 < Melio> they won't run on a user agent like firefox for mac. so I should probably fake those too
16:12 < Melio> ok. so the dns does infact come from the vpn host
16:14 < nacelle> I used to say I was coming from a sega dreamcast or "my neighbors garage door opener"
16:14 < nacelle> now thats actually plausible :(
16:14 < Melio> you don't change useragents to test websites
16:14 < Melio> I have an app for chrome you could try out that I didnt write
16:14 < Melio> but it lets you choose one or make your own
16:14 < Melio> Chrome UA spoofer
16:15  * nacelle shakes his head
16:15 < nacelle> thats allright, thanks
16:16 < Melio> it's not a bad plugin. just a suggestion
16:17 < Melio> https://chrome.google.com/webstore/detail/random-user-agent/einpaelgookohagofgnnkcfjbkkgepnp?hl=en this one is random
16:17 <@vpnHelper> Title: Random User-Agent - Chrome Web Store (at chrome.google.com)
16:19 < Melio> is there a openvpn connection tester script you know of that already allows for multiple hosts?
16:33 < Melio> k i found a github project called speedtest-cli
16:33 < Melio> Command line interface for testing internet bandwidth using speedtest.net  https://github.com/sivel/speedtest-cli
16:33 <@vpnHelper> Title: GitHub - sivel/speedtest-cli: Command line interface for testing internet bandwidth using speedtest.net (at github.com)
16:34 < Melio> it'll let you select one o hundreds of servers from a list it downloads initially on run
16:34 < Melio> that done could be piped into a file with --simple output
16:34 < Melio> or --cvs
16:35 < yarddog> are one vpn recommended over another vpn other than openvpn in here? (just curious, not always watching in here) :)
16:35 < Melio> --csv i mean
16:35 < Melio> yarddog: there are hundreds of comparison sites
16:35 < yarddog> i know
16:36 < Melio> the metric, is usually. price, what security they have. what reviews they have by users. and if they lie about tracking, or if they have reliability issues.
16:36 < yarddog> i was just wondering if it is done in here at all
16:36 < Melio> there is always the possibility of bias reviews anywhere
16:36 < yarddog> indeed
16:36 < Melio> just a reminder :)
16:36 < yarddog> ive had good luck with AirVPN so far
16:37 < Melio> to mean, how i access vpn is what i want
16:37 < Melio> i prefer openvpn compatibility
16:37 < Melio> not some silly android app
16:37 < Melio> or windows client that's customized. but not functional with a openvpn app
16:37 < yarddog> Air is openvpn
16:37 < Melio> then that's a good thing.
16:38 < Melio> if you know what you want from a service. do good research
16:38 < yarddog> i like no disconnects
16:38 < yarddog> dependable
16:39 < Melio> I was just talking about building a script that connects, test a speed with a few servers or whatever i designate, disconnects, and goes on to another vpn connection. and so on
16:39 < Melio> something a lot of reviewers don't do
16:39 < Melio> but someone may post speeds
16:39 < Melio> like.. vpn w/ and without
16:40 < Melio> and now i'm learning that IP leaks, and dns leaks. might be a problem with your vpn host
16:40 < yarddog> https://airvpn.org/
16:40 <@vpnHelper> Title: AirVPN - The air to breathe the real Internet (at airvpn.org)
16:40 < Melio> so you won't know if that's an issue. unless you look once your connected and paying for the service
16:40 < yarddog> can check ipleak.net
16:41 < Melio> the other thing you want to make sure you are eyeballing is how long it takes to connect
16:41 < Melio> it's nice to just flip a switch and be on it
16:42 < Melio> i'm setting up my modem to be connected to the service, but it only allows one configuration
16:42 < Melio> so i'm doing a script that'll scan speed/test and rewrite the configuration for it
16:43 < Melio> toggle the network for a moment and restart the network so it's on a nice clean connection
16:43 < Melio> I'll add randomizer to it later, once i find the hosts with the most
16:46 < Melio> the output of the speed test from this python script is simple
16:46 < Melio> 4769,Broadcasting Center Europe SA,Luxembourg,2017-04-08T21:31:17.548941,508.4781964907523,155.037,17743086.028388586,8236222.226588943
16:47 < Melio> output is bits apparnetly
--- Day changed Sun Apr 09 2017
00:00 < daemon> hey guys I want a tunnel with no encryption but I still want authentification its a p2p topology
00:00 < daemon> I tried 'cipher none' but that appears to disable both
00:00 < daemon> what should I look at
00:18 < daemon> ah got it working
00:18 < daemon> is there anyway I can make it so the p2p tunnel only the client needs to know the servers address?
00:19 < daemon> ah got it
00:28 < daemon> when using a 'secret' file what actual 'encryption' does the channel its self use
00:28 < daemon> is the secret simply used for authentification
00:44 < daemon> ah ha all good apart from one thing!
00:44 < daemon> on the end point I have this:
00:44 < daemon> route 172.31.33.0 10.0.0.2
00:45 < daemon> because I want to be able to access that lan via that gateway, the command its self is fine but openbsd adds it as:
00:45 < daemon> or openvpn rather
00:45 < daemon> Sun Apr  9 06:36:00 2017 /sbin/route add -net 172.31.33.0 10.0.0.2 -netmask 10.0.0.2
00:45 < daemon> it should be netmask 255.255.255.0
00:45 < daemon> how do I get it to add it like I want
00:48 < nacelle> route 172.31.33.0 255.255.255.0
00:48 < nacelle> https://community.openvpn.net/openvpn/wiki/RoutedLans
00:48 <@vpnHelper> Title: RoutedLans – OpenVPN Community (at community.openvpn.net)
00:49 < daemon> ah got it all folkds cheers
00:51 < nacelle> woo!
02:23 < JuPaname> hi
07:06 -!- alexandre9099_ is now known as alexandre9099
09:39 -!- poster is now known as Poster
11:24 < GamingX> I'm trying to use PiVPN to setup OpenVPN on my Pi, but I'm having connecting to it. I've forwarded the port on the router as well, but when I try to connect to it, it sorta freezes at this line UDP link remote: [AF_INET]IP
11:25 < GamingX> I'm wondering if I skipped something while setting it up
11:25 < GamingX> The TLS key negotiation and the handshake falls as well
11:33 < GamingX> Anyone has pointers on it ?
11:49 < count_noobula> testing
11:51 < count_noobula> !welcome
11:51 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
11:51 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
11:51 <@vpnHelper> you
11:52 < count_noobula> !goal 'I would like to access the internet over my vpn'
11:53 < count_noobula> !howto
11:53 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
11:53 < count_noobula> !ask
11:53 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
12:06 < DArqueBishop> count_noobula:
12:06 < DArqueBishop> !redirect
12:06 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
12:06 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
12:10 < count_noobula> thank you DArqueBishop. I will check it out... still going through the irc etiquette, too; hence the name, noobula.
12:11 < count_noobula> !redirect
12:11 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
12:11 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
12:14 < count_noobula> !dns
12:14 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
12:14 < count_noobula> !pushdns
12:14 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like
12:14 <@vpnHelper> OpenVPN for Android and OpenVPN Connect will happily accept push dhcp-option
12:16 < count_noobula> !def1
12:16 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
12:16 < count_noobula> !ipforward
12:16 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
12:17 < count_noobula> !linipforward
12:17 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
18:06 < ArtGravity> !welcome
18:06 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
18:06 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
18:07 < ArtGravity> !goal
18:07 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:08 < ArtGravity> !goal I want openvpn-auth-ldap plugin to bind
18:12 < ArtGravity> I trying to add openvpn-auth-ldap to an already working OpenVPN setup and running into a failure to bind using ldaps
18:13 < ArtGravity> I've checked the bind dn using ldapsearch. It is working there.
--- Day changed Mon Apr 10 2017
01:23 < bbbenji> goodmorning
01:24 < bbbenji> I have a problem where the internet does not work after connecting to my VPN. This only happens from my office computer. Works fine at home or on mobile data. What could be wrong?
07:27 <@krzee> bbbenji:
07:27 <@krzee> !redirect
07:27 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
07:27 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
07:27 <@krzee> use the flowchart?
07:28 < bbbenji> thank you kkrzee
07:31 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Read error: Connection reset by peer]
07:31 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
07:31 -!- mode/#openvpn [+o plaisthos] by ChanServ
07:34 < bbbenji> !dns
07:34 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
08:10 < bbbenji> according the the flow chart i have a problem with DNS. Although I already have google dns servers configured and everything works from other networks
08:26 <@krzee> bbbenji:  so you can ping 8.8.8.8 but not google.com while connected to the vpn?
08:30 < bbbenji> that is correct
08:31 <@krzee> what os?
08:31 <@krzee> (client side)
08:33 < bbbenji> macos sierra
08:33 < bbbenji> same as at home, which works
08:33 < bbbenji> using tunnelblick
08:33 < bbbenji> different ISP
08:34 <@krzee> open a command prompt and type this:
08:34 <@krzee> scutil --dns | grep 'nameserver\[[0-9]*\]'
08:35 <@krzee> show me the output, see !paste if you have 5 lines or more
08:35 < bbbenji> while connected to vpn im assuming
08:35 <@krzee> yes pls
08:35 < bbbenji> brb, will d isconnect me
08:35 <@krzee> although both would be cool too
08:39 < bbbenji> @krzee weird, same if im connected or not
08:39 < bbbenji> nameserver[0] : 194.204.152.34
08:39 < bbbenji>   nameserver[0] : 194.204.152.34
08:39 <@krzee> thats not google dns servers!
08:39 <@krzee> its probably your ISP nameservers and probably only works while using your ISP
08:40 <@krzee> then when you route out of your vpn, you arent using your ISP, so they block requests to their nameservers for recursive queries
08:41 < bbbenji> i see
08:41 < bbbenji> can i get aroudn this?
08:41 <@krzee> because theres a way to use recursive nameservers for a 60x amplification attack, the easiest way to stop abuse is by limiting recursive dns to your netblocks... people like google who run public recursive dns servers mitigate abuse in other ways
08:41 <@krzee> sure, theres a couple ways
08:41 <@krzee> you could tell the vpn to set the nameserver, or you could manually just set the client to use a public recursive nameserver
08:42 <@krzee> or you could go into your router and set it to give a public recursive nameserver direct in dhcp
08:42 < bbbenji> i will look into having my VPN set the nameservers
08:42 <@krzee> i guess the laziest is to just go set it in the client os
08:43 <@krzee> ok, that would be:
08:43 <@krzee> !pushdns
08:43 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for
08:43 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
08:43 <@krzee> and then in tunnelblick you set it to use the nameserver, its an option in there
08:43 <@krzee> i dont use osx anymore so i cant find it for you, but it's not hard to find
08:43 < bbbenji> thanks you, you have helped more than enough so far
08:44 <@krzee> you're welcome
08:47 < bbbenji> @krzee looks like my VPN should already be pushing DNS and tunnelblick setting them...
08:47 < bbbenji> server.conf
08:47 < bbbenji> push "dhcp-option DNS 8.8.8.8"
08:47 < bbbenji> push "dhcp-option DNS 8.8.4.4"
08:48 <@krzee> then you may not have tunnelblick set to accept it
08:48 < bbbenji> http://imgur.com/a/fPERR
08:48 <@vpnHelper> Title: Imgur: The most awesome images on the Internet (at imgur.com)
08:49 <@krzee> set to verb 4, reconnect, show me the client log
08:51 < bbbenji> https://pastebin.com/YcMM0n6x
08:53 <@krzee>                                         WARNING: Ignoring ServerAddresses '8.8.8.8 8.8.4.4' because ServerAddresses was set manually
08:54 <@krzee> this is a decision made by tunnelblick, unrelated to openvpn
08:54 <@krzee> you see, in unix (osx is a unix) openvpn doesnt set dns, but rather it passes the info as variables to an option --up script
08:54 < bbbenji> im assuming that the DNS is set manually on the router here
08:55 <@krzee> tunnelblick has one built in, at /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh
08:55 <@krzee> (as seen in your log)
08:55 < bbbenji> yes
08:55 <@krzee> yes, the router is giving the dns server to the client via dhcp, but you can also set it manually in the client's os
08:56 <@krzee> http://osxdaily.com/2015/12/05/change-dns-server-settings-mac-os-x/
08:56 <@vpnHelper> Title: How to Change DNS Server Settings in Mac OS X (at osxdaily.com)
08:57 <@krzee> lol your log actually knew the problem
08:57 <@krzee>                                         DNS servers '194.204.152.34' were set manually
08:57 <@krzee>                                         DNS servers '194.204.152.34' will be used for DNS queries when the VPN is active
08:57 <@krzee>                                         NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
09:03 < bbbenji> I got everything working @krzee
09:03 < bbbenji> thanks again for your help
09:03 <@krzee> np
09:54 <+hyper_ch> krzee: dazo: finally filed a bug regarding systemd, mounted shares through the openvpn and powering off  https://github.com/systemd/systemd/issues/5719
09:54 <@vpnHelper> Title: Umount networked mounts before cutting of the network connection · Issue #5719 · systemd/systemd · GitHub (at github.com)
10:01 <@dazo> hyper_ch: do you do the network fs mounting through systemd mount units or /etc/fstab?
10:01 <+hyper_ch> fstab
10:02 <@dazo> hyper_ch: good :) ... that means it's something with the ordering ... do you also use the openvpn-client@.service unit file for the client VPN profiles?
10:03 <+hyper_ch> no idea... the nixos config file does it automagically
10:03 <+hyper_ch> dazo https://github.com/sjau/nixos/blob/master/configuration.nix#L379
10:03 <@vpnHelper> Title: nixos/configuration.nix at master · sjau/nixos · GitHub (at github.com)
10:05 <@dazo> hmmmm ... meh .... I have no ides what that is or does (I can guess, of course, based on the config ... but... yeah, nothing too useful)
10:05 <+hyper_ch> no idea if it creates any systemd service units thingies
10:05 <+hyper_ch> systemd is just a big mystery to me
10:06 <+hyper_ch> I guess it does make service files
10:08 <@dazo> hyper_ch: 2 lines systemd crash course:  1)  systemctl $VERB $SERVICE  ($VERB={start,stop,status,enable,disable}, $SERVICE=openvpn-{çlient,server}@CONFIGNAME ..... 2) journalctl [-b | --since=$DATE] -u $SERVICE .... $DATE={2017-01-01,today,yesterday}
10:09 <+hyper_ch> dazo: the problem is systemctl status openvpn-client@xxx doesn't show anything
10:09 <@dazo> that's basically all you need to know to be able to manage as system on the same level as most sysv/upstart systems ... in fact 2), is way harder in those old methods, as you need to grep files in /var/log
10:09 <+hyper_ch> however locate openvpn
10:09 <+hyper_ch> shows stuff like    /nix/var/log/nix/drvs/i4/l8j6v5ay0ir588kqyb7ryifs77yaix-unit-openvpn-rp.service.drv.bz2
10:09 <@dazo> eeek
10:10 <@dazo> ehm .... and the nixos guys claims:  "The Purely Functional Linux Distribution" ... I guess it works if you don't try to do anything special or want to try to understand it
10:12 <+hyper_ch> I do think it uses systemctl but not sure
10:14 <+hyper_ch> a journalctl dump showed this:   Apr 09 09:31:13 subi openvpn[1254]: Sun Apr  9 09:31:13 2017 us=259463   config = '/nix/store/qq2k8ag35nkpw08agn6wwdr68qbpp760-openvpn-config-rp'
10:14 <+hyper_ch> so I assume it does run unit files
10:29 <@dazo> hyper_ch: well, it just depends on *which* unit file, and whom it comes from ... if it is the upstream openvpn unit file, we might have done something wrong ... if it is something nixos specific, they might have done something wrong
10:30 <+hyper_ch> I have no idea what you just said
10:31 <@dazo> hyper_ch: the unit files are systemd versions if init.d shell script ... a unit file is just a simple ini-file which lists dependencies and how systemd can manage that particular service
10:33 <@dazo> hyper_ch: so if nixos uses exactly the same unit files we ship in the OpenVPN project, we might be one part to blame for this not functioning .... if nixos have their own unit file instead, they're silly and stupid not using the upstream OpenVPN unit files, as then they could blame us
10:35 <+hyper_ch> dazo: I still have no idea what the unit files are or where they are
10:35 <+hyper_ch> and I also had that problem on ubuntu with systemd
10:36 <@dazo> hyper_ch: 'systemctl status' ... that should list all running units ... grep for openvpn, and you might get a step further
10:36 <+hyper_ch> https://paste.simplylinux.ch/view/12188588
10:37 <@dazo> hyper_ch: okay ... systemctl status openvpn-h-b.service ?
10:37 <@dazo> (but this really looks like something hand-brewed by nixos)
10:38 <+hyper_ch> https://paste.simplylinux.ch/view/dc55125f
10:38 <@dazo> cat /nix/store/kj1b23078zri34sxi6kqmfsypr5pq54l-unit-openvpn-h-b.service/openvpn-h-b.service
10:39 <+hyper_ch> https://paste.simplylinux.ch/view/4c2e04c7
10:39 <@dazo> oh dear
10:39 <+hyper_ch> ?
10:39 <@dazo> this is completely different from any unit files I've ever seen for openvpn
10:41 <+hyper_ch> how so?
10:41 <@dazo> hyper_ch: I'd guess upstream systemd will just close this as "not a bug" and tell nixos to do it correctly .... becuase here there are no dependency listed, except "after=network.target" ... which should probably be: "after=network-online.target"
10:41 <+hyper_ch> due to atomic upgrades, each package is stored in a seperate sha256 path
10:41 <+hyper_ch> dazo: the same happens on ubuntu
10:42 <@dazo> that's fine enough ... but the contents of it is .... well, not what I'd expect ... and very much nixos specific
10:43 <@dazo> hyper_ch: okay, on Ubuntu ... did you use openvpn@.service or openvpn-client@.service?   The former (openvpn@.service) is something Ubuntu have cooked together and is known to have issues .... there also exists openvpn.service, which tries to simulate the old init.d openvpn init script, and it might be even worse
10:43 <@dazo> (the same goes for Debian, too though)
10:45 <+hyper_ch> I don't recall.. it's been a long time since I switched back to nixos
10:46 <@dazo> I could rant more about nixos ... this patch: https://github.com/NixOS/nixpkgs/blob/277e7119be926b4fcdf4e73654490caaf350b3e1/pkgs/tools/networking/openvpn/systemd-notify.patch   ... is completely unnecessary with openvpn v2.4.0 (and even more so in v2.4.1 which have even more systemd improvements)
10:46 <@vpnHelper> Title: nixpkgs/systemd-notify.patch at 277e7119be926b4fcdf4e73654490caaf350b3e1 · NixOS/nixpkgs · GitHub (at github.com)
10:48 <+hyper_ch> dazo: you should start using nixos and become maintainer for openvpn ;)
10:48 <@dazo> in fact, it may actually make things a bit worse, as it makes OpenVPN tell systemd "I'm okay" ... and then a few lines down, it's an error check - where v2.4 actually tells systemd FAILURE!
10:48 <@dazo> hyper_ch: heh ... no way, I have Fedora packages, that's enough for me ;-)
10:48 <+hyper_ch> ditch fedora
10:48 <+hyper_ch> come to the nix side of Linux :)
10:49 <+hyper_ch> I know you want to
10:49 <@dazo> no way, Fedora EPEL is part of that ... and is used by _real_ Linux distributions (RHEL/CentOS/Scientific Linux) ;-)
10:50 <+hyper_ch> I have no idea what this notify patch even does
10:52 <@dazo> it was needed in openvpn 2.3 (even though it is faulty there, and the sd_notify() call should come later) ... when the unit file for OpenVPN uses Type=notify, it allows OpenVPN to call sd_notify() to tell systemd if it is okay or not
10:52 <+hyper_ch> so that patch should be removed from 2.4?
10:52 <@dazo> In OpenVPN v2.4, we implemented sd_notify() calls a few places and switched to Type=notify .... this also removes the need to mess around with PID files and such crap
10:52 <@dazo> hyper_ch: completely
10:53 <+hyper_ch> I think I can get this done
10:53 <+hyper_ch> so, gotta go
10:53 -!- F2Knight[away] is now known as F2Knight
10:54 -!- F2Knight is now known as F2Knight[away]
10:54 -!- F2Knight[away] is now known as F2Knight
10:54 <@dazo> hyper_ch: this is poor package maintenance, just switching the version number in the packaging file ... and not reviewing what kind of changes (https://github.com/OpenVPN/openvpn/blob/v2.4.0/Changes.rst, search systemd) have happened and review which patches are still required or not
10:55 <@dazo> and ... Changes.rst *is* packaged in the tarball we ship
10:55  * dazo stops the rant :)
10:59 < skyroveRR> I was just starting to enjoy it...
10:59 <@dazo> lol
13:49 < gthank> !welcome
13:49 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
13:49 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
13:50 < gthank> !goal troubleshoot a connection that never completes
13:50 < gthank> !goal
13:50 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:51 < gthank> I want to troubleshoot a connection that won't complete
13:52 < DArqueBishop> gthank:
13:52 < DArqueBishop> !logs
13:52 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
13:52 < DArqueBishop> !configs
13:52 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:52 < gthank> !logfile
13:52 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
14:16 < gthank> Thanks, DArqueBishop
14:16 < gthank> Found the logfiles, and it's a TLS Handshake failure, so I'll work on that.
15:09 < rco> I'm trying to use the iroute directive to have a client route a subnet in combination with push "route..." to tell other clients how to route that subnet. The documentation states that OpenVPN won't push a route to a client if that client has an iroute matching it, but I'm seeing it push the route to the iroute client regardless.
15:10 < rco> I have the route and push "route..." lines in the primary server config file, and the iroutes in the client-config-dir.
16:21 <+hyper_ch> dazo: looking forward to your pull request ;)
17:14 < rollinDyno> Hi, I'm using a vpn provider and can't figure out how to set it up on my linux machine. I have an template for the client conf file but I can't figure out what my ca and key files should be. I've downloaded a .crt file from the server and I think that's the cert.
18:57 <@dazo> hyper_ch: please pull down this and get a decent distro!  https://www.centos.org/download/ .... well, it's a pull request!
18:57 <@vpnHelper> Title: Download CentOS (at www.centos.org)
19:47 -!- F2Knight is now known as F2Knight[away]
20:07 -!- F2Knight[away] is now known as F2Knight
--- Day changed Tue Apr 11 2017
01:43 <+hyper_ch> dazo: https://github.com/NixOS/nixpkgs/issues/24817
01:43 <@vpnHelper> Title: OpenVPN - unnecessary patch · Issue #24817 · NixOS/nixpkgs · GitHub (at github.com)
02:08 <+hyper_ch> dazo: https://github.com/NixOS/nixpkgs/commit/e09b950f5423904562c98e31417683a2b5560ea7
02:08 <@vpnHelper> Title: openvpn: remove no longer correct systemd-notify.patch · NixOS/nixpkgs@e09b950 · GitHub (at github.com)
02:11 < philosopher-king> Good morning everyone
02:11 <+hyper_ch> hi
02:11 < philosopher-king> I have 2 laptops
02:11 < philosopher-king> with open vpn installed
02:12 < philosopher-king> one is running Windows 10 pro
02:12 < philosopher-king> the other is running Arch Linux
02:12 < philosopher-king> when I connect to my vpn server on Linux I get 400-600Mb/s down and 40-50Mb/s up
02:13 < philosopher-king> When I connect with Windows I get 30-80 Mb/s down and 30-40Mb/s up
02:13 < philosopher-king> I'm using the same cat 6 cable
02:13 < philosopher-king> on both laptops
02:13 <+hyper_ch> (so best to upgrade your win 10 to linux)
02:13 < philosopher-king> lol
02:14 < philosopher-king> yah, I like to live on the dark side sometimes ;)
02:15 <+hyper_ch> I assume the Win 10 CPU is equally powerful to the Arch one?
02:15 < philosopher-king> Yah, the Windows 10 is a newer laptop with an i7 cpu
02:15 < philosopher-king> 24GB RAM
02:16 <+hyper_ch> don't know :(
02:16 <+hyper_ch> but just to rule out any hardware issues
02:16 <+hyper_ch> could you run arch from a live usb stick and test speeds that way on the win 10 comp?
02:16 < philosopher-king> Could it be the TAPI driver for Windows?
02:16 < philosopher-king> Sure I never thought of doing thast
02:17 < philosopher-king> taht
02:17 < philosopher-king> that
02:17 <+hyper_ch> tapi driver are for phone stuff... I doubt that would interfere... but who am I to know
02:17 <+hyper_ch> well, unlikely it's a hardware issue but it can be ruled out easily with a live distro
02:18 < philosopher-king> Ok I just booted Arch on my Win 10 and did a speed check 620Mb/s down 42Mb/s up
02:19 <+hyper_ch> so that's about the same as on th arch comp
02:19 < philosopher-king> yah it's great
02:19 <+hyper_ch> so, no hardware issue
02:21 <+hyper_ch> hmmm, you run the openvpn server as well, right?
02:23 <+hyper_ch> a thing you could try is add mssfix 0  to both server and client and set sndbuf and rcvbuf
02:23 <+hyper_ch> not sure if that will change anything on windows though
02:24 < philosopher-king> actually, I'm using private internet access vpn
02:24 < philosopher-king> but i'm not using their desktop app just the config files for open vpn
02:27 <+hyper_ch> so you can't alter the server config?
02:28 < philosopher-king> alas no
02:36 <+hyper_ch> then I don't konw what you can do... you could try to add mssfix 0   and    sndbuf 0     rcvbuf 0   on the client but not sure if that has any effect
02:36 < philosopher-king> ok i'll give it a try
02:36 < philosopher-king> thanks for your help
02:37 < philosopher-king> it's strange that the software for linux is superior to win
02:40 <+hyper_ch> why strange?
02:41 < philosopher-king> because openvpn is developed by the same org? for both win and linux
02:42 <+hyper_ch> I thought ovpn was first developped for linux
03:20 -!- F2Knight is now known as F2Knight[away]
05:55 < zxd> hi
05:55 < zxd> is there a document explaning how to configure openvpn client/server to work with a openvpn client connecting using a https proxy
06:04 < zxd> !welcome
06:04 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind
06:04 <@vpnHelper> openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
06:09 < raul_> strange bug
06:09 < raul_> openvpn client date reset to 1970.
06:10 < raul_> openvpn server rejected connection always except once.
06:11 < raul_> I have no time to debug the thing, but i suspect it's deep shit.
07:29 < twyK_> Hello, i have a problem with openvpn server, when i connect i get "WSAECONNRESET" error but if i tcpdump port 1194/udp i can see request coming to my server
07:31 < twyK_> If i search on the net i can't find nothing that can help me, i tried creating certificate 3 times, and with different methods
07:42 < philosopher-king> Good morning everyone
07:45 < philosopher-king> I have 2 laptops.  1 runs Arch Linux while the other has Windows 10 Pro.  Both have openvpn installed.  On Linux when I connect to privateinternetaccess.com's vpn I get 600Mb/s down and 50 Mb/s up while connecting to the same server on Windows I get 50Mb/s down and 30Mb/s up.  What could be causing such a discrepancy?
07:48 < twyK_> That could be caused by the laptop itself
07:48 < twyK_> how do you connect to your isp? ethernet, wifi?
07:49 < philosopher-king> I'm using the same cat 6 ethernet cable for both laptops to test with
07:49 < daemon> same network card?
07:50 < philosopher-king> I booted with a live linux iso on my win 10 laptop which has a i7 cpu and 24GB ram and got around 600Mb/s
07:50 <@dazo> twyK_: "WSAECONNRESET" usually indicates a connectivity issue before certificates are involved ... so you see the connection attempt on your server from the client ... but do you see the server trying to respond back to the client?
07:50 < zxd> not clear how to use user-agent option
07:50 < zxd> --http-proxy-option user-agent "chrome blah"
07:50 < zxd> like this?
07:51 < zxd> if connecting via http how will it know if the proxy is https or http
07:51 <@dazo> philosopher-king: that is most likely due to issues with the Windows TUN/TAP driver :/
07:51 < philosopher-king> ah is there a work around?
07:51 < twyK_> dazo: no, i see only packets are coming
07:51 <@dazo> philosopher-king: which version of the tap driver do you use?
07:52 < philosopher-king> i think it's 0.9.2
07:52 <@dazo> twyK_: that means OpenVPN isn't responding to those packets ... which can be firewall related on the server, using wrong port number ... or server in UDP mode with --tls-auth/--tls-crypt enabled
07:52 < daemon> philosopher-king, I have NO IDEA if this would work .... but could you not spin up a linux or bsd client in virtualbox in give it an ethernet in bridged mode and use that as a gateway from the windows box?
07:52 < philosopher-king> the one bundled with openvpn
07:52 < daemon> no idea if it would work and it would be hacky spectacular :P
07:52 < daemon> but meh
07:53 <@dazo> philosopher-king: which openvpn version?
07:53 < philosopher-king> 2.4
07:54 < philosopher-king> It's been a while since I coded in c; usually I work with java
07:54 < philosopher-king> maybe I could take a look at the code for the TUN driver
07:55 <@dazo> philosopher-king: https://github.com/OpenVPN/tap-windows6
07:55 <@vpnHelper> Title: GitHub - OpenVPN/tap-windows6: Windows TAP driver (NDIS 6) (at github.com)
07:55 < philosopher-king> cool
07:55 <@dazo> philosopher-king: OpenVPN 2.4 on Windows should be one of the I60x installers ... which bundles the driver I pointed you at
07:58 < twyK_> dazo: Hardware Firewall is disabled, and ufw allow connection to 1194/udp. Server is in UDP mode but without tls-auth/tls-crypt enabled. And the port is correct.
07:59 < twyK_> Maybe on openvpn logs i can find something?
08:02 <@krzee> zxd: https://community.openvpn.net/openvpn/ticket/594   https proxy support is a feature that doesnt exist (yet?)
08:02 <@vpnHelper> Title: #594 (HTTPS (SSL) proxy support) – OpenVPN Community (at community.openvpn.net)
08:04 <@krzee> twyK_:
08:04 <@krzee> !configs
08:04 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:04 <@krzee> !logs
08:04 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
08:05 <@krzee> verb 5 please
08:10 < zxd> krzee: openvpn provides the encryption I guess https would be redundant no ?
08:12 < zxd> it says https proxy could help bypass openvpn blocks how a http proxy server knows it's talking to openvpn?
08:12 <@krzee> zxd: true, https proxy would be useful to hide that it's openvpn i guess
08:12 <@krzee> although obfsproxy should be better for that
08:12 <@krzee> !obfs
08:12 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols, or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation, or (#3) in client/server mode an admin can know that openvpn is being used.
08:12 <@vpnHelper> in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
08:14 < zxd> !forwardsecurity
08:14 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can not decrypt past traffic, or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
08:14 < twyK_> krzee, thanks i resolved, was checking syslog and i found that my server.conf was full of unknowns character at the end of file
08:15 < twyK_> thanks to you too dazo
08:15 <@krzee> ^M?
08:15 <@krzee> prolly edited the config in windows, need dos2unix
08:16 < twyK_> no, characters was like blocks
08:16 <@krzee> control chars, prolly ^M
08:16 < zxd> why in forwardsecurity one can tell it's openvpn protocol, the negotation of new keys every hour isn't encrypted aswell?
08:16 < twyK_> i edited only on my server with vim
08:17 <@krzee> the control channel can be seen negotiating the certs
08:18 <@krzee> tls-crypt stops the certs from being seen, but still the openvpn protocol can be seen as openvpn
08:22 < zxd> thansk
08:24 <@krzee> np
08:37 < zxd> it says when using --secret file [direction]  When the direction parameter is omitted, 2 keys are used bidirectionally, one for HMAC and the other for encryption/decryption.
08:37 < zxd> do I need to create 2 keys when using static keys?
08:38 < zxd> I created only 1 key with openvpn --genkey --secret openvpn.key
08:40 <@dazo> zxd: no, only one key ... which must be securely copied to the other host
08:40 <@dazo> zxd: the static key consists of several keys .... so the direction argument just tells openvpn which of the "sub keys" to use
08:41 <@dazo> and which to expect from the remote side
08:41 < zxd> what do they mean by 2 keys are used bidirectionally  they generate two keys from the single static key I provide?
08:41 < zxd> ah
08:52 < skyroveRR> krzee: o.o
09:07 < zxd> Options error: Bad http-proxy-option or missing or extra parameter: 'user-agent'
09:07 < zxd> I have in config file:  http-proxy-option user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
09:08 < zxd> what a I doing wrong
09:13 < zxd> ah so stupid
09:13 < zxd> user-agent is the example
09:13 < zxd> for the agent name
09:14 < MacDefender> Hi, Haven't used OpenVPN yet but I just looked up the man page and it might have to be   http-proxy-option AGENT user-agent '...'
09:15 < MacDefender> Or no, it should be http-proxy-option AGENT '...'
09:45 < zxd> trying to connect using a http proxy, in verbose mode it reports connecting to the proxy then requesting CONNECT to the openvpn server however it resets the connection afterwards
09:45 < zxd> https://ctrlv.it/id/23651/2777749953
09:45 <@vpnHelper> Title: CTRL+V - paste it (at ctrlv.it)
09:47 < sagatak> zxd: what does the server side log (do you have access to check?)
09:47 < zxd> yes
09:47 < zxd> but I need to disconnect from IRC to get there
09:47 < zxd> one moment
09:58 < sagatak> zxd: okay, let me know
10:07 < zxd> f
10:07 < zxd> it works now
10:07 -!- F2Knight[away] is now known as F2Knight
12:40 -!- F2Knight is now known as F2Knight[away]
13:08 -!- poster is now known as Poster
13:33 -!- catalase is now known as catalase-
13:34 -!- catalase- is now known as catalase
14:38 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Read error: Connection reset by peer]
14:38 -!- plai [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
14:38 -!- mode/#openvpn [+o plai] by ChanServ
15:58 < sarthor> Hi, I have several pfsense servers where I am running openvpn, today my clients are not connecting with different openvpn servers, they are on different ISPs here is the logs  https://pastebin.com/tLMvKxtv
23:41 -!- sur3_ is now known as sur3
23:42 -!- sur3 is now known as Sur3
23:44 < Sapio> hello, anyone out there?
--- Day changed Wed Apr 12 2017
00:56 <@krzee> !ask
00:56 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
05:02 < Fudge> hi what do i have to do on my gateway to allow everything behind my gateway to access clients on my openvpn serveR?
05:03 <@dazo> !serverlan
05:03 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
05:07 <+hyper_ch> dazo: https://github.com/systemd/systemd/issues/5719#issuecomment-293519551
05:07 <@vpnHelper> Title: Umount networked mounts before cutting of the network connection · Issue #5719 · systemd/systemd · GitHub (at github.com)
05:23 <@dazo> hyper_ch: yeah, saw that ... makes sense in from my point of view as well
05:24  * dazo had forgotten about the _netdev trick though
06:37 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 260 seconds]
06:37 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
06:37 -!- mode/#openvpn [+v s7r] by ChanServ
07:17 <+hyper_ch> dazo: now I have to wait for newer systemd :(
07:24 <@dazo> hyper_ch: not just that ... the nix openvpn service unit files needs to be updated to do the proper dependency tracking too (using network-online.target)
07:25 <+hyper_ch> well, you've seen yesterday how quickly they react :) took like 30min :)
09:35 -!- vamiry_ is now known as vamiry
09:47 <@ecrist> systemd is the deveil
09:47 <@ecrist> devil
09:48 <@ecrist> !systemd
09:48 <@ecrist> !learn systemd as the devil!
09:48 <@vpnHelper> Joo got it.
09:48 <@ecrist> !systemd
09:48 <@vpnHelper> "systemd" is the devil!
10:05 <@krzee> :D
10:06 <@krzee> im so behind on that stuff
10:21 -!- poster is now known as Poster
10:37 <@dazo> !learn systemd as At least for those who wants keep living in the past ....
10:37 <@vpnHelper> Joo got it.
10:42 < DArqueBishop> Heh.,
11:11 < johnfg> hi folks
11:11 < johnfg> I've used openvpn for years, and love it.  No problems and has always configured easily.
11:12 < johnfg> Running the server on debian, and 4 clients of different sorts, including windows.
11:15 < johnfg> One question: I'm getting ready to add client5.  Seems like every time I go to add a new client, I have to start with the . ./vars, then ./clean-all, ./build-ca, etc.
11:17 < johnfg> Does this not affect the older clients in some way?  I.e., is it proper to have to copy all the server.crts to the old clients and such?
11:22 < Fjorgynn> ohai
11:22 < Fjorgynn> !welcome
11:22 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
11:22 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
11:22 < nb> johnfg, don't do ./clean-all
11:22 < nb> ./clean-all resets everything
11:23 < nb> just do . ./vars and ./build-key or whatever it is
11:23 < nb> i forget the exact command to generate a new client cert
11:23 < Fjorgynn> I've got openvpn on my asus router, should I create a separate account for each device (pc, phone, tablet)?
11:23 < johnfg> nb: just ./build-client client#,
11:24 < nb> yes
11:24 < nb> . ./vars and then ./build-client client#
11:27 <@dazo> johnfg: you should never do ./clean-all ... that really wipes your old CA ... only run that when you want to start from scratch
11:28 <@dazo> s/old CA/current CA/
11:28 < johnfg> Ok, thanks guys.  I'll make sure everything's good with the server before generating client5.
11:28 <@dazo> johnfg: and you don't need to copy anything to the server ... you just need to copy out the key and cert for the client
11:29 <@dazo> (plus the CA cert)
11:33 < johnfg> dazo: Unless by my mistakenly doing things over again, thus almost starting from scratch, I need to copy the ca.crt back to the server from one of the clients.
11:34 <@krzee> Fjorgynn: it's not really accounts, it's cryptographic login credentials
11:34 <@krzee> Fjorgynn: and yes, you should create separate certs for each client
11:34 <@dazo> johnfg: if you have done ./clean-all ... you need to regenerate the server.key/cert as well
11:52 < LargePrime> !welcome
11:52 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
11:52 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
11:53 < LargePrime> !goal
11:53 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:54 < LargePrime> !goal 'I would like advice on VPN provider.'
11:55 < LargePrime> !goal
11:55 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:55 < LargePrime> I would like advice on VPN provider.
11:59 <@krzee> thats not really what we do
11:59 <@krzee> we help people run their own servers
12:00 <@krzee> we'd be more likely to provide support to whatever provider you go with than know about the providers out there
12:00 <@krzee> however, openvpn technologies runs a service, i bet they're good
12:00 <@krzee> you can find it at www.openvpn.net or probably in #openvpn-as
12:01 < _ADN_> recently install 2.4.1 on the server side and the client on 2.3.X latest
12:06 < _ADN_> plugins is not working
12:23 < _ADN_> well was not copying all the files from the plugins
12:33 < _ADN_> so my issue
12:48 -!- ketas is now known as ketas-
13:38 < farchord> Well hello everyone! :) I got a pretty elaborate question.
13:39 < farchord> So essentially, I have a Linksys Wrt3200ACM router, which right now I'm waiting on newer drivers to finish my project, so I'm trying to, in the mean time, figure out a solution to a small problem
13:39 < farchord> To start, I'd like to mention that my project is about losing my ISP-provided FTTN hub and use my own stuff for it.
13:39 < farchord> For reference, my ISP is Bell in Canada (Bell Fibe)
13:40 < farchord> So I got me an SFP to Ethernet media converter, plugged it in the router on the wan port, then plugged TV on port #4 and my computer on port #1 and installed OpenVPN. I setup the VLans (34 and 35), and after 10 hours of screwin' around, it works.... at about 95%.
13:41 < farchord> VOD works, TV works, rebooting works... only thing that doesn't, is it's internal apps.
13:41 < farchord> 'Connection timed out'
13:41 < farchord> And before anyone mentions anything, firewall is set to allow everything
13:41 < farchord> I figured I'd set rules once everything is working
13:42 < farchord> So my question is, anyone here has some experience with Mediaroom-based ISP devices? Maybe specifically Bell Fibe?
13:43 < farchord> And err by openvpn I meant OpenWRT. I keep messing up those 2 names
13:43 < farchord> Crrraaaap wrong channel damnit
13:54 < Fjorgynn> va?
14:24 < johnfg> hi guys
14:25 < johnfg> quick question before I leave for 2nd job.
14:25 < johnfg> I did have to do all over because of my earlier error.
14:26 < johnfg> But when I start with `openvpn --config server.conf`, it gives this error: Options error: --dh fails with 'dh2408.pem': No such file or directory
14:26 < johnfg> Even though dh2048.pem is in /etc/openvpn.
15:09 < Celmor> is there a way to use openvpn without a tap/tun device?
15:09 < Celmor> because those are apparently unsupported in my environment
15:35 < MichaelGG> Is it correct that on windows only a TAP driver is available?
15:52 < nacelle> no, openvpn comes with a tuntap windows driver
15:56 < nacelle> I have windows tun users in any event, i'm not 100% sure about what client software they have.
16:05 < MichaelGG> hm. Cause I only see "TAP-Windows" adapter and such
16:07 < nacelle> have you installed openvpn on a windows machine?
16:07 < DArqueBishop> MichaelGG: that adapter supports both tun and tap.
16:07 < MichaelGG> ok cool
16:08 < nacelle> _whew_ thank you DArqueBishop!
16:08 < MichaelGG> are there any docs on it?
16:08 < MichaelGG> I'm looking for the equivalent of a tun device that I'd get on Linux
16:08 < MichaelGG> like how do i open it and configure it etc
16:09  * DArqueBishop shrugs.
16:09 < DArqueBishop> I'm sure there's documentation, but as far as configuration goes in OpenVPN it's configured the same way in the conf/ovpn file as it would be in Linux.
16:10 < nacelle> all I do is pass the same openvpn config to the windows people after they install openvpn, and it works, where the openvpn config has "client" and "dev tun0" in it
16:11 < nacelle> maybe give it a go at this point :-)
16:11  * nacelle adds "try out windows openvpn" to his list of things to see about doing
16:38 <@dazo> MichaelGG: the naming of Windows TAP is somewhat historical ... and also factual true.  Windows itself only supports TAP mode natively, but our driver emulates TUN mode and passes network packets as if it was TAP packets to the Windows kernel
16:38 <@dazo> (for Linux, macOS and *BSD, that's different as those kernels do support TUN mode natively)
16:39 <@dazo> In regards to alternatives ... I don't know of any ... it's more that other projects uses the Windows TAP driver we ship in their own projects
16:40 <@dazo> the driver itself can be found here: https://github.com/OpenVPN/tap-windows6
16:40 <@vpnHelper> Title: GitHub - OpenVPN/tap-windows6: Windows TAP driver (NDIS 6) (at github.com)
16:56 < MichaelGG> dzothanks
16:56 < MichaelGG> dazo, thank you
19:24 < xdexter> Hello, it's possible my openvpn server access my client? I have route but i can't ping
19:50 < johnfg> But when I start with `openvpn --config server.conf`, it gives this error: Options error: --dh fails with 'dh2408.pem': No such file or directory
19:50 < johnfg> Even though dh2048.pem is in /etc/openvpn.
19:50 < johnfg> And this is running on debian jessie.
20:16 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 256 seconds]
20:17 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
20:17 -!- mode/#openvpn [+o dazo] by ChanServ
23:50 < TheDcoder> !welcome
23:51 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
23:51 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
23:51 < TheDcoder> !1925
23:51 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
23:52 < tx> !2324
23:52 < tx> :(
23:52 < TheDcoder> !goal I would like to make my VPN a SOCKS proxy tunnel
23:54 < TheDcoder> "2324" is RFC 2324 - Hyper Text Coffee Pot Control Protocol - https://tools.ietf.org/html/rfc2324
23:54 <@vpnHelper> Title: RFC 2324 - Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0) (at tools.ietf.org)
23:54 < tx> well
23:54 < tx> that took forever.
23:54 < TheDcoder> :P
23:54 < tx> Perhaps vpnHelper is running over an iodine tunnel
23:55 < TheDcoder> So... I want to use my VPN as a SOCKS proxy... possible?
23:56 < tx> a proxy and a VPN are not one and the same.
23:57 < tx> I would use something like SSH to initiate a socks proxy
23:57 < tx> you could make this host only accessible over a VPN
23:57 < tx> but SSH already offers encryption
23:57 < TheDcoder> yeah I know that they both are different things
23:57 < TheDcoder> but... I want to use VPN for a single application, not for my whole computer
23:58 < TheDcoder> I don't own the VPN server so... I can't SSH
--- Day changed Thu Apr 13 2017
03:12 < zxd> hi
03:13 < zxd> is there some ping/timeout/keepalive I can activate to test the tunnel to have openvpn tear down or close the socket and return to LISTEN mode
03:13 < zxd> cause right now it's on ESTABLISHED and I have no process of openvpn in LISTEN mode
03:13 < zxd> using p2p mode
03:14 < zxd> via http proxy
07:02 -!- alexandre9099_ is now known as alexandre9099
08:02 -!- Dougy [~dougy@openvpn/community/support/Dougy] has joined #openvpn
08:46 <@krzee> zxd, --keepalive
--- Log closed Thu Apr 13 10:06:44 2017
--- Log opened Thu Apr 13 10:06:52 2017
10:06 -!- Irssi: #openvpn: Total of 296 nicks [11 ops, 0 halfops, 3 voices, 282 normal]
10:06 -!- mode/#openvpn [+o ecrist_] by ChanServ
10:07 -!- Irssi: Join to #openvpn was synced in 38 secs
10:13 -!- XJR-9_ is now known as XJR-9
10:15 -!- Netsplit *.net <-> *.split quits: @krzee
10:15 -!- rax-Y is now known as rax-
10:15 -!- BtbN_ is now known as BtbN
10:15 -!- bandroidx_ is now known as bandroidx
10:17 -!- MuffinMe- is now known as MuffinMedic
10:17 -!- dan-- is now known as dan-
10:19 -!- r00t^2_ is now known as r00t^2
10:20 -!- You're now known as ecrist
10:38 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Quit: ZNC - http://znc.in]
10:38 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
10:38 -!- mode/#openvpn [+v RBecker] by ChanServ
10:57 -!- SineDeviance is now known as CosineDeviance
10:58 -!- CosineDeviance is now known as SineDeviance
11:36 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
11:36 -!- mode/#openvpn [+o plaisthos] by ChanServ
11:36 -!- plai [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 252 seconds]
11:37 -!- kantlive- is now known as kantlivelong
12:03 < arha> hey thete
12:04 < arha> what is the first packet sent to/from an openvpn server when connecting? i m in an internet resteicted country and i think openvpn was blocked this morning
12:05 < arha> i tried various workarounds; changing tcp/udp, port - inclusing using some very common ports like 443 or 53
12:05 < arha> it seems to work only through an http proxy, so i'm 90% sure it detects something in the inital connection strings
12:06 < arha> it is blocked after receiving 26 bytes, always, regardless of server (i have multiple) and only from this location; if i try accessing them outside this country, the connection succeeds
12:08 < BtbN> Normal TLS handshake
12:17 <@dazo> nope ... not normal TLS handshake
12:17 <@dazo> all OpenVPN packages are encapsulated by a few extra bytes, identifying the packet as a control channel packet (where TLS handshakes happen) and data channel packets (where tunnelled network traffic goes)
12:18 <@dazo> so that signature is fairly easy to detect
12:21 < arha> any chance that can be updated tovsomething else without rebuilding
12:22 < arha> ah yes... all I see in themlogs remotely is "initial packet from IP" and then nothing
12:25 < Windy> does openvpn access server support traffic shaping?
12:25 <@dazo> !obfs
12:25 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols, or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation, or (#3) in client/server mode an admin can know that openvpn is being used. in
12:25 <@vpnHelper> static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
12:31 <@dazo> arha: ^^ see the !obfs ... that will most likely help you in the best possible ways
12:47 < johnfg> hi folks
12:48 < johnfg> I've got server and 2 clients working normally, after redoing everything from the start.
12:48 < johnfg> However, I'm not getting the client on centos 7 machine to start with systemd.
12:49 < johnfg> I can start it manually, no problem, openvpn --config client.conf.
12:49 < johnfg> I asked for some help at #centos, but haven't gotten any.  the client used to start fine, for a few years, to be exact.
12:50 < johnfg> But after redoing the ca.crt, and the clients, now it won't start at boot.
12:53 < johnfg> I can show the output of systemctl status openvpn@client.service, if you like to see it.
13:06 < segwent> !logs
13:06 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
13:37 <@dazo> !learn systemd as Have troubles with OpenVPN and systemd? Try reaching out to dazo
13:37 <@vpnHelper> Joo got it.
13:37 <@dazo> !systemd
13:37 <@vpnHelper> "systemd" is (#1) the devil!, or (#2) At least for those who wants keep living in the past ...., or (#3) Have troubles with OpenVPN and systemd? Try reaching out to dazo
13:55 < segwent> !systemd
13:55 <@vpnHelper> "systemd" is (#1) the devil!, or (#2) At least for those who wants keep living in the past ...., or (#3) Have troubles with OpenVPN and systemd? Try reaching out to dazo
13:55 < segwent> systemd Rocks !
14:09 <@krzie> Windy:
14:10 <@krzie> !as
14:10 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
15:59 < unholycrab> tunnelblick doesn't seem to work with MFA. can anyone recommend a VPN client that doesn't suck, which supports MFA tokens ?
15:59 < unholycrab> the openvpn client sucks don't recommend that
16:00 < unholycrab> !welcome
16:00 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
16:00 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
16:00 < unholycrab> lol wtf
16:01 < Dougy> unholycrab: wat
16:01 < unholycrab> Dougy: looking for an alternative client to stay connected to my openvpn server
16:02 < unholycrab> i was happy with tunnelblick until we implemented MFA
16:06 < Dougy>  get a better OS
16:06  * Dougy giggles
16:08 < unholycrab> true
16:23 <@dazo> unholycrab: what's wrong?  what kind of MFA?
16:24 < unholycrab> dazo: 6 digit MFA token
16:24 <@dazo> several places I've seen using OpenVPN + MFA actually put the OTP code after the password, all going together in the password field
16:24 <@dazo> (not only seen, I've used it daily in a former job too)
16:24 < unholycrab> i don't want to use the openvpn client
16:24 < Dougy> thats interetsting
16:24 <@dazo> unholycrab: shouldn't that work with tunnelblick too?
16:24 < unholycrab> dazo: whoa thats weird
16:25 < unholycrab> im going to try it
16:25 <@dazo> nope, not really ... that's quite common practice many places with OTP
16:36 < Dougy> veeam gets me wet
16:45 < nullsign> question
16:45 < nullsign> since nordvpn uses openvpn...
16:45 < unholycrab> you're a question
16:45 < nullsign> can anyone suggest the way to use openvpn with AWS?
16:45 < nullsign> ideally, some sort of splittunneling
16:46 < nullsign> so a 2nd interface on the instance routes everything thru openvpn's tun
16:47 < nullsign> or is the only way to just disable the defeault gw config part and just selectively route netblocks thru tun0 ?
16:47 < nullsign> it's not ideal, but im sure that would work
16:48 < nullsign> anyways, came to ask the #openvpn braintrust
16:52 < nullsign> hrm.. crickets...
16:52 < segwent> !redirect
16:52 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
16:52 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
16:53  * segwent chirrups
16:53 < nullsign> vpnHelper: cute.. but.. not really relevant to me?
16:53 < segwent> it is all routing
16:54 < nullsign> right, i was asking if there was a better suggestion than 'disable default gw changes in openvpn config and selectively route thru tun'
16:54 < nullsign> your image implies, there is not
16:54 < nullsign> which is cool.
16:54 < nullsign> but you could just say that?
16:55 < segwent> you realise your question is incomplete .. ?
17:00 < nullsign> segwent, how?
17:01 < nullsign> segwent, I'm asking for architecture advice.
17:06 -!- alexandre9099_ is now known as alexandre9099
17:07 -!- SineDeviance is now known as OverSineThousand
17:07 -!- OverSineThousand is now known as SineDeviance
17:29 < segwent> nullsign: would that be server or client side interface ?
17:29 < segwent> ^^ for example
17:29 < nullsign> it's server side
17:30 < segwent> then it is simple routing
17:30 < segwent> client side would be more complex
20:03 <@krzie> nullsign: whats your goal
20:03 <@krzie> !goal
20:03 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:03 <@krzie> oh you want
20:03 <@krzie> !larc
20:03 <@krzie> !splitroute
20:03 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/viewtopic.php?t=7175#p8056 to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet, or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
20:20 -!- remirol is now known as lorimer
--- Day changed Fri Apr 14 2017
03:39 < Merley> Good morning! Could someone perhaps point me to a guide for disabling my VPN for Netflix? OpenVPN+Windows 10, that is. Whatever I search for seems to only point towards guides as to which VPN services work with Netflix..
03:39 < Merley> Or perhaps give me an idea what to actually search for. :P
05:22 < andi> Hi, I'm using a KVM virtualization platform to virtualize VMs. On some of them an openvpn service is running. I'd like to secure the platform with ebtables so the VMs can only use the defined ip addresses to communicate through their vnet interfaces. Can you tell me how I could configure ebtables to use the external and internal ip address? I think there are problems if theres an internal server behind the vpn where the vpn server is used as gateways, ...
05:22 < andi> ... too.
07:19 < |Mike|> Merley: disable redirect-gateway ;-_
07:19 < |Mike|> ;-)
08:20 < c|oudy> Hello!
08:21 < c|oudy> Is OpenVPN avaible for Linux?
08:24 < mjt> it's native linux application, developed on linux and ported to other platforms
08:25 <@ordex> mjt: you scared him :P
08:25 < mjt> heh
08:25 < mjt> sorry :)
08:50 < LargePrime> lol "Is OpenVPN avaible for Linux?"
08:52 < mjt> another scared away user :)
09:04 <@ordex> :D
09:04 <@ordex> not your fault this time
09:35 < nullsign> hrm..
11:25 < michelem> hello folks! I have a minimalistic TLS-based VPN setup, but the endpoints can't ping each other. During setup, I get "Fri Apr 14 16:04:18 2017 us=812076 vpnsuncal/1.2.3.4:11641 MULTI: bad source address from client [::], packet dropped" — but even the VPN endpoint addresses don't work
11:25 < michelem> https://dpaste.de/BNdo <— here's the summary, if anybody would be willing to take a look
11:34 < michelem> nevermind, that went fixed by explicitly setting the topology
11:48 < michelem> the other problem I experience is, only the 1st client to connect to the TLS-based server can make traffic. Other clients do get a proper IP (different from the first client), but cannot ping the server
12:21 < michelem> got the problem: openvpn does not add the route for addresses beyond the first client
12:51 < brianx> is there a way to dump the internal routing table in openvpn?
12:53 < brianx> i have a packet that tcpdump says goes in the tun at one end and doesn't come out the tun at the other end and i'm having trouble diagnosing it.
12:53 < michelem> brianx: increase verbosity until you see messages like "Learn: 10.8.0.3 -> ..."
12:54 < brianx> michelem: thank you.
13:08 < brianx> michelem: i'm all the way to 15 and the only learn i get is: learn_address_script = '[UNDEF]'
13:09 < michelem> brianx: you should already get that with "verb 5" or so. If you've been grepping, make sure to omit the IP
13:09 < brianx> just using grep -i learn /var/log/syslog
13:10 < michelem> what happens if you grep for "->" ?
13:11 < brianx> way too much.  reducing to verb 6
13:20 < brianx> verb 6 and grep -i "openvpn\[6408\].*\->" /var/log/syslog gives:
13:20 < brianx> openvpn[6408]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
13:21 < michelem> version?
13:22 < brianx> OpenVPN Version: OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
13:23 < brianx> did get https://ghostbin.com/paste/q99et
13:23 < brianx> that's the most recent pid and grep -i "openvpn.*192\.168\." /var/log/syslog
13:24 < michelem> I don't know then. I just get that message. Consider scaling down verb and reading manually. At somepoing after "Peer Connection" you'll see the assignment
13:24 < michelem> already with "verb 4"
13:26 < brianx> i saw some pattern so greped for grep -i "/sbin/ip\|PUSH" /var/log/syslog
13:26 < brianx> the pastebin is updated with that.
13:27 < michelem> don't grep, read. With verb 4 it's some 30 lines
13:28 < brianx> ok, setting verb 4
13:31 < brianx> ROUTE_GATEWAY <my.public.net>.1/255.255.255.0 IFACE=eth0 HWADDR=00:50:56:93:27:d9 seems to be the problem.
13:33 < brianx> that's the internet interface.  my bigger picture issue is that i have forwarded an external port to an internal host with dnat.  a forwarded syn packet from the public internet gets lost in the vpn.  a syn packet to the same internal host from the machine running openvpn reaches the internal host.
13:34 < brianx> tcpdump shows it go in one tun and not come out the other.
13:37 < skyroveRR> \o/ brianx !
13:37 < skyroveRR> :D
13:37 < skyroveRR> How are you man? Still having the issue, I see
13:37 < brianx> hey skyroveRR o/
13:38 < brianx> yes.
13:38 < skyroveRR> Paste your vpn config.
13:40 < brianx> https://ghostbin.com/paste/qv5pe
13:45 < skyroveRR> ...
13:45 < skyroveRR> Man, too tired to help.
13:45 < brianx> mee too.
13:45 < brianx> i should give this a rest.
13:47 < brianx> i'll be back next week.
13:48 < brianx> thanks to you both.
16:46 < A_Pickle> But I've disabled my firewalls on both client and server!
16:46 < A_Pickle> So, I have a theory:  Does OpenVPN not like it if the Issuer email and the Subject email are the same?
16:47 < A_Pickle> Common Names are different, but I did make the email addresses the same, which may have been stupid on my part.
16:48 < A_Pickle> Never mind.  It clearly doesn't care about that, since I've got certs from a working VPN that have the same email address for all levels of the certificate hierarchy.
16:52 < FlyingPersian> hi. I've just been trying to use my VPN connection to my home network, but it isn't working both on my phone and laptop, so the config must be flawd. my phone says "IPv4 tun routes: 192.168.178.0/24 via 10.8.0.1"
16:52 < FlyingPersian> does that look right? my home network is on 192.168.178.0 and my VPN subnet is on 10.8.0.0
17:17 < A_Pickle> That doesn't sound awful
17:17 < A_Pickle> But I'm not sure, as I don't usually use phones with OpenVPN yet.
17:43 < brianx> FlyingPersian: nothing wrong with mixing private network ranges, in fact they have to be different networks always and it doesn't matter how different.
17:52 < FlyingPersian> hm
17:52 < FlyingPersian> the thing is that my networks aren't connected, although they should be
17:52 < FlyingPersian> when I set everything up it worked fine, haven't used it since then
17:52 < FlyingPersian> I should be able to ping the 192.168.178.0 network
17:52 < FlyingPersian> and now I can't access my server to check the config
22:29 < eckirchn> hello all
22:30 < eckirchn>  got a question, not directly related to fedora but to openvpn, would anyone be familiar?  It might be basic routing knowledge I am lacking
22:31 < eckirchn> I am looking to understand why the sever is not routing data to the local network, it appears to only be routing data to the outside world
22:31 < eckirchn> my server.conf file
22:32 < eckirchn> https://paste.fedoraproject.org/paste/Y41wCjPRNOyGvkZSHgW9-15M1UNdIGYhyRLivL9gydE=/
23:36 < eckirchn> answer resolved, however avahi is not working at the client side
--- Day changed Sat Apr 15 2017
07:45 < D5> Does service openvpn@vpn-name restart work on systems with no systemd ?
07:45 < D5> Does "service openvpn@vpn-name restart" work on systems with no systemd ?
07:46 < D5> **
07:53 -!- krzie is now known as krzee
08:50 < iheartlinux> is it possible to execute: openvpn remote.ovpn --remote some.url.com ?
09:27 -!- MuffinMedic is now known as Evan
09:27 -!- Evan is now known as StudMuffin
09:27 -!- StudMuffin is now known as MuffinMedic
09:42 < iheartlinux> nvm, I just put everything in a script
10:44 < pylearner> need help with fixing my routing
10:45 < pylearner> I can vpn to my network but i cannot access any of the machines on my network i am getting assigned a 10. address my machines on my network are 192.168
10:57 < |Mike|> ehm
10:58 < |Mike|> you probably need something like this; push "route 192.168.2.0 255.255.255.0"
10:58 < |Mike|> plus you'll need masquerading
10:59 < |Mike|> -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
11:01 < |Mike|> pylearner:
11:10 <@krzee> aka
11:10 <@krzee> !route
11:10 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
11:11 <@krzee> iheartlinux: totally possible, but when you use more --options than just the config, you need --config
11:11 <@krzee> !--
11:11 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
11:12 < iheartlinux> tnx krzee
11:17 < |Mike|> krzee: yeah exactly :-)
11:31 <@krzee> |Mike|: actually pylearner should not need NAT
11:32 <@krzee> he only does if he has no access to the default gateway for the lan to add a route, and theres a few target machines on the lan so he doesnt want to add routes to each one
11:32 <@krzee> you may have been thinking of a redirect setup
11:42 -!- alexandre9099_ is now known as alexandre9099
13:01 < pylearner> krzee, and |Mike| sorry I was away what exactly do I need there seems to be conflicting ideas and also thanks for the help
17:57 -!- mezgani is now known as p3rror
19:12 -!- mezgani is now known as p3rror
19:51 < Ravenmire> OK...I think I figured it out. whatsmyip reports a swedish IP. tun0 is on 172.27.234.58. tun0 has to be in a private block, but the IP that whatsmyip reports is what it looks like from the outside. Right?
19:52 < Ravenmire> Oh, I'm on Manjaro Linux, latest.
19:53 < Ravenmire> The network icon doesn't have a lock on it. Is that because of the tun0 address?
19:53 < Ravenmire> Done.
19:54 < Ravenmire> Bottom line: am I on the VPN?
19:58 <@krzee> Ravenmire: are you in sweden
19:59 <@krzee> if not then id say its probably the vpn ip :-p
19:59 <@krzee> but you do generally get a rfc 1918 lan ip from the vpn, and then if redirecting internet they NAT your traffic out
19:59 < Ravenmire> I'm not in Sweden. So there. Looks like it's working.
20:00 < Ravenmire> krzee, Ah.
20:01 < Ravenmire> How can I get the lock on the system tray icon for warm fuzzies?
20:02 <@krzee> sorry im not sure what you're talking about
20:02 <@krzee> what program makes said lock?
20:02 <@krzee> whats it mean?
20:02 <@krzee> i mean... you can give a custom app a lock icon, then run it :D
20:02 <@krzee> lol
20:03 < Ravenmire> Network Manager Applet.
20:03 <@krzee> oh god i hate netman
20:03 <@krzee> just dont use it for configuring the vpn
20:03 <@krzee> if you wanna use it, import your working openvpn config
20:04 < Ravenmire> Oh...OK. Thanks for the warning. I went in and edited the config file and brought things into reality.
20:04 < Ravenmire> Then used command-line openvpn to bring it up.
20:04 <@krzee> yep thats the way
20:05 <@krzee> then if you want netman, i believe you can import your config
20:05 < Ravenmire> OK...if this works I'm set. I prefer the command line over a GUI.
20:06 <@krzee> id like netman if it were done differently
20:06 <@krzee> like, i like the idea
20:06 <@krzee> i liked tunnelblick in osx, for example
20:06 < Ravenmire> krzee, That's true of a lot of software.
20:07 < Ravenmire> I don't think programmers use their own software enough.
20:08 <@krzee> 1 thing im sure of is the openvpn devs do!
20:08 < Ravenmire> Heh...
20:09 <@krzee> im currently connected to 7 vpns :D
20:09 < Ravenmire> When I worked as a call-center programmer, I'd watch the operators and ask them how I could improve it.
20:10 < Ravenmire> Another time, I asked a user the same thing. The response? "Well, if this report were double-spaced it would be a lot easier to user. A one-line change.
20:10 <@krzee> you work with asterisk or freeswitch?
20:11 < Ravenmire> EDGE
20:12 < Ravenmire> krzee, What on earth can more than one VPN be used?
20:12 < Ravenmire> s/What/How/
20:12 <@krzee> i dont default route over any of them
20:12 <@krzee> i use them to access different lans or darknets
20:12 < Ravenmire> Round-robin?
20:13 < Ravenmire> Oh...OK.
20:13 <@krzee> although i do have a socks proxy in one of them for redirecting *some* internet
20:14 <@krzee> i dont open much to the internet in the name of having a small surface area, so i need to access most of my services inside vpns
20:14 <@krzee> attack surface*
20:15 < Ravenmire> I think I understand.
20:15 < Ravenmire> Someday, this will all hang together.
20:16 <@krzee> whatchya mean?
20:16 < Ravenmire> Is it possible to run a web site through a VPN, or do I have to use eth0 et ux?
20:16 < Ravenmire> I'll understand it.
20:16 <@krzee> of course man, you just use the vpn ip in the webserver config
20:17 < Ravenmire> The lightning bolt phenomenon.
20:17 <@krzee> or if it binds to * its already setup and you just gotta connect to the vpn ip in yhour web browser
20:17 < Ravenmire> Accompanied by a head slap.
20:17 < Ravenmire> How about the IP of the router?
20:17 <@krzee> maybe it could help to think of it like this:
20:17 <@krzee> when you run a vpn server, you are making a new virtual lan
20:18 <@krzee> all the clients can talk to eachother (if you choose so) over the new lan subnet
20:18 <@krzee> and you can choose to setup routing so that the VPN subnet can route to the lan that any vpn node is on
20:18 <@krzee> !route
20:18 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
20:18 <@krzee> thats a doc i wrote up on how that works
20:19 <@krzee> its not a walkthrough, it's meant to help you understand
20:19 < Ravenmire> OK...I was in the forest, looking at the bark on the trees. Now I'm over the forest for another view.
20:19 <@krzee> you understand how a normal routing table works?
20:20 <@krzee> thats kind of mandatory for this stuff, you need a basic understanding of networking
20:21 < Ravenmire> ...and that's what I need, a basic understanding of networking :)
20:21 <@krzee> i bet #networking has a decent guide on how routing tables work
20:21 <@krzee> its most specific match counts
20:21 < Ravenmire> Um...I'm great at assembler???
20:21 <@krzee> wow, not me!
20:22 <@krzee> :D
20:22 <@krzee> ill bbiab, wife just got home
20:22 < Ravenmire> k. tnx
20:22 < Ravenmire> I won't tell you which machine, though...
--- Day changed Sun Apr 16 2017
00:08 < cluelessperson> hey guys, I'm using openvpn at home and I'm getting this error
00:09 < cluelessperson> When my rother tries to connect rhough this game
00:09 < cluelessperson> Sun Apr 16 00:13:37 2017 Travis/172.87.136.84:49208 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #738 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
00:10 < cluelessperson> My brother and I both are connected via OpenVPN, he's on a windows machine.
00:10 < cluelessperson> His game will download the map, but can't connect to me
00:20 < cluelessperson> so yeah, I'm stuck with these repeating errors
02:18 -!- Olufunmilayo is now known as Linux_Stalin
02:31 -!- alexandre9099_ is now known as alexandre9099
04:06 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 260 seconds]
04:08 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
04:08 -!- mode/#openvpn [+o syzzer] by ChanServ
04:11 -!- Tyklol is now known as Tykling
04:58 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 258 seconds]
05:13 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
05:13 -!- mode/#openvpn [+o syzzer] by ChanServ
06:47 < xtz> Someone should update the topic. Latest release is 2.4.1.
06:47 < xtz> Mar 22nd, 2k17
07:35 < dragonsl> Hi. Does openvpn set pushed DNS correctly in android 5 above
07:39 -!- dazo changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire /topic || Current Release: 2.4.1 (22 Mar 2017) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || Your problem is probably firewall. Really || TAP/bridging is almost always a bad idea || Vulninfo: !heartbleed !poodle !ovpnuke !sweet32 || Patience is a virtue
07:40 <@dazo> dragonsl: hard to say ... which variant of the android app are you using?  OpenVPN Connect or OpenVPN for Android?
07:41 < dragonsl> Tried both apps, faced same issue
07:41 < dragonsl> dazo
07:42 <@dazo> dragonsl: then it depends on server and client configs
07:43 <@dazo> I've used OpenVPN for Android on CM12 and CM13 ... without any issues with DNS not being handled correctly
07:43 <@dazo> !configs
07:43 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
07:44 < dragonsl> https://codeword.xyz/2016/09/08/solving-openvpn-dns-issues-on-android-clients/
07:44 <@vpnHelper> Title: Solving OpenVPN DNS Issues on Android Clients (at codeword.xyz)
08:35 < roasted_> Not sure if this is an applicable place to ask, but my knowledge of the certificate process is a little limited so figured I'd try. I was in the process of setting up openvpn on my home server again. Did it once before, but this time stumbled across Nyr's github script to help automate it (I'm assuming some of you folks may be familiar with it? Seems quite popular). The interesting thing is Nyr's script works fine, however I don't recall the
08:35 < roasted_> script asking me for country, common name, etc during the cert creation process (something I did in the past). I didn't see any entry of those phrases within the script itself. I suppose it's.. 'possible' to leverage certs without that info?
08:50 <@dazo> roasted_: a certificate is actually just a public file bundled with some meta data (subject, location, country, etc, etc) which is signed by a CA
08:50 <@dazo> the CA certificate is used to verify that the signature is correct
09:00 < roasted_> dazo: so it's really the contents/core part of the cert that matters, and less about the "US/State/County" metadata that matters - yes?
09:11 <@dazo> roasted_: the meta data is important the regards to identifying the client or server
09:11 <@dazo> roasted_: but it isn't necessarily important in regards to the security itself
09:12 <@dazo> roasted_: however, be careful with those scripts "simplifying" openvpn setups ... configuring openvpn isn't that hard, and with those scripts you place a lot of the security understanding to others
09:12 < roasted_> dazo: I understand openvpn setup isn't that hard. The problem is I haven't done it in a few years, and as I look up guides, I don't feel as though I've found two guides that are alike, much less somewhat similar. Makes it difficult.
09:12 <@dazo> oh ... typo in my initial statement ... a certificate is actually just a public key bundled with meta data
09:14 < roasted_> the one thing that makes me feel better about this script is the fact that I can compare old configs/setup vs what the output of this script creates
09:15 <@dazo> roasted_: for CA management, there's a lot of various tools ... a good GUI version is XCA ... and the command line version we support (and develop) in the OpenVPN community is Easy-RSA ... latest version 3 can be found here: https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Readme.md
09:15 <@vpnHelper> Title: easy-rsa/EasyRSA-Readme.md at master · OpenVPN/easy-rsa · GitHub (at github.com)
09:15 < roasted_> and seeing similarities makes me think I was close, and kind of backs up my confidence in using it a bit. By hey, I'm not an expert, so...
09:15 <@dazo> The generic OpenVPN official "getting started howto"  can be found here: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
09:15 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
09:17 <@dazo> basically, there are 3 "parts" which needs to be configured in OpenVPN ... Encryption (in essence --cipher/--auth), Authentication (the CA side) and Network (the TUN/TAP and VPN IP addresses)
09:17 <@dazo> !blog
09:17 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
09:17 <@dazo> (it
09:17 <@dazo> (!blog a harsh statement ... but unfortunately too often found to be true :/)
09:19 < roasted_> dazo: I'll look into it more. I admittedly did start on openvpn docs but honestly I didn't find much direction with what I needed for what setup I was after. :/
09:19 <@dazo> what kind of setup are you after?
09:19 < roasted_> perhaps with a fresh night sleep it may make more sense.
09:19 <@dazo> :)
09:19 < roasted_> I just have a home server and want openvpn to fly. That's about it.
09:20 < roasted_> just want to hit network manager on my linux clients, select VPN, and connect up so I can ssh home/etc
09:20 <@dazo> in 99.9999% of all cases I've seen here in this channel ... most can do fine with so called "routed TUN" ... which means you configure  --dev tun and use --route ... and --push "route ..."
09:21 <@dazo> your use case fits very well into the routed tun setup
09:21 <@dazo> and the "getting started with openvpn" how-to should really help you getting towards that direction
09:24 < roasted_> thanks. I'll definitely look into it.
09:24 < roasted_> the fact the nyr github script seems to use easy-rsa makes me think it's not doing any weird voodoo, but just helping automate the typical openvpn setup.
09:25 < roasted_> I read through the script several times to look for red flags before running it. But like I said, far from an expert. :P
09:29 < haaning__> If I were to ask for help with changing my openvpn connection to support WAN traffic, what would I need to supply on the serverside? Currently LAN traffic is allowed only. Handy client info here:
09:29 < haaning__> https://pastebin.com/HCucTZVr
09:32 <@krzee> openvpn flies every time i get on airplane internet
09:33 <@krzee> haaning__: what do you mean by "support wan traffic" ?
09:33 <@krzee> you saying you want a client to redirect their access to the internet over the vpn?
09:37 < haaning__> krzee: Yes, apologize for the vague description
09:37 <@krzee> !redirect
09:37 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
09:37 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
09:37 <@krzee> your server is linux?
09:38 < haaning__> krzee: linux, yes, openwrt, can't remember what that is based on more specifcally though
09:38 <@krzee> !linnat
09:38 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
09:38 <@krzee> openwrt will already have ip forwarding enabled in the sysctls, but you may need to enable it in the firewall as well
09:39 <@krzee> on my openwrt i always clear their firewall and start over, the default is so ugly
09:39 < haaning__> krzee: their default is really ugly indeed. I went the dirty way and modified it instead.
09:40 <@krzee> i made rc.local load mine with iptables-restore
09:40 < haaning__> thats smart :)
09:40 <@krzee> it's really the only way i could deal
09:41 < haaning__> lol
09:41 <@krzee> i demand a legible firewall!
09:41 <@krzee> anyways, when you use -I it inserts to first rule, so as long as we keep rules specific enough to break nothing else, we're all good
09:42 <@krzee> !linipforward
09:42 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
09:42 <@krzee> iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE    (assuming eth0 is your device connected to the internet)
09:42 <@krzee> iptables -I FORWARD -i tun+ -j ACCEPT
09:42 <@krzee> and in the client config add:   redirect-gateway def1
09:44 < haaning__> redirect-gateway def1 was not in my config. But I remember trying to do ip_forwarding before, maybe the client side edit is all I need to do checking real quick
09:44 <@krzee> you need both firewall rules as well
09:45 <@krzee> and the nat rule also assumed your vpn subnet was 10.8.0.0/24
09:46 <@krzee> in fact from your client info you posted you did have that config option (maybe being pushed from the server?)
09:47 < haaning__> So in my particular case:
09:47 < haaning__> iptables -t nat -I POSTROUTING -s 10.1.1.1/24 -o eth0.2 -j MASQUERADE
09:48 <@krzee> sounds bout right
09:48 < haaning__> iptables -I FORWARD -i tun+ -j ACCEPT
09:48 <@krzee> and the other one too, which you can paste exactly as i gave it
09:48 <@krzee> yep
09:48 < haaning__> yes
09:48 <@krzee> tun+ makes the rule match all tun interfaces
09:49 <@krzee> so tun0 tun1 etc etc
09:49 < haaning__> I figured it was some regexp type
09:49 < skyroveRR> Hi krzee :)
09:49 <@krzee> hey sky
09:49 < haaning__> I might dc, trying this
09:49 < skyroveRR> How are you doing?
09:49 <@krzee> good
09:49 <@krzee> yourself?
09:50 < haaning__> Huh.. What could I have missed? No throughput out
09:50 <@krzee> haaning__:
09:50 <@krzee> !redirect
09:50 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
09:50 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
09:50 <@krzee> see flowchart
09:51 <@krzee> last link ^
09:51 <@krzee> thing is, i dont want to see your firewall, even though it may be the problem lol
09:51 <@krzee> cause openwrt :D
09:53 < haaning__> krzee: I respect that haha
09:53 < haaning__> krzee: Appreciate it too :)
09:53 <@krzee> wheres the flowchart end up?
09:54 < haaning__> Currently at "is ip forwarding enabled"
09:54 < haaning__> Need to be certain that it is
09:54 <@krzee> on openwrt, it is
09:55 < haaning__> In that case...
09:55 <@krzee> cant say about the firewall, but the command i gave you should have done it
09:55 < haaning__> I mean, NATing is enabled for the 192.168.1.0/24
09:55 < haaning__> but for the 10.1.1.1, not sure
09:55 <@krzee> that was the iptables command i gave you
09:56 < haaning__> Ah, haha :)
09:56 < haaning__> apparently firewall issues then..
09:57 < haaning__> Maybe something I defined conflicts with your added rules?
09:58 <@krzee> iptables-save -c
09:58 <@krzee> i dont wanna look, but i will =/
09:58 <@krzee> lol
09:58 < haaning__> <3
09:58  * krzee orders more eye bleach
09:59 < haaning__> brace yourself
10:01  * krzee buckles seatbelt
10:05 < haaning_> krzee: Sorry, timed out. And regarding the firewall: It's bad. Really bad. Embarassed to post this..
10:06 < haaning_> https://pastebin.com/4sbM7p9V
10:07 <@krzee> we can see your nat rule never got hit
10:08 <@krzee> !logs
10:08 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
10:16 <@krzee> your forward rule has plenty of hits tho
10:18 < haaning_> krzee: ahh great observation
10:19 < haaning_> The NAT rule, that would be the masquerade one-liner you sent me right?
10:19 <@krzee> right
10:20 < haaning_> Any suggestions on how to debug why it doesn't get hit?
10:24 <@krzee> not really, firewall is too ugly :(
11:30 < kerio> hi all, i'm faced with a silly issue
11:30 < kerio> whenever i disconnect from a client, the server also closes
11:30 < kerio> i'd like for that to not happen
11:30 < kerio> am i doing it wrong somehow?
14:04 < Ravenmire__> !logfile
14:04 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
14:12 < Ravenmire__> Does OpenVPN need to be started as root?
17:09 < daemon> Ravenmire, yes
17:09 < daemon> Ravenmire, though it will then drop perms and become another user at your choice
17:09 < daemon> openvpn requires the permission to adjust or create virtual interfaces
17:11 < Ravenmire> I did some research (imagine that!). OpenVPN can be run as non-root, but there are caveats. Better to run as root, methinks.
17:12 < Ravenmire> Oh...better run as another user.
18:30 < Ravenmire> Sun Apr 16 18:55:07 2017 us=107848 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #7428318 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
18:31 < Ravenmire> I don't believe I want to --no-replay. Perhaps adjust the --replay-window?
18:34 < Ravenmire> --mute-replay-warnings may cover up something.
19:18 <@krzee> you on wifi Ravenmire?
19:20 < Ravenmire> Hmm...I don't believe so. How can I tell? I have a Wi-Fi router but hook to it via RJ-45. tun0 may be a different story, though.
19:21 <@krzee> just ignore the replay warning
19:32 < Ravenmire> Is that courting disaster?
19:35 < Ravenmire> Second problem: Sun Apr 16 18:55:07 2017 us=107887 PID_ERR large diff [76] [SSL-0] [0000000000000000000000000_______________________________________] 0:7428395 0:7428319 t=1492383307[0] r=[-4,64,15,180,1] sl=[8,64,64,528]
19:37 < Ravenmire> krzee, I got the Tanenbaum book. ;)
20:05 <@krzee> https://forums.openvpn.net/viewtopic.php?t=10905
20:05 <@vpnHelper> Title: lots of "bad packet ID (may be a replay)" warnings - OpenVPN Support Forum (at forums.openvpn.net)
20:06 <@krzee> wanna show me your logs?
20:58 < Ravenmire> OK...what is the default location? If there is none I'll specify a destination in the config file.
20:58 < anotherus3r> Hi
20:58 <@krzee> !logfile
20:58 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
20:59 < anotherus3r> Do I have to iptables -A INPUT -i tun+ -j ACCEPT or iptables -A INPUT -i tap+ -j ACCEPT?
21:00 <@krzee> ...are you using tun or tap?
21:00 <@krzee> probably should be tun
21:00 < anotherus3r> eth0, lo and tun0
21:01 <@krzee> so tun
21:01 < anotherus3r> So I have to iptables -A INPUT?
21:02 <@krzee> depends on your firewall config, but it wont hurt
21:02 <@krzee> if INPUT was already default to accept then you wouldnt need to
21:02 < anotherus3r> Could I paste iptables -L for you to look?
21:03 <@krzee> why not a channel that supports firewalls?
21:03 <@krzee> like #netfilter
21:03 <@krzee> and btw you should look at iptables-save instead of iptables -L
21:04 <@krzee> really like i said, you can just add that rule, it wont hurt anything
21:05 <@krzee> and if you can connect to your vpn and ping the vpn ip, you dont need it
21:23 < anotherus3r> Do I really need a DHCP client? It creates problems with my internet connection when I run the OpenVPN. /etc/resolv.conf keeps resetting itself. The machine has not rebooted
21:45 < Ravenmire__> krzee, I added this line to client.ovpn; log  /var/log/VPN/Celo/Ravenmire/SW1. When I start it asks for the user name and password then goes to sleep.
--- Day changed Mon Apr 17 2017
02:38 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in]
02:44 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
02:44 -!- mode/#openvpn [+o syzzer] by ChanServ
07:24 -!- marlinc_ is now known as marlinc
08:50 < |Mike|> krzee: true dat.
08:52 < |Mike|> Ravenmire_: yes
09:34 < TehStuzz> !goal
09:34 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:35 < TehStuzz> !welcome
09:35 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
09:35 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
09:40 < TehStuzz> Hey guys, I'm using the digitalocean ubuntu 16.04 guide to installing openvpn and I've ran into a problem. When trying to start openvpn (sudo systemctl start openvpn@server) it tells me that it's failed "daemon() failed or unspported: Resource temporary unavaible (errno=11)" Could you help me figure out what's wrong?
09:41 <@krzee> TehStuzz: did you check the logs?
09:42 < TehStuzz> The status log? Or is there another log?
09:49 <@krzee> !logfile
09:49 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
09:49 < TehStuzz> Sorry, thanks
09:50 <@krzee> np
09:56 < TehStuzz> @krzee Set it to verb6, output is here https://pastebin.com/Jgb18jbG, when I start it with just sudo 'openvpn server.conf' I get the following output in the log https://pastebin.com/baNX2py3 but then I cannot do any commands in the terminal, so I don't know if it starts correctly
09:59 <@krzee> verb 4 please
09:59 <@krzee> verb 6 is too verbose
09:59 <@krzee> actually in this case its fine
09:59 <@krzee> whats wrong? looks like it started fine to me...
10:00 <@krzee> connect a client to it?
10:00 <@krzee> what do you mean you cant do any commands to terminal?  did you background openvpn with daemon?
10:06 <@krzee> openvpn runs in the foreground unless sent to the background with the daemon option
10:06 <@krzee> Ravenmire_: you need to know that too i think ^
10:06 < TehStuzz> Can I start it with screen? I just tried to but it shows as load/inactive(dead) when I do status from somewhere else
10:07 <@krzee> screen? why?
10:07 <@krzee> just put daemon in the config
10:09 < TehStuzz> Just put daemon the config anywhere?
10:11 <@krzee> on its own line
10:11 <@krzee> !--
10:11 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
10:13 < TehStuzz> When I do sudo service openvpn serverv.conf now, nothing happens, service says it's inactive, but the logs say initalisation sequence complete
10:13 < TehStuzz> I guess it's running?
10:14 <@krzee> ps auxw|grep vpn
10:14 <@krzee> sorry i dunno systemd or whatever, but i do know openvpn
10:14 < TehStuzz> !paste nobody    1608  0.0  0.2  43556  2644 ?        Ss   11:07   0:00 openvpn server.conf wessel    1690  0.0  0.0  11228   880 pts/2    S+   11:10   0:00 grep --color=auto vpn
10:15 < TehStuzz> Oh sorry I thought that would paste it
10:15 <@krzee> thats just grep
10:15 <@krzee> oh thats 2 lines
10:15 <@krzee> seems to be running
10:16 < TehStuzz> Alright thank you! I'll continue with the rest of the guide and I'll see if it works :)
10:16 <@krzee> cool np =]
10:39 < TehStuzz> I got it working, thanks again @krzee !
11:00 < anotherus3r> hi i just installed debian jessie and installed openvpn. But when Im connected to openvpn my internet connection doesnt work, Do you know why?
11:00 < anotherus3r> http://paste.debian.net/928064/
11:01 < anotherus3r> here is my openvpn.log
11:01 < DArqueBishop> anotherus3r: is the server properly configured?
11:02 < DArqueBishop> !redirect
11:02 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
11:02 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
11:02 < anotherus3r> DArqueBishop: Im not the vpn provider
11:02 < anotherus3r> I just downloaded the files from vpn provider
11:03 < DArqueBishop> !both
11:03 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
11:03 < DArqueBishop> You need to contact your provider's tech support.
11:04 < anotherus3r> DarqueBishop: Im the computer owner
11:04 < anotherus3r> If this makes any sense
11:06 < DArqueBishop> ... not really, because it's kind of irrelevant.
11:06 < DArqueBishop> AFAICT, the issue is going to most likely be at the provider end, if not at least involve them. You need to contact them for assistance.
11:09 < anotherus3r> DArqueBishop: I can ping the inet addr that I get from tun0
11:09 < DArqueBishop> Then it's almost certainly a provider issue.
11:10 < anotherus3r> I can ping 8.8.8.8
11:11 < anotherus3r> So its not dns problem?
11:14 < anotherus3r> yea
11:14 < anotherus3r> I just changed dns servers and it works
11:14 < anotherus3r> so what should it be?
11:15 < anotherus3r> Can it be the DHCP software?
11:20 < anotherus3r> How do I prevent DHCP to change dns servers?
11:20 < anotherus3r> I think I found the issue DArqueBishop
11:34 < lasdam> not sure if trolling or not
11:57 < anotherus3r> lasdam: me?
12:05 < lasdam> anotherus3r: yes, you're jumping from channel to channel, ignoring 90%+ what people are telling you, switching your irc nicknames up, endlessly ask the question "and what is that/how do you do that?" over and over like you have no interest in doing any work yourself, I don't know. I'm triggered
12:10 <@dazo> anotherus3r: No, it has nothing to do with DHCP servers/software in this context ... OpenVPN doesn't really use that.  And DArqueBishop told you to get support from your VPN provider.  They are really the ones who can help you here
12:10 <@dazo> This channel are primarily for those who maintain their own VPN servers
12:11 < anotherus3r> dazo: I guess the DHCP software keep changing my DNS server, why do you think dont
12:11 < anotherus3r> ?
12:11 <@dazo> It's somewhat similar to ask for network support from the guy you bought the network cable ... instead of asking your ISP
12:11 <@dazo> anotherus3r: not necessarily
12:12 <@dazo> but openvpn doesn't care about DHCP .... so if it is, it's your default network configuration which is at fault
12:13 <@dazo> if you've used any kind of blogs as the "setup tutorial" that can just as well be to blame ... because
12:13 <@dazo> !blog
12:13 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
12:13 < lasdam> the question is, anotherus3r: why are you still asking this question here instead of to your VPN provider?
12:15 < anotherus3r> lasdam: Because I not belive its a VPN server issue.
12:16 -!- anotherus3r was kicked from #openvpn by dazo [Seek help with your VPN provider]
12:27 < anotherus3r> why kick?
12:27 <@dazo> To make you understand we're serious when we're telling you to seek help with your VPN provider.  Consider that a warning.  Next time it will be permanent.
14:01 < TehStuzz> Quick question: does anyone know why my actual IP still shows up in teamspeak when openvpn is enabled? When I check whatsmyip or dnsleak it shows the vpn ip and dns servers
14:03 < ExoUNX> TehStuzz are actually routing all traffic through the VPN ?
14:03 < ExoUNX> TehStuzz and are you using Windows, macOS, or Linux?
14:04 <@krzee> TehStuzz: without knowing what teamspeak is or how it works thats hard to answer
14:04 <@krzee> looks like voip, i do voip over vpn often
14:04 < TehStuzz> I'm using windows, the server is running Ubuntu 16.04, I used this guide to set openvpn up https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04, I have push "redirect-gateway def1 bypass-dhcp" and push "dhcp-option DNS 208.67.222.222" in my server.conf
14:05 < TehStuzz> and yeah, Teamspeak is voip software, I host the server for it on the same machine
14:05 < TehStuzz> so I believe with those options it should force all traffic right?
14:05 <@krzee> that should have clients use the server for their traffic
14:07 < TehStuzz> It's not really a big problem, but it made me wonder whether I actually set everything up correctly
14:08 < TehStuzz> I just noticed that in this IRC it does show me connecting from the VPN, so that part works I guess :P
14:10 <@krzee> open teamspeak after connecting the the vpn
14:10 <@krzee> it might do some sort of nat discovery
14:10 <@krzee> and the app might be reporting the ip that clients report, as opposed to where traffic comes from
14:10 <@krzee> voips goofy like that ;]
14:13 < TehStuzz> Hmm just closing and opening doesn't work, I'll try restarting my pc and connecting before starting teamspeak, BRB
14:16 < TehStuzz> Well, that didn't work :P
15:17 < Vladimirski> !welcome
15:17 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
15:17 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
15:17 <@vpnHelper> you
15:23 < Te3-BloodyIron> I have an openVPN server setup with pfSense for doing bridged tap interfacing. Works in Windows, but my Linux client is having issues obtaining an IP through the tap
15:23 < Te3-BloodyIron> I suspect it's a configuration issue on my Linux client, but I'm not sure what to do, I've been googling plenty to try and find a solution, no luck so far
15:23 < Te3-BloodyIron> the closest I've seen is it complains about no config for ifupdown, but the device should be ephemeral though?
15:31 <@dazo> !bridging
15:31 <@vpnHelper> "bridging" is (#1) Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you, or (#2) See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
15:32 <@dazo> Te3-BloodyIron: ^^^ ... see that, including the URL in #2 ... and then answer a simple questiion first: Why do you want to bridge?
15:33 < Te3-BloodyIron> bridging is already setup and works for Windows clients
15:33 < Te3-BloodyIron> and I need it for some of the remote IT work I do, as I need to be in the same IP range and sometimes need to be able to handle broadcasting
15:33 < Te3-BloodyIron> the issue I have is on the Linux client end
15:34 < Te3-BloodyIron> currently my tap0 device isn't getting an IP and I suspect it's a configuration issue on my client as it says ifupdown configuration not found
15:38 <@dazo> I'm going to move on if you won't take an advice .... bridging is in the  very most cases here on this channel the wrong solution, and can lead you into those troubles you have now
15:39 <@ecrist> !logs
15:39 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
15:40 < Te3-BloodyIron> lol, me wanting to configure it a particular way is me not taking advice? alright man
15:41 < Te3-BloodyIron> if you don't want to help, so be it
15:41 < Te3-BloodyIron> but please don't construe that as a falsehood that I don't want to take help
15:41 < Te3-BloodyIron> I've been using it for over a half a year now in Windows and I'm fed up not having it going in Linux so I'm trying to solve that
15:41 <@dazo> Te3-BloodyIron: lets turn it around ... bridging is darn complicated ... and those who fully understands why they need bridging very seldom come here, because they understand how they should fix it by them selves
15:42 < Te3-BloodyIron> yes, and sometimes people still need help even if they are those people
15:42 <@dazo> Te3-BloodyIron: the vast majority of those coming to this channel with bridging troubles have no understanding of why they need bridging and the complexity behind it ... thus they have troubles
15:42 < Te3-BloodyIron> yes
15:42 < Te3-BloodyIron> so?
15:42 < Te3-BloodyIron> does that by default mean I don't have good reasons to use it?
15:43 < Te3-BloodyIron> just because I got stuck with my client?
15:43 < MacGyver> Te3-BloodyIron: Which part do you have handling your DHCP?
15:43 <@dazo> So helping out in these cases are waste of time ... as most of these ones who are clever switch to routed tun setups far quicker than solving the bridging by adding layers of extra hacks
15:43 < Te3-BloodyIron> the openVPN server is within a pfSense instance, and the bridge passes the DHCP requests along to my main gateway on the private network, which is what I want
15:43 < MacGyver> Te3-BloodyIron: My tap setup just has openvpn to *only* set up the tunnel. Everything else is handled by the normal tools, dhcp servers and clients which are written for that purpose.
15:43 <@dazo> Te3-BloodyIron: which is why I asked:  Why do you want to bridge?
15:43 < Te3-BloodyIron> then don't help me dazo
15:43 < Te3-BloodyIron> I don't care if you disagree with my method
15:43 < Te3-BloodyIron> plenty of others do
15:44 < Te3-BloodyIron> and if we're going to talk about wasting time
15:44 < Te3-BloodyIron> lecturing me is doing just that
15:44 < Te3-BloodyIron> bridging works way better for me than the alternative
15:44 < Te3-BloodyIron> so
15:44  * dazo moves on ....
15:44 < Te3-BloodyIron> yes
15:44 < Te3-BloodyIron> thank you
15:44 < Te3-BloodyIron> MacGyver, alright, so what are you getting at here?
15:44 < MacGyver> Te3-BloodyIron: I'm asking what your configuration for that is.
15:45 < MacGyver> Te3-BloodyIron: To get a better idea of what could be the issue.
15:45 < Te3-BloodyIron> sorry to repeat myself, but config for specifically... which part?
15:45 < MacGyver> DHCP.
15:45 < Te3-BloodyIron> on the openVPN server?
15:46 < MacGyver> Well, you tell me. You have the bridge passing the DHCP requests to... what, exactly? Note that this may be a stupid question in the context of pfSense, I have no experience with that.
15:46 < Te3-BloodyIron> well, you don't know my setup, so I'm not going to say it's a stupid question ;P
15:46 < Te3-BloodyIron> okay so I have 2x pfSense systems
15:46 < Te3-BloodyIron> 1x is the VPN server
15:46 < Te3-BloodyIron> it passes the DHCP requests to the other pfSense box, which is the gateway for the private network, and it runs the DHCP server
15:46 < Te3-BloodyIron> does that clarify? :)
15:47 < MacGyver> Yes, it does. Any chance of you simply firing up a few tcpdumps or wiresharks and compare, see whether the DHCPoffers are actually reaching the client machine in the first place, and if not, diagnose where they're getting dropped?
15:48 < Te3-BloodyIron> sure, but I'm unsure which system I should be monitoring on
15:48 < Te3-BloodyIron> the client, the VPN server, or?
15:48 < Te3-BloodyIron> also I'm a bit rusty with my tcpdump so I would appreciate some recommended flags
15:52 < MacGyver> Start with the client; that's the one that doesn't seem to be getting a lease. Probably should filter on sourceport for DHCP.
15:52 < osja> !welcome
15:52 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
15:52 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
15:53 < Te3-BloodyIron> MacGyver, just run tcpdump, or any flags you would recommend?
15:53 < Te3-BloodyIron> since the interface is ephemeral, I assume I won't declare an interface?
15:55 < osja> !goal I would like to run a script on the client after connection is successful. On version 2.3.5-5+deb8u1. script-security 2 \ up /path/to/script does not work.
15:55 < MacGyver> Actually I would recommend you to only listen on the tap interface, and filter on udp port 67 or 68.
15:55 < MacGyver> My tcpdump is equally rusty.
15:55 < Te3-BloodyIron> but the problem is the tap device doesn't exist prior to connection
15:55 < MacGyver> Then simply restart the dhcp client that gets started after the connection comes up.
15:56 < MacGyver> After starting to listen.
15:56 < Te3-BloodyIron> tried that by hand, didn't seem to work
15:56 < Te3-BloodyIron> oh
15:56 < Te3-BloodyIron> er
15:59 < Te3-BloodyIron> gah gotta run to handle a chore, BBL
16:59 < brianx> !welcome
16:59 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
16:59 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
17:00 < brianx> !route
17:00 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
18:11 < FlyingPersian> hi
18:13 < FlyingPersian> I came in the other day cuz when I connected to my openvpn server I could not see anything on the 192.168.178.0 subnet (my home network). since I couldn't access my server.conf, I couldn't ask to see what's wrong with it, but now I can. I compared it to the sample conf and it looks fine to me: https://pastebin.com/BaxV3JwU
18:13 < FlyingPersian> can anyone tell my this why my clients couldn't see the 192.168.178.0 subnet?
18:13 < zoredache> what error do you get when you try to traceroute to an address within that network from a client?
18:13 < FlyingPersian> wait a sec
18:13 < FlyingPersian> I think I found the error already
18:14 < FlyingPersian> my firewall has the wrong virtual NIC
18:14 < FlyingPersian> I think the NIC for my jail changed
18:14 < HankMoody> Groovy, let us know if that fixed it. If not... well let us know :P
18:15 < FlyingPersian> okay no that wasn't it
18:15 < FlyingPersian> do you mean ping by traceroute zoredache ?
18:15 < |Mike|> traceroute ^^
18:15 < zoredache> nope, I mean traceroute when I say traceroute.
18:15 < zoredache> on windows tracert
18:15 < FlyingPersian> well I haven't done that :P
18:15 < FlyingPersian> on android?
18:15 < zoredache> hrm there are some apps you can install that do a traceroute I think.
18:16 < zoredache> I am an iOS user though.
18:16 < FlyingPersian> I'm home right now, so I am where my VPN is a.k.a. I have access to the home network
18:16 < FlyingPersian> yeah there is, hang on
18:16 < zoredache> I guess what error when ping m ay be useful.
18:16 < FlyingPersian> ping just returns a timeot
18:17 < |Mike|> traceroute....
18:17 < zoredache> But you are able to ping the 10.8.0.1 address of the vpn server?
18:18 < FlyingPersian> yes
18:18 < FlyingPersian> and other clients
18:19 < FlyingPersian> okay I got it now
18:19 < FlyingPersian> it was indeed the firewall
18:19 < FlyingPersian> I forgot to run the commands after changing the firewall script
18:20 < FlyingPersian> thanks
21:51 -!- Dougy [~dougy@openvpn/community/support/Dougy] has quit []
23:39 < brianx> !redirect
23:39 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
23:39 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
--- Day changed Tue Apr 18 2017
02:29 < lg188> Good morning!
02:32 < lg188> !port
02:38 < eckirchn> morning
02:40 < lg188> Is it possible to have one openvpn instance to listen to different ports?
02:40 < lg188> or is it really required to run two instances and learn from each other?
02:43 < lg188> and not just ports, but also protocols
02:56 < eckirchn> lg188, curious why you ask?
02:58 < lg188> Because some of the clients might have a wrong firewall set up
03:00 < lg188> eckirchn: so we'd rather have a backup if the 1194 port fails
03:00 < eckirchn> lg188, hmm, the client would have to know that then too
03:01 < lg188> we know the client's config but not the internet between us and the client
03:02 < eckirchn> lg188, i use this as a home network access, so I HAVE to portforward or nothing will work.  not sure what "client means" as a server
03:03 < lg188> eckirchn: I'm not sure what you mean
03:08 < lg188> I'm using this for a project
03:08 < eckirchn> lg188, right, so are you asking about the client or server side?
03:08 < lg188> the server side now, but the client side I can edit as well
03:09 <@ordex> lg188: you could use the firewall (i.e. iptables) to perform port redirection and redirect all the ports you want to the one where openvpn is listening
03:09 <@ordex> not sure about systems other than linux, but on the latter this is doable with iptables and DNAT
03:10 <@ordex> lg188: as of now openvpn itself can't listen on multiple ports
03:10 < lg188> ordex: it's not that my server blocks it, but the internet in between might be filtered
03:10 <@ordex> yup understood
03:10 <@ordex> but iptables can be used for the redirection
03:10 < lg188> it depends on company policy
03:10 <@ordex> so it emulates like you are listening on multiple ports
03:10 <@ordex> but actually you have only one instance running
03:11 <@ordex> does it make sense ?
03:11 < lg188> Okay now's the catch
03:11 < lg188> it should be different protocols
03:11 <@ordex> no way then
03:11 <@ordex> you need at least one instance per protocol
03:11 <@ordex> + this redirect trick
03:11 < lg188> ah shucks
03:11 <@ordex> I was working on a patchset to allow all of this with one instance only, but it was non-trivial and the work remained in a proof of concept state
03:12 <@ordex> and not enough interest unfortunately
03:12 < lg188> Wait, how would that redirect even work ?
03:12 <@ordex> it's DNAT
03:12 <@ordex> iptables takes care of the port redirection
03:12 < lg188> I could just change the port in the config, no?
03:13 < lg188> if I have two configs for two instances
03:13 <@ordex> yes
03:13 <@ordex> the redirect is useful if you have one instance and you want to listen on other ports with the same protocl
03:13 < lg188> Okay
03:14 < lg188> I'm never getting this done by the end of may ( > . > )
03:14 <@ordex> :D
03:14 <@ordex> well, the redirect is not difficult
03:14 <@ordex> you can use DNAT or REDIRECT, check man iptables-extensions
03:15 < lg188> this is not the problem specifically, but I've had a lot changes to make
03:15 <@ordex> I see :)
03:15 < lg188> and it keeps on changing
03:15 <@ordex> that's not good
03:15 < lg188> I appreciate the responsiveness, otherwise I'd lost a day
03:16 <@ordex> np :) lucky that I Was here drinking mango :D
03:17 < lg188> Heh I need something to drink as well
03:21 < lg188> So, if there's two instances, I have to share data between them, right?
03:22 < lg188> otherwise they just create different networks, no?
03:22 < eckirchn> lg188, is this a linux install?
03:22 < lg188> yup
03:23 < eckirchn> lg188, so the question is do they "even have the port open"?  wouldn't you now that prior to deployment?
03:24 < eckirchn> lg188, I get the impression you are trying to install OpenVPN to hack, am I wrong?
03:24 < lg188> Eh, we should know. But there can always be mistakes made
03:25 < lg188> Hack? hell no
03:25 < lg188> the whole thing is me being a hack at the subject though
03:26 < eckirchn> lg188, then, if you are installing a vpn server, are you not authorized to do it? and how would the clients not be setup?
03:26 < lg188> the server is on a docker container, the clients are physical devices with just internet access
03:27 < lg188> not all of them want to change their security policy I reckon
03:27 < lg188> Maybe I'm getting this wrong from my boss
03:30 < lg188> The clients are set up, that's not the point, but we're going for reliability if one way doesn't work
03:34 < eckirchn> do you have a drawing?
03:36 < lg188> Eh somewhere
03:37 < lg188> it's quite outdated so I don't think it matter though
03:37 < eckirchn> lg188, it matters if you are asking for help, visual always helps.  it seems to me you are intermixing clients with servers
03:38 < lg188> Eh not at all
03:38 < eckirchn> "it seems to me"
03:39 < lg188> there's only one server ( so far) and there's clients that are deployed on site
03:43 < eckirchn> ok, so typically, incoming firewalls are on the server side, not the client
03:44 < lg188> Mhm you have a point there
03:44 < lg188> but we're going for a catch all sollution instead of fixing specific cases
03:46 < lg188> (the clients are inside another companies network, thus we depend on their policies)
03:52 < lg188> ordex: in any case, do you know if they instances share info by default?
04:09 < lg188> (I guess he finished his mango drink)
04:30 <@ordex> lg188: nope, openvpn does not share info between instances
04:32 <@ordex> lg188: but is also depends what you mean with "sharing", maybe yu don't really need them to talk to each other
04:36 < lg188> Maybe, I need the routing to work
04:37 < lg188> I have a pretty specific set up where I use a big ip-range for clients and a smaller one for staff clients that have a different routing
04:40 < lg188> ordex: so I dunno if it needs to, I just think it does
04:42 <@ordex> dunno, depends on the problem that you are trying to solve
04:42 <@ordex> you haven't stated that yet :P
04:48 < lg188> So I asked my supervisor and apparently the issue is that in a lot of locations the 1194 port is blocked
04:49 < lg188> so he wants me enable a 443 port as well
04:49 < lg188> me to*
04:50 < lg188> and make the clients default to the 1194/udp and when that fails, fall back to the 443/tcp
04:51 < lg188> if the fallback isn't possible we probably can find a way to make it a static one on the client side
05:02 <@ordex> lg188: given that you want to use tcp and udp then on the server side you definitely need to have two instances
05:02 <@ordex> lg188: on the client you can specify more remotes
05:02 <@ordex> check the man
05:02 < lg188> OH now that is handy
05:03 <@ordex> you never said that you didn't know how to do that on the client :P
05:04 < lg188> now I'm going to check if the server understands :)
05:04 <@ordex> well, the server "has to be ready" - there is not much it can understand
05:05 < lg188> Eh, fair point. I meant the routing part hah
05:05 <@ordex> :P
06:04 < hid3> Hello everyone. My OpenVPN connection seems to be weak. I am on wireless, connecting to a host which has got 100 mbps true connectivity. Over the wireless + openvpn, the total speed I get is ~1200 kilobits per second. My OpenVPN runs on 1194 port, UDP. If I disconnect from VPN and do a speedtest, it is around 10 megabits per second or so.
06:05 < hid3> I suspect that UDP connectivity is not the best case for this (possibly a traffic shaper somewhere in between?)
06:05 < hid3> Do you guys have any suggestions on what to try? TCP/80 port is occupied on my server so I can't do on it..
06:14 < |Mike|> What's the key strenght hid3?
06:18 < |Mike|> and what's your wifi signal strenght?
06:44 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 240 seconds]
06:47 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
06:47 -!- mode/#openvpn [+o syzzer] by ChanServ
07:01 < lg188> great something broke in my routing, and I'm connecting them both to the udp port
07:02  * lg188 burrows himself into the ground like an ostrich
07:28 < eckirchn> hid3, you are running encrtyption, you won't get true 100mbs, not to mention, few wireless installs get even close to the mbs they claim
07:30 < eckirchn> hid3, how do you know what your wireless bandwidth is?   just have a wifi router than can do XXX bps doesn't mean that your neighbors aren't running a microwave, or than 3 of the 4 neighbors aren't using the same channel, or worse, someone inserting themselves inbetween the channels.
07:31 < eckirchn> hid3, eliminate the wireless and go hardwired, if you can, and then test. WIFI, at least in the US, with all the IOT devices, is becoming a big issue.
07:34 < lg188> I switched to ethernet myself, have double the download speed than over wifi
07:35 < eckirchn> lg188, then your issue is WIFI, you are running encrypted, so it WILL slow your speed down
07:36 < lg188> I wasn't talking about openvpn, just confirming the general slowness of wifi
07:36 < eckirchn> lg188, if you can hardwire in, and wifi in, then why would you vpn in?
07:36 < eckirchn> lg188, you are in the openvpn room
07:36 < lg188> Fair enough
07:37 < eckirchn> lg188, yes, wifi is SLOW, it is what it is, it's SLOW
08:03 <@dazo> eckirchn: there is an overhead using VPN .... but from 10Mbit/s to 1.2Mbit/s is a bit too drastic
08:03 <@dazo> hid3: you should look carefully at your OpenVPN logs, both on server and client side ... to see if there are some warnings or issues reported there
08:06 <@dazo> hid3: that speed loss is not common on most well configured OpenVPN tunnels ... On a 10Mbit/s connection getting 8-9Mbit/s is not uncommon ... but there are a lot of various factors involved .... and also note that if you have 10Mbit/s downstream but only 2Mbit/s upstream ... then getting more than 2Mbit/s on the tunnel will not be too easy  (you might under ideal situations get more in the "downstream" direction, but VPNs depends on upstream
08:06 <@dazo> speed too)
08:06 < eckirchn> dazo, hid3, that's assuming the wifi could ever meet 10Mbs, note he said 100mbs
08:07 <@dazo> eckirchn: he also said speed test without VPN gave him 10Mbit/s ... 100Mbit/s is probably just the local WIFI, not the ISP speed
08:07 < eckirchn> dazo, i run ssh mounts across a 100 and 1000 mbs connection, the encryption comes at a cost
08:08 < eckirchn> dazo, nope is is comparing the two internally, so the WIFI should be the weak link, to many people trust their wifi, which is also likely encypted
08:08 <@dazo> yes ... but with OpenVPN, it is possible to get more than 1.2Mbit/s of a 10Mbit/s link (given it is 10Mbit/s up- and downstream)
08:08 < eckirchn> dazo, again WIFI is SSLOOOWWW
08:08 < eckirchn> dazo, you are living in ideal, not real world
08:09 <@dazo> I've had 80Mbit/s VPN connections work perfectly well over WLAN which indicated 100Mbit/s connection
08:09 <@dazo> switching to wired sped it up to 90Mbit/s
08:10 < eckirchn> dazo, your penis is large, congrats, doesn't mean that just because your penis is large over your connection, that someone else doesn't suffer... WIFI is radio frequency, it is by FAR from reliable, compared to a solid wire connection.
08:10 <@dazo> but yes, the success rate depends a lot on the ISPs on both sides of the tunnel
08:11 -!- eckirchn was kicked from #openvpn by dazo [Watch your mouth]
08:12 < eckirchn> ok dazo  sorry to offend you, but your ignorance of wifi tech, called for the comments
08:13 <@dazo> eckirchn: you should probably know that I've been doing OpenVPN for about 10 years ... over wired and wireless nets ... so I think I am quite capable of understanding the issues with VPNs over various types of links
08:13 < eckirchn> dazo, nothing he was talking about had to do with ISP, but if you want to continue to comment on ideals, do be it.  I say good luck getting 100mbs over any home network, even with only a few nodes. it doesn't happen
08:14 < eckirchn> dazo, but you lost the fact the issue has nothing to do with openvps
08:14 < eckirchn> daze, again, yes, you'r OPENVPN is large here, I get it, but you should read first, regardless of your EXPERIENCE
08:16 < eckirchn> i bow to you, Sieg Heil senior dazo
08:17 < eckirchn> all things being equal, the wifi was the issue, dazo, perhaps other issues on the wifi, like wifi encryption, wifi signal strength, wifi bandwidth, wifi interference, etc...
08:17 <@dazo> eckirchn: Why do you think I disregard the 100Mbit/s statement and focus on the 10Mbit/s?
08:18 <@dazo> Read the message from hid3, it states that clearly
08:18 <@dazo> and it is fully possible to get a better connection than 1.2Mbit/s on a link which tackles 10Mbit/s outside the VPN
08:19 <@dazo> And for the last arrogant and disrespectful Sieg ... comment ... consider that the last warning.
08:20 < eckirchn> dazo you say again " it is fully possible to get a better connection than 1.2Mbit/s on " how can you justify that?
08:20 < eckirchn> dazo, do you know the network he is on, do you know the density of the neighborhood and other wifi signals?
08:21 <@dazo> based on many years of experience here on this channel, on mailing lists and being doing OpenVPN development for quite a few years too?
08:21 < eckirchn> dazo, so be it, but I live in the real world, and wifi has noting to do with openvpn
08:21 <@dazo> if you get 10Mbit/s outside the VPN ... you can get more than 1.2Mbit/s .... it is the matter of TWEAKING the configuration to work optimally
08:22 < eckirchn> dazo you just keep proving the same point
08:22 <@dazo> *sigh*
08:22 < skyroveRR> Use lower grade encryption.
08:22 <@dazo> MTU
08:23 <@dazo> check logs for replay warnings
08:23 <@dazo> if fact ....
08:23 <@dazo> !gigabit
08:23 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
08:23 < skyroveRR> JJK?
08:23 <@dazo> that tells a lot about tweaking and optimizing openvpn links
08:23 < skyroveRR> HMM.
08:23 <@dazo> JJK - Jan Just Keijser
08:23  * skyroveRR notes the link
08:23 <@dazo> !book
08:23 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
08:24 <@dazo> JJK/Jan knows a lot about tweaking and improving OpenVPN
08:24 < skyroveRR> :)
08:29 < lg188> These links will come in handy later on
08:41 < pokmo> hi
08:41 < pokmo> i'm running an openvpn server on a shared host. it's been working all this time but suddenly today it has stopped me pinging outside as a client
08:41 < pokmo> i, the client, can ping the server though
08:41 < pokmo> on the server, pinging outside is fine
08:42 < pokmo> does anyone know this might be the case?
08:42 < pokmo> here's my conf https://dpaste.de/gguN
08:44 <@ordex> pokmo: NAT/forwarding has been disabled ?
08:45 < hid3> dazo, eckirchn: sorry, been AFK. No I can't eliminate wireless and test with wired. But it's certainly related to OpenVPN. If I do a donwload from one specific site with openvpn, it is slow. If I disconnect, it is fast...
08:45 <@ordex> pokmo: do you still have the server as default route ?
08:45 < pokmo> ordex, hmm how do i check?
08:45 <@ordex> pokmo: how did you set it up ?
08:46 <@ordex> hid3: have you tried doing a test from the VPN server to the specific site to see what's the speed on that link ?
08:46 < hid3> ordex: yes. Full 100 megabits/s connectivity
08:46 < pokmo> ordex, here's my iptables if that helps https://dpaste.de/t1HP
08:46 <@ecrist> hid3: if you get 100Mbps without a VPN, you will get slightly less than that inside the VPN
08:47 <@ecrist> probably closer to 90Mbps
08:47 <@ordex> pokmo: is SNAT enough to enable NAT? I always use MASQUERADE - not sure if SNAT keeps track of connections
08:47 < hid3> I am okay if I'd get say 10 megabits/s. But not ~1200 kbps
08:47 <@ecrist> hid3: what kind of hardware?
08:47 < eckirchn> hid3, are the wireless and the wired going to the same point?  that matters.
08:48 < hid3> ecrist: on server or client?
08:48 < hid3> eckirchn: I can't go wired. This is at my enterprise office, they don't offer wired connections for personal devices. Again, if I just disconnect from VPN, the download from the same site gets FAST
08:49 < pokmo> ordex, but should the route's destination be the local or external IP?
08:49 <@ordex> pokmo: what do you mean with "route's destination"?
08:50 <@ordex> pokmo: and those rules seem to overlap, no ?
08:50 <@ordex> pokmo: maybe -v will show more interesting information (i.e. the interfaces)
08:50 < eckirchn> hid3, can you eliminate the wifi connection?  from what I have read, I can't eliminate that.
08:50 < pokmo> ordex, yeah, but does it matter if they overlap?
08:50 <@ecrist> hid3: what is your test case?
08:51 < hid3> No, I cannot. No wired conenctivity offered
08:51 <@ordex> pokmo: well, the others are useless, only the firts wine
08:51 <@ordex> wins
08:51 < hid3> ecrist: what do you mean a test case?
08:51 <@ecrist> what method are you using to test download speed/
08:51 < pokmo> yeah
08:51 < hid3> oh. It's a download from HTTP
08:51 <@ecrist> from where?
08:51 <@ecrist> to where?
08:51 <@ordex> pokmo: still, what are you trying to achieve with that SNAT rule?
08:52 < hid3> from a linux mirror to my laptop's desktop
08:52 < hid3> I'm downloading an ISO
08:52 < pokmo> ordex, oh i just had to delete the first two routes
08:52 < pokmo> ordex, now it's working
08:52 < pokmo> do you know why this might be the case?
08:52 <@ecrist> so, without the VPN you're download the file directly from the server to your machine, right?
08:53 <@ecrist> and with the VPN, the download is routing from your laptop, to VPN server, to server hosting the ISO, right?
08:53 < pokmo> ordex, hmm not too sure. i followed https://github.com/Nyr/openvpn-install/blob/master/openvpn-install.sh#L328
08:53 <@vpnHelper> Title: openvpn-install/openvpn-install.sh at master · Nyr/openvpn-install · GitHub (at github.com)
08:54 <@ordex> pokmo: it was setting the wrong IP in the packets I guess
08:54 <@ordex> but I don't know where those IPs are coming from. I guess it is the public IP of the server?
08:54 < pokmo> ordex, but internal IP works but not external?
08:54 <@ordex> pokmo: it depends how the uplink looks like
08:55 <@ordex> where the server is getting its uplink and how
08:55 < hid3> ecrist: yeah, absolutely right. Mirror<-> VPN server connectivity is 100 mbps at all times of the day. my laptop<->mirror (or the VPN server itself, using HTTP protocol) is about 30 megabits/s ofver Wifi (no vpn)
08:55 < pokmo> ordex, yeah 185.164.138.18 is the external IP
08:55 <@ordex> pokmo: external means assigned to the uplink interface? of the server does not have that IP assigned?
08:56 <@ecrist> hid3: in that case, you shouldn't expect more than ~25Mbps if your numbers are accurage
08:56 <@ecrist> accurate*
08:56 < hid3> yea, OK! But I am not even getting 10 megabits/s or even close to that...
08:56 < hid3> I'm seeing ~1200 kbps
08:57 <@ordex> hid3: are you sure you are downloading from the same mirror as your VPN server would? just to avoid that your laptop is picking a mirror that is further away from the VPN server
08:57 <@ordex> ideally you should use the IP of the mirror, to be sure it is always the same among the tests
08:57 <@ecrist> what kind of hardware is your VPN server?
08:58 < pokmo> ordex, hmm no, i don't think so. that's just the IP from whatsmyip
08:58 < pokmo> ordex, here's my ifconfig https://dpaste.de/6hoW
08:58 <@ecrist> and do you see performance differences if you disable encryption (but still use the VPN)?
08:59 <@ordex> pokmo: then your "external" IP is 192.168.42.182
08:59 <@ordex> you can't set the public one if the server hasn't got it assigned
08:59 <@ecrist> that doesn't look like an external IP
08:59 <@ordex> ecrist: external in the sense of address used for the uplink
08:59 < pokmo> ordex, but isn't that the internal IP?
08:59 < pokmo> right
08:59 <@ecrist> ah
08:59 < pokmo> it's shared hosting
08:59 <@ordex> yap
08:59 < pokmo> so i guess you're right
09:00 < pokmo> 192.168.42.182 is what's assigned to my instance
09:00 <@ordex> that is the IP that outgoing packets need to have as source when leaving the host
09:00 <@ordex> otherwise on the next hop something wrong will happen
09:00 < pokmo> yep. makes sense
09:00 < pokmo> so what's this tun0 interface that openvpn needs?
09:00 <@ordex> somebody at some point will do NAt again and convert that to the public IP
09:00 < pokmo> the encrypted tunnel?
09:00 <@ordex> pokmo: that's the tunnel
09:00 < pokmo> with ip 10.8.0.1
09:00 <@ordex> yes
09:01 <@ordex> that's your VPN network
09:01 <@ordex> that's the interface used to talk to the clients
09:01 < pokmo> so all packets coming in from my 'venet0' get forwarded to 'tun0'?
09:01 <@ordex> not all, but only does matching NAT'd connections originated behind tun0
09:02 <@ordex> s/does/those/
09:02 < pokmo> right
09:02 <@ordex> this is plain NAT mechanism, you can find document sonline explaining it even when the VPN is not there
09:02 <@ordex> the concept is the same
09:02 <@ordex> *documentS
09:04 < pokmo> thanks
09:08 < hid3> ordex: Yes, I'm 100% sure. I use the IP to download form...
09:09 <@ordex> ok
09:09 <@ordex> pokmo: np
09:09 <@ecrist> hid3: there is also going to be a limit to the upload speed of your VPN server
09:11 < hid3> UP/down limits are the same, 100 mbps, I have tested that multiple times
09:12 <@ecrist> you didn't answer my hardware question, or my question about encryption
09:12 < hid3> hardwa- the client side or server side?
09:12 <@ecrist> both
09:12 <@ecrist> they both apply here
09:12 < hid3> regarding the encryption - how do I check it?
09:13 <@ecrist> did you try disabling encryption to see if performance improves?
09:13 < hid3> server - Intel Xeon E3 1265Lv2, 12 GB ram, 1 GBPS NICs, debian OS. Client side Lenovo T400s, 8 GB RAM, SSD, WirelessN
09:13 < hid3> Laptop with windows 7
09:14 <@ecrist> what cipher are you using?  that processor support AES-NI, so you should be using a cipher that can leverage the hardware
09:15 <@ecrist> !configs
09:15 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
09:15 <@ecrist> !logs
09:15 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
09:16 < hid3> server config: https://pastebin.com/98E6QV6E
09:19 < hid3> and the logs for today:
09:19 < hid3> https://pastebin.com/5autyVkL
09:20 <@ordex> hid3: just for my curiosity, have you tried performing the same test but using the VPN server as "mirror" and downloading the file from there? that should eliminate quite some variables too. but do it after checking cipher and other things..
09:21 < hid3> yes, I have tried downloading from the openvpn server itself (also http procotol). It's slow. And for ciphers, I'm not a big expert of that....
09:21 <@ecrist> hid3: for the logs, we need to see one connection.  we want to see the startup of the server, then a connection of a client
09:22 <@ecrist> if your download from the VPN server is slow, then a transit *through* the vPN server will be slow
09:22 < hid3> alright, will restart openvpn server and reconnect then in a few minutes...
09:24 <@ordex> hid3: exactly because of what ecrist said, you can simplify your test case and always use the VPN server for the download - this way you avoid adding complixity to the problem..
09:24 <@ordex> *complexity
09:28 < hid3> here are the logs of the service restart and me reconnecting: https://pastebin.com/sQUNa3yP
09:38 < hid3> Any suggestions for further steps to take?
09:49 <@ordex> hid3: I'd personally test with iperf and udp on the laptop<->vpn server path. with and without vpn
10:02 < hid3> For testing purposes, I changed the port to tcp 1194
10:02 < hid3> The speed increased about 5 times
10:02 < hid3> so either UDP protocol is losing ltos of packets, or those arseholes are limiting UDP traffic...
10:03 <@dazo> hid3: that is quite plausible ... also try testing with --mtu-test .... to see if there are some tweaks to be done there too
10:04 < hid3> hm...
10:04 <@dazo> but ... some ISPs/links are known to have bad handling of UDP packets of "unknown" types ... openvpn often falls into those categories
10:05 < hid3> is TCP worse than UDP (in general, for openvpn, not for my particular case)?
10:05 < hid3> Why does openvpn default to udp protocol at all?
10:05 <@dazo> !tcp
10:05 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
10:06 <@dazo> hid3: basically, if you have lots of packet loss .... TCP over TCP can in many cases render the tunnel useless as it the communication inside and outside the VPN is filled with "resent" packets
10:07 < hid3> alright. As for --mtu-test, how do I exactly activate it? Should it put that variable in server config and reload the daemon? Or client side also needs some adjustments?
10:07 <@dazo> hid3: add it to your client config and start the tunnel
10:08 <@dazo> in 3-5 minutes, you'll have some interesting log data
10:08 < hid3> only to client? Not the server?
10:09 <@dazo> hid3: I'll admit its ages since I used it ... but afair, client is enough
10:09 < hid3> as for --tcp-nodelay, can't find that in documsnts (or I'm blind..)
10:09 <@dazo> running it on the server may provide some useful data on the server side too ... but I don't necessarily think that's needed now
10:10 <@dazo> hid3: you might be blind ... as I'm looking at it right now :-P   that's a server config ... which will push that setting to clients as well
10:11 <@dazo> https://paste.fedoraproject.org/paste/~~a7f-7r6g6vIBmfurIGD15M1UNdIGYhyRLivL9gydE=
10:12 < hid3> socket-flags TCP_NODELAY  <- If I'm right, then this is what needs to be appended to server's config..
10:14 <@dazo> hid3: yes ... and client config
10:14 <@dazo> hid3: but ... if just adding --tcp-nodelay to server config, it is pushed to the client automagically
10:18 < hid3> great, will experiment with all of this on upcomming days
10:19 < hid3> tcp over tcp seems bad but....
10:20 <@dazo> hid3: if you can't make udp work, tcp is still better than dead slow udp .... but ... also have a look at --fragment and --mssfix ... but those must be seen in context of the --mtu-test results ... that may be what you need for decent udp performance as well
10:20 <@dazo> (however, if the link between server and client have no packet drop ... then tcp can work quite well)
10:23 < hid3> is there any chance that running openvpn on a different UDP port might give different results? Which port should I try? 53 is busy...
10:24 <@dazo> hid3: it might work better on a different port.  But which port which goes better is really hard to tell.  You could try the 5060-5069 range, which is commonly used for VoIP, thus might have better QoS
10:25 < hid3> any ideas which port does Cisco VPN use?
10:26 <@dazo> hid3: but my gut feeling is that you need to pay good attention to the --mtu-test results .... to see where the borderline is for fragmentation.  In some nets I've had to use --fragment 1200 --mssfix  to get decent performance
10:28 < red-lichtie> Hi. I'm getting the following in my server log "MULTI: bad source address from client [10.100.235.185], packet dropped". The address is from my mobile phone provider so I have no control over it as they have a NATed network. Question is, what, if anything can I do about it?
10:29 <@dazo> !configs
10:29 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
10:29 <@ecrist> hid3: port 500, generally, for IPSec.
10:30 < hid3> great. Yet another one to try...
10:31 < hid3> Thansk for your helps, ideas and suggestions. Today My working day is over, glad I've nailed the problem down to the protocol. Will do more experimets tomorrow with all of this...
10:32 <@dazo> hid3: keep us in the loop! ;-)  Glad we could help!
10:34 < SkyCaptain> hey guys, I am having an issue where I want to connect to a VPN server with a VPS as client, but when I do so, it tunnels all the traffic (including my SSH connection), and makes the instance inaccessible
10:34 < SkyCaptain> from Googling I've seen that's possible to set up a static route, but I'd rather just whitelist all SSH traffic
10:34 < SkyCaptain> is there a recommended way to deal with this issue?
10:34 < red-lichtie> Here is the conf as dazo requested: https://gist.github.com/anonymous/456470193c6026bf1a910078a137dece
10:34 <@vpnHelper> Title: OpenVPN 2.4.1 · GitHub (at gist.github.com)
10:34 <@dazo> !redirect
10:34 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
10:34 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
10:34 <@dazo> SkyCaptain: ^^^
10:35 <@dazo> SkyCaptain: you might need to _not_ use --redirect-gateway
10:35 < SkyCaptain> thanks dazo, I will check it out
10:35 < SkyCaptain> dazo: I had some success with route-nopull (allows me to connect the VPN without killing my connection)
10:35 < SkyCaptain> but it still has my original public IP, which kind of negates the purpose
10:35 < SkyCaptain> redirect-gateway is not present in the ovpn file I'm using
10:36 <@dazo> SkyCaptain: --route-nopull is somewhat related to --redirect-gateway
10:36 <@dazo> SkyCaptain: oh, that can be pushed from the server
10:36 <@dazo> !logs
10:36 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
10:37 < SkyCaptain> I don't have access to the server logs since I am using a service (PIA)
10:37 < SkyCaptain> but let me see if I can get the client logs
10:37 < SkyCaptain> !logfile
10:37 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
10:38 <@dazo> red-lichtie: you might need to look into this:  https://openvpn.net/index.php/open-source/faq/79-client/317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq.html
10:38 <@vpnHelper> Title: "MULTI: bad source address from client , packet dropped" or "GET INST BY VIRT: [failed]"? (at openvpn.net)
10:39 <@krzee> !splitroute
10:39 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/viewtopic.php?t=7175#p8056 to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet, or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
10:39 <@krzee> SkyCaptain: ^
10:39 < red-lichtie> dazo: I did look at that, but I can't create a ccd file for a dynamic ip address can I?
10:41 < SkyCaptain> krzee: this is similar to what I found earlier, but the problem is that I need to connect to the server from several different IPs
10:41 <@dazo> red-lichtie: the crux of your issue is that some packets are routed into the tunnel, which could be related or not related to the tunnel ... OpenVPN server doesn't know - so it drops them by default
10:41 <@krzee> SkyCaptain: either way you need 2 routing tables and ip rule
10:41 <@dazo> red-lichtie: you might be right that those packets shouldn't be on the tunnel ... then you will need to look more carefully at the client side routing table
10:41 <@krzee> SkyCaptain: then you make it so traffic that came to you targeting your inet ip uses the routing table that has the gateway for your inet ip
10:42 < red-lichtie> dazo: This is going to be interesting :-)
10:42 <@krzee> SkyCaptain: its called policy routing
10:43 <@dazo> red-lichtie: the --client-config-dir + iroute trick tells OpenVPN that "this client have a subnet X.X.X.X/YY behind it, so packets to that subnet must go via this particular client"
10:43 <@krzee> !iroute
10:43 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
10:44 < red-lichtie> dazo: I have no idea what IP address the client will get, I travel a lot and my phone gets various addresses depending on the country / provider
10:44 <@dazo> red-lichtie: but I don't have enough details of your setup to fully understand why you see that .... but in most cases, ccd + iroute is the right solution
10:44 <@dazo> red-lichtie: start with providing client config as well + 'ip route show'  (or route -n9
10:45 <@dazo> route -n
10:45 <@krzee> somewtimes a misconfigured app sends traffic over tun but with eth0 ip as well
10:45 < red-lichtie> I'll go through all the configs again, maybe my firewall is doing something to the packets as well
10:46 <@krzee> does the multi error have your eth0 ip or another ip from the lan?
10:47 < red-lichtie> it has the IP from my mobile phone
10:48 <@dazo> the VPN client is running on phone or on laptop connected to phone?
10:48 <@krzee> is openvpn running on your mobile phone?
10:48 <@krzee> haha right
10:48 <@dazo> heh
10:48 < red-lichtie> On the phone, OpenVPN for Android at the client
10:48 <@dazo> but, krzee got a good point though
10:49 <@krzee> ok so the vpn is running on the same device, tells me its a misconfigured app
10:50 <@krzee> you can safely ignore it unless you're having an actual problem
10:50 <@krzee> <red-lichtie> dazo: I did look at that, but I can't create a ccd file for a dynamic ip address can I?      <--- that had me wondering
10:50 <@krzee> lol
10:51 <@dazo> red-lichtie: and I'd trust krzee's advice ... he's got lots of experience on that front
10:51 <@dazo> krzee: good catch! :)  I actually didn't think about that detail
10:51 <@krzee> thanks brochacho
10:52 <@dazo> :)
10:53 < red-lichtie> OK, you lost me. my client get the IP address "10.8.0.38" (vpn address) but the log says "10.100.235.185" (provider address).
10:54 <@krzee> tl;dr, you can safely ignore those MULTI warnings
10:54 <@krzee> in your case they are caused by some app misbehaving and sending packets over tun0 with your src from your other interface
10:54 < red-lichtie> Can I disable them? They flood my log.
10:55 <@krzee> i cant help you with it, its totally unrelated to openvpn, youd have to figure out which app is doing it and how to stop it
10:55 <@krzee> however
10:55 <@krzee> there are options to mute stuff after a couple times
10:55 <@krzee> !man
10:55 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
10:55 <@krzee> --mute n
10:55 <@krzee> Log at most n consecutive messages in the same category. This is useful to limit repetitive logging of similar message types.
10:56 < red-lichtie> Thanks, I'll look for that mute option
10:56 <@krzee> look for? i just gave you it!
10:56 <@krzee> just pop it into your config
10:59 < red-lichtie> krzee: I meant in the config file, I didn't realize the the long command line option is the same as the config file option
10:59 <@krzee> !--
10:59 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
11:05 < red-lichtie> The mute option did the trick. Thanks for pointing out that it isn't a "real" issue but a client problem.
11:05 <@krzee> no problem
11:13 < SkyCaptain> thanks for your help, guys
11:14 < SkyCaptain> I'm gonna have to revisit this at a later time when I can really dig into Linux routing :S
11:14 < SkyCaptain> (guys and gals)
12:22 < varnent> Anyone had luck finding a VPS for a VPN that isn't blocked by Hulu?
13:07 <@ecrist>  rootbsd.net, vultr.com?
14:20 < varnent> ecrist: ty for suggestions - I may have found a sort of accidental solution with one I was testing
14:21 < varnent> but I'm going to test those out as well - just in case - and partly because I'm curious now :)
14:39 <@ecrist> what did I do?
14:39 <@ecrist> oh, VPS, sure!
14:40 <@ecrist> I use both of them, but I don't stream Hulu or Netflix via them.
14:47 < vectr0n> most large vpn/vps/dedicated hosts are all blocked by those services, i wish you luck trying to find one, lol
15:39 < brokensyntax> Hmm, using an intermediate, should I generate a chain to use on the server? I'm getting validation errors with just the intermediate CA cert. (Root is owned by our enterprise, not public.)
15:54 <@dazo> brokensyntax: have a look here: https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains
15:54 <@vpnHelper> Title: Using_Certificate_Chains – OpenVPN Community (at community.openvpn.net)
16:07 < brokensyntax> thanks dazo, I'll give this a look.
16:10 < brianx> how do i add a single host address reachable via one of my existing clients so that all hosts can reach it?  the client already has all it's linux side routing and can ping the target host.
16:10 < brokensyntax> Mine looks a lot like the intro image, ca -- sub {1..3} -- server and client both come from sub 3.
16:32 < brianx> is this still impossible 10 years later? https://openvpn.net/archive/openvpn-users/2007-10/msg00056.html  i have OpenVPN 2.4.0.
16:32 <@vpnHelper> Title: [Openvpn-users] Single server, multiple tun interfaces? (at openvpn.net)
16:44 < brianx> In 2017, is it now possible to have multiple clients on a single server-side UDP
16:44 < brianx> port, but with one tun interface per client?
17:04 <@dazo> brianx: a tun interface per client is not in the design scope of neither OpenVPN 2 nor OpenVPN 3 .... that said, it might be easier to implement it in OpenVPN 3, but I have not looked enough at that code to really know for sure
17:04 <@dazo> brianx: it is possible to have multiple clients connected to the same openvpn server instance (that arrived already in 2006 with OpenVPN 2.0)
17:05 < brianx> thank you dazo.  i guess for now i'll just use multiple instances to make this act more like ipsec but be compatible to all the client OS i need.
17:06 <@dazo> brianx: any reason you need the individual tun device?  what's the use case?
17:07 < brianx> dazo: i'm tired of fighting internal routing in openvpn.  linux routing works perfectly for me.
17:07 < brianx> dazo: is it safe to assume bridged mode is the most likely to blindly forward packets from one end to the other regardless of source or destination ip?
17:08 <@dazo> brianx: yes ... but bridging and VPNs are generally a bad combination .... as you need to filter out broadcast traffic to not choke the VPNs completely
17:08 <@dazo> brianx: for the irouting stuff you have a possibility to dynamically generate the CCD file through the --client-connect script hook though
17:09 < brianx> as long as linux gets to choose what goes in to the interface, i'm not expecting any broadcasts.
17:12 <@dazo> well, true ... but you'll need to do some ebtables filtering too then, to block broadcast traffic from clients too ... you never know what clients will do
17:14 < brianx> dazo: what i'd really like is for public port X on client A to be delivered to port X on host B and public port Y on client Q to be delivered to port Y on host B.  etc.  there are quite a few ports on several hosts.  also want the original IP from the person on the public internet to remain so that my hosts can tell who is talking to them.
17:16 < brianx> this is all pretty easy with point to point devices, but not all my clients are linux.  android specifically is such a pain.
17:18 < brianx> and i really love how the android client even handles selectively delivering requests from specific apps instead of just blindly forwarding everything.
17:25 <@dazo> brianx: you can use policy routing for that on Linux (that's essentially what Android uses under the hood, if I've understood android correctly) ... then with a --learn-address or/and a --client-connect script to populate the routing tables properly ... I had something quite similiar to the setup you describe on a site some years ago (until the VPN client was moved to a firewall and some other refactoring happened)
17:26 < brianx> so policy routing gets it to openvpn.  that part i have no trouble with.
17:27 < brianx> openvpn then needs all internet traffic to go to and from one specific end point.
17:28 < brianx> i can't seem to find a way to have replies exit through the same client that the request came from.  so far, i can't even receive requests from more than one client where the source ip is on the public internet.
17:28 <@dazo> ahh ... okay ... so that should be fairly simple
17:29 <@dazo> just a sec, I'll dig up a script
17:29 < brianx> the 2nd client with inbound public traffic gets MULTI: bad source address from client [x.x.x.x], packet dropped
17:30 < brianx> (at the moment, the 1st is also, but i think i know the solution to that)
17:31 <@dazo> so this is what I have used on a site directing traffic correctly:  https://paste.fedoraproject.org/paste/yJ6JzWsVWCPYXpVvzDzUvF5M1UNdIGYhyRLivL9gydE=
17:32 <@dazo> I've created the routing table "vpnrouteA" in /etc/iproute2/rt_tables
17:33 <@dazo> then that script is kicked off by a connect script ... which basically tells "all traffic coming from the local VPN IP to go via the REMOTE_VPN as default"
17:34 < brianx> and this runs on the client?
17:34 <@dazo> Yes, iirc, this is a client side script
17:35 <@dazo> (based on the $ifconfig_local variable)
17:35 < brianx> ok.  i think i have effectively equivalent rules, they deliver the packet to the tun interface and tcpdump sees it go in.
17:37 < brianx> but the far end gets "MULTI: bad source address from client [x.x.x.x], packet dropped" where x.x.x.x is the ip of the public client trying to come in.  i'm pretty sure one solution to this is to add 0.0.0.0 netmask 0.0.0.0 to the openvpn routing table.
17:37 < brianx> but that only (should) work with traffic coming in and going back out one client.
17:39 <@dazo> hmmmm .... when x.x.x.x refers to a public IP .... that indicates some unexpected routing
17:41 <@dazo> so ... you have a "visitor IP" hitting the public IP of your VPN /server/ ... which then forwards this to your VPN /client/ which is expected to respond back via the VPN server to the visitor?
17:42 < brianx> the visitor ip hits my client's public interface.  linux correctly dnats it to the internal host that can handle the request.
17:42 < brianx> the vpn drops it.
17:44 < brianx> i could probably source nat it and get it to be delivered, but then the target host doesn't know who is talking to it.  traffic from nigeria probably shouldn't be treated the same as traffic from canada. (and it's always nice to be able to log who's talking to you)
17:44 <@dazo> okay, good!  You most likely need the policy routing to be set up on the server side then .... as the packet goes correctly from visitor->vpn client->vpn server
17:45 < brianx> the packet gets dropped by openvpn before the server side ever gets to touch it.  tcpdump sees nothing and the MULTI: error shows up.
17:46 <@dazo> huh?  The MULTI: stuff appears in the client log?
17:46 <@dazo> what do you see on the tun interface on the client side?
17:48 < brianx> the MULTI: stuff appears in the server side log.  tcpdump on the client side tun shows my syn packet.
17:48 <@dazo> okay, good ... then I'm following a bit ....
17:48  * dazo ponders
17:49 < brianx> the linux side is easy. ;-)  i can do that.
17:49 < brianx> get the packet looking the way i need it to at the client side tun, no problem.
17:50 <@dazo> Yeah, I see the problem now ... it is actually OpenVPN itself which is lacking a more flexible iroute capability (which resembles the policy routing concept)
17:50 < brianx> yeah.
17:50 < brianx> exactly. :-)
17:51 <@dazo> iroute today does what you need, except it doesn't "track" which client it comes from - only which IP address which is behind a client
17:51 <@dazo> (or rather, which IP subnet is behind clients)
17:52 < brianx> so my solution was to be trying to get openvpn treat this all as a bunch of point to point links.
17:53 < brianx> that way i get the android goodness of openvpn and the routing is handled by linux.
17:53 < brianx> but it seems like that requires multiple instances.
17:54 <@dazo> yeah ... except that wouldn't really work either by just adding another tun/tap interface per client ... well it works if you start a separate process per client (which is what you currently need to do) .... but the openvpn routing engine would get in the way internally anyway, regardless of single tun/tap interface or multiple
17:55 < brianx> is there a way to disable the internal routing engine?
17:55 <@dazo> what would work, is to add a new iroute feature .... something like, --iroute-track-client .... which actually tracks which source IP address a comes from which client, and  then actually does the iroute stuff dynamic
17:55 < brianx> or since the public internet is only on one side, to add a 0.0.0.0 netmask 0.0.0.0 route?
17:56 <@dazo> no, that's not possible ... that's needed on the server side to actually know which openvpn client to send packets to
17:56 < brianx> if i run multiple instances, there's only one client per server.
17:57 <@dazo> with one client per server, you will circumvent this limitation
17:58 < brianx> so this will work...  one client per server, route that includes 0.0.0.0 0.0.0.0 and linux handles all the rest in it's routing.  policy and otherwise.
17:58 < brianx> right?
17:59 <@dazo> the 0.0.0.0/0 route sounds bad ... I'd try not using --server on the server side and use --tls-server and simpler peer-to-peer configuration .... that allows only a single client to connect too
17:59 <@dazo> on the client side, you use --tls-client instead of --client
18:00 < brianx> i'll have to look up --tls-client.  peer-to-peer configuration is also hopefully in the docs.
18:01 < brianx> dazo: thank you.  this has been a royal pain to figure out.  i'm used to leased lines and the few times i used cloud networks it was always with ipsec which was inherently point to point.
18:01 < brianx> well, i used stunnel too, but that is ptp too.
18:01 <@dazo> I'm taking this basically from memory now .... so might be some errors:   [server] openvpn --ca $CA --key $PRIVKEY --cert $CRT --dh $DH --tls-server --ifconfig 10.8.0.10 10.8.0.20 --dev tun  ..... [client] openvpn --ca $CA --key $KEY --cert $CERT --tls-client --ifconfig 10.8.0.20 10.8.0.10
18:02 <@dazo> oh, stunnel can surely be another painful chapter indeed
18:02 < brianx> lol, it wasn't..  this was a really simple ptp setup.
18:02 <@dazo> in the p2p config above ... notice the IP address switch between client and server
18:03 < brianx> yeah, i noted that.
18:03 < brianx> same as any ptp link should. :-)
18:03 <@dazo> yeah :)
18:03 < brianx> i've got to cook wifey dinner so i'll try this in a few hours and let you know.
18:04 < brianx> thank you for taking the time to figure this out with me.
18:04 <@dazo> the advantage of --tls-server/--tls-client is that you do get PFS ... strip that out with --ca/--key/--cert/--dh and put in --secret ... and you should have a static key p2p setup
18:04 <@dazo> you're welcome, brianx!
18:05 < brianx> i'm all for PFS.  i like the keys.
18:05 <@dazo> good! :)
19:49 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 240 seconds]
19:49 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
19:49 -!- mode/#openvpn [+o dazo] by ChanServ
20:00 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
20:05 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
20:05 -!- mode/#openvpn [+o mattock] by ChanServ
21:43 < Ravenmire> When I start openvpn and it doesn't complete, the terminal doesn't echo characters. How do I fix this?
21:46 < Ravenmire> Found it. "reset".
21:59 <@krzee> Ravenmire_: put daemon in the config
21:59 <@krzee> !daemon
22:00 < Ravenmire_> OK.
22:00 < Ravenmire_> !daemon
22:01 < Ravenmire_> How about "VERIFY KU ERROR"? Oh, let me look at it for a bit.
22:01 <@krzee> !learn daemon as openvpn starts in the foreground by default, with output going to the terminal. if you use --log then the output goes to the file instead of the terminal. with --daemon openvpn will go to the background after starting
22:01 <@vpnHelper> Joo got it.
22:04 < Ravenmire__> Certificate does not have key usage extension->VERIFY KU ERROR
22:06 <@krzee> do your configs have remote-cert-tls or ns-cert-type?
22:07 < Ravenmire__>  remote-cert-tls server
22:07 < Ravenmire__> The "server" is a holdover from ns-cert-type.
22:08 < Ravenmire__> krzee, the config file is so much better than the GUI!
22:13 <@krzee> if your cert has ns-cert-type style you need to use that
22:16 <@krzee> doesnt really matter which you use from a security perspective, they both do the same thing really
22:16 < Ravenmire__> BRB, :)
--- Day changed Wed Apr 19 2017
02:40 < lg188> Morning.
02:40 < lg188> So the openvpn instances I bind to two different tun interfaces, so the routing is broken
02:40 < lg188> s/I//
02:52 < lg188> do I need to like bridge them?
02:57 -!- vamiry_ is now known as vamiry
04:16 < rany_> Hello,
04:16 < rany_> How can I configure OpenVPN to change its settings depending on the IP address?
04:17 < rany_> I want to change the keepalive directive to be specific.
04:19 < rany_> I meant netblocks not IP address
04:19 < rany_> I'm not sure if thats even possible though
04:26 < lg188> the closest I understand you want something like ccd?
04:26 < lg188> !ccd
04:26 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
04:28 < rany_> lg188: so, setting it up depending on the IP address is not possible?
04:29 < rany_> !poodle
04:29 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has, or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
04:29 < rany_> !ovpnuke
04:29 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
04:29 < rany_> !sweet32
04:29 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
04:30 < lg188> Not that I know of. But ccd can be used to give specific ips to specific common-names
04:31 < rany_> thank you lg188 <3
04:33 < lg188> You're welcome heh
04:37 < lg188> !brige
04:37 < lg188> !bridge
04:38 <@vpnHelper> "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man), or (#4) also see !whybridge
04:39 < lg188> So I guess it's impossible to bridge tunnel interfaces?
04:41 < rany_> lg188: what do you mean?
04:45 < lg188> I have the problem that I need two ports in two protocols to run
04:45 < lg188> for the server
04:45 < lg188> but it can't be done with one instance, so I need two
04:46 < lg188> but it seems like they can't route data between the instances
07:12 <@krzee> lg188: of course you can route data between instances, if you properly configure routing
07:13 <@krzee> !route
07:13 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
07:13 <@krzee> think of each tun as having it's own lan behind it
07:14 <@krzee> and no, you dont want bridging.
07:17 < lg188> Well, I technically have different subnets as well
07:18 < lg188> I'm postponing this for later, currently switching to tcp alone
07:31  * hyper_ch needs a book Routing for Dummies
07:35 <@krzee> hyper_ch: really?
07:35 <@krzee> i figured you had it all down
07:36 <+hyper_ch> me? nah... routing is like this big mystery... automagically I get it to work sometimes
07:36 <@krzee> you know how a routing table works?
07:36 <+hyper_ch> it uses very advanced forms of magic
07:37 <@krzee> take a look at netstat -rn
07:37 <+hyper_ch> theoretically I know how it works... basically I have no idea :)
07:37 <@krzee> it shows you target subnets, and gateways
07:37 <@krzee> that shows where your routes go, the most specific route wins
07:37 <@krzee> so like the default route is the least specific route
07:37 <@krzee> anything more specific overrides that
07:39 <+hyper_ch> as said, theoretically I know how it works
07:41 <@krzee> that doesnt even make sense as a statement
07:41 <+hyper_ch> it does to me :)
07:42 <@krzee> and the routing table makes sense to me... if you tell me what you dont get i can probably help you understand it
07:43 <+hyper_ch> well, as long as I don't have a problem I can't tell
07:44 <+hyper_ch> only when I encounter a problem again I can tell
07:47 <@krzee> if you want, grab me your routing table and ill ask you a few questions
07:47 <@krzee> what you cant answer ill try to help you with
07:58 < rdg> are there any AWS AMIs for OpenVPN that do well in a failover/autoscaling group situation?
07:59 < rdg> OpenServer-AS requires hands on configuration which isn't great
07:59 <@ecrist> I'm not aware of any, rdg
07:59 <@krzee> nope, gotta b uild the darknet by hand
08:00 <@krzee> actually i believe once upon a time there was a script that managed that stuff, i think it was called openmesher, but im pretty sure it made a complex network out of p2p links
08:00 <@ecrist> yeah, it did.
08:00 < rdg> sounds like it's more than I want
08:00 <@ecrist> It would be kind of neat to build an openvpn-based darknet.
08:01 <@krzee> ya same, thats why i build mine by hand
08:01 < rdg> I have a customer that wants two VPN connections available for their AWS VPC.. and they should relaunch of they die without any interaction
08:01 <@krzee> but fyi, last i tried i had to use p2p links just for the links that had ospf (via bird) running over them
08:01 < rdg> but they want to use local user management as well
08:02 <@krzee> relaunch after death != failover/autoscaling
08:02 <@krzee> thats just monitoring a process
08:02 < Ravenmire_> My d/l speeds are abysmal; 81 days to complete for a 300Mb file.
08:02 < rdg> krzee: it's the beginning of it
08:03 < rdg> You uploading to Mars, Ravenmire_ ?
08:03 <@ecrist> Ravenmire_: that is abysmal
08:03 <@krzee> mars, lol
08:03 <@krzee> !speed
08:03 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help., or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded), or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu), or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links, or (#5) less likely are issues with bad
08:03 <@vpnHelper> TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs), or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp), or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better., or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no), or
08:03 <@vpnHelper> (#9) a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
08:03 <@ecrist> rdg: old $work does OSPF and I think IGRP over p2p points.
08:04 < Ravenmire_> rdg: I believe so...
08:05 < rdg> hm. if OpenVPN is CPU bound and not multithreaded.. how do you work aroudn that
08:05 < Ravenmire_> i2p may be faster. And that's saying something.
08:06 <@krzee> rdg: by running more openvpn processes and splitting users amongst them (each process will get a cpu core)
08:06 <@krzee> poor mans load balancing ;]
08:06 < rdg> but the processes can't all bind to the 1 incoming port can they?
08:07 <@krzee> Ravenmire_: hows your speed to/from the server itself with the vpn and without the vpn? i use iperf for this
08:07 < BtbN> At least for TCP they could, but you don't want that.
08:07 < BtbN> So one UDP port per process it is
08:07 <@ecrist> rdg: faster processor, or load balancing across multiple instances of OpenVPN
08:07 < rdg> sorry, this gets beyond my linux/networking knowledge
08:07 <@ecrist> no, you can't all bind to the same port
08:07 <@ecrist> You can do your load balancing a few different ways
08:07 <@krzee> rdg: no, i guess you could do some iptables magic to make it do that, but better would be multiple --remote entries in the config and remote-random
08:08 <@ecrist> 1) DNS "faux" balancing
08:08 < rdg> ecrist: I'm bound by the ways of AWS... so it sounds like a cluster of smaller EC2 instaces / ELBs is the way..
08:08 <@krzee> the DNS one sucks sometimes, cause not all os resolvers do the same thing and openvpn listens to the OS's resolver
08:08 <@ecrist> 2) relayd, or some other proxy (haproxy)
08:09 <@ecrist> 3) multiple connection entries in your client configuration files
08:11 < BtbN> iptables magic with UDP won't work, as it's connectionless, and would distribute packages from the same OpenVPN-connection between the processes
08:11 <+hyper_ch> end of may I'll get upgraded from 150mbit to 1gbit
08:11 < BtbN> unless you use some kind of hasing based on the source IP and port
08:11 <@ecrist> relayd + pf would do it just fine
08:12 <@ecrist> ONE MORE REASON FREEBSD IS BEST
08:12 <@krzee> !bestos
08:12 <@vpnHelper> "bestos" is (#1) the best os for openvpn is the one you are most comfortable with, or (#2) FreeBSD. Always FreeBSD.
08:12  * hyper_ch heard that freebsd is dead
08:12 < rdg> how does freebsd play into that?
08:12 <@krzee> lol lol
08:12 <@krzee> nice addition
08:12 -!- hyper_ch was kicked from #openvpn by ecrist [da fuck?]
08:12 < rdg> i haven't used *BSD since... 2003
08:12 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
08:12 -!- mode/#openvpn [+v hyper_ch] by ChanServ
08:13 <+hyper_ch> nowadays you get kicked only because you heard a rumor? oO
08:13 <@krzee> unix is dead, long live unix
08:13 <@ecrist> hyper_ch: FreeBSD is not dead.  No where close.
08:13 <+hyper_ch> :)
08:14 <@ecrist> that "rumor" has been going around forever and just isn't the case.
08:14 <+hyper_ch> like the "year of the Desktop for Linux"?
08:14 <@ecrist> rdg: freebsd has the pf firewall available which will do UDP "connection" tracking
08:14 < rdg> ah
08:14  * ecrist shrugs
08:15 <@krzee> i hate udp connection tracking, for the record
08:15 <@ecrist> my primary work desktop is Red Hat
08:15 <@ecrist> krzee: why?
08:15 <@krzee> its a hack
08:15 <@ecrist> well,  yeah
08:15 <@ecrist> but it allows you to load balance things like openvpn connections
08:15 <@krzee> https://cdn.meme.am/cache/instances/folder654/500x/67220654.jpg
08:15 <@ecrist> and do failover
08:16 <@krzee> meh, i distribute my configs with like 20 remote entries
08:16 <@krzee> they can all resolve to the same couple til i add more
08:16 <@krzee> or forever
08:16 <@krzee> if i go past 20 i can start rr dns on each
08:16 <@krzee> poor mans failover, and it distributes amongst my N servers rather well too
08:17 <@krzee> in different locations, i may add
08:17 < DArqueBishop> Aren't the OpenVPN images in AWS Access Server instances?
08:18 < DArqueBishop> Of course, if I had scrolled back, I would have seen my question was kind of answered.
08:19 <@ecrist> krzee: I used to use relayd to failover outside connections in to our VPN cluster.
08:20 <@ecrist> relayd made it easy to pull one system down for maintenance and then stand it back up.
08:20 <@ecrist> OpenVPN mostly handled it gracefully.
08:20 <@ecrist> I really wish OpenVPN had connection tracking of some sort built in,though.
08:20 <@ecrist> like pf does for firewall state between pairs
08:21 <@ecrist> CARP + pf + pfsync was nice
08:21 <@krzee> ahh you mean a way to gracefully handoff when a machine goes down? freeswitch recently got similar
08:21 <@ecrist> I really enjoyed doing "major" maintenance on systems or uplinks with the rest of the world/company blissfully unaware.
08:21 <@ecrist> oh, they finally got that in?
08:22 <@krzee> ya i believe so
08:22 <@ecrist> barracuda was looking for developers recently
08:22 <@krzee> FS left barracuda
08:22 <@krzee> awhile ago
08:22 <@ecrist> oh?
08:22 <@krzee> barracuda doesnt even support their cudatels anymore
08:22 <@ecrist> so CudaTel isn't a thing?
08:23 <@krzee> well it is in my life, but ya not a thing really
08:23 <@krzee> i still have 3 lol
08:23 <+hyper_ch> I guess I really should have a look at the gigabit openvpn article that was published like a decade ago or so
08:23 <@krzee> (i didnt wanna be needed, so i got them for $work so theyd have a web interface and pro tech support
08:23 <@krzee> since i like vacations
08:23 <@krzee> !gigabit
08:23 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
08:23 <@ecrist> FS tried so hard for so long to only support Linux
08:24 <@ecrist> I kept pushing FreeBSD down their throats
08:24 <+hyper_ch> krzee: is that still current?
08:24 <@ecrist> finally they just embraced it.
08:24 <@krzee> hyper_ch: networking hasnt changed much, and it was written by JJK
08:24 <+hyper_ch> I don't know JJK
08:24 < Ravenmire_> OpenBSD?
08:24 <@krzee> jjk rocks
08:25 <@ecrist> no OpenBSD
08:25 <@ecrist> iirc, they still don't support mulitple cores
08:25 <@krzee> huh?
08:25 <@krzee> of course they do
08:26 <@ecrist> the kernel is single threaded, I believe
08:26 <@krzee> http://www.h-online.com/open/news/item/OpenBSD-5-2-arrives-with-improved-multi-core-support-1742192.html
08:26 <@vpnHelper> Title: OpenBSD 5.2 arrives with improved multi-core support - The H Open: News and Features (at www.h-online.com)
08:26 <@krzee> with an article date of 2012
08:26 <@ecrist> heh
08:26 <@ecrist> so, I stand corrected, but not by that  much
08:27  * krzee checks his $(date)
08:27 <@ecrist> < 5 years, I'll take it. :P
08:27 <@krzee> they beat openvpn by 5 years and counting :-p
08:27 <@ecrist> there are four key features I'd like OpenVPN to support
08:28 <@ecrist> 1) connection tracking/sync
08:28 <@ecrist> 2) More pushed configuration details/client config updates
08:28 <@ecrist> 3) multi-threading
08:28 <@ecrist> 4) multiple client pools within a single instance
08:28 <@krzee> 5) direct connections
08:29 <@ecrist> I think 4 is really dependent upon 3
08:29 <@ecrist> what do you mean?
08:29 <@krzee> 1sec finding my entry on the wishlist
08:30 <+hyper_ch> krzee: there's still your forum post where you said you're working on direct connections ;)
08:30 <@krzee> never said i could work on it
08:30 <@krzee> i said how it could be done
08:30 <+hyper_ch> one implies the other ;)
08:31 <@krzee> false
08:31 <@krzee> i can tell you how it can be done, i cant code c
08:31 < DArqueBishop> I'd like OpenVPN to support remote detonation of systems that are no longer authorized to access the server.
08:31 <+hyper_ch> you can't?
08:31 <+hyper_ch> oO
08:31 <@krzee> i only bash
08:31 <+hyper_ch> bash is awesome
08:31 <@ecrist> DArqueBishop: HMAC
08:31 <+hyper_ch> btw, what's tcp offloading?
08:32 <@krzee> DArqueBishop: you'll need a plugin for that
08:32 < DArqueBishop> (I never said it was a realistic feature request.)
08:32 <+hyper_ch> "remote detonation of systems"? oO
08:33 <+hyper_ch> don't you just need some semtex, a detonator and a cell phone for that?
08:33 <@ecrist> hyper_ch is now on a list
08:33 < lg188> replace the cell phone with a special package
08:33 < lg188> like wan
08:33 <+hyper_ch> I've always been on a list
08:33 <+hyper_ch> not just one but multiple ones
08:34 < lg188> E(thernet)D(etonation)P(ackage)
08:34 < lg188> s/wan/wol/
08:34 <@krzee> ecrist:  https://forums.openvpn.net/viewtopic.php?f=10&t=141
08:34 <@vpnHelper> Title: Idea for direct connections - OpenVPN Support Forum (at forums.openvpn.net)
08:36 <@ecrist> oh yeah
08:36 <@ecrist> really, you could still gate (authorize) the meshiness via the server.
08:37 <@ecrist> so, the server admin could determine if clients could direct connect.
08:37 <@krzee> well ya it could be a pushed option, especially now that we could ignore pushed options at a finer grained level
08:38 <@krzee> like how --keepalive  is a single option that expands to multiple, including some pushed
08:39 <@krzee> I love what syzzer added,   "Furthermore, I don't think you would need any extra routes. The kernel just sends its packets to the tun device. The openvpn client can then internally detect the destination and send it to the correct peer. Much like a TLS server currently does. Makes it much more transparent to the end user too."
08:53  * lg188 sighs
08:55 < lg188> I have an issue that I need to segregate two subnets and it feels really hacky to just manually assign ips to common-names
08:55 <@krzee> thats the best way aside from 2 servers with their own subnets on different ports
08:55 <@krzee> (accepting different clients)
08:56 < lg188> Actually
08:56 <@krzee> what you were hoping for is #4 on ecrists wishlist above
08:57 < lg188> if they're on different interfaces I can better route them
08:57 <@ecrist> You can do it if you configure the server line with a proper subnet, and dole out IPs via --client-connect script instead of using the built in IP assignment
08:58 < lg188> Mhm
08:58 <+hyper_ch> anything wrong with running two openvpn server instances on different ports?
08:58 < lg188> but the thing is, I'll have to add hosts later on
08:58 < lg188> so I'd rather not have to copy configs every time
08:59 < lg188> No, not at all
09:00 < lg188> I might have an idea
09:00 <+hyper_ch> server a uses 10.8.0.x and server b uses 10.9.0.x as example :)
09:01 < lg188> Yeah
09:01 < lg188> that's what I need
09:01 <+hyper_ch> two configs on the server
09:01 <+hyper_ch> alter a few things like the according subnet and maybe different certs
09:01 < lg188> it makes the configuration a little simpler
09:01 <+hyper_ch> and ports
09:01 <@krzee> ^ yep
09:01  * lg188 checks up with the boss
09:02 <+hyper_ch> for my voip vpn I can only use 2048bit keys as my snoms don't support larger keys
09:02 <+hyper_ch> for my data connection I do use 4096bit though
09:02 <@krzee> my snoms do
09:02 <@krzee> yours do too
09:02 <@krzee> :-p
09:02 <@krzee> what model you got?
09:02 <+hyper_ch> nah, 2048 is the max with them.. .they are old snom 370s
09:03 <@krzee> oh weak ass cpu
09:03 <+hyper_ch> I even have to use the custom vpn-enabled firmware since they removed openvpn from default
09:03 <+hyper_ch> last year
09:03 <+hyper_ch> I need to upgrade... pondering to get yealink t47
09:03 <+hyper_ch> that looks nice
09:03 <@krzee> you know why they did that?
09:03 <+hyper_ch> weakdh.org ?
09:04 <@krzee> i was rooting their snoms with 2 different methods that involved openvpn
09:04 <@krzee> 1) a weakness in their netcat logging method
09:04 <@krzee> 2) the scripting interface
09:04 <+hyper_ch> NOTE: Starting from 8.7.5.17 the VPN feature is now not enabled by default, in order to enable it you have to download the VPN patch from this page
09:04 <@krzee> yes, im telling you WHY they did that
09:05 <+hyper_ch> so it's your fault then?
09:05 <+hyper_ch> :)
09:05 <@krzee> kinda
09:05 <@krzee> -bash-3.2# uname -a
09:05 <@krzee> Linux (none) 2.6.37+ #1490 PREEMPT Tue May 6 11:07:43 CEST 2014 armv6l unknown
09:05 <@krzee> -bash-3.2# id
09:05 <@krzee> uid=0(root) gid=0(root)
09:05 <@krzee> thats an snom 760
09:05 <+hyper_ch> :)
09:06 <+hyper_ch> the 760 also looks nice
09:06 <@krzee> recently discontinued
09:06 <@krzee> i hate snom for that
09:06 <@krzee> they discontinued the 821, now the 760
09:06 <+hyper_ch> snom 370 - not so recently discontinued
09:07 <@krzee> i have to dev on the 765 now =/
09:07 <@krzee> not really looking forward to it either
09:07 <+hyper_ch> D765?
09:08 <@krzee> if they changed the cpu and i cant use my customized openvpn, im gunna be pissed
09:08 <@krzee> yes
09:08 <+hyper_ch> have you used openvpn on yealink?
09:08 <@krzee> https://www.secure-computing.net/wiki/index.php/Decompressing_Snom_Firmware
09:08 <@vpnHelper> Title: Decompressing Snom Firmware - Secure Computing Wiki (at www.secure-computing.net)
09:09 <@krzee> yes i have, but they dont support the scripting interface and i didnt like the phone itself much
09:09 <@krzee> i need the scripting interface
09:09 <+hyper_ch> what scripting interface?
09:09 <@krzee> !script
09:09 <@vpnHelper> "script" is (#1) See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR, or (#2) to see all vars available to a script, you can env > /tmp/env, or (#3) if using bash you can put exec 2>&1 in the first line of your script and it will send all error output to
09:09 <@vpnHelper> your openvpn log. set -x as well to show your commands as they are executed
09:10 <@krzee> their firmwares were easier to decode tho
09:10 <@krzee> i never would have been able to decrypt the snom firmware in the link above without root on it
09:11 <+hyper_ch> :)
09:11 <@krzee> btw the openvpn that ships with snom is insecure, as i point out in the above link
09:12 <+hyper_ch> but what can I do there?
09:12 <@krzee> well really the openssl, but the only protection against that is ta.key which is also no good in their openvpn version
09:12 <@krzee> not much, it took me forever to solve that
09:12 <@krzee> and definitely required root
09:13 <+hyper_ch> so what sip phone do you recommend for openvpn?
09:13 <@krzee> thats a tough one... i use snoms
09:14 <@krzee> and for mobiles, you must remember that nothing on a cell phone  can be secure
09:14 <+hyper_ch> android with openvpn connect? :)
09:14 <@krzee> nothing on any device with a mobile baseband is secure
09:14 <+hyper_ch> I know
09:14 <@krzee> for my mobiles i found an old android device that had no baseband
09:14 <@krzee> and i bought a shitton when they were still available'
09:15 < lg188> I can technically use the same keys for different servers, right?
09:15 <@krzee> sure you can
09:15 <+hyper_ch> lg188: not only technically but also practically
09:15 <@krzee> but then all clients can connect to both
09:15 <@krzee> you can also generate separate server keys and use both
09:15 < lg188> aha, there's where ccd-exclusive comes in handy
09:16 <@krzee> allowing clients to connect, but giving each server its own cert in the pki
09:16 <@krzee> well sure, but then you're back to managing ccd files
09:16 <@krzee> where as if you use 2 pki, then its just a matter of giving the user a cert from the right pki
09:16 < lg188> If I only need to touch a file with the common-name it's pretty easy
09:16 <@krzee> (and the matching config)
09:17 <@krzee> cool, whatever works for you i guess
09:18 <@krzee> thats not much different than copying a ccd file and changing the ip
09:18 <@krzee> but if it solves the issue for you, then go for it!
09:18 < lg188> well, it doesn't require any logic towards ip
09:19 <@krzee> !static
09:19 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder, or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range, or (#5) See also: !addressing
09:19 <@krzee> ifconfig-push 10.8.0.200 255.255.255.0
09:19 < lg188> I'd have to increment it each time
09:19 <@krzee> not much logic
09:19 < lg188> now it's literally just a file that needs to exist
09:20 <@krzee> yep
09:20 <@krzee> if i were you, thered be no file to exist either
09:20 <@krzee> it would be 2 pki and id just give the user his cert and config
09:20 < lg188> Mhm, fair enough
09:20 < lg188> can I generate a different pki with easy-rsa?
09:20 < lg188> but not dump the old one
09:21 <+hyper_ch> yes
09:21 <@krzee> you can have as many as you want, in their own dirs
09:21 <+hyper_ch> just copy easyrsa to a new folder
09:21 < lg188> oh mhm
09:29 < lg188> the problem is a bit that I need to deploy this to test this
09:29 <+hyper_ch> fire up a VM
09:57 <@dazo> rany_: it is possible to do magic based on IP addresses ... you'll need to look at --client-connect in the man page ... that kicks of a script on each (tls) authenticated client connect ... iirc, the last argument the given script is provided points at a file you can dump CCD entries into, such as specific --keepalive statements ... and there's a lot of env variables you can use to identify what to do
09:59 < lg188> I agree, but the networking is a bit weird
10:12 < eBie> hello
10:14 < eBie> recently my isp has been going on a banning spree, so once that started, i setup openvpn on my dedicated server and have been connected through that, no issues.. however 48 hours ago, it just suddenly stopped working.. is there anything i can do to work around what ever it is that they are doing? if they are doing anything that is..
10:15 < DArqueBishop> eBie:
10:15 < DArqueBishop> !logs
10:15 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
10:15 < eBie> !logfile
10:15 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
10:15 < DArqueBishop> Chances are, though, that you might need something like obfsproxy to get around whatever deep-packet inspection youyr government is forcing your ISP to use.
10:16 < eBie> DArqueBishop lemme grab the log files, how do i set verb to 4?
10:16 < DArqueBishop> eBie: you'd set it in the config file.
10:17 < eBie> client side? or server side?
10:17 < eBie> ahh
10:17 < eBie> i found it
10:17 < eBie> ok
10:17 < eBie> lemme do a connect and grab a verb4 log
10:17 < eBie> i might end up d/cing from here though so give me a second
10:23 <@dazo> !pastebin
10:23 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site, or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups, or (#3) If you're pasting config files, see !configs for grep syntax to remove comments, or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#5) <bibble> termbin is good.
10:23 <@vpnHelper> just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
10:28 < eBie> client-side log: https://pastebin.com/raw/9PCZmEHd    |    server-side log: https://pastebin.com/raw/TsJQA6A9
10:30 < eBie> !welcome
10:30 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
10:30 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
12:23 < eBie> DArqueBishop any decent guide for obfsproxy and openvpn setup?
12:25 < DArqueBishop> !obfs
12:25 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols, or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation, or (#3) in client/server mode an admin can know that openvpn is being
12:25 <@vpnHelper> used. in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
13:14 < deftjack> Any suggestions? https://paste.fedoraproject.org/paste/4Oc~PgEZS4kd8QpNHAa4RF5M1UNdIGYhyRLivL9gydE=
13:14 < deftjack> Interesting to note that this is my own openvpn server yet even with commercial ones (ie: NordVPN) my connections fail to work for similar reasons.
13:17 < deftjack> And I have the CA imported properly from what I can tell.
13:17 < deftjack> In the above case it is self-signed.
13:24 < DArqueBishop> deftjack: seeing the logs from the server side would help. If it's happening on multiple providers, though, something tells me that there might be a MITM attack/interference going on.
13:24 < DArqueBishop> (Just my opinion, which isn't worth all that much today. :-) )
13:24 < deftjack> Server side isnt saying much but LS Error: TTLS key negotiation failed to occur within 60 seconds (check your network connectivity)
13:25 < deftjack> This only happens from my linux client.
13:26 < deftjack> which, while possible, might be under attack or compromised seems far less likely considering how I secure it vs my windows 7 vm (testing) and windows 10 desktop for gaming. heh
13:26 < deftjack> It seems to me it doesnt like my CA.crt for some reason on the client. Anyhow, totally pulling that out of my butt if you will. =)
13:26 < DArqueBishop> That was an important bit of data you left out. ;-)
13:27 < deftjack> Nod. My bad.
13:29 <@Eugene> !blog
13:29 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
13:29 <@Eugene> !howto
13:29 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
13:29 <@Eugene> I am not going to even read a pastebin problem that starts with "I read a guide on _____"
13:30 <@Eugene> It sounds like you need to go cross-check your certificates, and make sure that they're signed correctly. `openssl verify` is the command you want.
13:31 < deftjack> heh. Was JUST doing that and while it says "OK" I also see "error 26 at 0 depth lookup:unsupported certificate purpose" just before the OK.
13:33 <@Eugene> Did you use easy-rsa or something else? It handles all of the certificate purpose flags for you
13:36 < mrjd1981> !clientlan
13:36 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route
13:36 <@vpnHelper> for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
13:36 < rob0> this should get you going on proper routing
13:37 < rob0> then perhaps you do the DNAT at the VPN server?
13:37 < mrjd1981> if the two servers can already talk to each other shouldn't the iptables work anyway?
13:38 < mrjd1981> i can hit both each way. 192.168.24.12 to 192.168.25.2, and vise versa.
13:38 < rob0> can the LAN mail server ping the remote VPN endpoint?
13:38 < mrjd1981> yes
13:39 < rob0> then perhaps you should do the DNAT at the VPN server?
13:39 < deftjack> Eugene: I used easyrsa exactly as is noted in the digitalocean howto.
13:40 < deftjack> With of course my own org, city, etc.
14:03 < Micc> I'm trying to setup an openvpn server with a bridge to my internal network from within a docker container. I'm running the container with --net=host and --cap-add=NET_ADMIN. Do I need to manually create the bridge device with brctl? I've thried creating br0 and putting my internal interface and tap0, but when I connect I still can't access the internal network over the vpn.
14:04 < Micc> I started with a tun server and that worked, but I've modified the config to use tap/bridge because I need my office LAN to have access to the datacenter internal network. Maybe there is a better way?
14:06 < DArqueBishop> Micc:
14:06 < DArqueBishop> !clientlan
14:06 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see
14:06 <@vpnHelper> !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
14:07 <@Eugene> You almost assuredly do not need/want bridging. IP traffic routes just fine. If you think you need bridging for some insane docker thing, I can assure you now that it won't work and you will end up crying if  you try to make openvpn do it.
14:11 < Micc> ok.
14:12 < Micc> So I'm not sure how I give openvpn in the docker container access to my internal network. It just uses the docker network 172.19.x.x
14:17 <@Eugene> Your docker application should have a default gateway that it uses to access the real network.
14:17 <@Eugene> Set up routing access
14:23 < Micc> the internal network doesn't have a gateway, there is no internet access for that network.
14:23 < Micc> So the openvpn server must listen on one IP but route to another.
14:24 <@Eugene> I maintain that Docker networking is insane and you will end up crying
14:24 < Micc> I can give the container access to the host network interfaces. I think I just need the correct config file for the openvpn server.
14:24 <@Eugene> Sorry, its not a tool that I'm very familiar with or think is a good idea.
14:24 <@Eugene> Yes, host network access is what I would suggest
14:25 < Micc> Can you point me to an example openvpn.conf file that would accomplish this?
14:27 < DArqueBishop> Why are you running OpenVPN in a container, anyway?
14:27 < Micc> my datacenter is running only CoreOS container linux.
14:27 < Micc> Everything I do is a container.
14:29 < Micc> Makes for easy duplication. Since I'll need to scale this setup to many machines.
14:30 < Micc> with host networking the openvpn server won't know the difference.
14:32 < deftjack> Seems a VM would provide far better for scalability unless you have containers that can migrate hardware without downtime. Of course this probably isnt the place for that discussion sorry. =)
14:33 < Micc> I'm pretty sure I can adapt the file I have to make this work.
14:35 < Micc> deftjack, I don't need that kind of zero down time. If someone gets disconnected and has to reconnect once in a few years, that's not bad.
14:36 < deftjack> Guess I like reliability combined with maintenance. The true purpose of HA.
14:38 < Micc> Maintenance usually becomes much easier if you put a good load balancer in front, but that's probably hard to do with vpn traffic, it's not a good fit for every situation.
14:38 <@Eugene> My 2c as an Application Architect: containers are just an unnecessary level of bullshit.. VMs already provide application separation(not in an escapable chroot), and you can do all the same image-based verbs on a VMDK just fine. The tooling also sucks way less
14:39 <@Eugene> But that's neither here nor there if you've already settled on Docker
14:39 <@Eugene> I don't think that openvpn is the right tool for the job you want. I would probably just run replication over the open internet using secured protocols(SSH, TLS wrapper, whatever)
14:43 < Micc> Is there an easy way to create an SSH tunnel between the two locations that would route the internal network traffic?
14:44 < deftjack> ssh -D + ip route?
14:45 < deftjack> Though I think that would me less reliable than a dedicate service, etc.
14:46 < Micc> It may be good enough just to do ssh port forwarding
14:48 < deftjack> Seems it would largely depend on application. I use dynamic forwarding all the time but if you need all traffic its going to likely be less reliable than a VPN and some applications are going to have issues.
14:49 < deftjack> EOD VPNs are superior to ssh tunneling in this regard in my experience.
14:50 < deftjack> When you add the complexity of the container networking layer onto a VPN though I personally "got nothing". =/
14:50 < Micc> what is EOD VPN?
14:50 < Micc> deftjack, that goes away by running it in host networking mode.
14:51 < deftjack> End of Day.
14:52 < deftjack> If Im not mistaken does that mode not still do port nat or similar?
14:52 < deftjack> Or are you granting the container full direct hardware access to the network?
14:54 < Micc> daftjack, full direct hardware access to the network.
14:54 < Micc> it will see all the interfaces and everything on the host and no proxy or nat in between.
14:55 < Micc> Anyways, thanks for the help guys. Time to get some work done.
14:55 < deftjack> scarey but ok.  Guess I would start looking at packet traces to see precisely what is going on.
16:44 < nbastin> Is there a way to get openvpn to create a tap interface for every connection, instead of once per daemon?
16:53 < MacGyver> What do you want to accomplish by doing so?
16:53 < MacGyver> (The short answer, afaik, is "no")
16:54 < nbastin> MacGyver: well what I'm most directly trying to accomplish is running fewer openvpn daemons and using fewer UDP ports.. :-)
16:55 < nbastin> MacGyver: we connect each client to their own port in an ethernet fabric
16:55 < nbastin> MacGyver: this works fine, but means I have to run one server per client (or at least, per isolated port)
16:56 < nbastin> MacGyver: which isn't actually so bad, except that it sucks up a lot of UDP ports when it wouldn't need to, for listening
16:56 < MacGyver> Could achieve something similar with just a single daemon, client isolation, and iptables then distributing, I think.
16:57 < nbastin> MacGyver: iptables doesn't provide sufficient L2 isolation (nor does ebtables, for that matter, but would be closer)
16:58 < nbastin> if 20 clients sent LLDP packets, the only way I can tell them apart is by the openvpn session, which I lose track of it I run only one daemon
17:00 < nbastin> (or STP, or any number of multicast L2 control protocols)
17:00 < brianx> nbastin: yes, but it requires multiple instances.
17:01 < nbastin> brianx: sure, I have multiple instances now, which works fine except for the listening port exhaustion problem...
17:01 < brianx> nbastin: there is no way to avoid the multiple instances or ports.  +1 for it existing though.
17:01 < nbastin> brianx: ok...maybe I'll put it on a list of things to loook into when I have free time.. :-)
17:02 < brianx> nbastin: google seems to indicate that this is an ongoing need, but the devs are of another opinion so we don't get it.
17:02 < nbastin> ah
17:02 < nbastin> that is less fortunate
17:02 < brianx> there are requests for this going back a decade.
17:03 < nbastin> I mean technically there's nothing preventing this, but if there's no desire to support the feature even a patch might not find a place
17:03 < brianx> you can always assign more than one ip to the interface so that you get more ports.
17:03 < nbastin> brianx: if I had more than one IP at some locations, sure.. :-)
17:03 < brianx> yeah, that is sometimes difficult.
17:03 < nbastin> esp. for v4-facing clients
17:04 < nbastin> if they can hit a v6 address then usually I have a lot to spare
17:04 < MacGyver> "usually"?
17:04 < daemon> nbastin, if your clients was static, you could use a firewall to map the inbound ports based on src-addr
17:04 < daemon> to something on localhost or an aliased private ip
17:04 < MacGyver> Implying you're ever in a situation where you *don't* have IPv6 space to spare?
17:05 < nbastin> daemon: yeah I was thinking about proxying the incoming connections before they hit the daemon as an option
17:05 < nbastin> MacGyver: there are a few places where I can't get more v6 space from the site admins (obviously a problem of policy, not allocation space)
17:06 < MacGyver> Sounds like a few admins need some attitude adjustment.
17:06 < nbastin> but when I tell them they need to allow incoming connections on 50000 ports, sometimes they won't do that for a large block of IPs.. :-)
17:06 < rob0> I need attitude adjustment
17:07 < daemon> rob0, ebay has pretty decent tools fairly cheap
17:09 < brianx> i'd like a altitude adjustment please.
17:09 <@Eugene> Put a rocket up your ass
17:13 < brianx> lol, i was more thinking a trip to the mountains.  i guess there is no need to be family friendly in this channel.
17:17 < rob0> Eugene would do that to his family.
17:17 <@Eugene> Children should not be allowed on the internet
17:17 <@Eugene> And if you take offense at profane language, fuck off. ;-)
17:18 < rob0> Neither should they have rectal rocketry, but that's a different issue.
17:27 < brianx> as an @, your choice about the format.  i have no objections.
17:28 <@Eugene> Oh, that's just like, my opinion, man.
17:28 <@Eugene> !blame
17:28 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault, or (#2) According to krzee, it's always dazo's fault, or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments, or (#4) cron2 says its always d12fk's fault (and sometimes the customers), or (#5) if it is crypto blame syzzer and plai for acking
17:48 < brianx> lol, nice.
19:12 < jacekowski> hi people, i'm struggling with reallly poor openvpn performance on a mobile connection
19:13 < jacekowski> when i open same web https webpage using ssh socsk forwarding it works decently, but if i do the same using openvpn i t just fails to work
19:13 < jacekowski> both  using tcp and udp mode in openvpn
19:14 < jacekowski> and with mtu set to 1000
19:14 < nacelle> thats a really low mtu fwiw
19:14 < nacelle> maybe try 1300?
19:14 < jacekowski> well, my actual mtu is around 1400
19:14 < nacelle> definitely try for something like 1360 then
19:14 < nacelle> 1340ish maybe
19:15 < jacekowski> but now i'm using tcp mode
19:15 < jacekowski> so mtu should not affect it
19:15 < jacekowski> yet still, i'm getting a ton of retransmissions inside the vpn
19:15 < nacelle> try udp with 1340 mss-mix
19:15 < nacelle> mss-fix
19:15 < jacekowski> didn't work
19:16 < jacekowski> with 1300
19:16 < nacelle> hrmm, maybe not packet size related but something else
19:25 -!- almostworking is now known as almst_mobile
19:25 -!- almst_mobile is now known as almostworking
22:24 < Guiri> Evening everyone.  I've setup OpenVPN in client mode but I'm having trouble with a behavior.  My IPTABLES *should* be routing only a specific user's traffic over the tun0.  And while I can ssh into the machine from the same subnet, I can't from my wireless, which is on a different subnet. This behavior only exhibits when the OpenVPN tun0 is up.
22:24 < Guiri> I was hoping someone more familiar with iptables might help me troublehsoot
22:41 < compsman> i am having issues where openvpn just stalls after hours being connected. i am little confused there is no log
22:42 < compsman> sometimes minutes
--- Day changed Thu Apr 20 2017
03:50 < lg188> do you need to push a route for the network your client is in?
03:53 <+hyper_ch> depends on what you wanna do
04:11 < lg188> I kinda forgot how the ip configuration works heh
04:11 < lg188> So I have two subnets and two servers for them
04:13 < lg188> But I was wondering if you have to do a `push "route 10.0.0.0 255.255.255.0"` if it's inside that network
04:13 < lg188> as in, does it automatically do that?
04:16 < lg188> hyper_ch: I kinda got confused since I was splitting the thing
04:16 <+hyper_ch> depends on what you wanna do
04:16 <+hyper_ch> you say what you keep wondering about
04:16 < lg188> Eh, do I start from scratch?
04:16 <+hyper_ch> but you don't say what your goal is
04:17 <+hyper_ch> !gola
04:17 <+hyper_ch> !goal
04:17 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:17 < lg188> My goal is that I need a pool for clients and a pool for staff
04:18 <+hyper_ch> and what should that pool do?
04:18 < lg188> the clients should not be able to reach anything specific unless the connection came from the staff pool
04:18 <+hyper_ch> what clients?
04:18 <+hyper_ch> I have no idea
04:18 < lg188> from the first pool
04:19 <+hyper_ch> should the clients be able to talk to one another?
04:19 < lg188> Nope
04:19 <+hyper_ch> should the clients be able to talk to staff
04:19 <+hyper_ch> should staff be able to talk to one another
04:19 < lg188> only when iniated by the staff
04:19 <+hyper_ch> shold staff be able to talk to clients
04:19 <+hyper_ch> should clients be able to use the internet through the vpn
04:19 <+hyper_ch> should staff be able to use the internet through the vpn
04:20 < lg188> it's completely internet less
04:20 <+hyper_ch> so staff needs routing to client subnet
04:20 <+hyper_ch> then staff can talk to client
04:21 < lg188> Yeah, I got a basic iptables script for that, which drops any new connections from the clients
04:21 <+hyper_ch> !subnet
04:22 <@vpnHelper> "subnet" is (#1) http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork, or (#2) Want a random subnet generator? See: !randomsubnet, or (#3) You may be looking for !toplogy
04:22 <+hyper_ch> !topology
04:22 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
04:22 <+hyper_ch> hmmm
04:22 <+hyper_ch> that's not it either
04:23 < lg188> brb
04:30 < murkx> hi, i got a problem, running a vpn server, and have some clients normally connected.. but now i got one who is behind an aftr gateway, and that client can't connect, not sure how i can help him though :/
04:32 < murkx> i can't see any connection attempts of that client in my server.log
04:32 <+hyper_ch> murkx: can you run the server on other, more common ports?
04:32 <+hyper_ch> e.g. 443 tcp would be good
04:32 < murkx> so you mean the gateway blocks the connection?
04:33 <+hyper_ch> in many corporate networks you can only use port 80, port 443
04:33 < murkx> i see, thank you so much hyper_ch !
04:33 < murkx> you saved me a lot of time
04:33 <+hyper_ch> it's just a guess
04:34 <+hyper_ch> murkx: or make an iptables rule that will forward port 443 to the normal openvpn port
04:34 <+hyper_ch> if you don't want to run two server instance
04:34 < murkx> that would be a problem, as 443 is already used
04:34 <+hyper_ch> 443 tcp is used?
04:34 <+hyper_ch> could try 443 udp
04:35 <+hyper_ch> 443 tcp is https
04:35 <+hyper_ch> since openvpn uses https
04:35 < murkx> i gotta verify that, one sec
04:35 <+hyper_ch> there would be a good chance that it will go through 443 tcp
04:35 <+hyper_ch> second best guess is 443 udp
04:35 <+hyper_ch> or 80 tcp
04:35 < murkx> actually seems to be open
04:35 <+hyper_ch> 80 udp
04:35 <+hyper_ch> 587 could als be an option (email submission)
04:36 < murkx> nice! so another instance on 443... but i have to change the client configuration too... i gotta figure out how to do that, as this would be the management tunnel and i think he/them don't have root-shell access
04:36 <+hyper_ch> I just guess he's in a network that won't allow many outgoing ports
04:36 <+hyper_ch> client configuration contains port and proto
04:36 <+hyper_ch> just port needs to be changed
04:37 <+hyper_ch> not sure what you mean with management tunnel
04:37 < murkx> anyway, you helped me a lot, i got some new ideas
04:37 <+hyper_ch> port 21 ftp
04:37 <+hyper_ch> por 993 email ssl
04:38 < murkx> i know the common ports ;), thank you hyper_ch
04:38 <+hyper_ch> not 993... it was something different
04:38 < murkx> just have to figure out how to change it on the client...
04:38 <+hyper_ch> your client has to try which ports he can use
04:38 <+hyper_ch> edit config file :)
04:39 < murkx> i would, but the machine is 30000km away ;P
04:39 < murkx> maybe a teamviewer session.. anyway, thanks!
04:39 <+hyper_ch> client is using windows?
04:39 < murkx> -
04:39 < murkx> gentoo
04:40 <+hyper_ch> sudo nano /etc/openvpn/client.conf
04:40 <+hyper_ch> or something like that
04:42 < murkx> yea, i configured the system ;) but didn't know about the gateway :P
04:43 <+hyper_ch> well, it's just an idea
04:43 <+hyper_ch> not sure if that's really the case
04:44 < murkx> i'll give it a shot
06:13 < yarddog> are somewhat offtopic links allowed in here?
06:22 <@dazo> yarddog: unless it distracts or disturbs currently on-going discussions, some off topic discussions are allowed ... but probably try to keep it technical ;-)
06:25 < yarddog> https://www.theregister.co.uk/2017/04/19/nsa_fbi_spy_on_us_for_our_protection/?page=1
06:25 <@vpnHelper> Title: We're spying on you for your own protection, says NSA, FBI • The Register (at www.theregister.co.uk)
06:25 <@dazo> I wouldn't call that off-topic even ;-)
06:26 < iheartlinux>   /quit
06:27 < yarddog> ok :)
06:30 <@dazo> "The intelligence agencies claim that it affects very few US citizens and so Congress has persistently asked what that number is: how many US citizens are included in the 702 database? [...] irst asked that question a year ago – April 2016. There is still no answer. [...] says that the agencies are "working to produce a relevant metric" to inform discussions."
06:31 <@dazo> Hmmm ... that sounds more like:  "How can we make it reasonable that 400+ millions US citizens are registered in that database
06:34 < yarddog> i'm just furious, ive gone to a vpn and tor over all this, plus a judge has a right to write a warrant for anywhere in the US
06:35 <@dazo> yeah, this is bad
06:35 < yarddog> yep
06:36 < yarddog> i feel like ppl that say 'i have nothing to hide, so i dont care' is like saying 'the first amendment dont apply to me as i have nothing to say'
06:38 <@dazo> that's basically what Snowden said too :) https://www.reddit.com/r/IAmA/comments/36ru89/just_days_left_to_kill_mass_surveillance_under/crglgh2/
06:38 <@vpnHelper> Title: SuddenlySnowden comments on Just days left to kill mass surveillance under Section 215 of the Patriot Act. We are Edward Snowden and the ACLU’s Jameel Jaffer. AUA. (at www.reddit.com)
06:39 < yarddog> that's probably where i got it from :)
06:39 <@dazo> heh :)
07:15 < TECFALL> I want to push routes from server but how do I delete a specific pushed route on the client side? Can you use nopull to not pull a single specific route?
07:42 -!- s7r_ [~s7r@openvpn/user/s7r] has joined #openvpn
07:42 -!- mode/#openvpn [+v s7r_] by ChanServ
07:42 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Disconnected.]
07:42 -!- s7r_ is now known as s7r
08:16 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Disconnected.]
08:19 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
08:19 -!- mode/#openvpn [+v s7r] by ChanServ
08:33 < brokensyntax> So, cert chaining fixed my issue yesterday, now TLS handshake timeouts... https://pastebin.com/e0VPWQGZ I'll have to look at what the server is seeing.
08:33 < brokensyntax> Still haven't gotten the new server working fully.
09:43 < anotherus3r> hi can I use more then one openvpn client on same system?
09:47 <@krzee> sure
09:47 < rob0> of course.  But be aware that clients which redirect the gateway will cause problems for other client (and server, and p2p) instances.
09:47 <@krzee> smallaptop ~ # ps auxw|grep [v]pn|wc -l
09:47 <@krzee> 5
09:47 <@krzee> im currently connected to 5
09:52 < rob0> showoff ;)
09:52 < brokensyntax> :P
09:52 < brokensyntax> anotherus3r: Essentially it comes down to route table management.
09:53 < rob0> If no two instances are trying to route the same networks, no problem.
09:57  * brokensyntax wracks brain over this damn TLS negotiation timeout.
09:58 < brokensyntax> Testing in office, so HW firewall not an issue, iptables accepting all udp on given ports. netstat says listening on the expected port, disabled winblows firewall on client...
09:59 <@krzee> !timeout
09:59 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or one of the ISPs blocks it
10:02 < brokensyntax> krzee: And as you can see I've eliminated all of the common causes :(
10:02 < DArqueBishop> brokensyntax: logs from the server would be useful.
10:04 < rob0> test name resolution if you are using it.  Try using the IP address instead.
10:09 <@krzee> brokensyntax: so tcpdump everywhere in between and see where its getting stopped
10:35 < lg188> Is it possible to find out which common name is associated with a certain ip?
10:35 < lg188> once the server is started
10:35 < lg188> (and a client is connected)
10:38 < lg188> OH, right, you can dump data like that to a file, right?
10:52 <@dazo> lg188: --status ... and/or --management
10:53 < lg188> That was with telnet, right?
10:53 <@dazo> lg188: --management, yes
11:14 < arunpyasi> Hello there, Can I access tcp protocols via UDP openvpn connection ?
11:16 < rob0> you need to understand the concept of a tunnel.  You get an IP address in that tunnel.  Any IP subprotocol will work in it.
11:18 -!- poster is now known as Poster
11:28 < arunpyasi> rob0, thanks for your answer
11:54 < arunpyasi> hello
12:12 < arunpyasi> How do I forward an IP cam's RTSP from client1 to server ?
12:24 < DArqueBishop> arunpyasi: if it's a port forwarding, you could do port forwarding from the server to the IP cam's port.
12:28 < arunpyasi> DArqueBishop, I need port forwarding from IP Cam's port to client's IP:554
12:28 < arunpyasi> DArqueBishop, how do I do that ?
12:29 < arunpyasi> DArqueBishop, http://dpaste.com/0499T1Z is what I tried with 10.8.0.2 as the ip of VPN client.
12:30 < DArqueBishop> I'm not sure I understand.
12:30 < arunpyasi> DArqueBishop, which part you didn't understand ?
12:30 < DArqueBishop> Is the IP camera separate from cam 1?
12:30 < DArqueBishop> s/cam 1/client 1/
12:31 < arunpyasi> DArqueBishop, the IP Camera has ip address 192.168.1.100 and the client NAT ip is 192.168.1.101
12:31 < arunpyasi> DArqueBishop, the IP it got from the tun is 10.8.0.2
12:31 < DArqueBishop> So, what exactly are you trying to accomplish here? Are you trying to make the IP camera accessible through the VPN?
12:32 < arunpyasi> DArqueBishop, yes please
12:32 < DArqueBishop> So, there are two options.
12:33 < DArqueBishop> The first is what you're attempting to accomplish, and have port 10.8.0.2:554 forward to 192.168.1.100:554.
12:33 < DArqueBishop> That's standard netfilter and really outside the scope of this channel.
12:34 < arunpyasi> DArqueBishop, I want 192.168.1.100:554 forwarded to 10.8.0.2:554
12:34 < arunpyasi> DArqueBishop, so, what is the second option ?
12:35 < brokensyntax> Boo, looks like an issue with client cert generation, now I'll have to rip apart this script from co-worker *whimpers*
12:35 < DArqueBishop> The second (and a better option IMHO) would be to make the entire LAN behind client 1 accessible to the VPN. The advantage is that you don't need to muck with port forwarding and can access the camera at its regular IP address. The disadvantage is that you need access to your LAN'
12:35 < DArqueBishop> Er, to your LAN's router to tell it to send any traffic for the VPN through client 1.
12:35 < DArqueBishop> !clientlan
12:35 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see
12:35 <@vpnHelper> !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
12:36 < brokensyntax> DArqueBishop: essentially turning client 1 into a VPN router/concentrator, and running a site-to-site.
12:36 < DArqueBishop> brokensyntax: in essence, yes.
12:37 < DArqueBishop> If you want to go with option 1, I'd recommend trying #netfilter.
12:38 < brokensyntax> only worth mentioning the essence of it, in that it may be worth moving it to a deciated client if you're security concious about what passes through Client 1 from Client-Lan1
12:38 < arunpyasi> DArqueBishop, the thing is, if I go with option 2, I will have ip conflicts as I will have multiple networks with IP 192.168.1.x :(
12:39 < DArqueBishop> arunpyasi: it's usually saner to use something other than 192.168.1.0/24 or 192.168.0.0/24.
12:39  * DArqueBishop hasn't used 192.168.1.0/24 in probably over a decade.
12:39 <@ecrist> !1918
12:39 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#3) See !5737 for addresses to use for examples and documentation, or (#4) See !conflict for common conflicting address spaces.
12:41 < arunpyasi> DArqueBishop, hmm
12:41 < arunpyasi> DArqueBishop, so, netfilter seems what I need to do !
13:23 < monsterco> I see these types of errors - what does this mean? am I getting disconnected or there is an issue in configs?: http://dpaste.com/25MC96F
13:24 < monsterco> http://dpaste.com/1WRYM4G
13:46 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Disconnected.]
13:49 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
13:49 -!- mode/#openvpn [+v s7r] by ChanServ
13:53 < monsterco> anyone?
13:53 < monsterco> What is this? TLS Error: TLS handshake failed
14:24 < brokensyntax> DArqueBishop: yeah I avoid .1/24 whenever possible.
14:25 < brokensyntax> .0.0, .1.0, and .2.0 are all defaults on various providers equipment and mfg devices.
15:38 -!- poster is now known as Poster
19:39 <@ordex> aloha
19:54 < ddaughtrey> !welcome
19:54 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
19:54 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
19:55 < ddaughtrey> Hello
19:59 < MacGyver> Now I'm curious.
19:59 < MacGyver> !1925
19:59 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
20:02 <@ordex> lol
20:40 -!- remirol is now known as lorimer
23:15 < arunpyasi> Hi everyone
23:15 < arunpyasi> DArqueBishop, hi
23:21 < arunpyasi> I am not getting a simple easy to follow guide on making the IP static, how do I do that ?
--- Day changed Fri Apr 21 2017
02:34 < zoredache> arunpyasi: not sure about guides, but the answer usually is to make sure  you are setup with a client config dir, then push a specific ip in the ccd
02:35 < zoredache> so something like `ifconfig-push 192.168.64.17 255.255.255.0` in the client config file for a specific client
04:12 < rany_> thanks dazo
06:04 <@krzee> !static
06:04 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder, or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range, or (#5) See also: !addressing
07:54 < Phrk_> Hello, i don't understand, i made a very simple python script on my server but i got a (--auth-user-pass-verify): external program exited with error status: 1
09:02 <@dazo> Phrk_: does your program exit with sys.exit(1) on failure and sys.exit(0) on success?
09:04 <@dazo> Phrk_: if so ... then you'll need to do some debugging on the values you receive from OpenVPN ... also check that --script-security is set correctly in your openvpn config too
09:08 < brianx> !tunortap
09:08 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
09:08 <@vpnHelper> rooted/jailbroken) support only tun
09:16 < mjt> !wins
09:16 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
09:41 < Phrk_> dazo, of course
09:42 < Phrk_> i have script-security 2
09:42 < Phrk_> i tried to make my script output a log file when used
09:42 < Phrk_> but it doesn't make a log
09:42 < Phrk_> so openvpn don't even launch the script
09:42 <@dazo> have you tried to run the script directly from the command line?
09:43 < Phrk_> of course it's works
09:43 <@dazo> okay
09:43 <@dazo> !logs
09:43 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
09:43 <@dazo> --verb 4 is crucial in case
09:44 < Phrk_> but i'm sure it's something simple, what is the usecase for script-verify ? just script-security ? and that's all ?
09:44 < Phrk_> Do i need to specify the --tmp file ?
09:47 <@dazo> !man   --script-security is fairly well documented there
09:47 <@dazo> !man
09:47 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
09:47 <@dazo> --tmp should point at a directory if used ... defaults to system tmp dir
09:50 <@krzee> --tmp matters more if you in a --chroot
09:50 <@krzee> otherwise system --tmp will probably work just fine
09:51 <@krzee> Phrk_: does your app have a valid shbang? is it +x?
09:53 <@krzee> if dropping permissions, does the user that you drop to have permission to run it?
09:53 <@dazo> oh and also +x access to the complete dir path to the script
09:54 <@krzee> ^^
09:55 <@dazo> and of course ... if this is on a system with SELinux .... there are even more access control restrictions which needs to pass
09:56 <@krzee> good call, that would be evident in system logs ^
09:56 <@dazo> I'm wondering if failed execution would even appear in openvpn logs .... otherwise, there's usually /var/log/audit/audit.log (if not found in /var/log/messages)
09:58 <@krzee> external program exited with error status: 1
09:58 <@dazo> true ... that does sounds like the script did run though
09:58 <@krzee> or failed shbang or perms
09:58 <@dazo> Phrk_: are you using --chroot?
09:58 <@krzee> also, what language is the script in?
09:58 <@dazo> Python
09:59 <@krzee> oh if it were bash id say to set -x and redirect stderr to stdout
10:00 < Phrk_> krzee, yes it is x
10:00 < Phrk_> and i don't using chroot
10:00 < Phrk_> the script and the user that openvpn is the same
10:00 < Phrk_> that openvpn use*
10:01 <@dazo> Phrk_: which OS?
10:01 <@dazo> and ... still .... !logs
10:01 < Phrk_> Debian
10:01 < Phrk_> 8
10:01 <@krzee> proper shbang to a valid exec?
10:01 < Phrk_> what do you mean ?
10:02 <@krzee> show me line 1 of your script
10:02 <@krzee> head -n1 <script>
10:02 < Phrk_> #!/usr/bin/env python3
10:03 <@krzee> hey dazo, should that work?
10:03 <@krzee> Phrk_: for testing can you set that to your actual python binary?
10:04 <@krzee> i know openvpn is more picky than the shell about the shbang
10:05 < rob0> try "/usr/bin/env python3", do you get a python shell?  (Exit it with Ctrl-D)
10:05 < Phrk_> yes rob0
10:05 <@krzee> whereis python3
10:05 < Phrk_> i don't know the default path of p3
10:05 <@krzee> that'll get you the path
10:05 < Phrk_> ah ok /usr/bin/python3
10:06 <@krzee> so change the first line to #!/usr/bin/python3
10:06 <@dazo> yesh, that shebang should work ... not considered safe any more (as it parses $PATH, which can be overridden by the caller), but should work
10:06 <@krzee> just to test
10:07 < Phrk_> i go back
10:07 <@krzee> if that doesnt work, i figure next is to see his config and log
10:08 <@krzee> and script
10:08 <@dazo> yeah
10:09 <@krzee> i see your address changed... is that a sign of success?
10:11 < Phrk_> nope just using a safe connection like that i doesn't need to reconnect every 5sec
10:11 <@krzee> so same error?
10:11 < Phrk_> 1min
10:12 <@krzee> after testing, if still same error please post your config, log, and script for us
10:13 < Phrk_> ok same error i will try
10:13 <@krzee> !pastebin
10:13 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site, or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups, or (#3) If you're pasting config files, see !configs for grep syntax to remove comments, or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#5) <bibble> termbin is
10:13 <@vpnHelper> good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
10:16 < Phrk_> one question
10:16 <@krzee> three answers
10:16 < Phrk_> if i get "TLS Auth Error: Auth Username/Password verification failed for peer" just after the auth-script failed, it is normal ?
10:16 < DArqueBishop> Seven caveats.
10:16 <@dazo> Phrk_: yes
10:16 < Phrk_> ok because the script didn't answer 1
10:16 <@krzee> ya totally, thats whats supposed to happen
10:17 <@krzee> that specific script must exit success for the password to be valid
10:17 <@krzee> thats how the script says the pass is valid
10:18 <@krzee> can you replace it with a python script that ONLY logs that it ran, and exits success?
10:18 <@krzee> and then be sure that the user who runs the script has permission to write to where its logging to
10:19 <@krzee> cause   <dazo> true ... that does sounds like the script did run though      <--- i feel the same
10:22 <@dazo> I often try to run the openvpn without --daemon and no --log (get console logging) and from the command line ... doing logging to stdout from the script ...
10:22 <@krzee> !script
10:22 <@vpnHelper> "script" is (#1) See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR, or (#2) to see all vars available to a script, you can env > /tmp/env, or (#3) if using bash you can put exec 2>&1 in the first line of your script and it will send all error output to
10:22 <@vpnHelper> your openvpn log. set -x as well to show your commands as they are executed
10:22 <@krzee> like !script #3
10:23 <@dazo> yeah, I sometimes even don't trust that #3 really happens :-P
10:23 <@krzee> then you get stdout stderr and a summary of every command ran
10:23 <@dazo> yeah
10:27 < Phrk_> ok here it is : https://gist.github.com/anonymous/38dcadfe60c15e26162741dcd5b4a481
10:27 <@vpnHelper> Title: Config openvpn · GitHub (at gist.github.com)
10:35 <@dazo> Phrk_: got logs as well?
10:36 < Phrk_> yes but what are you looking for ?
10:36 < rob0> the part you thought was insignificant ;)
10:36 < Phrk_> :)
10:37 < Phrk_> but the config is correct ?
10:37 <@dazo> Phrk_: we want logs from the point openvpn starts and until it stops running
10:37 <@dazo> configs at first glance looks good
10:37 <@dazo> (and by just saying that, I might find some issues :-P)
10:38 < rob0> we'd need the logs to know if a config is correct, in most cases
10:38 <@dazo> Phrk_: you might need --script-security 3, actually ... otherwise the script won't get the username/password .... I think the description in the man page might be somewhat misleading, but I'll have to test it to fully verify it
10:39 <@dazo> rob0++
10:42 < Phrk_> dazo, i think the 3 is for the variable auth
10:42 <@dazo> Phrk_: yeah, that's what the man page says ... but I need to fully verify it in the code
10:51 < Phrk_> here is the log from journalctl : https://gist.github.com/anonymous/47dc4318e7aa4b3d81ee6563a5bc64ae
10:52 <@vpnHelper> Title: LOG journalctl · GitHub (at gist.github.com)
10:52 <@dazo> that's far from a complete --verb 4 log ... and it is mangled
10:54 < Phrk_> oh where openvpn output his log with systemd ?
10:54 <@dazo> add --log /var/log/openvpn.log .... and pastebin that file completely, no mangling
10:54 < Phrk_> you mean the server or the client ?
10:54 <@dazo> server
10:57 < Phrk_> maybe  auth_user_pass_file = '[UNDEF]' ?
10:57 <@dazo> nope, that's fine on the server side
10:58 < Phrk_> file creation is automatic ?
10:58 <@krzee> auth-user-pass is the client
10:58 <@krzee> auth-user-pass-verify is the server
10:58 < Phrk_> ah ok
10:59 <@dazo> Phrk_: what krzee said ... the file name the server uses is generated on-the-fly just before calling the script
11:00 <@dazo> and the filename is somewhat randomized
11:00 <@krzee> [08:13] <krzee> can you replace it with a python script that ONLY logs that it ran, and exits success?
11:00 <@krzee> [08:13] <krzee> and then be sure that the user who runs the script has permission to write to where its logging to
11:00 <@krzee> did you do that?
11:00 < Phrk_> ok what is the path ? Maybe the script doesn't have the access
11:01 <@dazo> Phrk_: that's the --tmp-dir ... which usually is /tmp on *nix platforms
11:03 < Phrk_> i made a file.write('check log') at every step on my python script
11:03 < Phrk_> and i have no log.txt
11:03 < Phrk_> so there is a problem with the script
11:04 <@dazo> 'check log'?  with a space?
11:04 <@krzee> which is why im asking you to simplify the shit out of it
11:04 < Phrk_> the check log work i tested it with python3 auth.py
11:05 <@krzee> since you wont do what im asking im considering giving you a test bash script, and if that works calling it a problem in your script
11:05 <@dazo> Phrk_: also try to use an absolute path to that check log
11:05 <@krzee> wanna try that?
11:05 < Phrk_> krzee, yeah but sorry maybe i don't understood what you was asking
11:06 < Phrk_> ohhhh yeah dazo that probably the problem
11:06 <@krzee> make a 3 line script, first line shbang, second line echo to a file, third line exit success
11:10 <@krzee> after testing if dazo just solved the problem ;]
11:10 < Phrk_> FUCKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
11:10 < Phrk_> sorry
11:10 < Phrk_> it works now
11:10 <@krzee> dazo++
11:11 < Phrk_> well i don't really know why, i edited so much the auth script, a space somewhere
11:12 <@krzee> an extra space should have given an error when running from commandline, shouldnt it have?
11:13 < Phrk_> well, i don't understand
11:13 < Phrk_> why now it's working
11:16 <@dazo> unless you have a backup of the script failing so you can diff it ... then it's hard to tell what went wrong
11:16 <@dazo> (which is why I often do 'git init; git add . .... to at least have a reference point)
11:17 <@dazo> (once done, it's just to do   rm -rf .git/ ... and it's all clean again ... unless you want to start doing some dev tracking and start committing changes)
11:21 < Phrk_> anyway thx guys
11:22 < Phrk_> dazo, yeah i have git on local, but i started to edit the file directly on serv, my bad i was too nervous
11:35 < Phrk_> if on the server side i made a PUSH DNS
11:35 < Phrk_> on the client side i need to use --script-security 2 ?
11:47 <@dazo> Phrk_: if you're using --up on the client side, yes
12:16 < brianx> dazo: thanks for your help with --tls-client/--tls-server the other day. i have multiple instances but it works the way i want otherwise.  linux handles routing and the tunnels are just tunnels as needed.
12:18 < brianx> still struggling a bit with policy based routing, but that's just me and not the tools.
12:26 < Kyoku> i'm getting incredibly slow dns lookups when I use setenv opt block-outside-dns on windows client, anyone know a way to fix it?
12:27 < Kyoku> Using OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
12:29 < Kyoku> Config https://pastebin.com/b6RW3Nca
12:33 <@ecrist> krzee: I rated you a "1"
12:49 <@krzee> 1 out of 1?
12:49 <@krzee> :D
12:49 <@krzee> im not sure what you mean
12:50 <@ecrist> Packt sent me a survey
12:50 <@krzee> ohh that, i should do that soon
12:50 <@ecrist> I was teasing, but they asked me to rate the Technical Reviewer
12:50 <@krzee> im #1!
12:54 <@krzee> oh weird, they dont ask me about you
12:56 <@ecrist> sucker
12:56 <@ecrist> I'm a special snowflake
12:57 <@krzee> lol
12:57 <@krzee> i guess i reviewed all your chapters, they have what they want from me regarding you as an author
12:57 <@ecrist> true
12:58 <@ecrist> I'm still a special snowflake, though, right?
12:58 <@krzee> of course
12:58 <@ecrist> haha, sucker
12:59 <@ecrist> do you ever find yourself amusing?  I laugh at myself a lot.
12:59 <@ecrist> even if noone else is
14:05 <@krzee> all the time
14:05 <@krzee> lol
14:07 < rob0> I laugh at BOTH of you all the time. :)
14:08 < rob0> krzee, so, did you enjoy your 4-20 yesterday?
14:08 <@krzee> of course, still enjoying
14:08 < rob0> haha, good
15:22 < UmbraTytan> Anyone have experience with DDWRT/OpenVPN and route based bypass of the VPN? Like for netflix to work.
15:23 < rob0> !ddwrt
15:23 < rob0> !dd-wrt
15:24 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN, or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783, or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536, or (#4) And the
15:24 <@vpnHelper> security focus still seems to need improvements: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=279467 (hint: dd-wrt company does not do this effort + no reference to any security fixes)
15:25 < UmbraTytan> Accidently closed it out, sorry about that.
15:25 < rob0> !dd-wrt
15:25 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN, or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783, or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536, or (#4) And the
15:25 <@vpnHelper> security focus still seems to need improvements: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=279467 (hint: dd-wrt company does not do this effort + no reference to any security fixes)
15:27 < UmbraTytan> @rob0 well then, TIL. What would you suggest as an alternative to putting my entire network behind a VPN then?
15:27 <@dazo> UmbraTytan: consider openwrt (https://openwrt.org/ ) or lede (https://lede-project.org/ )
15:27 <@vpnHelper> Title: OpenWrt (at openwrt.org)
15:28 < UmbraTytan> @dazo, Thanks, I'll look at both of those after work.
15:28 <@dazo> UmbraTytan: to be honest ... with the security track the dd-wrt community and company have ... I would never dare to put it on a network with a public IP
15:29 < UmbraTytan> @dazo, I must have missed all of that, thanks for the headsup. I thought they were fairly privacy friendly. I'm gonna presume that openwrt has a fairly similar setup for making it use OpenVPN?
15:30 <@dazo> UmbraTytan: they do in deed talk that talk, but they don't walk it
15:31 < rob0> I think most of the openwrt people moved to lede
15:31 < rob0> so I would consider lede first
15:32 < UmbraTytan> Alright, well I will be swapping to one of the two tonight then. Thanks you two.  How do you setup a bypass in either of those?
15:32 < DArqueBishop> Agreed. The latest version of OpenWRT is 15.05.1 (IIRC), while LEDE is at 17.01.
15:32 <@dazo> Yeah, agreed .... but I think I read an LWN.net article a few months ago that they are beginning to try to find together again
15:32 < DArqueBishop> I moved from OpenWRT to LEDE a couple of months ago.
15:32 < UmbraTytan> So that 1 domain, for example netflix, would use my actual ISP versus my vpn, it's horrendiously slow on my VPN currently.
15:32 < rob0> Lede has a channel for help with their system.
15:32 < UmbraTytan> #lede I'll presume?
15:33 < DArqueBishop> #lede-dev.
15:33 < rob0> Linux is Linux, but there are details specific to the distro.
15:33 < DArqueBishop> !route-by-app
15:33 < DArqueBishop> Grm.
15:33  * DArqueBishop checks the factoid list.
15:33 <@dazo> DArqueBishop: did a full reflash, or upgraded from openwrt to lede via sysupgrade?  How much of the configs had to be redone?
15:33 < rob0> !factoids search route
15:33 <@vpnHelper> 'dlink_static_route', 'external_routes', 'iroute', 'ppp_defaultroute', 'route', 'route-nopull', 'route_outside_openvpn', 'route_outside_ovpn', 'route_override', 'routebyapp', 'router', 'splitroute', and 'winroute'
15:34 < DArqueBishop> !routebyapp
15:34 < rob0> !routebyapp
15:34 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination., or (#2) Alternatively, read up about Policy Routing to make routing decisions based on
15:34 <@vpnHelper> defined policies you set. For Linux, read about !lartc
15:34 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination., or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
15:34 <@vpnHelper> policies you set. For Linux, read about !lartc
15:34 < rob0> sorry
15:34 < rob0> very laggy connection here
15:34 < UmbraTytan> Cool my router is supported on lede.
15:35 < DArqueBishop> dazo: I used sysupgrade. I'm pretty sure I didn't have to change any configs.
15:35 < UmbraTytan> Thanks, I'll get lede running tonight, and then try again. Maybe reachout on lede-dev first. Thanks for the info everyone
15:35 <@dazo> cool!  Then that's what I'll be doing soon then :)
15:36 < UmbraTytan> !route_outside_openvpn
15:36 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
15:47 < UmbraTytan> Should I be fine to just flash from dd-wrt straight to lede?
17:14 < Kyoku_> !goal
17:14 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:14 -!- Kyoku_ is now known as Kyoku
17:24 -!- dazo [~dazo@openvpn/corp/developer/dazo] has left #openvpn ["Leaving"]
17:24 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
17:24 -!- mode/#openvpn [+o dazo] by ChanServ
18:46 < Kyoku> can anyone answer this please http://stackoverflow.com/questions/43553306/how-can-i-reduce-the-delay-caused-by-openvpn-block-outside-dns-option
18:46 <@vpnHelper> Title: vpn - How can I reduce the delay caused by openvpn block-outside-dns option? - Stack Overflow (at stackoverflow.com)
20:20 < dorp> Hello, I was wondering if it's possible to override/negate config options- by specifying a command-line option?
20:21 < dorp> For example, if I have a config file with --persist-tun ... is it possible to call openvpn with said config file, and add an command-line option to negate it? --no-persist-tun , or the like?
20:28 < rob0> command line options do indeed override what's in the config file
20:28 < rob0> but perhaps another option is to edit the config file
20:38 < dorp> rob0: Is it possible to negate an option?
20:40 < dorp> (I fetch the config files from a remote provider, so it would be easier if I could negate a specific option, instead of writing a script to strip options from the fetched config files)
21:03 < rob0> some options, sure
21:03 < rob0> others maybe not
21:03 < dorp> I see
21:04 < ExtraSteve> I've got a vpn tunnel set up on a private server - since I have multiple computers connected to it from different locations, can I connect them together on a "local" network?
21:04 < ExtraSteve> While also tunneling traffic
21:24 <@ordex> hi
21:24 <@ordex> ExtraSteve: sure
21:25 <@ordex> ExtraSteve: you wanna check "--client-to-client" in the man page
21:25 <@ordex> this is not like a "LAN", but allows IP communications between them all
--- Day changed Sat Apr 22 2017
08:40 < ExtraSteve> ordex: thanks!!
08:40 <@ordex> np
08:52 -!- DeathShot_ is now known as DeathShot
09:19 < idler> I'm having an issue with openvpn.. I have a server that until yesterday had 0 issues with openvpn for almost a year and yesterday i had to connect and restarted the service ( I assumed that the problem was the ram was almost at 100% usage ) and everything worked again. today I tried to connect and I get TLS handshake failed. no piece of software has changed either on the client or the server. neither has the firewall, I have also tested it with
09:19 < idler> netcat and I can send and receive data.
09:22 < idler> the server is on a eurpean country so droping TLS packets shouldn't be the problem....
09:27 < idler> so tcp works, udp doesn't
11:04 < idler> it seems my ISP is dropping TLS on UDP...
11:58 < ntldr> Is it okay to ask here question related to one service and how openvpn certs work?
12:23 < Knyaz> hello. from freeopenvpn.org i downloaded the config, but the password I cannot see
12:25 < ntldr> ew pia
12:49 <@krzee> ntldr:
12:49 <@krzee> !pki
12:49 <@vpnHelper> "pki" is (#1) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed specially as a server (see !servercert), or (#2) !certman for various PKI management tools, or (#3) see !intro-to-pki
12:51 < ntldr> krzee: https://cryptostorm.org/viewtopic.php?t=6792#p10769
12:51 <@vpnHelper> Title: mullvad.net - cryptostorm's community forum (at cryptostorm.org)
12:51 <@krzee> i have no interest in troubleshooting some providers setup
12:51 <@krzee> !provider
12:51 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team., or (#2) Please contact their support team.
12:53 < ntldr> k
13:11 < Elronnd> !welcome
13:11 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
13:11 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
13:14 < Elronnd> I'm having some trouble with the ios client.  I started an openvpn server by going into /usr/share/doc/openvpn/examples, removing the existing certs/keys and generating new ones with the script.  I copied the relevant ones into /etc/openvpn and started the server.  I changed the hostname in the example client.conf to that of my vps, changed the ext to .ovpn, and copied the relevant files over to where I
13:14 < Elronnd> could put them on my iphone with itunes.  But when I try to connect from the app, it tries for a while and then says that it timed out
13:17 < semitones> Hey y'all. I don't understand open vnc very well. Everything was working, but then I changed my IP distribution to 192.168.2.x and reset up everything. I put my gateway, DNS server, and wins server in the config as normal, but now I have problems accessing machines on the network and can't connect to the internet. Is there a magic command line fix I need to run
13:33 <@krzee> Elronnd: i dont suggest trying your first client connection with ios
13:33 <@krzee> first be sure the config and the server are working with a client on a more usable OS
13:33 <@krzee> then once you know everything works fine, go for ios
13:34 < Elronnd> good idea
13:34 < Elronnd> one sec
13:34 <@krzee> semitones: you probably broke your routing
13:34 <@krzee> semitones: it would help to know what you expect the vpn to do...
13:34 <@krzee> "but now I have problems accessing machines on the network and can't connect to the internet"
13:35 <@krzee> from that i assume you mean you cant access the lan behind the server or route to the internet
13:35 <@krzee> you never mentioned what 192.168.2.x is
13:35 <@krzee> but im sure you broke routing somewhere
13:35 <@krzee> if i was right on my assumptions, then try these flowcharts:
13:35 <@krzee> !serverlan
13:35 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
13:35 <@krzee> !redirect
13:35 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
13:36 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
13:37 < Elronnd> krzee: ok, I ran locally, and now it's stuck on "Sat Apr 22 11:31:54 2017 UDP link remote: [AF_INET]xx.xx.xx.xx:1194"
13:37 <@krzee> !timeout
13:37 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or one of the ISPs blocks it
13:37 <@krzee> general networking ;]
13:38 < Elronnd> hmmmm, on the server I see this
13:38 < Elronnd> Sat Apr 22 18:33:19 2017 Authenticate/Decrypt packet error: packet HMAC authentication failed
13:38 < Elronnd> Sat Apr 22 18:33:19 2017 TLS Error: incoming packet authentication failed from [AF_INET]207.192.244.2:37047
13:38 < Elronnd> related?
13:42 <@krzee> !hmac
13:42 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the tls
13:42 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
13:42 <@krzee> bbl
13:43 < Elronnd> yeah, I think I found it
13:54 < Elronnd> hmmm
13:54 < Elronnd> now there are no errors when I run it, but my public ip appears unchanged.  Shouldn't I look like I'm coming from my vps now?
13:58 <@krzee> not by default
13:58 <@krzee> !redirect
13:58 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
13:58 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
14:23 < Elronnd> okay, now when I start up  the client, I can't access the internet
14:51 < kerio> hello, what's the simplest way of setting up a point-to-point link? static key mode only supports -CBC
14:52 < kerio> would it work, for instance, if i put the other endpoint's self-signed certificate as a ca?
17:33 -!- haasn is now known as hanna
17:33 < jamesaxl> hi
17:34 < jamesaxl> thanks a lot for OpenVNP developer and also for the author of OpenVPN Cookbook - Second Edition by Jan Just Keijser
18:40 < Zabot> I've got an OpenVPN set up that works fine in TUN mode, but I need the VPN'ed clients to be on the same network and when I change to TAP mode everything breaks
18:42 < Zabot> Alternatively, I can't ping between VPN clients and local clients on the same subnet in TUN mode
18:49 < rob0> "need the VPN'ed clients to be on the same network," what does that mean exactly, and why?
18:50 < rob0> !serverlan
18:50 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
18:55 < Zabot> I'm alive, hexchat was being dumb
18:57 < Zabot> I've got an OpenVPN server running on the same subnet as some other machines (192.168.1.0/24), and I need VPN clients to also be on that same subnet
19:00 < rob0> I don't understand that need, also:
19:01 < rob0> !welcome
19:01 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
19:01 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
19:01 < rob0> see ^^ #8
19:02 < rob0> why can you simply route your VPN clients to the necessary subnet?
19:02 < rob0> s/can/can't/
19:03 < Zabot> You mean put the clients on a separate subnet and route the traffic?
19:24 <@krzee> jamesaxl: i like that book too =]
20:42 < Chuckoy> !welcome
20:42 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
20:42 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
20:43 < Chuckoy> !goal remote subnet is not accessible from clients after rebooting
20:44 < Chuckoy> !goal
20:44 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:45 < Chuckoy> Remote subnet is not accessible from clients after rebooting
21:29 < DasBonkers> Hello question would it be possible to setup a inverse split tunnel with OpenVPN on Windows? With it actually being feasible I want my gaming traffic to be outside my VPN but the rest in it.
21:30 < DasBonkers> basically everything except certain games csgo, overwatch (the ones were ping actually matter)
21:32 < DasBonkers> i know its a very generic question but is it even feasible to do so?
21:59 < semitones> Hey y'all. Is there a good procedur somewhere for troubleshooting DNS problems?
22:00 < semitones> I'm reading the logs and I can see that it's having trouble with my WINS server, but it also can't seem to find any internet websites
22:00 < Elronnd> are you sure it's a dns problem
22:00 < Elronnd> can you connect via ip directly?
22:03 < semitones> Um. I can connect to local IP addresses, but not internet ones so much
22:38 < semitones> For example, Elronnd, I can ssh into the server over the VPN connection. But I can't access purple.com
22:39 < semitones> I can even ping 8.8.8.8
22:41 < Elronnd> ok
22:44 < semitones> does that sound like dns to you or some other type of thing
22:49 < SynfulAck> Anyone know what I need to do to get routing working between local-lans when a node is connected to the vpn? After i invoke "sudo openvpn 'config-filename-goes-here.ovpn'" The connection is dropped.
22:50 < SynfulAck> Is there a parameter i can tac on like --route-metric 101 to make local traffic prefer routing through w/e. Or is it easier to just add a 2nd vnic?
22:54 < semitones> What
22:54 < semitones> What is TAP/Bridging and why is it a bad idea?
23:04 < semitones> Ok also, I can visit http://192.168.2.xx (IP of the VPN server) but I can't visit http://192.168.2.1 ???
--- Day changed Sun Apr 23 2017
00:12 < semitones> OOOOH
00:13 < semitones> what if my DNS server is blocking all the DNS requests from the VPN subnet???
00:20 < semitones> but would it block ping even?
01:08 < semitones> Hey all, I asked the folks at ##networking for help, and they did "ip route" and said my routing tables didn't look right for a VPN. Is there a way to doublecheck, and fix them?
02:53 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 258 seconds]
03:02 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
03:02 -!- mode/#openvpn [+o dazo] by ChanServ
06:27 < |Mike|> ehm...
08:23 < Vladimirski> test
08:23 < Vladimirski> When trying to connect to my openvpn server I get this error on the client: https://pastebin.com/inY9UX5n
08:23 < Vladimirski> Anyone seen this?
08:24 < Vladimirski> I have updated my openssl on the client to latest version
09:09 < Vladimirski> In the openvpn server config, it implies to not use one certificate to all client, but If they use a password every time they log in then it shouldn't be any security problem?
09:10 < Vladimirski> As I understand, pretty much all famous vpn tunnels use password and same certificate/file for all clients  no?
09:10 < kerio> it doesn't mean that they're doing things right :^)
09:10 < Vladimirski> Right
09:11 < Vladimirski> but I just can't see why it would be a problem, unless people have super computers to try to brute force the certificate
09:16 -!- lbft is now known as ______________
09:17 -!- ______________ is now known as lbft
09:58 < Legilmo> !welcome
09:58 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
09:58 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
10:08 < semitones> Hey all, I'm back with my routing question. I did "ip route" and it showed that my routes are not set up correctly. Is there a way to ask open VPN to fix those?
10:37 < Pavr> it has a route parameter
11:05 < Legilmo> !configs
11:05 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
11:06 < Legilmo> !ovpnuke
11:06 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
11:06 < Legilmo> !poodle
11:06 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has, or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
11:07 < Legilmo> !hardening
11:07 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
11:44 < kerio> why does openvpn configure a point-to-point connection on the tun device
11:44 < kerio> instead of a standard /24
11:46 < Pavr> !topology
11:46 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
11:54 < kerio> Pavr: istr it still configures a point-to-point topology on the tun nic
11:54 < kerio> it just adds a route for the rest of the subnet
13:13 < rob0> that is the nature of a tun interface: it IS point-to-point
13:25 < brianx> the sometimes great and sometime rough part of that point to point is that it's not always exactly to the other side, but to a openvpn routing nexus at the server end.
15:07 < grIskra> I've configured an OpenVPN server within a 192.168.0.0/24 LAN. The VPN is point-to-point operational, I can connect to the server from my home and the client gets a 10.0.0.0/24 IP address. I'd like to allow the client to reach to the server's LAN, but my home LAN uses the same subnet: 192.168.0.0/24. There is a way to access to the LAN without changing my home LAN subnet?
15:08 < kerio> search the man page for NAT
15:11 < grIskra> kerio: any tutorial about this? I'm already using NAT (PAT) on the router/gateway, in order to make the OpenVPN server be reachable from outside the Lan
15:12 < kerio> no i mean
15:12 < kerio> it's a thing that openvpn can do
15:12 < kerio> --client-nat
15:19 < grIskra> kerio: I can't find any tutorial, but from the man page it seems --client-nat is what I'm looking for
15:45 < SynfulAck> Does anyone here use Private Internet Access as their vpn and know how to allow local LAN-to-LAN traffic, instead of everything routing through the VPN?
15:46 < SynfulAck> This is on CentOS 7. Was thinking static routes have to be created.
16:17 < RoBo_V> Guys I have one doubt that when I connect openvpn from windows PC to my server, my virtual ethernet adapter get activated and when I check ip using cmyip it shows the ip of server. Do i am also browsing using server bandwidth ?
16:18 < RoBo_V> I'm not using internet im connected to via ethernet port ??
16:26 < Legilmo> !goal
16:27 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:32 < RoBo_V> I set up openvpn on raspberry pi to get all my ssh connections and my private cloud. For lan behind server.
16:33 < RoBo_V> I'm confused.
20:24 <@krzee> RoBo_V: what are you confused about?
20:57 < AlienCat> hello
20:58 < AlienCat> how do I remove a tunnel connection
20:58 < AlienCat> ifconfig shows tun1, I want it to go away
20:59 < jvava> OpenVPN server certificate verification failed : PolarSSL: SSL read error : X509 – Certifcate verification failed, e.g. CRL, CA or signature check failed
20:59 < jvava> on my android, openvpn connect 1.1.17
21:00 < jvava> can I disable the server certificate verification method?
21:32 < Ravenmire> I rebooted and brought up openvpn and got this message: "Sun Apr 23 22:20:50 2017 us=1117 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19", yet "#ls -l /dev/net/tun" -> crw-rw-rw- 1 root root 10, 200 Apr 23 22:15 /dev/net/tun"
21:35 < Ravenmire> Here's probably important part of client.ovpn:
21:35 < Ravenmire> dev tun
21:35 < Ravenmire> dev-type tun
21:38 < Ravenmire> This may be a player: ROUTE6: default_gateway=UNDEF
21:39 < Ravenmire> Nahhh...no IPV6...I think.
21:51 < nacelle> maybe make it say "dev tun0"
21:51 < nacelle> (thats how my client config is)
22:17 < xcko> hey I have an openvpn config for a client with multiple remotes specified, how can I configure it so that openvpn cycles through them when I lose a connection?
22:30 < xcko> would I use ping or resolv-retry?
22:48 <@ordex> xcko: if I am not wrong, cyclying should be the default behaviour
22:50 < xcko> hmmm okay well I thought that might be my problem but perhaps not. what happens is my connection will go down and the client fails to reconnect automatically. after manually restarting the process it works fine however.
23:50 <@krzee> xcko:
23:50 <@krzee> !keepalive
23:50 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected., or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode, or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive, or (#4) Also beware of --auth-nocache for automated reconnects
23:56 < xcko> thanks I'll give it a shot
--- Day changed Mon Apr 24 2017
00:14 < Ravenmire> nacelle, I changed to tun0; didn't change things. The log looks the same.
00:33 <@krzee> Ravenmire: looks like you dont have tun loaded into your kernel
00:33 <@krzee> either load the kernel module or compile it into your kernel
01:12 < jvava> since openvpn server has only self-signed certificate, whose depth is 0, how can the client disable verification of server certificate when the client always fail to verify server certificate ?
01:15 <+hyper_ch> client fails to verify server cert?
01:17 < jvava> yes, hyper_ch
01:17 < jvava> hyper_ch, this is log:
01:17 < jvava> OpenVPN server certificate verification failed : PolarSSL: SSL read error : X509 – Certifcate verification failed, e.g. CRL, CA or signature check failed
01:17 <+hyper_ch> no idea, I don't use polarssl
01:19 < jvava> the same configuration works happily under debian, just with a warning saying that: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
01:20 < jvava> but on android mobile, has this issue, by the way, the old version app does not.
01:21 < jvava> so I thought that new app maybe is verifing the poor server certificate, that's why I want try disable verification of server cert.
04:38 < deed02392> hi all
04:39 < deed02392> i'm getting connection reset errors, i've put verbosity up all the way and still not getting a clear reason: https://pastebin.com/1AN6mkUW
04:39 < deed02392> the last log output is Mon Apr 24 10:33:58 2017 TCPv4_CLIENT WRITE [15] to [AF_INET]:1194: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=1
04:40 < deed02392> then i get connection reset
05:00 < WhizzWr> Hey guys
05:02 < WhizzWr> I have small question: if I have openvpn conenction established, is it possible to access local services on the *server* from the *client*
05:03 < WhizzWr> i.e server : 188.1.1.1.1 <--> openvpn-server : 10.8.0.2 <--> open-vpn-client : 10.8.0.3
05:04 < WhizzWr> say I need to access, non-public ssh server in 188.1.1.1, how can I make it possible to I just do ssh user@10.8.0.2 from 10.8.0.3
05:05 < WhizzWr> !sweet32
05:05 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
05:12 < WhizzWr> never mind. It readily works. I have just need to make sure sshd listen to 10.8.0.2
05:17 < |Mike|> !configs deed02392
05:17 < |Mike|> !configs
05:17 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
05:19 < deed02392> |Mike|, i don't have the server config unfortunately
05:23 < |Mike|> is the server alive and replies to ping?
05:44 < RoBo_V> krzee: that i just put openvpn server to access local network behind. But when I surf internet on client machine server bandwidth is being consumed.
06:14 <@dazo> WhizzWr: I'd recommend you to ensure sshd is able to start if the VPN tunnel is down ... and if that fails, let sshd listen to all IP addresses by default, and do the restriction in sshd_config, tcpwrapper (hosts.deny/hosts.allow) and/or iptables
06:18 < WhizzWr> dazo: ok thanks
07:40 <@krzee> RoBo_V: then you are using --redirect-gateway
07:40 < RoBo_V> What I need to use ?
07:40 <@krzee> RoBo_V: if that is the case then you did not learn about the config options you used, you must have used a walkthrough
07:40 <@krzee> need to use the manual and read about the options in your config
07:40 < RoBo_V> You are right
07:40 <@krzee> then you'll understand how it works better
07:41 <@krzee> !man
07:41 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
07:41 <@krzee> !walkthrough
07:41 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
07:42 < RoBo_V> Thanks krzee i will go through it.
08:19 < skyroveRR> o/ krzee
08:43 -!- poster is now known as Poster
09:09 < nbastin> does anyone know if there's an irc channel / mailing list for tunnelblick support?
09:10 < nbastin> ah there's a google group
09:16 < Ravenmire> krzee, I'm the tun/tun0 guy. Which module to load into the kernel? Or check for with lsmod?
09:26 < Ravenmire> I searched the net and got some pointers which I'm trying.
09:44 < sagatak> Ravenmire: $ /sbin/modinfo tun | grep ^descrip
09:44 < sagatak> description:    Universal TUN/TAP device driver
09:45 < sagatak> (linux 4.2.0)
09:45 <@dazo> Ravenmire: On Linux that module should be loaded automatically when needed ... if it doesn't, it smells like some container/openVZ stuff
09:46 < Ravenmire> Thanks, all!
09:48 < Ravenmire> sagatak, /sbin/modinfo tun | grep ^descrip: ⇒ "modinfo: ERROR: Module alias tun not found."
09:49 < Ravenmire> dazo, AFAICT, I'm using neither a container nor openVZ
09:50 <@dazo> Ravenmire: what are you using then?
09:50 < Ravenmire> bare-metal openvpn
09:50 <@dazo> which OS?
09:50 < Ravenmire> Manjaro Linux 4.9.22
09:51 < Ravenmire> <whine> It used to work. It doesn't after a reboot, </whine>
09:52 < Ravenmire> Any preferred pastebin for the log?
09:52 <@dazo> Ravenmire: your favourite pastebin ;-)
09:52 < Ravenmire> k
09:52 <@dazo> Ravenmire: never heard of that distro before (and I do see it's a spin-off from Arch) ... but it might be built into the kernel directly
09:53 <@dazo> do you have /dev/net/tun?
09:53 < rob0> zgrep TUN /proc/config.gz # if the kernel configuration is sane and didn't turn off that nice feature
09:53 <@dazo> if not ... and if 'lsmod | grep tun' doesn't give anything ... you have a b0rken kernel, most likely without tun support
09:54 < rob0> oops
09:55 < rob0> zgrep CONFIG_TUN /proc/config.gz # better results
09:55  * dazo have no idea where manjaro places a copy of the kernel config file .... /proc is worth an attempt, but no guarantee
09:55 < rob0> I still don't get why so many distros disable /proc/config.gz
09:56 < rob0> dazo, it is a kernel feature, a virtual file showing the current kernel's config
09:56 < rob0> RH disables it, duh.
09:56 <@dazo> it eats up a few KB of memory
09:56 < rob0> yes
09:56 <@dazo> RH is consistent in providing configs in /boot though
09:57 < rob0> and there's no assurance that what you find in /boot matches the running kernel
09:57 < Ravenmire> dazo: [Server NL1]#  ls -l /dev/net/tun
09:57 < Ravenmire> crw-rw-rw- 1 root root 10, 200 Apr 23 22:15 /dev/net/tun
09:57 < Ravenmire> [Server NL1]#
09:58 <@dazo> rob0: Can't speak for all distros ... but the matching config is lacking in /boot ... then the either rpm package is b0rken ... or someone deleted the config file (yum reinstall kernel, restores it)
09:59 <@dazo> Ravenmire: okay ... that's a good sign ... so no need to worry about the tun module ... that device should not be present without tun/tap driver loaded
09:59 < Ravenmire> A pastebin other than pastebin.com?
09:59 <@dazo> I like fpaste.org
09:59 <@dazo> !paste
09:59 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
09:59 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
09:59 <@dazo> a few other approaches there ^^
10:00 < rob0> Many VPS providers install their own kernel over what the distro provided, and I wouldn't trust them to have enough Clue to toss their .config in /boot
10:01 < Ravenmire> https://paste.fedoraproject.org/paste/m0LxhyVsWo-gXozt4x2gxl5M1UNdIGYhyRLivL9gydE=
10:02 <@dazo> yeah, but then you can shout at those VPSes not adding /proc/config ... some of them might remove it for "security reasons" too (which is most likely bogus anyway)
10:03 <@dazo> Ravenmire: you seem to have a connectivity issue first of all ...
10:04 <@dazo> Mon Apr 24 01:19:10 2017 us=637473 Server poll timeout, restarting
10:04 < Ravenmire> This is something!
10:04 <@dazo> Ravenmire: what does your server log say?
10:05 <@dazo> is the date and time set correctly on the client?
10:05 < Ravenmire> Wait a minute. 01:19:10 is last night.
10:05 < Ravenmire> I'm anal retentive about time. I believe so.
10:06 <@dazo> okay, that's one of the easy to forget issues ... which may result in odd connectivity issues ... if date/time is correct ... then server logs is needed
10:08 <@dazo> I see you have both UDP and TCP configured .... so the log line above is the UDP line ... the TCP connectivity hint is somewhat confirming this as well:
10:08 <@dazo> Mon Apr 24 01:18:57 2017 us=397788 Connection reset, restarting [0]
10:09 <@dazo> on a not directly related note ... you should fix this warning though:
10:09 <@dazo> Mon Apr 24 01:18:46 2017 us=550414 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
10:09 < Ravenmire> https://paste.fedoraproject.org/paste/orQG0wzU-dHhBRphqXTIFF5M1UNdIGYhyRLivL9gydE=
10:09 < Ravenmire> That's fresh off the griddle.
10:10 < Ravenmire> I did --remote-cert-tls; was told to use --ns-cert-type. I'll do it again.
10:11 <@dazo> Mon Apr 24 10:39:38 2017 us=646521 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
10:11 <@dazo> okay, that one is more of a challenge
10:12 <@dazo> here you actually get a successful connection to the server ... but can't configure your tun device
10:14 <@dazo> what happens if you run:  # openvpn --dev tun --mktun
10:14 <@dazo> ?
10:20 < Ravenmire> Im here.
10:20 < Ravenmire> [Server CH1]# openvpn --dev tun --mktun
10:20 < Ravenmire> Mon Apr 24 11:15:28 2017 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
10:20 < Ravenmire> Mon Apr 24 11:15:28 2017 Exiting due to fatal error
10:20 < Ravenmire> [Server CH1]#
10:21 < Ravenmire> And, sure enough, /dev/tun isn't there.
10:21 < rob0> /dev/net/tun
10:22 < Ravenmire> oh, THAT one. :)
10:22 < Ravenmire> [Server CH1]# l /dev/net/tun
10:22 < Ravenmire> crw-rw-rw- 1 root root 10, 200 2017-04-23 22:15:03 /dev/net/tun
10:22 < Ravenmire> [Server CH1]#
10:26 <@dazo> Ravenmire: I smell kernel troubles .... :/
10:26 < Ravenmire> I cannot disagree.
10:27 < Ravenmire> That explains everything.
10:27 <@dazo> which kernel did you run before and after the reboot?
10:29 < Ravenmire> [Server CH1]# mhwd-kernel -li
10:29 < Ravenmire> Currently running: 4.9.22-1-MANJARO (linux49)
10:29 < Ravenmire> The following kernels are installed in your system:
10:29 < Ravenmire>    * linux49
10:29 < Ravenmire> [Server CH1]#
10:29 < Ravenmire> I believe they're the same, but I'm not certain.
10:31 < Ravenmire> I"m on #manjaro at this very moment.
10:34 <@dazo> Ravenmire: run 'last reboot | head' ... then you might see the history of kernels
10:55 < nbastin> The docs claim that "status foo.log" in the server config will write a file showing current connections, which I guess it does, but is there no way to get it to show me the source IPs?
10:56 < Ravenmire> Rebooted: now the only error is: "Mon Apr 24 11:49:19 2017 us=507726 Certificate does not have key usage extension"
10:56 < Ravenmire> oh...is the "us" microseconds?
10:57 < Ravenmire> It's using the last IP address. So something's going well.
11:15 <@dazo> nbastin: have a look at --status-version
11:17 < nbastin> dazo: just as an openvpn cmd option?  my openvpn does not know this
11:17 < rob0> in the
11:17 < rob0> !man
11:17 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
11:17 < rob0> oh, must be a newer feature
11:17 <@dazo> no, --status-version should be at least a v2.1 feature
11:18 <@dazo> if using anything older than that .... well ....
11:18 < nbastin> ah it needs an argument and the error is...odd
11:18 < nbastin> can I set this in the config?
11:18 <@dazo> yes
11:18 <@dazo> !--
11:18 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
11:18 < nbastin> ah, good news
11:18 < nbastin> is there a description of the contents of versions 1/2/3 files?
11:18 <@dazo> I thought it was ... but can't find it .... but the higher number, the more info
11:19 < nbastin> heh, ok, will start with 3 and hope.. :-)
11:19 <@dazo> :)
11:22 < nbastin> dazo: hrm, the contents seem identical
11:25 < nbastin> it's updating the file, so it's not that it isn't rewriting it at all
11:26 < Ravenmire> Which takes precedence? --command line options or the configuration file? Command-line options seem reasonable.
11:26 < nbastin> order in the config file doesn't seem to matter
11:27 < nbastin> (didn't think so, but tried it anyhow)
11:29 < nbastin> ugh, it appears that version is irrelevant unless you're in multi-client server mode
11:31 < nbastin> I guess I can parse the log file to try to find the client IP
11:31 < Ravenmire> How to fix "Certificate does not have key usage extension"
11:32 < nbastin> Ravenmire: your cert needs to have the x509 keyusage extension populated in it
11:33 < rob0> generate a new cert
11:33 < Ravenmire> Okaaayyy.
11:40 < Ravenmire> The certs came from my VPN provider.
12:08 <@krzee> !provider
12:08 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team., or (#2) Please contact their support team.
12:09 < sjk> !welcome
12:09 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind
12:09 <@vpnHelper> openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
12:09 < sjk> !goal
12:09 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:18 < rob0> Ravenmire, did you send them a certificate signing request (CSR), or did they generate your key and send you the whole thing, key and cert?
12:19 < Ravenmire> The whole thing.
12:27 < rob0> yup, you have a support issue with them
15:31 -!- RoBo_V1 is now known as RoBo_V
17:30 < SynfulAck> Can someone be my openvpn jedi so i can be the padawan?
17:32 <@dazo> !ask
17:32 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
17:33 < SynfulAck> looks like dazo accepted the offer, now off to find a question.
17:33 < rob0> ^^ yes, and also see the /topic for help in getting started with your question.
17:34 < rob0> and "yes" referred to the factoid; I would not count on dazo or me to be around to answer.
17:35 < rob0> (I will, however, look in here later.)
18:06 < SynfulAck> rob0, viewer discretion is advised.
22:03 < nbastin> I know this isn't quite the right place, but does anyone know how to get tunnelblick to actually work with dhcp properly?  (over the VPN)
22:05 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in]
22:06 < nbastin> it gets an IP on initial connect, but it doesn't actually have the OS run a dhcp client (or put it under OS management), so the lease expires and the tap still holds the IP
22:14 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:14 -!- mode/#openvpn [+o syzzer] by ChanServ
22:33 < Pyro3d> Hi, I recently updated my openvpn client, and it's now refusing to connect with "VERIFY ERROR: depth=0, error=self signed certificate". I used easyrsa v2 to generate the certs, and the certs I had work with other clients. Server is 2.4.1 (FreeBSD 11), client is 2.4.1 (TrueOS).
22:42 < nbastin> Pyro3d: are you sure the ca cert is being found?
22:45 < Pyro3d> nbastin: I'm not seeing any log errors regarding the ca cert not being found, and the path is valid.
22:46 < nbastin> I mean, I don't know, but that seems like the type of problem that happens when paths change or certs get overwritten by mistake
22:48 < Pyro3d> Yeah, it's weird. I know TrueOS does weird things with it's boot environments, but the cert is still there, I can cat it.
22:50 < notmike> Having some difficulty setting up my vpn
23:06 < Pyro3d> nbastin: Well good news I regenerated my server cert with the mitm stuff and that fixed it. Thanks for the help.
23:07 < nbastin> Pyro3d: sure, for what it was worth.. :-)
23:10 < notmike> Would one of you mind looking at my configs? I am able to connect, but the server is not tunneling traffic out to the internet :/
23:10 < notmike> http://termbin.com/8bau
23:12 < Pyro3d> notmike: what os are you running under/have you allowed it to act as a gateway?
23:13 < notmike> I'm running linux. I'm pretty certain I set ip forwarding to on
23:15 < Pyro3d> Can you double check? :)
23:19 <@ordex> !ipforward
23:19 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
23:19 <@ordex> !nat
23:19 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
23:19 < notmike> Pyro3d: I think I had the wrong default interface listed.
23:20 < Pyro3d> notmike: in your firewall settings for nat?
23:23 < notmike> Yeah
23:23 < notmike> I had it set wrong, switched it to the right interface and now I have very slow vpn
--- Day changed Tue Apr 25 2017
03:36 < hid3> Hello everyone. How do I configure OpenVPN server to support aes-ni which my Xeon does?
03:44 <@dazo> hid3: normally the openssl picks up that automatically ... but you can use --engine aes-ni  (iirc)
03:47 < hid3> weird. I am setting up a fresh system, have transfered the working config from the old system, however, it doesn't seem to start at all. I use systemctl start openvpn, logs say it's started but nothing more. No process, no listening on the port, no nothing
03:48 <@ordex> hid3: tun module loaded? that does not depend on the config
03:49 <@ordex> have you tried launching openvpn manually from the console to see what error it prints out (there must be something)
03:52 < hid3> when launching from cmd line, it claims about missing .crt, .pem files. But no errors when starting from systemctl. I know the files are missing but I expect the systemctl way to print the same error too. However, there must be something else, possibly completely ignoring my config
03:54 <@ordex> hid3: if the problem is with the init system ... then I don't know
03:54 <@ordex> sorry
03:59 <@dazo> hid3: what does 'journalctl -u ....' say?
04:00 < hid3> Apr 25 11:40:59 test-deb systemd[1]: Starting OpenVPN service...
04:00 < hid3> Apr 25 11:40:59 test-deb systemd[1]: Started OpenVPN service.
04:00 < hid3> Apr 25 11:50:31 test-deb systemd[1]: Stopped OpenVPN service.
04:00 < hid3> Apr 25 11:50:48 test-deb systemd[1]: Starting OpenVPN service...
04:00 < hid3> Apr 25 11:50:48 test-deb systemd[1]: Started OpenVPN service.
04:00 < hid3> like that...
04:00 < hid3> nothing more
04:00 < hid3> same in syslog
04:00 <@dazo> this looks like a poor unit file, tbh
04:00 <@dazo> which openvpn version?  which distro?  how does the unit file look like?
04:00 < hid3> Debian 9, 2.4.0-4
04:01 < hid3> how do I check the unit file?
04:01 <@dazo> systemctl status will show the path to the unit file
04:02 <@dazo> oh ... systemctl cat $SERVICE  ...
04:02 < hid3> unit file here:
04:02 < hid3> https://pastebin.com/RtD9MBgq
04:03 <@dazo> ugh ... that is completely faulty for openvpn 2.4 .... try moving over to the openvpn-{client,server}@ unit files
04:03 <@dazo> configs needs to be in /etc/openvpn/{client,server} ... otherwise it's the same
04:04 <@dazo> then you do:  openvpn-{client,server}@CONFIGNAME
04:04 <@dazo> (where CONFIGNAME is the config filename without the .conf extension)
04:04 < hid3> hm..
04:04 <@dazo> ExecStart=/bin/true
04:04 <@dazo> ExecReload=/bin/true
04:04 <@dazo> those to lines does not start openvpn
04:04 < hid3> my config file is in /etc/openvpn/server/my.conf
04:04 < hid3> I've also noticed that!
04:04 <@dazo> okay ... systemctl start openvpn-server@my
04:04 < hid3> Why does that come with stock debian?
04:05 < hid3> great, this seems to give some errors
04:05 <@dazo> I dunno .... which is exactly why we in the upstream openvpn dev community is pushing towards getting *our* unit files distributed into distros ... as they work fine cross-distro and we ensure they are up-to-date against openvpn
04:05 < hid3> will it tro to start on system bootup?
04:06 <@dazo> journalctl --since today -u openvpn-server@my    <<< that should give more clues
04:06 < hid3> yeah, it gives
04:06 <@dazo> systemctl enable openvpn-server@my   <<< that enables that config at boot
04:06 < hid3> now I get the errors about miccing .crt and pems which is fine
04:07 < hid3> thanks a lot...
04:07 < hid3> I'm still old school, very used to classic init.d scripts
04:07 < hid3> that systemd is too new to me
04:07 <@dazo> these new unit files gives a far better control of each config individually
04:08 <@dazo> hehe ... fair enough :)   I used to be a harsh systemd critic  (even flamed Lennart with a mail subject: "One daemon to rule them all?") ... but I have changed my opinion once I got into the systemd universe
04:08 <@dazo> it is way better than any init.d stuff I've ever used (with almost 20y experience) ... I now find and solve issues way quicker and have much better control than ever before
04:09 <@dazo> so ... once you get over the learning curve, I bet you won't turn back :)
04:09 < hid3> let's hope so...
04:10 < hid3> Will ask in debian channel (after my lunch) if anyone has a clue regarding that /bin/true thing in unit file
04:11 <@dazo> I know they added quite some hacks to try to make transition from init.d to systemd more easy and "familiar" to old installs .... but I've seen several issues with that compat layer for openvpn
04:11 <@dazo> those I've helped over to the new openvpn-{client,server}@ approach have never come back to complain ... so I hope that's a good sign :)
04:12 <@dazo> OT ... but a few other systemd tricks .... 'systemd-analyze blame' .... and 'systemctl status'  (without any other arguments)
04:13 <@dazo> (if the last 'systemctl status' is not saying "State: running" ... then some unit files did not start .... running 'systemctl' without any more argument lists those in red)
04:47 < kallenp> Hi all. I have a problem with OpenVPN configuration. I am a beginner. I have configured my OpenVPN server and I can sucessfully connect from Windows to my Linux OpenVpn server. The iface on eth0 is 192.168.100.10/24 OpenVpn is on 10.8.0.1 peer 10.8.0.2. I have set in my server.conf push "192.168.100.0 255.255.255.0" and when I connect from my Windows box to the VPN, I can only ping to 10.8.0.0/24 and 192.168.100.10 but I cannot ping to 192.168
04:47 <@dazo> !serverlan
04:47 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
04:47 <@dazo> kallenp: ^^
04:57 <@dazo> kallenp: no PM on generic help, please
04:58 <@dazo> which distro do you use?
04:58 < kallenp> Debian 9
04:59 <@dazo> https://is.gd/71fNPT
04:59 <@vpnHelper> Title: Let Me DuckDuckGo That For You - LMDDGTFY (at is.gd)
04:59 < kallenp> ipforward is enabled
05:00 < kallenp> i set it in /etc/sysctl.conf to net.ipv4.ip_forward=1 and then reboot the box
05:00 <@dazo> good ... so then you need to look at firewalling
05:00 < kallenp> firewall is dosabled
05:00 < kallenp> disabled
05:01 <@dazo> so ... where do things stop working on this flow chart?  http://www.ircpimps.org/serverlan.png
05:01 <@dazo> (I'm ignoring the pesky detail about the stupidity of disabling a firewall, but that can be fixed once your VPN is functional)
05:04 < kallenp> I stop here: Can you ping the lan ip of the server - I say: YES and Can you ping another machine in the LAN - I say: NO
05:04 <@dazo> okay ... so do you have access to the LAN router?
05:05 <@dazo> and ... what about firewalling on the LAN box of IP address you try to ping?
05:05 < kallenp> no, I have access only to the Linux box where the OpenVPN server is running
05:05 <@dazo> so you have access to the box on the LAN at all?
05:05 < kallenp> yes
05:06 <@dazo> where is the VPN server located on the network?  before or after the default gateway?
05:07 < kallenp> there is a NAT 1:1 from public IP to the Linux, where the OpenVpn is running. eth0 is 192.168.100.10/24 and the tun0 is 10.8.0.1
05:07 <@dazo> [VPN client]---{internet}---<LAN-gateway>----[VPN-server]
05:07 <@dazo>                                            \-[LAN computer]
05:07 <@dazo> ?
05:07 < kallenp> all other stations are in 192.168.100.X
05:08 <@dazo> okay ... so then you must add a route on your LAN computer .... in Linux, that would most commonly be:  ip route add 10.8.0.0/24 via 192.168.100.10
05:09 < kallenp> OK, I will try it, give me 2 minutes
05:09 <@dazo> depending on the OS of your LAN computer you try to access, how to do that may differ .... but the concept is that it needs to be told that packets going to 10.8.0.0/24 (10.8.0.0-255) must go via your VPN server and not the default gateway
05:15 < kallenp> OK, I am logged in, I will try to test it
05:16 < kallenp> ip route add 10.8.0.0/24 via 192.168.224.10
05:16 < kallenp> RTNETLINK answers: File exists
05:16 < kallenp> 0.0.0.0         192.168.224.1   0.0.0.0         UG    0      0        0 eth0
05:16 < kallenp> 10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
05:16 < kallenp> 10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
05:16 < kallenp> 192.168.224.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
05:17 <@dazo> kallenp: you need to do that on the LAN box ... not your VPN serer
05:17 <@dazo> *server
05:17 < kallenp> ok, howto do it on windows client ? may i add this to the vpn client config globally ?
05:18 < kallenp> permanently
05:19 <@dazo> https://is.gd/1SlQ80
05:19 <@vpnHelper> Title: Let Me DuckDuckGo That For You - LMDDGTFY (at is.gd)
05:19 < kallenp> I canot push it to all clients throught configuration file ?
05:20 <@dazo> if you have access to your DHCP server, you can push that via DHCP
05:21 <@dazo> but the *easiest* solution is to add that route on your default gateway, which I already mentioned to you
05:22 < kallenp> ok, thanks for your time, i must study how it works, because I don't understand of this. Thanks.
05:22 <@dazo> !tcpip
05:22 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
05:52 < squeeb> Hey all, does anyone know if OpenVPN Access server supports authentication against SecureID? The only thing I can find is an unanswered forum post back from 2013
05:52 < squeeb> I know it can support RADIUS authentication, but getting that to actually work with an RSA authentication server is a PITA
05:53 <@dazo> squeeb: I think it needs to go via RADIUS ... but ... do you have strict SecurID requirements?  There's other more reasonable alternatives too
05:54 <@dazo> (standard TOTP/HOTP solutions, that is)
05:54 <@dazo> http://linotp.org/
05:54 <@vpnHelper> Title: LinOTP - - LinOTP - The Open Source OTP Solution (at linotp.org)
05:59 <@dazo> Here's a few more pointers including OpenVPN integration: http://linotp.org/howtos/howto-openvpn.html
05:59 <@vpnHelper> Title: OpenVPN: Integration with LinOTP - LinOTP - The Open Source OTP Solution (at linotp.org)
05:59 <@dazo> (both with and without RADIUS)
07:34 < tuxmartin> Hi, I have two connection section in client config. One for UDP and one for TCP. Is possible to change timeout? If UDP is blocked on firewall, client have to wait 60 seconds before connect to next connection.
07:34 < tuxmartin> <connection>
07:34 < tuxmartin> remote vpn.example.net 1194 udp
07:34 < tuxmartin> </connection>
07:34 < tuxmartin> <connection>
07:34 < tuxmartin> remote vpn.example.net 443 tcp
07:34 < tuxmartin> </connection>
07:37 <@dazo> tuxmartin: look at --connect-timeout and --server-poll-timeout  in the man page
07:37 <@dazo> !man
07:37 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
07:38 <@dazo> these are also valid inside connection blocks too, iirc
07:39 <@dazo> if fact, try to look up <connection>  in the man page, there might be some hits there too
07:40 < hid3> alright, now I have figured everyting out with configs. How do I make absolutely sure that openvpn in fact uses aes-ni?
07:40 <@dazo> hid3: try starting with --verb 4 ... I believe it is logged, but my memory may fail me
07:40 < hid3> it is with verb 4
07:41 < hid3> grep against /var/log/syslog returns a single line:
07:41 < hid3> Apr 25 15:32:01 test-deb openvpn[9121]:   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
07:41 < hid3> nto sure if it's the same as aes-ni
07:42 <@dazo> That should be fine with aes-ni .... it's AES (256 or 128 bits) with GCM authentication (instead of SHA*)
07:43 < hid3> excellent
07:43 < hid3> so seems it's using it by default
07:44 <@dazo> ehm ... NCP has nothing to do with --engine though
07:45 <@dazo> but if you're using an AES cipher, the aes-ni should be used by default if supported by the openssl lib
07:46 < hid3> any way to check/verify it?
07:47 <@dazo> peformance testing?
07:47 < hid3> if I specify "engine aes-ni" in the config file, it doesn't start: openvpn[9184]: OpenSSL error: cannot load engine 'aes-ni'
07:48 <@dazo> what does openvpn --show-engines list?
07:48 <@dazo> (but iirc, the openssl lib did some changes in regards to exposing aes-ni)
07:48 < hid3> Intel RDRAND engine [rdrand]
07:48 < hid3> Dynamic engine loading support [dynamic]
07:48 < hid3> ^-- those
07:49 <@dazo> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Encryption-OpenSSL_Intel_AES-NI_Engine.html
07:49 <@vpnHelper> Title: 3.3. OpenSSL Intel AES-NI Engine (at access.redhat.com)
07:51 < tuxmartin> dazo: thank you!
07:56 < hid3> looks like my openssl has got aes enabled
07:58 <+hyper_ch> krzee: https://www.xudongz.com/blog/2017/idn-phishing/
07:58 <@vpnHelper> Title: Phishing with Unicode Domains - Xudong Zheng (at www.xudongz.com)
08:41 <@krzee> hyper_ch: nice, thats a better explanation of it than what i read before
08:42 <+hyper_ch> :)
09:06 < JonTargaryen> hello
09:06 < JonTargaryen> i'm having trouble with openvpn on pfsene
09:14 <@ecrist> !ask
09:15 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
09:15 < rob0> also,
09:15 < rob0> !pfsense
09:15 <@vpnHelper> "pfsense" is (#1) dont use the web gui for configuring openvpn, you need to understand the config and logfiles, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
12:03 < julianoliver> i have a server with existing clients and am concerned about attacks against Blowfish-128. i would like to "push", say, cipher AES-256-CBC to each client as an option on initialisation rather than dispatching new *.ovpn files. is this possible?
12:04 < julianoliver> thankfully all connections are 'sheathed' in an existing layer of SSL/TLS (using stunnel), lowering the attack surface significantly
12:15 -!- david is now known as Guest27574
13:34 < julianoliver> i have a server with existing clients and am concerned about attacks against Blowfish-128. i would like to "push", say, cipher AES-256-CBC to each client as an option on initialisation rather than dispatching new *.ovpn files. is this possible?
13:39 <@krzee> julianoliver: only if the server and all clients are on 2.4
13:57 <@dazo> if upgrading server to 2.4, you can start migrating clients one-by-one ... even just by upgrading client configs from BF to AES
14:00 <@dazo> but to upgrade to server preferred cipher, it needs to be 2.4 on the client side
14:00 < julianoliver> krzee: ugh. ok, thanks for the info
14:01 < julianoliver> dazo: ok. not easy, all my clients are routers. would require full firmware reflash.
14:44 < Legilmo> !welcome
14:44 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
14:44 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
14:44 < Legilmo> !sample
14:44 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
14:45 < Legilmo> !sample help
14:54 < ole013> Hello all. I have a linux (centos) machine. I've installed openvpn with the option client-to-client. I have two machines on two different locations and I would like them to be able to communicate with each other through the vpn server. The two clients are connected fine (1st is 10.8.0.4, second is 10.8.0.8), they can ping the server fine but they cannot ping each other. What am I missing ? I suspect I'm missing parameters like route,
15:12 <@dazo> ole013: not directly related, but it helps the network  transparency a bit .... add --topology subnet  in your configs (I believe that can be pushed from the server)
15:12 <@dazo> !topology
15:12 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
15:20 < ole013> it was in fact related to the windows firewall. I've turned it off on both clients to check and now OK I can ping the other client. But I cannot (for instance) RDP the other client. Any idea that would explain why ?
15:29 -!- r00t^2_ is now known as r00t^2
15:32 -!- RoBo_V1 is now known as RoBo_V
15:51 < xx00__> i have a n00b question
15:52 < xx00__> is OpenWRT the firmware for a router?  And OpenVPN is an application?
15:53 < rob0> both are correct, but the openwrt project has forked; the new one is called "lede"
15:53 < vectr0n> yup, application/service
15:54 < xx00__> im buying a qualcomm router that i want to piggyback on my existing wifi router
15:55 < xx00__> ill be using AirVPN service
15:55 < xx00__> so i want to set up my VPN router with OpenWRT + OpenVPN
15:55 < xx00__> and set it up as a “client” connecting to the remote AirVPN servers?
15:55 < xx00__> is that correct?
15:55 < rob0> yeah, I would recommend lede over openwrt now
15:56 < xx00__> why?
15:56 < rob0> more activity and efforts have moved to the new project
15:56 < xx00__> is this a recent fork?  I haven’t read anything about lede
15:59 < xx00__> ah ok
15:59 < xx00__> i googled and am reading through this
15:59 < xx00__> i think the factory im ordering from only supports OpenWRT
15:59 < xx00__> so I will go with that for now
16:00 < xx00__> Is this the best channel for VPN queries?  #vpn seems empty
16:00 < vectr0n> for openvpn, yup
16:01 < xx00__> is there a setup explainer / walkthrough you recommend?  I’ve found a ton of stuff from googling, but it all kind of burns my n00b eyes
16:01 < rob0> !provider
16:01 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team., or (#2) Please contact their support team.
16:02 < xx00__> ah so i should ask my VPN service provider — in this case AirVPN
16:07 < rob0> definitely go to them for initial setup help.  Many of us here run our own servers and have never used one of these providers.
16:08 < xx00__> ah ok
16:08 < xx00__> you run your own servers in your same country?
16:09 < xx00__> i thought the point of VPN was to tunnel traffic elsewhere
16:09 < rob0> the point of VPN varies from user to user, I guess
16:09 < xx00__> what would be a use case for tunneling somewhere else domestic?
16:10 < rob0> the ones I have set up commercially were for remote and roaming users to have access to resources back in the office
16:10 < xx00__> ah ok
16:10 < xx00__> do you have much experience using VPN routers, rather than VPNing at the device level?
16:15 < xx00__> rob0: ?
16:16 <@dazo> so called VPN routers vs VPNing at device level is basically the same .... it's all software (firmware is also software) ... it's just the wrapping which is different
16:16 < xx00__> dazo: but i want to set up a router so my mom can easily use it
16:16 < xx00__> from what i understand, using a router can allow multiple devices to VPN more easily
16:18 <@dazo> configuring VPN on a router makes it more transparent for devices behind the router .... what being the best entirely depends on your needs, expectations and security demands
16:19 < xx00__> “behind” meaning e.g. my laptop?
16:19 <@dazo>  {internet}---[router]----[LAN]
16:19 < xx00__> my #1 goal is to make it as easy to connect as possible
16:19 <@dazo> so LAN is behind the router
16:20 < xx00__> in this case we are talking about [internet]——[wifi router]——[vpn router]———[LAN]
16:20 <@dazo> putting VPN on the router, starting automatically, can allow the VPN to be used by all devices on the LAN without configuring them
16:21 <@dazo> in that setup ... LAN can easily make use of the VPN.  WLAN devices may need some adoptions; either on the devices directly or on the WIFI router to make use of the VPN
16:22 < SynfulAck> dazo, is there a difference of difficulty setting up the vpn on the router vs device in a home network when trying to use split-exclude tunneling
16:22 <@dazo> define "split-exclude tunnelling"
16:22 < SynfulAck> dazo, " When configured to accept all traffic except traffic destined to a specific set of destinations, it is called a split-exclude tunnel." https://www.wikiwand.com/en/Split_tunneling
16:23 <@dazo> xx00__: I'd rather recommend you to have:
16:23 <@dazo> [internet]——[vpn router]—————[wifi router]
16:23 <@dazo>                          \———[LAN]
16:23 < xx00__> ohhh
16:23 <@dazo> that's an easier configuration
16:23 < xx00__> why is that
16:24 < xx00__> and if i want to shut off the vpn router and just use the regular internet, is it as easy as turning off the VPN router?
16:24 <@dazo> because wifi and LAN are on the same subnet, and the VPN router will be the default gateway ... so if you want WIFI or LAN clients to make use of the VPN or not, you only configure that on the VPN server
16:25 <@dazo> then you just stop the VPN process, and the traffic flows outside
16:25 <@dazo> it's all about basic network routing
16:25 <@dazo> !tcpip
16:25 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
16:25 < xx00__> so i could theoretically just turn off the VPN router
16:25 < xx00__> ?
16:25 <@dazo> not turn off, but stop the VPN process
16:25 <@dazo> remember, VPN is essentially just software
16:25 < xx00__> and i can do that from the VPN GUI
16:25 < xx00__> ?
16:26 <@dazo> I dunno ... do all cars have touch screens?
16:26 < xx00__> haha
16:26 < xx00__> sorry
16:26 < xx00__> i know im asking dumb questions
16:26 < xx00__> but i am really dumb in this area
16:26 < xx00__> let me rephrase that
16:27 < xx00__> if my VPN service provider as a GUI, can i just do it via that GUI?
16:27 <@dazo> xx00__: okay, to make your life less miserable ... you really need to read the !tcpip stuff, to understand network routing properly.  VPN is an advanced topic, and it is crucially important to have a firm grip on the topic of network routing
16:28 < xx00__> ok
16:28 < xx00__> i downloaded that PDF
16:28 <@dazo> secondly ... read through the "getting started" how-to
16:28 <@dazo> !howto
16:28 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
16:28 < xx00__> im going to read through chapter 3.1
16:28 <@dazo> but that might make more sense once you have the networking routing understanding
16:28 < xx00__> thank you so much
16:28 < xx00__> this is great
16:29 < xx00__> I’ll start with 3.1 from that PDF then go through the HOWTO
16:29 <@dazo> basically, you need to understand what a IP subnet is and how the network mask (prefix) influences the so called routing table
16:29 <@dazo> good!
16:29 < xx00__> do you mind that i’ve saved you in my buddy list
16:29 < xx00__> i promise to only ask you more questions after i am less ignorant
16:30 < rob0> what is a buddy list?  It's not relevant to IRC, I bet.
16:30 < xx00__> im using the colloquy client
16:30 < xx00__> it allows me to save specific users in addition to channels
16:30 <@dazo> SynfulAck: that was a lot of text to just say: basic TCP/IP routing
16:33 <@dazo> SynfulAck: so in a default OpenVPN configuration, you explicitly define which subnets are going to be passed on via the VPN.  (To make all traffic go via the VPN, you need to use --redirect-gateway explicitly)  ... if you only want some LAN/WIFI devices to access services when running the VPN server on a default gateway, you protect whom can access the VPN via the firewall on the default gateway/VPN server
16:36 <@dazo> If you choose the path of having the VPN server being a separate host on the LAN, then you need to either configure those other LAN/WIFI clients with routes to the specific subnets to go via the VPN.  This is needed to be done on each client (or via DHCP). *Or* you can add the specific routes to go over the VPN on the default gateway.  Either way, having a firewall on the VPN server is needed, to have full control over which LAN/WIFI clients may
16:36 <@dazo> access the VPN
16:36 < SynfulAck> dazo, I have zero access to PIA vpn which is redirecting all traffic. I havent read much into it yet but from what ive seen, atleast on the device level is to do something in iptables as u seem to be saying. WIP for later.
16:36 <@dazo> Lastly, you can configure VPN clients on each LAN/WIFI host independently ... but that is also quite a challenge if you have many clients to keep track of
16:37 <@dazo> SynfulAck: you can add --route-nopull or --pull-filter (OpenVPN v2.4) on the VPN client ... and then add the routes yourself
16:38 <@dazo> or ... if you want PIA to be the default, you can add explicit routing entries for those subnets you want outside the tunnel to go via your normal non-PIA gateway
16:38 <@dazo> again, understanding standard TCP/IP routing helps you to do exactly what you want
16:40 <@dazo> in regards to PIA being the default ... the OpenVPN config can contain lines like:   route x.x.x.x y.y.y.y net_gateway
16:40 < SynfulAck> Yeah i was previously working along the lines of adding routing entries, and nopull(less familiar).
16:40 <@dazo> (net_gateway is a "macro" which points at your systems local default gateway)
16:41 < SynfulAck> .ovpn config?
16:41 <@dazo> yeah
16:41 < SynfulAck> well damn that sounds easier to mess with then nmcli then. May have to try that next time.
16:41 <@dazo> that's a way how to explicitly route specific subnets outside the tunnel
16:42 < SynfulAck> should be pretty easy then since its just 1 /24 entry.
16:42 <@dazo> yeah, then it's pretty straight forward
16:43 <@dazo> xx00__: no problem with that ... just keep the questions in this channel .... if I'm not around, I can guarantee you that others in this channel can provide answers too
16:47 < xx00__> dazo: thanks :)
17:00 < Xi2> Is the bandwidth the same if I do a router to router vpn connection than if the the client connect to the vpn server directly?
17:03 < rob0> the difference is that a VPN connection on the router might include (redirect) ALL traffic rather than just one user's specific device.
17:03 < rob0> depends what your goal is
17:03 < Xi2> With both sites with a 100/100 connection, clients get about 2mb if connect directly to the server, I'm considering connect a router to the server but would I get aggregated bandwidth?
17:04 < nbastin> router-to-router is not going to have a performance penalty in and of itself, of course you have to take any actual traffic engineering into account to get you there
17:06 < Xi2> What I'm trying to understand is: Can I control the bandwidth alocated to OpenVPN?
17:07 < Xi2> If I'm going to route several clients through the VPN I should have more than what's typically alocated for a single client...
17:10 < rob0> To control the bandwidth of openvpn will depend mostly on your router and its OS.
17:12 <@dazo> Xi2: 2MB/s (that's ~16Mbit/s) on a 100/100 Mbit/s connection is very poor performance ... I'd expect you'd be capable of something around 80-90Mbit/s ... but you need to consider the ISP connection on both sides of the tunnel
17:13 < Xi2> I'm thinking on a OpenVPN virtual appliance separate from the router
17:14 <@dazo> again, both sides needs to be considered when it comes to performance .... virtual appliance can work fine
17:14 < Xi2> Is there settings/parameters on either end to control allocation?
17:15 <@dazo> nope, it's all about the OS ... openvpn itself is just a single executable
17:15 <@dazo> running on an OS
17:15 < Xi2> It would be a SmartOS zone, Solaris in essence
17:29 < aokfire> !welcome
17:29 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
17:29 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
17:29 < aokfire> !redirect
17:29 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
17:29 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
17:32 < aokfire> Ok... reading over this, I'm still a bit confused. I'm running a Debian server. Trying to setup OpenVPN to give both local network access and internet access to a laptop and a phone.
17:33 < aokfire> I'm wondering how I can set the provided IP to be either exactly what it is on the home network, or simply as part of my 192.168.2.0/24 subnet...
17:33 < aokfire> And also wondering why I can access the local network, but not the external network, with forwarding on... do I need to bridge anything?
17:33 < rob0> that should not be necessary
17:34 < aokfire> bridging is not necessary?
17:34 < rob0> no, it's not, but specifically I was speaking about using the same IP as you have on the LAN
17:34 < aokfire> It
17:34 < aokfire> iot
17:35 < aokfire> Sorry. It's more for consistency
17:40 < aokfire> ok I set it as server 192.168.2.0/24, so now the device gets an IP in that network. I'm unable to access local services now though...
17:40 < aokfire> No route to host
17:43 <@dazo> !serverlan
17:43 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
17:44 < aokfire> !route
17:44 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
17:44 < rob0> the serverlan flowchart ^^ helps a lot
17:45 < aokfire> ok so I have the push
17:46 < aokfire> But I still can't ping the server IP
17:47 < aokfire> And I'm not running a firewall atm... I know, foolish, but I just want to test without first
17:47 < aokfire> ip forwarding is on...
17:48 < aokfire> on my device I have a route to 192.168.2.4/30... in the config it's "route 192.168.2.0 255.255.255.0"
18:09 <@dazo> aokfire: is your VPN and LAN overlapping?
18:10 < aokfire> What do you mean?
18:10 < aokfire> Right now I have two settings that might be: server 192.168.2.0 255.255.255.0 ; push "route 192.168.2.0 255.255.255.0"
18:11 <@dazo> good, and your VPN client's IP address?
18:11 < aokfire> would either of those cause an issue? The devices connecting need to be in that subnet to access local services.
18:11 < aokfire> the client gets an address in the 192.168.2.0/24 subnet
18:11 < aokfire> an unused one. shouldn't overlap
18:11 <@dazo> you can not use overlapping subnets with routed VPN
18:12 <@dazo> so the VPN need to be something else, we often use 10.8.0.0/24 in our examples
18:13 < aokfire> Ok, so I can't have the VPN provide a client an IP from that subnet is what you're saying?
18:14 <@dazo> not from the LAN subnet (or any other subnets you want to access over the VPN)
18:14 < aokfire> Oh, huh... is there any way to allow that? All the LAN services restrict access to that subnet only
18:14 <@dazo> what kind of LAN services?
18:15 < aokfire> say ftp. on 192.168.2.0/24 network. It only allows connections from an ip in that subnet
18:15 <@dazo> why?
18:16 <@dazo> who put up that restriction?
18:17 <@dazo> really, the vast majority of TCP/IP based services handle routing across subnets without any issues ... it is how Internet is designed to work
18:17 < aokfire> Me
18:17 <@dazo> how did you add that restriction?
18:17 < aokfire> through configs for the services
18:17 < aokfire> so I mean yes I could change them, but...
18:17 <@dazo> yes, and that *is* the right thing to do
18:18 < aokfire> Is it really not possible to give the VPN Clients an ip from the subnet?
18:18 <@dazo> you can use bridging, which is the completely wrong solution and is a can of worm of other troubles ... bridging is definitely not the right solution for your setup
18:19 < aokfire> Fair enough, and as I've read yeah it sounds messy... so I guess I'll just add the exceptions.
18:19 <@dazo> another hack is to use masquerading, which makes all requests from the VPN look like it comes from the VPN server directly ... which removes transparency and possibility for more fine grained access control
18:19 <@dazo> it's not exceptions you need ... it is really the proper way how to configure TCP/IP based services
18:20 < aokfire> Proper way by allowing the subnets you mean
18:20 <@dazo> yes
18:20 < aokfire> ok
18:20 < aokfire> gimme a sec
18:27 < aokfire> Ok, dazo thank you for helping me so far :). Now I can access my local services. Added the exceptions and it's all good
18:27 < aokfire> Now the only remaining issue is that I cannot access external internet services... not sure what I'm missing. "Name not resolved", so I'm assuming DNS?
18:36 <@dazo> aokfire: you might need to masquerade the VPN subnet, like you do with your LAN ... so that traffic going out on the Internet from the VPN, looks like it comes from your VPN server instead on the Internet
18:46 < aokfire> ohh
19:38 < aokfire> dazo is there a way to masquerade without using iptables...?
19:38 < aokfire> I actually don't have it installed lol... I can but I'd prefer to try and get this working without a firewall first
19:42 < aokfire> And also you're right. Did a tcpdump and it's sending queries from 10.x out to the public net
19:50 < aokfire> Nevermind, got it to work, misunderstood that it's a separate firewall set :)
19:50 < aokfire> Woo, OpenVPN Works :). Now I have secure remote access to my server locally and to get my home IP :)
19:50 < aokfire> Thank you very much for the help dazo and rob0
19:58 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 240 seconds]
20:03 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
20:03 -!- mode/#openvpn [+o syzzer] by ChanServ
22:57 <@ordex> aokfire: I am not aware of any other way to install a masquerading rule
22:57 <@ordex> aokfire: you need iptables to instruct the nftables module in the kernel and that's the only user frontend afaik
--- Day changed Wed Apr 26 2017
00:11 < penguinpowernz> hey does anyone know why my tun0 interfaces are being created but not raised or IPv6 address assigned..?
00:11 < penguinpowernz> can't find anything on google...
00:11 < penguinpowernz> scoured over the man page
00:12 < penguinpowernz> updated both client and server to 2.4.0
00:14 < gehidore> !welcome
00:14 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
00:14 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
00:17 < gehidore> !goal
00:17 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
00:18 < penguinpowernz> !goal
00:18 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
00:19 < penguinpowernz> setup private network between server and clients, no routing needed
00:19 < gehidore> penguinpowernz prepend that with `!goal `
00:19 < penguinpowernz> !goal setup private network between server and clients, no routing needed
00:20 < gehidore> oh wait I misread it :P
00:20 < gehidore> you did good
00:20 < gehidore> I've been pounding my head on my desk too much I must have smudged my glasses
00:21 < penguinpowernz> lol
00:21 < penguinpowernz> that kinda day huh?
00:21 < penguinpowernz> slash night
00:25 < gehidore> so I've got a functioning openvpn instance no tap/bridging nonsense... after one of the updates between yesterday and 2 weeks ago (Arch Linux) gives me this error when started via `systemctl start openvpn-client@company` https://ptpb.pw/ME8R however when invoked via `openvpn /etc/openvpn/client/company.conf` it fires up fine, this is the service file I have that came with the package for openvpn 2.4.1
00:25 < gehidore> https://ptpb.pw/X8mf is this an issue to discuss here or to I need to bug the folks in #systemd?
00:26 <@krzee> gehidore: its ok to ask here, but i cant help with it
00:27 < gehidore> krzee can't help because?
00:28 <@krzee> i know nothing about systemd
00:28 <@krzee> i figure its fair game as a question tho since the devs seem to be shipping systemd scripts
00:28 < gehidore> fair enough, it /feels/ like a systemd issue to me but it also seems like the file ships from upstream openvpn :D
00:29 <@krzee> exactly, on both
00:29 <@krzee> haha
00:29 <@krzee> so stick around and ask when theres others, but maybe try a systemd channel too
00:30 < gehidore> and Ieither my google fu is weaker than it used to be or all search engines suck, I was unable to find a similar issue anywhere but again... search terms
00:30 < gehidore> krzee yarr I'll lurk until I figure this out at least, I'll poke #systemd while I'm at it
00:31 < penguinpowernz> here's my logs and config... so confused https://gist.github.com/penguinpowernz/08b32b9066d36addef3889be818a6864
00:31 <@vpnHelper> Title: client.log · GitHub (at gist.github.com)
00:32 < penguinpowernz> @gehidore got a link to the systemd service file?
00:33 < penguinpowernz> or is it just the one from the AUR package?
00:33 < gehidore> penguinpowernz core
00:33 < gehidore> and my second link is the service file
00:34 < penguinpowernz> ahh
00:34 < gehidore> I guess I could pull from testing and test that but I have a strong dislike for downgrades that result from such things...
00:35 < penguinpowernz> huh... openvpn support sdnotify
00:36 < penguinpowernz> did you try inlining the certs?  or rather store em in root?
01:17 < gehidore> penguinpowernz I'll try that in the morning, it's just entertaining that it's worked for well over 2 years this way and suddenly not
01:24 < notmike> Lady Stardust sang the songs of darkness and dismay
01:27 < penguinpowernz> oh damn that sucks
01:37 < penguinpowernz> anyone had success using ifconfig-ipv6-push to assign address to a client?
01:37 <@ordex> penguinpowernz: it does not work for you ?
01:37 <@ordex> penguinpowernz: not sure when i used it last time, but not sure why it would not work
01:39 < penguinpowernz> yea judging from the log it seems to give the IP to client: 'PUSH_REPLY,tun-ipv6,sndbuf 212992,rcvbuf 212992,ping 10,ping-restart 60,ifconfig-ipv6 fd47:6b90:xxxx:xxxx::100/64 fd47:6b90:xxxx:xxxx::,peer-id 0,cipher AES-256-GCM' (status=1)
01:40 < penguinpowernz> and i see this output from the learn-address script: update fd47:6b90:xxxx:xxxx::100 client
01:40 < penguinpowernz> but tun0 on either end is never set to UP nor does either get assigned an IP address
01:40 < penguinpowernz> even the server side...
01:40 < penguinpowernz> am I supposed to leave ipv4 networking on?
01:41 < penguinpowernz> cos i removed any ipv4 stanzas
01:42 < Hamy> I am using OpenVPN 2.4.0 . Even when I'm not specifying the "--float" option in server side, the server still pushes "peer-id" to the clients adding 3 bytes of overhead in each packet. Is this a normal behavior?
01:42 <@ordex> penguinpowernz: hmmm not sure to be honest - mabe you give it a try
01:46 < penguinpowernz> peer-id 0 Hamy ?  I'm seeing that go through and I'm using static addressing via CCD
01:46 < penguinpowernz> yea i think i will have to ordex
01:48 < penguinpowernz> 2.4.0 args for ifconfig-ipv6-push is ipv6addr/bits ipv6remote
01:49 < penguinpowernz> but when i put it that way the learn-address gives "add fd47:6b90:xxxx:xxxx:: dcfe07e123ac"
01:50 < penguinpowernz> hmmm seems to push the right IP (::100) to  the client though
01:53 < Hamy> penguinpowernz, yes it's the same peer-id. from what i understood it is used in the new data channel structure to keep track of clients for when they float: https://build.openvpn.net/doxygen/html/network_protocol.html
01:53 <@vpnHelper> Title: OpenVPN: OpenVPNs network protocol (at build.openvpn.net)
01:54 < Hamy> it effectively adds 3 bytes of overhead to each client packets. it seems to me that it should be off when the "--float" option is not specified in the serve configuration
01:55 < penguinpowernz> --float
01:55 < penguinpowernz> Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used). --float when specified with --remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. This is useful when you
01:55 < penguinpowernz> are connecting to a peer which holds a dynamic address such as a dial-in user or DHCP client.
01:55 < penguinpowernz> Essentially, --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option.
01:56 < penguinpowernz> hmmm.. I guess you'd have to dive into the source to check that behaviour...
01:57 < Hamy> yeah. but tbh it's bit too advanced for me. i'm hoping a developer could explain this
01:58 < penguinpowernz> right yea...
01:58 < penguinpowernz> have you tried the arg Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used). --float when specified with --remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session.
01:58 < penguinpowernz> This is useful when you are connecting to a peer which holds a dynamic address such as a dial-in user or DHCP client.
01:58 < penguinpowernz> Essentially, --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option.
01:58 < penguinpowernz> shit
01:58 < penguinpowernz> Hamy have you tried the arg --single-session
01:58 < penguinpowernz> ??
01:58 < penguinpowernz> might help....? After initially connecting to a remote peer, disallow any new connections. Using this option means that a remote peer cannot connect, disconnect, and then reconnect.
01:59 < penguinpowernz> would suck for bad connections by the sound of it...
01:59 < penguinpowernz> also there is another channel with devs in it... I think that may be solely for development talk though, not support type things... I haven't been there.. I think it is #openvpn-devel
02:00 < Hamy> hmm, not actually. i have not. i will give it a try. thanks. the weird thing is that if i use 'pull-filter ignore "peer-id"' , in clients configuration, it works fine
02:01 < Hamy> thanks :)  guess i'll look into that channel as well
02:01 < penguinpowernz> here is the 2.4.0 man page btw https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
02:01 <@vpnHelper> Title: Openvpn24ManPage – OpenVPN Community (at community.openvpn.net)
02:01 < penguinpowernz> might be CTRL+F-ing through there a bit
02:01 < penguinpowernz> *might be worth
02:01 < penguinpowernz> if you didn't already...
02:01 < Hamy> yes. i've read pretty much all of it...
02:02 < penguinpowernz> ah yep
02:03 < penguinpowernz> sunuva bitch... you do need IPv4 enabled to get the tun0 interface up...
02:07 < Hamy> nope, using --single-session did not make a difference. it still pushes peer-id
02:08 < penguinpowernz> gutted
02:11 < penguinpowernz> man so much love from github PR's but it's unrequited from the OpenVPN team...
02:15 < penguinpowernz> gehidore: I saw some mentions of openvpn dropping root privs after starting... is it possible a newer version starting dropping privs before loading those certs?
02:16 < penguinpowernz> you would think it would give a different error message though...
02:17 < yang_> which key and what size would usually be sufficient for the upstream ISPs not being able to decode the traffic ?
02:21 < yang_> is there a good comparison chart of the keysizes etc.
02:30 < Hamy> yang_, when you say "key" i assume you mean cipher, right?
02:32 < yang_> yes
02:33 < Hamy> do not use ciphers with size less than 128bit and if you can, use the default ones in OpenVPN 2.4 (GCM ones). the overhead is lower than the CBC and they are very secure by todays standard
02:33 < Hamy> "The data channel now supports AEAD ciphers (currently only GCM). The AEAD packet format has a smaller crypto overhead than the CBC packet format, (e.g. 20 bytes per packet for AES-128-GCM instead of 36 bytes per packet for AES-128-CBC + HMAC-SHA1)."
02:33 < yang_> are higher ciphers more cpu intense to decode/sync and what about traffic and lag-latency
02:34 < Hamy> yes, they require more cpu (and possibly more ram?). the latency depends on how fast each side can process the traffic
02:36 < yang_> ok thank you for information. Are GCM keys only 128 bit keys ?
02:38 < yang_> this is probably setting "cipher AES-128-GCM"
02:43 < yang_> also will GCM ciphers work in older openvpn versions aswell ?
02:47 < Hamy> no, afaik GCM introduced in OpenVPN 2.4 . but the server should be backward compatible
02:48 < Hamy> to get full list of supported ciphers, use 'openvpn --show-ciphers' command
02:52 < yang_> and the keysize og 2048 bit along with that GCM cipher should be safe too ?
02:53 < yang_> og/of
02:57 < Hamy> ... i don't think there is any supported cipher which such size in openvpn. 256bits is the mex
02:58 < Hamy> like AES-256-GCM
02:59 < Hamy> i got a response from a developer regarding the peer-id option always being pushed to the client even when --float is not specified. i'm gonna paste it here incase anyone's interested
02:59 < Hamy> "--float has no effect on multipoint-servers, and never had ... and we have way too much conditional code, so we consciously decided "this feature is always-on" - it's good for performance as well, as the extra 3 bytes make the rest of the packet properly 32bit-aligned = better crypto performance"
03:18 -!- haasn is now known as hanna
04:54 < c-101> Hello there
04:54 < c-101> !welcome
04:54 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
04:54 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
04:54 < c-101> !route
04:54 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
04:55 < c-101> !1925
04:55 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
04:57 < c-101> !goal i would like to tie a CN to a very specific subnet source ip to make sure a user does not copy a certificate to a machine and uses it to login from outside local network (some users may acces remote, so firewalling all the OpenVPN is not an option)
04:58 < c-101> !goal
04:58 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:01 < c-101> !gwto
05:01 < c-101> !howto
05:01 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
05:08 < c-101> !ask
05:08 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
05:09 < c-101> !man
05:09 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
06:07 < c-101> solved it digging in the doc
06:07 < c-101> thanks
06:28 <+hyper_ch> krzee: already awake?
06:56 < Flotho66> good evening everyone,
06:56 < Flotho66> is it possible to a have specific IP's set to dede
06:57 < Flotho66> dedicated machine based on mac Adress
06:57 < Flotho66> mostly like DHCP leases
07:23 <+hyper_ch> you can set a ded. ip based on the cert
07:55 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Quit: ZNC - http://znc.in]
07:57 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
07:57 -!- mode/#openvpn [+o mattock] by ChanServ
07:59 <@krzee> hyper_ch: wassup
07:59 <@krzee> Flotho66:
07:59 <@krzee> !static
07:59 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder, or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range, or (#5) See also: !addressing
08:00 <+hyper_ch> krzee: how to detect mitm / ssl proxy server
08:00 <@krzee> in relation to openvpn?
08:18 < skyroveRR> Hi krzee
08:23 <@krzee> ohai!
08:24 < DArqueBishop> <hyper_ch> krzee: how to detect mitm / ssl proxy server
08:24 <@krzee> i dont really understand the question without more to it
08:24 <@krzee> like, are we talking about openvpn?
08:24 < DArqueBishop> Correct me if I'm wrong, but the easiest way to detect a MITM proxy would be if the cert fails validation.
08:24 < DArqueBishop> In OpenVPN, that is.
08:25 <@krzee> in openvpn or not in openvpn, yes
08:25 <@krzee> and openvpn specific, you can sign server certs specially
08:25 <@krzee> !servercert
08:25 <@vpnHelper> "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) or just use build-key-server in easy-rsa, or (#3) this will help with !mitm
08:25 <@krzee> !mitm
08:25 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: remote-cert-tls server in the client config
08:26 <@krzee> because if not, a client cert would pass the CA tests
08:26 < DArqueBishop> I had to undergo some security training for work yesterday, and they showed a video where they tried to describe how someone using a wifi interceptor could sniff your bank account credentials. I was like, " ... but how does that get around SSL?"
08:26 <@krzee> find a broken CA and get a valid cert?
08:27 <@krzee> find a CA that uses weak hashing algorithms?
08:27 < DArqueBishop> Right, but that wasn't mentioned. :-)
08:27 <@krzee> use the new method where you use a different language's characters and it still looks the same on the browser?
08:29 <@krzee> http://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html
08:29 <@vpnHelper> Title: This Phishing Attack is Almost Impossible to Detect On Chrome, Firefox and Opera (at thehackernews.com)
08:29 <@krzee> however, i have no idea what hyper is referring to... web ssl? openvpn? a proxy that he uses on purpose?
08:30 <@krzee> malicious mitm or corporate mandated?
08:30 <@krzee> etc
08:31 < DArqueBishop> Some would argue that "corporate mandated" would still count as malicious.
09:15 < sjk> hi. i'd like to to setup a vpn in a "remote worker" fashion between a couple of clients (raspbian) and my home network gateway (openbsd). no bridging, so tun.
09:16 < sjk> would you recommend using a combination of certs (generated with easy-rsa perhaps?) and local account auth?
09:18 <+hyper_ch> krzee: problem is already solved :)
09:24 <@dazo> DArqueBishop: you'd be surprised to see all those users just clicking "Okay!" if they're provided with a warning that the certificate is invalid, but you may confirm an exception .... or rather, you'd be surprised how many would not be stopped by this
09:25 < DArqueBishop> dazo: I've worked end-user support. Believe me, I wouldn't.
09:25 <@dazo> (and people even complain about HTST blocking users from their (missconfigured) web servers when the certs don't match ... HTST removes the override chance in Firefox at least, and I believe Chrome/Chromium too)
09:25 <@dazo> hehe :)
09:25 < DArqueBishop> I wouldn't even be making that observation if he had included a bogus cert warning.
09:27 < sjk> should one use easy-rsa or easy-rsa-old with openvpn 2.4.1?
09:27 <@dazo> for OpenVPN ... you can also add --verify-hash ... where you give the fingerprint to the L1 CA (the first CA signing the server certificate)
09:27 <@dazo> sjk: openvpn 2.4 works with any CA tool ... I'd advice you to use the new easy-rsa these days though, that code is being maintained and developed
09:28 <@dazo> or XCA if you fancy some GUI tool instead
09:28 < sjk> dazo: thanks!
09:38 < sjk> will openvpn 2.3.4 connect to a 2.4.1 server without trouble?
09:40 < DArqueBishop> sjk: yes.
09:40 < DArqueBishop> I have a 2.3.x client on my work desktop that connects to a 2.4.x server.
09:40 < sjk> DArqueBishop: thanks!
09:46 < sjk> when generating client certs (easyrsa build-client-full client.name), should one leave the pem pass phrases empty to be able to connect without manual intervention?
10:18 <@dazo> sjk: correct
10:19 <@dazo> (unless there is a 'nopass' alternative when creating the certificate .... I don't recall now.  PKCS#12 files works like that with an empty password at least)
10:26 < xx00__> You only ever need single core chipsets, right?
10:27 < xx00__> Multicore is useless from what i understand
10:30 < MacGyver> In the context of openvpn?
10:31 < MacGyver> Openvpn isn't multi-threaded last I checked, so it can only utilize a single core per process at any one time.
10:42 < xx00__> ok yes that’s what i understand
10:42 < xx00__> are three devices interacting with a router three processes?
10:42 < xx00__> or a single process
10:43 < xx00__> a VPN router that is
10:49 < MacGyver> That wholly depends on the openvpn setup on that router.
10:49 < MacGyver> Mostly, if they're connecting to a single port, it's going to be a single process.
10:50 < MacGyver> With multiple ports, can be multiple processes.
10:50 < MacGyver> And you can also do some network stack magic and round-robin it between different processes.
10:50 < MacGyver> Most of the time, though, this is a non-issue.
11:08 <@dazo> A single openvpn process can at least handle 140-150 clients at the same time on fairly simple hardware
11:08 <@dazo> (1GHz CPU)
11:10 <@dazo> where OpenVPN really gets into trouble, is when those 150 clients connects at the exact same time and do the re-negotiation at approximately the same time  (we have some patches being reviewed on the ML to spread that out with some type of randomness though)
11:10 < sagatak> dazo: provided the users are not about to log in :P
11:10 < sagatak> (depends a lot on the usage pattern, is my meaning)
11:10  * sagatak crawls back under his rock
11:10 < sagatak> dazo++
11:11 <@dazo> the TLS setup requires some CPU time, and each client is handled one-by-one .... so if that process takes 0.33sec ... you get 3 clients per second ... which means with 150 users, there might be ~50 seconds with lots of lagging in the traffic flow on the VPN
11:12 <@dazo> (0.33s is not an exact number of any type ... it's just a random number without any scientific background, but used to illustrate the problem)
11:13 <@dazo> likewise ... if you use user-password authentication which doesn't respond quickly and does not make use of the deferred auth feature (only for --plugin) ... then that will also slow down things further
12:05 < Chotaire> Hi all. Since the centos7 update of openvpn to version 2.4.1 I am unable to connect to a sophos xg firewall which is providing me with a static peer address. I see the following push message: "ifconfig 10.242.2.201 10.242.2.1" however openvpn is trying to issue the following invalid do_ifconfig command: /sbin/ip addr add dev tun10 10.242.2.201/-1 broadcast 255.255.255.255
12:06 < Chotaire> why would openvpn suddenly parse this push message with a netmask of /-1 ? what can I do about this?
12:12 <@dazo> Chotaire: ouch ... can you please provide a full --verb 4 log?
12:12 <@dazo> !logs
12:12 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
12:13 <@dazo> Chotaire: it sounds like there might be some mismatch between --topology and --mode p2p ... but need logs to confirm
12:14 <@dazo> Chotaire: and feel free to bug me about the Fedora EPEL packages for centos 7 .... I'm the new openvpn package maintainer in the Fedora world
12:16 < zamba> i'm using openvpn to create a layer-2 tunnel between to locations to run iptv
12:16 <@dazo> zamba: iptv ... what kind of protocols are involved for that?
12:17 < zamba> dazo: i'm not sure
12:17 < zamba> UDP for the transport, at least
12:17 < zamba> so i think it's packet drops that's causing this
12:17 <@dazo> depending on broadcast or multicast?
12:18 < zamba> dazo: how can i check that?
12:18 < zamba> i believe it's multicast
12:18 <@dazo> okay, I'd recommend you then to move up to --dev tun (layer-3) instead of tap (layer-2) ... and dig into routed multicast setup
12:19 <@dazo> less overhead, less broadcast noise and generally a better performing VPN tunnel ... but, routed multicast is the tricky thing for you in this case
12:20 < zamba> i was told i needed to use tap for this
12:20 <@dazo> by whom?
12:20 < rob0> probably by someone who didn't know about routed multicast :)
12:21 <@dazo> ;-)
12:21 < zamba> 239.192.1.x is a multicast address, right?
12:21 <@dazo> yeah, that smells like multicast
12:22 < Chotaire> dazo: https://pastebin.com/a0QyUtsE
12:22 <@dazo> zamba: oh wait ... hmmm ... I may confuse it ... https://en.wikipedia.org/wiki/Multicast_address
12:23 <@vpnHelper> Title: Multicast address - Wikipedia (at en.wikipedia.org)
12:24 <@dazo> ahh, no worries ... The 239.0.0.0/8 range is assigned by RFC 2365 for private use within an organization  (Administratively scoped IPv4 multicast addresses)
12:24  * dazo confused himself
12:27 < zamba> yeah, i can see my set top box joining and leaving multicast groups as i change channel:
12:27 <@dazo> Chotaire: I wonder if you've been bitten by some misconfiguration bug - which openvpn 2.3 silently allowed .... I see this in the PUSH_REPLY:  [...],topology subnet,[...],ifconfig 10.242.2.201 10.242.2.1
12:27 < zamba> 19:21:04.772957 IP 10.175.42.148 > 239.192.1.88: igmp v2 report 239.192.1.88
12:27 < zamba> 19:21:06.678485 IP 10.175.42.148 > 224.0.0.2: igmp leave 239.192.1.88
12:27 < zamba> 19:21:06.703085 IP 10.175.42.148 > 239.192.2.91: igmp v2 report 239.192.2.91
12:28 < Chotaire> dazo: there is no way to reconfigure this, unless i want to file a ticket with sophos which takes 2 years to fix.
12:28 <@dazo> Chotaire: I'd bring this up with your sophos firewall supplier/admin .... I know one of the guys in sophos which have worked on their openvpn implementation, I'll bring it up now!
12:29 < Chotaire> I am the admin and there is no supplier. i use the free version.
12:29 < Chotaire> previous reports were mostly ignored.
12:31 < Chotaire> does openvpn 2.3 have any vulnerabilities? in this case all I can do is downgrade to 2.3
12:31 <@dazo> Chotaire: fair enough ... I've anyhow just ping'd the guy .... I vaguely remember he spoke about a similar issue at the last hackathon we had ... but I don't recall the details about fixes or workarounds
12:32 < Chotaire> the only workaround is to not use a static peer address. but that's not an option for me.
12:32 <@dazo> do you have control of the ccd config files?
12:33 <@dazo> (for this client, that is)
12:33 < Chotaire> yes
12:34 <@dazo> if you can make the server push:  ifconfig 10.242.2.201 255.255.255.0  .... then that should work
12:34 < Chotaire> well... it's sophos xg.. let me see if I can even find useable config files in the shell
12:34 < Chotaire> can I make the client ignore this push message?
12:35 < Chotaire> and just set the static peer ip address on its own?
12:35 <@dazo> well, yes ... but as long as the openvpn server is configured for 'topology subnet' ... the ifconfig must have a netmask as the second argument
12:35 <@dazo> Look at --pull-filter
12:37 < Chotaire> I found openvpn.conf in /cfs/system/openvpn
12:37 <@dazo> okay, and look for 'client-config-dir' in that config
12:37 < Chotaire> that directory just has a file named "*" which has the content "disabled"
12:38 < Chotaire> the server has the config option "ccd-exclusive" and runs client-connect and client-disconnect scripts
12:38 <@dazo> okay ... so ccd stuff is handled more dynamically ... through --client-connect
12:39 < Chotaire> and yes, it has topology subnet
12:39 <@dazo> Then I'd recommend --pull-filter ignore "ifconfig"  +  --ifconfig 10.242.2.201 255.255.255.0  in your client config
12:40 < Chotaire> interesting client-connect script, wanna see it?
12:40 <@dazo> you cannot change 'topology subnet' on the server ... the only alternative which will work with multiple VPN clients is 'net30', which might break how the sophos firewall expects things to be
12:40 <@dazo> I can have a peek :)
12:41 < Chotaire> dazo: https://pastebin.com/zP1HpwsW
12:43 <@dazo> oh dear ... this should be re-written into something with native postgresql support :-P
12:44 < Chotaire> dazo: Apr 26 13:37:51 pomponio openvpn[5297]: Initialization Sequence Completed
12:44 < Chotaire> hero!
12:44 <@dazo> :)
12:44 < Chotaire> I *HATE* downgrading. you saved me from that.
12:45 < Chotaire> and I like sophos xg enough not to ditch everytime it's being weird.
12:45 <@dazo> Chotaire: As a Fedora EPEL package maintainer I hate that too ;-)  ... now you must just learn to use 'systemctl start openvpn-client@' ;-)
12:46 < Chotaire> uhm.. why is that?
12:46 < skyroveRR> What's the "@" sign for, dazo, at the end?
12:46 <@dazo> skyroveRR: what comes after the @ is the name of the configuration file
12:46 < skyroveRR> Oh.
12:47 <@dazo> skyroveRR: so instead of the old days where the init.d script kicked off all config files in /etc/openvpn ... you can now control each config individually .... and systemd actually manages and watches over each of these configs in parallel
12:47 < skyroveRR> Sounds complicated..
12:48 <@dazo> so 'systemctl status openvpn-client@CONFIG' gives the status for exactly that tunnel .... likewise, journalctl --range today -u openvpn-client@CONFIG gives today's logs of just that tunnel
12:48 < Chotaire> #  cat /etc/fedora-release ; openvpn --version
12:48 < Chotaire> Fedora release 25 (Twenty Five)
12:48 < Chotaire> OpenVPN 2.4.1 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 28 2017
12:48 < Chotaire> i love fedora too, if this is why you were telling me that :)
12:48 < Chotaire> ah, interesting.
12:48 <@dazo> heheh .... yeah, that's my work!
12:49 < Chotaire> oh, and you're also on lineageos. I run openvpn also on my OP3.
12:50 <@dazo> Chotaire: for the time being, stay away from F26 ... unless you have a chance to test openvpn on that first ... there's lots of challenges due to F26 moved to openssl 1.1, which openvpn does currently not support (work in progress)
12:50 <@dazo> Right now openvpn is built against mbed TLS on F26 ... which does not work smoothly for all users
12:51 < Chotaire> I am on rawhide sometimes but I only don't run next release normally.
12:51 < Chotaire> -only
12:51 <@dazo> nice! ... I haven't had time to upgrade my osprey to lineageos yet ... that's in my pipe too, currently running latest CM13, using "opnevpn for android"
12:52 < Chotaire> you should upgrade. last weeks build gave us android 7.1.2
12:52 <@dazo> nice!
12:52 < Chotaire> i wrote a hotspot hack for openvpn.
12:52  * dazo got 2 kids .... which eats up a bit too much of the spare time I have :-P
12:52 < Chotaire> it allows to use openvpn tunnels for hotspot clients :)
12:53 <@dazo> cool!  got it written down somewhere?  I've been missing that, actually
12:53 < BtbN> ... you need a hack for that?
12:53 < Chotaire> yep
12:53 < BtbN> sounds like a pretty normal feature of a router to me
12:53 < Chotaire> not for android
12:53 < Chotaire> T-Mobile and AT&T would kick google ass.
12:53 <@dazo> BtbN: yeah .... android is not a router OS .... so the ip stack is quite different
12:53 < Chotaire> thats why I never released it. I don't want ma bell kick in my door.
12:53 < Chotaire> hehe
12:54 <@dazo> heh
12:55 < nacelle> like you run your phone as an AP and you tunnel the wifi clients connecting to it?
12:55 <@dazo> Chotaire: have you discussed that with Arne Schwabe (plaisthos in this channel)?  (I just presume you use OpenVPN for Android) ....
12:56 < Chotaire> nah, never intended to discuss that. it's less a hack for openvpn than for android.
12:56 <@dazo> Chotaire: well, he might be interested .... maybe his door will be kicked in instead of yours ;-)
12:57 <@dazo> (and Arne is tall as a bear, so I would be more concerned about the guys kicking in his door than Arne himself!)
12:57 < Chotaire> i am not interested in anyone's door being kicked in, I have my reasons :)
12:58 <@dazo> pity :/
13:08 < BtbN> do you live in China or somewhere? Or why are you worried about getting your door kicked for using a VPN on your phone?
13:09 <+hyper_ch> isn't openvpn blocked by the Great Firewall of China?
13:09 < BtbN> How would they block specifically OpenVPN?
13:09 <+hyper_ch> DPI
13:09 < BtbN> how?
13:09 < BtbN> It's just TLS
13:09 <+hyper_ch> IIRC there are parts that make it recognizable
13:10  * hyper_ch eyes dazo, krzee, ecrist
13:10 < BtbN> put it on port 443 tcp, and you're pretty much indistinguishable from https, except for the long lasting connection maybe
13:10 < Chotaire> it doesn't behave like a https connection
13:10 < Chotaire> it can be very well detected
13:11 < rob0> wee have had lots of reeports of Chinese users having trouble
13:11 < Chotaire> hint: tunnel openvpn over https.
13:11 <@dazo> BtbN: not just TLS .... it's an openvpn header ... and if the opcode is of some values (control channel packets), the payload is TLS ... if data channel packets, it's "garbage" (encrypted data packets)
13:11 < rob0> as well as problems with my E key
13:11 <@dazo> BtbN: so you can profile the openvpn wire protocol
13:14 <@dazo> BtbN: if you run openvpn in static key mode ... then you can evade the GFW ... but the security of that is poorer, so you would need to put a different tunnel inside the static key tunnel .... or, what many users use -- obfsproxy
13:14 < BtbN> I guess UDP is not an option at all?
13:15 <@dazo> (openvpn in static key mode does not have a notion of data and control channels ... it's just pure symmetric encryption without a key rotation)
13:15 < rob0> Even static key mode can likely be detected by traffic patterns: this host ONLY talks to that host ONLY on this one UDP port.
13:15 <@dazo> with the static key approach, you can use UDP in theory ... but have no idea how well that fares through the GFW
13:18 < Chotaire> rob0: https://www.bestvpn.com/blog/5919/how-to-hide-openvpn-traffic-an-introduction/
13:18 <@vpnHelper> Title: How to hide OpenVPN traffic – an introduction - BestVPN.com (at www.bestvpn.com)
13:21 < rob0> "OpenVPN by default uses TCP port 1194, ..." no, that's not true.  Default --proto is UDP.
13:21 <@dazo> it just confirms !blog :-P
13:22 <@dazo> !blog
13:22 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
13:22 < Chotaire> haha
13:22 < Chotaire> dazo: thanks again, you're awesome. saved me from a lot of headache. I'll idle around.
13:26 < rob0> Scary thing is: bestvpn is a VPN provider ... they ought to know better.
13:27 <+hyper_ch> rob0: it's not good what they wrote?
13:30 < rob0> I scrolled through it, and there's no mention at all about why openvpn on TCP is not the best choice.  Otherwise it made sense.
13:31 <+hyper_ch> :)
14:26 < semitones> hi all! I was using an automated setup for openvpn, which worked until I changed my LAN IP distribution. Now I think I need to learn how to set it up correctly. If I can't ping the DNS server or the Router from my VPN client, could that be a firewall problem or is it a routing?
14:27 <@dazo> !howto
14:27 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
14:28 <@dazo> semitones: look at #3
14:28 <@dazo> semitones: hard to say if it's routing or firewall .... tcpdump can give some clues
14:28 < semitones> Thanks. I've read these. I've used tcpdump and I can see the outgoing ping requests, but I don't know how to interpret them
14:29 < semitones> (part of the thing is idk what the automated setup did and didn
14:30 <@dazo> tcpdump lists first source IP, then destination IP ... then there is the "packet type" which would with ping be either "ICMP echo request" or "ICMP echo reply" when the ping comes back ... if you only see one of these, something is going wrong
14:31 <@dazo> an example:
14:31 <@dazo> 21:24:39.632988 IP 10.35.7.2 > 10.35.7.1: ICMP echo request, id 13238, seq 1, length 64
14:31 <@dazo> 21:24:39.635368 IP 10.35.7.1 > 10.35.7.2: ICMP echo reply, id 13238, seq 1, length 64
14:31 <@dazo>                    SOURCE-IP   DEST-IP    PACKET-TYPE
14:32 <@dazo> so if the "ICMP echo request" hits the tun/tap interface, but go no further ... that indicates either firewalling on the remote side or bad routing there
14:33 <@dazo> then you need to do tcpdump on the remote side, and see where the packet disappears
14:36 < semitones> Ah, ok that was the part I was missing. Except I don't think I have access to that tool on my verizon router (maybe I do?) but there are a few things I need to check first
14:36 < semitones> for example, where is the config file where I'd add the line "push "route 192.168.1.0 255.255.255.0""
14:36 < semitones> (changing it to 192.168.2.0)
14:38 -!- Vampire0_ is now known as Vampire0
14:38 <@dazo> semitones: do a 'ps faxu' (or similar) on your server box ... (--push are used on server side) ... you will see the full command line of the openvpn process where the config resides
14:39 <@dazo> if not ... I'd bet it is under /etc/openvpn
14:50 < semitones> dazo, alright I've got it. Is a line commented out if it starts with ; ?
14:51 < gartral> hello all, I have two sites that I want to bridge, I noticed in topic that it's a bad idea, why is that?
14:52 < semitones> gartral, general idea is that it introduces more problems than it solves, but the openvpn website has good resources about bridging vs routing
14:53 < Ravenmire> !MirtheN Harry_Potter_Set_-_J._K._Rowling.epub
14:57 <@dazo> semitones: yes, semi-colon is a "remark"
14:58 <@dazo> !bridge
14:58 <@vpnHelper> "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man), or (#4) also see !whybridge
14:58 <@dazo> !bridging
14:58 <@vpnHelper> "bridging" is (#1) Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you, or (#2) See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
14:59 <@dazo> gartral: ^^  the url in #2 in !bridging gives a good overview
15:10 < semitones> dazo, is there any problem if I move the push "route 192.168.2.0 255.255.255.0" down to the extra options portion of the config file?
15:12 <@dazo> semitones: nope
15:12 < rob0> there are no "sections" in a config file; the entire thing is read
15:13 < semitones> kk so that's on now, but still can't ping
15:19 < gartral> ok, yes this isn't what I'm looking for i think, I have a server that I want to use as an exit node that all my traffic goes through but I also want the 2 sites to be on contigous network... this is likely harder than I'm thinking it will be..
15:19 <@dazo> gartral: not really ... it's all basic routing
15:20 <@dazo> !redirect
15:20 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
15:20 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
15:20 <@dazo> !serverlan
15:20 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
15:20 <@dazo> !clientlan
15:20 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
15:20 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
15:20 <@dazo> gartral: with proper subnet segmentation (each local LAN must have its own IP address scope - AKA subnet) ... the rest is all about routing
15:21 < gartral> dazo: it's not that simple, as some clients have keys for site A, and some for site B. but I want all inet traffic exiting through route A
15:21 <@dazo> gartral: yes, that's routing + firewalling
15:22 <@dazo> gartral: right now I am connected to a VPN server which provides me with a non-local public IP address ... and I access subnets from this host which goes via another VPN link to a secondary VPN server, which then again connects me to a LAN behind a VPN client connected to the second VPN server
15:22 < gartral> oh.
15:23  * gartral also has to figure out subnet hopping so servers can talk to each other accross the sites
15:23 <@dazo> [me]--{vpn-server+vpn-client}---[vpn-server-2]-----[vpn-client2]---{lan}
15:23 <@dazo> well, [me] is a vpn-client too
15:24 < gartral> obviously :)
15:24 < semitones> dazo, alright I'm getting things like this in tcpdump... so the machine at least knows something about the server... 16:17:43.812202 IP 10.8.0.6 > FIOS_Quantum_Gateway.fios-router.home: ICMP echo request, id 7, seq 10, length 64
15:24 <@dazo> semitones: try adding -nn to your tcpdumps ... that makes it easier to read :)
15:25 < semitones> and that's from doing tcpdump -i tun0
15:25 <@dazo> but yeah, your ping goes into the tunnel, it seems (hard to say, based on FIOS_Quantum_Gateway.fios-router.home ... which I just guess is the VPN IP address of the server)
15:26 < semitones> well I did ping 192.168.2.1
15:26 < semitones> so somehow it finds out that that translates to FIOS_Quantum...
15:26 <@dazo> that's called DNS resolver ;-)
15:26 < penguinpowernz> is there an up to date roadmap for OpenVPN?
15:27 <@dazo> (which may also include entries in /etc/hosts ... and mdns)
15:27 < penguinpowernz> the one on the wiki is talking about 2010 releases
15:27 <@dazo> penguinpowernz: not really ... what do you want to know?
15:27 < semitones> which is odd because the client can't ping the DNS host I've specified in the settings
15:27 < semitones> ooh
15:27 < semitones> so the server can ping the DNS
15:27 < semitones> but the client can't
15:27 < penguinpowernz> when IPv6 tunnel is coming... without need for IPv4
15:28 < semitones> which makes sense...
15:28 <@dazo> penguinpowernz: it's still on the todo-list ... not ETA as of yet .... it's a fairly intrusive change, as some of the IPv6 address pooling mechanism is based on the IPv4 one
15:28 < penguinpowernz> ah ok
15:28 < penguinpowernz> what is used for issue management ATM?
15:29 <@dazo> penguinpowernz: http://community.openvpn.net/
15:29 <@dazo> (which is really slow now .... unfortunately ... need to check that up again)
15:29 < penguinpowernz> ah yea
15:29 < penguinpowernz> it was OK last night...
15:29 < penguinpowernz> like 12 hours ago...
15:30 <@dazo> yeah, sometimes we're getting hammered with http requests
15:30 < semitones> Let's see -- is it normal to have to go into the router and tell it how to send the ping request BACK?
15:31 < penguinpowernz> could also be the 1990's issue manager :P hueheuheue
15:31 <@dazo> semitones: it might be ... depends on your overall setup
15:31 <@dazo> penguinpowernz: hehe ... nah, we've had people looking into the logs .... someone tries to index a bunch of files at once
15:31 < penguinpowernz> oh I see
15:32 -!- RoBo_V1 is now known as RoBo_V
15:33 <@dazo> (but it would be nice to move over to a self-hosted gitlab instance instead ... or something similar)
15:33 < penguinpowernz> yea man... i would be willing to help out with some grunt work.. migrating docs etc
15:33 <@dazo> mattock: ^^^^^^^
15:33 < penguinpowernz> :D
15:33 <@dazo> (he's the guy who manages all this stuff :))
15:33 < penguinpowernz> ah ok
15:34 <@dazo> but ... his plate is quite full these days, I believe .... but help would be appreciated
15:35 < penguinpowernz> yea I can imagine... how many devs work on OpenVPN?
15:37 < penguinpowernz> has anyone thought of putting openvpn on patreon to help support work on it?
15:37 < semitones> dazo, alright i'm setting up my router to add a route to send all vpn traffic to the vpn server. I'm just not sure what to put for the netmask...
15:38 <@dazo> penguinpowernz: we're about 10 active developers, give or take ... mixed community + corp people
15:38 < penguinpowernz> ah ok
15:39 < penguinpowernz> as in people who work for OpenVPN corporation?
15:39 < semitones> dazo, how do I know if I need 255.255.255.0 or 255.255.255.255?
15:40 <@dazo> penguinpowernz: the company is probably 20-30 people ... but only 4-5 are directly working actively with the community
15:40 < DArqueBishop> semitones: 255.255.255.255 is one address.
15:40 < penguinpowernz> ah ok
15:40 <@dazo> (but the company does a lot more than just this project ... but the project is an important piece in it all)
15:40 < semitones> DArqueBishop, is 255.255.255.0 ALL the addresses?
15:41 < penguinpowernz> ah ok
15:42 <@dazo> semitones: nope ... that is a subnet mask .... so 192.168.0.0 with 255.255.255.0 is a subnet which goes from 192.168.0.0 to 192.168.0.255
15:43 < semitones> whoa~!!! That's amazing
15:44 < semitones> I was excited because I thought that fixed my problem, but it doesn't still
15:46 <@dazo> semitones: if you add one more bit to 255.255.255.0, (255.255.255.0 == 1111 1111 1111 1111 1111 1111 0000 0000) then you get 255.255.255.128 ... which halves the scope to 0-127  (128 IP addresses) ... adding yet one more is another half .... the netmask decides how you split your network into subnets
15:46 <@dazo> so when we use the /24 notation ... that means 24 bits set (which is 255.255.255.0) .... /25 means 255.255.255.128
15:46 <@Eugene> Its turtles, all the way down.
15:46 <@dazo> hehe ... yeah :)
15:47 < semitones> alright :)
15:47 < semitones> so I can tell I want the router to route things for the entire 255.255.255.255 segment, so I put that in there
15:48 <@dazo> https://tr1.cbsistatic.com/hub/i/2015/06/03/e12590c5-0987-11e5-940f-14feb5cc3d2a/subnetting_c.png
15:48 <@dazo> 255.255.255.255 means only a single IP address
15:48 < semitones> My bad, I meant to say I put 255.255.255.0 in there -- but I still can't ping the VPN IP address from the LAN
15:48 <@dazo> yeah, with .0 (/24) that gives the complete subnet
15:50 < semitones> I have this in the routing table on my router now: http://paste.ubuntu.com/24462830/
15:50 < semitones> maybe there's a glaring mistake (like i don't know what the metric column is for)
15:51 <@dazo> semitones: the metric is just used to prioritize routes ... if you don't have overlapping rules (multiple possible paths), you don't need to worry about metrics
15:52 <@dazo> but that line you pastebinned ... that says that the 10.8.0.0/24 subnet goes via 192.168.2.157
15:52 < semitones> So that is the IP address of the VPN server
15:52 <@dazo> then this makes sense
15:53 <@dazo> !tcpip
15:53 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
15:53 < semitones> thanks
15:53 <@dazo> semitones: the 3.1 chapter goes quite into details on the routing ... can be a bit heavy ... but combined with what we've shared here, the pieces should fall into place
15:53 < semitones> so my current problem (and maybe this doc will help) is why my pings are still not getting through. Thanks dazo
15:54 <@dazo> semitones: there are 2 route paths to think of ... first is to get the packets from your VPN client to your LAN box ...  and then the second part is when the LAN box replies, it needs to have the proper return route ... it is the same stuff tackling both ways, but you need to think of both directions
15:57 < semitones> dazo, ok and there are also two firewalls to think of -- the iptables on the vpn box (i think it logs to dmesg? idk) and the firewall on the verizon box (idk how it works)
15:57 <@dazo> correct
16:03 < semitones> ok there's progress. I can now ping unidirectionally. My laptop is 192.168.2.175 and it can ping 10.8.0.6, but not the other way around
16:04 <@dazo> can also be firewall on your laptop
16:05 <@dazo> this is actually a good explanation of IP subnet calculation ... https://networkengineering.stackexchange.com/questions/7106/how-do-you-calculate-the-prefix-network-subnet-and-host-numbers
16:05 <@vpnHelper> Title: ipv4 - How do you calculate the prefix, network, subnet, and host numbers? - Network Engineering Stack Exchange (at networkengineering.stackexchange.com)
16:08 < nbastin> semitones: when you say you can ping unidirectionally, do you mean you see the echo request on the destination (via tcpdump or something), or do you mean the ping tool on your side actually reports a response?
16:09 < semitones> ping reports a response
16:10 <@dazo> then that route is actually in order
16:10 < nbastin> ok, so it's not a basic routing problem
16:10 < semitones> yes! celebrations are in order! And now, i'm thinking maybe there's a firewall either on the router or the laptop that's blocking incoming connections from 10.8.0.0
16:11 < nbastin> semitones: that would be a sortof odd stateful firewall, if it's tracking icmp echo but not allowing new connections
16:11 < nbastin> (not that this is impossible, of course)
16:12 < nbastin> semitones: does your laptop have a firewall of any sort on it?  You might just not be responding to icmp echo requests
16:13  * dazo bets on local firewall on laptop
16:13  * nbastin will not bet against that bet.. :-)
16:14 <@dazo> :)
16:16 < semitones> i'm gonna look for iptable logs but I'm pretty sure I haven't set up iptables
16:16 < semitones> the other problem is that 10.8.0.6 can't ping 192.168.2.1 or any other machine on the network
16:17 < nbastin> semitones: what is the laptop OS?
16:17 < nbastin> (I came in in the middle, sorry)
16:17 < semitones> nbastin, ubuntu linux, no problem :)
16:17 < nbastin> semitones: ufw is not enabled?
16:17 < semitones> honestly don't know. i've never looked at it
16:17 < nbastin> (I will not really claim to understand how this works, I use ubuntu a lot but never as a desktop)
16:18 < nbastin> networkmanager is an awful thing that hurts my brain
16:18 < nbastin> can you ping your laptop from something on the local LAN?
16:19 < semitones> trying that
16:20 < semitones> yes, ping works from the local lan
16:21 < nbastin> well this seems a little weird
16:21 < semitones> so we've ruled out the laptop firewall. Can we rule out the router firewall?
16:21 < nbastin> semitones: we can't rule it out, but this is getting more and more weird.. :-)
16:21 < nbastin> semitones: what is the topology?  maybe I missed something
16:21 < nbastin> like where are the ovpn endpoints, for starters
16:21 <@dazo> if your laptop is on a safe net (where you trust all other connected devices) ... you can do:  iptables -P INPUT ACCEPT; iptables -F INPUT .... that completely disables the firewalling on incoming packets
16:22 < nbastin> laptop - router - (ovpn) - router - dest?
16:23 < semitones> Ok, so the home network is 192.168.2.0. I have a VPN server living on 192.168.2.157. The openVPN assigned IP network is 10.8.0.0. My phone connects to the VPN over data, and gets assigned the IP address of 10.8.0.6.
16:24 < nbastin> VPN server is living on your local LAN?
16:24 < semitones> And sitting at my laptop, I could ping 10.8.0.6 and get a reply, but I couldn't go on my phone and ping 192.168.2.175 or any other computer
16:24 < semitones> nbastin, yes
16:24 < nbastin> your phone can ping things?  :-)
16:25 < nbastin> is your vpn server an appliance, or just a random linux box?
16:25 < semitones> nbastin, yeah, I have a terminal app. And it does work -- when I'm connected my phone to my wifi, I can ping the laptop
16:25 < semitones> nbastin, it's an openmediavault, which is based in debian
16:25 < nbastin> mostly, can you get a shell?
16:25 < semitones> it has gui for a lot of things, but the system is accessible
16:25 < semitones> I'm sshed into it now
16:25 < nbastin> I wonder if that thing is actually proxy arp and icmp-ing or something
16:25 < nbastin> and your phone is not really getting the echo request
16:26 < semitones> can we test that?
16:26 < nbastin> I mean I'm down to really weird problems at this point
16:26 < nbastin> yeah, we can
16:26 < semitones> Ok, my phone isn't connected to the VPN at this point, so can we expect that 10.8.0.6 will NOT reply>?
16:26 < nbastin> well, crap, maybe not
16:26 < nbastin> there's no real interface to tcpdump on here
16:26 < semitones> aand it doesn't reply :)
16:27 < nbastin> sure, but it wouldn't even if the router was playing proxy
16:27 < nbastin> which I don't think it is, as that is wacky, but it's possible
16:27 < nbastin> your openvpn on the vpn server has a tun interface?
16:27 < semitones> I've been listening to the tcpdump on the tun interface on 192.168.2.157 -- which sees the successful ping complete
16:28 < nbastin> ah phooey that tun interface is in the wrong network
16:28 < nbastin> (I was hoping to find a MAC)
16:28 < nbastin> but you're doing L3 vpn I guess
16:28 < nbastin> so we're probably never going to get a good answer to that problem
16:28 < nbastin> hrm
16:28 < nbastin> so that tcpdump, doesn't see an echo request from the phone?
16:29 < semitones> right, it sees the outgoing request from the phone, but nothing incoming
16:29 < nbastin> oh
16:29 < nbastin> well that we can defintiely work with
16:29 < nbastin> you see an echo request but no echo reply?
16:30 < semitones> what can we do with that? yes i'll copy it for you
16:30 < nbastin> well we can presumably trace that echo request across your lan
16:30 < nbastin> easier than we can trace a reply across your phone.. :-)
16:31 < semitones> 17:25:36.798187 IP 10.8.0.6 > 192.168.2.175: ICMP echo request, id 12, seq 2, length 64
16:31 < semitones> et cetera
16:32 < nbastin> ok, so tcpdump on your laptop interface facing the vpn server
16:32 < nbastin> oh I bet I know the problem
16:32 < nbastin> your vpn server isn't really your internet router?
16:32 < semitones> right it is not
16:32 < nbastin> hrm, although that wouldn't be the problem...
16:32 < nbastin> since you can ping in the other direction?
16:33 < semitones> this tcpdump is from 192.168.2.157 (which is the vpn server) I also have tcpdump on my laptop listening for 10.8.0.0 but it doesn't hear anything
16:34 < nbastin> have your tcpdump on the laptop listen for anything
16:34 < nbastin> (maybe filter out ssh if you are ssh'd into it or something)
16:34 < nbastin> you could also filter on ip proto 1 I think
16:35 < nbastin> so you have something like: https://www.dropbox.com/s/94fz6yjnwokr7tt/Screenshot%202017-04-26%2017.29.37.png?dl=0
16:35 < nbastin> ?
16:35 < semitones> looking
16:36 < nbastin> (that switch can be in the router, as like an AP or something, as a logical device)
16:36 < semitones> yeah that's pretty good
16:36 < nbastin> ok
16:36 < semitones> nice drawing
16:36 < nbastin> just trying to make sure I understand.. :-)
16:36 < semitones> there may be two switches, because I have a wifi access point that extends the main router
16:36 < nbastin> so your laptop has a route for 10.8.0.0/24 via 192.168.2.157
16:36 < semitones> but dhcp, etc., is all run from the main router
16:37 < nbastin> and 0/0 via 192.168.2.1
16:37 < nbastin> (0/0 is otherwise spelled as "default")
16:37 < semitones> so 0/0 means everything else (intertoobs, other LAN computers)
16:38 < semitones> well the laptop learned the route from 192.168.2.1 -- i put a routing rule in there
16:38 < semitones> so it goes laptop - router - vpn server - phone
16:40 < nbastin> sorry, was getting a beverage...
16:40 < nbastin> oh
16:40 < nbastin> hrm
16:40 < nbastin> really?
16:40 < nbastin> learned-from is different from using-as-next-hop
16:40 < nbastin> although it could explain the problem
16:41 < nbastin> you cannot tcpdump on the router?
16:41 < semitones> nbastin, sadly no
16:41 < semitones> it is a verizon fiox supplied router
16:41 < nbastin> because that seems like a good idea.. :-)
16:41 < nbastin> <-- tin foil hat man
16:41 < nbastin> ok, so....
16:41 < nbastin> what is your routing table on the laptop?
16:41 < nbastin> (ip route -n)
16:42 < semitones> it's terrible. when i can afford the upgrade i will
16:42 < nbastin> I don't blame you, don't worry.. :-)
16:42 < semitones> just in case you didn't see this -- I recently added this route to the router, which made the ping work halfway: http://paste.ubuntu.com/24462830/
16:42 < nbastin> oh good
16:43 < nbastin> if you can give me the route tables on the laptop and on the vpn server, that may solve it (hopefully)
16:43 < nbastin> although your fios router hoojie may be screwing the whole thing
16:43 < semitones> http://paste.ubuntu.com/24463086/
16:43 < nbastin> you already have a sortof wacky triangle routing issue
16:44 < semitones> (this is from the laptop)
16:44 < nbastin> hrm
16:44 < nbastin> ok I am beginning to understand
16:44 < nbastin> your laptop actually has no idea that 10.8.0.0/24 exists
16:44 < nbastin> (aside from through the router)
16:45 < nbastin> if the laptop sends packets to 10.8.0.0/24 through the router, but the vpn server responds, that is likely to cause problems
16:45 < nbastin> the laptop needs to have a route to 10.8.0.0/24 via 192.168.2.157, I suspect
16:46 < semitones> that makes it sound like the router needs to tell the LAN about 10.8.0.0
16:46 < nbastin> right so on the router, you have a route to 10.8.0.0/24 via 192.168.2.157
16:46 < nbastin> right?
16:46 < semitones> yeah, I do
16:46 < nbastin> right, but on the vpn server, it's doing NAT/PAT for the openvpn clients
16:46 < semitones> I'll take your word for it!
16:46 < nbastin> which means the vpn server knows how to reach 192.168.2.175 without going through the router
16:46 < nbastin> since it's directly connected to it
16:47 < semitones> that's true too
16:47 < nbastin> so it doesn't send a packet to the router
16:47 < nbastin> so what you have is echo request laptop->router->server->phone
16:47 < nbastin> but reply is phone->server->laptop
16:47 < nbastin> (triangle routing)
16:47 < nbastin> in this case it's mostly just asymmetric, but a special case of asymmetric.. :-)
16:48 < semitones> aah I see. Why isn't the laptop just accepting the ping reply?
16:48 < nbastin> the laptop is likely to be pretty unhappy about this
16:48 < semitones> (end goal here is to have the VPN clients be able to access the router, therefore the internet)
16:48 < nbastin> so, you are in wacky land now
16:48 < nbastin> if you do not have a strong grasp on ip routing.. :-)
16:49 < nbastin> basically the problem is you have two routers for a subnet, but you're also using default routing
16:49 < nbastin> (which only supports one router)
16:49 < nbastin> this is WAY oversimplifying things in general
16:49 < nbastin> so none of the rest of you lurkers go nuts.. :-)
16:50 < nbastin> so one thing to test
16:50 < nbastin> for the moment, but won't solve your ultimate goal
16:50 < nbastin> is on your laptop do this:
16:50 < nbastin> sudo ip route add 10.8.0.0/24 via 192.168.2.157
16:51 < nbastin> that may fix your ping
16:51 < nbastin> depending on other problems with your vpn server
16:52 < nbastin> although we may need your route table for your vpn server, which I'm not sure I have yet
16:52 < semitones> ok I'll try that. Yeah sounds like I need to read that IBM technical manual.
16:52 < semitones> http://paste.ubuntu.com/24463134/
16:52 < nbastin> well
16:52 < nbastin> it depends on whether you want to understand ALL IP ROUTING, or just enough to get this done.. :-)
16:52 < nbastin> I endorse the former, but the latter is more expedient.. :-)
16:52 < semitones> just enough for this ideally
16:53 < semitones> but eventually everything
16:53 < nbastin> well
16:54 < nbastin> so if you haven't done that route change yet
16:54 < nbastin> if you change your laptop tcpdump to be tcpdump -en -i wlo1 ip proto 1
16:54 < nbastin> that might help
16:55 < nbastin> (ip protocol number 1 is icmp)
16:56 < semitones> Ok, I did the route change, but it didn't seem to affect the ping behavoir
16:56 < nbastin> it appears that ip proto icmp will also work
16:56 < nbastin> change the tcpdump on your laptop at least, we really should be seeing the echo request at least
16:56 < semitones> changing the tcpdump..
16:56 < nbastin> on your vpn server, change your tcpdump to include -e
16:56 < nbastin> (so we can see the MAC addresses, which are controlling here on your lan)
16:57 < semitones> so I've got # tcpdump -e -i tun0 on the VPN server
16:58 < semitones> ok so I'll send the ping the working way first
16:58 < nbastin> ok
16:59 < nbastin> with that route in place I would expect the src mac for your request to be your laptop, and the dst to be your vpn server
16:59 < nbastin> (while the ip dst is still 10.8.0.6)
17:00 < nbastin> you might try using tcpdump -evn to get one level deeper of decode, and no wacky names for addresses
17:00 < semitones> ooh exciting stuff.... the tcp dump on the laptop sees the request/reply from the phone -- the phone just doesn't get it back
17:01 < nbastin> right, that's sortof what I expected
17:01 < nbastin> although less so now, but still.. :-)
17:01 < nbastin> but before...
17:01 < nbastin> I suspect that is what was happening
17:01 < nbastin> so now you have TRUE unidirectional icmp.. :-)
17:01 < semitones> i'm posting the first results http://paste.ubuntu.com/24463165/
17:01 < semitones> heh
17:03 < semitones> do I need to change my routing on my laptop back to removing the route to 192.168.2.157?
17:03 <@dazo> semitones: some routes is missing on the phone
17:03 < nbastin> not yet
17:03 < nbastin> I'm not sure, the phone reaches the laptop
17:03 <@dazo> unless I'm mistaken ... 192.168.2.0/24 should go via the VPN, right?
17:03 < nbastin> the path back is the problem
17:04 < nbastin> 10.8.0.0/24 should go via the VPN
17:04 <@dazo> right!
17:04 < nbastin> there's a massive rewrite problem
17:04 < semitones> all i can hope is that I don't have to configure the client routes any special way -- i hope that the VPN server handles that
17:04 < nbastin> wtf is 192.168.1.175?
17:04 < nbastin> I think you have a typo
17:04 < nbastin> in a config file
17:04 < semitones> where did I type that?
17:04 < nbastin> in the tcpdump from phoen to laptop
17:05 < nbastin> 192.168.1.175 shows up
17:05 < nbastin> which is obviously wrong
17:05 < semitones> oooooh
17:05 <@dazo> that's what made me believe something was wrong with the routing
17:05 < nbastin> so somewhere, that is typo'd.. :-)
17:05 < semitones> i see it now
17:05 < nbastin> dazo: thanks for making me look at that closer.. :-)
17:05 <@dazo> yw! :)
17:05 < semitones> thanks dazo!
17:05 < nbastin> I was building a new diagram, and was like wait wtf...
17:06 < semitones> so the rewrite problem is located...
17:06 < nbastin> you w ill still have a wacky triangle routing if you remove the route on the laptop, but if you fix the rewrite it should work
17:06 < nbastin> (you may get extraneous ICMP redirect messages from your router, but it will work)
17:07 < semitones> Ok! So to track down where that re-write is in the config, these are my thoughts
17:07 < semitones> check the server config on 157 first (look at every config file I can)
17:07 < semitones> then...? I'm not sure what to do
17:07 < nbastin> it seems like maybe openvpn
17:07 < nbastin> because your route tables are ok
17:07 < nbastin> so either on the phone or the vpn server
17:07 < semitones> so the server.conf?
17:08 < nbastin> try that first
17:09 < nbastin> I am MUCH better at ip routing than openvpn... :-)
17:09 < nbastin> (and L2 forwarding...)
17:09 < semitones> well i'm glad you were here to find the problem in tcpdump!
17:09 < nbastin> I can solve your networking problems, other people can hopefully fix your openvpn problems.. :-)
17:10 < semitones> i'm not seeing it in server.conf but I'll need to take it to the road :D (got a gig starting soon).
17:10 < nbastin> yeah so for tcpdump you want to be more accepting in things
17:10 < semitones> less filtering = more accepting?
17:10 < nbastin> so you can find misconfigurations by accepting maybe the protocol or app you want
17:10 < nbastin> versus the IP you want
17:10 < nbastin> (e.g. icmp versus 10.8.0.x)
17:10 <@dazo> !configs
17:10 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
17:11 < nbastin> somewhere you have 192.168.1.x typod instead of 192.168.2.x it seems
17:11 < nbastin> the question is where
17:11 <@dazo> oh ... I need to run :/
17:11 < nbastin> :-)
17:11 < nbastin> dazo: sorry for taking over, was trying to help you out as you help everyone.. :-)
17:12 < semitones> thanka!!!!
17:13 < semitones> I will be back! :D
17:16 < nbastin> semitones: I will probably be here.. :_)
17:22 < WhizzWr> yo guys, I've been reading about mtufix, fast-io, etc. Are those really works for optimzing performance..?
17:22  * nbastin has no idea, where are you runnign this that performance is a factor.. :-)
17:23 < nbastin> (well, mtufix might be something interesting, by the name at least)
18:14 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 255 seconds]
18:17 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
18:17 -!- mode/#openvpn [+o dazo] by ChanServ
18:39 < nbastin> dazo: not sure if you caught before, I didn't mean to run you over
18:40 < nbastin> you help everyone, I was trying to help out...
21:34 < DArqueBishop> nbastin: I'm sure he doesn't mind. :-)
22:06 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:15 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:15 -!- mode/#openvpn [+o syzzer] by ChanServ
23:57 < semitones> nbastin, hey' I'm back, i'm going to look into the client and server configs to try and find the rewrite
--- Day changed Thu Apr 27 2017
00:52 < yarddog> ive been connected to the same server for 4 days with no disconnects, one other vpn was always disconnecting for me
02:25 <+hyper_ch> !howto
02:25 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
04:03 <@dazo> nbastin: don't worry!  I'm happy you could help!  You did a great job too!
04:03 <@dazo> (and I had to run to catch a train, I just forgot about the time)
04:27 < madduck> has anyone figured out a smart way to manage iproute2 routing rules on clients using openvpn?
04:28 <@ordex> madduck: what do you exactly mean ?
04:28 <@ordex> are you referring to a know issue/problem?
04:28 <@ordex> *known
04:29 < madduck> no, just advanced routing, i.e. I need to push a default v6 route to hosts that already have a default v6 route, and add rules so that for packets, the right routing table can be used
04:30 <@ordex> madduck: oh alright, so you'd like openvpn to send table IDs along with routes so that on the client side it is possible to deal with policy routing accordingly?
04:31 < madduck> if that's the way to do it.
04:31 <@ordex> something along those lines
04:31 < madduck> i can also write up my own scripts
04:31 < madduck> but i like not reinventing wheels…
04:31 <@ordex> openvpn can inject routes, but I am not aware of such advanced handling being done internally
04:32 <@ordex> (and that would likely be a linux-only feature, but an interesting one I think)
04:43 < yarddog> does openvpn work on ios like an ipad?
04:43 < madduck> for me, ios still belongs to cisco ;)
04:45 < yarddog> my macOS is old and has been crashing some, i might have to go to an ipad pro, i really have little money
04:52 <@dazo> yarddog: You can run OpenVPN Connect on iOS devices
05:01 <+hyper_ch> "i really have little money" "i might have to go to an ipad pro" - sounds mutually exclusive
05:27 <@ordex> hyper_ch: lol
05:30 <+hyper_ch> ordex: you disagree?
05:30 <@ordex> I have no clue how much the ipad costs to be honest, and Idon't know what he meant with little money :) based onthe country of origin that could be quite different
05:37 <+hyper_ch> it costs more because of the fruit :)
06:02 <@dazo> I am just fascinated that people wants to buy a fruit someone have already had a bite of ... I mean if you do that IRL, the fruit gets rotten quite fast ... unless you eat it up ....
06:02 <@dazo> http://www.hdiphone6wallpaper.com/wp-content/uploads/Apple/Green%20Apple%20LOGO%2002%20iPhone%206%20Wallpapers.jpg
06:04 <+hyper_ch> but fruits are healthy :)
06:07 <@dazo> hyper_ch: if you eat them in time and don't let them sit an rot, yeah! ;-)
06:56 <@ordex> dazo: lol
06:56 <@ordex> :D
07:08 < nbastin> semitones: I'm back, sorry I fell asleep early last night.. :-)
07:40 <@ordex> nbastin: can't accept that!!
07:40 <@ordex> :P
07:49 < nbastin> heh
07:49 < nbastin> The naptrons were strong.
08:37 < notmike> How do I address changing host keys or bad routes when I connect to OpenVPN server from different locations?
08:39 < yarddog> my day for saying dumb things i guess as i did earlier, can openvpn run on windows?
08:39 <@ordex> yarddog: of course
08:39 <@ordex> notmike: host keys ?
08:40 < notmike> Yeah, that's really more of an ssh problem. Everytime I log in from a different subnet I get WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
08:40 <@ordex> ah
08:40 <@ordex> mh
08:40 <@ordex> that should happen when the key changes over the same IP
08:40 <@ordex> why is that the case ?
08:41 <@ordex> should the server retain the same key?
08:46 < kerio> are you "seeing" different servers on the same addresses?
08:49 <@ordex> that could be the case then
08:49 < DArqueBishop> Yeah, that's not an OpenVPN issue.
08:49 < kerio> the solution would be to use hostnames instead of addresses
08:50 < DArqueBishop> notmike: if you're connecting to the same SSH server from different locations and keep getting that error, then something is dreadfully wrong.
08:51 < notmike> DArqueBishop: I'll keep that in mind. I also have an OpenVPN issue. I can connect to the server, but when I tried to connect from a different subnet I couldn't even ping the host. Network unreachable, etc. I had to flush my routing tables.
09:04 < semitones> nbastin, hey, thanks for your help. I just woke up. So what are the chances that openvpn software is causing the ip rewrite error?
09:05 <@dazo> semitones: none ... openvpn does not do any mangling
09:05 <@dazo> If I would guess ... you have some SNAT/DNAT rules on some of your hosts doing that
09:06 <@dazo> unless it is just a silly typo in some config so the wrong IP address is used
09:06 <@dazo> but openvpn itself does never mangle or modify the packets
09:06 < semitones> i looked in the openvpn configs and don't see any typo there
09:06 <@dazo> pastebin the output of 'iptables-save'
09:07 < semitones> on which device do you think?
09:07 <@dazo> on the system where it is most likely to happen ... I don't recall your setup, so hard to tell
09:07 < nbastin> semitones: well it's not so much a rewrite but a misconfig somewhere
09:08 < nbastin> semitones: something in your topology thinks that 192.168.1 is your net instead of 192.168.2
09:09 < semitones> yeah. i have the feeling that it is the pi-hole that thinks that
09:09 < semitones> but lets look at iptables
09:11 < semitones> dazo, well, i guess unfortunately for me, iptables-save didn't turn up anything for any system
09:11 <@dazo> you might have to install it .... it should definitely not give an empty result
09:14 < semitones> dazo, it's already installed on two of the systems, which makes it seem like they just don't have any iptables set up. i'm installing on the last one
09:17 < semitones> aha found it.
09:17 < semitones> (the openmediavault server also has the weird property that the sudoer user can't run all the commands that root can run...)
09:18 < semitones> who was betting on firewall? http://paste.ubuntu.com/24466863/
09:23 < kerio> those rules are...
09:23 < kerio> redundant?
09:24 <@dazo> semitones: those rules looks hackerish .... can you provide an overview of your network layout again, and tell us on which host you found them?
09:25 <@dazo> These SNAT rules do rewrite traffic coming from 10.8.0.0/24  to look like it comes from 192.168.1.175
09:25 <@dazo> and the two last ones .... are ignored, as it is the first one which is hit
09:27 < semitones> hmm ok... i'm guessing that openmediavault software isn't perfect and this is left over from when the network WAS 192.168.1.1 and OMV had 192.168.1.175 as its IP
09:27 < semitones> https://www.dropbox.com/s/94fz6yjnwokr7tt/Screenshot%202017-04-26%2017.29.37.png?dl=0
09:27 < semitones> there's one more thing which isn't on this (very nice) topology map that nbastin made, which is a DNS server at 192.168.2.162
09:29 < nbastin> https://www.dropbox.com/s/db156qjt89qym8f/Screenshot%202017-04-27%2010.24.13.png?dl=0
09:30 < nbastin> (with DNS, for what it's worth.. :-))
09:31 < semitones> thanks! you've got the IP address in there too!
09:32 < semitones> I'm trying to find where iptables config lives to delete that old rule... it's not in ./etc/iptables...
09:32 < semitones> uuuuh forget that leading period
09:35 < semitones> nbastin, your flowchart program is nice
09:36 <@dazo> semitones: so ... where in that flowchart are these iptables rules found?
09:36 < semitones> dazo, i realized I didn't answer your question clearly -- this was found on the 192.168.2.157 machine, which is the openVPN server (aka openmediavault) which used to have the ip address 192.168.1.175
09:36 <@dazo> okay ...
09:37 < nbastin> semitones: omnigraffle, on the mac
09:37 <@dazo> so based on the discussions yesterday, where we moved to (a correctly) routed environment ... the SNAT rules are hacks, mostly added by users not understanding routing
09:38 <@dazo> So just do:  iptables -t nat -F POSTROUTING
09:38 <@dazo> if that works ... you'll need to figure out how to make that change permanent .... there are some tools saving the firewall states .... but I dunno how that's solved in your setup
09:39 <@dazo> (those POSTROUTING rules also contains a potential bug ... it does not match on out-going  device ... which means any packets from 10.8.0.0/24 gets SNATed, regardless of where it is going further)
09:39 < semitones> ok, thanks. so does the SNAT try to accomplish the routing rule I set up on the router (forward all 10.8.0.0 traffic to 192.168.2.157)?
09:39 <@dazo> where "going further" means which network interface
09:40 <@dazo> semitones: those SNAT rules looks like hacks to be honest ... and quite bad ones
09:40 <@dazo> semitones: SNAT actually rewrites the Source IP address from a 10.8.0.0/24 to 192.168.1.175 (in this case)
09:41 <@dazo> when the packet comes back to 192.168.1.175 (which must be a valid configured IP address on the same box), it gets "converted" back to the 10.8.0.0/24 address it originally came from
09:41 < nbastin> (sorry, in a mtg. right now, will try to get back to this soon if it's useful)
09:41 <@dazo> that's the concept of NAT - Network Addressing Table
09:42 < semitones> that's really weird. i know no one who lives here did that. But the openmediavault softwhere could do it?
09:42 <@dazo> hard to tell
09:42 < semitones> ok so thinking through this
09:42 < semitones> if openvpn clients live on the 10.8.0.0 network
09:43 <@dazo> but .... I really need to get some food now ... I've managed to post pone it for 90 minutes already .... and about to get dizzy ....
09:43 < semitones> does openvpn need to translate requests from 10.8.0.0 to requests coming from itself (192.168.1.175) say to get on the internet
09:43 < semitones> dazo, thanks for all your help! I really appreciate it
09:49 < nbastin> (NAT is network address translation, just to be more clear, and what most people think of as NAT is actually PAT, because they use it to share an IP across a larger number of clients)
09:49 < nbastin> linux perpetuates this problem by calling all PAT in iptables --nat, which is annoying
09:51 < nbastin> I don't think you need any kind of NAT or PAT between your openvpn clients and your actual LAN
09:51 < nbastin> they will need PAT to the internet, but your LAN already has that I suspect
09:52 < nbastin> for your internal networks (both openvpn and lan), you just need routing that works.. :-)
10:01 -!- Poster|w is now known as Poster
10:13 < semitones> nbastin, alright let's hope that the LAN handles PAT and the internet correctly. I am going to test pings now that iptables is set correctly for now -- and I'm writing the openmediavault people to let them know about this
10:14 < sbraz> hi, can i have a client-config script that generates ccd directives?
10:15 < sbraz> i have a huge number of clients and i'd like to stop creating one ccd file everytime i add a new client
10:18 < DArqueBishop> sbraz: why do you need them?
10:22 < semitones> nbastin, dazo, good news, I can ping from the phone, across the vpn, to computers on the LAN and internet IPs like 8.8.8.8
10:23 < sbraz> DArqueBishop: because i need to add one iroute per client
10:24 < semitones> I still can't browse the internet from my phone, and tcpdump is full of weird things like repeating ICMP requests for unreachable udp ports (http://paste.ubuntu.com/24467114/ -this was filtered to show only ICMP ports)
10:25 < semitones> but that is a problem for another time. Thanks for all your help!
10:33 <@dazo> nbastin: duh!  Of course, translation - not table!
10:33 <@dazo> as you can see, my blood sugar was alarmingly low! :)
10:36 <@dazo> sbraz: yes ... the last argument passed to the --client-connect script is a file name ... you can write all your ccd stuff to that file on-the-fly and exit with 0, then openvpn will treat that as a ccd file
10:37 < semitones> Alright! I can fix the DNS problems by deleting 192.168.2.162 from my openVPN config! It means I still see ads, but I can access the internet now from VPN! Whoohoo!
10:37 < semitones> It's still a mystery why specifying my own DNS server wasn't working, but that is a mystery I am happy leaving for another day
10:38 < semitones> thank you so much dazo, I learned so much
10:38 < semitones> and thank you nbastin for all your help making sense of everything
10:41 <@dazo> yw! ... learning these things are truly valuable when you play along with networking .... and most of this isn't even openvpn specific, this is mostly basic tcp/ip networking
11:09 < Pilfers> anyone know why my aws instance would suddenly lose routes?
11:09 < Pilfers> and openvpn would stop working
11:09 < Pilfers> also on amazon linux
11:09 < Pilfers> trying to stop/start the service doesnt give any logs
11:09 < Pilfers> service openvpn stop
11:09 < Pilfers> etc
11:09 < Pilfers> any input greatly appreciated
11:52 < nbastin> semitones: yey!  victoire?
13:06 < sbraz> dazo: that is awesome, i didn't think client-connect did that, i guess i didn't read the manpage properly :)
13:44 -!- chantra_ is now known as chantra
14:59 -!- notmike is now known as gucci
15:38 -!- gucci is now known as notmike
17:20 -!- patcable_ is now known as patcable
18:41 < catalase> hello
18:42 < catalase> i just swapped the network interface card on my ubuntu server running openvpn
18:42 < catalase> where do i need to change the value from eth0 to xxx <-- new interface id
18:48 < catalase> ok i found in the before.rules a spot to change eth0 to the corred nic id
18:48 < catalase> i am connected to the vpn, but internet is not coming through
18:49 < catalase> w0000 reboot solved it
19:58 -!- poster is now known as Poster
21:34 -!- gehidore is now known as man
21:47 <@ordex> morning
22:03 -!- man is now known as gehidore
22:37 -!- gehidore is now known as man
22:37 -!- man is now known as gehidore
23:39 < gehidore> moin
--- Day changed Fri Apr 28 2017
00:11 -!- parity_ is now known as Parity
01:01 < phr34k> question - i have a vpn worksite that uses openvpn but w/e i use the vpn all dns requests are routed to intranet
01:02 < phr34k> is there a way to seperate 'internal' i.e. something.work.com traffic from regulair 'external' traffic i.e. google.com
01:09 <@ordex> phr34k: that depends if your system allows yo to do that
01:09 <@ordex> phr34k: if that was my client, I'd use dnsmasq installed locally to redirect things to different DNSs
01:11 < phr34k> i'm on a windows 10 computer
01:11 <@ordex> but I am not sure how that could be "imposed" fromthe VPN server to everybody else
01:11 <@ordex> dunno how that works on windows :( sorry
06:49 < AndrejKralovic> hi  is here somebody who know about openvepn-status.log ?
06:50 < AndrejKralovic> i mean there was in information IP : pid
06:50 < AndrejKralovic> but after 2.4.0 is away pid
06:50 < AndrejKralovic> is possible to have it this inforpation back ... some switch in cfg ?
06:50 < AndrejKralovic> i need it as info about conected user ...
06:57 < AndrejKralovic> example
06:57 < AndrejKralovic> zilina-simonova,84.245.121.254:46151,6811576,13030770,Thu Apr 27 09:03:00 2017
06:58 < AndrejKralovic> 10.8.0.50,zilina-simonova,84.245.121.254:46151,Fri Apr 28 13:51:08 2017
06:58 < AndrejKralovic> there is public IP and : PID of connection
06:59 < AndrejKralovic> but in new version is without : pid ... and without it i  cannot identify which line is together .. at same time
06:59 < AndrejKralovic> somebody know about this changes in OpenVPC server?
07:00 < AndrejKralovic> !welcome
07:00 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
07:00 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
07:00 <@vpnHelper> you
07:09 < sagatak> is there a "magic" directive i can use to replicate step 1 of the "--redirect-gateway" directive (but not everything else)?
07:09 < sagatak> (1) Create a static route for the --remote address which forwards to the pre-existing default gateway. This is done so that (3) will not create a routing loop.
07:10 < sagatak> i have a nasty little second vpn client which doesn't play nicely with anything else (it wipes out all routes), so i'd like to use this so the openvpn client can regain access to my vpn server, after the nasty little thing has wiped everything out
07:17 <+hyper_ch> please do not query people
07:18 <+hyper_ch> if someone knows, they'll answer here
07:18 < AndrejKralovic> ok sorry
08:23 < semitones> nbastin: la victoire indeed! Although if you're curious about how a raspberry pi DNS server might fail in this configuration, stay tuned. Maybe in a few weeks I'll try to figure that out. Once my life normalizes for now :)
08:24 < semitones> My main goals for my VPN are 1. Safe browsing on public networks and 2. Administer stuff on my home network while I'm away
08:24 < semitones> And the DNS helps me with #1 by removing ads
11:23 < nbastin> semitones: you could also look at something more comprehensive like Privoxy for handling ads (and trackers)
11:24 < semitones> thanks for the tip nbastin
11:25 < semitones> that can run on the same box as openvpn i take it?
11:25 < nbastin> semitones: sure
11:25 < nbastin> semitones: you can configure it as your http/https proxy on your clients (you can also use it as a transparent http proxy, but not for https obviously)
12:53 < kerio> !1925
12:53 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
14:31 -!- poster is now known as Poster
16:21 -!- moviuro_ is now known as moviuro
16:42 -!- Vampire0_ is now known as Vampire0
20:58 < Kyoku> is there a flavour of linux that openvpn performs best on?
21:14 <@Eugene> I have never seen it benchmarked between OSes, but I don't think it will make that much of a difference
21:15 <@Eugene> Use what you like
21:16 < vectr0n> comes more down to the hardware wouldnt it?
21:17 <@Eugene> Yup. https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported
21:17 <@vpnHelper> Title: Are cryptographic accelerators supported - PFSenseDocs (at doc.pfsense.org)
21:18 <@Eugene> See also: `openvpn --show-engines`
--- Day changed Sat Apr 29 2017
12:00 -!- allizom1 is now known as allizom
14:47 < AndrejKralovic> someone who knows about openvepn-status.log ?
14:49 < txvln> !welcome
14:49 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
14:49 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
14:50 < txvln> !topology
14:50 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
14:51 < txvln> I'm trying to determine if --up scripts should be able to route traffic normally when connecting as a client.
14:52 < txvln> I've done a lot of testing, and I can reach things on the local machine (via curl), but I can't reach anything outside the local jail.
14:52 < txvln> Not the host, not the router, nothing. On the other hand, all of this works fine from the shell once openvpn is up.
14:52 < txvln> OS: FreeNAS 9.10 (based on FreeBSD). Running OpenVPN in a jail.
14:53 < txvln> Using route-up /path/to/script.sh in a config file.
14:55 < txvln> I have also checked routing (route show <destination>), tables (netstat -rn tun0), environment (uname -a), and others from inside the route-up script, and they all match the shell environment.
15:00 < txvln> Before I keep troubleshooting or consider the possibility this might be a bug, can anyone else fetch a resource with for ex Curl or Wget from inside a --route-up script, or should that even be possible?
16:45 < umoukun> hello all, I setup OpenVPN on my android tablet a long time ago, but i cant remember where to get a .ovpn file from.. any ideas?
16:45 < umoukun> cant seem to search for a match either
16:48 < nbastin> I mean you can find lots of ovpn files around, but they're unlikely to help you without some context
16:49 < umoukun> I just need the .ovpn file
16:49 < umoukun> and cant even find that
16:49 < nbastin> there isn't "the" .ovpn file
16:49 < nbastin> it is a file with your config options specific for the vpn you are using
16:49 < umoukun> then how do you start the client in linux, it says 'openvpn myconfig.opvn'
16:50 < nbastin> yes, but the .ovpn file is a standard openvpn config file, which could contain any variety of config options
16:50 < umoukun> and ... I cant seem to find it
16:50 < umoukun> https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/client.conf  ?
16:50 <@vpnHelper> Title: openvpn/client.conf at master · OpenVPN/openvpn · GitHub (at github.com)
16:53 < umoukun> ?
16:55 < umoukun> I dont think thats the config for some reason, it throws errors
16:55 < umoukun> seemed pretty easy when I did all this with android
16:55 < umoukun> I dont remember setting up shit
16:55 < nbastin> I think you are misunderstanding - the .ovpn is just "a file"
16:56 < nbastin> it has to contain the right information for *your* vpn
16:56 < umoukun> and that file probably has something in it
16:56 < nbastin> you can't just use a random one
16:56 < umoukun> so, what goes in the file?
16:57 < nbastin> umoukun: the parameters for your vpn
16:57 < umoukun> Right click on an OpenVPN configuration file (.ovpn) and select Start OpenVPN on this configuration file. Once running, you can use the F4key to exit.
16:57 < umoukun> Run OpenVPN from a command prompt Window with a command such as:
16:57 < umoukun> openvpn myconfig.ovpn
16:57 < umoukun> and where do I get a sample/example file for a vpn service?
16:57 < nbastin> umoukun: typically from your VPN service
16:58 < umoukun> I need a free one, I looked at vpngate
16:58 < umoukun> are you fucking impossible to answer a question or what man, WHERE DO I GET A SAMPLE/EXAMPLE FUCKING FILE
16:58 < umoukun> jesus
16:58 < umoukun> not that you will answer now, but you didnt the first three times, so fuck it
16:59 < nbastin> umoukun: you have to choose a service and then get one from them
16:59 < nbastin> the docs have tons of sample files, none of them will help you connect to a specific service
16:59 < umoukun> it'd be too fucking bad if you pasted a sample link
16:59 < nbastin> you already linked one...
17:01 < nbastin> there are a variety of examples in https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
17:01 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
17:01 < nbastin> there are others in https://openvpn.net/index.php/open-source/documentation/howto.html#examples
17:01 <@vpnHelper> Title: HOWTO (at openvpn.net)
17:01 < nbastin> unless you tell us what you're trying to do, it's unclear that any of those will actually help you
17:08 < nbastin> Well, my saturday has been validated...
18:00 < kerio> man, what a piece of shit
18:04 < nbastin> I get that sometimes our answers may not be immediately helpful, but they don't need to be foul about it
18:05 < nbastin> I can only type so quickly.. :-)
18:06 -!- rax-Y is now known as rax-
18:45 < Fudge> yeah that guy would be about 14
--- Day changed Sun Apr 30 2017
03:11 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
03:11 -!- mode/#openvpn [+o mattock1] by ChanServ
05:37 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 246 seconds]
06:22 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
06:22 -!- mode/#openvpn [+o mattock1] by ChanServ
07:30 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 260 seconds]
11:23 < WhizzWr> !ovpnuke
11:23 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
13:21 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Write error: Broken pipe]
13:21 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
13:21 -!- mode/#openvpn [+o vpnHelper] by ChanServ
14:01 < xn0r> hello, I have a config that works on one system, but on another (alpine linux) openvpn fails with: VERIFY ERROR: depth=0, error=self signed certificate: C=...
14:01 < xn0r> OpenSSL: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
14:03 < xn0r> the config has a <ca> block, key-direction 1, <tls-auth> block
14:16 <@dazo> xn0r: sounds like you're trying to either use a wrongly created certificate or a CA certificate with --cert
14:17 <@dazo> xn0r: Certificates provided to --cert must be signed by a CA (a CA which you most commonly manage yourself)
14:18 < xn0r> dazo: there's no cert option in my config, only a "remote-cert-tls server"
14:21 <@krzee> xn0r:
14:21 <@krzee> !configs
14:21 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
14:23 < xn0r> !paste
14:23 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
14:23 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
14:27 < xn0r> krzee: https://paste.fedoraproject.org/paste/VYOQMyDpGGzKZyb~ER1r715M1UNdIGYhyRLivL9gydE=
14:27 < xn0r> cert/key omitted
14:27 <@dazo> and server config?
14:27 < xn0r> no server configs, because I don't run the server
14:28 <@dazo> okay, then you need to discuss this with your VPN server provider .... server config + logs are crucial to dig deeper into this one
14:28 < xn0r> openvpn 2.4.1 x86_64-alpine-linux-musl, LibreSSL 2.5.3
14:29 < xn0r> dazo: I can also paste logs
14:29 <@dazo> we need to see server config + logs to be able to dig deeper
14:29 < xn0r> but it works with identical config on other systems
14:29 <@dazo> we need to see server config + logs to be able to dig deeper
14:30 < xn0r> logs coming right up, what --verb ?
14:30 <@dazo> xn0r: what you can do ... is to double check if the configs are truly identical .... do sha256sum of the config files on both systems
14:31 <@dazo> they should match .... and if they match, then you we MUST see SERVER config + logs
14:31 < xn0r> dazo: yes they are 100% identical, the only difference is in the CLIENT
14:32 <@dazo> even more a reason to see SERVER configs + logs
14:34 < xn0r> there is no difference in the server, and I cannot get server configs, the difference is in the CLIENT
14:35 <@dazo> Which is EXACTLY why we need to see server logs and configs
14:36 <@dazo> if you cannot access them ... then you need to get in touch with those providing you the VPN service
14:37 < xn0r> https://paste.fedoraproject.org/paste/B5xNkjfSz2mz0fHzdH3M3V5M1UNdIGYhyRLivL9gydE=
14:37 < xn0r> why? the service works perfectly on every other platform
14:38 <@dazo> Because that server log and configuration contains additional needed information to understand what is going on
14:41 <@krzee> ya what dazo said unfortunately
14:42 < xn0r> so basically what you're saying is that you cannot figure out what a client is doing
14:42 <@krzee> of course, you may have a bad ca file on that client
14:43 <@krzee> but yes, thats what we're saying, you need both ends for troubleshooting
14:43 <@krzee> !both
14:43 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
14:43 < xn0r> no, I don't, because it's the same good CA file that works perfectly on every other system
14:43 < xn0r> as I said 5 times now
14:43 <@krzee> md5sum to see its the same
14:43 <@krzee> no matter how many times you said it, its either that or we cant help you
14:43 < xn0r> we've already been through that .. 5 minutes ago?
14:43 -!- xn0r was kicked from #openvpn by dazo [And we've said go to your VPN service provider for further help]
14:44  * dazo got out of patience
14:44 <@krzee> !provider
14:44 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team., or (#2) Please contact their support team.
14:44 < xn0r> I am not asking for tech support for my provider's service
14:45 <@krzee> cool, guess we're done here
14:45 < xn0r> so openvpn will remain broken on alpine, cool
14:45 <@krzee> not broken, its you and your provider
14:45 < xn0r> I'll forward that as is
14:45 <@krzee> cool
14:48 -!- mode/#openvpn [+vvv _FBi _quadDamage |Mike|] by krzee
14:49 < xn0r> oh nice, I know what the problem is
14:50 <@krzee> must be that its broken on alpine, right?
14:51 < xn0r> yes, but only the latest version
14:51 <@krzee> so what is it
14:51 < xn0r> sorry, I'll be as helpful as you were, bye~~
14:52 <@krzee> bye
14:52  * krzee googles alpine and decides he still doesnt care
14:52 <@dazo> I bet the configs weren't identical, and he got too embarrassed to admit it
14:53 <@krzee> 98% sure
14:53 <@dazo> depth=0 is a key detail ... so if the same remote host works on other hosts, it means that either something else added a --cert, or that the embedded --ca was wrong
14:54 <@krzee> or he finally saw that his ca file was bad
14:54 <@dazo> yeah
14:54 <@dazo> and if not that .... It could be some LibreSSL quirks
14:55  * dazo does not fully trust LibreSSL yet
14:55 <@krzee> ive used but i still prefer polar
14:55 <@dazo> mbedtls, you mean? ;-)
14:55 <@krzee> instead of cleaning up openssl i like the idea of a fresh start
14:55 <@dazo> yeah, completely agree
14:55 <@krzee> lol yes, i sometimes forget its mbed now
14:56 <@krzee> by the time i remember they'll have a new name :D
14:56 <@krzee> oh hey you played with lede yet?
14:56 <@dazo> If rumours is right (I haven't cared enough to verify them) ... what is even worse with libressl is that some claims they've started to introduce API changes which is not compatible with OpenSSL
14:56 <@krzee> that doesnt even make sense!
14:56 <@dazo> exactly
14:57 <@krzee> the whole POINT was that it wouldnt do that
14:57 <@dazo> yes ... but the claim is they figured openssl was too broken on some areas
14:57 <@krzee> well, im sure thats true
14:57 <@krzee> which is why i favor mbed for starting over
14:57 <@dazo> (which I also find hard to believe considering the cleanup happening in openssl-1.1)
14:58 <@krzee> so they got part way and were like omg its worse than we thought, lets just do the best we can
14:58 <@dazo> yeah, mbedtls is definitely the right approach
14:58 <@dazo> yeah, that's my impression
14:58 <@krzee> kinda scary
14:58 <@krzee> for openssl more than libre or libres compat, really
14:59 <@dazo> it makes BoringSSL sounds sane by comparison
14:59 <@dazo> actually, I think that OpenSSL 1.1 have a lot of sane changes ... they are really cleaning up old cruft
15:00 <@krzee> im sure things like libre help make that easier
15:00 <@krzee> puts a spotlight on things to fix, but thats just a guess
15:00 <@dazo> there's a presentation here by the OpenSSL package maintainer for RHEL .... https://www.youtube.com/watch?v=RTRuXW93rqk  ... covering openssl 1.0 vs 1.1
15:00 <@krzee> nice thanks!
15:01 <@krzee> oh i made that ticket last night, #880
15:01 <@dazo> (Tomas Mraz is a guy I'd trust)
15:01 <@krzee> im sure people want me to provide more or test more, i just made a ticket to start things off
15:02 <@krzee> but im also on rc1 so maybe 2.4.1 would magically fix it
15:02 <@dazo> that's good! thx!
15:02  * dazo checks the changelog
15:04 <@dazo> there's nothing really glaring "this fixes it!" patches as I can see from v2.4_rc1 to v2.4.1
15:05 <@krzee> cool so i guess next step for me should be to try to replicate  it on machines running 2.4.1 that i can easily test fixes on
15:05 <@krzee> the current device is my snom phone and a server i run
15:06 <@krzee> so ill get it rockin on my laptop and try to reproduce
15:06 <@krzee> that way if we get further i can actually test stuff
15:06 <@dazo> well, there is one plausible candidate .... https://github.com/OpenVPN/openvpn/commit/ec4dff3bbdcc9fedf7844701dc5aa2679d503667
15:06 <@krzee> although the server is probably the issue, which i can currently easily test
15:06 <@krzee> seems like the old no soup for you patch again
15:06 <@dazo> are clients also v2.4_rc1?
15:06 <@krzee> yes
15:07 <@dazo> okay ... well, that commit I pointed at would actually affect clients
15:07 <@krzee> i dont drop privs
15:07 <@dazo> this is more about NCP actually
15:07 <@krzee> oh
15:08 <@krzee> so maybe more NO SOUP FOR YOU but for ncp
15:08 <@dazo> well, actually it's related to privs too
15:08 <@krzee> the no soup patch was for normal push options
15:08 <@dazo> yeah
15:09 <@krzee> want a more verbose log or anything like that?
15:09 <@krzee> or should i skip to testing 2.4.1 cause why waste effort if it doesnt reproduce
15:09 <@dazo> yeah, it would be good to have a 2.4.1 test done, tbh
15:10 <@krzee> cool, first thing ill do is get a 2.4.1 client on my linux laptop and see if i can reproduce with same server, then if so ill upgrade server and see if i can
15:10 <@krzee> oh hah my laptop has 2.4.1
15:11 <@dazo> because the commit I pointed at ... had a bug, which got fixed here: https://github.com/OpenVPN/openvpn/commit/bf72ae68c05922c289056f2f851ed36014449cdf ... but I'm not yet convinced if that's the crux of your issue or not
15:11 <@vpnHelper> Title: Fix push options digest update · OpenVPN/openvpn@bf72ae6 · GitHub (at github.com)
15:11 <@krzee> yay package manager
15:11 <@krzee> well that *is* right there in the code
15:11 <@krzee> thats promising
15:12 <@krzee> thst specific is just whitespace, but it was obviously getting worked on in other nearby commits
15:14 <@dazo> from 2.4.1_rc1 to v2.4.0, it was mostly just bug fixes and needed improvements ... v2.4.0 to v2.4.1 is also relatively boring, with mostly minor fixes (and a few more major crash fixes)
15:14 <@krzee> ohhh the stuff from that audit!
15:15 <@dazo> nope
15:15 <@krzee> oh
15:15 <@dazo> that'll be in v2.4.2 ;)
15:15 < AndrejKralovic> hi all pls somebody who know about openvepn-status.log
15:15 <@dazo> AndrejKralovic: what do you want to know?
15:15 < AndrejKralovic> so i use it for reading status about connected users
15:15 < AndrejKralovic> on time
15:16 <@dazo> (no promises for an answer ... but knowing what you look for helps understand what/how/whom can help)
15:16 < AndrejKralovic> but after upgrade to 2.4.0  version from 2.3.  was changet this log file
15:18 <@dazo> hmmmm .... the format of the status file should not change in updates ... well, the more advanced --status-version may have fields appended at the end, but if there are other changes to the format - that does sound like a bug
15:18 < AndrejKralovic> there is not PID number with IP and before there was .. and that helps identifie user and users's aditional info
15:18 < AndrejKralovic> yes i think so but it is reality ..
15:18 < AndrejKralovic> i sow you diferences wait second
15:19 <@dazo> thx!
15:19 < AndrejKralovic> zilina-simonova,84.245.121.254:46151,6811576,13030770,Thu Apr 27 09:03:00 2017 [13:52]
15:19 < AndrejKralovic> old version
15:19 < AndrejKralovic> zilina-simonova,84.245.121.254,6811576,13030770,Thu Apr 27 09:03:00 2017 [13:52]
15:19 < AndrejKralovic> new
15:20 < AndrejKralovic> there is not IP:PID
15:20 <@krzee> id recommend using the management interface btw
15:20 <@krzee> but you're still right, it should be a consistant format
15:20 <@dazo> well, that's basically the same code which is called when dumping the status file vs querying the management interface (with the 'status' command)
15:21 <@dazo> AndrejKralovic: so it is the port number you see missing ... just need to be sure, as PID means something else to me :)
15:21 < AndrejKralovic> husp
15:22 < AndrejKralovic> @dazo no this is not port number
15:22 <@dazo> 84.245.121.254:46151  vs   84.245.121.254   right?
15:23 < AndrejKralovic> yes
15:23 < AndrejKralovic> or can be a port
15:23 < AndrejKralovic> but in log is like identification of connection
15:23 <@dazo> I believe that should be the client port number
15:23 <@krzee> definitely a port
15:24 <@krzee> the srcport that the client sends traffic out as
15:24 <@krzee> not to be confused with the dstport, which is what your vpn runs on
15:24 <@dazo> AndrejKralovic: which --status-version do you use?  Or have you added that at all?
15:24 < AndrejKralovic> and this is important becasue with this i can join user with right session and if somebody else join with duplicate ip and keys ... will have different this PID
15:24 < AndrejKralovic> let mi check
15:25 <@krzee> its not PID, its source port, but yes it'll be different for each openvpn instance
15:25 < AndrejKralovic> openvpn-2.4.1
15:26 < AndrejKralovic> here is not this no
15:26 <@dazo> AndrejKralovic: on your openvpn config .... do you have --status-version there?
15:26 <@dazo> (server config, that is)
15:26 <@krzee> as openvpn doesnt fork clients to new processes, if it were PID it would be very boring... ALL would match
15:27 <@krzee> =]
15:27 < AndrejKralovic> and in this verison i have this nober
15:27 < AndrejKralovic> number
15:27 < AndrejKralovic> openvpn-2.3.12_1
15:27 <@krzee> sounds like a valid bug
15:27 <@krzee> !trac
15:27 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker., or (#2) if you have a forum login, use that for trac, its the same database.
15:28 <@krzee> any chance you could make a trouble ticket with the relevant info?
15:28 < AndrejKralovic> bednarik,95.102.191.199:1194,1176508,989921,Sun Apr 30 20:22:48 2017
15:28 < AndrejKralovic> 10.8.0.30,bednarik,95.102.191.199:1194,Sun Apr 30 22:21:57 2017
15:28 <@dazo> AndrejKralovic: Again, which --status-version do you have on your server config?   --status-version is not the openvpn version you're running, but the format of your status file
15:28 < AndrejKralovic> ah yes
15:29 < AndrejKralovic> let me check
15:29 <@krzee> ya finish with dazo before making a ticket, maybe he can get you fixed up
15:31 < AndrejKralovic> so i dont know how to find ... is default and i istaled it form pkg in freebsd
15:32 < AndrejKralovic> and in config is not directive like that
15:32 <@dazo> okay, then it is probably the default (--status-version 1)
15:32 <@krzee> then read it in the manpage and use it in both configs
15:32 <@krzee> maybe you can get it uniform by specifying
15:35 <@dazo> well, I see now --status-version doesn't matter ... it's the same function used to generate the string put into the status log in all --status-version variants
15:35 <@dazo> AndrejKralovic: are you capable of compiling OpenVPN yourself for a test?
15:35 < AndrejKralovic> not realy bt i can look at ports there can be some options
15:36 <@dazo> okay ... well, then please file a Trac ticket on this ... with your examples .... And I'll run some tests to confirm my suspicion
15:37 < AndrejKralovic> this swithes is avaiable
15:37 < AndrejKralovic> Build and/or install documentation
15:37 < AndrejKralovic> EASYRSA          Install security/easy-rsa RSA helper package
15:37 < AndrejKralovic> EXAMPLES         Build and/or install examples
15:37 < AndrejKralovic> LZ4              LZ4 compression support
15:38 < AndrejKralovic> PKCS11           Use security/pkcs11-helper
15:38 < AndrejKralovic> SMALL            Build a smaller executable with fewer features
15:38 < AndrejKralovic> TEST             Build and/or run tests
15:38 < AndrejKralovic> TUNNELBLICK      Tunnelblick XOR scramble patch (READ HELP!)
15:38 < AndrejKralovic> X509ALTUSERNAME  Enable --x509-username-field (OpenSSL only)
15:38 < AndrejKralovic> OPENSSL          SSL/TLS support via OpenSSL
15:38 < AndrejKralovic> MBEDTLS          SSL/TLS via mbedTLS
15:38 < AndrejKralovic> thats all
15:39 < AndrejKralovic> what switch you think  possible i can put it into configure script
15:39 <@dazo> that's not really relevant here ... I wanted to provide you a tarball with a commit reverted, to see if that was correct or not
15:40 <@dazo> I'm about to get a test rig running, so I'll have the answer in not too long :)
15:41 < AndrejKralovic> so if is some switch that you want to put into configure line that is no problem
15:41 < AndrejKralovic> becasue in ports from freebsd is tarball
15:43 <@krzee> ports also checks the hash and stuff, if you knew how to mod a port to take your tarball youd probably have no issue compiling it yourself =]
15:43 <@krzee> if you just make the trac ticket for dazo he'll work on it for ya
15:44 <@dazo> hmm ..... I get this:
15:44 <@dazo> 10.8.0.2,Test-Client,192.168.122.1:1194,Sun Apr 30 22:38:47 2017
15:44 < AndrejKralovic> hmmm
15:44 < AndrejKralovic> version
15:44 < AndrejKralovic> ?
15:45 <@dazo> this one of the post v2.4.1 release .... some git master revision
15:45 <@dazo> OpenVPN 2.4.1 [git:HEAD/8731dfa7caaf8b6d]
15:46  * dazo tries the shipped openvpn v2.4.1 now
15:46 < AndrejKralovic> so it can be some freebsd patch ...
15:47 <@dazo> hard to say ... I'll see if I can manage to run some tests on a freebsd box
15:47 <@dazo> could be bsd related (I ran this test on Linux)
15:48 < AndrejKralovic> so thank you anyway becasue now i know that version is not problem
15:48 <@dazo> same behaviour on the shipped v2.4.1 ... tested on Fedora 25
15:48 < AndrejKralovic> i go to try something and last chance will be compile by myself ...
15:48 <@dazo> AndrejKralovic: it might be BSD related actually
15:49 < AndrejKralovic> probably their patch ...
15:49 <@krzee> dazo: need another bsd box?
15:49 <@dazo> krzee: I have access to the one used for our internal tests ... so I'll try to run a few builds on that
15:50 <@krzee> cool
15:50 <@krzee> if you need more, i got a server i dont mind you on, eric is on it too
15:50 < AndrejKralovic> will be great
16:00 <@dazo> AndrejKralovic: confirmed, this is a FreeBSD issue ... built from source (no ports patches on top) ...
16:01 <@dazo> Test-Client,180.195.129.252,4102,5357,Sun Apr 30 16:54:58 2017
16:06 <@krzee> hah why would they even mess with that though
16:06 <@krzee> sent in by the unnecessary patch dept.?
16:06 <@dazo> it's probably a side effect of  cleaning up the ipv4/ipv6 stuff
16:07 <@krzee> try the openvpn-devel port
16:07 <@dazo> just not noticed as not many freebsd users seem to depend on port number in status :)
16:07 <@dazo> I'm doing some git bisect now on bsd
16:08 <@dazo> 2.4.1_alpha2 had the same issue too
16:08 <@krzee> i think ecrist is the openvpn-devel port maintainer
16:08 <@krzee> or was at least
16:09 <@krzee> when building with mbed was broken in the port it was only in devel iirc
16:09 <@krzee> cause different people maintain them
16:12 <@dazo> well, this is not about the ports repo stuff at all ... I'm working on the upstream git repos
16:12 <@dazo> ports maintainers are not to blame here ;-)
16:15 <@krzee> oh i thought it was a patch that they included
16:15 <@krzee> like of their own
16:16 <@dazo> nope :)  And v2.3.12 from the git tree works as expected on freebsd (just confirmed it) ... running through a bunch of tests now
16:23 < AndrejKralovic> im back
16:23 < AndrejKralovic> so great work friends
16:23 < AndrejKralovic> thank you
16:24 < AndrejKralovic> yes older version is okay
16:24 < AndrejKralovic> after 2.4. was changed someting
16:24 < AndrejKralovic> so i have to go to frebsd why they do it with it
16:25 < AndrejKralovic> beacuse ports or pkg is very good tool for updating and save my time with self compilating ..
16:25 <@krzee> dazo is looking into it more
16:26 <@krzee> he says he doesnt think its freebsd's fault
16:26 < AndrejKralovic> hm okay
16:26 < AndrejKralovic> but may be isdepend of patches or something ... something was changed and problaby nobody knows what  ...
16:27 <@krzee> he'll know what
16:27 <@krzee> hes on fbsd testing stuff ;]
16:27 < AndrejKralovic> sure :-)
16:27 < AndrejKralovic> super
16:30 <@dazo> AndrejKralovic: do you depend on IPv6?
16:31 < AndrejKralovic> no
16:31 < AndrejKralovic> i'm not using it
16:32 < AndrejKralovic> still on IPV4
16:32 <@dazo> I might have stumbled upon a workaround by coincidence .... can you try adding --proto udp4 to your config (or change --proto udp to --proto udp4)
16:33 < AndrejKralovic> now is in config file "proto udp"and you want "proto udp4"
16:33 < AndrejKralovic> okay
16:33 <@dazo> yeah
16:34 <@krzee> bonus, it'll stop openvpn from binding to ipv6 as well
16:34 < AndrejKralovic> reconecting user
16:35 < AndrejKralovic> man
16:35 < AndrejKralovic> you are the best
16:35 < AndrejKralovic> kralovic-pc,193.187.56.240:62728,6010,6099,Sun Apr 30 23:28:53 2017
16:35 <@dazo> well, that's a workaround ... the issue is the IPv4/IPv6 dual-stack patches
16:36 < AndrejKralovic> you have beer
16:36 < AndrejKralovic> fromme
16:36 <@dazo> heh
16:37 <@dazo> AndrejKralovic: did you file a Trac ticket on this issue?
16:37 <@krzee> !beer
16:37 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
16:37 < AndrejKralovic> hahahah
16:37 < AndrejKralovic> so no i dont have any ticket
16:38 <@dazo> okay, I'll file one .... and let the guys working on the networking stack in openvpn poke at this
16:38 < AndrejKralovic> i wrote on oficial suport openvpn and thay kicked me off
16:39 <@krzee> you mean somewhere related to AS?
16:39 <@dazo> The offending commit seems to be related to this one
16:39 <@dazo> https://github.com/OpenVPN/openvpn/commit/8832c6c4cf7d1425684dd8e56984e407fe3e2aac
16:39 <@vpnHelper> Title: Implement listing on IPv4/IPv6 dual socket on all platform · OpenVPN/openvpn@8832c6c · GitHub (at github.com)
16:40 <@dazo> so this is probably related to some freebsd ipv6 dual stack artefact
16:40 < AndrejKralovic> probably
16:40 < AndrejKralovic> thank you so much guys
16:40 <@dazo> yw!
16:40  * krzee points at dazo
16:40 < AndrejKralovic> now my script is fully functional agan hahaha
16:40 <@krzee> all that guy!
16:41 < AndrejKralovic> again
16:41 <@krzee> one day you may enjoy:
16:41 <@krzee> !management
16:41 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface, or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN, or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
16:42 <@dazo> krzee: but .... this issue hits also --management too ;-)
16:42 <@krzee> ouch
16:42 <@krzee> either way, he may enjoy management one day
16:42 <@krzee> i know i do
16:42 < AndrejKralovic> hhaaha
16:42 <@krzee> have to parse it with an expect script tho, i should probably make a wiki entry on that
16:42 < AndrejKralovic> guys if you will be somewhere close to slovakia let me know
16:45 <@krzee> so like https://paste.ee/p/VTSP9
16:45 <@dazo> AndrejKralovic: let me know if you'll join devconf.cz next year! ;-)
16:45 < AndrejKralovic> sure
16:46  * dazo even lived in Brno from 2008 to 2011
16:46 < AndrejKralovic> nice
16:47 < AndrejKralovic> so close to me
16:47 < AndrejKralovic> piestany
16:47 <@dazo> nice!
16:49 < AndrejKralovic> im parsing this log file with php script
16:49 <@dazo> krzee: I'm trying to get some time to work on a new OpenVPN 3 client for Linux, which will use D-Bus for management .... to get an idea of how much more pleasant that can be ... have a look at my D-Bus POC demonstration for OpenVPN 2 (bridging --management to a D-Bus interface) ... https://gitlab.com/dazo/openvpn-dbus-poc/tree/master
16:49 <@vpnHelper> Title: Files · master · David Sommerseth / openvpn-dbus-poc · GitLab (at gitlab.com)
16:50 <@dazo> krzee: you'll probably enjoy looking at the Perl POC client first of all :)
16:50 < AndrejKralovic> so i have to go guys  again thank you so much
16:50 < AndrejKralovic> see you later
16:50 <@dazo> have fun! :)
16:50 <@krzee> later AndrejKralovic thanks for helping find the bug
16:51 <@krzee> hmm i gotta read up on DBUS
16:52 < AndrejKralovic> with pleasure
16:52 < AndrejKralovic> and now i know where i can find answare if i will have some problem with OpenVPN
16:52 <@dazo> krzee: yeah, it's a really neat IPC ... I dunno how it is with D-Bus support on the BSD world ... but it sure is a cool tool
16:52 <@krzee> d-bus sounds cool, if its actually secure
16:53 <@krzee> sounds windowsy lol
16:53 <@dazo> it is ... it actually have quite some possibilities to even control which functions users may call over D-Bus on which D-Bus enabled services ... so you can have really fine grained control
16:54 <@krzee> did this evolve from android?
16:54 <@krzee> oh no seems to have come from RH
16:55 <@krzee> back when you were over there even
16:55 <@dazo> it comes from GNOME initially ... and then KDE adopted it too
16:55 <@dazo> it's been around for ages actually
16:55 <@krzee> TIL
16:56 < sgtpepper> Hey folks, anyone had issues using --subject-alt-name= in easy-rsa 3?
16:57 < sgtpepper> for some reason the signed cert doesn't have the altnames
16:58 <@krzee> i havent actually used easy-rsa3, dazo showed me xca and i kinda love it
16:58 <@krzee> !xca
16:58 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa., or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
17:01 < sgtpepper> krzee: checking...
17:02 <@dazo> AndrejKralovic: https://community.openvpn.net/openvpn/ticket/881 ... feel free to add any additional details if you think it is needed
17:02 <@vpnHelper> Title: #881 (OpenVPN v2.4 breaks --status formatting of client IP:port on FreeBSD) – OpenVPN Community (at community.openvpn.net)
17:37 < SynfulAck> damn, i didnt even know there was an alternative to easy-rsa. All the guides i have seen use it exclusively.
17:37 <@krzee> theres many
17:37 <@krzee> easy-rsa is just a CA management utility
17:38 <@krzee> in fact it just calls the openssl binary itself, which *actually* makes the certs
19:01 < DrosteEffect>  I can't get an Ethernet bridge to work properly. I lose the network connection whenever making the bridge. The script I'm using to create the bridge: https://gist.github.com/anonymous/6b8dcbc0ac103bb541695396f7390421
19:01 <@vpnHelper> Title: gist:6b8dcbc0ac103bb541695396f7390421 · GitHub (at gist.github.com)
20:42 < Matir> DrosteEffect: you may need to add a route for your gateway
20:59 <@ordex> aloha
21:12 <@krzee> he left an hour ago
21:40 < aokfire> Hey... got a new problem. Can't seem to connect to my server with my laptop and NetworkManager-openvpn plugin
21:41 < aokfire> I keep getting TLS Error: TLS key negotiation failed to occur within 60 seconds
21:41 < aokfire> I put the ta.key into the extra section of TLS Auth, and set direction to none
21:42 < aokfire> Not sure what's causing this TLS error. Everything works fine on my android
21:47 <@krzee> !netman
21:47 <@vpnHelper> "netman" is (#1) NetworkManager usually works fine, but can have some challenges in som env, or (#2) Ensure you run a reasonably recent NM version, or (#3) NM is aimed at client configurations and requires a logged in user session and is sensitive to instable unstable networks, or (#4) If OpenVPN works from the command line but not NM, go to #nm or https://wiki.gnome.org/Projects/NetworkManager
21:47 <@krzee> well thats been changed, lol
21:48 <@krzee> aokfire: are you configuring the vpn using network manager?
21:48 <@krzee> if so, dont! but instead get openvpn working from commandline with a config, then import the config when openvpn works right
21:51 < aokfire> ahhh, got it
21:51 < aokfire> I'll try that out. Need to uhm...
21:51 < aokfire> I guess reformat and reinstall because my install is fucked now
21:51 < aokfire> Had to power off during an update and well
21:51 < aokfire> :/
21:56 <@ordex> aokfire: "well" is not probably the best conclusion for this chain of events
21:56 <@ordex> :LD
21:56 <@ordex> :D
21:59 < aokfire> yeahhhh I'm reinstalling as we chat lmao..
22:00 < aokfire> Not questioning what happened, just... restarting
22:00 < aokfire> not that much was changed but yeah it's a pain regardless
22:02 < aokfire> all part of the learning process...
22:06 <@ordex> the more the pain, the more you learn :P
22:08 < aokfire> ya lol
22:11 < aokfire> oh no my .bashrc is gone :(
--- Day changed Mon May 01 2017
00:26 < Kyoku> anyone know why block-outside-dns might cause big delays in dns lookup times?
00:26 < Kyoku> if I don't have this option enabled lookups are instant, when it's enabled they take around 5 to 7 seconds
00:49 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
00:49 -!- mode/#openvpn [+o mattock1] by ChanServ
02:46 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
03:27 < phr34k> i have a openvpn setup on my desktop computer and my laptop, but on my desktop computer i can still acess the internet, but on my laptop I can't after establishing the vpn. What can i do to termine what is wrong?
03:27 < phr34k> in specific it seems to be related to dns requests
03:30 <@ordex> phr34k: most likely about networking setup
03:30 <@ordex> like routes and similar
03:30 <@ordex> you shoulc heck your routes/traffic
03:30 <@ordex> *check
03:34 < phr34k> hmm i never done this before, what exactly should i be looking for? just the 'route' command?
04:22 < nacelle> Kyoku: if you have multiple nameservers in /etc/resolv.conf, where one is local or relatively quick to access from your box (outside dns) and the other is over the vpn tunnel... once you turn on block-outside-dns it would prevent access to the quick local dns and force lookups over the tunnel dns.
04:22 < nacelle> just a guess.
04:37 < trohn_javolta> !erlvomr
04:37 < trohn_javolta> !welcome
04:37 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
04:37 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
04:37 <@vpnHelper> you
04:39 < trohn_javolta> !goal access ip in local lan from vpn client, vpn server is on router
04:40 < trohn_javolta> !howto
04:40 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
04:40 < trohn_javolta> !route
04:40 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
04:40 < rob0> The bot does not understand that, "!goal <stuff>"
04:41 < rob0> the "local lan" is local to server or client?
04:41 < trohn_javolta> ok. I have an openvpn server running on my linksys router (dd-wrt firmware)
04:42 < rob0> !dd-wrt
04:42 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN, or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783, or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536, or (#4) And the
04:42 <@vpnHelper> security focus still seems to need improvements: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=279467 (hint: dd-wrt company does not do this effort + no reference to any security fixes)
04:42 < trohn_javolta> I used a tutorial to set it up, it seems to be set up correctly.
04:42 < rob0> the "local lan" is local to server or client?
04:43 < trohn_javolta> ...to server
04:43 < rob0> !serverlan
04:43 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
04:43 < rob0> follow the ^^ flowchart
04:44 < trohn_javolta> via vpn tunnel I can already successfully reach all clients in lan despite of one
04:44 < trohn_javolta> it's my homeserver running a debian distribution called armbian.
04:44 < trohn_javolta> on the homeserver there's no firewall enabled. It has a static Ip.
04:45 < trohn_javolta> I already asked on armbian forum and debian irc.
04:45 < Serac> !welcome
04:45 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
04:45 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
04:46 < trohn_javolta> I dont really know what to do, I tried some things already
04:47 < trohn_javolta> I don't understand why just this one ip isn't reachable, I checked iptables on the device, all acepted.
04:50 < Serac> My problem is as follows: I set up OpenVPN using WiFi connection on Windows10, to access a private network through it; everything works fine. Now I want to change to a wired connection. I plug in the network cable, and OpenVPN connects fine, but then DNS addresses of that private network aren't reachable anymore
04:55 < trohn_javolta> what is meant by "..ping the vpn ip of the server"?
04:56 < trohn_javolta> in vpn settings under network i specified 172.16.1.0 and netmask 255.255.255.0
04:57 < trohn_javolta> so vpn server ip is 172.16.1.0 right?
04:57 < trohn_javolta> according to flowchart i connect to vpn server and ping 172.16.1.0 right?
05:01 < rob0> probably 172.16.1.1
05:04 < trohn_javolta> sry, i'm a total noob. So 172.16.1.0 specifies the whole subnet?
05:04 < trohn_javolta> + the mask
05:05 < trohn_javolta> ok, i cant ping that adress. but why on earth am I still able to ping the other clients on lan from vpn client?
05:06 < rob0> 172.16.1.0 is called the "network address", and can't ping it sounds like firewall
05:08 < trohn_javolta> the dd-wrt router has this ISP firewall, which I disabled for now. I read there are rules to add later so the firewall can be enabled. But I'll check that at the end. Disabled firewall shouldnt interfere
05:10 < rob0> !iptables
05:10 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this., or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG, or (#3) These are just the basics to get you started
05:10 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
05:11 < rob0> a simple test might be "iptables -I INPUT -i tun+ -j ACCEPT"
05:11 < rob0> if that dd-wrt gives you CLI access
05:16 < trohn_javolta> *SPI firewall I meant
05:16 < trohn_javolta> so there are 2 firewalls running, SPI and iptables?
05:19 < trohn_javolta> from the tutorial I used I understood you need to use these iptables rules so you can have the SPI firewall still running
05:20 < trohn_javolta> can I paste you the rules? I also have an openvpn client running on the router. It has tun1, server tun2
05:20 < trohn_javolta> https://pastebin.com/mN2nJzH5
05:20 < trohn_javolta> I guess I have to change these rules, tun0 to tun2 right?
06:44 < aditsu> hi, is there a tool that helps put together all the files I need to set up on the client (after generating a new certificate)? I'm kinda tired of doing it by hand
07:08 < netcent> Hi! How can i reconnect OpenVPN to a remote server without connection interruption?
07:09 < netcent> So, like this 1.) get new connection, 2) drop old connection and drop old sockets and continue new requests with new connection
07:15 <@ordex> netcent: the way you describe it, it sounds like something happening above the socket layer, hence in the application. there's nothing openvn can do
07:15 <@ordex> netcent: if you assume you keep the same IP and same GW over reconnection
07:16 <@ordex> then you may keep the same connections and sockets
07:16 <@ordex> and let the networking layer recover the connections
07:16 <@ordex> but this is different from what you are describing .. so it really depends on what problem you are trying to solve
07:16 < netcent> target is to get a new ip adress from my provider upon request or periodically
07:16 <@ordex> who gets the new IP? is it the public IP? does it affect the IPs assigned via VPN ?
07:17 < netcent> this IP is the outgoing ip from the VPN provider
07:17 <@ordex> ah ok, so your public IP is changing
07:17 <@krzee> it would have to have connection interruption in that case
07:17 < netcent> upon reconnection, yes.
07:18 < netcent> hm. is there a way to prevent this?
07:18 <@krzee> except apps that support some sort of floating, like --float in openvpn for example
07:18 <@krzee> except for those, no
07:18 <@ordex> your application should support that
07:18 <@ordex> because everything up to the application layer is broken, so the app is the only entity that can do something
07:18 <@krzee> exactly
07:18  * ordex shakes hand
07:18 <@ordex> :D
07:18 < netcent> hehe
07:18 <@krzee> nice way to say it ^
07:19 < netcent> ok thanks for the enlightenment, guys!
07:19 <@krzee> well explained ordex
07:19 <@ordex> thanks :D it's because I just had dinner
07:19 <@ordex> so I am ready to battle :P
07:19 <@krzee> and i just woke up :D
07:19 <@ordex> lol
07:19 <@ordex> :D
07:19 <@ordex> US east coast ?
07:19 < aditsu> any ideas about my question? :)
07:19 <@krzee> close, caribbean
07:20 <@ordex> ah, same timezone, but better place ;) hehe
07:20 <@krzee> aditsu: you could script it, or even build it into easy-rsa
07:20 <@ordex> aditsu: I so it by hand too
07:20 <@krzee> aditsu: sounds like you just wanna tar the files, i do that by hand personally
07:21 < aditsu> plus adjusting the client config
07:21 <@krzee> i leave certs named client.crt client.key, no adjustments
07:21 <@krzee> ;]
07:21 <@ordex> aditsu: you could script that, also the config generation, using some bash
07:21 <@krzee> in my pki they named for client, when they go to client they named client.{crt,key}
07:22 <@ordex> I used to have the config in a bash variable completed with other variable holding these names. at the end you just echo into a file
07:22 <@ordex> *other variables
07:26 < aditsu> so there's no generic tool
07:27 <@ordex> i think it is such a simple and at the same time customizable operation, that having a tool might be overkill
07:28 <@ordex> aditsu: you may write a generic script to share ;)
07:33 < aditsu> hmm, the files to copy depend on the server config
07:35 <@krzee> ssl-admin had a feature for packaging certs with the config, but that tool is old, needs updating before still using it as a CA
07:35 <@krzee> and i dont think eric cares to update it anymore
08:13 < Kyoku> anyone know why block-outside-dns causes big (5-7 seconds) delays in dns lookup times?
08:16  * krzee takes a step back and shakes his head
08:20 < Kyoku> nacelle that still doesn't explain why lookups are taking 5-7 seconds
08:30 -!- davimore_ is now known as davimore
08:53 -!- fractal is now known as Guest72263
09:28 <+hyper_ch> hmmmm, what's the best way to route all traffic to a specific port through openvpn?  e.g. I'm a vpn client and connected. Now I want all traffic on port 21 go through the vpn?
09:29 <+hyper_ch> I'd guess I'd have to add an entry to the routing table
09:29 <@ordex> Kyoku: tried to look at the traffic ?
09:29 <@ordex> hyper_ch: the routing table does not support "ports" because it works on layer 3 only
09:30 <@ordex> I have something in mind that would use tc and policy routing..but maybe iptables could help to make it simpler
09:31 <+hyper_ch> hmmm, right.... iptables can do stuff with ports
09:32 <@ordex> yeah, but not sure how you would redirect to an interface
09:32 <@ordex> given that there is no routing for that
09:33 <@ordex> what I ha din mind is: with "tc" you can mark packets based on some rules on the ingress queue. then with ip rule you can create a routing table that is used only for packets having a given mark
09:33 <@ordex> in this routing table you have the vpn server as default route
09:33 <+hyper_ch> don't know bout "tc"
09:33 <@ordex> then you have to make the tc rule match packets tcp/21
09:33 <@ordex> it's a low level tool used to work with queues
09:33 <@ordex>        tc - show / manipulate traffic control settings
09:33 <@ordex> man tc
09:34 <@ordex> it's a bit tricky as it is fairly low level
09:34 < Kyoku> ordex I looked at the client side with wireshark, but all I see is a delay in dns lookup response.. will look at server side when I get a sec, it just seems so bizarre to me - when I don't have block-outside-dns enable lookups are instant, and it's a very fast network so it should still be fast even when it's enabled surely?
09:34 <@ordex> Kyoku: honestly i don't know what that options does exactly .. that's why i suggested to look at the traffic ... that may give some clues
09:34 <+hyper_ch> I don't even know the difference in the different network layer protocols :)
09:35 < Kyoku> ordex right, there is this option and nobody seems to know how it works - it's crazy
09:35 <@ordex> Kyoku: lol
09:35 <@ordex> :D
09:36 <@ordex> hyper_ch: maybe even iptables could be used for that with the MARK target...you can give it a try..would be easier than tc
09:36 <@ordex> you have to apply the mark in the prerouting chain or around that - before the packet gets to the routing engine
09:36 <@ordex> hyper_ch: it gets complicated because you are asking to make a routing decision based on an upper layer information (port)
09:37 <@ordex> hyper_ch: https://unix.stackexchange.com/questions/58635/iptables-set-mark-route-diferent-ports-through-different-interfaces
09:37 <@vpnHelper> Title: ubuntu - iptables --set-mark - Route diferent ports through different interfaces - Unix & Linux Stack Exchange (at unix.stackexchange.com)
09:37 <+hyper_ch> also googling but can't find a suitable answer
09:37 <@ordex> but it's using the route command, not sure if that really works
09:38 <@ordex> hyper_ch: this guy is using the mark approach as i suggested
09:38 <+hyper_ch> having a look now
09:38 <@ordex> not sure you will find the exact commands to copy/paste :P
09:39 <@ordex> yeah this guy uses the mangle table and the prerouting chain to marke the packets with fwmark 4, then ip rule to create a table accepting those packets
09:39 <+hyper_ch> looking at it :)
09:42 <+hyper_ch> ordex: https://serverfault.com/questions/345111/iptables-target-to-route-packet-to-specific-interface
09:42 <@vpnHelper> Title: routing - iptables - Target to route packet to specific interface? - Server Fault (at serverfault.com)
09:48 < deadhead> Anyone ever had issues with running a server config on win 10, this particular machine says the service is running but the event log shows it exiting every 10 seconds
09:48 <+hyper_ch> never tried to run ovpn server on windows
09:55 < deadhead> I have a win7 box does fine, i have a 2008R2 and 2012R2 run fine
10:31 <@krzee> deadhead:
10:31 <@krzee> !logfile
10:31 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
10:31 <@krzee> see what the openvpn log file says... there may be a reason it cant startup... maybe a bad path or something...
10:46 < deadhead> krzee, thanks
10:52 <@krzee> np
10:52 <@krzee> also you could just start it without the service
10:52 <@krzee> using the gui
10:53 <@krzee> that'll show you the output without making a log file
10:53 <@krzee> gotta stop the service first tho
10:53 <@krzee> regardless of OS i always recommend starting openvpn manually to see that everything works, before moving to the OS startup method
11:15 <@ecrist> I am - does it need an update?
11:22 <@krzee> oh i dont know, i just assumed it had gone eol awhile back lol
11:37 <@ecrist> krzee: I mean openvpn-devel port
11:47 -!- allizom1 is now known as allizom
11:47 -!- vamiry_ is now known as vamiry
12:03 < aokfire> Hi
12:03 < aokfire> http://puu.sh/vCeiX/285674bf4c.txt
12:04 < aokfire> Just wanted to make sure this client config is OK. I managed to connect properly now, and can access local services, but can't get outside to the internet
12:04 < aokfire> I do have a NAT rule to translate the OpenVPN network to the local network, but it doesn't seem to work for this client
12:04 < aokfire> Not sure if I'm missing a rule
12:13 <@krzee> ecrist: oh, no dazo said it was unrelated to the port
12:13 <@krzee> it was fbsd specific i think, but its in the openvpn code itself
12:14 <@krzee> aokfire: dont do that: route 0.0.0.0 0.0.0.0 vpn_gateway
12:14 <@krzee> instead use redirect-gateway
12:14 <@krzee> !redirect
12:14 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
12:14 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
12:21 < xinming> If I connect to multiple virtual networks, and each virtual network has it's own dns server, How can I make system to query the private domain using different DNS?
12:22 <@Eugene> You can't. Your client would need to have a local DNS resolver that is aware of the different private domains for each network
12:22 <@Eugene> A saner alternative is to not use private DNS - put all your records in a public zone. Nobody actually cares if there are RFC1918 addresses in public DNS, and it works just fine to query for them
12:23 <@Eugene> Then it does not matter what DNS server that you query - the records will always be available if they're public.
12:23 < xinming> Eugene: So, You mean, I get a top level domain, and setup the DNS server there. then, each DHCP service updates the global DNS server, right?
12:24 < xinming> Eugene: Thanks, That's what I thought too. Just not so sure about it.
12:24 < xinming> I don't like that sollution is, I need an IP to query.
12:24 <@Eugene> Setting up DNS is an exercise left to the reader ;-). I use a subdomain zone for each of my "sites"; eg my desktop is "sealth.dhcp.wa.kashpureff.org".
12:25 < xinming> I need to setup a vps globally.
12:25 <@Eugene> !goal
12:25 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:25 < rob0> there's also:
12:25 < rob0> !dnsmasq
12:25 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
12:25 < vectr0n> unbound is also another option to dnsmasq
12:25 < rob0> no
12:26 < vectr0n> works fine for split dns
12:26 < rob0> well, maybe, but the point is not recursion, the point is to be directed to the right authoritative DNS source
12:27 <@Eugene> dnsmasq and unbound are not exactly the same thing; I don' like manually configuring either. Unbound is pretty nice for basic setups in pfsense
12:27 < vectr0n> unbound can do both..
12:27 < rob0> and BIND can do it too.  It's just easiest in dnsmasq.
12:28 < vectr0n> depends on the size of the network, id never put dnsmasq into a large environment personally
12:28 < xinming> Eugene: my goal is just connect to multiple virtual networks, and each lan has their own DNS server setup privately with DHCP updating the host names, I wish to resolve the right ip for the hosts in different networks.
12:28 < xinming> I do split the ip address range.
12:29 < xinming> something like,  192.168.6.0/24 ~ 192.168.15.0/24
12:29 <@Eugene> Do you actually need DHCP+DDNS? Or can you just set up IP reservatiosns for the machines you care about, and make an easy A record like myhost.mydomain.com
12:32 < xinming> Eugene: I need ddns
12:33 < xinming> I need to associate the machines with id, so I can connect to them, and know which machine is "dead"
12:33 < xinming> they are almost headless machiens.
12:33 < xinming> machines*
13:15 <@ecrist> krzee: ok
13:24 <@krzee> to know which is dead.. sounds like a job for icinga / munin
13:39 < aokfire> Lemme edit that krzee, just got back
13:44 < aokfire> I do have NAT and IP Forwarding enabled on my device, so hopefully this works
13:48 < aokfire> if only my tethering would stop erroring out...
13:57 < aokfire> Not working krzee :(
14:03 < aokfire> aw geez now the mobile client can't even :(
14:03 < aokfire> OH NO
14:03 < aokfire> I rebooted and lost the iptables rule lmao... no way
14:04 < BtbN> iptables is not persistent accross reboots, that's normal.
14:04 < aokfire> yup, totally forgot that
14:05 < aokfire> any way to retain it
14:06 < rob0> that would depend on your distro, and would be better asked in #your-distro-here
14:06 < aokfire> whoops true. root crontab doesn't run at reboot but yeah I'll figure it out
14:10 <@krzee> sure it does, @reboot
14:11 <@krzee> theres also always rc.local
14:11 <@krzee> but im sure theres a way in your distro, so i second rob0
14:13 < aokfire> So it's still not working on the desktop, but
14:13 < aokfire> I'm getting some route error messsages
14:13 < aokfire> post them in a second
14:14 < rob0> a second rob0?  No way, ONE of those is bad enough!
14:20 < aokfire> krzee: https://puu.sh/vCmyy/f2009ed233.log
14:20 < aokfire> the remote addresses have been changed is all
14:21 < aokfire> but I'm getting errors related to the routes
14:21 < aokfire> it seems
14:22 < aokfire> ok, so after discon and reconnecting to the hotspot it cleared out the routes
14:22 < aokfire> but yeah just curious why those errors would happen otherwise
14:33 <@krzee> the first error i dunno
14:41 < aokfire> so yeah just a routing issue
14:42 < aokfire> I think maybe because I also enabled OpenVPN on my phone that was tethering
14:42 < aokfire> woo hoo, it works! :D
15:26 -!- ReimuHakurei_ is now known as ReimuHakurei
15:35 -!- Alchemy is now known as daemon
17:19 -!- yarddog_ is now known as yarddog
18:02 -!- Arquino is now known as Manolon
18:02 -!- Manolon is now known as Altiare
19:09 < Kyoku> wow, i fixed the delay caused by block-outside-dns
19:10 < Kyoku> omfg
19:24 <@krzee> what was it?
19:26 < Kyoku> Windows 10 allows you to set the priority of network interfaces, and I have quite a few active
19:26 < Kyoku> I set it to priority 1 and probem solved
19:27 < Kyoku> Set-NetIPInterface -InterfaceIndex "13" -InterfaceMetric "1"
19:27 < Kyoku> Get-NetIPInterface shows the Index
19:28 < Kyoku> in powershell
19:28 <@krzee> thank you
19:28 <@krzee> !man
19:28 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
19:28 <@krzee> (thats for me)
19:30 <@krzee> !learn block-outside-dns as in windows this option blocks DNS servers on other non-VPN network adapters to prevent DNS leaks. This option prevents any application from accessing TCP or UDP port 53 except one inside the tunnel.
19:30 <@vpnHelper> Joo got it.
19:32 <@krzee> !learn block-outside-dns as if you have a delay in DNS when using this in windows 10, a user fixed this problem by setting the network interface priority to 1 in powershell with: Set-NetIPInterface -InterfaceIndex "13" -InterfaceMetric "1"    replace 13 with the index number from Get-NetIPInterface shows the Index
19:32 <@vpnHelper> Joo got it.
20:03 <@ordex> morning :)
20:07 < nacelle> that is weird.
20:15 <@krzee> ordex: good evening
20:15 <@ordex> aloha krzee
20:15 <@krzee> buenos!
20:16 <@ordex> :D
21:04 < commanderkeen> is it normal for an openvpn client to listen on *:1194 ?
21:25 <@ordex> cornfeedhobo: that's the default port, no ?
21:32 < daemon> for a server
21:32 < daemon> let me check client
21:33 < daemon> yeah mine does not
21:33 < rob0> it might be a good idea to ask the real question, too
21:39 <@ordex> :D
21:39 <@ordex> rob0++
21:40 <@ordex> btw, I read the word "client" just now
22:05 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:15 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:15 -!- mode/#openvpn [+o syzzer] by ChanServ
23:23 <@krzee> he probably wants --nobind
--- Day changed Tue May 02 2017
00:40 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
00:40 -!- mode/#openvpn [+o mattock1] by ChanServ
01:13 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
01:41 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:41 -!- mode/#openvpn [+o mattock1] by ChanServ
02:37 < xtuh_> hi, i'm trying to understand what ip ranges i need to use, can you explain? https://pastebin.com/bCewRRTg
03:39 < Manis> Hi. Can I configure OpenVPN to send response packets through the same interface that they were received from?
03:43 <@ordex> Manis: outgoing packets are normally sent to the VPN server, thus using the interface providing a route to it (which normally is the one you received them from)
03:43 <@ordex> Manis: or maybe you should describe a bit more about your scenario first ? and describe what are the interfaces in the game
03:44 < Manis> ordex: Sorry, I forgot to mention that I'm talking about the server side here.
03:44 <@ordex> ok and which are the involved interface ? maybe you make an example to describe what you want to change ?
03:46 < Manis> The scenario is that my OpenVPN server also has a IPSec client running. Now the problem is that when my laptop (OpenVPN client) is in the same network that the IPSec client goes to, I cannot connect to my OpenVPN server because it responds through IPSec interface instead of the "normal" one.
03:46 < Manis> I hope this is at least somewhat understandable.
03:47 <@ordex> it is not 100% clear, but to me it looks like you are having some subnet overlapping, right ?
03:47 < Manis> Yeah, somehow.
03:48 <@ordex> why should a vpn client have an IP belonging to the IPSec network?
03:48 <@ordex> don't openvpn define its own subnet?
03:50 <@ordex> btw in these cases, one way is to set a host route (i.e. /32) towards that client on the VPN interface
03:50 <@ordex> but it's ugly
03:50 <@ordex> and should be done on a client basis
03:50 <@ordex> I'd rather try to understand and avoid the overlapping
03:50 < Manis> ordex: My OVPN server has two network interfaces. One is the regular one connecting it "to public internet" and a second one which is connected to my university's network (IPSec). They are on distinct interfaces. But the way my university has configured their VPN it pushes routes to the subnets where "students laptops" are located. So when I'm at university and connect to my VPN through the "public internet"
03:50 < Manis> interface, the server responds through the uni VPN interface (because of routing table).
03:51  * Manis meant distinct subnets not interfaces.
03:52 < Manis> And as a result the client rejects the response packet because it arrives from a different IP than the request was sent to.
03:52 <@ordex> phew
03:52 <@ordex> I think I got it now
03:52 <@ordex> :D
03:53 <@ordex> so basically the ovpn server has a route towards "students laptops" passing through the VPN
03:53 < Manis> yep
03:53 <@ordex> just to understand: "students laptops" have public IP addresses?
03:53 < Manis> true
03:53 <@ordex> ah
03:53 <@ordex> ok
03:53 <@ordex> and the uni VPN routes these public IPs through it...
03:53 <@ordex> ok
03:54 < Manis> exactly
03:54 <@ordex> so in theory, the best would be that when you are at the university, you connect to your server via the IPSec IP
03:54 <@ordex> but, this is probably not what you want
03:54 <@ordex> because it would create ovpn on top of ipsec
03:54 < Manis> yeah, I'd rather not open any ports on the uni VPN interface.
03:54 < Manis> and that too.
03:54 <@ordex> that too
03:54 <@ordex> :D
03:54 <@ordex> ok, well, then my previous suggestion still holds
03:55 <@ordex> you could either remove the routes towards the students laptops, or install a single route for your laptop going through the public network
03:55 <@ordex> openvpn by itself is probably not able todo much, because it just says "I want to send something to host X", then the system does the rest based on routing
03:56 < Manis> hmm, both are suboptimal tbh, because my laptop gets an IP through DHCP and I don't know which of the subnets are for "students laptops".
03:56 <@ordex> alright
03:56 < Manis> ordex: Couldn't OpenVPN be configured to tell the OS to do all communication through one iface?
03:57 <@ordex> you could bind the process to a specific IP (I guess), but when the packets goes through the routing mechanism
03:57 <@ordex> it will follow the routing rules
03:58 <@ordex> Manis: I think you could script the server to add the route dinamically when a client connects
03:58 < Manis> that could actually work.
03:58 <@ordex> there should be some hook script launched upon client connection (not sure, but it should be there)
03:59 <@ordex> Manis: check David, by the way, I forgot to say "thank you" for taking the effort in putting
03:59 <@ordex> this together. I am sure that at the end this will be a great piece of
03:59 <@ordex> documentation for OpenVPN3.
03:59 <@ordex> ops
03:59 <@ordex> wrong copy/paste
03:59 <@ordex> notsure where this is coming from
03:59 <@ordex> Manis: check --client-connect in the man
03:59 <@ordex> you can specify a command/script to execute upon client connection
04:00 <@ordex> you could add the route in this script and clean it up with --client-disconnect
04:05 <@ordex> Manis: the only problem might be that the script is invoked when the connection is established ... but without the route being there the connection won't succeed
04:06 < Manis> this also makes sense :-/
04:07 < Manis> ordex: Maybe I'll go ahead and filter the subnets.
04:07 <@ordex> that's probably the easiest thing
04:07 <@ordex> one thing might be to mark openvpn packets and use policy routing to have them go through another routing table, which does not contains the routes towards ipsec
04:07 < Manis> I guess they won't change too often so the initial effort is probably worth it for a better design.
04:31 <@ordex> hyper_ch: I was just playing with iptables
04:32 <@ordex> and I managed to do what I was suggesting you without using tc
04:32 <+hyper_ch> how?
04:32 <@ordex> Manis: I may have found something convenient for you using iptables+ip-rule/route
04:32 <@ordex> hyper_ch: if you add a rule in the mangle table on the OUTPUT chain, you can use the MARK target to set the fwmark in the packet
04:32 <@ordex> this is what you need. then with iprule you create a table matching that mark
04:32 < Manis> ordex: OK. Sounds good.
04:33 <@ordex> Manis: what I just said above: with iptables you can mark all the packets originated at a given source port
04:33 < Manis> ordex: Do you have more information on it?
04:33 <@ordex> and then address them to a specific routing table with ip rule
04:33 < Manis> ah.
04:34 <+hyper_ch> ordex: can you give an concrete example of what you altered?
04:34 <@ordex> I can sho what I was doing here
04:34 < Manis> Actually I'm gonna give it a try because I'm struggling modifying the routes pushed by openconnect
04:35 <@ordex> first I marked the packet with iptables:
04:35 <@ordex> iptables -t mangle -A OUTPUT -d 8.8.8.8/32 -j MARK --set-mark 0xffff
04:35 <@ordex> in this case I am marking all the packets going to 8.8.8.8/32, but you can customize the filter
04:35 <@ordex> then create a policy routing rule
04:35 <@ordex> ip rule add fwmark 0xffff table 101
04:35 <@ordex> basically sends all the traffic marked with 0xffff to table 101
04:35 <+hyper_ch> what's 8.8.8.8/32?
04:35 <@ordex> my random filter for some packets
04:36 < nbastin> google DNS
04:36 <@ordex> yeah I used google DNS for a test
04:36 <@ordex> you can filter the packets you want: i.e. -p udp --sport 1194
04:36 <@ordex> then you can add a route to the table: ip route add default via a.b.c.d table 101
04:36 <@ordex> this way in table 101 you only have the default route
04:37 <@ordex> and packets will just follow it, without being affected by other routes (i.e. the students laptops)
04:37 <@ordex> it may work[tm]
04:37 <+hyper_ch> ok, thx
04:38 <@ordex> hyper_ch: I don't clearly remember your scenario, but I thought it was related to tc and matking packets. so the marking can be done with iptables directly in the mangle table
04:38 <@ordex> *marking
04:38 <@ordex> Manis: ^^^ that above should work for you, I think - you may let us know
04:39 <+hyper_ch> ordex: basically I want to make sure that some stuff using defined ports will be routed over a specific interface
04:39 <@ordex> yeah, mark those packets with iptables and then set the routes so that they go where you want, without being affected by the other routes
07:26 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 260 seconds]
08:17 <@ordex> hyper_ch: did you try the iptables way? or not yet? I am curious to see if that helps
08:17 <+hyper_ch> ordex: didn't have time to test yet
08:17 <@ordex> hyper_ch: alright. ping me when you are playing with it, I can try to help if needed
08:21 <@krzee> ya the iptables way is the only way for that goal
08:21 <@krzee> multiple routing tables + marking in firewall
08:22 <+hyper_ch> hi krzee
08:28 <@krzee> heyhey
08:46 <@ordex> krzee: yeah, at the beginning I tohught about tc (that's what I did in the past) but iptables is more ... user friendly :P
08:46 <@ordex> unless you need low level control over pkts
08:47 <@krzee> i only knew that tc did shaping, as i havent used it before i didnt know it could also do fine grained policy routing
08:47 <@ordex> it can do marking
08:48 <@ordex> but I might be wrong .. it was long time ago :O
08:48 <@krzee> ill believe you ;]
08:49 <@ordex> http://man7.org/linux/man-pages/man8/tc-skbedit.8.html << this subcommand
08:49 <@vpnHelper> Title: tc-skbedit(8) - Linux manual page (at man7.org)
08:49 <@ordex> he good thing is that it can be applied veeeeery early, but not useful in this case
08:49 <@ordex> *the
08:50 <@krzee> back to figuring out which libs to put in this chroot
08:51 <@ordex> enjoy :)
08:51 < rob0> bonjour
08:51 <@ordex> ldd mypants :
08:51 <@ordex> :D
08:52 <@krzee> if this voip phone had ldd
08:54 < rob0> or if you had the firmware's build environment ...
08:54 <@krzee> true, but im just going 1 by 1, cant last forever!
08:55 <@krzee> should probably have scripted it, but i think im close to the end
08:58 <@ordex> and it's when you are almost there ... that you realize you overlooked that big pile of cr0p behind the corner
08:58 <@ordex> :P
08:59 <@krzee> nope, its when i get there and realize it uses a different glibc so i need to go back to my emulated image and compile it myself
08:59 <@krzee> =/
08:59 <@krzee> (JUST now)
09:00 <@ordex> arghhh
09:09 < skyroveRR> Hi krzee
09:09 <@krzee> hey!
09:09 < skyroveRR> Any support for libressl yet?
09:16 <@krzee> official? nope
09:16 <@krzee> i mean, ive seen it work fine
09:16 <@krzee> but that doesnt mean it always will, or even that it still does
09:28 <@dazo> skyroveRR: what krzee says ... we're not rejecting it, and as long as the LibreSSL API is fully compatible with OpenSSL (at least the portions of it we make use of) ... then it should be fine
09:29 < skyroveRR> Hmm. The last time I checked, you guys were quite "opposed" to making openvpn use it.
09:30 <@dazo> but once LibreSSL decides to deviate away from that (there's been rumours going that is/will be happening) ... then you're out of luck, unless someone writes a new SSL/TLS library module for OpenVPN ... and gets it reviewed and applied upstream (unless you want to maintain your own fork)
09:30 <@dazo> skyroveRR: lets put it differently .... we ignore LibreSSL's existence .... as long as it works, it works, and we're don't have any more opinions about it than that
09:31 <@dazo> (several of us developers do think LibreSSL should burn in h.....  but that's an entirely different topic)
09:32 < skyroveRR> Why is that?
09:32 < skyroveRR> Never heard about libressl being "hated" by anyone.
09:36 <@krzee> personally i dont hate it, but i dont think it was the right way to spend energy
09:36 <@krzee> if openssl is so broken, and even the libre people say it is, then why use openssl as a starting point?
09:36 < skyroveRR> Oh.
09:36 <@krzee> that's why i use mbedtls, they started over from scratch
09:36 < skyroveRR> You mean why not a complete rewrite.
09:36 <@dazo> exactly
09:36 <@krzee> yessir
09:37 < skyroveRR> mbedtls.
09:37 < skyroveRR> Hmm.
09:37 <@krzee> (like mbedtls did)
09:37 <@krzee> it used to be polarssl
09:37 < skyroveRR> IS openvpn compatible with mbedtls?
09:37 <@dazo> yes
09:37 < skyroveRR> Hmm.
09:37 <@krzee> has been since it was polarssl
09:38 <@dazo> mbed TLS does have some challenges though .... currently with the 2.x version of mbed TLS your keys must be 2048 bits or larger ... and lacks PKCS#12 support
09:38 <@krzee> i agree with 2048 or larger tho
09:38 <@krzee> its 2017, if you use 1024 why not 512? ;]
09:39 <@dazo> There are some work in the pipe which will re-enable smaller keys and a few more hashing algorithms ... to avoid having to redo your complete setup in a hurry due to an upgrade
09:40 <@dazo> I agree, 2048 should be the minimum .... but if you have quite some users with 1024 bits .... updating that can be a massive operation
09:40 <@krzee> oh bro i know ALL about massive upgrading operations
09:40 <@dazo> :)
09:40 <@krzee> btw im STIlL working on that migration
09:42 <@dazo> it's that annoying crossing point between usability, don't break existing setup and security
09:42 <@krzee> (i have the openvpn stuff done)
11:54 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
11:54 -!- mode/#openvpn [+o mattock1] by ChanServ
13:24 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 255 seconds]
17:51 < d4rk1> I have my openvpn working on both sides, once my client connects it pulls from my existing dhcp server, however it does not assign a gateway. If I manually assign it to the client, everything works fine.
18:08 < d4rk1> Anyone around to help with a gateway issue, it's working great otherwise....
18:13 < Te3-BloodyIron> sounds like you should check the server config for serving a gateway route
18:16 < d4rk1> I've tried setting this: redirect-gateway def1
18:16 < d4rk1> but that doesn't seem to do anything
18:16 < d4rk1> is their anyway to force the gateway setting..
18:20 -!- alexandre9099_ is now known as alexandre9099
18:27 <@krzee> i can tell that guy is bridging and thats causing his problem
18:27 <@krzee> but hes gone now, so whatever
18:27 <@krzee> bbl
18:31 < d4rk1> Still no luck with the gateway
18:31 < d4rk1> anyway to force it, I have openvpn configured via an asus router...
19:17 <@ordex> morning
20:06 < d4rk1> Ok, so I figured out the gateway thing. All seems to be work, I have windows computers, and macs, however my IP phones will not pull from DHCP...
20:28 < TheWhisper> Does anyone have an experience using DC++ through OpenVPN? I'm running into issues with my setup — I can connect to hubs and users can access my files, but I cannot access other users' files. It seems like I'm being forced into 'passive' mode and my active ports (TCP & UDP) are closed/not being forwarded. I've looked through iptables firewall, and all the ports seem to be set to ACCEPT.  I just can't figure it out.
21:17 < nbastin> D4rk: your IP phones probably need BOOTP to load a firmware image (or at least tell them not to), which maybe isn't being handled with the DHCP redirect
21:21 <@ordex> I'd guess the phone is already booting, so it may have the fw already
21:22 <@ordex> it can be the phone does not like the dhcp response for some reason (some poor firmwares react badly when they see an IE they don't know about)
22:05 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:10 -!- |Mike| [mike@2001:19f0:5001:21c::3] has quit [Ping timeout: 246 seconds]
22:15 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:15 -!- mode/#openvpn [+o syzzer] by ChanServ
22:52 < sms> Hey how's it going?
22:54 < sms> I'm connecting to OpenVPN and using the auth-nocache flag, but maybe after ~30-60 mins it'll ask me for my credentials again.
23:02 <@Eugene> sms - yes, that's what auth-nocache does?
23:07 < sms> Eugene: But why is it trying to reconnect like that in the first place?
23:08 < sms> Is that typical or is it a network issue
23:56 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
23:56 -!- mode/#openvpn [+o mattock1] by ChanServ
--- Day changed Wed May 03 2017
00:58 <@krzee> if sms comes back tell him that it happens because of reneg
00:59 <@krzee> D4rk: you probably dont want bridging, which it seems you're using
00:59 <@krzee> ordex: aloha
00:59 <@ordex> aloha :)
00:59  * krzee throws up the shaka
01:18 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
01:29 < cbauer> on windows, can I bridge openvpns tap with a physical network adapter after establishing the vpn tunnel with it to allow clients connected to that to use the vpn tunnel?
03:03 <@Eugene> !reneg
03:03 <@vpnHelper> "reneg" is (#1) by default (in client/server mode) openvpn will renegotiate the tls key hourly. this can be adjusted with the --reneg option, or (#2) this should not be disabled as it is important for !forwardsecurity
03:03 <@Eugene> sms ^
03:09 < sms> Ohh, thanks Eugene
03:38 < pokmo> hi
03:38 < pokmo> i'm trying to have my openvpn server listen on 443 TCP as well. is this iptable chain correct?
03:38 < pokmo> iptables -I INPUT -p tcp --dport 443 -j ACCEPT
03:39 < pokmo> https://dpaste.de/UzP2
03:56 <@ordex> pokmo: it will make sure incoming packets on that port will be accepted (assuming tha tno other rule in the chain will drop them before getting to this entry)
03:56 <@ordex> pokmo: what is the actual problem?
03:57 < pokmo> ordex, i'm already listening on 443 UDP, and that works fine
03:58 < pokmo> ordex, if i connect through 443 TCP, i can't ping
03:58 <@ordex> is the connection succesful ?
03:59 < pokmo> ordex, yes it is. i can ssh into the openvpn server fine
03:59 <@ordex> using the VPN IP ?
03:59 < pokmo> ordex, that's right
03:59 <@ordex> alright, then the VPN connection is working fine - 443TCP is already receiving traffic properly
03:59 <@ordex> no need to add any iptables rule
04:00 < pokmo> oh
04:00 <@ordex> if that was filtered, then the VPN connection would work at all
04:00 <@ordex> *woulcn't
04:00 <@ordex> *wouldn't
04:00 <@ordex> sorry
04:00 < pokmo> i remember having a similar problem before
04:00 < pokmo> with 443 UDP
04:00 <@ordex> it's more like a configuration/routing problem rather than a VPN one
04:00 < pokmo> i think i fixed it by removing a rule
04:00 < pokmo> an iptable issue?
04:01 <@ordex> yeah, probably something *on top* of the VPN
04:01 <@ordex> I don't know, it depends on your setup
04:01 <@ordex> just saying that openvpn is connecting properly, so that's not the problem
04:01 <@ordex> when you say "I can't ping", what are you talking about ?
04:01 <@ordex> the VPN server ?
04:01 <@ordex> you said you can ssh, so I presume you can reach it properly
04:01 < pokmo> i can't ping 8.8.8.8
04:01 < pokmo> yeah, i can reach the vpn server from the vpn ip
04:02 <@ordex> and did you set the VPN server as default gateway? (openvpn can do this for you if you specify the right option)
04:02 < pokmo> here's another list https://dpaste.de/udmz
04:02 < pokmo> ordex, hmm i think i did - UDP works fine
04:03 <@ordex> is this the subnet on the tun interface: 10.8.0.0/24 ?
04:03 <@ordex> of your UDP instance
04:03 <@ordex> sorry
04:03 <@ordex> TCP
04:03 < pokmo> here's ifconfig https://dpaste.de/ost5
04:04 < pokmo> tun0 is udp, tun_tcp443 is tcp
04:04 < pokmo> same inet address?
04:04 <@ordex> you can't use the same subnet and IPs on two different interfaces
04:04 <@ordex> yap
04:04 < pokmo> maybe that's my issue
04:04 <@ordex> the system just does not know where packets have to go back
04:04 < pokmo> makes sense
04:05 <@ordex> you can use another subnet for tcp
04:05 <@ordex> and add another rule in iptables for the NAT
04:05 < pokmo> in my .conf should i still have the line server 10.8.0.0 255.255.255.0?
04:05 < pokmo> i have that in my udp's .conf=
04:05 < pokmo> *.conf
04:05 <@ordex> well, that's the line deciding the subnet to use
04:05 <@ordex> you may want to change that on the TCP instance
04:06 < pokmo> to a different subnet entirely or just change the ip so it won't clash with udp?
04:06 <@ordex> the subnet has to change. otherwise you'll have two interfaces routing the same subnet
04:06 <@ordex> you can use 10.8.1.0 for instance
04:07 < pokmo> ok
04:07 <@ordex> however, just to clarify, this is not an openvpn issue :)
04:07 < pokmo> ordex, thanks :)
04:07 <@ordex> np
04:07 < pokmo> well, my bad setting
04:08 <@ordex> let us know is that works for you
04:08 <@ordex> hehe
04:12 < pokmo> pokmo, perfect!
04:12 < pokmo> ordex, ^
04:12 < pokmo> ordex, thanks heaps
04:12 <@ordex> :) np
05:38 < murkx> !poodle
05:38 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has, or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
07:22 <+hyper_ch> krzee: ping
10:49 < Knyaz> hi. is there a paid service similar to freeopenvpn.org? I want to be able to connect to the VPN without having to change the password
10:51 < Knyaz> I am looking at private tunnel, but it does not have location in Russia, the way I see it
10:54 < Knyaz> is there an easier way to get the password for freeopenvpn.org without having to go to the website? Is there a token software?
11:10 <@krzee> !policy
11:10 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario, or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic
11:10 <@krzee> Knyaz:
11:10 <@krzee> !provider
11:10 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team., or (#2) Please contact their support team.
13:44 -!- Pavr is now known as a-wolf
13:45 -!- a-wolf is now known as Pavr
15:45 < Devrim> Does anyone know if it is possible to make OpenVPN Connect (the android app) automatically connect to my VPN when switching from WiFi to a mobile network? (and disconnect when I'm on WiFi again)
15:45 < Devrim> I couldn't find the option in the app but maybe I'm overlooking something
17:34 -!- Hobbyboy|BNC is now known as Hobbyboy
17:34 -!- x5eb is now known as _0x5eb_
20:22 < Abbott> how can i see what is going wrong with the openvpn windows service? I don't know of a way to view the stdout of a service file
20:23 < Abbott> I don't have the GUI installed
20:51 <@ordex> !as
20:51 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
20:51 <@ordex> Devrim: ^^^
21:07 <@ordex> aloha aloha
21:07 <@ordex> krzee: goodnight
22:08 < Abbott> ordex: any idea bout how I can troubleshoot the windows service?
22:55 < WhizzWr> hi guys
22:55 < WhizzWr> anyone familiar with iroute directive
22:55 < WhizzWr> ?
22:55 < WhizzWr> I am trying to route a traffic from server through client
22:56 < WhizzWr> followed this guide https://community.openvpn.net/openvpn/wiki/RoutedLans
22:56 <@vpnHelper> Title: RoutedLans – OpenVPN Community (at community.openvpn.net)
22:57 < WhizzWr> but I realized my goal is a bit different: I need to access certain IP from server, through a client WAN, not LAN
22:58 < WhizzWr> is this possible without the need of installing opemvpn server on the client?
23:20 <@ordex> Abbott: not really, sorry
23:20 <@ordex> WhizzWr: should be, but the client need to have forwarding/NAT enabled too
23:20 <@ordex> !lan
23:21 <@ordex> !routelan
23:21 <@ordex> mh can't remember
23:23 <@ordex> !welcome
23:23 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
23:23 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
--- Day changed Thu May 04 2017
00:30 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
00:30 -!- mode/#openvpn [+o mattock1] by ChanServ
01:21 < nbastin> I mean we route through the clients all the time, but we use tap, so the tunnel is L2 and we use actual routers over it
01:21 < nbastin> If you're not doing that, then you're going to have to be constrainted to whatever ovpn can do directly
01:24 <@ordex> iroute + route should do the trick, that's all he needs I think
03:34 < modem> hey
03:35 < modem> I am running an openvpn client, it add a global route for all traffic. Hence I am not able to connect to the services listening on this server
03:35 < modem> How can I keep accessing the listening port while all outgoing traffic goes thru the VPN ? Thanks ! :-)
03:45 < modem> anyone can give me advises please ? Thanks
03:48 < rob0> by "this server" do you mean the openvpn server?  Or are you speaking of the openvpn CLIENT as server of other protocols?
03:49 < rob0> client machine, that is
03:51 -!- Kelsar_ is now known as Kelsar
03:56 < rob0> okay, I am only going to be here a few minutes.  You have to answer questions to clarify what you mean.  I suppose I guessed right, and you meant to access other protocols on the client machine's real IP address.
03:56 < rob0> !policy
03:56 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario, or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic
03:56 < rob0> err, no
03:56 < rob0> !policy_routing
03:57 < rob0> !factoids search routing
03:57 <@vpnHelper> "advanced_routing" is https://github.com/knorrie/network-examples/blob/master/README.md for a tutorial on how to learn OSPF and BGP
03:57 < rob0> !factoids search -values routing
03:57 <@vpnHelper> (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
03:57 < rob0> !factoids search --values routing
03:57 <@vpnHelper> 'lans', 'samba', 'iroute', 'all', 'winroute', 'interface', 'client-to-client', 'bonjour', 'c2c', 'rip', 'linportforward', 'layer2', 'mbuf', 'basic', 'buffer', 'bridging', 'bridging', 'hotpotato', '101', 'route', 'whybridge', 'interface', 'interface', 'interface', 'linnat', 'linnat', 'lartc', 'routebyapp', 'redirect-policy', 'lartc', 'tap', 'tap', 'splitroute', and 'service_behind_client'
03:58 < rob0> looky there
03:58 < rob0> !service_behind_client
03:58 <@vpnHelper> "service_behind_client" is In addition to normal iptables (firewall) configuration with port NAT, you also need to configure an ip routing policy ... for some quick clues: https://paste.fedoraproject.org/526839/48433431/raw/
03:59 < rob0> ^^ note that that assumes Linux.  For other OS, the search term would be "policy routing".
04:00 < rob0> um, and the link is gone
04:00 < rob0> !lartc
04:00 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
04:41 -!- |Mike| [mike@2001:19f0:5001:21c::3] has joined #openvpn
05:57 -!- Tyklol is now known as Tykling
06:01 <@ordex> does anybody know is I can export a private subkey only and move it to a secondary device? this way my master key won't need to be moved
06:01 <@ordex> *if
06:12 <@dazo> ordex: pgp?
06:12 <@ordex> gpg, yap
06:13 <@dazo> I've found  this one quite helpful in the past .... https://alexcabal.com/creating-the-perfect-gpg-keypair/
06:13 <@vpnHelper> Title: Creating the perfect GPG keypair - Alex Cabal (at alexcabal.com)
06:13 <@ordex> I am not sure I can separate the sub key from the master .. but actually i think it should be doable
06:13 <@ordex> thanks. I'll have a look
06:13 <@dazo> lookfor --export-secret-subkeys
06:13 <@ordex> because I always use subkeys, but now i wanted to create a pair and move it to my mobile phone
06:13 <@ordex> without moving also the master
06:14 <@dazo> right ... it's a while since I did that last time ... but --export-secret-subkeys should be the trick, iirc
06:14 <@ordex> lemme try :)
06:14 <@ordex> yup sounds so!
06:14 <@ordex> thanks, I'#ll let you know :)
06:15 <@ordex> the problem is probably when you want to send something encrypted to me ... no? you'll have two pub key marked for encryption
06:16 <@dazo> Oh, that stuff ... I always gets confused but which key does what .... but it seems to work :-P
06:17 <@ordex> :D
06:17 <@dazo> I think the crux is that the subkeys are the ones really in use for msg signing /decryption ... where the sub-pubkey is used for encryption
06:17 <@ordex> correct
06:17 <@dazo> while the master key is used for maintaining the identity of the sub-key, plus signing other pubkeys
06:17 <@ordex> the point is: if I create 2 pairs of subkey (one for the laptop and one for the phone)
06:18 <@dazo> ahh!
06:18 <@ordex> which one will you use when you want to send me an encrypted email ?
06:18 <@ordex> pair1 or pair2 ?
06:18 <@dazo> That I'm not sure will work well in reality
06:18 <@ordex> still searching .. maybe soembody has solved this problem already :)
06:19 <@dazo> heh :)  I tried that long ago (when I stumbled upon the URL you got) ... and I gave up :-P
06:19 <@ordex> :D
06:19 <@dazo> I rather think that if I loose a device with my sub-keys, I'll revoke it instantly and deploy new sub-keys
06:20 <@ordex> I just found a wikipage on debian.org and it just says that if you have multiple signing subkeys it will work (because you just need to find the right pub one to verify it), but it does not work with multiple encryption keys...as we just expected
06:20 <@ordex> yap
06:20 <@ordex> I think I will just deploy my subkey pair on all the devices I have .. and if something bad happens I revoke that and redeploy a new one everywhere
06:20 <@ordex> (luckily I don't have thousands of devices :D)
06:20 <@dazo> yeah
06:20 <@dazo> hehe :)
06:21 <@ordex> thanks for the support :D
06:21 <@dazo> lol :-D
09:40 < SviMik> http://svimik.com/hdms24cpu1.png
09:40 < SviMik> that feeling when openvpn is single-threaded...
09:46 <@dazo> SviMik: how many connected users?
09:46 < SviMik> dazo 171
09:46 <@dazo> SviMik: doing reneg at approx the same time?
09:47 < SviMik> nope, the 100% load is constant
09:49 < SviMik> just high traffic volume, I suppose
09:50 < SviMik> 150mbit right now
09:50 <@dazo> hmmm ... how many are on the UDP connection?
09:51 < SviMik> dazo 176 on tcp, 60 on udp
09:52 < SviMik> and cpu time is 905h vs 232h... seems legit
09:52 <@dazo> yeah
09:54 <@dazo> But to be honest, I'm not sure how much multi threading would have help in this case though ... unless also implementing tun multi queue support
09:54 <@dazo> another aspect is also the need to avoid CPU cache misses ... so the threading must be more clever than just "one thread per client", as that wouldn't scale either
09:55 <@dazo> (basically if you exceed the number of worker threads higher than the system have CPU cores, that also impacts badly on high CPU load tasks)
09:55 < SviMik> dazo isn't it encrypting taking most of the cpu time?
09:57 <@dazo> SviMik: well, not necessarily.  It depends on cipher algorithms chosen .... and the tunnel itself (data channel) is symmetric encrypted (using a session key, which gets rotated on --reneg-*).  Symmetric encryption is quite fast, and if also using AES-NI you'll have quite good performance there
09:57 <@dazo> What really loads a CPU is --reneg-* scenarios, as that involves asymmetric crypto, which is way more CPU intensive
09:58 <@dazo> and the rest is basically shuffling data between buffers to/from network sockets .... whether it be UDP/TCP sockets or the TUN/TAP socket
09:58 < SviMik> dazo we are still using blowfish
09:59 <@dazo> that is strictly CPU bound
09:59 <@dazo> so in your case, that will increase the CPU load .... though, again, symmetric is not as hefty as the --reneg-* scenarios
10:00 <@dazo> but ... if you have not disabled --reneg-bytes ... and many clients use v2.4 (or your server) ... then you will have a renegotiation happening every 64MB for each client
10:00 <@dazo> (which is sane, considering the BF issues)
10:01 <@dazo> if you upgrade to v2.4 server ... and your users moves over to v2.4 based clients too, then you will automatically switch over to AES-GCM for v2.4 clients
10:01 <@dazo> (unless you deploy --ncp-disable)
10:01 < SviMik> dazo I'm running 2.3.12 on server. can you remind me if 64MB-reneg patch is already there?
10:02 <@dazo> not on 2.3.12 ... I think that arrived in 2.3.14
10:03 < SviMik> so, no reneg problem then...
10:03 <@dazo> no, it arrived in v2.3.13 .... commit a91ddc99a524014ec7
10:06 < SviMik> well, I'm already running multiple openvpn instances for different configurations, so perhaps... I did everything I could, right?
10:07 < SviMik> except maybe promoting udp somehow to balance the load :)
10:08 < SviMik> I already can imagine something like weather forecast... "today the tcp is highly loaded, consider taking udp config"
10:17 < SviMik> I'm still nervous about upgrading to 2.4... I lost track on changes, because it was developed in a separate branch for too long... And I have my own patches and plugins too... Not sure if everything gonna work as expected
10:17 < SviMik> too much work to bring it to production...
10:43 < SviMik> just checked, 39 of 97 our servers do support AES-NI
10:43 < SviMik> well, that's something
11:22 < s33_> Hi, how do you setup openvpn on a vps? anyone done it?
11:23 < BtbN> exact same was as on a normal server.
11:23 < BtbN> *way
11:23 < s33_> It says no network devices available when I try to put it up, network manager is not working correctly, I think it's because it's a vps, do anyone know if it's even poss to use openvpn on a vps?
11:23 < s33_> It says no network devices available when I try to put it up, network manager is not working correctly, I think it's because it's a vps, do anyone know if it's even poss to use openvpn on a vps?
11:23 < s33_> Hi, how do you setup openvpn on a vps? anyone done it?
11:23 < BtbN> Is that a container or something? Can you load tun?
11:23 < SviMik> make sure you are not using openvz
11:24 < SviMik> otherwise, same as a normal server, yes
11:24 < s33_> yea openvz server.. then it doesn't work?
11:24 < BtbN> You probably need the admin to load tun for you
11:24 < BtbN> if it isn't loaded by default
11:25 < s33_> Alright I'll have to have a look at xen servers then, oh.. I see, I will look into that and see if it can be done
11:25 < s33_> How do i check that?
11:25 < modem> rob0: thanks a lot pretty much answer my question i will check that closer!!!
11:25 < s33_> Ok thanks
11:25 < modem> rob0++
11:25 < s33_> How do u check if it's on?
11:25 < BtbN> look at lsmod or something
11:25 < SviMik> well, that's not definitely "no", but you probably will need to contact the admin, right
11:25 < BtbN> openvpn not working is a pretty good indicator that it's not though
11:26 < SviMik> it's easier to find xen, kvm or vmware, right
11:26 <@dazo> s33_: openvz does work, but requires you to ask the VPS provider to load the tun driver for your container .... openvz is more like containers than virtual machines
11:26 < s33_> Ok aight will see, alright alright. I'll see what I can do and try contact
11:26 < s33_> Oh great answer
11:26 < s33_> Aight, I will look into it!
11:26 < s33_> Thanks
11:26 < BtbN> some hosters do not want you to do so though
11:26 < s33_> Thanks dazo, and all of u, will look into it.
11:28 <@krzee> t !openvz
11:28 <@krzee> !openvz
11:29 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn, or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
12:02 -!- fireglow- is now known as fireglow
12:57 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 240 seconds]
12:58 < Devrim> Lol I was wondering why my OpenVPN connection wasn't working for like 10 minutes
12:58 < Devrim> I completely forgot to enable it in the firewall >.>
13:22 <@ecrist> Devrim: not the topic. ;)
14:36 < Devrim> ecrist :p
14:37 < Devrim> I switched from 1 app to the other, must have forgotten to switch my settings while moving settings around :D
14:37 < Devrim> I'm surprised by how good the Raspberry Pi runs the OpenVPN server
14:38 < kerio> ok lets not get ahead of ourselves here
15:35 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 260 seconds]
15:56 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
15:56 -!- mode/#openvpn [+o syzzer] by ChanServ
16:43 < InfraBrondo> Need some quick help *banging head against wall*
16:44 < InfraBrondo> I've been using OpenVPN successfully for sometime now.  However, I deployed a new OpenVPN server configured to push the LAN route to the client.  Routing table on client gets updated correctly.  However, when I test a ping to a machine on the LAN and run tcpdump against the LAN interface of the OpenVPN box, it shows the originating interface IP for the ping to be the TUN interface IP, not the LAN interface.  My other OpenVPN box
16:45 < InfraBrondo> BTW -- both OpenVPN servers (the one that routes correctly and the one that doesn't) are on 2.4.1
16:47 < InfraBrondo> any ideas?
16:54 < InfraBrondo> anyone?  Bueller....Bueller...
17:07 < InfraBrondo> anyone actually here?
17:08 < InfraBrondo> well crap.
17:08 < vectr0n> you have to be more patient on freenode, sometimes no one is paying attention that is able to help
17:09 < InfraBrondo> I understand that -- just thought maybe since it's business hours here in USA maybe someone was on
17:09 < vectr0n> also start with !welcome and go from there
17:09 < InfraBrondo> !welcome
17:09 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
17:09 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
17:09 <@vpnHelper> you
17:09 < InfraBrondo> !goal to access LAN behind OpenVPN gateway
17:11 < vectr0n> (theres a command for that)
17:17 < InfraBrondo> nevermind -- figured it out... stupid CentOS firewalld issue.  Masquerade needed to be enabled...
17:17 < InfraBrondo> And that's why I like Debian... ;-)
17:36 < daveb778> hello
17:37 < daveb778> Im having a issue where after i create a bridge my machine will no longer access the net.
17:40 < SviMik> !welcome
17:40 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
17:40 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
17:42 < daveb778> !goal "Need help with bridging networks"
17:43 < daveb778> !goal Need help with bridging networks
17:43 < daveb778> am i doing it wrong?
17:43 < daveb778> '!goal Need help with bridging networks'
17:43 < daveb778> yea im not too sure how to go about that.
17:45 < daveb778> Well, umm so far i have have made the bridge scripts and it works inside my network but even tho i have it port forwarded it still doesnt work from outside the network.
17:46 < daveb778> Everything worked before i added the bridge, and i didnt change any ports and such.
18:02 < daveb778> !1925
18:02 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
18:16 -!- daveb778 is now known as davindra
18:19 < |Mike|> davindra: why bridging?
18:20 < davindra> I want to access machines on my network, i had orignally setup just to route internet.
18:20 < davindra> also i was banned from the the devel chat tho ive never joined it before.
18:21 < davindra> mike could you lend a hand in me figuring this out lol.
18:21 < |Mike|> they just ban gateway/web/freenode/* ;)
18:22 < davindra> oh ok.
18:22 < |Mike|> configs, logs please!
18:23 < davindra> sure thing
18:24 < davindra> https://puu.sh/vFQFM/d83cc5d790.png
18:25 < davindra> hmm im not too sure how to copy the log give me a minute
18:27 < |Mike|> Do you have tap0 and br0?
18:28 < davindra> yes
18:28 < davindra> https://puu.sh/vFQS8/91543eb391.png
18:31 < davindra> mike its strange cause the ports are still the same and the firewall wasnt touched im not sure why i can no longer connect from outside the network
18:34 < |Mike|> have you added 'iptables -A INPUT -i br0 -j ACCEPT' etc?
18:34 < |Mike|> (same for tap0 and br0
18:34 < |Mike|> )
18:35 < davindra> let me check
18:35 < davindra> https://puu.sh/vFRa6/1d184166a2.png
18:35 < davindra> yep
18:35 < davindra> heres my log
18:35 < davindra> https://pastebin.com/sJrvmQM9
18:36 < davindra> i removed the public ip for obvious reasons lol
18:36 < |Mike|> 192.168.1.70 is the local IP from the OpenVPN server?
18:37 < davindra> correct
18:37 < |Mike|> ifconfig_pool looks good
18:38 < davindra> oh ok
18:39 < |Mike|> 172.56.28.146:50944 write UDPv4: Network is unreachable (code=101)
18:39 < |Mike|> Where's that IP address coming from?
18:39 < davindra> i think that mightve been my phone
18:41 < davindra> i could generate a new config if that helps?
18:42 < davindra> also when i connect from any of my machines it hangs on this
18:42 < davindra> https://puu.sh/vFRtg/bec565d9b3.png
18:43 < davindra> if it helps im running this in a docker container in freenas
18:46 < |Mike|> what's the output of ifconfig br0 ?
18:46 < |Mike|> does it show the 192.168.1.70 address?
18:46 < davindra> IT DOES
18:46 < davindra> oops
18:46 < davindra> sorry about the caps
18:46 < davindra> https://puu.sh/vFRFw/5370acb63d.png
18:48 < |Mike|> it has been years that i've touched a bridged setup to be honest. Have you used the bridge-start script?
18:48 < davindra> yep
18:50 < davindra> is there a easier way to route traffic through openvpn
18:50 < davindra> from the local network
18:54 < |Mike|> net.ipv4.ip_forward=1 <== could you check?
18:55 < |Mike|> and another Q; your phone is android? Since it only supports TUN :)
18:55 < |Mike|> same goes for iOS
18:57 < davindra> yea but i was trying it from a laptop.
18:57 < davindra> like a tried a couple of different machines
18:57 < davindra> https://puu.sh/vFSaM/147d8813db.png
18:58 < davindra> also ipv4 forward is enabled
18:58 < |Mike|> Can you reach the OpenVPN IP with ping?
18:59 < davindra> yep
18:59 < |Mike|> routing or firewall issue o/
18:59 < davindra> hmm
19:00 < |Mike|> traceroute 8.8.8.8 for example stops at the openvpn server ip, right?
19:01 < davindra> traceroute doesnt work on linux
19:02 < |Mike|> huh?
19:06 < akkad> traceroute works, someone is blocking your frags with df bit thrown
19:09 < akkad> try `ping -R 8.8.8.8`
19:10 < davindra> ping: sending packet: Network is unreachable
19:10 < davindra> akkad and mike
19:10 < davindra> idk why its doing that when i even tried to pinged other addresses
19:11 < |Mike|> local works, right?
19:11 < davindra> yes
19:12 < davindra> https://puu.sh/vFSNE/dcbdf9588d.png
19:13 < |Mike|> have you tried to push a route ?
19:13 < Gozzy> good evening
19:14 < davindra> i havent mike
19:14 < |Mike|> push route 192.168.1.70 255.255.255.0"
19:15 < |Mike|> err, make sure the " " 's are correctly placed
19:15 < |Mike|> push "route 192.168.1.70 255.255.255.0"
19:15 < davindra> kk
19:15 < Gozzy> im trying to route all my traffic (windows 10) through my VPN, I am giving this command: "C:\Program Files\OpenVPN\bin>openvpn.exe --redirect-gateway --local def1" but this gives "Options error: You must define TUN/TAP device (--dev) Use --help for more information." anyone who recognises this? I checked help but cant figure it out
19:16 < davindra> no luck mike
19:16 < |Mike|> Gozzy: configs
19:16 < |Mike|> and see topic Gozzy
19:16 < |Mike|> davindra: restarted the OpenVPN server?
19:16 < davindra> yea
19:16 < davindra> i have
19:16 < Gozzy> !welcome
19:16 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
19:16 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
19:17 < |Mike|> it's 02:11 on my side of the world, not thinking straight anymore
19:17 < Gozzy> so we can talk durch? :P
19:17 < Gozzy> dutch*
19:17 < |Mike|> nee
19:17 < Gozzy> ok ok
19:18 < davindra> yea i think i might just give on bridging for now lol
19:19 < davindra> up*
19:20 < Gozzy> |Mike| do you mind if i dump the contents of my OVPN file here? I think it's ok :/
19:20 < |Mike|> krzee: could you shed some light on davindra his configs?
19:20 < |Mike|> Gozzy: pastebin
19:20 < |Mike|> and I'm about to head to bed to be honest
19:21 < |Mike|> Gozzy: as the error states; you haven't defined a tun/tap device
19:21 < |Mike|> !tunortap
19:21 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
19:21 <@vpnHelper> rooted/jailbroken) support only tun
19:21 < Gozzy> https://pastebin.com/TWG4F9YM
19:21 < Gozzy> no worries sleep is important
19:21 < Gozzy> go to bed :) thx anyway
19:22 < davindra> yea thanks man
19:22 < davindra> hopefully krzee can lend a hand
19:22 < Gozzy> hmm i just want to play on pokerstars via my corporate openvpn
19:23 < |Mike|> Gozzy: I see heaps of config errors already. You better read some docs Sir! :-)
19:23 < Gozzy> not a major issue
19:23 < Gozzy> hmm ok i got this from my sysadim lol
19:23 < Gozzy> *sysadmin
19:23 < |Mike|> davindra: hope so, he's the master
19:23 < |Mike|> night yall.
19:23 < davindra> night mate
19:23 < Gozzy> gnight & thx!
19:37 <@krzee> just got in
19:37 <@krzee> davindra: whats the problem?
19:38 < davindra> i can no longer connect to my server from outside the network after the bridge
19:38 <@krzee> bridge?
19:38 <@krzee> why you bridging?
19:38 < davindra> eth0 and tun0
19:38 <@krzee> why you bridging?
19:38 <@krzee> !whybridge
19:38 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun., or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#3) See also !tunortap
19:38 <@krzee> !tunortap
19:38 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
19:38 <@vpnHelper> rooted/jailbroken) support only tun
19:39 <@krzee> so again, why you bridging?
19:39 <@krzee> it's normally the wrong solution, lets see if you actually want that...
19:39 <@krzee> !goal
19:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:39 < davindra> i wanna have traffic go between my local network and the vpn without trouble
19:40 <@krzee> !route
19:40 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
19:40 <@krzee> if thats normal ip traffic then you want tun and proper routing
19:41 <@krzee> if its layer2 traffic then lets talk about what specifically
19:43 < davindra> well im trying to get a program to dectect a pc over the vpn
19:43 <@krzee> ...what program and hows it detect?
19:44 < davindra> umm well its steam, as far as i know it scans the network for a machine running the program.
19:48 <@krzee> i wouldnt know if that uses ip or mac (l;ayer 2 or 3)
19:48 < davindra> is their anyway i can check?
19:49 <@krzee> sure, you could run a packet dump while running it
19:49 <@krzee> if its windows, you could use ethereal
19:49 < nbastin> (wireshark)
19:49 <@krzee> oops wireshark
19:49 < davindra> lol ok
19:50  * nbastin drags Krzee out of the time machine.. :-)
19:50 <@krzee> i got confused and thought wireshark changed to ethereal but i had it backwards
19:50 <@krzee> hahah i use tcpdump tho :D
19:50 < nbastin> yeah
19:50 < nbastin> yeah, same
19:50 <@krzee> i just assumed hes on windows
19:50 < nbastin> I mean I use wireshark sometimes to load pcap files after I capture them
19:50 <@krzee> cause steam is for gamers
19:50 <@krzee> and windows is for gamers
19:50 < davindra> lol
19:50 < nbastin> I'm pretty sure wireshark for windows comes with a command line capture tool
19:50 <@krzee> probably, i wouldnt know
19:51 <@krzee> but with win10 doing bash and powershell, id expect it does
19:51 < davindra> well i used to using windows and linux lol
19:52 < nbastin> krzee: oh long before that...  :-)  I stopped using windows around 2003, and it had cmdline capture then
19:52 <@krzee> oh nice, i stopped around then and didnt know that
19:52 <@krzee> whats it called (or was) ?
19:53 <@krzee> davindra: once you find the relevant stuff if you're not sure if its layer2 or 3 feel free to take a pic of it
19:53 < davindra> krzee i have wireshark open forgive cause i have no idea what to do
19:53 <@krzee> also, if it uses broadcast or multicast i think we'll want tap as well
19:53 < davindra> ok
19:54 < davindra> how do i limit it to a application
19:54 <@krzee> capture on the network device and start steam searching for computers
19:54 <@krzee> you dont, but we'll find it
19:54 <@krzee> only run the capture when starting steam's search
19:54 <@krzee> start, search, stop
19:59 < davindra> im not really having good luck
20:00 < davindra> its also not really a search]
20:00 < davindra> idk how it works but ive tried having both machines on the vpn at one point and they couldnt find each other as tun
20:01 <@ordex> morning
20:13 <@krzee> hey ordex do you know if steam uses layer2 or 3 to find clients on the lan running steam?
20:13 <@ordex> never used it
20:14 <@ordex> but if it "searches" for clients in the LAN, I'd say it uses broadcast/link-local
20:14 <@ordex> aka L2
20:16 < simbalion`> Hi, I can connect to openvpn from the shell just fine but it does not work from the gui NetworkManager applet, could someone help me? If there's a log or something I could read I could probably work out the issue..
20:17 <@krzee> you want #nm
20:17 <@krzee> ordex: you any good with bridging? davindra seems to need help with it
20:17 <@krzee> but i never used bridging nor do i have plans on it
20:18 <@krzee> i usually just convince everybody to use routing, but he may actually need bridging
20:18 <@ordex> :D
20:19 <@ordex> yeah, I have been fan of bridging for quite some time :P
20:19 <@ordex> but I haven't found the problem statement in the backlog
20:19 <@krzee> ya i dont know what the problem is, i stopped him at "bridge"
20:21 <@krzee> but i do feel that i shouldnt be helping people with bridging unless im the only option ;]
20:21 <@krzee> ordex: out of curiosity, what do you use bridging for?
20:22 <@ordex> krzee: I have been developer of a layer2 mesh network protocol for various years. so basically we used the concept of bridging extended to an entire wireless mesh network
20:23 <@ordex> it made everything easy and plug-n-play
20:23 <@ordex> davindra: would you mind re-stating the problem ?
20:23 <@krzee> oh very cool!
20:23 <@krzee> very very cool
20:24 <@ordex> www.open-mesh.org if you have free time and wanna read something :D
20:24 <@krzee> dude you dev BATMAN?
20:25 <@krzee> ive heard of this stuff
20:25 <@krzee> impressive
20:26 <@ordex> yup, been working on that for some years, now I just join discussions (when I have time), but I mostly stopped with the development
20:26 <@ordex> wanted to do $something else :D
20:28 < Gozzy> hola, im trying to force all traffic through openvpn but it keeps saying i do not have a tun device but i am quite sure i do... https://pastebin.com/UiCmD1AH anyone who can take a look at this?
20:29 <@ordex> Gozzy: you need to create a config file
20:29 <@ordex> and launch openvpn properly
20:29 <@ordex> not with just one option
20:29 <@ordex> or, if you are already running openvpn as a daemon/service, then you should add redirect-gateway to your current config file
20:30 < Gozzy> client
20:30 < Gozzy> tls-client
20:30 < Gozzy> dev tun
20:30 < Gozzy> persist-tun
20:30 < Gozzy> remote vpn.server.nl 1194 udp
20:30 < Gozzy> verify-x509-name "vpn.server.nl" name
20:30 < Gozzy> resolv-retry infinite
20:30 < Gozzy> keepalive 10 60
20:30 < Gozzy> ca bakkerspees.crt
20:30 < Gozzy> cert gerko-laptop.crt
20:30 < Gozzy> key gerko-laptop.key
20:30 < Gozzy> persist-key
20:30 < Gozzy> comp-lzo yes
20:30 < Gozzy> verb 3
20:30 <@ordex> !paste
20:30 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
20:30 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
20:31 <@ordex> Gozzy: did you read my previous message? :)
20:31 <@ordex> Gozzy: [0922.36] <@ordex> or, if you are already running openvpn as a daemon/service, then you should add redirect-gateway to your current config file
20:31 < Gozzy> yes i did
20:31 < Gozzy> i added this to my config redirect-gateway local def1
20:31 <@ordex> ok
20:31 < Gozzy> but thats not doing much on whatsmyip.org
20:32 <@ordex> does openvpn start properly ?
20:32 <@ordex> and why "local" ? is vpn.server.nl a local machine in your LAN ?
20:33 < Gozzy> no
20:33 <@ordex> then it is not needed (as per man page)
20:34 < Gozzy> when i do ipconfig it shows a network adapter with that DNS suffix
20:34 < Gozzy> ok thx, getting a bit lost
20:34 <@ordex> that's because you configured your host machine that way
20:35 <@ordex> but local is only to be used when the server is in the same LAN as the client
20:35 <@ordex> so not in your case
20:36 < Gozzy> ah yes that does not apply to me
20:37 < Gozzy> im in france trying to connect to my corporate openvpn and getting a dutch ip
20:37 <@ordex> yap
20:37 <@ordex> so just def1 is enough
20:37 <@ordex> once connected, make sure openvpn is running
20:37 <@ordex> and check the routing table to see if the routes where properly installed
20:38 <@ordex> if not, then the traffic won't flow through the vpn
20:39 < Gozzy> so netstat -rn
20:39 <@ordex> not sure how that works on windows, sorry
20:40 <@ordex> but maybe yes
20:41 < Gozzy> hmm I think so.. it's 3:35 over here I should go to bed :/ thx for your help ordex surely ill figure it out tomorrow :) feel like i do not belong in IT atm but i'll keep at it :)
20:41 < Gozzy> thx & gnight
20:42 <@ordex> :) np and goodnight !
20:44 <@ordex> davindra: ?
21:08 < davindra> krzee sorry for the late reply
21:08 < davindra> https://puu.sh/vFYsB/0f98f9a763.png
21:09 <@krzee> not me, ordex =]
21:09 <@krzee> he knows bridging, i dont
21:09 < davindra> ahh kk
21:10 < rob0> all we know is that bridging is almost always a bad idea :)
21:10 < davindra> ordex help me lol
21:10 <@ordex> davindra: this is just a screenshort of tcp packets
21:10 <@ordex> davindra: what was the problem first of all ?
21:11 < davindra> Well after bridging networks i can no longer connect to the server outside my network.
21:11 <@ordex> bridging what exactly? the tap interface of the VPN with your ethX ?
21:11 < davindra> yep
21:12 < rob0> that's possibly because you bridged the internet interface
21:12 < davindra> thats what the guide on the site suggested
21:12 <@ordex> davindra: what are you trying to achieve ?
21:13 < davindra> i want data to move through my local network and vpn without the virtual wall
21:13 < rob0> !goal
21:13 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:13 <@ordex> davindra: ok
21:14 <@ordex> so basically what you want to get at the end is a big LAN having the same subnet all over the place
21:14 <@ordex> when bridging, you know that you should remove IPs from the plain interfaces and add one to the bridge only
21:14 < davindra> yea pretty much
21:14 <@ordex> I think openvpn can help you with this
21:15 < davindra> i have a script from the wiki that does that
21:15 <@ordex> davindra: are you also using --server-bridge ?
21:15 < davindra> yes
21:15 < davindra> but after the bridge is formed the machine can no longer ping the outside world
21:15 <@ordex> davindra: ok, after connecting, can you please run: "ip route" "ifconfig" and paste the output somewhere ?
21:15 <@ordex> !paste
21:15 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
21:15 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
21:16 < davindra> run those commands on the server or client
21:16 < davindra> ordex?
21:16 <@ordex> davindra: server
21:16 < davindra> ok
21:17 <@ordex> davindra: who losts the internet connectivity? the client or the server ?
21:17 < davindra> server
21:17 <@ordex> ok
21:20 < davindra> https://puu.sh/vFZ1G/1b41e96c98.png
21:20 < davindra> if the client connects they lose internet
21:21 < davindra> but it seems a problem on the server side
21:21 < davindra> https://puu.sh/vFZ3B/71981461d9.png
21:21 < davindra> ordex lemme know what you think of all this
21:21 <@ordex> ok
21:22 <@ordex> davindra: that's the only thing you have in ip route on the server ?
21:22 < davindra> thats the only thing it shows for some reason
21:22 <@ordex> davindra: do you normally get your eth0 IP from a DHCP server on the LAN ?
21:22 <@ordex> or you assign it statically ?
21:23 < davindra> statically but the script clears it for the bridge
21:23 <@ordex> because to me it seems that br0 was reconfigured with a static IP, but basically lacks default GW (and possibly also a DNS)
21:23 <@ordex> yes
21:23 <@ordex> but the default GW has to be reassigned too
21:23 <@ordex> you probably missed that in the script ?
21:23 < davindra> lemme see
21:23 <@ordex> if it is static, then also the default GW has to statically be reassigned
21:25 < davindra> https://puu.sh/vFZgn/9e061aadab.png thats the bit of the script for the ip
21:26 <@ordex> davindra: yeah, no GW
21:26 < davindra> so what command would i add to fix this?
21:26 <@ordex> it should be reassigned after clearing eth0
21:26 <@ordex> davindra: you mean "how do I add a default gateway on linux?"
21:27 <@ordex> davindra: http://bfy.tw/BbnX
21:27 <@vpnHelper> Title: LMGTFY (at bfy.tw)
21:27 <@ordex> :p
21:27 < davindra> well i thought there wouldve been something to add to this script to do it automatically
21:28 <@ordex> well, I guess so too
21:28 <@ordex> anything you do in the console can be done in a script too :)
21:28 < davindra> true
21:28 <@ordex> just test on the console first and then adapt the script accordingly
21:28 <@ordex> first I'd add the Gw to check if that solves the problem
21:28 <@ordex> there might be something else to fix afterwards
21:28 <@ordex> if that's enough, than add the command to the script :)
21:29 <@krzee> right, no reason to mod the script before you know if it helps :D
21:30 < davindra> true
21:31 < davindra> i add this for br0
21:31 < davindra> or for eth0?
21:31 <@krzee> br0
21:34 < davindra> omg ordex and krzee you both are gods xD
21:34 <@ordex> lol
21:35 < davindra> now let me confirm something
21:36 <@krzee> we have to give that one all to ordex ;]
21:36 <@krzee> ordex++
21:36 <@krzee> !karma
21:36 <@vpnHelper> "karma" is nick++ adds karma nick-- adds bad karma, as seen in !ircstats
21:36 < davindra> ordex++
21:36 < davindra> krzee++
21:36 <@ordex> lol
21:37 < davindra> lol
21:37 <@krzee> if ecrist still processes the logs that is, i dont think hes done it for hella long
21:37 <@krzee> !ircstats
21:37 <@ordex> didn't know we have karma here
21:37 <@vpnHelper> "ircstats" is (#1) See http://secure-computing.net/logs/openvpn.html for all-time IRC stats., or (#2) See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats.
21:37 <@ordex> !karma ordex
21:37 <@krzee> nah its just in the logs
21:37 <@krzee> the bot doesnt know about it
21:37 <@ordex> ah
21:37 <@ordex> :P
21:37 <@krzee> ircstats processes the logs and keeps the karma
21:37 <@krzee> lol last processed december 2014
21:37 <@krzee> hey ecrist can you do that sometime?
21:41 < davindra> well umm i got good news and bad news
21:41 < davindra> do i need to do a dns push aswell?
21:41 < davindra> or arout dns
21:41 < davindra> route*
21:41 <@ordex> the DNS might still be configured
21:41 <@ordex> because it is just in resolv.conf
21:41 <@ordex> but not sure if the script is wiping it too
21:42 < davindra> ahh, cause i can connect but now i dont get internet and i cant ping in my network.
21:42 < davindra> from the remote machine
21:42 < davindra> i see why people hate bridging now
21:42 < davindra> lol
21:43 <@krzee> well that and needless overhead, and layer2 has no attempt at security
21:43 < davindra> i see
21:44 <@ordex> davindra: the problem is also that you should know what you are doing :D plugging things together does not always work :P
21:44 <@krzee> but for you it seems to be what you need
21:44 < davindra> ordex and krzee when i can connect but now its lost internet access and i cant ping my desktop from the vpn
21:46 < davindra> well thats odd how i lost those two abilities
21:46 <@krzee> did you reconnect?
21:46 < davindra> yea
21:46 <@krzee> if so, you lost that gateway again
21:46 <@krzee> well probably
21:46 <@krzee> just a guess, of course
21:46 < davindra> so if i connect a client it resets on the server?
21:47 < davindra> wait not its still here
21:47 < davindra> no*
21:47 < davindra> yea after you mentioning the extra overhead that might be a problem.
21:48 < davindra> can i use push to foward one machine into the vpn with tun?
21:48 < davindra> tp*
21:48 < davindra> tap*
21:49 <@krzee> huh?
21:50 < davindra> yea the bridge seem to have broken more then i wouldve like
21:50 < davindra> krzee.
21:51 <@krzee> is it only 2 steam computers?
21:51 <@krzee> (but in different lans)
21:52 < davindra> yea i have my laptop on my phone hotspot to simulate a external connection.
21:52 < davindra> and my desktop on my local home network.
21:52 <@krzee> well
21:52 <@krzee> then you dont seem to need the entire lan
21:53 <@krzee> you could run openvpn on the computers that use steam, and then you could use a normal routed setup, but with dev tap instead of dev tun
21:53 <@krzee> assuming you dont have multiple steam computers on the same actual lan
21:53 <@krzee> (that need to be reached over the vpn)
21:54 < davindra> hmm
21:55 < davindra> i was trying that before with both machines on the vpn with dev tap and they wouldnt find each other
21:55 < davindra> unless you have a idea im missing.
21:55 <@krzee> nah see, i know nothing about steam
21:56 <@krzee> but if it didnt work with dev tap while directly connected, im not sure if bridging will help
21:56 <@krzee> dev tap passes all layer2 traffic
21:56 < davindra> well shit.
21:56 <@krzee> steam may not have tried scanning the tap interface
21:57 <@krzee> mahybe theres a setting for it or something
21:57 <@krzee> but if you wanna keep working on the bridge tell ordex whats wrong as i dont use bridging
21:58 < davindra> im trying to recreate something like this with my server instead of a router
21:58 < davindra> https://www.youtube.com/watch?v=yb91cz6mnNg
21:58 <@krzee> i see somebody has done it over bridge
21:58 <@krzee> https://steamcommunity.com/groups/homestream/discussions/0/540731691282205961/
21:58 <@vpnHelper> Title: "In-Home" streaming over the internet with OpenVPN :: Steam In-Home Streaming (at steamcommunity.com)
22:02 < davindra> man that seems like so much to do
22:03 <@krzee> ya its advanced networking so the first time can take a lot of work and learning if you dont have a networking background
22:04 <@krzee> the doc i wrote on routing was originally written after i took hella long to figure it out... i had to dive into the code to figure out what iroute actually did (this is a long time ago)
22:04 < davindra> yea i mostly do this for the fun of it lol
22:06 <@krzee> same, but as i became better with it i started seeing more and more to use it for
22:06 <@krzee> for example now its the reason i get to work from home sometimes... cause now it's actually possible
22:06 < davindra> same, if i went back a couple of months i had no idea how to get openvpn to even work
22:07 < davindra> lol nice
22:08 < davindra> i dont understand why it doesnt work with tap but it works with bridge according to the internet lol
22:08 < davindra> hey ordex you still around?
22:16 < davindra> !redirect
22:16 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
22:16 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
22:20 < davindra> ok so it sorta works.
22:20 < davindra> like when i first connect i see the notification for the machine detected but then it disappears
22:21 <@krzee> post your configs and bridge script for ordex
22:21 <@krzee> !configs
22:21 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
22:21 <@krzee> !paste
22:21 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
22:21 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
22:28 < davindra> ordex https://pastebin.com/aqCXMKNw
22:31 <@krzee> comment redirect-gateway for now so we can worry about that after, and try commenting server-bridge and see if server-bridge nogw gets you an IP from the dhcp server on the server lan
22:31 <@krzee> but im just guessing
22:31 < davindra> heres my bridge script
22:31 < davindra> https://pastebin.com/HZixAZp0
22:35 < davindra> if i comment server-bridge [FAIL] Starting virtual private network daemon: server failed!
22:36 < davindra> i get that
22:36 <@krzee> thats not what you should be looking at
22:36 <@krzee> !logfile
22:36 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
22:37 <@krzee> i said to comment it and put server-bridge nogw
22:37 < davindra> oh ok
22:37 <@krzee> but comment it so you can easily switch back
22:47 < davindra> yea im gonna hve to call it a night
22:47 < davindra> ill catch you guys on later.
22:48 <@krzee> goodnight
22:48 <@krzee> im curious tho
22:48 <@krzee> when you did that, did you get an ip from the servers lan?
22:49 < davindra> i was able to connect and have internet access
22:50 < davindra> i also found this
22:50 < davindra> https://puu.sh/vG3b6/7a5fd5fd68.png
22:54 <@krzee> nice
--- Day changed Fri May 05 2017
00:03 < s33_> hi, im trying to make openvpn work but network manager fails to work when i install it (im on a xen), how would you troubleshoot the network on a vps when the network stops functioning, all i can do is reinstall and reboot, any help? if anyone has knowledge of how to make network manager similiar to the existing network i have, or is it offtopic, if anyone knows i would be grateful to know
01:02 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:02 -!- mode/#openvpn [+o mattock1] by ChanServ
02:58 < npn> Hey guys. OpenVPN android app doesn't let me use tap, only tun. I do actually have a custom kernel with a working tap module. Any way I can disable the check within the OpenVPN android app?
02:59 <+hyper_ch> why you wanna use tap over tun?
02:59 < npn> No tun- just tap
03:01 < npn> Oh you mean why did I choose tap? I usually prefer tun, but in this case I have a virtual networking lab that I've set up for a couple of students. I need the layer 2 bridging functionality for accurate simulations
03:05 < nobiz> hi, i have a working configuration vor openvpn which only supports ipv4. i'd like to be able to connect to my ipv4 openvpn server and receive a valid ipv6 address when tunneling to the internet
03:05 < nobiz> anyone who can help me with that?
03:06 <@ordex> nobiz: it mostly depends on your actual IPv6 setup, but you can find the various ipv6-related options by searching "IPv6 Related Options" in the man
03:06 <@ordex> ifocnfig-ipv6 might be enough..it really depends on your deployment
03:08 < nobiz> my german provider gives ma a dual stack
03:08 < nobiz> ill check the man page again
03:12 < nobiz> i don't get it actually :D
03:12 < nobiz> it seems like i have all of this configured
03:12 <@ordex> then how about pasting your logs so that we can see what is getting configured and what is not ?
03:12 <@ordex> !logs
03:12 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
03:13 < nobiz> thank you
03:13 < nobiz> one moment please
03:15 <@krzee> npn: no way i know of unless you patch the code and compile it for android... you dont have to use the gui you can start it cli
03:16 < npn> Tx krzee
03:16 <@krzee> plaisthos: ^ apparently some people have tap working in their android
03:17 <@krzee> (i didnt know that, dunno if you did)
03:19 -!- haasn is now known as hanna
03:49 < skyroveRR> Hi krzee
05:02 < haaning> Something weird happens with one of our Windows VPN clients. Usually it pushes the DNS quite fine but in this case he needs the IPs to connect to servers on LAN. I asked him to show me the routing table for which there are 2 entries for 0.0.0.0 netmask 0.0.0.0
05:02 < haaning> Could that be the reason for the DNS errors?
05:08 < nobiz> hi
05:08 < nobiz> !logfile
05:08 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
05:12 < nobiz> hmm, i can't find any suitable logs on server
05:12 < nobiz> verb is set to 4
05:13 < nobiz> ok.. seems legit. being on the wrong machine... -.-
06:52 < nobiz> ok.. i'm sorry.
06:53 < nobiz> its not very smart to reconfigure your private openvpn server, while you are using it at work to access the openvpn configuration :P
07:17 < rob0> ha
07:34 <@ordex> nobiz: :D
07:38 <@ecrist> krzee: sure, I can run a log proccess at some point.  I'll try to do it this weekend (maybe today if I have the time)
07:45 < nobiz> ordex, still around?
07:46 <@ordex> nobiz: for a bit
07:46 <@ordex> feel free to paste your logs somewhere
07:47 <@ecrist> !irclogs
07:47 <@vpnHelper> "irclogs" is Channel logs are available at http://secure-computing.net/logs/openvpn.log and http://secure-computing.net/logs/openvpn-devel.log and are updated every three hours.
07:47 <@ecrist> !ircstats
07:47 <@vpnHelper> "ircstats" is (#1) See http://secure-computing.net/logs/openvpn.html for all-time IRC stats., or (#2) See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats.
07:47 < nobiz> i'd like to talk in general if its ok, before
07:47 < nobiz> not a good idea to hassle with the config while at workd
07:47 < nobiz> work
07:48 < nobiz> i read quite a few articles about tunneling ipv6 over ipv4, but i think i'm still lacking some basic knowledge to understand what i'm doing
07:50 <@ordex> nobiz: that's one way to bring ipv6 connectivity to a point that lacks it
07:50 <@ordex> you said your provider is providing you with dual stack already
07:50 <@ordex> this means that from there, whatever you phisically connect, can have IPv6 natively - no need for a tunnel
07:50 <@ordex> openvpn supports that: the tun interface can natively carry ipv6 segments
08:02 < nobiz> i guess i got a problem with my psybnc too......
08:02 < nobiz> which is odd.
08:03 < nobiz> it says the following in the manual for 2.4
08:03 < nobiz> --server-ipv6 ipv6addr/bits
08:03 < nobiz> does this have to be my public available ipv6 address, right?
08:04 < nobiz> the thing is i never want to connect to the vpn via ipv6
08:04 < nobiz> i just want to have the address when tunneled to the internet
08:08 -!- Netsplit *.net <-> *.split quits: @syzzer
08:08 <@ecrist> hah, dazo_afk talks more than dazo does
08:14 <@ecrist> krzee: stats are updated
08:15 <@ecrist> heh
08:15 <@ecrist> ecrist is either insane or just a fair op, kicking a total of 90 people!
08:15 <@ecrist> ecrist's faithful follower, EugeneKay, kicked about 66 people.
08:15 < nobiz> grrr
--- Log opened Fri May 05 08:20:24 2017
08:20 -!- Irssi: #openvpn: Total of 299 nicks [10 ops, 0 halfops, 5 voices, 284 normal]
08:20 -!- mode/#openvpn [+o ecrist] by ChanServ
08:20 -!- Irssi: Join to #openvpn was synced in 1 secs
08:29 <@ecrist> 298 users, that's impressive.
08:32 -!- Netsplit *.net <-> *.split quits: @syzzer
08:32 -!- Netsplit over, joins: syzzer
08:32 -!- mode/#openvpn [+o syzzer] by ChanServ
09:05 < omgs> Hi. I'm having problems with the windows openvpn gui. Isn't there a kind of wizard similar to the network manager one?
09:06 <@ecrist> what is your problem?
09:06 <@ecrist> there is no wizard for it
09:06 < omgs> An alternative would a way to export the real config file one can use in linux, so that same config can be used
09:07  * rob0 puts on his wizard robe and hat
09:07 <@ecrist> omgs: the same config for linux can be used on windows.  
09:07 <@ecrist> !network-manager
09:07 <@ecrist> !netman
09:07 <@vpnHelper> "netman" is (#1) NetworkManager usually works fine, but can have some challenges in som env, or (#2) Ensure you run a reasonably recent NM version, or (#3) NM is aimed at client configurations and requires a logged in user session and is sensitive to instable unstable networks, or (#4) If OpenVPN works from the command line but not NM, go to #nm or https://wiki.gnome.org/Projects/NetworkManager
09:07 < rob0> except for the few OS-specific settings
09:07 < omgs> There's an "export" button in linux, but that file misses several things
09:09 < omgs> ecrist, I haven't set the file in linux manually, but with the network manager dialog. I'm not sure where the resulting file for the connection is stored, in whose case I would just use it.
09:10 <+hyper_ch> omgs: just renamed the file extension to .ovpn and alter it to windows line breaks
09:10 <+hyper_ch> (and make sure paths are correct to certs)
09:10 < omgs> hyper_ch, but where is that file stored?
09:10 <+hyper_ch> -> /etc/openvpn/
09:11 <+hyper_ch> or   [some drive letter]:\Path\to\Windows\OpenVPN\config\
09:11 < omgs> hyper_ch, sorry, networ-manager doesn't store its files there
09:11 <+hyper_ch> no idea what network manager does
09:12 <+hyper_ch> on debian, *conf files in /etc/openvpn/  will be autostarte
09:14 <+hyper_ch> on nixos, I use entry in the globla configuration file like   services.openvpn.servers = { if-name = { config = ''\n config /path/to/config/file.conf\n ''; }; if-other-name = { ...}; };
09:15 <+hyper_ch> but where do you mean where the files are stored? windows or linux?
09:18 < DArqueBishop> Windows line breaks are nice but unnecessary. I never converted my ovpn/conf files to Windows line breaks and OpenVPN for Windows still reads them fine. :-)
09:18 <+hyper_ch> DArqueBishop: I do it automagically when I generate the configs
09:18 <+hyper_ch> with certs/keys included
09:19  * DArqueBishop nods.
09:19 < DArqueBishop> !nm
09:19 < DArqueBishop> !networkmanager
09:19 <+hyper_ch> ./autoMagic.sh "hosname" -->   hostname.conf & hostname.ovpn
09:20  * hyper_ch is a huge fan of auto magic
09:25 <+hyper_ch> omgs: so, what's the issue you're having?
09:27 < omgs> hyper_ch, well, I'm not there now, but lots of unsuccessful tests. It's our fault because we thought there would be a kind of gui to help. We realized that was false when it was late, so it's been a hard morning, having to investigate some silly detail about why the windows openvpn client can't connect successfully, just like linux does easily.
09:28 <+hyper_ch> the client has sort of a gui and it also prints out the log or soemthing
09:36 < omgs> As far as you know, how can one export or tell the windows client the p12 password, just like in linux?
09:36 < omgs> Sometimes when running the config file, the log expected a password
10:14 < varesa> are there some checks regarding the destination address when running an openvpn tunnel in server-client mode?
10:15 < varesa> I am trying to route traffic to another subnet from the openvpn server through the client but traffic seems to get lost
10:15 < varesa> I can ping the other end of the tunnel but no other networks beyond that. tcpdump on the client never shows any echo requests arrivinhg
10:19 < catalase> is there a way to use a --client-connect script but exempt a specific connection?
10:20 < catalase> --client-config-dir it appears
10:21 < catalase> or not lol
10:53 <@ecrist> omgs: you're best bet is to learn how to create the configuration file directly
10:53 <@ecrist> we're not going to waste a ton of time teaching you how to export it from Network Mangler
10:54 <@ecrist> !factiods search script
10:54 <@ecrist> !factoids search script
10:54 <@vpnHelper> '2.1-winpass-script', 'script', 'scripting', 'scripts', 'subscription', and 'winscript'
10:57 < varesa> ecrist: any ideas about my issue?
10:59 < varesa> I'm trying to google site to site openvpn but that only seems to bring up things like pfsense and vyos
11:03 <@dazo> varesa: See the "simple test scripts" here: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14538.html ... generate your own proper certificates, and you have a pretty secure site-to-site/peer-to-peer tunnel
11:03 <@vpnHelper> Title: [Openvpn-devel] [PATCH v2] crypto: Enable SHA256 fingerprint checking in --verify-hash (at www.mail-archive.com)
11:04 <@dazo> varesa: depending on your security needs ... you may choose to optionally drop the --verify-hash options ... but that test script is basically the essence of what you need
11:04 <@ecrist> !howto
11:04 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
11:04 <@dazo> use the man page to understand each of the options used
11:04 <@dazo> !man
11:04 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
11:05 <@ecrist> varesa: see the howto ilnked there.
11:05 <@ecrist> There is a simple p2p tunnel setup example
11:05 <@dazo> ecrist: the howto simple p2p setup there is based on static key .... which is really not recommended at all
11:06 <@dazo> (I'm considering to submit a patch complaining loudly in the  logs when --secret is being used)
11:06 <@ecrist> dazo: there are uses for it, however.
11:06 <@ecrist> If it's insecure, we should fix that.
11:06 <@dazo> it's insecure due to lack of PFS
11:07 <@ecrist> is it, though?
11:07 <@ecrist> there's no key exchange
11:07 <@dazo> the fix is to use --tls-server and --tls-client   (not --server/--client) ... and add the --ca/--cert/--key/--dh .... and the rest of the config is the same
11:07 < varesa> looks like iroute might be what I need
11:08 < omgs> thanks
11:08 <@dazo> ecrist: exactly, so there is no key rotation ... so if someone stores all your encrypted traffic for a long time .... and later on gains your --secret key ... the complete communication is exposed in plain text
11:09 <@dazo> (gains => gets a copy or using  bruteforce)
11:09 <@dazo> ecrist: in the moment you add --tls-server/--tls-client ... that's when the control channel gets activated, and then the --reneg-* stuff kicks in, and you get PFS
11:12 <@dazo> ecrist: there is _one_ area where --secret is useful ... that's to escape the GFWs ... as it just plain encrypts the TUN/TAP data and pushes it to the remote site ... so the wire data is truly "random" and cryptic .... while the control-channel/data-channel multiplexing used with TLS mode, actually gives something GFWs can fingerprint as OpenVPN
11:12 <@ecrist> dazo: you should put that in the how to. ;)
11:12 <@dazo> yeah, I know :)
11:13 <@ecrist> I know jjk has the book, but we should post a few common recipes to the howto page, and point things like this out.
11:14 <@dazo> agreed ... and we should move the howto to the community site instead
11:14 <@dazo> (so we truly can edit it)
11:14 <@ecrist> yes
11:14 <@ecrist> I've been meaning to ask
11:15 <@ecrist> do we doxygen the source?  if not, we might want to start doing that, too.
11:15 <@dazo> ecrist: we do :)
11:15 <@ecrist> this is probably ot here
11:15 <@dazo> ecrist: http://community.openvpn.net/openvpn ... search for Doxygen ;-)
11:15 <@ecrist> dazo: where is it published?
11:15 <@vpnHelper> Title: OpenVPN Community (at community.openvpn.net)
11:15 <@ecrist> no way, awesome
11:16 <@dazo> :)
11:16 <@dazo> most of that work is done by Fox-IT.  It was needed for their OpenVPN-NL certification
11:16 <@dazo> in the Netherlands
11:16 <@ecrist> It looks great.
11:17 <@ecrist> I wish I had known about it when I wrote Mastering OpenVPN
11:17 <@ecrist> I did a lot of spelunking on my own
11:17 <@dazo> it covers the aspects related to security ... but there's lots of code still being undocumented
11:25 < varesa> is it possible to somehow just pass all traffic through the tunnel without iroutes on the server assuming I there are entries in the server routing table to the tunnel client ip?
11:29 <@dazo> varesa: iroute is needed if you want to computers residing on your VPN server side to communicate with computers on the LAN behind the VPN client
11:29 <@dazo> !goal
11:29 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:30 < varesa> I have a bunch of different sites/subnets that are currently connected using ipsec vti tunnels & OSPF
11:31 < varesa> at one location I currently have only a single server that I wanted to connect to the network using a similar topology, e.g. link networks over VPN and advertising its subnet over OSPF
11:32 < varesa> the routers that act as openvpn servers receive the routes from the server but traffic towards that subnet gets lost
11:37 < varesa> basically what I want to achieve is site to site routing between two subnets with two redundant tunnels
11:39 < varesa> however I can't get server to a network via the client to work
11:39 < varesa> ip_forward sysctl is enabled and firewall is not blocking anything
11:44 <@krzee> !ircstats
11:44 <@vpnHelper> "ircstats" is (#1) See http://secure-computing.net/logs/openvpn.html for all-time IRC stats., or (#2) See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats.
11:58 < varesa> ah, got how to setup "site-to-site" openvpn tunnel and got it to work
11:58 < varesa> maybe my I've got the wrong term, my google-skills are horrible or the documentation on that is pretty bad
12:08 <@krzee> !route
12:08 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
12:11 <@krzee> do you plan on using ospf over openvpn as well? if so when i started doing that i found that i needed to use ptp links for the points where ospf goes over
12:11 <@krzee> ecrist: thanks =]
12:12 < varesa> krzee: I (plan to) use ospf, yes
12:12 <@krzee> on the openvpn links themselves?
12:12 < varesa> actually ospf was working from the beginning, only the traffic was being dropped
12:13 < varesa> yes
12:13 <@krzee> ahh ok, i wasnt able to use ospf over openvpn on freebsd without using ptp links, but this was awhile ago too
12:13 <@krzee> now i do it that way cause i know it works
12:13 <@krzee> but if you got ospf working over client/server then i guess thats fine now
12:14 <@krzee> i should note that i was using bird4
12:14 < varesa> I use quagga/zebra/ospfd
12:14 <@krzee> cool
14:24 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
17:38 < majuk> !ovpnuke
17:38 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
17:39 < majuk> You ever have a problem that is too convoluted to explain succinctly via text?
17:39 < majuk> Me too.
17:44 < majuk> So I have a PtP VPN tunnel established between my site [siteA] and a remote site [siteB]. The siteB has road warriors that VPN into it. I would like for them to be able to access the siteA network, but they do not get advertised routes for siteA.
17:44 < majuk> Any questions or comments towards a resolution appreciated.
17:46 < majuk> Both siteA and siteB have OpenVPN servers.
18:17 < rob0> it's kind of like !serverlan but with an extra hop
18:18 < rob0> The siteA route has to be pushed to clients of siteB.
18:18 < majuk> rob0: Yea, that's what I'm not sure how to do.
18:18 < majuk> !serverlan
18:18 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
18:21 < majuk> I explicitly added a route for RoadWarVPNNetwork -> ServerSiteBLANAddress on ServerSiteB, but it did not propogate to the road warrior
18:22 < majuk> Road Warrior does get adverts for SiteB's LAN... so I thought that the explicit route would do it
18:22 < majuk> But no joy
18:23 < majuk> sorry, added a route for PtPVPNNetwork/24 -> ServerSiteBLANAddress
18:25 < majuk> Anyway, I it's the end of my work day. Thanks for your time and attention. Try again another time.
18:39 < thefinn93> !goal
18:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:41 < thefinn93> I'm trying to get the OpenVPN management interface to listen on a unix socket in a particular directory on my Debian Sid box. it works fine if the socket file is in /run/openvpn, but when i put it in /var or anywhere else it seems, it says permission denied:
18:41 < thefinn93> MANAGEMENT: Socket bind[4] failed on unix domain socket /var/jankyvpn/finnsvpn-management.sock: Permission denied
18:42 < thefinn93> I tried creating a fifo in that directory from the user and group that openvpn is supposed to switch to, and it works fine
18:42 < thefinn93> is there some crazy permission magic I'm missing?
18:42 < thefinn93> or perhaps obvious non-magic..
18:47 -!- yarddog- is now known as yarddog
19:10 < thefinn93> hrm, when i chown that directory to root:root, it works...
19:51 <@krzee> thefinn93: sounds worthy of a trac ticket
19:51 <@krzee> !trac
19:51 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker., or (#2) if you have a forum login, use that for trac, its the same database.
19:53 < thefinn93> eh, yeah, i'll see if i can get a little more specific info before reporting
23:46 < s33_> Hey, trying to connect from a xen server to a vpn with openvpn, as I connect the complete network goes down, how would I go to fix this?
23:47 < s33_> TUN is activated, idk what to configure to make it work, the server is default
23:50 < s33_> And when I reboot the server from my control panel, the server is still down, so it gets messy, what should I configure or how to troubleshoot it, anything I've missed?
--- Day changed Sat May 06 2017
00:35 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
00:35 -!- mode/#openvpn [+o mattock1] by ChanServ
00:49 <@krzee> s33_: i have a guess, tell me if you're right
00:50 <@krzee> you have a server online that you ssh to, that you then run openvpn in client mode on, with redirect-gateway to redirect its internet over the vpn
00:50 <@krzee> is that right?
00:57 <@krzee> i'll assume im right and answer... if i was right then your ssh session dies because it's responding over the vpn (its new default route) so you need to use multiple routing tables and policy routing to say anything headed for server_ip uses the second routing table to respond, which doesnt get overwritten by openvpn
00:57 <@krzee> !splitroute
00:57 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/viewtopic.php?t=7175#p8056 to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet, or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
01:15  * nbastin is so glad he doesn't use tun.. :-)
03:37 <@krzee> s33_: talk in the channel not private message
03:38 <@krzee> i generally ignore those unless i know you or you asked
03:38 <@krzee> there, now i /ignore'd them
03:39 < s33_> So what do you think is wrong?
03:39 < s33_> Is it enough with these 2 lines if I put in the right ip's, shouldn't it?
03:39 <@krzee> dunno, i ignored the private messages
03:39 <@krzee> you want to read up on policy routing
03:40 < s33_> ip rule add from your_ip table 10     and   ip route add default via your_gateway table 10
03:40 < s33_> oh alright
03:40 < s33_> gotta see for a minute
03:54 <@ordex> s33_: what are you trying to achieve?
03:54 <@ordex> !goal
03:54 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:54 < s33_> It's a bit too advanced though, read on the inet, is there anyone with the knowledge of helping me with it? I could give the pw to my server
03:55 < s33_> Hey orderx, thank you for asking I'm trying to connect to a vpn with openvpn and it's a hosted vps
03:55 < s33_> it's xen so i have full control and it has tun activated, my problem is that when I connect the network goes down
03:56 < s33_> There seem to be routing issues and I'm not good at mixing with ip add and doing what to be needed there, aka policy routing
03:59 <@ordex> hmhm why do you want to use policy routing ?
03:59 <@ordex> did you understand why the connection goes down?
03:59 <@ordex> maybe you are using the same subnet for the VPN *and* for the VPS?
03:59 <@ordex> thus leading to a collision ?
04:01 < s33_> Yea, well I have no idea what the problem is, I have a ssh im connecting through, but the whole network goes down so it's not just that, it may very well be what you're saying, then how would I fix that?
04:01 < s33_> Im using everything by default
04:02 < s33_> simply doing openvpn 'my-config-file.ovpn' when connecting with the openvpn client
04:03 < s33_> I cannot really troubleshoot well either because when the network goes down, then I have to reinstall my server because a reboot doesn't restore it
04:04 < s33_> How would I go about changing the subet for both the vpn and vps? by going into /etc/network/interfaces? hmm i doubt if that's the prob though if im gonna go there
04:04 < s33_> But may be if it's e.g. a common problem
04:06 <@ordex> s33_: not sure if that's the problem, but you can check
04:06 <@ordex> check what's the subnet being assigned to the vps
04:06 <@ordex> and check what you have configure in the openvpn config file
04:07 <@ordex> is the VPS acting as server ? or is it acting as client ?
04:08 < s33_> acting as a client, and openvpn as a client
04:08 <@ordex> ah, then are you configuring over vpn to install a new default route ?
04:08 <@ordex> that would also mess up your uplink
04:09 <@ordex> !configs
04:09 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
04:09 <@ordex> s33_: I know you feel desperate, but you should step back a bit and try to understand what's going on before jumping out of the window :D
04:11 < s33_> Hehe :D well u're kinda right, it's just that I thought these things would be a click of a button, they could be, but seems like not :D
04:15 <@ordex> well, if you push the right button on the right console :D
04:39 <@krzee> ordex:
04:39 <@krzee> !splitroute
04:39 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/viewtopic.php?t=7175#p8056 to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet, or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
04:39 <@krzee> thats what he needs
04:39 <@krzee> i should make a writeup about it one day =/
04:40 <@krzee> policy routing can be complex tho
04:40 <@krzee> hard to know what to explain and when to stop
04:41 < nbastin> policy routing is an unnecessary evil.. :-)
04:42 <@krzee> says the guy who says hes glad he doesnt use tun lol
04:42 <@krzee> policy routing is total greatness
04:42 < nbastin> well I use lots of routing, just we do it outside of ovpn.. :-)
04:43 < nbastin> we use tap between bridges and then use routers between nets across those tunnels
04:43 < nbastin> mostly I'm happy I don't use tun with ovpn just because it's basically another router config to learn
04:44 < nbastin> versus just L2 and then routers we already use
04:46 < nbastin> (almost all routing is already policy, so when someone says "policy routing" it's an extra level of troubling.,. :-))
04:51 < s33_> Well, there's long text of pages regarding policy routing I feel bit clumsy to even know where to start as I feel it's just a simple thing I want to do, I made a stack thread https://unix.stackexchange.com/questions/363355/connect-through-openvpn-to-vpn-network-disconnects in hope I'd get a answer of someone having done it, tbh I feel like the above should have worked aka these 2 ip rule and ip route commands, well gonna read some more 
04:51 <@vpnHelper> Title: ubuntu - Connect through OpenVPN to VPN - network disconnects - Unix & Linux Stack Exchange (at unix.stackexchange.com)
04:57 < s33_> If that user in that forum solved the routing issue by 2 commands, I got a question, his first line is his ip and his second is his ip ending with .254 which is his gateway ip, right? On my server my gateway ip is not similiar to the main ip, what's the difference in that? Isn't it the same gateway ip, or are there more than one type of gatweay ips?
04:57 < s33_> https://forums.openvpn.net/viewtopic.php?t=7175#p8056
04:57 <@vpnHelper> Title: OpenVPN with redirect-gateway renders public ip inaccessable - OpenVPN Support Forum (at forums.openvpn.net)
05:00 < s33_> Like there seem to be a local and public gateway ip, but what about the gateway ip that is like the main but with a different ending in the last digits?
05:01 < s33_> W/e I don't know, thinking if I used the wrong fields when inserting the 2 commands, the first I did insert my ip from ifconfig and the second my gateway ip that I got form route -n
05:01 < s33_> from*
05:27 <@ordex> krzee: policy routing is helpful if you have somehow overlapping routing rules, but if the setup is simple (and you should keep it such :P), there is no need for that
05:31 <@krzee> theres a need for it if you have a server on the internet that needs sshd to all internet, but runs openvpn redirecting gateway, for 1 example
05:31 <@krzee> i have many more examples from work, but thats a pretty relevant one since we get people with that issue every month or so
05:34 <@ordex> krzee: yup, I totally agree
05:35 <@ordex> but this guy hasn't been able to tell us if he has redirect-gateway enabled or not :P
05:35 <@ordex> that's why I was hoping he could paste the configuration (unless i missed it)
05:36 <@krzee> he does
05:36 <@ordex> oh ok, sorry then :S I missed that
05:36 <@krzee> he didnt know how to use his webchat client and privmessaged it to me
05:36 <@krzee> confirming my guess was right
05:37 <@ordex> oh alright
05:37 <@ordex> not my fault this time :D
05:39 <@ordex> krzee: then I guess that s33_'s problem is that although he is creating the tables, he still has redirect-gateway enabled, which is adding a new default route in the main table anyway
05:39 <@ordex> thus defeating the purpose of the policy routing he installed
05:39 <@ordex> no ?
05:40 <@ordex> s33_: u still there ?
05:40 < s33_> I'm here, I have no idea about that, as I said it's a default configuration, how would I check if that is enabled or disabled? Ive not messed with any settings, trying to keep it clean
05:40 <@ordex> s33_: could you paste your config somewhere?
05:40 <@ordex> !paste
05:40 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
05:41 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
05:41 < s33_> Yea sounds reasonable, that could be it
05:41 <@ordex> s33_: btw, the option we are talking about is —redirect-gateway def1
05:42 < s33_> So, alright, no idea on how to check it though but I'll have to google then
05:42 <@ordex> it's an openvpn config option
05:42 <@ordex> it's part of the openvpn config file
05:42 <@ordex> either you wrote it in it or not
05:43 < s33_> Aight well I've not written in it so it's at default :P dno what the default value is though
05:43 < s33_> I'll have a check
05:44 < s33_> Oh I see
05:44 <@ordex> s33_: you mean there is no "redirect-gateway" entry in your openvpn config file ?
05:44 < s33_> The vpn provider gave me a list of what servers I decide to join
05:44 <@ordex> sorry, I just want to be sure I understood
05:44 < s33_> Yea I think so, I have to take a look, no problem, hold on
05:44 < s33_> I'll see for a sec
05:47 < s33_> Ok uhmm, should I paste of what my .ovpn file looks like, that is the config file right? because that's the one im using to start openvpn, not sure which config file you mean but that one right?
05:48 <@ordex> yes, the .ovpn is the openvpn config file
05:48 < s33_> I see no redirect-gateway in the .ovpn file atleast, not much interesting here I think, only ip from vpn, some authentic data/certficate
05:48 <@ordex> you can paste it on any of the paste services mentioned above
05:48 < s33_> Ok aight hold on for sec
05:48 <@ordex> ok
05:52 < s33__> https://gist.github.com/anonymous/5b2bb9ccff750a4e430f914e40d7491f
05:52 <@vpnHelper> Title: gist:5b2bb9ccff750a4e430f914e40d7491f · GitHub (at gist.github.com)
05:53 < s33__> There you go
05:53 < s33__> I had to reconnect to ircchat, my internet disconnected, i'm here
06:39 <@krzee> ordex:
06:39 <@krzee> [03:38] <s33_> The vpn provider gave me a list of what servers I decide to join
06:39 <@krzee> you know ANY vpn providers that dont push redirect-gateway down their users throats?
06:40 <@krzee> (personally i think they should put it in the client configs so users can choose what to redirect when they wanna, but they never seem to)
06:41 < s33_> Aight, well I got some interesting stuff, a user on stackexchange pointed me to like whitelist my PC ip when connecting to the user, I found out this way I can troubleshoot now
06:42 < s33_> I saw there was the vpn ip in route -n command but it didn't seem to work properly as it was like the same behavior when I used the 2 commands earlier except that now I could be on my server with network enabled
06:43 < s33_> I can ping to ips but I cannot connect to them
06:44 < s33_> when connecting to the vps*
06:48 < BtbN> krzee, such a VPN without redirect-gateway seems very useless?
06:49 < BtbN> Not needing it is kind of a special case, and you can just disable it yourself if you know you need that
06:50 < skyroveRR> o.o
06:50 < skyroveRR> hey krzee
07:14 <@ordex> krzee: right - I didn't think about that (I have not much experience with provideers)
07:17 <@ordex> krzee: then I guess he needs to filter that, no ? otherwise his policy routing will go poo poo
07:17 <@krzee> he doesnt have policy routing, he needs it to solve his problem
07:18 <@krzee> BtbN: yes but maybe some people dont want to redirect *everything* maybe just certain subnets
07:18 <@krzee> over the years i had to help quite a few people with that
07:18 <@krzee> !redirectignore
07:18 <@krzee> !ignoreredirect
07:18 <@krzee> !factoids search ignore
07:18 <@vpnHelper> 'ignore' and 'redirect_ignore'
07:19 <@krzee> !redirect_ignore
07:19 <@vpnHelper> "redirect_ignore" is you can ignore --redirect-gateway (because you do not run the server, and the server pushes it to you) by reading the info at this page: https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
07:19 <@krzee> that =]
07:19 <@krzee> oh we should update that to have the new 2.4 option that ignores specific pushed stuff by regex
07:24 <@ordex> krzee: uhm, he said he tried with those rules/route rules and it still did not work, that's what I was referring to
07:24 <@ordex> anyway
07:28 < s33_> Hi im here
07:29 < s33_> Weren't these 2 policy routing?
07:29 < s33_> I thought it was
07:30 <@krzee> well those were the 2 rules that worked for him
07:30 <@krzee> youd need your own rules based on your configuration
07:30 <@krzee> but ya thats policy routing
07:31 <@krzee> hey skyroveRR
07:31  * ordex focuses on his mango
07:31 < s33_> Yea I just read, it's the same.. yea
07:32 < s33_> Dno what differs in my cfg though
07:32 < s33_> Will have to wait and lookaround
07:32 <@krzee> ip rule add from 91.121.199.129 table 10
07:32 <@krzee> ip route add default via 91.121.199.254 table 10
07:32 <@krzee> first ip is his public ethernet interface
07:32 <@krzee> second ip is his normal lan gateway
07:32 < s33_> which can be found by using the ifconfig command, and gateway i get with route -n
07:33 < s33_> yep, or so atleast is how I get them
07:33 <@krzee> that says that anything with the source address 91.121.199.129 (his ip) should go out via routing table 10, which has default gateway of 91.121.199.254
07:34 <@krzee> then when your openvpn changes your default routing table's gateway, you'll still send out all packets that have SRC IP of 91.121.199.129 via 91.121.199.254 instead of via your VPN
07:34 < s33_> ah I see, in my case scenario though I can ping from the server, be on it but I cannot ping or connect to domains or ips, I can only ping.. so it's different
07:35 < s33_> I can ping but I cannot connect to domains or ips*
07:35 <@krzee> you said you can ping but you cant ping
07:35 <@krzee> i didnt follow
07:35 < s33_> Yea I meant so, I can ping
07:35 <@krzee> dude once you can ping openvpn is done
07:35 < s33_> was mistype
07:35 <@krzee> probably firewall
07:35 <@krzee> routing is done if you can ping
07:35 < s33_> Yea, true, and in route -n I can see openvpn's ip in there and the ethernet interface called tun0
07:36 <@krzee> ping doesnt traverse networks differently than TCP
07:36 < s33_> ok i drop it here, idc about the ips i will remove link later here's what my route -n looks like https://gist.github.com/anonymous/b04d0532c355e375a36c4d6c8d5ba02d
07:36 <@vpnHelper> Title: gist:b04d0532c355e375a36c4d6c8d5ba02d · GitHub (at gist.github.com)
07:36 <@krzee> ya, and when you look at table 10 you should see another routing table
07:36 <@krzee> you have multiple
07:36 <@krzee> ip route show table 10
07:36 <@krzee> or something like that
07:36 < s33_> oh ye let me write that and i see what's there
07:36 < s33_> check also this https://gist.github.com/anonymous/b04d0532c355e375a36c4d6c8d5ba02d
07:36 <@vpnHelper> Title: gist:b04d0532c355e375a36c4d6c8d5ba02d · GitHub (at gist.github.com)
07:37 < rob0> route(8) and other Linux net-tools are broken.  Unlearn that and start learning ip(8).
07:37 <@krzee> i was waiting for that :D
07:38 <@ordex> yessss
07:38 <@ordex> :D
07:38 <@ordex> deprecated since? 2.2.x? :)
07:38 <@ordex> that is a good example of how it's impossible to get rid of deprecated tools :D
07:38 < rob0> yeah a recent thing, like 15-18 years ago
07:38 <@ordex> right :D
07:39 < s33_> what are you guys talking about :O
07:39 < rob0> but "google is your friend" and everybody blogs about their half-baked successes
07:39 <@ordex> lol
07:40 < s33_> krzee: should i upload my list of ip rules/routes? well i'll do it anyway
07:40 <@krzee> s33_: read the above text to know what we're talking about :D
07:40 <@krzee> not really, im just telling you how it works
07:40 <@krzee> you said you can ping
07:40 <@krzee> that means ip routes and rules are done
07:40 <@krzee> unless somebody else wants to look
07:41 < s33_> im on webirc, cannot see any text above me, just the chat :D, aight. well maybe ordex wants to, well if ip routes and rules are done then what is left? what's the problem that is left
07:41 < s33_> as it's not working completely 100%
07:41 <@krzee> it pings everything it should?
07:41 < rob0> he was talking about the CHAT
07:41 <@krzee> you can ping the clients public ip while its connected to the server?
07:42 < s33_> hmm kinda yea. nameserver, any ip, but it cannot join a ip or domain Only ping
07:42 < s33_> yea
07:42 <@krzee> rob0: [05:29] <s33_> I can ping but I cannot connect to domains or ips*
07:42 <@krzee> change your nameserver to 8.8.8.8
07:42 < s33_> I can try
07:43 <@krzee> if your client was using a nameserver from its ISP and then joined a vpn redirecting gateway, that will break DNS
07:43 <@krzee> i guess we could always test if you need that
07:43 <@krzee> from the vpn client (while connected to vpn) ping 8.8.8.8 and ping google.com
07:45 < s33_> Aight, well im inserting 8.8.8.8 now so we'll see
07:49 < s33_> haha wow lol :D expert, well u were right about it breaking the DNS
07:49 < s33_> it works now, I can ping google.com
07:49 < s33_> let me see my ip now if it's vpn's
07:49 <@krzee> i was right about needing policy routing too ;]
07:50 < s33_> Yea i'd say so :) I'll have to try it once more because im using a temporary solution now and just whitelisting my ip! gonna first check my ip
07:50 <@krzee> oh dude, you said it pinged but thats cause you added a route for your ip
07:50 <@krzee> lol
07:50 <@krzee> fine show me those things
07:51 <@krzee> the rule / second routing table
07:51 < s33_> hmm, well I could ping any ip, oh yea, it should work with the 2 rules I tried before because it wouldn't work at all without them, and that is what I will use and nameserver 8.8.8.8, and that should work will try in a sec and combine em
07:51 <@krzee> umm no
07:52 < s33_> this is what i use now sec
07:52 <@krzee> all we're fixing is your server being pingable while its connected to the openvpn server
07:52 < s33_> ip ro a mypcpublicip/32 via mygatewayip
07:52 < s33_> that's what i use now
07:52 <@krzee> and the temp route you added is another solution, if you never needed to ssh from another place
07:52 < s33_> mypcpublicip is my ip i connect with, just temporary solution i used so i could troubleshoot but it's actually or should be the same like the 2 other lines bcuz i see no difference
07:53 <@krzee> the difference is no other IP can reach the server on its public IP
07:53 <@krzee> only the one you added a route for
07:53 <@krzee> my solution fixes it for the entire internet
07:53 < s33_> Ah ye well mby, I can connect with ssh, yep exactly. And I don't want that so I will insert the 2 rules we talked about before just in a second
07:53 < s33_> Yea
07:53 < s33_> :D
07:54 < s33_> Yea I will use that
07:54 <@krzee> i'll be leaving in 10min
07:55 <@krzee> so show me the route and rule now if you want me to see them
07:55 < s33_> Ok just checked the ip on whatsmyip, it can connect and it displays the vpn's ip! so it works, just wanted to be sure on that last thing. Ok now Im going to add the rules
07:56 < s33_> Alright, yea wait It's the same I linked here before in that link you sent me, here they are I just insert my own ips
07:56 <@krzee> and if i dont see what you inserted ill never know if you're wrong or not
07:56 <@krzee> but whatever, either way... up to you
07:56 < s33_> ip rule add from 91.121.199.129 table 10
07:56 < s33_> ip route add default via 91.121.199.254 table 10
07:56 < s33_> these 2
07:56 <@krzee> those are NOT your ips
07:56 < s33_> Yea ok hold on!!
07:57 < s33_> Imma put them in now
07:57 < s33_> :D
07:57  * krzee facepalms
07:57 < s33_> I'll try be fast
07:57 < s33_> try to be fast
07:59 < s33_> ip rule add from 94.176.238.213 table 10
07:59 < s33_> ip route add default via 169.254.0.1 table 10
08:01 < rob0> um, default via a link-local address?
08:01 < s33_> Voila! It works perfectly :) Thank you :D for the time being and today overall and the other guy
08:01 < s33_> Took some time.. to get it fixed
08:02 < s33_> But definately worth it, no need to buy proxies now or spend money on windows vps servers to use vpn clients
08:02 < s33_> on my servers
08:03 < s33_> Thanks @krzee, @ordex
08:03 <@ordex> krzee++
08:52 -!- workimer is now known as lorimer
09:55 <@krzee> that guy was better than most webchat users
09:56 <@krzee> usually they give up after 5-30min
09:58 < rob0> I still don't get using a link-local address as gateway, is that possible?
09:58 < rob0> I guess as long as the source IP is not link-local it might work
09:59 <@krzee> im sure he fixed those lines after
09:59 <@krzee> the ip in the first line was direct from the forum
09:59 <@krzee> so i KNOW that wasnt valid either
10:00 <@krzee> oh no, it wasnt
10:00 <@krzee> both started with 9, and i havent slept
10:01 <@krzee> you never know, maybe he set his lan to use that subnet, i seen things almost that funny before
12:22 < CJCoastal> I'm reading through Mastering openVPN and running the examples on my LAN with an RPi as the server. I'm trying to initiate a pre-shared key connection, but the server cannot make the UDPv4 link local step. Is this because of my firewall?
12:23 < rob0> I don't know what "link local step" you refer to.
12:25 < CJCoastal> I'll try to explain better
12:27 < CJCoastal> the openVPN server prints "/usr/bin/ip addr add dev tun0 local 192.168.1.3 peer 192.168.1.7" to the terminal, then stalls. Also, the Pi becomes unreachable.
12:28 < rob0> stalls?  Or perhaps your routing is broken and you no longer can interact with your shell?
12:29 < CJCoastal> yes, the ssh session quits and I cannot reconnect without rebooting.
12:29 < CJCoastal> rebooting by power cycling the pi.
12:57 < piem> howdy. is there a way to configure which of several eth interfaces will be used for outgoing traffic?
12:58 < rob0> your system routing tables control that
13:01 < piem> rob0: ok, thanks. could you suggest some documentation i could read about that?
13:02 < rob0> not easily, since I don't know what OS you are talking about.
13:02 < piem> oh, true. debian on linux.
13:02 < rob0> !lartc
13:02 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
13:02 < rob0> and this might help also:
13:03 < rob0> !route
13:03 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
13:03 < piem> rob0: awesome, thank you!
14:29 < CJCoastal> !serverlan
14:29 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
15:30 -!- Dougy [~dougy@openvpn/community/support/Dougy] has joined #openvpn
16:28 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
20:31 <@ordex> morning !
20:59 < pylearner> I can vpn to my network but i cannot access any of the machines on my network i am getting assigned a 10. address my machines on my network are 192.168
21:07 <@ordex> pythonsnake: you have created a link. it does not automatically connect you to anywhere
21:07 <@ordex> usually you would configure some routing in order to tell your client where your network is
21:07 <@ordex> !lan
21:07 <@ordex> !route
21:07 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
21:15 < pylearner1> I can vpn to my network but i cannot access any of the machines on my network i am getting assigned a 10. address my machines on my network are 192.168
21:16 < pylearner1> sorry reposting question because I got kicked off my internet connection
21:18 < Vampire0> [04:01:32] <@ordex> pythonsnake: you have created a link. it does not automatically connect you to anywhere
21:18 < Vampire0> [04:01:56] <@ordex> usually you would configure some routing in order to tell your client where your network is
21:18 < Vampire0> [04:01:58] <@ordex> !lan
21:18 < Vampire0> [04:02:01] <@ordex> !route
21:19 <@ordex> !route
21:19 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
21:20 <@ordex> pylearner1: ^^
21:31 < pylearner1> ordex, so I am assuming when I have this setup right I should be able to get ping responses from the machines on my lan that I am accessing this is majorly annoying and I have been trying to figure this problem out for some time now
21:32 <@ordex> pylearner1: yap, once the proper routing is established you'll be able to exchange ip packets between your lan and the vpn clients
21:32 <@ordex> is the VPN server also the Gateway for your LAN clients?
21:33 < pylearner1> no it is not
21:33 < pylearner1> I have never been so frustrated at a computer problem
21:33 < pylearner1> lol, I have read and read
21:33 < pylearner1> to no avail nothing solves my issue
21:34 < pylearner1> I have a router that acts as the gateway unfortunately the router is a dumb router and I cannot add routing at the router level
21:34 <@ordex> pylearner1: basically you have a "network" that is your VPN which is accessible via your VPN server
21:34 <@ordex> thus you need two things
21:34 <@ordex> 1) tell everybody in the LAN that to reach that network (the VPN) they have to go through a specific PC X
21:35 <@ordex> 2) you have to inform the VPN clients that the LAN is behind the VPN server
21:35 <@ordex> point 2) is easy: you only need to inject a route via openvpn config
21:36 <@ordex> point 1) .. you'd need to add a route to the PC in the LAN, because I don't think that your dumb router can inject any route
21:36 <@ordex> pylearner1: does it make sense?
21:40 < pylearner1> ordex, this kinda makes sense and usually I am a big boy and can do things on my own but can you show me what the client ovpn config should look like for my network that is 192.168.0.*
21:41 <@ordex> :D no worries about being big boy or not :D somethings need to be figured out together hehe
21:41 <@ordex> wait a sec
21:41 < pylearner1> thanks a ton man
21:42 <@ordex> pylearner1: you can search for the option "—route" in the man page
21:42 <@ordex> this is something you can configure on the clients
21:42 <@ordex> or if you want you can configure it to be pushed by the server (and avoid configuring it on every vpn client)
21:43 <@ordex> this way the client will add a route through the VPN going to that network
21:43 <@ordex> so something like "route 192.168.0.0 255.255.255.0" is what you are looking for I guess
21:43 < pylearner1> honestly I will only have one laptop that needs this config it is to a home learning lab
21:43 <@ordex> ok
21:44 <@ordex> you can add that to your client vpn config then
21:44 < pylearner1> does it matter where this is located in the ovpn
21:44 <@ordex> nope
21:44 < pylearner1> on the file
21:44 < pylearner1> ok ill add at the end
21:44 <@ordex> is the client a linux client ?
21:44 <@ordex> ok
21:44 < pylearner1> windows
21:44 < pylearner1> it is connected just cannot do anything on the network I am connecting to :)
21:44 <@ordex> ok
21:45 <@ordex> well, you are connected to the server, not to the network :P
21:45 < pylearner1> right sorry
21:45 <@ordex> btw, have you read the article I gave you before ?
21:45 <@ordex> https://community.openvpn.net/openvpn/wiki/RoutedLans << this one
21:45 <@vpnHelper> Title: RoutedLans – OpenVPN Community (at community.openvpn.net)
21:46 < pylearner1> I have done a lot of server config stuff so just on a whim let me see if this config addition works for me pinging machines going to disconnect and reconnect
21:46 < pylearner1> yes
21:47 < pylearner1> I am still not pinging :(
21:47 < pylearner1> let me ssh into the openvpn server and see where I am at there
21:47 < pylearner1> ok
21:48 < pylearner1> I am logged in one thing I was reading is I would have to do something like this
21:48 < pylearner1> iptables -t nat -A POSTROUTING -s 192.168.0.2 -o enp2s0 -j MASQUERADE
21:49 <@ordex> that's for NAT
21:49 <@ordex> here we were trying to setup simple routing
21:49 < pylearner1> ok
21:49 < pylearner1> let me see what I have
21:50 <@ordex> on the VPN server you only need to enable ip forwarding
21:50 <@ordex> what OS are you running on the VPN server >
21:50 <@ordex> ?
21:50 < pylearner1> centos
21:50 < pylearner1> I have turned off anything like selinux
21:50 <@ordex> is ip forwarding enabled ?
21:51 <@ordex> otherwise the kernel will just block packets aimed for routing
21:52 < pylearner1> I dont think so and not sure can i PM you my current routing table it looks like I have done some work on this
21:52 < pylearner1> potentially incorrect
21:52 <@ordex> it is unrelated to the routing table right now
21:52 < pylearner1> ok
21:52 <@ordex> if you want to paste something long
21:52 <@ordex> you can paste on any service
21:52 <@ordex> !paste
21:52 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
21:52 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
21:53 <@ordex> on the server I presume the routing is properly setup, because it is already connected to both networks
21:53 <@ordex> you just have to enable ip forwarding on the server
21:53 <@ordex> to allow packets to flow from left to right and viceversa
21:53 < pylearner1> https://bpaste.net/show/d5e05c8568f3
21:53 <@ordex> looks ok
21:53 <@ordex> nothing special
21:54 < pylearner1> Thinking I need to delete routes
21:54 < pylearner1> I have added stuff that could be incorrect :(
21:54 <@ordex> what did you add ?
21:54 < pylearner1> 10.8.0.0 is listed not having a gateway
21:54 <@ordex> right
21:54 <@ordex> you are directly plugged into that network, why would you need one ?
21:54 < pylearner1> checking history i show this
21:55 < pylearner1> route add 10.8.0.0 mask 255.255.255.0 gw 192.168.0.1
21:55 <@ordex> that would be wrong, but I think it did not get through
21:55 < pylearner1> good
21:55 < pylearner1> so you think the routing table looks fine
21:55 <@ordex> so far seems ok
21:56 < pylearner1> also I dont even know what 192.168.122.0 is
21:56 <@ordex> I told you already what needs to be done :P
21:56 < pylearner1> I dont think it is needed how can i delete
21:56 <@ordex> it's another interface
21:56 <@ordex> not sure why you care :P
21:56 < pylearner1> ok
21:56 <@ordex> it is part of the virbr0 interface configuration
21:56 < pylearner1> I will look up how to enable ip forwarding
21:56 <@ordex> ok
21:56 < pylearner1> however I think I have done this already
21:56 <@ordex> just quickly check, to be sure
21:57 < pylearner1> yes I have
21:58 < pylearner1> [root@localhost ~]# sysctl net.ipv4.ip_forward
21:58 < pylearner1> net.ipv4.ip_forward = 1
21:58 <@ordex> alright
21:58 <@ordex> now point 1) of my list
21:59 < pylearner1> ok so i need to add a route from the openvpn server to the client
21:59 <@ordex> uhm
21:59 <@ordex> when you say client what do you mean ?
22:00 < pylearner1> sorry the 10. address that my client is getting on the openvpn linux server that I am connecting to remotely
22:00 < pylearner1> thanks for your patience with me man it would make my evening if I can get this working
22:00 <@ordex> well, that you already have
22:00 <@ordex> :D
22:00 < pylearner1> ok
22:00 <@ordex> you are making my morning, no problem
22:00 <@ordex> what you need is an answer to the question:
22:00 <@ordex> does a client in the LAN know how to reach 10.8.0.0/24 ?
22:01 < pylearner1> you'd need to add a route to the PC in the LAN
22:01 < pylearner1> no it does not
22:01 < pylearner1> so your saying on each client
22:01 < pylearner1> i need to add a route
22:02 <@ordex> right
22:02 < pylearner1> so for each 192.168 box
22:02 <@ordex> unless you are able to add this route to your LAN Gateway
22:02 < pylearner1> I am not
22:02 < pylearner1> ok
22:02 < pylearner1> gotcha
22:02 <@ordex> (this would be a bit suboptimal, but faster to settup)
22:02 <@ordex> ah ok
22:02 < pylearner1> the gateway is the router
22:02 <@ordex> then yeah, each client needs a path to 10.8.0.0/24 somehow
22:03 <@ordex> yap
22:03 < pylearner1> ok
22:03 < pylearner1> I only have ssh to the actual vpn server
22:03 < pylearner1> so I can try there
22:03 < pylearner1> the ip of that box on the lan is 192.168.0.2
22:03 < pylearner1> I just pasted the routing table that I currently have for that box
22:04 < pylearner1> just for the sake of my sanity and making sure I am doing this right
22:05 <@ordex> you can try on one client first. just to be sure we are getting this right :P
22:05 <@ordex> mh
22:05 < pylearner1> route 10.8.0.0 255.255.255.0
22:05 < pylearner1> would this syntax be correct
22:05 <@ordex> mh no
22:05 <@ordex> this is openvpn config syntax
22:06 <@ordex> not actual route syntax
22:06 < pylearner1> oh
22:06 <@ordex> normally on linux I use "ip route"
22:06 <@ordex> I would run something like "ip route add 10.8.0.0/24 via 192.168.0.2"
22:06 <@ordex> where 192.168.0.2 is the IP of the VPN server in the LAN
22:08 <@ordex> this way, when a client wants to send something to 10.8.0.x, will forward it to the VPN server which in turn will route over the VPN
22:08 <@ordex> (if I have. not forgotten something :P)
22:08 <@ordex> btw, you don't need that route on the VPN server itself
22:09 < pylearner1> https://bpaste.net/show/d29764d1b917
22:09 <@ordex> what I just said :P
22:09 < pylearner1> ok
22:09 <@ordex> on the VPN server you already have a route for that
22:09 < pylearner1> ok
22:10 < pylearner1> do you think I should try to log back in and ping that 192.168.0.2 from the client
22:11 <@ordex> mh you can try
22:11 <@ordex> not sure that will work
22:11 < pylearner1> did not work :(
22:12 <@ordex> because the VPN server may want to use its 10.8.0.x ip when talking to the VPN
22:12 <@ordex> yeah
22:12 <@ordex> you need to try with an actual client
22:12 < pylearner1> I did
22:12 < pylearner1> I am on the windows box now
22:12 < pylearner1> the vpn server is remote
22:13 < pylearner1> I connect and try to ping nothing for 192.168.0.2 :(
22:13 <@ordex> yeah sorry, I meant you should try with an actual LAN client
22:13 < pylearner1> oh to ping the 10. address
22:14 < pylearner1> 11 packets transmitted, 0 received, 100% packet loss, time 9999ms
22:14 < pylearner1> welcome to my nightmare :(
22:14 <@ordex> as I Said this is expected
22:14 <@ordex> you have to try with an actual LAN client
22:14 < pylearner1> tried to ping from 192.168.0.2 to 10.8.0.4
22:15 < pylearner1> my main goal though is that I can access also the 192.168.0.2 from 10.8.0.4
22:15 <@ordex> can't you use 10.8.0.1 ?
22:15 <@ordex> or .2 can't remember which is the IP?
22:15 < pylearner1> 10.8 is my openvpn windows client
22:15 < pylearner1> that wants to connect into my lan that is natted 192.168
22:16 <@ordex> sure, but your VPN server has two IPs
22:16 <@ordex> one in the VPN network and one in the LAN
22:16 < pylearner1> ok
22:16 <@ordex> from your VPN client, can you ping 10.8.0.1 or 10.8.0.2 ?
22:17 < pylearner1> virbr0
22:17 < pylearner1> ohhhh
22:17 < pylearner1> i see
22:17 < pylearner1> i think
22:18 < pylearner1> inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
22:18 < pylearner1> Ping statistics for 10.8.0.1:
22:18 < pylearner1>     Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
22:18 < pylearner1> from windows client i do try to ping and get that
22:19 <@ordex> also .2 ?
22:19 < pylearner1> but the tun0 on the server does show that
22:19 <@ordex> ah ok
22:19 < pylearner1> oh yeah when i try to ping 192.168.0.2 nothing
22:19 < pylearner1> from the windows client
22:19 <@ordex> are you sure the vpn server has not firewalling blicking pings?
22:20 < pylearner1> still timing out I did turn off iptables not sure what other firewall could be blocking
22:21 <@ordex> that's the firewall - if everything is off, then you shuould have no blocking enabled
22:21 <@ordex> mh weird
22:21 <@ordex> so basically you can't even ping the VPN server at this point
22:22 < pylearner1> I try to ssh to the 10.8.0.1 bc I have ssh server running and no connection goes through
22:22 <@ordex> can you paste both configs (vpn client and server)?
22:22 < pylearner1> right I cannot
22:22 < pylearner1> absolutely
22:23 < pylearner1> also one odd thing I just noticed is I have to break the vpn connection to use my web browser on my windows client
22:23 < pylearner1> https://bpaste.net/show/ed1d2a60cd6d <--- here is the client config
22:26 < pylearner1> https://bpaste.net/show/9c9191567b6a <--- server config
22:26 < pylearner1> again man thank you a ton for the helping hand
22:27 <@ordex> np
22:28 <@ordex> why do you have local 192.168.0.2?
22:28 < pylearner1> honestly I have no clue
22:29 < pylearner1> I was thinking that I was specifying that the openvpn server was running on local 192.168.0.2
22:29 < pylearner1> I can commment that out if you think it is interfering
22:30 <@ordex> well, I guess it does not matter
22:30 <@ordex> is the VPN connection coming through port forwarding on the router?
22:31 < rob0> "--local" is the address that openvpn clients use to connect to the server, and the address that a server will listen on for clients' connections
22:32 < pylearner1> rob0, ok I need to maybe do remote then bc I dont care to vpn from local lan clients
22:32 < pylearner1> maybe do remote
22:32 < pylearner1> and I have a hostname I am connecting to or wanting to connect to I actually connect fine
22:32 < pylearner1> just not able to communicate
22:33 < pylearner1> yes
22:33 < pylearner1> I can connect to the server fine
22:33 < pylearner1> via my windows box
22:33 < pylearner1> my windows remote client
22:33 < pylearner1> but I cannot talk to the server
22:33 < pylearner1> at all
22:33 <@ordex> route 192.168.0.0 255.255.255.0;push "route 192.168.0.0 255.255.255.0" <<< a bit bogus
22:33 <@ordex> comment the entire line out on the server
22:33 <@ordex> as you are configuring that on the client already
22:33 < pylearner1> ordex,
22:33 < pylearner1> oops ok
22:33 < pylearner1> ok will do that now comment that out
22:34 <@ordex> ok
22:34 <@ordex> can you reconnect and show us the client log ?
22:34 <@ordex> just t be sure the connection is taking place properly
22:34 < pylearner1> ordex, sure I will do so now
22:36 < pylearner1> https://bpaste.net/show/1e5cc010f901
22:36 < pylearner1> also still the weirdness that I have to break my openvpn connection to browse the internet :)
22:38 <@ordex> because you are pushing this: push "redirect-gateway def1 bypass-dhcp"
22:38 <@ordex> but if the server is not doing NAT/routing to the Internet, then Internet won't work
22:38 <@ordex> pylearner1: do you need all your internet traffic to go through the VPN ?
22:39 < pylearner1> gotcha so in client I need to get rid of that
22:39 < pylearner1> ordex, I dont need all the traffic to go through vpn
22:40 < pylearner1> I just need to connect to work on the server my goal is to not have to open ports on my server and clients to be able to work on my lan
22:40 < pylearner1> :)
22:40 <@ordex> then you can comment that
22:40 < pylearner1> well just only have openvpn port
22:40 < pylearner1> ok thanks
22:41 <@ordex> can you reconnect now and verify that you can connect to internet even though the VPN is on?
22:41 <@ordex> then can you again try to ping the server 10.8.0.1 ?
22:41 < pylearner1> ok I will do this now
22:42 < pylearner1> gimmie a bit need to restart openvpn
22:44 < pylearner1> ok I have internet working now but not able to ping
22:45 <@ordex> mah
22:45 <@ordex> weird
22:46 < pylearner1> yep :(
22:47 < pylearner1> I did some other stuff in the openvpn server.conf file a while back that may be messing stuff up not sure but good catch on the one blocking me from getting internet upon connect
22:48 <@ordex> this is weird because it is the basic vpn now that does not work
22:48 <@ordex> has nothing to do with you lan
22:48 < pylearner1> oh
22:48 < pylearner1> well it is connecting to the server
22:49 < pylearner1> I have a green status icon on my windows client
22:49 <@ordex> yeah
22:49 < pylearner1> just still cannot talk to anything
22:49 <@ordex> also the log shows that the connection is established
22:49 <@ordex> can you paste the windows routing table after the connection ?
22:49 <@ordex> and the server routing table too, again, please?
22:50 < pylearner1> absolutely
22:51 < pylearner1> https://bpaste.net/show/4c65e1d4895e  <--- windows client
22:52 < pylearner1> https://bpaste.net/show/407f6459925f  <----- server client
22:54 <@ordex> mah everything looks setup properly
22:54 <@ordex> weird
22:54 < pylearner1> :(
22:54 <@ordex> if nothing is blocking pings, you should be able to ping 10.8.0.1 from the client
22:54 <@ordex> and 10.8.0.4 from the server
22:55 < pylearner1> would i need to port forward anything for 10.8.0.1
22:55 <@ordex> no
22:55 <@ordex> it is all going through the VPN
22:55 < pylearner1> what is virbr0 that shows 192.168.122.1 on my interfaces
22:55 < pylearner1> gotcha
22:55 <@ordex> it's another interface
22:55 <@ordex> might have been installed by another application
22:55 <@ordex> but does not interfere
22:56 <@ordex> can you show the output of:
22:56 <@ordex> iptables -nvL
22:56 < pylearner1> sure
22:56 <@ordex> iptables -t nat -nvL
22:56 <@ordex> both of them please
22:56 < pylearner1> iptables shows blank
22:56 < pylearner1> both the rules chain shows nothing
22:56 <@ordex> ok
22:57 < pylearner1> one thing though when i do iptables save or something like that I did do a lot of stuff in the past here however the service is off now
22:57 < pylearner1> i thought there was other firewall crap on centos like firewalld or something
22:57 <@ordex> yeah if the tables are empty .. there is nothing there now
22:57 <@ordex> and the default policy is ACCEPT, right ?
22:57 <@ordex> but they eventually all converge on iptables rules
22:58 < pylearner1> [root@localhost openvpn]# systemctl status firewalld
22:58 < pylearner1> ● firewalld.service
22:58 < pylearner1>    Loaded: masked (/dev/null; bad)
22:58 < pylearner1>    Active: inactive (dead)
22:59 < pylearner1> apologize for the small flood but that is off
22:59 <@ordex> yup
22:59 <@ordex> is the default policy ACCEPT in both iptables tables?
22:59 <@ordex> well…nothing would work otherwise
23:00 < pylearner1> well not sure there is nothing listed at all and iptables is off
23:00 <@ordex> personally i would try installing tcpdump to have a quick look at what's going on at the packets level
23:00 <@ordex> but this should just work .-.
23:01 < pylearner1> ok I will look at this
23:02 < pylearner1> you think i should look at tcpdump on the server
23:02 <@ordex> fyi, Chain INPUT (policy ACCEPT) << this is the default policy I meant before. In this case it is ACCEPT, which means ACCEPT anything that does not match any rule
23:02 <@ordex> yup
23:02 <@ordex> to see if the packets from the windows client are arriving and what the server is trying to send back
23:02 < pylearner1> gotcha
23:02 < pylearner1> will do it
23:02 <@ordex> that may help showing something we haven't realized yet
23:03 < pylearner1> do this on tun0
23:03 <@ordex> pylearner1: are you on Pacific?
23:03 <@ordex> right
23:03 < pylearner1> as far as time I am one hour behind that server right now
23:03 <@ordex> hehe
23:03 <@ordex> it is in the future
23:04 < pylearner1> :)
23:05 < pylearner1> I am capturing on that interface and it is not showing anything in tcpdump
23:05 < pylearner1> Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),  <--- client shows
23:05 < pylearner1> lol
23:05 < pylearner1> obviously
23:07 <@ordex> ah
23:07 <@ordex> so nothing is reaching the server al all
23:07 <@ordex> *at
23:07 < pylearner1> tcpdump -n -X -i tun0
23:07 <@ordex> any clue if on windows something might be blocking this ?
23:07 < pylearner1> when i ping nothing is getting there
23:07 < pylearner1> let me look
23:07 < pylearner1> I can run tcpdump on this box
23:07 < pylearner1> and see what is happening to the packets
23:07 <@ordex> like settings for public network or something similar? I have no experience on windows
23:07 <@ordex> ok
23:08 < pylearner1> do you htink i need to enable ip forwarding in windows maybe??
23:08 <@ordex> don't think so
23:08 <@ordex> there is no forwarding
23:08 <@ordex> in place
23:08 <@ordex> btw need to go afk for a sec
23:09 < pylearner1> ok
23:14 < pylearner1> just for the hey of it i turned on and enabled routing in windows to see if that did anything and as you thought it did nothing
23:18 < pylearner1> going to reboot my windows client that I am chatting with you on brb
23:28 < pylearner> ordex, I am back
23:38 < pylearner> tcpdump on the windows client side says who has 10.8.0.1 I guess bc it cant find it I do see network traffic when vpn in to the 192.168 remote local lan it is just chatter when I try to ping any of the machines though nothing
23:39 < pylearner> also when pinging I also get no response found
23:42 <@ordex> mh i don't know. I think it should be the windows TAP driver to reply to these ARP requests
23:45 < pylearner> ok
23:46 < pylearner> ordex, do you have any other recommendations to try?  :)
23:48 < pylearner> do you think instead of local 192.168.0.2 i need to specify remote and my external hostname I am using a free hostname service for that server
23:57 <@ordex> no, does not matter, because that's the only ip the server can listen on
23:57 <@ordex> and if that was wrong, you couldn't connect at all
23:57 <@ordex> it is not useful .. but does not hurt
23:57 <@ordex> i think
--- Day changed Sun May 07 2017
00:01 < pylearner> ok
00:02 < pylearner> looking back on my history I think I did something wrong on the linux routing table that could be causing the issue
00:02 < pylearner> route add 10.8.0.0 mask 255.255.255.0 gw 192.168.0.1  <--- I ran this command
00:02 < pylearner> ip route add 10.8.0.0/24 via 192.168.0.2  <--- but we were trying to do this earlier
00:02 < pylearner> RTNETLINK answers: File exists
00:06 <@ordex> pylearner: you said that packets do not even reach the linux server ..
00:06 <@ordex> thus not sure how the routing table can affect that
00:06 <@ordex> ip route add 10.8.0.0/24 via 192.168.0.2  <--- but we were trying to do this earlier <<< command to run on the LAN clients to let them know where the VPN is. useless on the VPN server as it already has a route for that (hence the error)
00:07 <@ordex> it seems something is wrong on the window side
00:07 <@ordex> because the windows client is not even able to start a ping to the server
00:07 <@ordex> but I have no clue about windows and his tap driver :(
00:08 < pylearner> gotcha the problem is on the windows side it sounds like
00:10 < pylearner> ordex, thanks for everything tonight I will pick this up tomorrow evening thanks big thanks for the helping hand man
00:11 < pylearner> super sleepy gnite
02:03 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:03 -!- mode/#openvpn [+o mattock1] by ChanServ
02:21 < spike> i've been googling for ten mins and can't seem to figure this out. I have OpenVPN set up on a node somewhere and I can connect/use it just fine with a .ovpn file on my computer. however, I want to connect to it from my PS4, which can't use .ovpn files. is there a setting I can use to allow logins from my home IP so that the PS4 can just connect on its own?
02:32 -!- mattock2 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:32 -!- mode/#openvpn [+o mattock2] by ChanServ
02:36 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 260 seconds]
02:37 <@ordex> spike: is there a ovpn client for openvpn? :O
02:54 <@krzee> spike, ive never heard of anybody using openvpn from their ps4
02:55 <@ordex> although it sounds cool :D
02:55 <@ordex> hehe
02:55 <@krzee> it does :D
02:55 <@krzee> i hacked my new camera system last night
02:56 <@ordex> oh, and? can it still take pictures?
02:56 <@ordex> :P
02:56 <@krzee> have an openvpn binary with libs for that cpu, so tried them... but no tun device in the kernel =[
02:56 <@ordex> ah :/ too bad
02:56 <@ordex> so it is running some linux thing ?
02:56 <@krzee> meh already got a nice openwrt router in front of it
02:56 <@krzee> oh ya, they all do
02:57 <@krzee> well basically
02:57 <@krzee> china knowss to use opensource, i have a qsee 5716
02:58 <@krzee> so i extracted the recovery firmware, then binwalked that shit and got a jffs2 image which i mounted and grabbed the pwfile
02:58 <@krzee> then john cracked it for me to 1001chin
02:58 <@krzee> aqnd boom rootness in like an hour
02:59 <@ordex> :D
02:59 <@krzee> next time maybe like 15min if i have to do all that, cause i have a spare work computer with 64cpu
02:59 <@krzee> so hashcat instead of john, and win
02:59 <@krzee> (john is single cpu)
03:00 <@krzee> oh btw im drunk :D
03:00 < Algernop> o/
03:00 <@krzee> o/
03:02 < skyroveRR> \o
03:03 <@ordex> <o
03:03 <@ordex> krzee: hopefully it was something good !
03:04 <@krzee> some very nice wine while watching the fight
03:04 <@krzee> (chavez v alvarez)
03:04 <@ordex> :)
03:06 <@krzee> alvarez won every round
03:06 <@krzee> like not even arguable
03:19 < mgcyung> l
03:23 <@ordex> krzee: did you bet on the other one? is that why you are now drunk? :D
04:06 < aokfire> Hi, I Really really screwed up and need help. I am remote and restarted my OpenVPN service while connected, to set block-outside-dns
04:06 < aokfire> and well
04:07 < aokfire> I can't connect now... so I think I Fucked up and the service didn't restart properly
04:07 < aokfire> so... is there anything I can do aside from asking someone locally to fix something?
04:11 <@ordex> aokfire: if you have no access whatsoever to remote machine .. I don't know how you could fix that
04:11 <@ordex> aokfire: don't you even have ssh access outside of the vpn ?
04:12 < aokfire> no... I Never opened ports
04:12 < aokfire> I really didn't think this through. I'm just really not sure what to do
04:12 < aokfire> I Don't know who to ask. I Don't know anyone savvy enough and there is sort of sensitive info on the server
04:12 < aokfire> I mean I know one of my parents or a friend but idk if I Can trust them enough
04:14 <@ordex> aokfire: you could ask somebody to open ssh, without the need for doing anything else
04:14 <@ordex> and from there, you'll take over
04:14 < aokfire> so
04:14 < aokfire> hm
04:14 < aokfire> SSH is on port let's say 10144
04:14 < aokfire> ALl I Have to do is ask them to go to my house, connect to the router and open it?
04:14 < aokfire> specific to the IP of the system?
04:14 < aokfire> and then that's it?
04:15 <@ordex> if ssh is already running ..
04:15 < aokfire> yes
04:15 <@ordex> then yeah, I guess you only need to setup the port forwarding
04:15 < aokfire> ok. and there's ddns running on the router too
04:20 < aokfire> is there a way to forward a "fake" port that forwards to the actual port?
04:20 < aokfire> say to forward 10146 that actually forwards to 10144
04:21 <@ordex> depends on your router
04:21 <@ordex> normally yes
04:21 <@ordex> inner and outer ports do not need to be the same
04:21 <@ordex> aokfire: this is a but beyond openvpn debugging I think :P
04:22 < aokfire> Yes sorry. I Just figured to ask if there was a failsafe or something in OpenVPN where it'd Not restart if the config was bad
04:22 < aokfire> but yes opening up SSH is beyond OpenVPN
04:22 < aokfire> Now the issue is who to ask, who can I trust
04:23 <@ordex> imho you should better always have an ssh open on some crazy port
04:23 <@ordex> exactly for this reason
04:23 <@ordex> you can disable password login and authorize only your rsa key
04:23 < aokfire> I already do that
04:23 < aokfire> I just limit it
04:23 < aokfire> fuck
04:24 < aokfire> I think I set SSH to only allow logins from a local network IP
04:24 < aokfire> so allow only 192.168.1.0/24?
04:24 < aokfire> would that... hinder progress?
04:27 <@ordex> hm
04:27 <@ordex> i think so, no? because the connection will come from a public IP
04:29 < nbastin> so, I don't know the background here
04:29 < nbastin> but by the time the kernel has parsed the packet, the damage is done
04:29 < nbastin> it's a very expensive operation, and you basically can't stop it
04:29 < nbastin> regardless of what is running anywhere
04:30 < nbastin> you can move services around and block things, but you're saving a few cycles after burning 400 parsing a packet in the first place
04:30 < nbastin> if you have a NIC driver where you can drop things in hardware that is better, but at the IP layer this is unlikely
04:31 < aokfire> :/
04:31 < nbastin> if you have a true upstream ddos problem, you need to get your upstream to solve it
04:31 < aokfire> Yeah ordex, fair. The only other consideration is to connect to an ssh server on another system in the house, albeit it's not setup properly and idk the port off my head
04:31 < aokfire> and then ssh from that server to the other one, after copying the priv key to the system
04:32 < nbastin> it's a lot easier to stop a thing where you have more bandwidth, not less.. :-)
04:32 <@ordex> nbastin: yeah, ddos is not something to even think about :P you can't do much
05:57 -!- mattock2 [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
10:35 <@krzee> ordex: nope, didnt bet at all
10:41 <@ordex> krzee: :) good morning
10:41 <@krzee> moinmoin
10:47 < Petfrogg> hello
10:48 < Petfrogg> i get "passphrase not accepted" when i connect with my client. I set it up without passphrase.
10:48 < Petfrogg> how do i make the logging more verbose
10:49 < Petfrogg> ?
11:02 <@krzee> with --verb
11:02 <@krzee> !verb
11:02 <@vpnHelper> "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info, or (#2) verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage., or (#3) Anything more than 5 is for developer debugging only (special debug build needed)
11:11 < Petfrogg> so how do i start it in it?
11:13 <@krzee> what?
11:14 < Petfrogg> how do i restart openvpn on ubuntu in verbose mode?
11:15 < Petfrogg> i get docket all ready in use
11:16 < Petfrogg> hm
11:16 <@krzee> no different than any os, change the verbosity in the config
11:16 <@krzee> !verb
11:16 <@vpnHelper> "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info, or (#2) verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage., or (#3) Anything more than 5 is for developer debugging only (special debug build needed)
11:16 <@krzee> !--
11:16 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
11:16 <@krzee> !man
11:16 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
11:16 <@krzee> the manual is your friend too, or should be
11:18 < Petfrogg> got it
11:18 < Petfrogg> need to do systemctl stop openvpn
11:32 < Keitaro> hello guys
11:33 < Keitaro> i am starting to config my vpn server
11:33 < Keitaro> i would like to know i can connect to my vpn server and access to others host on the network
11:34 < Keitaro> but why i can't see thoses host in the windows network tab on win 10 ?
11:34 < Keitaro> is it normal ?
11:34 < Keitaro> thank you in advance for your answer/advice :)
13:29 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
13:29 -!- mode/#openvpn [+o mattock1] by ChanServ
13:36 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
14:20 < daxorid> Accordinng to multiple stackoverflow posts, adding dhcp-option DNS 8.8.8.8 to the client config ought to change the local resolver list upon connect, but it does not appear to work.
14:29 < rob0> is it a Windows client?  If not, --dhcp-option is not available.
14:56 < daxorid> rob0: got it, thanks
14:57 <@krzee> what os? if osx tunnelblick can use it
14:57 <@krzee> if linux you can use an --up script
15:08 < RoBo_V> !walkthrough
15:08 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
15:09 < RoBo_V> !howto
15:09 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
15:39 < Keitaro> when we try to connect both openvpn did we need to have some port forwarding on both side ?
15:40 <@krzee> Keitaro: what sort of setup are you looking to have?
15:40 <@krzee> if client / server, then only server needs it
15:41 < Keitaro> i mean a VPN server on a server A who try to connect to a network B, we need to do port forwarding on the server of network B, but we don't need to do for the network A right ?
15:41 < Keitaro> i try to connect my office network to my home
15:42 < Keitaro> bidirectionnal
15:42 <@krzee> the only relevant part is whether its client/server or ptp with remote entries on both sides
15:42 <@krzee> how you route over it is irrelevant
15:42 <@krzee> (for your question)
15:42 < Keitaro> oki
15:42 <@krzee> !configs
15:42 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
15:43 <@krzee> if you show me your configs i can easily answer your question
15:43 <@krzee> specifically answered for your setup
15:43 < Keitaro> i don't have all my config there atm
15:43 <@krzee> 1 config should be fine
15:43 <@krzee> either side
15:44 < Keitaro> i am just wondering how to do, because i think if i use a simple client on network A to connect on vpn server on network B, it is only one way traffic right (A to B) ?
15:45 < Keitaro> we can't access to network A ressources from B right ?
15:45 <@krzee> of course you can if you configure routing properly
15:45 <@krzee> !route
15:45 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
15:45 <@krzee> once the connection is made traffic flows inside the tunnel, it doesnt matter if the client has port forwarding or not
15:45 <@krzee> !vpn
15:45 <@vpnHelper> "vpn" is http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is
15:47 < Keitaro> oh i didn't know
15:47 < Keitaro> so i can go through the firewall and other restrictions without changing them on my network A
15:48 <@krzee> as long as the client can reach the server, yes
15:49 < Keitaro> oki so even with client ->server it is be directionnal
15:49 < Keitaro> thanks for your advise i will read all that
15:49 <@krzee> no problem
15:49 < Keitaro> i will search for my config vpn i did it in my pfsense
15:49 <@krzee> the doc i wrote in !route was client/server
15:49 < Keitaro> thanks
15:50 <@krzee> and that is about connecting the lans behind 2 clients and the server
15:50 <@krzee> (as an example)
15:50 < Keitaro> oki
15:52 < Keitaro> other question krzee and it will be my last one : did you see the differents host in the network tab in windows when you connect to a vpn server ?
15:53 <@krzee> i dont use windows
15:53 < Keitaro> oh i see ^^
15:53 < Keitaro> yep windows is bad
15:53 <@krzee> !bestos
15:53 <@vpnHelper> "bestos" is (#1) the best os for openvpn is the one you are most comfortable with, or (#2) FreeBSD. Always FreeBSD.
15:53 < Keitaro> but i need to use it for my work :/
15:54 <@krzee> !bestos 1
15:54 <@krzee> !factoids whatis bestos 1
15:54 <@vpnHelper> the best os for openvpn is the one you are most comfortable with
15:54 < Keitaro> usually i use debian but at work they don't allow it ^^
15:54 < Keitaro> oki
15:54 <@krzee> i take it you're not allowed to run this vpn then lol
15:55 <@krzee> cause i never heard of a networking dept not allowed to run linux
15:55 <@krzee> haha
15:56 < Keitaro> i have admin rules on my computer
15:56 <@krzee> but you can run windows, its fine
15:56 < Keitaro> but they don't want me to do a dual boot
15:56 < Keitaro> oki ^^
17:17 < tony1> whats the proper way to get systemd-resolved to play nice with openvpn? the dns server is not being properly updated
17:17 < tony1> I am using ubuntu 17.04 btw
17:21 < spike> ordex, dunno what you're talking about :\
17:21 < tony1> I have it configured with network manager but systemd-resolve --status shows the wrong dns server
17:22 < spike> krzee, ah... well, that's lame. I'd rather not pay for some random vpn service that does work if i already have my own :\
17:22 < tony1> looks like with the new systemd-resolve dns is not being pushed
17:28 -!- rax-Y is now known as rax-
17:48 <@krzee> spike:  huh?
17:48 < spike> krzee, from several hours ago about openvpn + ps4..
17:48 <@krzee> ahh
18:05 < tony1> a manual edit of /etc/resolv.conf with the address of the correct dns server fixes it but I know that is not the proper way
18:05  * tony1 needs to learn more about systemd-resolve I guess?
18:41 <@krzee> spike: you're aware that you could run openvpn on another machine and route over it?
18:41 <@krzee> (if you're good at networking)
19:14  * _FBi highfives krzee 
19:15 <@krzee> ^5
19:15 <+_FBi> clever
19:15 <+_FBi> I was reading the running openvpn nouser nogroup is insecure
19:17 <@krzee> whys that
19:18 <@krzee> sandboxing is a common best practice, but you should remember to use a different sandbox user per app
19:26 <@krzee> _FBi: got the link?
19:27 <+_FBi> I do not, but I can ask and find out why they said not to.  Maybe the chroot jail was a safer route, but I can't say for sure -- as I forget and use nouser nogroup haha
19:28 <@krzee> chroot would be used in addition to --user / --group
19:28 <@krzee> but ya, whoever said that was wrong unless you forgot to mention an important part of what they were saying
19:29 <@krzee> taking away unnecessary permissions is the unix way!
19:32 <+_FBi> me forget something!?  unpossible!
20:03 <@ordex> spike: ?
20:07 <@krzee> that was the guy who asked if PS4 ran openvpn
20:14 <@ordex> morning
20:14 <@ordex> krzee: ah ok
20:14 <@ordex> krzee: did you find out more?
20:15 <@krzee> regarding?
20:19 <@ordex> krzee: about the existence of a real openvpn client for PS4
20:20 <@ordex> I was sceptical about that
20:20 <@krzee> oh, i doubt it
20:20 <@krzee> but he could route through another machine
20:21 <@krzee> i deploy LEDE / openwrt routers for that all the time
20:22 <@ordex> oh yeah, that makes sense
20:22 <@ordex> I do the same too here
20:22 <@ordex> with openvpn running on the router and routing what I want[tm]
20:25 <@krzee> yep
20:26 <@krzee> i do it often for remote workers with voip phones that dont run openvpn
20:26 <@krzee> vpn to the office network and connect to the voip server just like it was inside the office
20:26 <@krzee> (with no changes to the voip phone necessary)
20:33 <@ordex> how is latency ?
20:35 <@krzee> good but latency doesnt matter much
20:35 <@krzee> its all about change in latency (jitter)
20:35 <@krzee> i use voip over 8ms links and over 500ms sat links both just fine
20:40 <@ordex> I see
23:11 -!- DeathShot_ is now known as DeathShot
--- Day changed Mon May 08 2017
01:12 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:12 -!- mode/#openvpn [+o mattock1] by ChanServ
04:05 < squeeb> Hi, can someone tell me what the property `vpn.daemon.0.server.ip_address` does in openvpn access server, I can't find any documentation
04:05 < squeeb> and how it differs from `vpn.daemon.0.listen.ip_address`
04:07 <@ordex> !as
04:07 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
04:07 <@ordex> squeeb: ^^
05:05 < squeeb> ordex: there never seems to be anyone alive in there :(
05:06 < rob0> perhaps not, but we here simply do not use your software
07:31 <@ecrist> squeeb: there are people alive in there.  sometimes it's best to ask your question and just await a response.
07:31 <@ecrist> the reality is Access Server is not OpenVPN, even though it uses some of the same code/technology.  We can't help you here.
07:39 < Dougy> hello ecrist
07:46 <@ecrist> hey Dougy, how goes?
08:17 < Dougy> it goes
08:28 -!- batrick_ is now known as batrick
08:33 <@krzee> sup Dougy
08:41 <@krzee> what you been upto
08:45 < Dougy> hey krzee
08:45 < Dougy> breaking stuff
08:45 <@krzee> nice!
08:45 < Dougy> eating a lot
08:46 < Dougy> bored
08:46 <@krzee> bored?
08:46 < Dougy> starting to ease back onto IRC here and there
08:46 <@krzee> still going tech stuff?
08:46 <@krzee> doing*
08:46 < Dougy> oh yeah
08:46 <@krzee> eric wrote a new book on openvpn btw
08:46 < Dougy> solid
08:47 < Dougy> i do techs tuff all day, volunteer with heavy rescue squad in free time, getting masters degree
08:47 < Dougy> all kinds of stuff
08:47 <@krzee> ya its pretty good, its called troubleshooting openvpn
08:47 < Dougy> still bored
08:47 <@krzee> nice man
08:47 <@krzee> masters in what?
08:47 < Dougy> emergency management
08:47 < Dougy> something different
08:47 < Dougy> learning about floods and flood prevention at the moment
08:47 <@krzee> werd
08:48 < Dougy> tech pays so much better than that does, but its something different
08:48 < Dougy> i am a fan of learning
08:50 <@krzee> right on
08:54 < Dougy> what are youdoing
09:01 <@krzee> googling around to see if anybody else has had i ssues connecting to their qt5716 dvr
09:02 <@krzee> im on the same lan, windows program connects fine but android one will not
09:03 < Dougy> funky
09:03 < Dougy> im screaming at a vendor
09:03 < Dougy> i busted my butt to rack this heavy as heck dell md3660i i got for myself
09:03 < Dougy> so i go to take out my 10g switches, and the buggers sent me the rails but no screws to attach the ears themselves to the switch
09:04 < Dougy> like wtf
09:04 <@krzee> doh
09:05 < Dougy> big project, rarg
09:05 <@ordex> dazo: I was running autoconf insytead of autoreconf. not sure this one command is documented though - the README suggests ./configure right away
09:05 < Dougy> i got 2 nice 192gb dual e5's, this 60 bay san md3660i, 2 10g switches
09:05  * Dougy goes to work
09:44 < PsynoKhi0> Greetings, are there security implications to be aware of when using DynDNS hostnames in combination with OpenVPN? E.g. sensitive information being transmitted when establishing that could leak due to spoofing?
09:45 < PsynoKhi0> establishing a tunnel*
09:45 <@ordex> PsynoKhi0: dyndns is just another dns, openvpn will resolve the hostname like any other. Why do you think there could be a "leak" ? where exactly? (I am no expert he)
09:52 < PsynoKhi0> ordex: someone spoofing the DNS entry
09:54 <@ordex> this can happen also for other DNS I believe ?
09:54 <@ordex> but still, you won't connect to the new server as the TLS handshake will fail (or even the tls-auth/crypt if you are using that)
09:55 <@ordex> unless the attacker has all your private key material .. then there is not much you can do
09:55 <+hyper_ch> krzee: https://twitter.com/taviso/status/860681252034142208
09:55 < PsynoKhi0> ordex: ok thank you, I just wanted to be sure
09:57 <@ordex> PsynoKhi0: np, however I am no expert as I said. I just looked at that from the networking perspective
09:57 <@ordex> hyper_ch: omg
09:58 <+hyper_ch> the only windows I run (except on a gaming notebook where nothing else is installed) is only reachable through a vpn
09:59 <@dazo> PsynoKhi0: --tls-auth/--tls-crypt, using --ca/--cert, --verify-hash and --verify-x509-name are the OpenVPN "defences" ... then there is DNSSEC which should (if implemented and used correctly) protect the DNS spoofing itself
10:08 <+hyper_ch> ordex: it sounds really bad
10:08 <+hyper_ch> and IIRC Ormandy has also discovered security issues in te ast
10:09 <@krzee> hyper_ch: til he says what it is, *meh*
10:10 <+hyper_ch> you're sceptical?
10:10 <@krzee> computers are like air conditioners... they work well until you open windows
10:10 <@krzee> skeptical no, i just dont care
10:10 <+hyper_ch> Imagine an open world without Gates and Windows
10:10 <@krzee> i mean is this some sort of surprise to you?
10:11 <+hyper_ch> don't you care about your windows customers?
10:11 <@krzee> so until theres something technical to care about, i wont
10:11 <@krzee> windows customers?
10:11 <+hyper_ch> customers that use windows
10:11 <@krzee> what makes you assume you know what i do?
10:11 <@krzee> lol
10:11 -!- xx00___ is now known as xx00__
10:12 <@krzee> i admin exactly 0 windows machines
10:12 <+hyper_ch> 0 that you know of ;)
10:12 <@krzee> you guessing split personalities or something?
10:12 <+hyper_ch> I assume you do things with computers
10:12 <@krzee> ya, and one of those things i do is not use windows
10:12 < skyroveRR> :)
10:13 <+hyper_ch> what about "know thy enemy"?
10:13 <@krzee> its been that way for somewhere around 12 years now
10:13 <@krzee> you smoking something new?
10:13 <+hyper_ch> I don't smoke
10:13 <+hyper_ch> too expensive
10:13 <@dazo> !windows
10:13 <@vpnHelper> "windows" is (#1) computers are like air conditioners, they work well until you open windows., or (#2) http://secure-computing.net/files/windows.jpg for funny, or (#3) http://secure-computing.net/files/windows_2.jpg for more funny
10:14 < skyroveRR> !mac
10:14 <@vpnHelper> "mac" is Use Tunnelblick for the Mac. (https://tunnelblick.net/)
10:14 <@dazo> mac is boooooring
10:14  * dazo yawns
10:15 < skyroveRR> Just cos it's expensive?
10:15 <@dazo> nope, just boring :)
10:15  * hyper_ch heard Linux runs well on Macs
10:15 <@dazo> boring as in ... we don't have any funny jokes on mac
10:15 < skyroveRR> dazo: boring in what sense?
10:16 < skyroveRR> Ah.
10:16 <@krzee> linux used to run well on macs
10:16 <@krzee> then they got lame mac specific hardware like retina
10:16 <@krzee> well maybe linux caught back up, i havent looked for awhile
10:16 <+hyper_ch> well, I know a few people who rn linux on macbook air
10:17 <@krzee> could also be older macbooks
10:17 <@dazo> and it runs very well on Thinkpads ... the T460s is really slick, 10h battery time with great Linux support ... and you can get them for a better price than many Macs
10:17 <+hyper_ch> yeah, 3-4 years old
10:17 <@krzee> my wifes MBP would run linux well, older
10:17 <@ordex> is really cool
10:17 <@ordex> the t460s is really cool*
10:18 <@dazo> the only slimmer and lighter variant is the X1 Carbon ... that again has the Mac price tag again
10:18 <@dazo> I'm curious about how the T470s will be
10:19 <+hyper_ch> t460 not longer being sold?
10:19 <@dazo> yeah it is ... T470 is new of this year
10:19 <@ordex> +10 every year :P almost
10:19 <@dazo> so you can probably get T460 models on sale soon
10:19 <@dazo> yeah
10:19 <@ordex> I have been so lucky that I got the t440s, the only one with sh0tty soft buttons :D
10:20 <@ordex> the worst experiment ever :P and I got it!
10:20 <@dazo> eewwww
10:20 <@ordex> :D
10:20 <@dazo> I truly feel sorry for you
10:20 <@ordex> hehe no worries, at some point you get used .....
10:20 <@ordex> some point in the future :p
10:21 <@dazo> My wife got a T460, and I've arranged for a few T460s for some people ... Currently I have T450s myself, and haven seen the T460s I am tempted to switch soon
10:21 <@dazo> (despite the T450s working just wonderfully)
10:22 <@ordex> I still have the t440s and it's just fine except for the outdated cpu and ssd, but it's a piece of very nice hardware I think. very well done for being a solid workstation
10:22 <@ordex> and with 2 batteries …. it lasts alllot
10:22 <@ordex> :)
10:22 <@ordex> also the weight is reasonably good i think, compared to other models with similar size
10:23 <+hyper_ch> 2kg for a notebook :(
10:23 <+hyper_ch> my poor back
10:24 <@ordex> should be less
10:25 <+hyper_ch> Non-touch with 3-cell+3-cell: 1.73kg  Non-touch with 3-cell+6-cell: 1.87kg  Touch with 3-cell+3-cell: 1.77kg Touch with 3-cell+6-cell: 1.90kg
10:25 <+hyper_ch> closer to 2kg than 1kg ;)
10:25 <@ordex> yeah
10:25 <@dazo> hyper_ch: the latest t460s have had 2 batteries and been < 1.5kg
10:25 <@dazo> 1.35kg iirc
10:25 <@dazo> with 14" 1920x1080 display
10:26 <+hyper_ch> dazo: that's from dell site... copy'n'paste for the t60
10:26 <+hyper_ch> t460
10:26 <@ordex> ?
10:26 <+hyper_ch> http://www3.lenovo.com/us/en/laptops/thinkpad/thinkpad-t-series/T460/p/22TP2TT4600
10:26 <@vpnHelper> Title: ThinkPad T460 | 14" Thin & Light Enterprise Ultrabook | Lenovo US (at www3.lenovo.com)
10:26 <@ordex> ah lenovo :P not dell
10:26 <@dazo> well, some of the models are heavier
10:26 <+hyper_ch> all the same :)
10:27 <@ordex> well, it all boils down to what you want :P the x1 carbon isnot that ligther either
10:27 <@dazo> I think they're trying to scare people over to the 470 series :-P
10:27 <@ordex> lol
10:27 <@ordex> possible :D
10:27 <+hyper_ch> or maybe you just got so much stronger, dazo
10:28 <+hyper_ch> maybe you've done so much training excercise with your t460 that it feels lighter now
10:28 <@ordex> lol
10:29 <@ordex> the new mbp is not lighter either
10:29 <@dazo> hehe ... nope :)  I have the "heavy" t450s ... the 460s feels like half the weight, and my 450s is about 1.8
10:29 <@dazo> but it has to be the ultrabook variants, otherwise it gains 0.5kg or more
10:31 <@dazo> hyper_ch: https://preisvergleich.check24.de/business-notebooks/lenovo-thinkpad-t460s-20f90058ge.html
10:31 <@vpnHelper> Title: Lenovo ThinkPad T460s (20F90058GE) Preisvergleich | CHECK24 (at preisvergleich.check24.de)
10:31 <+hyper_ch> dazo:  .de?
10:32 <@dazo> thought you grasped that language :)
10:32 <+hyper_ch> it's one of a few language that I knew some of the words
10:32 <+hyper_ch> s/knew/know/
10:32 <@dazo> ahh, sorry!
10:32 <@dazo> the _ch probably confused me :-P
10:32 <+hyper_ch> :)
10:33 <@plaisthos> 1,4kg is really light if the website is right
10:33 <@plaisthos> that is 400g lighter than mine :)
10:33 <@dazo> yeah, those models are that light, really
10:34 <+hyper_ch> plaisthos: you got more bang for the buck... 400g more bang :)
10:35 <@plaisthos> hyper_ch: And less keys
10:35 <@plaisthos> (the worst keyboard I ever used)
10:55 <@krzee> i have the dell latitude e7240
10:56 <@plaisthos> I am also pretty sure if Macbooks weren't so popular, nobody would bother to port Linux to them
10:57 <@plaisthos> https://github.com/Dunedan/mbp-2016-linux
10:57 <@vpnHelper> Title: GitHub - Dunedan/mbp-2016-linux: State of Linux on the MacBook Pro 2016 (at github.com)
10:57 <@plaisthos> basic things like keyboard&mouse need an extra driver, because appearently they are connected via SPI insteadof USB
10:58 <@krzee> looks like 1.6 KG here
10:58 -!- r00t^2 is now known as google
10:59 -!- google is now known as r00t^2
11:09 < Eugene> Lard ass
11:10 <@krzee> nah thats my alienware 17"
11:10 <@krzee> hella heavy
11:14 < GrayShade> hi, since a week or so ago (i'm using openvpn 2.4.1) i'm no longer able to connect to a specific vpn. specifically, i'm getting "VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak" and "OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed"
11:16 < GrayShade> is there something i can change to be able to connect?
11:17 <@dazo> GrayShade: which OS?
11:18 < GrayShade> linux
11:18 <@dazo> okay, which distro?
11:18 < GrayShade> arch linux, openssl 1.0.2.k
11:18 < GrayShade> my cert has Signature Algorithm: md5WithRSAEncryption
11:19 <@dazo> GrayShade: yeah, that's the problem
11:19 <@plaisthos> GrayShade: your own server?
11:19 <@dazo> MD5 certificates have been deprecated in OpenSSL ... but you can override this
11:19 < GrayShade> plaisthos: no
11:19 <@plaisthos> the certificate of the server uses so outdated signing/hash methods that modern OpenSSL just refuses to conect
11:20 < GrayShade> i tried OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5 , but it didn't help
11:20 <@dazo> GrayShade: use just OPENSSL_ENABLE_MD5_VERIFY=1 ... and that needs to be set as an environment variable alone
11:21 <@dazo> there are some tricks required to make this work with systemd unit files, though
11:21 < GrayShade> i'm using "sudo OPENSSL_ENABLE_MD5_VERIFY=1 openvpn foo.ovpn"
11:21 <@dazo> I don't think sudo will do what you want
11:21 <@dazo> sudo su -
11:21 <@dazo> # OPENSSL_ENABLE_MD5_VERIFY=1 openvpn foo.ovpn
11:22 <@dazo> that should work
11:22 < GrayShade> still doesn't work
11:22 <@dazo> okay, then your openssl build have removed that feature
11:22 < GrayShade> can i check that with openssl?
11:23 <@plaisthos> strings =openssl |grep OPENSSL_ENABLE_MD5_VERIFY
11:23 <@dazo> I honestly don't know ... I ditched MD5 certificates many years ago ... and don't trust any VPN provider using that
11:23 <@plaisthos> might work
11:23 < GrayShade> it's not there
11:25 < GrayShade> so there's not much i can do
11:25 < GrayShade> all right
11:26 <@dazo> GrayShade: you're VPN provider should not delay upgrading their VPN certificates ... really ... I mean, it's not uncommon to see users use SHA256 .... an MD5 is older than SHA1
11:26 <@plaisthos> complain to the server's adminstrator
11:27 <@plaisthos> dazo: s/you're/your/ :p
11:27 < GrayShade> dazo: i know that using md5 is a very bad idea
11:27 < GrayShade> i just complained to the server's administrator and they said it works from Windows
11:28 < GrayShade> and that it's hard to change all the certificates (though i think there's only one for everybody)
11:28 <@plaisthos> GrayShade: tell him that the OpenVPN devs told you that windows will stop working very soon too if he doesn't act
11:29 < GrayShade> plaisthos: haha :D
11:29 <@dazo> ehm ..... okay .... that's probably the worst response I've ever heard .... as SHA256 is fully capable of working on current Windows releases .... and it probably means the VPN clients are also completely outdated
11:29 <@dazo> plaisthos: hehe :-P
11:29 < GrayShade> i think he tried with 2.4.1
11:30 < GrayShade> maybe the windows openssl build that openvpn bundles still has that enabled, or..
11:34 < GrayShade> welp.. i hear there's this fancy crypto thing called caesar's cipher, maybe we should upgrade to that
11:40 < Eugene> Et tu, Brute?
12:01 < GrayShade> dazo: this is our new openvpn setup, the old one required openvpn 1.6
12:02 <@dazo> !??!!!??!??!
12:02 <@dazo> GrayShade: you are kidding me?
12:03 <@dazo> some setups truly just deserve to burn into ashes ....
12:04 < GrayShade> to be fair, that was like two years ago
12:04 < rob0> that's still way past the use-by date
12:04 <@dazo> ehm .... that's not fair at all .... we deprecated 2.0 in 6-7 years ago
12:06 <@dazo> I mean, people were running 2.1_rc21 in production for 2-3 years (as the 2.1 development dragged for ever) .... but with the 2.2 release, anything older than 2.1 was deprecated and unsupported
12:06 <@dazo> now we are on 2.4.1
12:06 < GrayShade> yeah, well... thanks for working on openvpn. i promise to use the latest versions if i can
12:06 <@dazo> :)
12:06 < GrayShade> my client is 2.4.1
12:06 <@dazo> you are good!  your sys-admin needs to get to taste the "upgrade now whip!" ;-)
12:08 <@dazo> commit 1ed76da8b70aa13e0e8ac52d0459d37105f151e8
12:08 <@dazo> Date:   Thu Apr 21 21:26:05 2011 +0200
12:08 <@dazo>     Tagging the v2.2.0 release
12:08 <@dazo> Just had to check ....
12:16 < Syntaxerror> Any way I can test a NAT-T if I don't know if it works? Somehow, ISAKMP-SA expires instantly
12:18 < rob0> I can't tell what you're asking ... is it an #openvpn question?
12:20 < Eugene> Nope, that's IPsec
12:20 <@krzee> !linipforward
12:20 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
13:23 < peterandre> hi, i have created an openvpn tunnel on my vps, the tunnel initializes just fine but i can't get dns resolving to work once connected to the tunnel. When I ping an ip like 8.8.8.8 it works fine but when i ping google.com it won't work. I tried to push dns servers and without pushing them. No luck. Any ideas?
13:25 <@ecrist> peterandre: OpenVPN doesn't actually update DNS server entries on *nix devices
13:25 < peterandre> ok
13:25 <@ecrist> it's the responsibility of the --up script on the client side to handle it.
13:25 < peterandre> i see
13:27 < peterandre> any tips to debug dns problems tho ?
13:27 <@krzee> or if its only a couple, give them static ips on the vpn and just make static dns entries to match
13:27 <@krzee> sure
13:27 <@krzee> set your dns server to 8.8.8.8
13:27 <@krzee> it'll just work
13:27 < peterandre> ok ill check
13:27 <@krzee> the problem is you're using your ISPs nameserver but sending your traffic out a vpn
13:28 < peterandre> omg
13:28 < peterandre> i cant believe it was that simple
13:28 < peterandre> that did the trick
13:28 < peterandre> lol
13:29 < peterandre> thanks
13:53 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
14:05 <@krzee> np
15:57 < tony1> when I was using ubuntu 16.04LTS I was not having issues with my vpn server and the push options from the server using network-manager. ever since upgrading to ubuntu 17.04 I have issues with network-manager not using the dns server of the tunnel. any workarounds? I can do it from the cmd line with openvpn-systemd-resolved and it will work with a few errors I would rather use "NM"
15:58 < tony1> I am using ubuntu 17.04 with gnome desktop
16:18 <@dazo> krzee: what do you know about /proc on FreeBSD?
16:22 < tony1> proc is a list of all the running process
16:23 < tony1> they will could also be listed with "ps aux"
16:23 < chiggins> Any idea why I get "TLS Error: cannot locate HMAC in incoming packet from [AF_INET]IP_ADDRESS" when I try to connect from a client?
16:29 <@dazo> tony1: I know procfs on Linux ... but need to know a few differences on FreeBSD
16:30 <@dazo> chiggins: sounds like the remote side is not using --tls-auth or --tls-crypt
16:38 < chiggins> dazo: Are those new options? This config has been working until a recent upgrade
16:38 < tony1> chiggins: is tls-auth set in your client config as well as on the server?
16:39 < chiggins> Server yet. Having troubles with being able to view the client config since it's on my phone and I forgot where the openvpn app saves the conf lol
16:39 < chiggins> server yes **
16:41 <@krzee> dazo: nada =/
16:54 <@krzee> i feel like it's far less used in bsd land
17:03 <@dazo> krzee: thx! ... I found phillip and mounted it there, so I managed to extract the details I needed
17:03 <@krzee> great!
17:45 < havoc> I am going to have ~1,800 linux TUN clients, connecting to a linux server. Ideally they would dynamicall make/update their DNS entries. I'm looking for suggestions.
17:45 < havoc> Or just script it with an up-script?
17:45 <@krzee> for one thing, you'll need a number of openvpn servers
17:46 <@krzee> openvpn is single threaded, it will only run on a single cpu core
17:46 <@krzee> so you can run an instance per core if you like
17:46 < havoc> ok
17:46 <@krzee> you wont get anywhere near 1800 clients on a single process
17:46 < havoc> the target server is gonna be a VM, so we have some flexibility
17:46 <@krzee> potentially more like 200ish
17:47 < havoc> ok, very good to know
17:47 <@krzee> so then you give each server process its own subnet
17:47 <@krzee> you can configure routing between them if needed
17:47 <@krzee> you will need an up script for the dns part, like you thought
17:47 < havoc> I was gonna use a /21, but I'll use a /20 instead then
17:47 <@krzee> you may like something like dnsmasq for this
17:47 <@krzee> well you want a /24 for each server
17:48 < havoc> a /20 with a /24 per ovpn proc
17:48 <@krzee> you cant put them all in a big subnet
17:48 <@krzee> ya exactly
17:48 <@krzee> nice
17:48 < havoc> haven't been here in a while, glad I stopped by :)
17:48 <@krzee> =]
17:48 < havoc> the proc limit is key info
17:48 <@krzee> yep, that woulda gone boom
17:49 <@krzee> you can put multiple remote entries in the client configs
17:49 < havoc> but can still go on a single "machine" then
17:49 <@krzee> different port for each process if they on same ip
17:49 < havoc> krzee: yeah, I've seen that in the config
17:49 < havoc> I can give the VM multiple IPs, we have the resources
17:49 <@krzee> and then you just put the port in the --remote entry
17:50 <@krzee> you can set max clients in the server config to stop each from overloading
17:50 < havoc> or the --remote thing, I guess it's really up to *me*
17:50 <@krzee> yes but if you're handing out 1800 configs, you'll probably want them all to try all
17:51 <@krzee> and let them naturally sort themselves onto different servers
17:51 < havoc> I was initially more concerned w/ the DNS bit, we need to conviniently address/access these clients
17:51 <@krzee> and --remote-random
17:51 < havoc> yeah, that will be the plan
17:51 <@krzee> dnsmasq configuring in an --up script should make that easier than expected
17:51 < havoc> we want them all to have identical configs, so all also using same keys
17:51 < havoc> the clients are all actually going to be UBNT routers
17:52 < havoc> the little ERPOE-5's
17:52 <@krzee> same openvpn keys
17:52 <@krzee> ?
17:52 < havoc> every client will use the same keyset
17:52 <@krzee> that's not the best idea
17:52 <@krzee> lol
17:52 < havoc> no, but we can't have individual configs
17:52 < havoc> they all must be identical
17:52 <@krzee> for 1 thing, you have no way to differentiate them to make differing DNS entries
17:53 < havoc> the ONLY difference will be the hostname
17:53 <@krzee> generate keys with the hostname as CN
17:53 <@krzee> script it
17:53 < havoc> how do the keys get to the server then?
17:54 <@krzee> umm they dont
17:54 <@krzee> you understand how PKI works?
17:54 <@krzee> !pki
17:54 <@vpnHelper> "pki" is (#1) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed specially as a server (see !servercert), or (#2) !certman for various PKI management tools, or (#3) see !intro-to-pki
17:54 < havoc> the clients will be configured in the field, and will not get a unique name until then
17:55 <@krzee> if you dont find a way to give them each a CN of their own, i wish you luck
17:55 < havoc> why? Is it a security, or a functionality issue?
17:57 < havoc> I undertsand it *is* a security issue, I'm asking what your main concern is
17:57 < havoc> s/main/specific/
17:57 <@krzee> at one point you'll need to change a cert
17:58 <@krzee> when that happens, your life will suck
17:58 <@krzee> also, you wont have much to go off with your up script and DNS entries
17:58 < havoc> there will be the hostname
17:59 <@krzee> like the external ip's dns entry?
17:59 < havoc> I could setup an additional server that uses all the same key for everything for the clients to connect to initially to get a custom key based on their hostname
17:59 < havoc> lotta scripting, but should work
17:59 < havoc> krzee: no, the routers will be given a unique hostname when they are setup in the field
18:00 <@krzee> like the hostname command in unix?
18:00 < havoc> yes
18:00 <@krzee> you wont have access to that from the server when the client connects
18:00 < havoc> no
18:00 < havoc> every client will be NAT'd
18:00 <@krzee> i assumed youd prefer to do the DNS centralized
18:00 < havoc> yup
18:00 <@krzee> but i mean, i guess you could do the dns on every single client
18:01 <@krzee> (thats the only way you can do what you said)
18:01 <@krzee> youd need to setup dnsmasq on the server to forward every vpn ip's autority for DNS to the client
18:01 <@krzee> then dnsmasq on every client offering the dns entry
18:01 < havoc> ovpn's only purpose in this situation is to provide IP access to the machines behind the router, which itself will be on a private subnet behind another router
18:01 <@krzee> because only the client will have access to the hostname you speak of
18:02 <@krzee> so each client will run its own dns, right?'
18:02 < havoc> no, I wanted them to update the DNS server
18:02 <@krzee> not gunna happen
18:03 <@krzee> because of the reason given above ^
18:03 <@krzee> unless you have some other way to update dns, not involving openvpn (it could happen over openvpn)
18:04 <@krzee> like if you run your own ddns server internally type of thing
18:04 <@krzee> (which i have no experience with)
18:04 < havoc> yeah, was gonna have BIND on the openvpn server
18:05 < havoc> I figured I'd have to use an up-script on the client side
18:05 <@krzee> to do it with bind you would need to make the server a slave and each client a master
18:05 <@krzee> update the master on the client with up script, let it propagate to the server
18:06 <@krzee> then use the server as the authoritative dns server on the internet, even though its configured as a slave it's the authority
18:06 <@krzee> i think dnsmasq would be easier, but thats up to you
18:07 <@krzee> now i keep saying clients need to be master because you have chosen to have all certs the same
18:07 <@krzee> if you did proper certs i would say to use a --client-connect script to update the dns on the server, done.
18:07 < havoc> I mentioned a way to have them be unique
18:07 < havoc> just need all the same certs to go out when the units ship new
18:08 <@krzee> ok, well if you do that you only need dns running on the server, and you use --client-connect to setup the dns
18:08 < havoc> they then connect using that common cert to get access so they can get a unique cert/CN
18:08 <@krzee> and client-disconnect can clean up after it if you like
18:08 <@krzee> both ways is doable, if i were you i would figure out the last idea
18:09 < havoc> and I doubt anymore than 200 units would ever be setup at the same time, probably more like 6, so a single server process would be fine for that
18:09 < havoc> --client-connect only has access to the CN, and not the hostname?
18:11 <@krzee> you keep saying hostname, but that could lead people to misunderstand it as the entry in DNS for the public ip
18:11 <@krzee> you are meaning the computername
18:11 <@krzee> and no
18:11 <@krzee> but why not take a look at what you'll get
18:11 <@krzee> !script
18:11 <@vpnHelper> "script" is (#1) See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR, or (#2) to see all vars available to a script, you can env > /tmp/env, or (#3) if using bash you can put exec 2>&1 in the first line of your script and it will send all error output to
18:11 <@vpnHelper> your openvpn log. set -x as well to show your commands as they are executed
18:11 <@krzee> see #2 and #3
18:11 < havoc> I just found that (google)
18:11 <@krzee> those are my tricks for scripting
18:11 <@krzee> (in openvpn)
18:12 <@krzee> dump env, also see stderr
18:12 <@krzee> and send set -x to stderr i mean
18:12 <@krzee> so it appears in the logfile
18:12 < havoc> also, there are no public IPs, anywhere
18:12 <@krzee> huh?
18:12 < havoc> at least not assigned to anything in this infra, just in transit
18:13 <@krzee> well right, but the server gets the connection from the clients public ip
18:13 < havoc> the clients are all NAT'd, the only access to them is via the openvpn IP
18:13 <@krzee> since RFC 1918 ips dont route
18:13 <@krzee> so the server *will* see the public ip
18:13 < havoc> right, hence scripting, using the client's hostname
18:13 < havoc> ...and not the incoming/source IP
18:14 <@krzee> every time you say hostname i die a little
18:14 <@krzee> computername!
18:14 < hanna> Does UDP work over tun devices or does that require tap?
18:14 <@krzee> hanna: udp is ip traffic, yes
18:14 <@krzee> works with tun
18:14 < hanna> Ah okay, so it works for all IP traffic
18:14 <@krzee> well not mcast or bcast
18:14 <@krzee> otherwise yes
18:15 < hanna> Ah right, it was UDP *broadcast* that I was remembering not working
18:15 <@krzee> at least i dont think mcast or bcast, but i havent seen anybody with issues with that for awhile either
18:15 < havoc> krzee: I get you, hostname is interpreted as FQDN, I want the machine name
18:15 <@krzee> havoc: exactly. you'll have the FQDN but not the machine name
18:15 <@krzee> from server side
18:15 <@krzee> but you'll have the CN
18:16 <@krzee> just dump env and you'll see everything you get
18:16 <@krzee> hell maybe you'll get lucky and ill be wrong :D
18:16 < havoc> is there an existing script somewhere to update BIND with the CN?
18:16 < havoc> (I'm scrolling up, but lots to re-read)
18:17 <@krzee> not that i know of... ive dont it before tho...
18:17 <@krzee> you just mod the zone file, update the serial (make sure to skip numbers ending in 0) and reload bind
18:17 <@krzee> dnsmasq is easier tho
18:17 <@krzee> if you havent used it, look before leaping
18:18 <@krzee> easier for volatile dns like this
18:18 <@krzee> (not in all cases would i suggest dnsmasq)
18:19 < havoc> dnsmasq can handle this for 2000 hosts?
18:19 < havoc> I'm guessing it can, it's just text
18:19 <@krzee> never tried, id expect yes
18:19 <@krzee> haha
18:19 < havoc> so I'd put dnsmasq on the server
18:19 <@krzee> brb gotta go walk dogs
18:19 < Dougy> doge
18:19 < havoc> later
18:22 < havoc> ah, dnsmasq goes on the client, to update the server
19:32 <@krzee> havoc: it can be either way
19:32 <@krzee> either the server can do them all, or it can forward requests to the clients
19:32 <@krzee> !dnsmasq
19:32 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
19:36 < havoc> I'm not sure what path I'm going to take yet, seems like I've got 5 or so different possible configs
19:37 < havoc> I'm not gonna make a decision until I've thought about it for a day or so
19:37 <@krzee> that's smart
19:37 < havoc> but I appreciate the input/info, thank you
19:37 <@krzee> no problem
19:37 < havoc> I may say "fuckit" and do it all on the same key, depends on how much they piss me off
19:38 <@krzee> part of i t isnt optional, you could always bust out the openvpn part now or whenever
19:38 < havoc> I just want out of this whole industry :(
19:38 <@krzee> its the dns part that will take thought
19:38 < havoc> yeah, I can script it, it's just how, and how much work
19:38 < havoc> it's all "lego"
19:38 <@krzee> hey if you do it all on the same key you can still make it work right with dnsmasq and a setup similar to the writeup in !dnsmasq
19:41 <@krzee> youd definitely configure dnsmasq with a script, youd need every VPN ip to be its own authoritative NS
19:41 <@krzee> so the example in !dnsmasq has 3, youd have 1801
19:41 <@krzee> haha
19:41 <@krzee> (server and 1800 clients)
19:42 <@krzee> the good news is the client configs would be identical
19:42 < havoc> heh, not my first choice :)
19:42 < havoc> yeah, identical is ideal, if achievable
19:42 <@krzee> (client configs for dnsmasq as well)
19:43 <@krzee> i once made a script that generated firmware builds for each client
19:43 <@krzee> using the openwrt (now lede) image generator
19:43 <@krzee> fully configured with their own certs/keys and all
19:44 < havoc> this is kindof a nightmare project, but oh well
19:44 <@krzee> ohhhh wait a sec here... i have some questions
19:44 < havoc> shoot
19:44 <@krzee> are you doing this to access the lan behind the routers?
19:45 < havoc> correct
19:45 <@krzee> LOL you have a problem
19:45 < havoc> exactly one PC (a NUC), and 3 IP cams, all identical
19:45 <@krzee> they much EACH be on SEPARATE lan subnets
19:45 <@krzee> otherwise you'll never ever get routing working
19:45 < havoc> all accessed via port forwarding on each router
19:45 < havoc> all will have identically configured subnets
19:45 <@krzee> and thats a difference in the router config right there
19:45 <@krzee> ya that'll be a problem dude
19:46 < havoc> I don't see a problem
19:46 < havoc> everything is accessed via the router's openvpn IP:port
19:46 <@krzee> well i guess you could configure routing right every time you want to access a different one
19:46 < havoc> I've got 3 test nets running now
19:46 <@krzee> you wont even get routing working with them all on same subnet
19:46 < havoc> no, just need the IP, or hostname
19:47 < havoc> again, only portforwarding from the router/ovpn client
19:47 < havoc> it works, it's up and running now w/ 3 test nets
19:47 <@krzee> oh so you'll access the router's VPN ip and it forwards  and NATs internally?
19:47 < havoc> at least it works according to spec/requiremwnts
19:47 < havoc> yes
19:48 <@krzee> ya ok that'll work
19:48 <@krzee> wow what a hack this will be
19:48 <@krzee> haha
19:48 < havoc> all automated via a web "dashboard"
19:49 < havoc> but yes, "hackish" :|
19:49 < havoc> it is what it is
19:49 <@krzee> no judgement here, i do similar things ;]
19:49 <@krzee> lots  of bash glue
19:49 < havoc> and then some
19:50 <@krzee> in fact im going to be doing something you mentioned as well
19:50 <@krzee> i will need to make a openvpn server only for provisioning onto another vpn
19:50 < havoc> the specs are largely beyond my pay grade, but I have a lot of control over implementation details
19:51 < havoc> but there's also a hard deadline
19:51 <@krzee> my voip phones dont use a new enough openvpn, so the first server will drop a payload which updates openvpn and loads the EC certs and stuff for the 2.4 openvpn connection
19:51 < havoc> lots of variables, and in the end I'll likely be stuck doing whatever works that can be done in the allotted time
19:52 < havoc> the "provisioning" server would be the ONLY way we could use (get) unique CNs on everything
19:53 <@krzee> problem im having now is that second openvpn server has to run in a chroot (had to use newer libs than the system had) so when it starts sshd from the up script (so it can first mod the sshd_config to only listen on vpn ip) it starts sshd in the chroot and i cant access the main OS
19:53 <@krzee> i guess i could link the important stuff into the chroot so i could mod files from there if needed, but id rather have access to the entire OS
19:54 < Eugene> This is one of those stupid problems that I refuse to read farther than "chroot" on
19:54 <@krzee> lol
19:54 < Eugene> And you have nobody to blame but your own damn self
19:54 <@krzee> new openvpn wont compile on the old ass voip phones, too old
19:54 <@krzee> so i made it work
19:55 <@krzee> well, i paid a friend to help me make it work :D
19:55 < Eugene> Make new friends!
19:55 <@krzee> (cause that shit was crazy)
19:55 <@krzee> hah i tried to pay most of our devs to help, nobody had success
19:55 < havoc> oh yeah, one of the reasons the routers can't have pre-configured CN's is that they don't even get imaged until they're onsite in the field
19:55 <@krzee> havoc: which is why i mentioned that i have made custom firmware generators that include ALL config
19:56 < havoc> so all this stuff has to be built into the image that goes on the PCs
19:56 <@krzee> you could pass out custom firmwares to be used on site
19:56 < havoc> except that we don't know what each station will be called
19:56 < havoc> everything has to be 100% dynamic, and automated
19:57 <@krzee> could generate on the fly, thats only a single piece of info
19:57 <@krzee> enter computer name:        *GENERATE*
19:57 < havoc> again, gonna let it roll around my head for a day or two
19:58 < havoc> still enough crap to do independent of this, like the windows scripts to do it all
19:58 <@krzee> and it would be 3 files, the file that keeps $HOSTNAME, the cert and the key
19:58 <@krzee> cert and key would be client.key client.crt so the config doesnt change
19:58 < havoc> won't know $HOSTNAME until they install the unti somewhere
19:58 <@krzee> in lede imagebuilder thats as easy as moving 3 files into a dir and FILES=/path/to/dir
19:59 < Eugene> You say "easy" I say "what the fuck is this unholy abomination"
19:59 <@krzee> right, and im saying THEY generate it from your script on your central server
19:59 < havoc> some people in our org were pushing for Meraki ;)
19:59 <@krzee> sounded like theres already a dashboard and stuff
19:59 < havoc> ~$1,000,000 more cost, plus zero automation (on the level we NEED)
20:00 < Eugene> There is always some clown pushing Meraki
20:00 <@krzee> shit bring me in for $10,000 and ill bust out the entire project :D
20:00 < Eugene> The last one I ran into was a "former junior sales VP" of some sort there
20:00 < havoc> have to manually config them all individually via the cloud gui
20:00 < Eugene> We dropped that client instead of arguing with them
20:01 < havoc> we use meraki for some other stuff, but they're trying to make up for some contract shortfalls here
20:01 < havoc> i.e. someone on the contract team fucked up :(
20:01 <@krzee> havoc: what happens if a client location is no longer a client location, but they have a router still?
20:01 <@krzee> is that a possibility?
20:02 <@krzee> because you cant revoke when they all have 1 cert
20:02 < havoc> krzee: yes, and if we use a common CN, we'd have to firewall it off vs. CRL
20:02 < havoc> I get it
20:02 <@krzee> firewall is if you dont have 2 clients on same ISP
20:02 <@krzee> (with dynamic ips)
20:02 <@krzee> with 1800 clients can we be sure thats realistic?
20:03 < havoc> right now I'm 51/49 provisioning/common-CN, we'll see how I feel in the morning ;)
20:03 <@krzee> how would you even know what IP the client comes from to firewall him? with all looking the same to openvpn
20:03 < havoc> ah, no, FW internall to prevent access beyond the ovpn server
20:04 <@krzee> ahh on the router that is in their site?
20:04 < havoc> ...which only works if they have the same IP
20:04 <@krzee> better hope nobody knows what a JTAG is
20:04 <@krzee> lol
20:04 < havoc> ha, jesus, there are so many other glaring security holes, my vpn setup isn't even in the running ;)
20:05 <@krzee> too bad our systems wont be AT ALL similar since we're both probably about to code provisioning scripts
20:06 <@krzee> be easier for 1 to give to other, but in our case that does nothing
20:06 <@krzee> we'll be on quite different embedded systems lol
20:07 < havoc> I am leaning towards the provisiongin, and automated cert gen, as it's not that much more work, and can use a CCD, as well as CRL, to temporarily disable clients
20:07 < havoc> makes the DNS updaing easier too as CN is avail as an ENV var
20:07 <@krzee> yessir
20:08 <@krzee> thats what id be looking to do
20:08 < havoc> not that hostname is difficult, sans trailing domain
20:08 <@krzee> the one bad thing is your CA will be on your server, but that's just how it is for this
20:09 < havoc> yup
20:09 <@ordex> morning
20:09 <@krzee> less bad =]
20:09 <@krzee> moinmoin ordex
20:09 <@ordex> :)
20:10 < havoc> krzee: probably have everything ALWAYS default to the provisioning server, just in case
20:11 < havoc> ...even once a unnique CN is generated
20:38 <@krzee> havoc: what? why?
20:38 <@krzee> you only provision once
20:39 < havoc> krzee: in case someone monkeys with shit and breaks something
20:39 <@krzee> you could make the logic be ready for a second run, like not regenerate just use certs that exist there
20:39 <@krzee> and if the firmware has the provisioning script setup by default the a firmware reset should too
20:39 <@krzee> and boom, provisions again, all is well
20:40 <@krzee> (i havent tested that)
20:44 < havoc> there will be much testing...hopefully ;)
21:02 < xkwizt12345> anyone have a good config for openvpn for maximum performance?
21:02 < xkwizt12345> i have a 100Mbps connection to the amazon cloud, running openvpn in the amazon cloud... only getting 4-5 Mbits.
21:09 < nbastin> could be an MTU problem
21:09 < nbastin> abjectily horrible performance is a bit of a sign
21:09 < xkwizt12345> i tried MTU and MSSFIX but it didnt help much
21:09 < nbastin> I also can't type today
21:10 < nbastin> I am not sure what openvpn does internally, so sadly I can't help that much - I use tap so I just adjust the interfaces themselves
21:11 <@krzee> iperf on the IPs outside the tunnel show 100mbit?
21:11 <@krzee> try iperf
21:11 < nbastin> also does UDP give you different perforamnce than TCP
21:11 <@krzee> ^^
21:12 < xkwizt12345> TCP is horrible, i get 1mbps
21:12 < xkwizt12345> switched to udp, getting 4-5 mbits
21:12 <@krzee> using iperf we mean
21:12 <@krzee> iperf supports udp and tcp modes, test both on internet routable IPs and on VPN IPs
21:17 < xkwizt12345> iperf outside the tunnel shows 92 Mbits down and 93 Mbits UP
21:17 < xkwizt12345> on VPN it fluctuates like crazy
21:17 < nbastin> tcp or udp?
21:17 < nbastin> (outside the tunnel)
21:18 < xkwizt12345> TCP and UDP outside the tunnel
21:18 < nbastin> you did -b 100M?
21:18 < nbastin> if UDP shows 92Mbits, that's some non-trivial packet loss
21:20 <@krzee> !speed
21:20 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help., or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded), or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu), or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links, or (#5) less likely are issues with bad
21:20 <@vpnHelper> TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs), or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp), or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better., or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no), or
21:20 <@vpnHelper> (#9) a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
21:21 <@krzee> also heres some things that jjk tested over gigabit
21:21 <@krzee> !gigabit
21:21 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
21:21 <@krzee> yours is .1 that but still what he did could be worth seeing
21:22 <@krzee> !mtu
21:22 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting, or (#3) useful info here: https://forum.pfsense.org/index.php?topic=67080.0
21:22 < xkwizt12345> i havent tried iface txqueuelen
21:30 < xkwizt12345> could it be an issue that the server is linux and the client is windows?
21:31 < Dougy> no
21:31 < Dougy> definitely not
21:31 < xkwizt12345> ok
21:32 <@krzee> if you have a linux machine laying around it cant hurt to test from there too
21:32 <@krzee> id try to test as many differences as possible
21:33 < xkwizt12345> ive got a ubuntu machine around here somewhere..
21:33 < xkwizt12345> ill test it out
21:33 <@krzee> for such a huge difference in throughput somethings definitely wrong somewhere
21:33 <@krzee> did you go over the MTU debugging guide?
21:34 <@krzee> and did you see this? https://www.lowendtalk.com/discussion/comment/843711/
21:34 <@vpnHelper> Title: Why OpenVPN is so slow? (cool story) - LowEndTalk (at www.lowendtalk.com)
21:34 < xkwizt12345> i did see that, reading through now
23:22 < xkwizt12345> ew MTU changes made it worse, i calculated MTU to 1460 - MSS 1420
23:22 < xkwizt12345> went down to 0.2 Mbits!
23:22 < xkwizt12345> I went back to a super basic config for troubleshooting, im now back at 6-8 Mbits... something funny is going on.
23:26 <@ordex> xkwizt12345: is the problem the same when testing udp vs tcp traffic over the vpn?
--- Day changed Tue May 09 2017
00:00 < xkwizt12345> ordex: yes same problem with both TCP and udp
00:02 <@krzee> did you try the links i gave?
00:04 < xkwizt12345> yes, i tried changing the buffers, didnt make a difference
00:04 <@krzee> damn i thought that one would help you
00:05 <@krzee> as he was specifically using linux + windows and didnt have the issue when using windows and windows
00:05 < xkwizt12345> ill try it again, how do i confim if my changes to the config actually take?
00:06 < xkwizt12345> Basic Config right now is: port 1194 proto udp dev tun1 ifconfig 10.4.0.1 10.4.0.2 status server-tcp.log verb 3 secret  XXXXXX.key
00:06 < xkwizt12345> i stripped it back to bare minimum to try and workout what was happening
00:07 <@krzee> ya i would too
00:07 <@krzee> you tried the buffers at 0 and at the high number?
00:07 < xkwizt12345> yes does it matter which line i add the config to?
00:07 < xkwizt12345> i added it at the end, ill try adding it after the protocol
00:08 <@krzee> doesnt matter
00:09 < xkwizt12345> ok one thing i didnt do, was stop and start the service, i think thats where the problem is... lets try now
00:10 <@krzee> oh you definitely have to do that
00:10 <@krzee> config changes only take effect after you restart
00:12 < xkwizt12345> rookie mistake :) but buffer on 0 after restarting services had no effect. testing large buffer now.
00:13 < xkwizt12345> no effect, both same speed with buffer at 0 and with buffer at 393216
00:16 <@krzee> did you try changing the linux side too?
00:16 < xkwizt12345> both sides, restarted service on server and restarted client too
00:18 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
00:18 -!- mode/#openvpn [+o mattock1] by ChanServ
00:22 < xkwizt12345> does dev tun need to be defined on both client and server, i just noticed ive got dev tun1 on server and dev tun on client... does that matter?
00:30 <@krzee> no, if you want to know what it does see --dev in the manual
00:30 <@krzee> !man
00:30 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
03:12 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
06:37 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
06:37 -!- mode/#openvpn [+o mattock1] by ChanServ
07:36 <@ecrist> !trust
07:36 <@ecrist> !verify
07:36 <@vpnHelper> "verify" is (#1) If you receive certificate-based 'VERIFY ERROR' messages, you can manually verify the remote cert against a local CA using openssl: `openssl verify -verbose -CAfile /local/ca.crt /remote/copy/of/other.crt`, or (#2) Note that this requires you to manually transfer the remote certificate to the local system for testing, or (#3) You can also manually check issuer fingerprints with
07:36 <@vpnHelper> detailed cert output: `openssl x509 -in /some/cert.crt -noout -text` and compare against the CA cert fingerprint
09:15 <@krzee> !ircstats
09:15 <@vpnHelper> "ircstats" is (#1) See http://secure-computing.net/logs/openvpn.html for all-time IRC stats., or (#2) See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats.
09:16 < havoc> krzee: if I use unique CNs, and BIND on the openvpn server, the DNS bit is easy, only need a client connect script which does an nsupdate
09:17 < havoc> the bind server on the ovpn server will only have a single zone, forwarded to the AD infra
09:17 < havoc> this isn't looking *too* bad
09:18 <@krzee> nice
09:18 <@krzee> good job
09:18 < havoc> no need for dnsmasq, as the client side will all be static IPs
09:19 < havoc> each remote setup is essentially a single unit, or treated as such, and is a locked-down single-purpose "device"
09:19 < havoc> we only need the VPN to access them directly as they will all be NAT'd, and we don't want to mess with custom local network configs
09:19 < havoc> ...that would be a management nightmare
09:20 <@krzee> oh you gunna have static ips based on common name?
09:20 < havoc> no, each "unit" is a ubnt router, w/ a Windows NUC, a OKI printer, and 3 IP cams, behind it
09:20 < havoc> all *identically* configured
09:21 < havoc> all the devices behind the UBNT will have static IPs configured already
09:21 <@krzee> behind, but arent you specifically doing DNS for the vpn ip?
09:22 < havoc> the server-side DNS for the VPN IPs is to facilitate us accessing each unit
09:22 < havoc> ...from the "outside"
09:23 < havoc> they are known as "stations", and each station will likely have a name like "SY892345"
09:23 < havoc> we have to provide access to the IP cams to the client, via a web dashboard, heance the VPN
09:23 < havoc> hence
09:24 < havoc> also, don't want the shit exposed willy-nilly to the outside; it needs some access control
09:25 < havoc> plus >99% of them will be on rfc1918 subnets
09:25 <@plaisthos> might want to look into pushing cli-nat from the server
09:25 <@plaisthos> to nat them to different ip ranges from the server server
09:25 <@plaisthos> (+iroute)
09:26 <@plaisthos> for access control probably disable client-to-client + iptables
09:27 < havoc> client-client will be disabled, and I'll be running a shorewall setup on the server
09:27 < havoc> these "stations" will be spread over thousands of miles
09:27 < havoc> all at different locations
09:27 <@plaisthos> so what is your question?
09:28 < havoc> questions were last night, this is now "discussion" :)
09:28 < havoc> just explaining it a bit more the krzee; I'm not sure I explained it enough last night
09:29 <@plaisthos> from what I see client-nat, ccd, iroute should make these subnets available from the server
09:29 < havoc> what subnets?
09:29 <@plaisthos> the subnet that your ip cams are in
09:30 <@plaisthos> I assume they have identical ips on each client
09:30 <@krzee> hes port forwarding over a nat instead
09:30 <@krzee> all will have same subnet
09:30 <@plaisthos> ah
09:30 <@plaisthos> then there is no need for client-nat
09:30 < havoc> exactly
09:30 <@plaisthos>  but client-nat would have been a nice solution for that ;)
09:30 <@krzee> all 1800 clients will have identical LEDE config including subnet and vpn config (i talked him into using separate certs tho)
09:30 < havoc> yeah, jsut not necessary
09:31 < havoc> krzee: a little more work on the provisioning side, to use unique CNs, but saves work on the DNS side
09:31 < havoc> plus has the benefit of being much more secure, and adding capability
09:32 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
09:32 < havoc> I told you last night that I get it, and agree, it's just a cost:benefit issue
09:32 <@krzee> right, and im telling plaisthos
09:32 <@krzee> :-p
09:33 < havoc> yup, I'm just being clear that I agree with you, it's just not always possible to do it the Right way :(
09:33 <@krzee> you said the clients have access to a web control panel
09:33 <@plaisthos> yeah sounds like a almost standard config otherwise
09:33 <@krzee> you could generate the firmwares and put them there
09:33 <@krzee> wouldnt even have a separate provision
09:33 < havoc> krzee: only one "client"
09:34 < havoc> business client, that is
09:34 <@krzee> oh, well samesame on the rest
09:34 <@krzee> client has*
09:34 < havoc> I still need to write a ton of crap to go on the image that goes on the NUC to automate all of this
09:35 <@krzee> are these routers gunna run LEDE/ openwrt by chance?
09:35 < havoc> the IP cam mfg is gonna pre-config everything for us, but the routers have to be done by us as we're gonna be lucky to get enough of them in time in the first place
09:35 < havoc> we're sucking all 5 ubiquity vendors dry on this one
09:35 <@krzee> oh i see, so you wont be making the web portal yourself
09:35 < havoc> krzee: no, just the stock Ubiquity linux distro
09:36 <@krzee> ya i guess easier to just do the provisioning script
09:36 < havoc> krzee: another team in my corp is doing the web portal
09:37 <@krzee> the firmware idea would be cleaner, but that was assuming you were hacking up the whole thing
09:37 <@krzee> provisioning script only slightly more effort and will work too
09:37 < havoc> this is a bit of a catch22 for the company; "industry standard vs. opensource", but there's a SUBSTANTIAL cost diff
09:37 < havoc> yeah, and we may not get all the devices in time as it is
09:38 <@krzee> im starting to think this is a company we've heard of
09:38 <@krzee> haha
09:38 < havoc> I'm gonna have the imaging guys put putty, winscp, 7zip, and RSAT on the image
09:39 < havoc> hopefully that'll give me enough to work with to get it done
09:39 <@krzee> these are windows!?
09:39 < havoc> the NUCs are
09:39 <@krzee> the routers?
09:39 < havoc> the "PCs"
09:39 <@krzee> not familiar with 'NUC'
09:39 < havoc> the PCs are Intel NUCs
09:39 <@plaisthos> nuc is an intel pc line
09:39 < havoc> tiny little computers
09:39 <@krzee> are they also the vpn clients?
09:39 < havoc> no
09:40 < havoc> but we will access them through the VPN on the routers
09:40 <@krzee> oh ok, i had assumed the clients were linux the whole time
09:40 <@krzee> the rotuers are what os?
09:40 < havoc> the NUCs, while technically a PC, are locked-down, single-purpose
09:40 <@krzee> like POS machines?
09:40 < havoc> the routers are Ubiquiti's embedded linux
09:40 < havoc> krzee: very similar, yes
09:40 <@krzee> ahh ok ya thats more like what i thought
09:41 < havoc> they boot into our software/app, and that's it
09:41 <@krzee> think maybe youd end up needing wireshark on them?
09:41 < havoc> I think the ubnt linux distro is debian-based
09:42 <@krzee> nah for that you have tcpdump, i mean on thw nuc
09:42 < havoc> krzee: good idea, but I'm mostly concerned with what I need to automate the installs, and/or really large downloads
09:42 <@krzee> werd
09:43 < havoc> other stuff can be added later, if it's not freakin huge, once we have connectivity
09:43 < havoc> gonna be a neat trick to get it all done in 4wks
09:44 < havoc> there's me, the imaging team, the dashboard team, and the colo team
09:44 <@krzee> you could maybe script your part today
09:44 < havoc> whole lotta cat-herding going on :(
09:44 <@krzee> cat herding is easy
09:44 <@krzee> get a box
09:44 < havoc> krzee: until we get the infra setup I have nothing to test with, but I've been making a LOT of notes/psuedo-code
09:45 < havoc> if I can get the colo infra setup by this weekend, and the imaging team on board with my requirements, I'll call this week a win
09:46 < havoc> oh, and there' sa DR site too
09:46 < havoc> so technically there will be two ovpn server setups
09:46 < havoc> but that's just more <connection> blocks on the client side
09:46 <@krzee> only if they're very different
09:46 < havoc> oh, and another fun bit, all these routers need a multiple WAN failover config
09:47 <@krzee> you can probably use multiple --remote entries instead
09:47 <@krzee> if you configure both servers then theres no reason for needing connection blocks unless im missing info
09:47 < havoc> krzee: yeah, --remote, connection block, just implementation details at this point ;)
09:47 <@krzee> werd
09:48 <@krzee> you can make multiple server certs in the same pki, for the record
09:48 < havoc> but all the units/stations will also have air-cards as a failover Net connection
09:48 <@krzee> (some people dont realize that)
09:48 < havoc> so each router has to be able to use one or the other of the two available Net/WAN connections
09:49 < havoc> src routing isn't difficult, and I already have several working implementations in the field, but those were all when I knew the network info
09:49 < havoc> so I wrote a buch of bash to use iproute2 to gather all the info when given only a list of ifaces to work with
09:49 < havoc> as all IPs are gonna be via DHCP
09:50 < havoc> (WAN IPs, that is)
09:50 < havoc> also, iproute2 is freakin awesome for such things
09:51 < yarddog> i am totally confused about ovpn on linux, i ran it with tunnelblick in mac, now im lost
09:53 <@krzee> in linux its more normal to start openvpn via commandline, and then if you want it at boot to use the system startup scripts
09:53 <@krzee> openvpn /path/to/config
09:53 <@krzee> !logfile
09:53 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
09:55 <@krzee> network manager is a gui option, but be sure to still configure openvpn by hand and get it working manually from commandline first, then you can import the config if you want, but then if you have issues after importing the config you need #nm for their help
09:58 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
09:58 -!- mode/#openvpn [+o mattock1] by ChanServ
11:14 < havoc> krzee: I think I'll do a /25 per ovpn server proc, that'd be 125 clients per server
11:14 < havoc> should be safer/more reliable than a /24, w/ 200 client limit, per proc
11:15 <@krzee> depends, some people have no problems with 200 clients
11:15 < havoc> under a /21, that's 16 server processes, for a total of 2,000 clients
11:16 < rob0> I was thinking 124, but I guess there's no reason why you can't use .127 or .255 because there is no broadcast address.
11:16 < havoc> rob0: any subnet is the n-3 usable IPs, one for network number/subnet, one for bcast, one for gateway
11:17 < havoc> a /25 is 128, -3 is 125 usable
11:17 < rob0> oh, my arithmetic is off, ENOCOFFEE
11:17 < havoc> heh
11:17 < rob0> but there IS no broadcast on tun
11:17 < KettleCooked> My problem is probably firewall. Really. And I know quite little about firewalls. My issue: Ubuntu server works fine, serving http/80 etc. But the same server, when connecting as an OpenVPN Client to outside server, suddenly blocks all incoming connections etc. Do you agree this could be firewall issue, or could it just as well be something OpenVPN network related?
11:18 < havoc> rob0: this is all subnet config
11:18 < havoc> or it will be
11:18 < havoc> subnet topology, I should say
11:19 < rob0> KettleCooked, routing maybe?  What is the purpose of yourn VPN?  Do you run the server?
11:19 < KettleCooked> rob0, yeah I run both servers. Both are Ubuntu 16.04. Purpose of my 'problem' server is web server, VPN server, fileserver lots of different things.
11:20 < DArqueBishop> KettleCooked: is the VPN server sending a redirect-gateway parameter to the client server?
11:20 < DArqueBishop> If so, that's your problem right there.
11:20 < KettleCooked> It's my home server basically. And whenever that is connected as a OpenVPN client it blocks incoming.
11:20 < KettleCooked> ok I'll try to check this
11:20 < rob0> yes, that's why I asked about the purpose of the VPN
11:21 < DArqueBishop> rob0: sorry, not trying to step on toes. :-)
11:21 < rob0> no, you're not
11:21 < KettleCooked> the server I'm connecting TO has: push "redirect-gateway def1 bypass-dhcp"
11:21 < KettleCooked> is that the problem there?
11:21 < DArqueBishop> KettleCooked: yes.
11:22 < KettleCooked> ok, is it possible for me to set it up in a way that makes my home server (the one with the problem), connect to outside VPN, route all traffic through that server and still be connectable? or am I too naive here? :)
11:22 < DArqueBishop> Basically your client server is now pushing all traffic through the VPN instead of through its original gateway, which makes it more or less inaccessible due to the changed routing.
11:23 < rob0> policy routing
11:23 < rob0> !lartc
11:23 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
11:25 < KettleCooked> this is some cool stuff - do you happen to know if it's a feasible approach to try and solve this with 'ufw' (it's like  a simplified firewall handler I appear to have in Ubuntu) or would it be wiser to focus on iptables only? I've used ufw up to now, and it seems to take some sort of precedence in saving the settings etc
11:26 < KettleCooked> or maybe netfilter != iptables..
11:27 < rob0> ufw is 100% certain to make it unmanageable, and probably no one on IRC can/will help you fix that.
11:28 < KettleCooked> haha ok thanks for the heads up
11:32 < smrtz> Hello!  I'm getting kicked off my VPN during use, it's hitting the inactivity timeout, and then attempting to re-auth, but failing since I use an RSA token for my password.
11:32 < smrtz> I'm looking at the --keepalive interval timeout here: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
11:33 <@vpnHelper> Title: Openvpn24ManPage – OpenVPN Community (at community.openvpn.net)
11:33 < smrtz> But, I'm a little unsure how to implement it.  Can I just add 'keepalive timeout 99999' to my vpn.ovpn file?
11:33 < smrtz> On the client.
11:51 < hanna> When connecting to a VPN, I get a route like `10.128.0.0/16 dev tun0` added to my routing table. Is there any way I can add the equivalent of this to a different routing table in my `route-up` script? I can't find any suitable env vars that will get me `10.128.0.0/16`
11:51 < hanna> Right now I'm adding 10.0.0.0/8 as a work-around which works on the implicit assumption that every VPN provider I care about uses something under 10. for their internal addresses, but that's a hack
11:53 < hanna> I guess ifconfig_netmask is similar, but I'm not sure which one of those options corresponds to the base address
11:55 < hanna> I also can't find an env var that will give me the interface of the “old” network (for the purposes of adding $route_net_gateway)
11:57 < hanna> Actually it seems like I don't even need that route
11:57 < hanna> Linux is smart enough to figure out what device to send it out on by its own
12:24 <@plaisthos> smrtz: basically you want auth-token
12:24 <@plaisthos> !blowfish
12:24 <@plaisthos> !sweet32
12:24 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
12:24 <@plaisthos> hanna: that is a common problem with sweet32
12:24 <@plaisthos> see that page for infos about auth-token
12:25 <@plaisthos> keepalive won't help you
12:25 <@plaisthos> you need to set the --reneg params
12:25 <@plaisthos> on both client and server
13:29 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
14:28 <@krzee> just did a freelance openvpn job \o/
14:28 <@krzee> (trying to get all the $ i can (legally) right now)
14:28 < havoc> where are you again?
14:29 <@krzee> caribbean
14:29 < havoc> ah
14:29 < havoc> you moving or something?
14:29 <@krzee> but im doing online jobs
14:29 <@krzee> good guess! moved recently and now unexpectedly have to put hella thousands into my roof which had major issues
14:30 < havoc> :(
14:30 <@krzee> totally love the house tho, worth it still
14:30 <@krzee> and got a great price (now i know why i guess!)
14:30 < havoc> Wife and I are gutting half our house in a few weeks
14:30 <@krzee> nice!
14:30 < havoc> down to the sticks
14:30 <@krzee> remodel time!
14:30 < havoc> not as much as fix shit
14:31 <@krzee> luckily we dont have any of that to do... the place is freshly remodeled and really nice
14:31 <@krzee> but that roof tho...
14:31 < havoc> old house, no insullation, extremely poor electric, plumbing, HVAC
14:31 <@krzee> fix it or lose my house to water damage... i guess ill fix it!
14:31 < havoc> if we want to get anything from a future sale, this shit needs to be done :(
14:31 <@krzee> ohh i see
14:32 <@krzee> well not as fun of a motivation, but at least you'll be able to make it yours while putting it back together
14:32  * krzee assumes you'll have gigabit in the walls
14:33 < havoc> yeah, a lot of it is for us, but I've already been here 19yrs
14:34 < DArqueBishop> Carribean?
14:34  * DArqueBishop is jealous.
14:34 < DArqueBishop> My wife would be too.
14:34 <@dazo> DArqueBishop: just think of the hurricanes, and you'll be fine again .... ;-)
14:35 < DArqueBishop> dazo: I live in Houston. Hurricanes are an issue here too. :-)
14:35 < DArqueBishop> The last time a hurricane came through the area my house's roof suffered serious damage.
14:35 <@dazo> DArqueBishop: lol ... oh, well, then you have real reasons to be jealous!
14:35 <@dazo> well, not lol'ing due to your roof though .... that's painful
14:36 < DArqueBishop> Yeah.
14:37 < DArqueBishop> It could be worse. There's a seafood restaurant in a coastal town here that my wife and I ate at, and there's a line on the wall about fifteen to twenty feet up that marked how high the water level was when that hurricane came through.
14:41 <@krzee> dazo: thats not a factor where im at =]
14:42 <@krzee> im safe from that
14:42 <@krzee> and ya, the roof thing suuuuucks
14:43 <@krzee> so now i wanna sell my apartment, and it seems that one of my neighbors is having serious financial problems... because he's selling his for less than we even bought for (and i bought out of construction, so i got a good price)
14:43 <@krzee> damn him! lol
14:44 <@krzee> so somebody needs to buy his fast (and probably will, cause thats a crazy deal)
14:51 < havoc> our roof should be good for ~40yrs or so
14:51 < havoc> ...from now
14:51 < havoc> but we plan to sell in 5-10yrs, so all good
16:27 < chachasmooth> wow.. the openvpn repo only has 2000 commits
18:45 -!- alexandre9099_ is now known as alexandre9099
19:30 < jge> hey all, could anyone help me. I've enabled Duo-Mobile 2FA on my VPN server, everything working as expected but I was wondering if it's possible to enable it only for certain users? I tried setting --auth-user-pass-optional in the client config but the module on the server side still expects a username/password.
20:09 < nsnsns> Hi!
20:10 < nsnsns> I setup PiVPN
20:10 < nsnsns> Now my question.
20:10 < nsnsns> I have my host running the openvpn server
20:11 < nsnsns> I have other things on it
20:11 < nsnsns> Can I expose them to the OpenVPN Clients :>
20:11 < nsnsns> say like samba
20:14 < jge> nsnsns: I don't see how that wouldn't be possible if you have a VPN tunnel up and running
20:14 < nsnsns> I'm not sure how to.
20:15 < jge> nsnsns: you don't expose services to the vpn server, you make them available on your network
20:15 < jge> do you have a firewall on your piVPN?
20:16 < nsnsns> that's what I mean
20:16 < nsnsns> on the host, UFW
20:19 < nsnsns> jge: I'd also love to be able to expose other machines
20:20 < jge> nsnsns: I see, you should be able to just open up samba ports udp 137/138 tcp 139/445
20:21 < jge> something like this would do: sudo ufw allow proto udp to any port 137 from your-VPN-Client-Subnet-Here
20:21 < nsnsns> So just tell it to listen in on the host's internal network IP
20:21 < jge> do that for each of the ports
20:21 < nsnsns> ah
20:21 < nsnsns> So, 10.10.10.10/8?
20:21 < jge> well, yes those services must be listening on your box
20:22 < nsnsns> Yea
20:22 < jge> if that's your client subnet then yes
20:22 < jge> if you want to allow your vpn clients to reach other resources or machine on your network you will neet to enable IPv4 forwarding
20:22 < jge> and put a static route on your router for return traffic
20:23 < jge> if that's not a possibility, you'll need to do masquerading with your IPTABLES set up (UFW)
20:24 < nsnsns> Any good guides on that?
20:24 < jge> basically have UFW (iptables) NAT your client's subnet out your PiVPN interface facing your network
20:24 < jge> yeah, one sec
20:29 < jge> nsnsns: check this guid here https://gist.github.com/kimus/9315140 (NAT section only)
20:29 <@vpnHelper> Title: NAT and FORWARD with Ubuntu’s ufw firewall · GitHub (at gist.github.com)
20:29 < nsnsns> ty
20:30 < jge> yeah no problem and make sure to do the masquerading only if you can't set up a static route on your router
20:30 < nsnsns> jge: well, this is in a server in a OVH datacenter :^)
20:31 < jge> I see, yeah then you'll probably need masquerading then if you plan on talking to other hosts within the network
--- Day changed Wed May 10 2017
00:49 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
00:49 -!- mode/#openvpn [+o mattock1] by ChanServ
01:55 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 245 seconds]
03:41 < hid3> Are there any available scripts to simplify generation of certificates for OpenVPN?
03:42 <+hyper_ch> configs or certs?
03:42 < hid3> certs
03:42 <+hyper_ch> isn't easy-rsa simple enough?
03:43 < hid3> hm.. Didn't even know about such. Thanks, will study it
03:43 <+hyper_ch> !easy-rsa
03:43 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
03:44 <+hyper_ch> I prefer this version: https://community.openvpn.net/openvpn/wiki/EasyRSA3-Insecure-PKI as I generate all the keys/certs myself
03:45 <+hyper_ch> and there's also  https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto  where clients generate according signing requests
03:45 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net)
03:47 <+hyper_ch> hid3: easyrsa makes it simple imho :)
03:48 < hid3> yeah, at first glance seems so
03:51 <+hyper_ch> in addition I wrote myself a small script that will generate the conf file for the according client hostname with integrated certs and keys
03:54 <+hyper_ch> https://paste.simplylinux.ch/view/3e427933
03:54 <+hyper_ch> it's very simple :)
03:54 < hid3> Brilliant, thanks a lot!
03:57 <+hyper_ch> it's in the easy-rsa key's folder and executed   ./script hostname
03:57 <+hyper_ch> of course you'll need to adjust the conf template part to your settinigs
04:00 < hid3> yes, I understand that :)
04:02 <+hyper_ch> also, there's also a unix2dos convesino with chaning file ext to ovpn (for windows)... but it seems, unix2dos linebreaks are not needed
05:06 < lg188> Hello, are there other methods to give a specific client a specific ip other and ccd?
05:06 < lg188> s/and/than/
05:07 < lg188> or if anyone tried how do you keep up a ccd up to date in a docker container
05:23 <@ordex> lg188: I am not familiar with docker. what is the actual problem? dockers keeps changing the assigned IP and thus you have to update the IPs you give to clients?
06:03 < lg188> Eh no, the docker has a web address we can bind to. The problem is that we need the ips of the clients to be static
06:11 < lg188> ordex: and I know it's possible with ccd, but I'm looking for alternatives
06:13 < rob0> why is ccd not going to work?  Shared certificate?
06:21 < lg188> Eh no, because when the docker restarts they'll be wiped if they're not stored somewhere else
06:23 <@dazo> lg188: you need to configure some kind of persistent storage for your docker container ... and save the CCDs there ... that's the "easy fix"
06:23 < rob0> oh
06:23 < rob0> ^^ maybe nfs, or does it have a hostfs?
06:24 < lg188> dazo: yeah, that's true. but there's a bit confusion on my part what's going to be easy vs secure
06:25 < lg188> there's an option to write directly to the host fs, yes
06:25 <@ordex> lg188: I guess you need to have some "persistent state" somewhere, no? otherwise where are the static IPs coming from?
06:25 <@dazo> well, docker doesn't make much on the security side anyhow ... it's just a hyped chroot with some additional features and some automation ... it's possible to break out of docker containers as well
06:25 < lg188> but the down side of that is that it needs to be transfered
06:25 <@dazo> lg188: otherwise you need some --client-connect script which connects to a database or similar "storage" which is accessible via the network ...  --client-connect scripts can write "ccd" files on-the-fly which OpenVPN picks up .... but this is the over-engineered solution in this case
06:26 < lg188> I don't think it is actually
06:27 <@dazo> persistent storage is most likely a better fit in this case, tbh
06:27 <@dazo> "less moving parts" compared to --client-connect scripts
06:27 < lg188> the files are going to change regularly
06:29 <@ordex> dazo's solution is where I Was also going. the static IP must be stored somewhere … then use the —client-connect to generate the ccd on the fly
06:29 <@ordex> this way you can change the static IP in "your storage" and no need to touch the script
06:29 < lg188> Yeah, indeed
06:30 <@ordex> I just don't see where is the difference in "security" between storing the ccd files and the file containing the information about the static IP
06:30 <@dazo> if your CCD files are changing more regularly and if you have lots of users ... then I will probably recommend developing a plug-in in C, to make things more integrated ... the script-hooks have their own set of challenges.  A --plugin have a smaller "trouble scope" than scripts once it first works, and it performs far better
06:30 <@ordex> assuming the "security" is about hiding the IP settings
06:31 < lg188> Eh to be honest I don't know why I used security in this case
06:32 <@dazo> :-P
06:32 < lg188> but in any case, I don't want to rebuild a docker container for every change I make to the ccd's
06:33 <@dazo> if you have a persistent storage which is "mounted" in your container, then you wouldn't need to rebuild the openvpn container on CCD changes
06:33 < lg188> true
06:33 <@dazo> http://stackoverflow.com/questions/18496940/how-to-deal-with-persistent-storage-e-g-databases-in-docker#20652410
06:33 <@vpnHelper> Title: How to deal with persistent storage (e.g. databases) in docker - Stack Overflow (at stackoverflow.com)
06:35 < lg188> but the only place I can store it (afaik) is on the aws host it's running. which might be wiped for whatever reason
06:35 < lg188> also if we change we have to copy that manually
06:35 < lg188> change provider*
06:37 <@dazo> lg188: which is yet another vote for the docker volume API ... you should be able easily backup the persistent storage
06:38 < lg188> Eh sure, but it's all operating outside the docker container so it's not portable any more
06:38 < lg188> if I have to do backups that way
06:39 <@dazo> well, if you do the networked service thing ... similar data used by opnevpn still needs to stored somewhere, and preferably backed up as well ... so this is just a dog chasing the tail, IMO
06:40 < lg188> the configuration is stored in a git repository and then build into a container
06:40 < lg188> so it's stored in 2 places and doesn't change in a regular use case
06:40 < lg188> the ccd's on the other hand could change
06:41 <@dazo> My experience with lots of various setups ... the best ones are those which are a simple and standardized as possible ... it's fun and challenging developing a special feature for a special need, but it needs to be maintained - and when others take over it'll be harder again
06:42 < lg188> eh what's your point in that? I'm trying to keep it as simple as possible without sacrificing flexibility on the ccd part
06:43 <@dazo> avoid developing --client-connect scripts which depends on other moving parts .... the service the script connects to also needs a kind of persistent storage ... then you have the same storage requirement regardless, but you have two moving parts - the client-connect script + the service the script connects to
06:44 < lg188> alright I get that
06:45 <@dazo> of course, it's a cost/usage consideration ... how important is the flexibility over a lesser complicated setup?
06:45 < lg188> that's what I'm thinking about
06:45 < lg188> I could always just rsync them from somewhere else
06:46 <@dazo> once you start to have some 1000 users connecting to your VPN and having more VPN servers needing access to the same information, that's when the --client-connect/--plugin approach starts to make sense
06:47 < lg188> does --client-connect give environment variables to who's connecting?
06:47 <@dazo> yes
06:47 < lg188> because I could use that for something else
06:48 <@dazo> how many users are you providing VPN service to?
06:48 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
06:48 -!- mode/#openvpn [+o mattock1] by ChanServ
06:49 < lg188> well, it's not a regular user set up though, but I had to provide a current setup of about 500 clients, and had to make scaling possible
06:49 < lg188> to about 1000
06:49 < lg188> as a precaution
06:50 <@dazo> alright, then I will strongly encourage you to look at the --plugin approach instead ... to not reduce the performance too much .... remember, openvpn is single threaded - so if a --client-connect script uses 2 seconds to do its stuff, then that will hurt the other connected clients
06:51 <@dazo> --plugin is far more complicated, but it avoids the fork() and loading of a shell/script interpreter and then parsing the script
06:51 < lg188> eh well, speed isn't top priority though.
06:51 <@dazo> which otherwise happens each time the --client-connect is run
06:52 <@dazo> well, it impacts latency as well ... if the --client-connect script holds for 2 seconds ... no VPN traffic is passed to/from the other clients either
06:52 <@dazo> so you'll get a worse latency
06:53 < lg188> eh, sure
06:54 < lg188> it's not a big issue since it's not for regular internet
06:54 <@dazo> alright, fair enough
06:54 < lg188> I'll keep it in mind though
07:04 < lg188> Oh i'd have to give an .so file for it?
07:05 <@dazo> lg188: --plugin is using a C program compiled to a .so file, yes
07:06 < lg188> guess that's a bit more complex than just calling a bash script....
07:07 <@dazo> true, but it is also the best performance and can give overall security (if the C code is safe and good)
07:07 < lg188> In my case it won't
07:07 <@dazo> If you've done a little bit of C, it's not that hard though
07:08 < lg188> only some basic io stuff
07:16 < peterandre> hi, i'm using the openvpn-plugin-auth-pam.so plugin to authenticate users. unforunately it only allows 1 login per account. how can i make the plugin allow like 2 simultanous connections per account
07:17 <@dazo> !configs
07:17 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
07:19 < peterandre> i can just do !paste config stuff ?
07:20 <@dazo> no
07:20 <@dazo> !paste
07:20 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
07:20 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
07:20 < peterandre> oh
07:20 < peterandre> ok
07:20 < peterandre> one sec
07:21 < rob0> that's a UUOC in that last factoid :)
07:21 < rob0> nc < file
07:22 < peterandre> here's the config -> https://0bin.link/paste/vpa-XsTc#WaYeLICW1vCcMyBFWSRJOcCXYWxcT5sJgxXe-Oh7phk
07:22 < ddybing> Hi! I'm trying to set up OpenVPN on a Debian machine. Problem is that when I try to do "source ./vars" it replies with "Note: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys". Any ideas? :(
07:22 <@dazo> peterandre: okay, you might need to add --duplicate-cn to your config
07:22 <@dazo> !--
07:22 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
07:22 < rob0> ddybing, ideas about what in particular?
07:22 < peterandre> alright then i'll look into that
07:23 < peterandre> thanks
07:23 <@dazo> ddybing: that's just a warning ... to ensure you don't run ./clean-all just like that
07:23 < rob0> well, for one thing, I would not run my CA as root and wouldn't have it under /etc
07:24 <@dazo> and I wouldn't have it on my VPN server
07:24 < rob0> yes
07:26 < ddybing> Oh, OK. I was under the impression that this was some sort of error. But I've probably misunderstood.
07:26 < ddybing> thanks!
07:33 < peterandre> ok i checked this. once i set duplicate-cn in the server conf. can i use "max-clients 2" to limit 2 connections per ip? or does this limit the total connected users ?
07:34 <@dazo> that's the maximum number of clients in total
07:34 < peterandre> i see
07:34 < rob0> --duplicate-cn opens up a big can of worms
07:34 < rob0> maybe another choice is to issue more certs?
07:35 < peterandre> i guess
07:35 < rob0> I don't know how that will interact with PAM auth, however.
07:37 < Koleon> Hello guys, does anyone use OpenVPN server authentication against FreeIPA server??
07:39 < AlexeyX> Hi there! I have strange issue with shell script and easyrsa. I can't create certificates via bash in while loop ...
07:39 < AlexeyX> but without WHILE everything is ok...
07:43 <@dazo> rob0: with --client-cert-not-required, --duplicate-cn isn't that bad
07:43 <@dazo> Koleon: I did test the auth-pam module yesterday against a FreeIPA enrolled OpenVPN server yesterday
07:44 <@dazo> that worked quite nicely
07:45 < Koleon> dazo: Nice, what disto do you use?
07:45 <@dazo> Koleon: Scientific Linux
07:45 <@dazo> (RHEL clone)
07:47 < Koleon> dazo: I tested it a month ago, finally I have free time to test it out so I just prepared VMs and I am ready to start over. Could you share your pam module please?
07:48 <@dazo> Koleon: I used the stock OpenVPN auth-pam module
07:48 <@dazo> the one shipped in the openvpn package
07:51 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Quit: Leaving.]
07:51 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
07:51 -!- mode/#openvpn [+o mattock1] by ChanServ
07:52 < Koleon> dazo: Alright, to be host I'm new in these area. Unfortunately haven't found any tutorials, so I just tested from scratch. I have freeIPA (installed, working like a charm), then I installed openVPN Community Edition, install ipa-client, the user authentication works. What's the correct way to make it work with certificates and IPA credentials?
07:53 <@dazo> Koleon: add: --plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "login login USERNAME password PASSWORD"  to your OpenVPN config
07:54 <@dazo> all users who are allowed to use the 'login' service on the VPN server should now be allowed to connect to the VPN service
07:54 <@dazo> I'm trying to figure out how to add another service (like openvpn) to have specific HBAC rules ... but haven't come that far on this yet
07:58 < Koleon> dazo: Great, I'm going to test it out. I'll deploy Scientific distro in a minute. Btw is it possible to login on the VPN with certificate? I mean via TLS authentication?
08:00 <@dazo> you can have both certificate + user/password .... you can have just user/password (--client-cert-not-required in server config) ... or you can use --username-as-common-name, where the username is extracted from the client certificates CN field + password
08:02 < Koleon> dazo: Nice, I just wanted to ensure that certificate + user/password works. Going to test it. Thanks for your replies. :)
08:15 -!- Poster is now known as Poster`
08:15 -!- Poster` is now known as Poster
08:19 <@dazo> Koleon: Okay, got it working!  https://paste.fedoraproject.org/paste/F7GB9NqZkIoW2Gw57oUXKl5M1UNdIGYhyRLivL9gydE=  ... I have this in my /etc/pam.d/openvpn file (PAM service which is named 'openvpn')
08:20 <@dazo> Koleon: My openvpn configuration have: --plugin openvpn-plugin-auth-pam.so "openvpn"
08:21 <@dazo> In the FreeIPA admin webui, I created the openvpn service under "Host Based Access Control" -> "HBAC Services"
08:21 <@dazo> Then it was just a matter of setting up the proper HBAC Rule to allow the selected users to use the openvpn service.
08:27 < Koleon> dazo: Thank you very much Dazo, for the pam.d. I already had the "plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn" in my config file. Right now I have to get familiar with the HBAC services. Thanks a lot, I'm getting my hands dirty. May I contact you tomorrow or so in case of failure? . )
08:30 <@dazo> Koleon: sure!  I'm a big FreeIPA fan, and working on OpenVPN ... so this is truly my sweet spot! :)
08:35 < Koleon> dazo: Awesome :) I see the IPA as a quite complex thing so far, combining a lot of things together (Krb5 KDC, 389ds LDAP, NTPD, DNS), on the other hand compare to OpenLDAP, it's pretty easy to deploy. I'll let you know how it works. . )
08:39 <@dazo> FreeIPA is absolutely complex under the hood .... I have set up a kerberos kdc with openldap once by hand, not ever going to do that again .... IPA makes it truly manageable
08:39 <@dazo> (even master-master replication is a breeze to setup and configure)
08:41 < Koleon> dazo: Haha, so true. I run all my machines on Debian/Ubuntu based distro, unfortunately it's not common on these systems to run IPA. But it's getting better with Ubuntu 16.04. OpenLDAP was really a lot of manual work.
08:43 <@dazo> That's good that IPA support in the deb/ub world is improving ... I don't know how this is with Arch/Gentoo and SUSE ... but once they also embrace it, then it truly gets great!
08:44 < DArqueBishop> I'm tempted to troll and say, "IPA is a great thing, yes, but if you want to use something useful and robust, you should go to AD." ;-)
08:45 < Koleon> dazo: Oh yeah, Arch have only AUR builds. That's it. Sorry for spamming. :)
08:45 <@dazo> DArqueBishop: heh ... well, I don't trust closed source as much as open sourced based products ;-)
08:46 < DArqueBishop> I kid, of course. :-)
08:46 <@dazo> heh :)
08:47 <@dazo> somehow my brain filtered out "to troll and " ... as you usually don't do such things, DArqueBishop! ;-)
08:48 <@dazo> Koleon: well, to be honest ... it is possible to enrol those other distros too ... but it's far much more work than just ipa-client-install :)
08:48 < Koleon> dazo: "I don't trust closed source as much as open sourced based products" ... That's my word! :)
08:49  * DArqueBishop nods.
08:50 < _ADN_> port 7505 for management allows for example "reload" of config files, like ipp.txt?
08:50 < DArqueBishop> Generally I'm the same way, but I'm also pragmatic enough to recognize when closed source may have better products.
08:50 <@dazo> _ADN_: I don't think so
08:50 < _ADN_> i didn't see it
08:50 < _ADN_> but just double checking
08:50 < _ADN_> then I need a basic restart of the service
08:51 < Koleon> dazo: Guess you are right, I've never been package maintainer, I'm really sorry to see all the diversity in Open-source world. Mainly the Ubuntu related thing, RedHat related stuff etc. What a heck, all those products can't be compatible among other distros.
08:52 < DArqueBishop> About ten to fifteen years ago, I had someone try and castigate me for having Windows workstations at the office instead of Linux. I politely asked him where I could get a Linux version of the 3D CAD software our designers and engineers were using to create our products that was fully equivalent of what we were using now. He didn't have a response.
08:53 < rob0> sorry to see diversity?
08:53 < DArqueBishop> The company I worked for at the time made oilfield equipment. For reference, we made the kind of equipment that failed in the Deepwater Horizon disaster and actually got a lot of business in the aftermath.
08:56 <@dazo> Koleon: well, the incompatibility is actually a result of the flexibility you have when putting together a Linux distro ... and the most challenging point is dependency tracking.  In the windows world, you have a set of *.dll files, and if the Windows version doesn't fit - you ship your own version
08:57 <@dazo> Koleon: in the Linux world ... a distro ships primarily only one version (or perhaps 1-2 more) of libraries ... as they can co-exist on the system
08:58 < Koleon> rob0: Diversity is good in certain way. I mean I'm sorry to see that everyone is doing something that's not compatible or shareable with other systems.. English in not my native language.
08:58 <@dazo> Koleon: shipping your own "competing" library then gets a lot more difficult to handle when packaging it ... as those files should then also go into the system library paths ... unless you want to deploy a lot of various tricks
08:59 <@dazo> And there is a tight relation between a lot of the libraries ... and glibc is even somewhat tightly coupled to the kernel
08:59 < madduck> hey, I have a machine that connects three LANs via OpenVPN. At irregular intervals, usually after two LANs haven't communicated in a while, the connection takes a few seconds, while OpenVPN seems to "re-learn" the topology. Just in a few hours today, the number of "MULTI: Learn …" entries in syslog is several thousand. Since the setup is more or less stable, I wonder if it's possible to increase the
08:59 < madduck> time period during which OpenVPN caches the topology?
08:59 <@dazo> so it's really not an easy task when you're not a "single company" defining the complete dependency stack
09:03 < Koleon> dazo: I understand, that's the difference between Windows and Linux worlds. Guys, I gotta go to work. Thanks again for help, chat tomorrow. .)
09:25 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
09:55 < madduck> take for instance these two log lines:
09:55 < madduck> May 10 16:46:25 sysyphus ovpn-madduck6[11427]: clegg.lehel.madduck.net/46.244.140.127:46007 MULTI: Learn: 192.168.14.128 → wall.gern.madduck.net/188.174.33.34:50918
09:55 < madduck> May 10 16:47:57 sysyphus ovpn-madduck6[11427]: clegg.lehel.madduck.net/46.244.140.127:46007 MULTI: Learn: 192.168.14.128 → wall.gern.madduck.net/188.174.33.34:50918
09:55 < madduck> 1.5 minutes apart…
10:02 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
10:02 -!- mode/#openvpn [+o mattock1] by ChanServ
10:40 < madduck> I also have another problem trying to push a v6 default route to clients
10:41 < madduck> push "route-ipv6 ::/0 2001:1620:201b:600::1"
10:41 < madduck> however, the gateway is ignored for I am using tun, and the routing table on the client gets "default via vpn-tun"
10:41 < madduck> which really does not properly work
10:42 < madduck> if I use instead set "default via 2001:1620:201b:600::1" manually, then it all works
10:42 < madduck> i suppose since I am bridging subnets, I suspect I'd be better off using tap anyway…
10:44 <@dazo> !bridging
10:44 <@vpnHelper> "bridging" is (#1) Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you, or (#2) See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
10:45 <@dazo> madduck: not just tap ... go for tun!
10:51 <@ordex> go for fun!
10:51 <@ordex> madduck: what openvpn version are you using?
10:51 <@ordex> do you have any error in the log regarding that route?
11:17 < jge> hey all, could anyone help me. I've enabled Duo-Mobile 2FA on my VPN server, everything working as expected but I was wondering if it's possible to enable it only for certain users? I tried setting --auth-user-pass-optional in the client config but the module on the server side still expects a username/password.
11:20 < rob0> when a new connection comes in, how would the server know which class of user it is?
11:21 < rob0> It might work based on the cert's commonName and a CCD
11:21 < rob0> but you'd have to look that up (and maybe test)
11:22 < rob0> another idea is to use separate instances, one for --auth-user-pass and the other without
11:32 < Eugene> madduck - the good answer is "dont do bridging". The dumb answer is "set up a cron job or Nagios or something to ping across the tunnels regularly"
11:35 <@dazo> jge: Have you read the man page carefully in regards to --auth-user-pass-optional
11:35 <@dazo> ?
11:40 <@dazo> !man
11:40 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
11:42 < jge> dazo: yes I have, it pretty much leaves it to the authentication module to have the right logic to detect empty strings for user/password..I just logged into Duo-Mobile the portal allows you set up a user to Bypass (skip two factor) so that might work, need to test.
11:43 <@dazo> jge: you also wrote "--auth-user-pass-optional in the client config" ... but that should be the server config
11:43 < jge> rob0: I'm already using CCD with cert's commonName to assign static IPs from a given subnet to certain users, just not sure where to look to tie it with Duo-Mobile
11:44 < jge> dazo: that was my mistake sorry, it's server side
11:44 <@dazo> ahh, okay ... then that's settled :)
11:48 < jge> will test to see if setting user to bypass 2factor on duo-mobile's site work
12:01 < nikola_i> hi i followed this guide (https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04) for setting up openvpn server and client on the same machine. However when the client connects to server, the internet access is absent
12:01 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
12:02 < nikola_i> what am i missing here
12:28 < Eugene> Alcohol
12:28 <@dazo> :-P
12:28 <@dazo> !blogs
12:29 <@dazo> !blog
12:29 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
12:29 < Eugene> He left, but the page he linked even says "(Optional) Push DNS Changes to Redirect All Traffic Through the VPN
12:29 < Eugene> "
12:29 < Eugene> Which isn't even correct; it is not a DNS change that causes redirect
12:29 < Eugene> But digitalocean is lol so what do you want
12:29 <@dazo> which makes !blog just even more true ....
12:30 < Eugene> And whatever the one about patience is
12:34 < rob0> !patience
12:35 <@dazo> we need to add that as a special function ... which will respond with something in $rand minutes :-P
12:45 < rob0> haha yes
12:45 < rob0> DO IT NOW
12:45 < rob0> I CAN'T WAIT
12:48 < Eugene> !help timer
12:48 <@vpnHelper> Error: There is no command "timer".
12:49 < Eugene> Figures
12:52 < rob0> give me !patience -- and give it RIGHT NOW
13:01 < skyroveRR> !patience
13:06 < jge> ok, so I can report that setting the user (on Duo-Mobile) to skip 2FA works when using auth-user-pass-optional
13:06 < jge> client connected fine without it
13:07 < jge> and those who have it on, connect fine with a prompt
13:07 < jge> hooray
13:14 <@krzee> ooooo !blog is good
13:15 <@krzee> i usually use !walkthrough
13:15 <@krzee> but i like !blog
13:15 < DArqueBishop> More channels need an equivalent to !blog.
13:17 <@krzee> !walkthrough
13:17 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
13:24 < havoc> hmm, looking for a comparison of openvpn 23 vs 24, only finding changelogs
13:25 <@krzee> theres that and changes.rst
13:32 < havoc> changes.rst is it, thanks
13:46 < havoc> 24 looks nice, but I think we'll be stuck w/ 23 for a while, at least on the client side :(
13:46 < havoc> at least for this project
13:50 < nacelle> 2.4 has ecc key support, which is nice
13:50 < nacelle> all the way through,  not just quasi like in 2.3
13:55 < havoc> gah, these routers are 2.3.2 :(
13:57 <@krzee> that and also they support negotiating the crypto
13:57 <@krzee> thats pretty sweet too
13:57 <@krzee> havoc: you can get 2.4 on them...
13:57 <@krzee> didnt you say ubiquiti was configuring these for you?
13:57 <@krzee> hell my LEDE routers have 2.4 lol
13:58 <@krzee> (with a cost of about $35 each)
13:58 < havoc> they are ubiquiti EdgeRouters (ER-X), but they are not configuring them for us, that was the IP CAM people
13:59 <@krzee> oh actually $25 each, my bad
14:00 <@krzee> https://www.amazon.com/TP-Link-Wireless-Router-300Mbps-TL-WR841N/dp/B001FWYGJS/     once i put LEDE on them they're damn good for me
14:00 < havoc> might be nice, but not an option
14:00 <@krzee> ya, just showing what i do
14:01 < havoc> yeah, cool, just not an option for me for this project :(
14:01 <@krzee> for the same sort of stuff... ip camera setups over vpn, or remote workers, etc etc
14:01 < havoc> think I'm gonna be stuck w/ 2.3.2 on the clients, oh well :(
14:01 <@krzee> still didnt explain why
14:01 < havoc> well, at least for now, new versions with new firmwares
14:01 <@krzee> whoever is doing these should be able to compile it
14:02 < havoc> no one is "doing" anything, using mfg firmware
14:02 <@krzee> then you do it
14:02 <@krzee> either cross compile it or emulate the firmware image and do it there
14:02 <@krzee> well, or dont... whatever you like :D
14:02 < havoc> no way in hell I'm gonna saddle myself with that 5-10yr responsibility for no extra money
14:02 <@krzee> 5-10yr responsibility?
14:03 < havoc> it's a 5yr contract, w/ potential extensions to 7yrs, and 10yrs
14:03 <@krzee> how do you have more responsibility for using updated openvpn?
14:04 < havoc> because it breaks the upgrade path using the mfg firmware updates?
14:04 <@krzee> is the openvpn compiled with openssl or mbedtls?
14:04 <@krzee> youd be replacing a binary with another binary of the same name
14:04 <@krzee> you think their upgrade will check md5 of existing file and complain its wrong?
14:04 < havoc> which comes with openvpn
14:05 <@krzee> i havent seen any do that
14:05 < havoc> I have no idea, if it did, that means it would fail, which isn't good either
14:05 < madduck> Eugene: don't do bridging in as use tun rather than tap?
14:05 <@krzee> meh enjoy the old software :D
14:06 < havoc> I agree, 2.4.x is better, but not for the additional time it'll take me, for someone else
14:06 < havoc> *I* don't have to enjoy it at all ;)
14:06 < havoc> I wanna build it, ship it, and forget it
14:06 < havoc> ...except for the server-side maintenance
14:06 < havoc> still stuck w/ that
14:06 <@krzee> is the openvpn compiled with openssl or mbedtls?
14:06 <@krzee> if openssl, what version?
14:06 < havoc> hang on, sshing in to router
14:07 < havoc> OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  5 2014
14:07 <@krzee> openssl version
14:07 < madduck> ordex: 2.3.2 on the "server" and 2.3.4 on the clients.
14:07 < havoc> gah, fucking tiny fonts
14:08 < madduck> ordex: there are no errors in the logs I can see.
14:08 < havoc> krzee: OpenSSL 1.0.1e 11 Feb 2013
14:09 <@krzee> https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenSSL1.0.1m
14:09 <@vpnHelper> Title: VulnerabilitiesFixedInOpenSSL1.0.1m – OpenVPN Community (at community.openvpn.net)
14:09 < havoc> so 1.0.1e is too old :(
14:09 <@krzee> https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b
14:09 <@vpnHelper> Title: SecurityAnnouncement-97597e732b – OpenVPN Community (at community.openvpn.net)
14:09 <@krzee> https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenSSL1.0.1j
14:10 <@vpnHelper> Title: VulnerabilitiesFixedInOpenSSL1.0.1j – OpenVPN Community (at community.openvpn.net)
14:10 <@krzee> https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenSSL1.0.1i
14:10 <@vpnHelper> Title: VulnerabilitiesFixedInOpenSSL1.0.1i – OpenVPN Community (at community.openvpn.net)
14:11 <@krzee> https://community.openvpn.net/openvpn/wiki/CCSInjection
14:11 <@vpnHelper> Title: CCSInjection – OpenVPN Community (at community.openvpn.net)
14:11 < havoc> I wonder if these things have non-volitile storage, for binaries
14:11 <@krzee> https://community.openvpn.net/openvpn/wiki/heartbleed
14:11 <@vpnHelper> Title: heartbleed – OpenVPN Community (at community.openvpn.net)
14:12 <@krzee> those all apply to your routers
14:12 <@krzee> sooooooo, up to you, wont change me life any ;]
14:12 <@krzee> id tell ubiquiti to give me better software
14:13 <@krzee> they can literally compile that stuff for you in under an hour and have you a new firmware
14:13 <@krzee> if you can make them want to
14:13 < havoc> yeah
14:13 <@krzee> 1800 routers should be enough to cause desire, i think
14:14 <@krzee> also, maybe consider asking them to compile with mbedtls while you're at it
14:14 <@krzee> since cleaner code and seems to have less vulns over time
14:15 <@krzee> (thats what ill be doing as i prepare to upgrade my embedded devices)
14:15 < havoc> gah, wheezy based still
14:16 <@krzee> welcome to my life
14:17 <@krzee> did i mention what i went through to get openvpn 2.4 compiled and working on my snom phones?
14:17 <@krzee> oh ya i did
14:19 < havoc> http://sector5d.org/openwrt-on-the-ubiquiti-edgerouter-x.html
14:19 <@vpnHelper> Title: OpenWRT on the Ubiquiti EdgeRouter X (at sector5d.org)
14:20 < havoc> gah, nope, that's not an option :(
14:23 < madduck> dazo: okay, so I am rightly using tun. Thanks for the nice link.
14:23 < madduck> but really, there's some stuff not ok
14:24 < madduck> with ipv6
14:55 < madduck> what I don't understand is why the manpage claims for route-ipv6 that the gateway is ignored for L3 links and only used in L2 setups
14:56 < havoc> krzee: gah, fuckers maintain their own src tree, wheezy based, but all from src from that starting point
14:56 < havoc> krzee: to they apply fixes, but never bump the version :(
14:57 < havoc> I didn't check all the CVEs you listed, but I check 6+, all are fixed/not vulnerable
14:58 < havoc> pita to check/verify though, they need to work on their communication skills :(
15:06 < nikola_i> i tried to setup openvpn server and client on the same machine. after everything in up, there is not internet connection. please point out what could be missing
15:11 <@krzee> havoc: actually https://downloads.lede-project.org/releases/17.01.1/targets/ramips/mt7621/lede-imagebuilder-17.01.1-ramips-mt7621.Linux-x86_64.tar.xz
15:11 <@krzee> better than the openwrt link, thats the newest lede imagebuilder for your device
15:11 <@krzee> for making your own firmwares
15:11 < havoc> noted
15:12 <@krzee> even if not for this project, check it out for fun
15:12 <@krzee> found from https://downloads.lede-project.org/releases/17.01.1/targets/ramips/mt7621/
15:12 <@vpnHelper> Title: Index of /releases/17.01.1/targets/ramips/mt7621/ (at downloads.lede-project.org)
15:14 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Quit: Leaving.]
15:29 < havoc> krzee: might be nice in the future, but I'm hoping to be out of this entire industry in the "future"
16:02 < madduck> this part in the manpage really makes no sense to me, under --route-ipv6: "The gateway parameter is only used for IPv6 routes across ``tap'' devices"
16:03 < madduck> i mean, sure one needs a gateway for tap, but also for tun. Or does "default dev tun-openvpn" just shove everything across the tunnel?
16:15 < rollinDyno> calling openvpn shows error but my internet access is null
16:26 < madduck> ping4 from my client to my OpenVPN server averages at 12ms. ping6 from the server to e.g. google.com averages at 23ms. ping6 from my client to google.com via the ovpn tunnel averages at 1517ms. wtf?
16:27 < madduck> where do those 1480ms come from?
16:38 < Brixius> I'm having an issue with DNS/Windows 10 Enterprise Domain joined PC's, and NRPT.  OpenVPNAS 2.1.4 OpenVPNClient 2.1.3.110.
16:39 <@krzee> !as
16:39 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
16:39 < Brixius> ok, thanks
16:39 <@krzee> np
17:09 < havoc> oh boy, now I'm being told that the server is only gonna have a single vNIC
17:09 < havoc> w/ the public IP 1:1 NAT'd in
17:12 < havoc> hmm, that should work
17:12 < havoc> s/should/could/
17:24 <@krzee> why wouldnt it?
17:24 <@krzee> but if 1:1 nat, why not just assign the ip direct? not possible with the vm stuff?
17:25 < havoc> apparently not with the way they have it setup, and I don't have the authority to have them change it
17:25 <@krzee> werd
18:30 < pylearner> when I login to openvpn my internet connection will work for a while but then quit working
18:31 < pylearner> well web browsing i think it is related to dns bc I can ping ip address just not domain like google.com
18:31 < pylearner> but can ping 8.8.8.8 and get a reply
19:05 <@krzee> sounds like your dhcp server is overwriting your dns
19:12 < Eugene> madduck - re: ipv6 in the man page. This is really a question for the -devel channel, but that documentation sounds like it is referring to the first tun-ipv6 implementation,(2.2?) which required some funny options. 2.3/2.4 are much-improved. I don't think the man page has gotten the same love, though
19:16 < Algernop> !tunortap
19:16 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
19:16 <@vpnHelper> rooted/jailbroken) support only tun
19:33 < Algernop> !whybridge
19:33 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun., or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#3) See also !tunortap
19:34 <@dazo> !bridging
19:34 <@vpnHelper> "bridging" is (#1) Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you, or (#2) See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
20:36 -!- alexandre9099_ is now known as alexandre9099
20:37 < Eugene> http://ascii.co.uk/art/bridge
20:37 <@vpnHelper> Title: BRIDGE - ASCII ART (at ascii.co.uk)
20:53 -!- frank-- is now known as thumbs
20:56 < Algernop> Pretty
21:45 < adfhau> !welcome
21:45 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
21:45 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
21:46 < adfhau> !goal
21:46 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:50 < adfhau> I would like to know what version and/or features of OpenVPN server the official Android client,           OpenVPN Connect, supports. My router runs OpenVPN 2.4.x, but when I export an OVPN file to the Android client, it tells me "OpenVPN core error : crypto_alg: RSA-SHA512: not found"
21:50 <@ordex> !as
21:50 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
23:07 < vectr0n> people who are using PIA should reach out to their support instead of inquiring in here, correct? trying to see where to send a friend for help, im pretty sure its speak to PIA directly, but never hurts to ask
23:20 <@ordex> vectr0n: yeah, this channel is just about the open source openvpn software, but we have nothing to do with providers
23:20 < vectr0n> kk figured as much, ty for confirming :)
23:36 < vectr0n> is there any known issues with a ovpn client on a debian openvz vps?
23:36 < vectr0n> (unrelated to PIA)
23:37 < vectr0n> nm found it :)
--- Day changed Thu May 11 2017
00:03 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
00:03 -!- mode/#openvpn [+o mattock1] by ChanServ
01:28 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 245 seconds]
01:44 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:44 -!- mode/#openvpn [+o mattock1] by ChanServ
02:45 <+hyper_ch> damn, still no gigabit internet at home today :(
02:48 < yang_> fiber7 ?
02:49 <+hyper_ch> yep
02:49 <+hyper_ch> I got email yesterday, that it's active on plug 2 on my oto connector at home
02:49 <+hyper_ch> and I saw yesterday, that a parcel was sent to me
02:49 <+hyper_ch> so I thought it's that tp-link thing to connect my router to the OTO connector... unfortunately it was something else
02:50 <+hyper_ch> you're also with fiber7?
02:52 <+hyper_ch> yang_: ?
02:52 <+hyper_ch> and I thought I'll spend my evening on how to setup my static /48 block
02:52 < yang_> i am not
02:54 <+hyper_ch> how do you know fiber7 then?
03:10 < nacelle> how did you get a static /48?
03:13 <+hyper_ch> nacelle: I asked them
03:13 < yang_> I peer with Init7
03:13 <+hyper_ch> https://www.init7.net/en/support/faq/Statischer-IPv6-Range/
03:13 <@vpnHelper> Title: Can I have a static IPv6 range? (at www.init7.net)
03:14 <+hyper_ch> yang_: peering? peering sounds like a big mess :)
03:14 <+hyper_ch> yang_: so, you know much about ipv6?
03:15 <+hyper_ch> they handed me a /48 block... a /64 would have been sufficient as well
03:15 <+hyper_ch> it's not that I need 65k subnets with gabillions of ips in each subnet
03:17 <+hyper_ch> how do peering agreements even work?
03:18 < yang_> read about that on drpeering.net
03:19 <+hyper_ch> I only heard horror stories about it... mainly from d-telecom
04:34 < pabs3> I seem to have a certificate mismatch issue, is there any way to print out the certificate that openvpn is getting back from the server to check it against the copy of the server cert I have locally?
04:36 < pabs3> http://paste.debian.net/hidden/898ba379/
04:37 < rob0> there are several openssl(1) subcommands which can do that, one being: x509(1).
04:43 < pabs3> rob0: can that connect via the openvpn protocol?
04:53 < rob0> um, no, what is the actual problem?  Do you not run the server?
04:58 < pabs3> I do not
04:59 < pabs3> the problem is that I as client can't connect to the server using the provided ca cert, because http://paste.debian.net/hidden/898ba379/
05:00 < pabs3> they probably gave the wrong cert, but I'd like to verify that the issue isn't caused by some other problem (like obsolete crypto)
05:02 < rob0> you can try with ever increasing values of verbosity, you might see the server cert in there somewhere
05:02 < rob0> can you verify that YOUR cert was signed by the CA cert they gave you?
05:03 < pabs3> they didn't give a client cert, just password auth
05:03 < pabs3> that paste was with --verb 11, I didn't think it went higher...
05:04 < pabs3> --verb 1111111 doesn't do anything extra
05:08 < rob0> so you have no client cert, no CA cert <-- I was asking about CA, but if they gave you nothing, you have neither
05:08 < rob0> I think you're stuck talking to their help desk
05:12 < pabs3> they gave a CA cert, but no client cert
05:34 < k3tan> Hi  I am running pfsense at home. I have set up an OpenVPN server.  When I connect to the OpenVPN server with my mobile phone, I find that there is a significant delay in being able to initially connect to messaging services such as Whatsapp, Telegram, Facebook Messenger and Snapchat. Once it has established the initial connection to these services - it is quick. Accessing webpages is fine right from the get-go.
05:35 < k3tan> When I connect my mobile to a VPN using the PrivateInternetAccess App, there are no initial connection delays.  Any settings I should be looking at with my OpenVPN server to ensure a quick initial connect to these messaging services?  Any help would be much appreciated.
06:00 < |Mike|> re!
07:35 < havoc> morning
07:49 <@ecrist> maybe where _you_ live
07:54 < havoc> more or less :)
08:16 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 264 seconds]
08:26 <@dazo> technically, it's afternoon here .... but feels like morning to me ... :-P
08:28 < DArqueBishop> It's MORNING IN AMERICA, so it's MORNING EVERYWHERE!
08:28 < DArqueBishop> #MAGA
08:29 < Koleon> Hello guys, I'm testing the pkcs12 format and one question comes into my mind. Is it dangerous to do NOT set password for the .p12 container? I mean, when I want to paste <pkcs12> [...] </pkcs12> section to .ovpn file.
08:35 <@plaisthos> well
08:35 <@plaisthos> it has no password then
08:35 <@plaisthos> you could also use pem/key without password then
08:36 <@plaisthos> password less pkcs12 are often more trouble than worth
08:36 <@plaisthos> since pkcs12 is alwyas pasword protected
08:36 <@plaisthos> you basicaly have an empty password then
08:40 <@dazo> openvpn is the only user I've seen which tries to first parse the .p12 file with an empty password and if that fails, it will ask for a password
08:40 <@plaisthos> even my app fails with an empty password :0
08:40 <@plaisthos> it always ask you then for a psssword
08:41 <@dazo> plaisthos: you need to adopt openvpn's behaviour ;-)
08:41 <@plaisthos> dazo: nah, I had only one complain so far
08:41 <@plaisthos> :)
08:41 <@dazo> plaisthos: I can complain too, if you need more complaints! ;-)
08:42 <@dazo> one nice side-effect of pkcs#12 files are if you use sub-CAs ... then all the CA certificate stacking happens correctly and you don't have to worry about incorrect order
09:15 < sbehrens> A typo: "These have been fixed in OpenVPN 2.4.12"  https://openvpn.net/index.php/open-source/downloads.html
09:15 <@vpnHelper> Title: Downloads (at openvpn.net)
09:31 < Koleon> plaisthos: dazo: Thank you guys :) then I'll set up passwords.
09:32 < lg188> does an ovpn file support/need a dh.pem?
09:32 <@plaisthos> server needs one
09:34 < Koleon> plaisthos: Is it necessary? I saw the dh.pem is rather hardening "feature".
09:34 <@plaisthos> well
09:35 <@plaisthos> openvpn forces cipher suites with diffie hellman
09:35 <@plaisthos> so yes ;)
09:35 < kerio> what
09:35 < kerio> no it doesn't
09:35 <@plaisthos> 2.4+ does
09:35 <@plaisthos> !pfs
09:35 <@vpnHelper> "pfs" is See !forwardsecurity
09:35 <@plaisthos> !forwardsecurity
09:35 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can not decrypt past traffic, or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
09:35 < kerio> 2.4 is the one where you don't necessarily need a discrete log DH modulus file
09:35 < kerio> because you can rely on ECDH
09:35 < Koleon> I see, I'm still running 2.3.10 backports
09:35 <@plaisthos> yeah
09:35 <@dazo> Koleon: openvpn have always enforced dh on the server ... and that have turned out to be a good decision
09:36 <@dazo> kerio: not just ECDH ... but DH in general
09:36 < kerio> which is mindboggingly superior, even with the crappy NIST curves
09:36 <@plaisthos> yeah
09:36 < kerio> X25519 when
09:37 <@plaisthos> 2.4 enforces PFS suites
09:37 <@plaisthos> so without any DH you won't be able to connect
09:37 <@plaisthos> and ecdh is not that common yet
09:37 < lg188> plaisthos: only the server, okay
09:37 < Koleon> dazo: Alright, I understand. What size would you recommend? 2048b or bigger one?
09:38 < kerio> if you have openvpn 2.4 on both ends you can kinda assume ECDH is available, can't you
09:40 <@dazo> kerio: if the SSL library have enabled, yes
09:42 <+_FBi> there's a new SSL DoS attack
09:43 < kerio> why doesn't openvpn use DTLS?
09:43 < kerio> instead of this half-baked crap that defaults to blowfish
09:43 <@plaisthos> kerio: DTLS is newer than OpenVPN
09:43 < kerio> with a separate TLS channel
09:44 < kerio> hm
09:44 <@plaisthos> seperate control channels are common in VPNs
09:44 <@plaisthos> and DTLS is a minefild
09:44 <@plaisthos> just look at the number of CVE of DTLS
09:45 <@ecrist> I always get a kick out of people that stroll in here and call the openvpn way of doing things "crap"
09:46 < kerio> no way man i've been here for like 5 days already
09:46 < kerio> i got seniority :^)
09:46 <@ecrist> well, by all means!
09:46 -!- mode/#openvpn [+o kerio] by ecrist
09:47 < WhizzWr> lmao
09:47 <@kerio> wew
09:47 <@plaisthos> lol
09:47 -!- mode/#openvpn [-o plaisthos] by plaisthos
09:47 < WhizzWr> that's one interesting way to get an chanop status
09:47 < plaisthos> so now I can complain and you have to defend!
09:47 <@kerio> alright openvpn is now ipsec over ssh tunnel
09:51 <@ecrist> oh, right, I like that plaisthos 
09:51 -!- mode/#openvpn [-o ecrist] by ecrist
09:51 -!- mode/#openvpn [+v ecrist] by ChanServ
09:52 < plaisthos> so ecrist I see you got voice, is that IpSec any god?
09:52 <@kerio> :|
09:52  * _FBi idles harder
09:52 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has quit []
09:52 <+ecrist> plaisthos: you mean IP-SUCK?
09:52 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn
09:52 -!- mode/#openvpn [+o danhunsaker] by ChanServ
09:52 < lg188> Can I simulate an CN name in an ovpn file?
09:54 <@dazo> lg188: no, that would defeat the purpose of certificates and the information there being signed by a CA
09:54 < lg188> Well, I have certificates
09:54 < lg188> between <ca> stuff
09:54 < lg188> or whatever is applicable
09:54 < lg188> but there's no information in it
09:55 < plaisthos> ?!
09:55 < lg188> mhm?
09:55 < plaisthos> a cert (between <cert> and </cert>) always has a cn
09:55 < lg188> like only the actual key part
09:55 < plaisthos> there is also a username-as-cn option if you use user-pass
09:55 <+_FBi> will openvpn ever run on linux?
09:56 < plaisthos> lg188: what do you want to know?
09:56 < plaisthos> _FBi: sure, there is a Android version that should be easy to port
09:56 < lg188> Do I need to inclued the whole .key file in it then?
09:56 < lg188> for the cert info to be included
09:57 <+_FBi> my mac is running a linux vm with android SDK, will that work?
09:57 < plaisthos> lg188: your question does not make sense
09:57 < plaisthos> !xfory
09:57 < lg188> so you have a <key> </key> segment
09:57 <+ecrist> _FBi: I'll rejoice when there's an OpenVPN BlackBerry client
09:58 < lg188> what should I put in it?
09:58 < plaisthos> !learn xfory as https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem
09:58 <@vpnHelper> Joo got it.
09:58 <+_FBi> ecrist, so you're waiting for blackberry to have android? ha
09:58 <+ecrist> oh the irony
09:58 < plaisthos> lg188: Either you are trolling or you are lacking serious knowlege about certificates
09:59 < plaisthos> in the key section you should put the certificate's key
09:59 <+_FBi> ecrist, http://feedproxy.google.com/~r/TheHackersNews/~3/rSTspoRmBl8/police-blackberry-pgp-phones.html
09:59 <@vpnHelper> Title: Dutch Police Seize Another Company that Sells PGP-Encrypted Blackberry Phones (at feedproxy.google.com)
10:00 <+_FBi> what is this world coming to?
10:00 < lg188> Yeah, ---- begin key ---- -----end key ---- -ish stuff is there
10:01 < lg188> all I'm asking is if the "metadata" can be put there as well
10:01 < plaisthos> yes you can
10:01 <@kerio> well, the "metadata" is in the certificate
10:02 < plaisthos> kerio: openssl -text -in foo.pem gives a lot of user readable stuff
10:02 < plaisthos> lg188: ssl libraries ignore everything not between the begin end marker
10:02 <+_FBi> I'm out for now guys.  Take care!
10:02 < lg188> I think we're confusing certificate here
10:02 < lg188> you have the file
10:02 < lg188> and you have the actual stuff used for the math
10:03 < lg188> plaisthos: so It's even pointless to add, right?
10:05 < plaisthos> lg188: helps you as human to know what is in that file
10:05 < plaisthos> but for the clinet it does not matter if it is there or not
10:06 < lg188> alright
10:06 < lg188> I'm wondering how they put the CN in there but that's for another time
10:07 <+ecrist> openssl x509 -noout -in <certfile> -text
10:07 <@dazo> lg188: the (private) key and certificates are tied together.  So you can't decrypt anything when the sender (remote side) used a certificate and you have a private key for a different certificate
10:07 < plaisthos> for a config you don't want noout :)
10:07 <@dazo> :)
10:08 < lg188> eh,
10:08 < lg188> okay
10:10 < lg188> it's the same as the first half of the file?
10:11 < lg188> So in this case, the CN will always be right
10:11 < lg188> nice
10:13 <+ecrist> plaisthos: noout just prevents writing the file out, so if you're trying to just "look" at a certificate, you can see it.
10:14 <@dazo> I've more commonly dropped -text in favour of -issuer -dates -subject  .... and perhaps -sha256 -fingerprint
10:15 <+ecrist> dazo: that's a bit more advanced than telling a typical user how to look at a certificate.
10:16 <@dazo> ecrist: yeah, after over 8 years in RH working with only neer^W software engineers, I've lost track of how to communicate with normal average users
10:17 <+ecrist> :)  this is why we demand logs, and not "do you see errors in your logs"
10:17 <+ecrist> the latter is always "no"
10:17 <+ecrist> which is almost never accurate
10:18 <@dazo> :)
10:19 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
10:19 -!- mode/#openvpn [+o mattock1] by ChanServ
10:19 < plaisthos> or point out errors that can be ignored
10:19 < plaisthos> like my clint that complains that it cannot get the mac address of lo
10:19 <@dazo> those are the worst though ... I hate those errors ... if it's an error which can be ignored, is it really an error?
10:19 <@dazo> lo-lol
10:19 <@dazo> ;-)
10:19 < plaisthos> it kind of breaks push-peer-info
10:20 < plaisthos> but then again Android O will not allow you to read mac addresses of any interface anymore so it cannot be fixed either
10:43 -!- mode/#openvpn [-o kerio] by ChanServ
10:43 -!- mode/#openvpn [+o ecrist] by ChanServ
10:43 -!- mode/#openvpn [+o plaisthos] by ChanServ
11:45 -!- krzee changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire /topic || Current Release: 2.4.2 (11 May 2017) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || Your problem is probably firewall. Really || TAP/bridging is almost always a bad idea || Vulninfo: !heartbleed !poodle !ovpnuke !sweet32 || Patience is a virtue
12:00 < Algernop> Yay!!! Fresh OpenVPN goodness.
12:01 < skyroveRR> Heh
12:01 < peterandre> =]
12:02 < skyroveRR> Hey, TIL the latest version of openvpn for android doesn't require a rooted android phone :>
12:03 <@krzee> hasnt ever
12:04 <@krzee> or at least for so long i forgot
12:04 < Eugene> !android
12:04 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html, or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android, or (#3) For a difference between the clients see http://ics-openvpn.blinkt.de/FAQ.html#faq_androids_clients_title, or (#4)
12:04 <@vpnHelper> Really old (<4.0) see !android-old
12:04 < Eugene> !android-old
12:04 <@vpnHelper> "android-old" is (#1) If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the market, or (#2) Standalone OpenVPN binaries (expert users only) for Android are also available at http://plai.de/android/standalone-binaries.tar
12:04 <@krzee> it uses the android vpn API
12:04 <@krzee> oh right, since ICS
12:04 < Eugene> Since that API started existing
12:04 <@krzee> so gingerbread and prior needed root
12:04 <@krzee> thats a long long time
12:05 < Eugene> And if you still have a phone that old, throw it away
12:05 <@krzee> what if its an mp3 player?
12:05 <@krzee> :-p
12:06 < Eugene> nobody wants a mp3 player with RCE vulns
12:08 <@krzee> with nothing listening and not using it for browsing or games etc... just listening to music shouldnt be much issue ;]
12:08 <@krzee> hey dont you use voip phones?
12:08 <@krzee> prolly a 2.6 kernel in there somewhere!
12:09  * DArqueBishop chuckles.
12:10 < DArqueBishop> It took me a couple of months to get used to having a phone at my desk again. My last job used Skype for Business instead of desk phones.
12:11 <@krzee> i have 3 voip phones setup in my room
12:12 <@krzee> its a big room, my desk is in it too
12:12 < DArqueBishop> At my house, we have a cordless phone system whose base station connects to our cell phones via Bluetooth. We turned off the land line a year or two ago.
12:12 <@krzee> almost setup a separate office, but wife likes hanging with me while i work so may as well just be in my room
12:13 <@krzee> ya no landline here either
12:13 <@krzee> 2 voip phones for the office, for remote working
12:13 <@krzee> 1 for my darknet voip company, which also has a second line with a free USA number that i setup 2 days ago
12:14 <@krzee> and then a ton of other voip phones in my storage closet, also for my voip company
12:14 <@krzee> when i need to devel on them
12:16 < kerio> you sound like someone who understands how asterisk works ;o
12:17  * DArqueBishop chuckles.
12:18 < DArqueBishop> In my own case, I've never worked with Asterisk, but I've had to maintain Avaya and ShoreTel phone systems in the past.
12:20 <@plaisthos> krzee: you are forgetting honeycomb!
12:20 <@plaisthos> the only release that did something good for tables
12:30 <@krzee> plaisthos: i did forget honeycomb! wasnt there some letter they skipped?
12:37 <@krzee> OVPN-02-1: Potentially flawed TLS control channel encryption: IV collision    <-- says something will be done to mitigate, says man page was updated, and says which commit was done, so the commit was only to the manpage?
12:45 <@krzee> oops meant that for other chan
13:03 -!- r00t^2 is now known as zulu
13:03 -!- zulu is now known as r00t^2
13:36 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
14:25 < nacelle> hyper_ch: thank you, interesting... through your isp?
16:03 < Eugene> krzee - honeycomb was released on like two devices as a tech preview, but the code for it  was not pushed until AOSP because it was a fucking disaster
16:04 < Eugene> gingerbread+honeycomb were separate development branches for phone and tablet UI; they ended up being reconciled with ICS
16:04 < Eugene> Sorry, "was not pushed to AOSP until ICS"
16:33 -!- |Mike| [mike@2001:19f0:5001:21c::3] has quit [Read error: Connection reset by peer]
16:53 <@krzee> ahh ok, so CM probably skipped that release and thats what i was thinking of
17:00 -!- alexandre9099_ is now known as alexandre9099
17:37 < havoc> heh, we're finally replacing a production setup that's been running through a bunch of $180 dumb Netgear switches
18:00 <@dazo> The rumours I heard about honeycomb was that it was a hacky release as Google got pushed by some hardware vendors to release a version with support for higher resolutions (I wonder if it was about the time with the first Android tablets arriving) ... Google was so ashamed of their work, they kept it private - fixed things and released ICS later on, publicly for all
18:02 <@dazo> oh, here it is ... https://lwn.net/Articles/435774/
18:02 <@vpnHelper> Title: Android and Honeycomb [LWN.net] (at lwn.net)
18:11 < iateadonut> i'm trying to access a client's VPN.  he's only provided a uname and pword and no CA.  i'm on linux and he's on windows, so he doesn't seem to be able to give me the CA.
18:12 < iateadonut> i'm running ubuntu 16.04 (mint 18.1) and set it up through the network manager, although i can copy/paste the configuration.
18:12 < iateadonut> i'm getting this error: nm-openvpn[3150]: Options error: You must define CA file (--ca) or CA path (--capath)
18:12 < iateadonut>  
18:12 < iateadonut> further, i'm surprised that a windows client is able to login without a CA; the documentation is pretty explicit: Note that client-cert-not-required will not obviate the need for a server certificate, so a client connecting to a server which uses client-cert-not-required may remove the cert and key directives from the client configuration file, but not the ca directive, because it is necessary for the client to verify the server certificate.
18:16 <@dazo> iateadonut: are you sure your client is using OpenVPN?
18:16 <@dazo> If configured with --tls-client/--tls-server (--client/--server) ... then, there _must_ be a CA certificate
18:24 <@krzee> dealing with qsee technical support has been sad
18:25 <@krzee> ive been told by support people that i need to port forward on my router in order to view on the same lan
18:25 <@krzee> i had a level 3 support tech try to connect  to my mac address over the internet
18:26 <@krzee> ive had them give me a link to instructions and then tell me the instructions must be wrong
18:26 < iateadonut> dazo, yes, he said he is using openvpn and even sent me an openvpn executable
18:26 <@krzee> i have no facepalms left
18:29 < iateadonut> dazo, any idea under the [vpn] settings, what i should put?  i have "connection-type=password"
18:30 <@krzee> !netman
18:30 <@vpnHelper> "netman" is (#1) NetworkManager usually works fine, but can have some challenges in som env, or (#2) Ensure you run a reasonably recent NM version, or (#3) NM is aimed at client configurations and requires a logged in user session and is sensitive to instable unstable networks, or (#4) If OpenVPN works from the command line but not NM, go to #nm or https://wiki.gnome.org/Projects/NetworkManager
18:30 <@krzee> you should configure openvpn with an openvpn config
18:30 <@krzee> once you get it working THEN you can try netman
18:30 <@krzee> !ubuntu
18:30 <@vpnHelper> "ubuntu" is dont use network manager to configure your vpns! get it working via commandline and then import to network manager if you want to use it.
18:30 <@krzee> boom thats the one i wanted
18:30 <@krzee> luckily nobody clobbered that one :D
18:38 <@dazo> krzee: I have to say though, NM have improved considerably since the time we really hated the guts out of it .... now I'm able to connect to multiple VPNs at the same time, it does the DNS stuff correctly ... and so on
18:38 <@dazo> my last outstanding issue with it, is that it disconnects the VPNs when it looses contact with lan/wlan
18:39 <@dazo> (but I'll have to say, I do need to re-test that though)
18:50 <@krzee> ahh maybe its time to give it another try
18:50 <@krzee> personally i still hate the approach of having nm style configs
18:50 <@krzee> should leave the config alone imho
18:54 <@dazo> krzee: I kind of understand your argument there .... but to make it GUI friendly, it gets quite hard
18:56 < iateadonut> is openvpn.net and openvpn.com the same people?
18:58 <@krzee> no, we are openvpn.net and openvpn.org
18:59 <@krzee> dazo: this is linux, i expect only a gui for starting/stopping maybe manage autostart... but i think linux users can handle editing their config by hand
18:59 <@krzee> i think if it were far more simple it would be far better
19:00 <@krzee> and tunnelblick managed to make a user friendly gui that still allows a decent amount of config
19:00 <@krzee> without using their own style configs either, they use normal openvpn configs
19:15 <@dazo> krzee: I'd claim that the days when Linux were for the techies and nerds are long gone .... I mean, I've even deployed Linux to people who in best case barely knows what an OS is ... And even my wife have been running on Linux for many years already ... I agree the advanced options to OpenVPN can be overwhelming ... but have a look at NM with GNOME 3.14 or newer ... I'm sure you'll be surprised on how things are these days
19:15 <@dazo> (to me it actually have quite some references to OSX)
19:15  * dazo gotta go ... getting way too late here now
19:21 <@krzee> with openvpn being advanced networking im ok with it being less point and click to configure... and trying to make it that way just gets more confusing
19:22 <@krzee> gnite
19:26 < froglegstew> hello
19:27 < froglegstew> i've got a bit of an interesting issue (i think), but i'm not sure if i should ask here
19:27 < froglegstew> it's about bypassing a firewall
19:32 < froglegstew> the firewall probably has deep packet inspection , because ssh works fine (over port 22 !) and when i tunnel openvpn over ssh it connects
19:32 < froglegstew> but on android, obviously when you switch networks in drops the other one
19:32 < froglegstew> so i need to use stunnel or maybe ssh tunneling (whatever) to make the firewall think it's ssl over port 443
19:32 < froglegstew> and have openvpn not infinitely loop as it kills its own connection
22:56 < nacelle> openvpn over 443 should look like that, its tls/etc.
22:57 <@krzee> he said its probably behind DPI
22:57 <@krzee> if its behind DPI it doesnt look like web tls, it looks like openvpn
22:57 <@krzee> !obfs
22:57 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols, or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation, or (#3) in client/server mode an admin can know that openvpn is being used.
22:57 <@vpnHelper> in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
--- Day changed Fri May 12 2017
00:12 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
00:12 -!- mode/#openvpn [+o mattock1] by ChanServ
01:29 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
02:18 < misterjack> hey, I'm using OpenVPN 2.4.2 and how I can configure listening of server on ipv4 and ipv6?
02:19 <@ordex> misterjack: what system is the server running on ?
02:20 < misterjack> actual gentoo linux
02:22 <@ordex> if I am not wrong, when specifying "proto udp6" on linux it will listen on a socket that is basically dual stack (I might be wrong here, but I remember something like that during my tests)
02:22 <@ordex> but I am not really sure and I can test right now :( sorry
02:23 < misterjack> ordex, tested it right now, it listens only on ipv6
02:26 < misterjack> https://community.openvpn.net/openvpn/ticket/556 ok ,not supported atm
02:26 <@vpnHelper> Title: #556 (Dual Stack: bind to multiple IPv4 and IPv6 addresses not working) – OpenVPN Community (at community.openvpn.net)
02:28 <@ordex> misterjack: I think that's about listening on a set of IPs, not about listening on all of them at the same time (v4 and v6)
02:30 < misterjack> ordex, ok, without "local fqdn" it works :)
02:30 <@ordex> yeah, because with local you would bind it to one ip only
02:30 <@ordex> if you want dual stack, you can only listen on wildcard at the moment
02:30 <@ordex> which is what the ticket was saying
02:31 <@ordex> misterjack: so with proto udp6 ?
02:31 < misterjack> I configuried "local example.com" it should listen on ipv4 & ipv6 - like postfix, proftpd & others :)
02:32 <@ordex> because example.com resolves to both an IPv4 and IPv6 addresses?
02:32 < misterjack> tcp6-server in my case. udp6 without local is dualstack too
02:32 < misterjack> ordex, right
02:32 <@ordex> yeah
02:32 <@ordex> yeah, that's what is missing right now
02:32 <@ordex> would be cool to have :)
02:34 < misterjack> right :)
02:35 <@ordex> I started working on a multi-socket listening patch, inspired by some work done by d12fk, but I did not have enough time to make it mergeable .. it's still in a PoC state
02:35 <@ordex> misterjack: if you feel like taking over :) please do
02:37 < misterjack> oh, than I've to learn C first ;)
02:38 <@ordex> hehe
02:38 <@ordex> it's never too late !
02:39 < Algernop> ^
02:47 <+hyper_ch> yang_: still here?
02:51 < yang_> yes
03:16 <+hyper_ch> yang_: still got fiber7 ceo in arms length?
03:47 < yang_> hyperch, i think if you have a fiber7 inqury, you can contact their help staff, CEOs dont usually deal with customers directly
03:48 <+hyper_ch> yang_: :)
03:48 < yang_> but i think you can find his contact info on thecwebsite too
03:48 <+hyper_ch> no need :) still it's an intersting coincidence that he's with you just when I get my connection
03:49 < yang_> Maybe you missjudged me I am not in Init7 staff
03:50 <+hyper_ch> I assumed such
03:54 <@ordex> what is init7 ? :O
03:55 <+hyper_ch> ordex: my new home ISP and soone also my new business ISP
03:56 <+hyper_ch> I get gigabit internet and a static /48 ipv6 prefix for CHF 777/y
03:56 <+hyper_ch> (although my router only manages to get 940/70Mbit)
03:56 <+hyper_ch> (although my router only manages to get 940/740Mbit)
03:57 <+hyper_ch> when I attached my notebook directly, I did get 940/940 thouhg
03:57 < BtbN> get a better router
03:57 < BtbN> some mips plaster router can't handle gigabit
03:58 < BtbN> if you get those numbers via an OpenVPN tunnel, they are _very_ decent though
03:58 <+hyper_ch> asus rt-ac68u currently with merlin
03:58 <+hyper_ch> and there's of course a $350 alternative https://omnia.turris.cz/en/
03:58 <@vpnHelper> Title: Turris Omnia (at omnia.turris.cz)
03:59 <+hyper_ch> well, 940/740Mbit isn't too bad with my asus router
04:01 <@ordex> hyper_ch: oh a swiss provider, I see
04:02 < BtbN> Or just buy some APU board, throw pfSense or opnSense on it, and you get your gigabit easily
04:03 <+hyper_ch> ordex: yes
04:03 <+hyper_ch> will, for the office I'll also get a static ipv4 though....
04:04 <@ordex> hyper_ch: 777 CHF per month ?!
04:04 <+hyper_ch> which seems rather expensive compared to the rest (CHF 20/M)
04:04 <+hyper_ch> CHF 777 per year
04:05 <@ordex> ah
04:05 <@ordex> better :D
04:05 <+hyper_ch> (you can also opt for quarterly or half-yearly payments which are slightly more expensive)
04:05 <+hyper_ch> CHF 64.75/M for symm. gigabit
04:06 <+hyper_ch> (all in all 10x the speed of my current isp for the same price)
04:06 <@ordex> hehe sounds convenient :)
04:06 <@ordex> wow, the pinebook is out: https://www.pine64.org/?page_id=3707
04:06 <@vpnHelper> Title: PINEBOOK PINE64 (at www.pine64.org)
04:06 <@ordex> this is an interesting machine
04:07 <@ordex> although I expected it to be lighter..but for 99USD
04:07 <@ordex> :D
04:08 <+hyper_ch> how specific "Linux Distro (Default)
04:08 <@ordex> hehe
07:41 <@krzee> ordex: <ordex> if I am not wrong, when specifying "proto udp6" on linux it will listen on a socket that is basically dual stack (I might be wrong here, but I remember something like that during my tests)      <--- udp6 will be ip6 only, proto udp will be both, udp4 would be ip4 only
09:44 < hubot> Hi!
09:45 < yarddog> krzee: was it you i spoke with about openvpn on linux the other day? you said it had to be cli?
09:45 < hubot> My firewall drops openvpn packets
09:45 < hubot> http://paste.asie.pl/MBXo
09:46 < hubot> I use shorewall to filter packets
09:47 < DArqueBishop> I'm not familiar with Shorewall, but does "DPT" mean "destination port"? If so, do you have OpenVPN listening on tcp/23?
09:48 < hubot> VPN is listening on udp at port 7480
09:48 < DArqueBishop> ... then AFAICT those Shorewall messages don't relate to OpenVPN.
09:48 < hubot> http://paste.asie.pl/Wt22
09:49 < hubot> shorewall rules above
09:49 < DArqueBishop> Are you sure OpenVPN is listening on that port?
09:49 < hubot> Yes
09:50 < hubot> http://paste.asie.pl/62Q8
09:51 < hubot>  /etc/openvpn/server.conf ^
09:51 < DArqueBishop> What happens when you run "ss -a"?
09:52 < hubot> http://paste.asie.pl/yeuI
09:53 < rob0> Did you try asking your shorewall question in #shorewall channel?
09:57 <@ecrist> !notovpn
09:57 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
09:58 < hubot> rob0: no
10:00 <@ecrist> I like that the dimensions of the pinebook are in freedom units instead of those commie units you europeans use
10:02 <@ordex> :D
10:02 <@ordex> ecrist: don't start this please :D
10:02 < DArqueBishop> Are freedom units like freedom fries?
10:02 < DArqueBishop> (Aka, the same the rest of the world uses except that the world snickers at our childishness?)
10:03 < MacGyver> No.
10:03 < MacGyver> For example, the boiling point of water is at 212 degrees Freedom whereas it's at 100 degrees Communist.
10:04 < MacGyver> <-- Dutch, not American, can laugh about this joke.
10:04 < DArqueBishop> I'm American and laughing along with you.
10:05 <@krzee> yarddog: no idea, i talk to a lot of people... especially regarding openvpn
10:05 <@ecrist> :D
10:05 < DArqueBishop> I would imagine that NetworkManager is a way of doing OpenVPN via a type of GUI?
10:05 < DArqueBishop> (Warning - I have never used OpenVPN with NetworkManager.)
10:05 <@ecrist> DArqueBishop: Network Manager was written by some BDSM fanboi to torture network admins
10:06 <@krzee> freedom units LOL
10:06 <@krzee> network mangler
10:07 < DArqueBishop> I suppose if I had a Linux laptop I'd test out OpenVPN/NM.
10:07 <@krzee> it's hate with a gui
10:08 <@krzee> hate.c
10:08 < DArqueBishop> As it stands my next laptop (if I get one) will likely be Windows, if only because most of the places I would do work for are Windows-centric.
10:09 <@krzee> you could do windows with a linux VM, or linux with a windows VM
10:09 <@krzee> or dual boot
10:09 < DArqueBishop> True.
10:10 < rob0> I use a Linux laptop, and if I need to connect to a new secured access point, I edit /etc/wpa_supplicant.conf and restart the interface.
10:11 < rob0> doesn't take any longer than entering a passphrase in a GUI
10:11 <@krzee> now that you put it like that i guess theres parts of nm i like, but not related to openvpn
10:12 < rob0> haha
10:16 <@krzee> https://vimeo.com/197889802
10:16 <@krzee> havoc: check that out ^
10:17 < havoc> nifty
10:18 < havoc> just nicely packaged peripherals, for your phone
10:19 <@krzee> yes, with an app to make it desktop-like
10:19 <@krzee> instead of just having android on a bigger screen with a keyboard
10:20 < rob0> ooooh nice
10:20 <@krzee> perfect for people like my wife or mom... people that have a computer simply because some things (ms word, long emails, etc) are less comfy on a phone
10:20 <@krzee> never upgrade their computers again! they already upgrade phones :D
10:22 <@krzee> maybe people like us have valid reasons to have full computers... but i dont think most people will have a good reason anymore if this is as good as it should be
10:22 <@krzee> of course phones are not securable, but i dont think that bothers most people lol
10:23  * DArqueBishop nods.
10:23 < Eugene> I wish Google Glass hadn't suffered such a backlash. That's how I really want to interact with my computer
10:23 < MacGyver> Just a shame it's not how the rest of the world wants to interact with you.
10:24 < Eugene> Like I give a fuck
10:24 < MacGyver> I'd prefer not to have you beaming my current location to google and facebook, thank you very much.
10:24 < DArqueBishop> Hell, the example I like to give is my mother-in-law. She worked for Digital/Compaq/HP for 20 years. These days, she has a laptop that she pretty much only uses for updating her iPod. The rest of the time, she uses her tablet.
10:24 < Eugene> Do you actually believe that or are you just spouting rheotoric?
10:24 < MacGyver> Yes, I do actually believe that. Do you think the facial recognition works locally on your phone?
10:24 < Eugene> You are an idiot
10:53 < havoc> what I'd really like would be "commodity" (i.e. cheap) X-terms
10:53 < havoc> like purpose-built hardware just for X-windows
10:54 < Eugene> Its the wrong abstraction layer. Chromeboxes are the right one for the future, IMO
10:55 < Eugene> They are a web browser in a box/with a keyboard/in a stick/
10:55 < Eugene> The web is where its at, not X windows
10:55 < havoc> but that's not what *I* want :)
10:55 < Eugene> Indeed
11:00 < havoc> our new biz can get by just fine on 1990's tech :)
11:01 < havoc> (Our == Wife & I)
11:08 < DArqueBishop> Heh.
11:08 < DArqueBishop> Part of me wonder if Wyse thin clients would suit your needs.
11:09 < DArqueBishop> (Though, the word "cheap" may mean something different to you. ;-) )
11:09 < MacGyver> You could see it like being an idiot. You could also see it as being a pessimist when it comes to "company interests vs public interests".
11:10 < MacGyver> I don't trust any big company with that amount of information about my daily life, and it's fine as long as you make that choice for yourself, but not when that starts being a choice you make for *others*.
11:10 < MacGyver> Hence the "get your camera out of my face" backlash.
11:11 < DArqueBishop> The place I worked at three jobs ago had almost everyone connect to Windows terminal servers via Compaq/HP/Wyse thin clients.
11:12 < havoc> DArqueBishop: I'm thinking an Xterm that costs as much as a chromebook, or simialr
11:12 < havoc> i.e. "cheap"
11:12 < havoc> current xterns on the market are much, much more than that
11:12 < havoc> xterms
11:12 < Eugene> MacGyver - #1 you are conflating a form factor with a software stack.
11:13 < Eugene> MacGyver - #2 have you seen a google glass? Do you know how much computing power and bandwidht it takes to do facial recognition?
11:13 < MacGyver> Eugene: The backlash was against the software stack. I liked the form factor.
11:13 < havoc> which is ridiculous, as LCDs exist now, and all the hardware is commodity
11:13 < MacGyver> Eugene: That's not a reason to then just accept the tradeoff.
11:13 < Eugene> Then you are stupid
11:13 < Eugene> I like the form factor, not google
11:13 < MacGyver> No, I just have different priorities from you.
11:13 < Eugene> If you are inferrring things and calling it shit before learning then you are stupid by definition
11:13 < DArqueBishop> havoc: you also have to admit that yours is a very tiny market, which means that it'll be more expensive because so few people will be buying.
11:14 < MacGyver> You're assuming I haven't learned.
11:14 < Eugene> GO away
11:14 < MacGyver> No.
11:14 -!- mode/#openvpn [+o Eugene] by ChanServ
11:14 -!- MacGyver was kicked from #openvpn by Eugene [yes]
11:17 < havoc> DArqueBishop: agreed
11:18 <@Eugene> My 2c on Wyse terminals: good for ENTERPRISE, but a cheaper option usually works better at home/smb
11:18 < havoc> in the end I'd just use the cheapest laptops that met my needs and pxe boot or something
11:18 < DArqueBishop> Eugene: agreed.
11:18 < havoc> options/solutions are out there, I just would prefer a purpose-built product
11:18 <@Eugene> And chromebooks are cheap
11:18 <@Eugene> Oh wow, when did dell buy wyse
11:18 <@Eugene> Thats a downhill
11:19 < DArqueBishop> They were wonderful for us because we didn't risk users losing data if their local machines went dead, and we could just ship them a new pre-configured thin client.
11:19 < havoc> although we'd still need a decent windows workstation :(
11:19 < havoc> s/would/will/
11:19 <@Eugene> CLOUD-based Terminal Servers are awesome, right up until the internet cuts out
11:20 < DArqueBishop> Many of our locations were in the ass-end of America because it was an oilfield equipment provider, so we couldn't depend on local IT services or people knowing what they were doing locally.
11:20 < havoc> but what I *want* is largely irrelevant, gotta deal with What Is :(
11:20 < DArqueBishop> Of course, we still had laptops for the road warriors and beefy workstations for the engineers.
11:21 <@Eugene> I like chromebooks because its a web browser, and those work great locally. You can run an app server for it on a RasPi or whatever
11:21 <@Eugene> Have that thingy speak to the cloud to save data
11:21 < DArqueBishop> We actually had a lot of success with Wyse's thin client laptops.
11:23 < DArqueBishop> All we needed to do was "unlock" the filesystem long enough to add the RDP connections and a VPN client, and lock it back up. From that point on they were great for mobile users who only needed to access the terminal servers when out of the office.
11:24 < DArqueBishop> Personally, these days, when I'm traveling I get by with my phone and tablet (and sometimes don't even need the tablet).
11:25 <@Eugene> I have my phone for making phone calls, a tablet with all my work crap, and a laptop if I need to do something with a "real" computer, like tcpdump
11:26 < DArqueBishop> I have a work laptop, but this is the first job I've been on where I haven't been on call 24/7, even if unofficially.
11:29 <@krzee> Eugene: i agree with MacGyver
11:29 <@krzee> i hate google glass, glad it suffered a public death
11:29 <@krzee> i dont want people taking my picture and uploading it to google either
11:30 <@Eugene> Then you are also an idiot who cannot separate form from function. Have you considered a job in the patent office? ;-)
11:30 <@krzee> i dont care about the form, the product was shit
11:30 <@Eugene> If you think that I would be running an overlord's software on my face then you are high
11:30 <@krzee> and if you think im an idiot for that, then you're the idiot
11:30 <@krzee> :D
11:31 <@Eugene> I just think its too early in the mornign to be that baked
11:31 <@krzee> i dont care what YOU specifically run, i care what everybody else is running
11:31 <@Eugene> Its not the face hardware that tracks your every movement, that's what fixed-moutn cameras are for
11:32 <@krzee> i dont like those either
11:32 <@krzee> the traffic cams etc
11:32 <@krzee> the huge amount of cctv everywhere
11:33 <@krzee> i mean, you dont expect a nice percent of the people hanging in #openvpn to be privacy conscious? :D
11:33 < MacGyver> Eugene: See, what you *could've* said initially was "I meant purely the hardware paradigm, not the software stack" and then I would've said "Ah! That was not clear to me, good point!"
11:34 <@Eugene> MacGyver - I said go away. Do not talk to me again or it becomes a ban
11:34 < MacGyver> Fine.
11:34  * MacGyver shuts up.
11:37 <@Eugene> krzee - CCTV surveillance is not a crypto issue, its a social one. Not a damn thing we can do about it
11:37 <@Eugene> Except whine, of course
11:37 <@Eugene> !shotgun
11:37 <@vpnHelper> "shotgun" is (#1) the most effective form of physical security, or (#2) <hyper_ch> shotgun security? <EugeneKay> If you try to physically attack my network, I chase you with a shotgun.
11:37 <@Eugene> This always applies ^
11:38 <@krzee> i dont think we were talking about crypto
11:38 <@krzee> we were talking about privacy
11:38 <@Eugene> You said openvpn
11:38 <@krzee> ya, some people use openvpn because they care about privacy
11:38 <@krzee> im sure you know that
11:38 <@Eugene> Yup, and they're fools too. That's not how anonymity works :-p
11:39 <@Eugene> Even Tor is a crapshoot
11:39 <@krzee> i didnt say to be anonymous
11:39 <@krzee> but if i go on public wifi, it DOES give me privacy
11:40 <@krzee> so stop being so judgemental
11:40 <@Eugene> Against some things, sure. And no, you should know that i am an ass
11:40 -!- allizom1 is now known as allizom
11:40 <@krzee> ya but today going a lil too far, not everybody who cares about privacy is an idiot deserving of kickbans
11:42 <@krzee> personally that feeling is my motivation for being here
11:43 <@krzee> does that mean a person can sign up for a vpn account and magically be anonymous? we all know thats a big no. but openvpn can definitely be an aide in maintaining privacy
11:43 <@Eugene> Privacy is relative. My idea of privacy is being left alone, and sometimes that means having 'leave me be' respected ;-)
11:43 <@Eugene> Yup, layers
11:43 <@krzee> evidenced by my darknet voip company
11:43 <@krzee> with no interconnects
11:43 <@Eugene> I have little patience for those who assume that $5 VPNs are a magic bullet in the same manner
11:44 <@Eugene> I could explain it to them, but I have other things to do
11:44 <@Eugene> Like argue on the internet
11:44 <@krzee> left alone, like people not wearing glasses that upload images of you to the datamining overlords?
11:44 < havoc> Privacy, as a concept, is exceedingly difficult to maintain in an age where the majority voluntarily gives away personaly info everywhere in exchange for the tiniest conviniences
11:44 <@Eugene> HUDs kick ass. Super private screen
11:45 <@krzee> !anon
11:45 <@krzee> hmm i thought i made something about that
11:45 <@krzee> !factoids search -invalues anon
11:45 <@vpnHelper> (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
11:45 <@krzee> !factoids search --values anon
11:45 <@vpnHelper> No keys matched that query.
11:45 <@krzee> !factoids search --values provider
11:45 <@vpnHelper> 'provider', 'vpnproviders', and 'paidvpn'
11:46 <@krzee> !paidvpn
11:46 <@vpnHelper> "paidvpn" is We are very reluctant to help you if you use a (commerical) VPN provider since we do not want to be their unpaid support team. See also !both
11:46 <@krzee> !vpnproviders
11:46 <@vpnHelper> "vpnproviders" is (#1) A list of VPN providers you really need to be careful with ... https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa, or (#2) Not convinced? See !pure
11:46 <@krzee> hmm
11:46 <@krzee> i guess i didnt =/
11:47 <@Eugene> !factoids
11:47 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
11:47 <@Eugene> Is that dump actually updated anymore
11:48 <@krzee> ya its automagical
11:48 <@krzee> well it was, i think it still is!
11:48 <@krzee> ecrist: ^ ?
11:50 <@Eugene> !free
11:50 <@vpnHelper> "free" is (#1) http://lifehacker.com/5697167/if-youre-not-paying-for-it-youre-the-product, or (#2) PrivateTunnel does up to 2GB for free... And is operated by OpenVPN Technologies... For what that's worth...
11:50 <@Eugene> Eh?
12:02 <@krzee> !learn anon as https://www.goldenfrog.com/blog/myths-about-vpn-logging-and-anonymity
12:02 <@vpnHelper> Joo got it.
12:19 -!- allizom1 is now known as allizom
12:44  * ecrist looks
12:44 <@ecrist> yeah, it's automatic
12:45 <@ecrist> Eugene: why would you doubt me?
12:45 <@Eugene> !blame
12:45 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault, or (#2) According to krzee, it's always dazo's fault, or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments, or (#4) cron2 says its always d12fk's fault (and sometimes the customers), or (#5) if it is crypto blame syzzer and plai for acking
12:45 <@Eugene> Oh you're not in that list
12:46 <@Eugene> That's disappointing
12:47 <@krzee> ya we dont really blame him enough
12:47 <@krzee> haha
12:47 <@ecrist> I'm in the list...
12:47 <@ecrist> !blame 3
12:47 <@Eugene> Wow
12:47 <@krzee> !factoids whatis blame 3
12:47 <@vpnHelper> and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments
12:47 -!- Eugene was kicked from #openvpn by Eugene [incompetence at reading]
12:48 <@ecrist> lol
12:50 < rob0> wb
12:50 < Eugene> Well if you ever get pregnant, you're set
12:50  * Eugene alt-tab
12:51 < rob0> I'm already pregnant.  Going to have a baby elephant.  His trunk is already out.
12:52 < DArqueBishop> Aww. rob0's having a pygmy elephant.
12:52 <@krzee> :o
12:52 < Eugene> I mean, its not wrong?
13:10 < SviMik> Hi! I have just compiled the 2.4 for the first time, and it gave me an error:
13:10 < SviMik> Options error: Unrecognized option or missing or extra parameter(s) in server.conf:18: plugin (2.4.2)
13:10 < SviMik> did I forgot something?
13:34 <@krzee> maybe a compile ./configure option?
13:34 < skyroveRR> Hey krzee, morning to you :)
13:34 < SviMik> krzee nope, see -devel
13:34 <@krzee> g'day sir
13:35 < skyroveRR> * night :>
13:35 < skyroveRR> Midnight in 2 mins :>
13:35 <@krzee> ahh ok SviMik,ya  better for there
13:36 < SviMik> krzee they broke my plugins!!
13:36 < SviMik> all of them!
13:37 < SviMik> let me just find whose commit it was...
13:37  * krzee gets his pitchfork
14:11 < havoc> gah, not possible (with stock ssh alone) to programatically login w/ a password :(
14:11 < havoc> sshpass it is, I guess
14:11 < havoc> at least I control the server side
14:17 < havoc> hmm, nm, doing initial login from putty, which support -pw on command line
14:17 < rob0> hmm?  why not use a key?
14:17 < havoc> rob0: this is to automate setting up new routers, from factory
14:18 < havoc> so there is no key, yet
14:19 < havoc> need to get our config on these things, but need it to be automated, so need to be able to use the factory default user/pass
14:20 < rob0> oh, you're not the factory
14:20 < havoc> nope
14:20 < rob0> you could ssh-copy-id first with the password
14:22 < havoc> ah, another option, but then I remembered that this will all happen onsite, in the field, from a windows machine
14:42 <@ecrist> havoc: what's wrong with keys?
14:42 <@ecrist> oh
14:43 <@ecrist> havoc: use perl's SSH module
14:43 <@ecrist> or python's
14:47 < havoc> except for running it from windows
14:47 < havoc> would have to install perl, and/or python as well
14:47 < DArqueBishop> Ubuntu for Linux?
14:48 < DArqueBishop> ...
14:48 < DArqueBishop> Ubuntu for Windows?
14:48  * DArqueBishop hasn't installed it so he doesn't know if Perl is part of it.
14:48 < havoc> these are custom NUCs, w/ Embedded Windows (custom Windows build) on them
14:48 < havoc> basically hardware controllers
16:15 < SviMik> Does OpenVPN 2.4-icsopenvpn [git:HEAD-a7bf6fceeae86468+*] support NCP? Or any icsopenvpn at all?
16:32 <@dazo> SviMik: all 2.4 releases on any platform should support NCP ... unless disabled in the configuration file
16:32 <@dazo> (--ncp-disable)
16:33 < SviMik> that's weird, because my android connects with BF-CBC
16:33 <@dazo> it requires 2.4 on both sides, though
16:34 < SviMik> well, of course it is
16:34 < SviMik> I wouldn't question if I wasn't tested other client platforms with the same server
16:35 < SviMik> and windows client happily connects with AES
16:37 <@dazo> I'm running a newer "OpenVPN for Android" (from F-Droid) - 2.5-icsopenvpn [git:HEAD-53e588afe9fe4500] ... that have --cipher aes-256-cbc in the config, but gets upgraded to aes-256-gcm
16:39 < SviMik> To support 2.3 both with BF and CBC, as well as 2.4 with GCM, I put into the server config these two lines:
16:39 < SviMik> cipher BF-CBC
16:39 < SviMik> ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
16:39 < SviMik> is it correct?
16:41 <@dazo> That sounds sane to me
16:41  * dazo double checks his own setups
16:42 <@dazo> Yes, that is similar to what I have too
16:43 < SviMik> well, I have tested Windows 2.3 client both without "cipher" in config (which resulted in BF) and with "cipher AES-256-CBC", which also worked correctly
16:44 < SviMik> seems legit
16:44 <@dazo> yes
16:44 <@dazo> hmmmm just remembered a little detail .... does your openssl support GCM?
16:44 < SviMik> how to check?
16:45 <@dazo>  openssl ciphers -v | grep -i gcm
16:46 < SviMik> 14 lines
16:46 < SviMik> seems the answer is yes
16:47 <@dazo> yeah, agreed ... and you see gcm here too?  openvpn --show-ciphers | grep -i gcm
16:47 < SviMik> AES-128-GCM, AES-192-GCM and AES-256-GCM
16:47 <@dazo> good ... then, NCP should work
16:48 <@dazo> NCP actually depends on GCM support, as that is what it prefers to upgrade to
17:34 <@krzee> is fdroid nice dazo? i never heard of it til now
18:02 <@dazo> krzee: considering it mostly consists of free/open source packages, and even warns you before installing about anti-features ... I tend to trust that more than much other alternatives
18:03 < fury_> I'm configuring a client on a freebsd system. I have no access to the server configs. basically I want the client to still be able to route internet traffic over the VPN, but not be the *default* router for the entire system. I've tried everything I see here: https://community.openvpn.net/openvpn/wiki to no avail. If I use (any of) those things, the VPN does not become the default gateway,
18:03 < fury_> but I cannot reach the internet over the tunnel (but can still ping my VPN IP and VPN gateway). If I do not use those things, it works but is the default gateway for the entire system. it seems I need something inbetween
18:03 <@vpnHelper> Title: OpenVPN Community (at community.openvpn.net)
18:04 < fury_> these are the routes created by openvpn without any routing skips: https://paste.codexterous.com/view/eda457d3
18:04 <@dazo> krzee: Most of the apps I generally use is from F-droid these days .... and a few ones from Play store, due to them only being available there (banks, public transport, etc)
18:04 < fury_> my guess is I perhaps *just* want the 0.0.0.0 one to not happen, but I'm not really sure
18:05 < fury_> (it does not seem to be a firewall issue as it persists if I stop the firewall)
18:05 < fury_> so just a routing issue
18:23 < SviMik> VERIFY ERROR: depth=0, error=CRL signature failure
18:23 < SviMik> after upgrading openssl-devel.x86_64 0:1.0.1e-48.el6 to openssl-devel.x86_64 0:1.0.1e-57.el6
18:24 < SviMik> I hate everything in this world...
20:10 <@krzee> SviMik: im sure you got that fixed by now... right?
20:11 < SviMik> krzee rpm -Uvh --oldpackage ftp://fr2.rpmfind.net/linux/centos/6.8/os/x86_64/Packages/openssl-1.0.1e-48.el6.x86_64.rpm
20:11 < SviMik> fixed.
20:11 <@krzee> werd
20:11 < SviMik> works. idk what's wrong with 1.0.1e-57, really
20:11 <@krzee> you could also check out openvpn with mbedtls instead of openssl
20:12 <@krzee> i prefer because openssl is way too much code, mbedtls is much smaller / cleaner
20:12 <@krzee> so next time an openssl bug comes out, you can ignore most likely :D
20:15 < SviMik> krzee I've never built openvpn with mbedtls. what's the main differences except it's smaller? does it support all ciphers openssl has?
20:15 < SviMik> krzee btw, if you are interested in debugging, I'm in. just direct me what to do
20:16 <@krzee> not sure about *all*, but it supports what you'll care about
20:16 <@krzee> including ecc
20:17 < SviMik> I mostly care about BF-CBC, AES-GCM and AES-CBC
20:17 < SviMik> krzee does mbedtls use AES-NI?
20:18 < SviMik> as I understand, openssl does
20:18 <@krzee> no idea never tried
20:18 <@krzee> openssl can, if compiled specifically for it
20:18 <@krzee> wont by default tho
20:18 < SviMik> really?
20:19 <@krzee> unless that RPM of yours had it during compile time
20:19 <@krzee> !gigabit
20:19 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
20:19 <@krzee> i think jjk mentions it there
20:28 < SviMik> krzee found this: http://ask.xmodulo.com/check-aes-ni-enabled-openssl.html
20:28 <@vpnHelper> Title: How to check if AES-NI is enabled for OpenSSL on Linux - Ask Xmodulo (at ask.xmodulo.com)
20:29 < SviMik> by running this benchmark I got the 9x difference, which makes me think my openssl rpm is AES-NI capable
20:29 < SviMik> probably should work in openvpn too
20:33 < SviMik> krzee mbedtls can AES-NI too, but this thread is little suspicious https://tls.mbed.org/discussions/platform-specific/5x-slower-aesni-performance-compared-to-intels-sample-library
20:33 <@vpnHelper> Title: 5x slower AESNI performance compared to Intels sample library - Discussion Forum - mbed TLS (Previously PolarSSL) (at tls.mbed.org)
20:40 < nbastin> The results in that gigabit wiki page are...quite odd.  Although I guess it also is very old
20:40 < nbastin> would be useful to know the NICs in use
20:42 < SviMik> nbastin right, that page is from 2011 according to google
20:44 < SviMik> "The default OpenVPN for CentOS 5 currently is 2.1.4; the system OpenSSL version is 0.9.8e-fips."
20:44 < nbastin> yeah also centos 5...
20:45 < SviMik> thst says a lot
20:45 < nbastin> OpenSSL is sadly *not* a lot faster now
20:45 < nbastin> but the linux kernel netdev parser is
20:45 < nbastin> I should run a test on our testbed for fun
20:48 < SviMik> nbastin well, at least OpenSSL in CentOS 6 has AES-NI enabled by default. that's a noticeable improvement
20:48 < SviMik> if your CPU has AES-NI, of course :)
20:49  * nbastin wonders the last Intel CPU that didn't have AES-NI.. :-)
20:50 < nbastin> I guess atom D520 and things
20:52 < SviMik> nbastin from our servers: Core2Duo, Xeon L5420, L5430, L5520
20:52 < nbastin> ok, core2duo is old.. :-)
20:53 < nbastin> (launch date Q1 '08 says ark)
20:53 < SviMik> L5520 - Q1'09
20:54 < nbastin> yeah it looks like 56xx and later
20:55 < SviMik> also, AES-NI is missing in "QEMU Virtual CPU" and "Common KVM processor"
20:55 < SviMik> the most popular processors I've ever seen :D
20:55 < nbastin> I mean aes-ni can be in QEMU Virtual CPU if you expose the instruction set
20:56 < nbastin> but that's on the person that builds the host container
20:56 < SviMik> nbastin then it will be detected with some real processor name
20:57 < nbastin> not just host-passthrough, you can just -cpu qemu64,+<any-instruction>
20:58 < nbastin> with KVM it'll be the real CPU in HVM
20:58 < SviMik> at least, I can't see any QEMU Virtual CPU with AES-NI in my almost 100-line server list
20:58 < nbastin> you should be able to start it with -cpu qemu64,+aes
20:59 < nbastin> (assuming the host supports AES anyhow)
20:59 < SviMik> nbastin idk, I'm not a hoster. I'm just renting these virtual machines
21:00 < nbastin> yeah I mean for a public infrastructure there are ring0 safety problems with exposing a lot of instructions
21:00 < SviMik> I can see only what /proc/cpuinfo and cpuid inside the virtual machine can
21:00 < nbastin> so you won't find a lot of that in rented machines
21:01 < SviMik> what kind of problems?
21:02 < nbastin> guests can use various instructions to compromise the hypervisor and other guests
21:02 < nbastin> so you'll find most commercial providers don't expose a full set
21:02 < nbastin> they're not all safe to virtualize
21:02 < SviMik> if there's some kind of vulnerability, it must be known at least what exact instructions have such problems, no?
21:03 < nbastin> I think everyone learned the hard way from the AWS rebuild that they needed to whitelist instead of blacklisting
21:03 < nbastin> intel probably has some official guidance, somewhere
21:05 < SviMik> I don't think SSSE3, SSE4.1/2 and AES-NI are that kind of instructions. but they all are disabled in 47 of 69 kvm machines we have
21:06 < SviMik> yes, in 2017 69% of kvm machines are without even SSSE3
21:07 < SviMik> even Core2Duo has SSSE3
21:08 < nbastin> if any are on opteron, they have SSE2 and SSE4
21:08 < nbastin> but not SSE3
21:08 < nbastin> (we still have a few racks of operatons)
21:08 < nbastin> er, opterons
21:08 < nbastin> damn fingers
21:08 < SviMik> neither SSE4 too
21:09 < nbastin> huh, our 62xx have ssse3 it turns out
21:09 < nbastin> the 24xx don't
21:11 < SviMik> we're going to make mass-ticket-sending to all hoster bringing up this question. just need to write some really nice and motivating message...
21:11 < SviMik> maybe some of them just didn't think about it
21:12 < SviMik> or some maybe reconsider it according to the year of date
21:13 < SviMik> at least for SSE. I really hope for it.
21:20 < SviMik> nbastin according to our statistics, servers with all instructions exposed can handle 2x-3x more traffic than machines with "whitelisted" instructions, being in the same network in the same datacenter room
21:21 < nbastin> sure, I would think so
21:21 < SviMik> thanks to our provider who installed different supervisors in different years, so we could build such statistics :)
21:22 < nbastin> I mean there's also a lot of questions about underlying load and hardware type
21:22 < nbastin> but certainly exposing more instructions is generally better for the customer, from a perforamnce standpoint
21:22 < SviMik> the older vmware solutions are even more than 3x faster comparing with newer kvm they recently switched to :(
21:23 < nbastin> that is almost certainly a configuration issue
21:23 < nbastin> unless there was some other underlying change like systems with quad-channel versus dual-channel memory, etc.
21:24 < SviMik> I hope they'll fix it
21:25 < SviMik> nbastin I can only assume that new server hardware can't be slower than a few years old, but I can't really check it
21:25 < nbastin> it really can.. :-)
21:26 < nbastin> switching from say quad-channel ddr3 to dual channel ddr4 is generally a loss on variable workloads, which general VM hosting is
21:26 < nbastin> faster CPUs with fewer cores are worse (and more variant) for VM isolation
21:27 < nbastin> a lot of variants in system design matter
21:27 < nbastin> 10G SR-IOV NICs have fewer VFs than a quad-port 1G SR-IOV NIC, etc.
21:28 < nbastin> so if you're offering bandwidth limits, you can offer fewer of them well on a 10G NIC
21:28 < nbastin> (and thus people turn to software shaping)
21:28 < SviMik> for openvpn I'd prefer to have faster cores :) if you know what I mean...
21:28 < SviMik> http://svimik.com/hdms24cpu1.png
21:29 < nbastin> yeah we do something totally wacky, so I don't have this problem.. :-)
21:29 < nbastin> (every customer has their own openvpn instance running on a different port)
21:30 < SviMik> that would be 200 instances in my case...
21:30 <@krzee> SviMik: id test aes-ni, given that it was polarssl in that post it was old
21:30 < nbastin> This is really because we tap that instance into its own backend bridge, but it has the side effect of being nicely parallel for CPU usage
21:30 <@krzee> may have been improvements
21:31 <@krzee> and personally id still choose mbedtls given that over time their performance will get better and i feel that over time openssl will have more vulns found
21:32 < nbastin> openvpn doesn't even push out ksoftirqd in the top 100 processes in my list
21:33 < SviMik> nbastin how many instances do you run?
21:33 < nbastin> ooh one ticked into top.. :-)
21:33 < SviMik> and how many cores you have
21:33 < nbastin> there are 165 instances running right now
21:33 < nbastin> 48 cores
21:34 < nbastin> (hence the ksoftirqd problem)
21:34 < SviMik> ~3.4 per core... that's not so insane actually
21:35 < nbastin> I mean openvpn is a side effect of what we do, not actually what we do, but I would definitely run at least a few dozen per core without thinking about it
21:35 < nbastin> ultimately their CPU usage is metered by the upstream bandwidth
21:35 < nbastin> and my CPUs are faster than that, regardless of how many I run
21:35 < nbastin> each instance costs a *little*, but generally they just scale with bandwidth
21:36 < nbastin> 100 instances using 100 mbits isn't going to be a lot worse than 1 instance using 100 mbits
21:37 < SviMik> krzee so just ./configure --with-crypto-library=mbedtls, right?
21:41 < nbastin> oh phooey, apparently the orchestrator doesn't delete the tap interfaces when the openvpn instance is destroyed.. :-/
21:41 < SviMik> nbastin wait, your number of instances is the total number of customers, regardless of who is connected and who is not?
21:41 < nbastin> SviMik: yes, they're site-to-site VPNs at L2
21:41 < nbastin> the presumption is they're up 100% of the time
21:42 < SviMik> ah... ok
21:42 < nbastin> if they're not, I don't really care
21:42 < nbastin> but we basically have to separate them because openvpn doesn't let me select a tap interface based on client certificate
21:42 < nbastin> so I have to run multiple instances to keep them isolated
21:43 < nbastin> it just has the side effect of fairly well balancing across CPUs
21:43 < nbastin> we do set their affinity to keep them all on the CPU that the internet-facing NIC is bound to
21:43 < nbastin> so really only 12 cores available
21:45 < nbastin> so each openvpn tap is attached to an openvswitch, that the customer has control over
21:45 < nbastin> so they can program flows into it to manage their traffic, etc.
21:46 < nbastin> so like an example would be: https://www.dropbox.com/s/29fn6qxthk5sznh/Screenshot%202017-05-12%2022.40.28.png?dl=0
21:47 < nbastin> where they have it dropping a bunch of windows SMB and mdns stuff
21:47 < nbastin> so it doesn't flow over the WAN
21:47 < nbastin> oh that's dropbox lan sync, funny.. :-)
21:49 < SviMik> and we are just a public VPN provider. so if some website is blocked in your country, you can access it using our service :)
21:50 < nbastin> yeah we are providing VPNs *from* the internet, not *to* the internet.. :-)
21:50 < nbastin> (into private research networks)
21:50 < SviMik> lol
21:50 < nbastin> you specifically *cannot* access the internet over our VPN
21:51 < nbastin> we're just providing a bridge into isolated private networks from the internet (in the openvpn case)
21:51 < nbastin> if you're coming over internet2 or glif or something we generally use l2tp over ipsec, or just a raw vlan if we can reach your end
21:52 <@krzee> nbastin: why more openvpn instances than cores?
21:52 < nbastin> krzee: well we run as many openvpn instances as backend network connections
21:53 < nbastin> krzee: because I can't tell openvpn to route a given client to a specific tap
21:53 < nbastin> so I have to run an instance for each tap
21:53 < nbastin> it's REALLY ANNOYING.. :-)
21:53 < SviMik> well, our servers can do the reverse job too. we have a control panel with nat and firewall settings, so you can accept incoming connections if you like to share some IP camera etc, but your ISP does not allow incoming connections
21:53 <@krzee> why tap?
21:53 < nbastin> krzee: because our connects are L2-to-L2
21:53 <@krzee> for a reason?
21:54 < nbastin> krzee: all the internal networks are L2, so you have to be able to create vlans on the remote site
21:54 < nbastin> and have them tunneled
21:54 < nbastin> most of the research nets don't use IP
21:54 <@krzee> did the vlan tagging patches not make it into openpn?
21:54 < SviMik> krzee congratulations, you found another user who use tap :p
21:55 < nbastin> sometimes people are using wacky new protocols that use new ethertpyes, etc.
21:55 <@krzee> SviMik: i see them often, just dont hear great reasons for it often... sounds like nbastin has a much much better reason than you guys :D
21:55 < nbastin> krzee: I have to carry LLDP, STP, etc. sometimes
21:56 < nbastin> I would *not* use tap if you didn't have to, just because the MTU overhead sucks
21:56 <@krzee> nbastin: i get it, sounds reasonable
21:57 < nbastin> over TRCPS we can offer people 7000 byte MTUs, but over the internet I think 1420 bytes is what I came to as the most optimal
21:57 < SviMik> krzee we already have tun, and even some other protocols like IKEv2 :)
21:57 <@krzee> nice
21:57 < nbastin> (TRCPS is the internet2 layer3 transitrail service that goes to lots of universities)
21:57 < nbastin> so a lot of our users can get on that
21:58 < nbastin> openvpn is basically a convenience we offer to people off campus or in weird situations
21:58 < nbastin> (over the internet)
21:59 < nbastin> well, or also users I kinda don't want to provide support for.. :-)
21:59 < nbastin> I'd rather they generally used l2tp over ipsec, but eventually I stop wanting to explain it
22:00 < SviMik> krzee and today we have started migrating servers to 2.4.2 to support AES :)
22:00 < nbastin> I love the people that think openvpn is hard.. :-)
22:01 <@krzee> very nice SviMik
22:01 < SviMik> I'm quite nervous, because not all things are going right... like the openssl...
22:01 <@krzee> SviMik: ive been migrating to it for a long time lol
22:01 <@krzee> i control all the clients, so i need to upgrade them all properly
22:01 < nbastin> if I filed a ticket somewhere to make --status-version 3 work with PSK, would someone actually care?  :-)
22:02 < nbastin> I have to parse the entire log file right now to report on connection status
22:03 < SviMik> nbastin sometimes you have to fix things yourself...
22:04 < SviMik> we already have our internal patches for openvpn and strongswan
22:04 < nbastin> SviMik: I mean I could probably fix it in openvpn as long as someone would accept the patch
22:04 < nbastin> I feel like someone was going to burn down my house when I suggested that we could patch openvpn to mediate backend tap interfaces based on frontend client certs
22:05 < nbastin> that is apparently a non-starter
22:05 < nbastin> so I'm scarred
22:07 < SviMik> nbastin I don't care. I fix it for myself doing statusfile customizations and other things that unlikely to be accepted
22:08 < nbastin> SviMik: sure, just parsing the log file works for now.. :)
22:08 < nbastin> which was easy to implement in the orchestrator
22:08 < nbastin> rather than patching openvpn, and then applying those constantly, etc.
22:08 < nbastin> maintenance OPEX is much lower if workarounds are in our own code
22:09 < SviMik> nbastin today patch to show the encryption in status file: http://svimik.com/openvpn_2.4.2_statusfile_remote_ciphername.patch
22:10 < SviMik> very handy to count how many BF-CBC users we have
22:11 < SviMik> right now it's 100% :)
22:12 < nbastin> yeah, the statusfile problem with PSK seems to be higher up and more pervasive
22:12 < nbastin> it's a completely different seemingly-abandoned at-some-level code path
22:13 < nbastin> it hasn't been touched in that way since the version 1 status file
22:13 < nbastin> (even v2 is no different, it's completely ignored)
22:14 < nbastin> http://paste.debian.net/932239/ that's a v3 status file for PSK
22:14 < nbastin> full of values I could have read off the netdev...
22:14 < SviMik> lol
22:14 < nbastin> and so, totally useless
22:15 < SviMik> that's... a lot of information
22:15 < nbastin> indeed
22:15 < nbastin> all I really want to know is a) if someone is connected, and b) (less-important) what IP they are coming from
22:15 < nbastin> but really just (a)...
22:16 < nbastin> so I just search the log for "Peer Connection Initiated with"
22:16 < nbastin> and then check for disconnects after that
22:16 < nbastin> which is hacky but works
22:16 < SviMik> nbastin you can try management interface, maybe you can find something there
22:17 < nbastin> yeah, uh, with potentially thousands of instances we don't run that.. :-)
22:17 < SviMik> nbastin or maybe updown scripts to write a status file
22:17 < nbastin> we make the tap interfaces ourselves and give them to openvpn
22:17 < nbastin> they're up all the time
22:17 < nbastin> even if no one is connected
22:17 < nbastin> this is important
22:17 < nbastin> because otherwise the port number would change on the bridge
22:17 < SviMik> I mean client-connect and client-disconnect
22:18 < nbastin> HAHAHAHAA, yeah, that doesn't happen on PSK either
22:18 < SviMik> there are such script hooks
22:18 < SviMik> lol 2x
22:18 < nbastin> the hatred for PSK runs deep I think.. :-)
22:18 < nbastin> (I get this in general, but then why support it)
22:18 < nbastin> also don't stop supporting it.. :-)
22:19 < nbastin> (NSF and EU provide an independent PKI for our clients, where we exchange the PSK keys)
22:19 < nbastin> but obviously PSK can be horribly bad
22:20 < nbastin> (this is why I want to dispatch tap based on client-certs, because each federation user already has a client cert they use for other services)
22:20 < nbastin> and we would like to just use them for this
22:20 < SviMik> the hatred for PSK // there must be a list somewhere. I'm sure the tap is also there.
22:20 < nbastin> yeah, I'm living at the bottom of the openvpn barrel
22:21 < nbastin> the good news is it tastes like honey if you filter out the rat poison
22:21 < nbastin> :-)
22:21 < SviMik> :D
22:21 < nbastin> (the reason they hate PSK and TAP is probably because of the rat poison for normal users...)
22:21 < nbastin> I mean if you don't know what you're doing 'dems some dangerous things
22:21 < nbastin> but they're also sortof essential
22:22 < nbastin> (and also easy, if your users understand L2 and PKI)
22:22 < nbastin> a lot of openvpn pain is people who don't understand switching or routing, and openvpn trying to abstract it for them
22:22 < SviMik> they just don't know how to cook it!
22:23 < nbastin> obviously dry rub is the only way to go
22:23 < nbastin> you just rub L2 forwarding all over it and it tastes good
22:23 < nbastin> (minus my hatred of tunnelblick for macosx users)
22:24 < nbastin> we've got someone working on a replacement solution that we can tell people to use
22:24 < nbastin> but mostly openvpn is fantastic, really
22:25 < nbastin> makes it easy to get non-networking people connected without walking them through l2tp over ipsec
22:26 < nbastin> (which, ironically, macosx natively supports)
22:26 < nbastin> but for windows users that's a deep well of suffering
23:05 < SviMik> PLUGIN_INIT: could not load plugin shared object /etc/openvpn/async_updown.so: /etc/openvpn/async_updown.so: undefined symbol: pthread_create
23:06 < SviMik> krzee mbedtls disabled pthread somehow Oo
23:11 < SviMik> don't asked me how it worked before, but I was able to use threads in my plugins
23:12 < SviMik> until I put --with-crypto-library=mbedtls
23:35 < SviMik> ok, figured that out. now to sleep...
--- Day changed Sat May 13 2017
04:38 -!- vamiry_ is now known as vamiry
07:58 < sn0wf0x3h> Hello
07:59 < sn0wf0x3h> How do I manually start the vpn service. Im using ubuntu 17.04 and it keeps saying the vpn service hasnt started
08:49 < SviMik> if you ever stumble into "error=CRL signature failure" with openssl or "The CRL is signed with an unacceptable hash" with mbedtls - that means you need to change default_md=md5 to default_md=sha256 in your easy-rsa/openssl.cnf (or whatever you use for CRL generation)
08:49 < SviMik> thanks to mbedtls for more clear error, it helped me to figure it out
09:15 < SviMik> okay google. "openssl vs mbedtls benchmark"
09:15 < SviMik> wait... nobody did it? how's that possible?
10:15 <@krzee> i can tell you why i never bothered
10:15 <@krzee> cause i dont care much, im personally much more worried about security than performance, and i feel mbedtls wins that by enough to decide without making benchmarks
10:16 <@krzee> however, if you do it i will enjoy reading it :D
10:30 <@krzee> SviMik: syzzer looked at your patch and doesnt think it'll always work how you expect
10:30 < SviMik> krzee really?
10:31 <@krzee> ya come back to the other chan
16:17 < SviMik> https://c2.staticflickr.com/6/5474/31291444086_dc6027e001_c.jpg
16:17 < SviMik> which block size is mostly used by openvpn?
16:17 < SviMik> do I understand right that if openvpn says "256 bit key, 128 bit block" then the 16-byte benchmark result is what I'm interested in?
17:49 < vutral> i got a problem with windows clients
17:49 < vutral> it seems it doesnt like to set the ip correctly
17:50 <@krzee> what do you mean
17:50 < vutral> well dhcp fails
17:51 < vutral> it kept setting an private autoconfiguration ip address
17:51 < vutral> i switched now to manual interface configuration
17:51 < vutral> is there any tool btw for making a bundled openvpn config file ? with the certificates embedded
17:52 <@krzee> tool no, but its explained here:
17:52 <@krzee> !ios
17:52 <@vpnHelper> "ios" is See the iOS FAQ here - https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html
17:53 <@krzee> aww they unlinked my howto
18:13 < doubledip> !inline
18:13 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
18:13 <@krzee> ahh thats it!
18:13 <@krzee> #2 used to be at !ios too
18:14 <@krzee> !learn ios as https://community.openvpn.net/openvpn/wiki/IOSinline might be useful
18:14 <@vpnHelper> Joo got it.
18:16 < doubledip> !ios
18:16 <@vpnHelper> "ios" is (#1) See the iOS FAQ here - https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline might be useful
18:18 <@krzee> !learn sslbenchmarks as see http://svimik.com/mbedtls_bm1.htm for a comparison of ssl benchmark speeds between openssl and mbedtls check out
18:18 <@vpnHelper> Joo got it.
18:20 < nbastin> hrm, those don't seem like equivalent tests
18:24 <@krzee> please continue...
18:25 < nbastin> well it's hard to tell exactly what that data is from, in the first place
18:25 < nbastin> since all those tools report many values
18:25 < nbastin> but I don't see a way for openssl speed to match up precisely to benchmark.c
18:25 < nbastin> plus the input sets should be the same to be accurate
18:25 <@krzee> SviMik: what tool did you use?
18:25 <@krzee> internal benchmarks?
18:26 < SviMik> the tools used are mentioned in footnotes
18:26 < nbastin> yeah they're both internal benchmarks
18:26 <@krzee> oh yes they are
18:26 <@krzee> that seems like a fair source to me nbastin
18:28 < nbastin> I mean the problem isn't that the numbers aren't accurate, the problem is they're not comparable
18:29 < SviMik> well, I didn't found a way to test how they perform inside openvpn, so that's a synthetic test, right
18:29 < nbastin> SviMik: well, so if you want to test them for a purpose you need to figure out what that purposes is, and design a test that is at least close to that.. :-)
18:30 < nbastin> but I'm not sure how to compare the numbers from one library to another, since they don't seem like equivalent tests
18:31 <@krzee> ahh i see the issue, i like this test but i see your point and would love to see a test more specific to openvpn too sometime if somebody does it
18:31 < SviMik> I'd love to see too
18:31 < nbastin> this is certainly valid for telling me things for the same library across multiple systems.. :-)
18:35 < nbastin> I mean it might be easier to just benchmark openvpn itself, rather than trying to design a matching synthetic text
18:35 < nbastin> test, even
18:36 < SviMik> testing inside openvpn will involve network layer a lot and will require a very special setup
18:36 < nbastin> well I mean you design a topology, it's not that special.. :-)
18:37 < nbastin> but if the network layer is not identical between the ssl libraries, you have other problems.. :-)
18:38 <@krzee> !gigabit
18:38 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
18:38 < nbastin> yeah that's super old, it really needs an update
18:38 < SviMik> nbastin our servers are spread across different physical locations. I don't have any pair of unused servers that could be connected with a wire
18:38 < nbastin> I was looking at that yesterday
18:38 < nbastin> SviMik: well you can use a veth pair
18:38 < nbastin> SviMik: which is a more consistent test anyhow
18:38 <@krzee> !learn sslbenchmarks as jjk also made a writeup that includes comparing aes to bf at !gigabit
18:38 <@vpnHelper> Joo got it.
18:39 < nbastin> although if you don't have 2 cores you can use that might not really be good
18:40 <@krzee> awhile back mbedtls was like 5x slower than openssl according to their forum, so 2x now is much better
18:40 <@krzee> assuming we accept the values as given and ignore the concerns ;]
18:40 <@krzee> syzzer: maybe you can comment on this when you're around? ^
18:41 < SviMik> right, veth and couple of cores would work. still, a lot of things to configure and run
18:42 < SviMik> especially if you need to test on different hardware configurations
18:43 < nbastin> meh, building all the code is more complicated.. :-)
18:44 < nbastin> I mean you make two namespaces, make a veth pair, set their IP addresses, move them into each namespace, then start server and client
18:45 <@krzee> nice nbastin is going to make the other benchmark!
18:45 <@krzee> :D
18:45 < SviMik> ...make certs, write openvpn configs, find some tool for network benchmarking...
18:45 < nbastin> I may, actually...we do this all the time
18:45 < nbastin> well, iperf.. :-)
18:45 < nbastin> or nuttcp
18:45 < nbastin> (or both, for fun)
18:45 <@krzee> iperf is nice
18:45 < nbastin> the issues with iperf are less important if you just care about relative comparisons
18:46 <@krzee> i hadnt seen nuttcp
18:46 -!- mode/#openvpn [+vv nbastin SviMik] by krzee
18:48 <+nbastin> after I eat my pasta I may stick my hand into the benchmarking woodchipper.. :-)
18:49 <@krzee> and the community wins again!
18:49 < MiniFridge> Hi. So, I have OpenVPN's desktop GUI for Windows and I've been noticing that if I start the VPN after opening some applications like IRC, those applications will not run through the VPN and will instead run through the normal network adapter in Windows. However, if I start an application after I connect to the VPN, then web traffic will go through the VPN. Is there a way to force everything to go through the VPN so I don't have
18:49 < MiniFridge> this issue?
18:51 <+nbastin> I don't know windows that well, but you would need a way to force every existing open socket to close
18:51 <+nbastin> (except openvpn)
18:52 <+nbastin> What's going on is that the OS kernel only decides what interface to use when a new connection is made, so previously open connections are still using their previous interfaces
18:53 <+nbastin> (this is true of adding any kind of interface, not just openvpn tunnels)
18:55 < MiniFridge> Private Internet Access's client will disconnect non-VPN connections. I believe it has OpenVPN under the hood, but I can't use that due to some compatibility issues.
18:55 <+nbastin> right I mean presumably there is some way to tell windows to do this, but I don't know what it is, or whether you can do it from the command line or something
18:57 < MiniFridge> okay, thanks I'll just keep waiting to see if someone is familiar with that method.
18:57 <+nbastin> MiniFridge: http://www.nirsoft.net/utils/cports.html might help you, I found that in a stackoverflow answer about a similar question
18:57 <@vpnHelper> Title: CurrPorts: Monitoring TCP/IP network connections on Windows (at www.nirsoft.net)
18:57 < MiniFridge> I'll take a look! Thanks.
18:57 <+nbastin> it appears to have a way to close individual TCP sockets
18:57 < Eugene> im in ur socketz closin ur pipez
18:58 <+nbastin> lol
18:58 <+nbastin> There is apparently also a sysinternals command line tool called tcpvcon
18:58 <+nbastin> https://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
18:58 <@vpnHelper> Title: TCPView for Windows (at technet.microsoft.com)
18:58 <+nbastin> so something to start with at least
18:58 <@krzee> interesting
18:59 < MiniFridge> in regards to the software you linked, I don't want to have to close connections manually. :/
18:59 <@krzee> if theres something internal to windows maybe a windows only option would be valid to have to do that automatically
18:59 < yarddog> i gave up on PIA about two yrs ago when they kept blaming my equipment, went elsewhere and it's fine.
18:59 <+nbastin> well, so in win32api you can get a list of open tcp connections and then cache that, and then run openvpn, and then close all the cached socket fds
18:59 <+nbastin> if you were inclined to script something.. :-)
19:00 < yarddog> if i recall, PIA has a socks5 proxy for irc
19:00 < MiniFridge> yarddog, well, I haven't really had issues with them. But, I am having the exact same issue with OpenVPN's client as the NordVPN-given client. LOL.
19:00 < MiniFridge> Yeah, they have a Socks5 proxy
19:00 < MiniFridge> I think that's pretty standard, though
19:01 < yarddog> i dont care for either of those companies you mention :) i had nothing but trouble with both
19:02 < MiniFridge> nbastin, heh, I know nothing about Windows scripting.
19:02 < MiniFridge> So, there's nothing OpenVPN specific I can really do to your knowledge?
19:02 < MiniFridge> Like maybe changing config files?
19:02 <+nbastin> MiniFridge: certainly not that *I* know of, but I am not well versed in openvpn on windows
19:03 < MiniFridge> nbastin, okay, thanks anyways for trying to help! I appreciate it. :)
19:03 <@krzee> no its not openvpn doing it
19:03 <@krzee> like he said, its your OS's kernel
19:03 < MiniFridge> ah, okay
19:03 <@krzee> but if we find something simple in windows to reset it, then maybe openvpn could incorporate it
19:04 <@krzee> id say maybe you should make a trac ticket
19:04 <@krzee> !trac
19:04 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker., or (#2) if you have a forum login, use that for trac, its the same database.
19:04 <@krzee> at the least its something for the wishlist, and it's a pretty valid wish
19:04 < MiniFridge> true. I'll consider it. Thanks
19:04 <+nbastin> yeah I mean thinking about it a script could be fairly easily integrated into pre/post hooks
19:05 <+nbastin> you'd have some fenceposting issues with connections that happen between pre but before the tunnel is up, but something simple would probably work most of the time
19:05 < MiniFridge> fenceposting?
19:06 <+nbastin> off-by-X error
19:06 <+nbastin> this is a little bit more hinky than that, so really not OBx, but the idea is that nothing happens in perfect sequence
19:07 < MiniFridge> ah
19:07 <+nbastin> so if you cache a copy of the existing sockets, and then do something 1ms later, in half a ms maybe a new one got created
19:07 <+nbastin> you'll miss that one
19:07 < MiniFridge> that makes sense
19:07 <+nbastin> but in general it would work most of the time
19:10 <+nbastin> is mbedtls a drop-in replacement for openssl?
19:10 <+nbastin> oh polarssl, there's a build option, I see
19:11 <@krzee> openvpn doesnt care or know about your sockets, it just passes traffic that was routed to it, and when it starts it will add the routes you told it to add
19:11 <@krzee> nbastin: yes, it used to be polarssl now its mbedtls
19:11 <@krzee> ARM bought it, it happens to be great for embedded cause its lean code
19:12 <+nbastin> putting together a script for this benchmark.. :-)
19:13 < MiniFridge> hmmmm, not sure if tcpview tells me any info on what is being routed to the VPN
19:14 <+nbastin> MiniFridge: I don't think it does, other than whatever existed *before* you started the VPN is not on the VPN
19:14 <+nbastin> MiniFridge: it's like a step removed from telling you what you want
19:14 <+nbastin> I am not sure if there's a way to inspect a socket in windows (via public API anyhow) that will tell you what interface it's bound to
19:14 <+nbastin> which is really what you want to know
19:15 <+nbastin> I was just suggesting that you could infer this data by snapshotting the connections before you start the vpn
19:15 <+nbastin> it's not perfect, but it would mostly work
19:17 < MiniFridge> nbastin, oh, okay I understand now
19:17 < MiniFridge> previously I was using WireShark
19:17 < MiniFridge> Just for testing purposes
19:18 <+nbastin> yeah I mean pcap will definitely know, but that's attached at the hardware layer
19:18 <+nbastin> (what wireshark uses)
19:19 < MiniFridge> I wonder if there would even be a way for me to use a firewall to achieve this, too
19:19 <+nbastin> well you could probably block all connections other than openvpn on the hardware interface
19:19 <+nbastin> although I have no idea how to configure that in the windows firewall
19:19 < MiniFridge> I have Windows firewall disabled. I've been using Emsisoft's.
19:20 < MiniFridge> I could probably ask their support. One of the better companies when it comes to support. lol
19:28 <+nbastin> SviMik: also when doing benchmarks you might want to capture a bunch of static system info
19:28 <+nbastin> SviMik: we wrote a tool https://bitbucket.org/UH-netlab/uhexp/src/tip/scripts/uhgetconf that captures a bunch of stuff we like to look at later
19:28 <@vpnHelper> Title: UH-netlab / uhexp / source / scripts / uhgetconf Bitbucket (at bitbucket.org)
19:29 <+SviMik> nbastin all right, all right, I got it. do your own benchmark =)
19:29 <+nbastin> SviMik: just throwing that out there while I build this.. :-)
19:29 <+nbastin> SviMik: you might find it useful to have a database of those for your systems for varying reasons
19:29 <+nbastin> SviMik: it just writes out a json file
19:30 < MiniFridge> yarddog, what VPN do you use now?
19:30 <+nbastin> SviMik: (because a lot of times you end up wanting to know 3 days later about some thing on a box, and maybe you don't have a record of it)
19:34 <+nbastin> Theres a bunch of tooling I keep wanting to write around that data so we can search for various things across the infrastructure, but I've not done it.. :-)
19:35 < yarddog> MiniFridge: Air
19:37 <+SviMik> nbastin with 90+ boxes we have own monitoring system collecting and analyzing data itself, and reporting it on dashboard
19:37 <+nbastin> SviMik: yeah, we only have that for basic stuff (memory, cpu, load, etc.)
19:37 < MiniFridge> okay, well thanks for help everyone!
19:38 < MiniFridge> I appreciate it :)
19:38 < MiniFridge> I'm going to go. Bye!
19:40 <+nbastin> well,a nd for non-shared systems I only have temp basically, and power status
19:40 <+nbastin> (if we give them to someone else, we promise to not monitor them, that's their problem)
19:40 <+SviMik> nbastin for example, recently I added `netstat -lpn` analyser, which knows which services there must be always, and which are allowed to appear occasionally. if something is abnormal - I see a red lamp on dashboard
19:41 <+nbastin> yeah, because we're giving out infrastructure directly, there's a lot less I can monitor, even if they wanted me to
19:41 <+nbastin> if we're the *user* of the infrastructure we gave out, I have more stuff.. :-)
19:42 <+nbastin> so like for this openvpn benchmark, I will reserve two systems on the same 10G interconnect from the infrastructure allocator
19:42 <+SviMik> for the *big important server* I have even SMS notifications
19:43 <+nbastin> because everyone loves waking up when metal melts.. :-)
19:43 < SCHAPiE> hm, anyone else experiencing that AES-256-GCM cipher is chosen, even though something else is defined in both the (running) client and server config?
19:44 <+SviMik> SCHAPiE yes, disable NCP
19:50 < SCHAPiE> thnx SviMik
19:51 <+SviMik> yw
19:51 < SCHAPiE> blasting that CAMELLIA-256-CBC with streebog512 hash
19:51 < SCHAPiE> >:D
19:51 < SCHAPiE> https://en.wikipedia.org/wiki/Streebog
19:51 <@vpnHelper> Title: Streebog - Wikipedia (at en.wikipedia.org)
20:06 < SCHAPiE> does the ecdh-curve option allow a list of curves? instead of just one?
20:22 <@krzee> or instead of disabling ncp, configure it
20:22 <@krzee> i think its something like ncp-ciphers
20:22 <@krzee> !man
20:22 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
20:25 <@krzee> well, i think... the man page seems to insinuate you do need to disable
20:26 <@krzee> SCHAPiE: its for DH, a list wouldnt make sense
20:26 <@krzee> its only valid in server context
20:26 <@krzee> its not like ncp where its a negotiation
20:29 < SCHAPiE> well, for tls-cipher it does work as a negotiation, when not using NCP
20:30 <@krzee> thats still something done between both sides
20:31 <@krzee> whereas DH params only exist on the server
20:34 < SCHAPiE> true, but the curves are used to generate an ephemeral DH key used for the ECDHE iirc, so if the client doesn't support the particular curve, it should fall back to a curstom dh parameter file offered by the server to use for the moduli in the exchange (and be forced to use a DHE ciphersuite)
20:35 < SCHAPiE> a list of curves could make sense; NGINX supports it
20:36 <+nbastin> ok, on iperf on this setup I can get 35Gbits, time to build openvpn.. :-)
20:38 <+nbastin> 39.4 if I push 10 streams
20:42 <+nbastin> ah crap I didn't give them enough memory
21:37 <+nbastin> doing a test with the packaged 2.3.14 just to make sure things are working
21:46 <@krzee> sweet i look forward to the writeup!
21:49 <@krzee> many people will appreciate the benchmarks you guys sre up to!
21:49 <+nbastin> [SUM]  0.0-30.2 sec   718 MBytes   200 Mbits/sec
21:49 <+nbastin> default libressl build on alpine
21:49 <+nbastin> suspiciously round number
21:50 <+nbastin> although I ran 10 streams and they were more random
21:50 <+nbastin> I should try fewer perhaps
21:50 <@krzee> NICE you doing all 3
21:51 <@krzee> most people ignore libre, im usually included :D
21:51 <+nbastin> yeah I mean once it's scripted we can change any parameter we want and just run it more
21:51 <+nbastin> 190Mbits with 5 streams
21:51 <+nbastin> that's awful.. :-)
21:52 <+nbastin> I'll try some UDP tests, but they're usually worse
21:52 <@krzee> see in !gigabit how he changes mtu for tests
21:52 <+nbastin> 207Mbits with one TCP stream
21:52 <@krzee> that fixes his udp
21:52 <+nbastin> I have my MTU legit changed to 7000 bytes
21:52 <+nbastin> (the underlying link is 9000 bytes)
21:52 <@krzee> oh
21:52 <+nbastin> MTU probably not the problem
21:53 <+nbastin> although MTU to openvpn apparently means "mss"
21:53 <+nbastin> I am running taps, also
21:53 <+nbastin> so MTU is controlled by the OS
21:53 <+nbastin> I haven't done a TUN test yet
21:53 <@krzee> theres also mssfix
21:53 <+nbastin> there's a ton of options once this test is automated
21:53 <+nbastin> we can run all the permutations
21:53 <@krzee> sweetness
21:53 <+nbastin> I've grabbed these two systems for the summer for some other work
21:54 <+nbastin> so we can use them any time for this.. :-)
21:54 <+nbastin> iperf is only running 39.5Gbits, which also seems low, and i need to try to tune that
21:54 <+nbastin> (they're back-to-back intel FM10840s running 100G)
21:55 <+nbastin> we can also test on some ARM64 boxes that are on 10G
21:56 <@krzee> badass
21:56 <+nbastin> (they have a 10G fabric inside the server chassis)
21:56 <+nbastin> I'm scripting this with our general framework, so anyone could run this on any two systems they can ssh to
21:56 <+nbastin> once it works, anyhow.. :-)
21:57 <+nbastin> when we run benchmarks we always automate them so we don't have to cobble them by hand 2 years later when we want to run them again.. :-)
21:57 <@krzee> thats great!
21:57 <+nbastin> http://starlight.vts.bsswks.net:3627/dstat/sliver/urn:publicid:IDN+starlight.vts.bsswks.net+sliver+2d1bee2c-c2a9-44ae-8de1-ccdb2f157696
21:58 <@krzee> you could make an open project of it
21:58 <+nbastin> not that interesting, but you can see the CPU usage roll around when I do tests
21:58 <@krzee> i suspect people will use your code from time to time
21:58 <+nbastin> yeah, we're trying to open up all the automation stuff
21:58 <+nbastin> the CPU time on that graph is CPU ms consumed in a 120 second window
22:00 <+nbastin> I will make a bitbucket repo for this benchmark once it mostly works
22:00 <+nbastin> maybe tomorrow, I dunno, it's mother's day so maybe sometime next week
22:00 <+nbastin> but the basic setup is working at least
22:01 <+nbastin> I also bet this libressl isn't built with aes-ni support
22:01 <+nbastin> since it's the distro defaul
22:01 <+nbastin> default, even
22:01 <+nbastin> (if that's even an option for libressl)
22:02 <+nbastin> I'm going to build it now from scratch
22:04 <+nbastin> (just bare configure/make on 2.4.2, see if it's any different from package 2.3.14)
22:08 <+nbastin> hrmph, some kind of LZO problem
22:10 <+nbastin> ok configure finished at least.. :-)
22:17 <+nbastin> so 2.4.2 server with 2.3.14 client I got 205Mbits in the first test, which is basically the same
22:17 <+nbastin> not surprising, but worth seeing.. :-)
22:20 <+nbastin> that's with blowfish-cbc
22:24 <+nbastin> 314Mbps with aes-256-cbc
22:25 <+nbastin> I should try no cipher for fun
22:28 <@ordex> lol
22:28 <@ordex> then no vpn
22:28 <@ordex> :D
22:28 <+nbastin> it's still a VPN
22:28 <+nbastin> just not encrypted
22:28 <+nbastin> 363Mbits
22:28 <+nbastin> I should maybe change systems for something with faster cores
22:28 <+nbastin> as that's the high end we can get regardless
22:29 <+nbastin> 314 Mbps with AES-256-CBC with a no-encrypt of 363Mbits is not bad really
22:29 <+nbastin> these systems are super-wide to saturate the NICs, but openvpn I should just use some faster single core things
22:30 <@ordex> what's your connection speed ?
22:31 <+nbastin> 100G
22:31 <+nbastin> iperf gets 39.5G without any tuning
22:31 <@ordex> ah
22:32 <@ordex> not bad
22:32 <+nbastin> I was trying to get the network out of the way.. :-)
22:32 <@ordex> where is the other endpoint of your iperf?
22:32 <+nbastin> in the blade next to the first one.. :-)
22:32 <@ordex> 363Mbps by just putting openvpn in between ?
22:32 <@ordex> same endpoints?
22:32 <+nbastin> yeah
22:32 <@ordex> wow
22:32 <@ordex> :)
22:33 <+nbastin> iperf is threaded though
22:33 <+nbastin> I can do a single connection iperf test
22:33 <+nbastin> sec
22:34 <@ordex> ok
22:34 <+nbastin> 12.7Gbits for 1 iperf connection
22:34 <+nbastin> so it's really 12.7 to 363Mbits
22:34 <+nbastin> so much better.. :-)
22:34 <@ordex> yeah
22:34 <@ordex> well
22:34 <@ordex> you have the interface layer in between
22:34 <@ordex> which makes everything slower
22:34 <+nbastin> yeah I mean I could add a tap between for iperf
22:34 <@ordex> as openvpn handles all the payloads
22:34 <+nbastin> lemme do that
22:35 <@ordex> nope
22:35 <+nbastin> to at least get a netdev in it
22:35 <@ordex> that is still in kernels pace
22:35 <@ordex> *space
22:35 <+nbastin> yeah but for iperf we have a hardware netdev
22:35 <+nbastin> and for openvpn we have 1 hardware 1 software
22:35 <+nbastin> (the nic, plus the tap)
22:35 <@ordex> right, that is handled in userspace
22:35 <@ordex> while any netdev you create now is all handled in kernel space
22:35 <@ordex> which makes quite a change
22:36 <+nbastin> sure, just the CX-4 accelerated netdev is the only thing iperf is using
22:36 <+nbastin> adding even a tap will probably cost it a lot
22:36 <@ordex> ah ok
22:36 <@ordex> well, just try then :)
22:36  * ordex is curious too
22:36 <+nbastin> skbuffs are expensive...
22:36  * nbastin trundles off to trick this thing into using two netdevs
22:36 <+nbastin> I'll probably have to use a bridge
22:37 <+nbastin> thank god for serial consoles....
22:37 <@ordex> lol
22:37 <@ordex> how many times would have you been locked out otherwise?
22:37 <@ordex> :D
22:38 <+nbastin> uh, ...all of them.. :-)
22:38 <@ordex> :D
22:38 <+nbastin> these boxes are not even conencted to the internet
22:38 <+nbastin> to get openvpn source and stuff I had to plumb other interfaces to a router and get some real IPs.. :-)
22:39 <+nbastin> the testbed has a fully configurable L1 fabric, so at least I can move wires around from home
22:39 <+nbastin> well, for 1G and 10G
22:39 <+nbastin> the 100G wires are fixed
22:40 <+nbastin> I dunno if anyone makes L1 100G switches, but they're probably really really really expensive
22:40 <@ordex> likely
22:42 <+nbastin> ugh really I can only have one tap?  thanks mknod...
22:42 <+nbastin> well I can whack the openvpn one for now
22:42 <+nbastin> and then fix my OS later
22:42 <@ordex> one tap?
22:42 <@ordex> mh ok
22:43 <@ordex> if you have tunctl that can help
22:43 <+nbastin> yeah I had to do some magic to get this to work, and I didn't make enough devices I think
22:43 <+nbastin> I had the orchestrator put a base alpine on these boxes and it has...nothing.. :-)
22:43 <+nbastin> ok, so I made a bridge with tap0 and eth1
22:43 <+nbastin> lets fix the client
22:46 <+nbastin> I broke it good
22:47 <+nbastin> oh hrm
22:47 <+nbastin> ip link set tap0 up is not really doing anything
22:48 <+nbastin> ok well that works
22:48 <+nbastin> now to iperf
22:49 <+nbastin> well it costs, but not horrible
22:49 <+nbastin> 11.9Gbits
22:50 <+nbastin> (tcp)
22:51 <+nbastin> trying UDP for fun
22:51 <+nbastin> that should be worse
22:51 <@ordex> why worse?
22:52 <+nbastin> no segmentation offload
22:52 <+nbastin> 1.20 Gbits
22:52 <+nbastin> of course this sortof makes sense
22:52 <+nbastin> I put openvpn on udp
22:52 <+nbastin> so really the comparison is 1.2 Gbits to 363 Mbits
22:53 <+nbastin> there's no TSO for openvpn either
22:53 <+nbastin> so it's not as horrible a cost as one might think, but still 25% of "bad optimal"
22:53 <+nbastin> as I haven't tuned anything
22:54 <+nbastin> I need to get a grad student to port openvpn to use libpcap...
22:55 <+nbastin> for UDP this would be a massive improvement
22:55 <+nbastin> for TCP it would be painful.. :-)
22:56 <+nbastin> http://starlight.vts.bsswks.net:3627/dstat/sliver/urn:publicid:IDN+starlight.vts.bsswks.net+sliver+2d1bee2c-c2a9-44ae-8de1-ccdb2f157696
22:56 <+nbastin> again not that illustrative
22:56 <+nbastin> but the highest CPU usage is definitely the early iperf
22:56 <+nbastin> I need to close the gap on that collector to like 10s
22:56 <+nbastin> instead of 2 minutes
22:56 <@ordex> how much was udp with no tap?
22:57 <@ordex> just to know how much it lost on the first step when introducing the tap interface *and* the bridge
22:57 <+nbastin> yeah, good question, I didn't run that before
22:57 <+nbastin> sec
22:57 <@ordex> k
23:00 <+nbastin> 392 bits a second says I screwed up something.. :-)
23:00 <+nbastin> sec
23:01 <@ordex> :D
23:01 <+nbastin> apparently netlink sockets are...slow
23:01 <+nbastin> so I gotta wait to issue some brctl commands
23:02 <+nbastin> ok running
23:03 <+SviMik> interesting. if I restart 2.4.2 server, then 2.4.2 clients connects back, but 2.3 clients need to be restarted manually...
23:03 <@ordex> or maybe it just needs some more time ?
23:03 <+SviMik> >5min?
23:03 <+nbastin> SviMik: oh yeah I just experienced that actually
23:03 <+nbastin> with my testbed setup
23:03 <+nbastin> when I switched to 2.4.2 server
23:03 <+nbastin> 1.38Gbits
23:03 <+nbastin> so about the same
23:03 <+nbastin> I mean same margin of cost
23:04 <+nbastin> sortof worse I guess
23:04 <+nbastin> but not a lot
23:04 <+nbastin> (tcp 12.7Gbps to 11.9Gbps, udp 1.38Gbps to 1.20Gbps)
23:05 <@ordex> when introducing the tap ?
23:05 <+nbastin> yeah
23:05 <@ordex> what was the reason for dropping from 35 to 12.7 in tcp ?
23:05 <+nbastin> threads
23:05 <@ordex> ok
23:05 <+nbastin> if I run 10 tcp iperf threads, I can get almost 40G
23:05 <@ordex> and udp with one thread was also around that ?
23:05 <+nbastin> one thread UDP is all we get
23:05 <@ordex> yeah
23:05 <+nbastin> I haven't run multi-thread UDP
23:05 <@ordex> ok
23:05 <+nbastin> doing it now.. :-)
23:06 <@ordex> :D
23:06 <@ordex> are you writing these numbers down in table? of the irc log is all we have? :D
23:06 <+nbastin> I mean I'm recording the history of my terminal, but I have a fully automated test setup, so I can run these whenever
23:06 <+nbastin> we're hoping to publish the whole setup
23:06 <@ordex> oh ok
23:06 <+nbastin> 1.67Gbps with 5 UDP
23:06 <+nbastin> UDP is unlikely to get a lot better...
23:06 <@ordex> it would be interesting to see what could be improved and where
23:07 <@ordex> because of the missing tso ?
23:07 <+nbastin> lemme go 64 wide for all cores for fun
23:07 <@ordex> that's quite a change eh
23:07 <@ordex> :)
23:07 <+nbastin> well hardware TSO is...good.. :-)
23:07 <+nbastin> We can get multi-hundreds of gigabits on hardware TSO
23:07 <+nbastin> 2.03 Gbits on UDP 64-threads
23:07 <@ordex> yeah
23:08 <+nbastin> I mean that starts to introduce some awful reordering and loss, lemme ratchet the rate down
23:08 <+nbastin> I'll run 64 threads at a gig each
23:08 <+nbastin> (instead of 10G.. :-))
23:08 <+nbastin> up arrow is a meaniehead.. :-)
23:09 <+nbastin> 1.98 Gbits, so not really a concern for loss or reorddring
23:09 <+nbastin> it costs, but not much
23:09 <+nbastin> (I'm running 24 100M threads for fun, sec)
23:10 <+nbastin> I run these all for 30s, so, that's what a second means.. :-)
23:10 <+nbastin> 1.90 Gbits
23:10 <+nbastin> so probably 2.03 just cramming packets down its throat is the best we can do on UDP through the kernel
23:10 <+nbastin> with 1.20 on a single core
23:12 <+nbastin> packet parsing in the linux kernel is stupid expensive in general
23:12 <+nbastin> a libpcap udp version of openvpn would likely be much much much better
23:12 <+nbastin> for TCP you'd have to implement a state machine, so that gets horrible
23:13 <+nbastin> the engineering cost of managing all random client state machines would not be worth it, but the UDP side is really pretty easy
23:13 <+nbastin> since you're just unpacking packets
23:13 < Eugene> "reimplement tcp in libpcap" is the craziest thing i've heard all day
23:13 <+nbastin> we did that once....
23:14 <+nbastin> I mean for paired implementations it works.. :-)
23:14 <+nbastin> but handling all the variants is awful
23:14 <+nbastin> but for udp using libpcap could be a real win
23:14 <+nbastin> the cost of packet parsing in the linux kernel is obscene
23:14 <+nbastin> so many unnecessary memory copies for the purposes of a thing like openvpn
23:15 <+nbastin> with libpcap we can saturate a 10G link with 900Mhz of CPU
23:15 <+nbastin> with the linux kernel skbuff it takes almost 4Ghz to do the same
23:16 <+nbastin> parsing UDP is easy compared to TCP, so a UDP libpcap driver might actually be a reasonably easy win
23:17 <+nbastin> this doesn't work as well for people running multiple services
23:17 <+nbastin> since the way to make it fast is you don't put an IP on the netdev
23:17 <+nbastin> (thus the kernel never parses the packets)
23:17 <+SviMik> so, are you gonna test openssl vs mbedtls and aes-cbc vs aes-gcm?
23:17 <+nbastin> yeah
23:17 <+nbastin> I'm just using libressl now
23:17 <+nbastin> but will use libressl, openssl, mbedtls
23:18 <+nbastin> but the no-cipher problem seems to be the limiter at some level
23:18 <+nbastin> I mean various ssl will cost more/less CPU, but the upper limit on throughput is no-cipher
23:18 <+nbastin> unless that code path is horribly slow for some reason
23:18 <+SviMik> also would be interesting to see different CPUs and virtualization systems too (xen vs kvm vs virtualbox)
23:19 <+nbastin> we can run kvm vs. xen, I can't help you with virtualbox.. :-)
23:19 <+SviMik> s/virtualbox/vmware
23:19 <+SviMik> just a typo :)
23:20 <+nbastin> the problem there is generally config - we run all 3 of those with almost identical perf
23:20 <@ordex> nbastin: what do you mean with "reimplementing with pcap"?
23:20 <+nbastin> like within 0.01%
23:20 <+nbastin> ordex: so instead of openvpn binding to the netdev from the kernel and getting sockets
23:20 <@ordex> yap
23:20 <+nbastin> ordex: you can just pcap_open_live on the hardware interface
23:20 <@ordex> and send raw packets directly to the hw?
23:21 <+nbastin> yes
23:21 <+nbastin> it's MUCH MUCH faster
23:21 <@ordex> what is the difference with opening a RAW sock in the kernel ?
23:21 <+nbastin> a LOT
23:21 <+SviMik> but how about receiving?
23:21 <+nbastin> so the linux kernel when it gets a socket parses the packet headers and copies them into an skbuf
23:21 <@ordex> mh the kernel would still open on top of the ip layer
23:21 <+nbastin> that copy is stupid expensive
23:21 <@ordex> well, now this is much faster
23:21 <+nbastin> it also does stat and accounting on them
23:21 <@ordex> then before
23:21 <@ordex> well it does routing too before sending down to the hw :P
23:22 <@ordex> while you assume you already know where the packet has to go out
23:22 <@ordex> of course
23:22 <+nbastin> you can still push DOWN into the kernel if you want
23:22 <+nbastin> I was thinking on server-side only
23:22 <+nbastin> on the receive side for a bound interface
23:22 <@ordex> oh ok
23:22 <+nbastin> you could really improve performance
23:22 <+nbastin> I would not touch client, that gets awful
23:22 <@ordex> so get the packets right away and skipping the kernel basically
23:22 <+nbastin> right
23:23 <+nbastin> then you just have a packet mask in memory that gets the header values you know you already want
23:23 <@ordex> mh yeah, that's hardcore :D
23:23 <+nbastin> and when they don't match you drop it
23:23 <@ordex> but with udp I can see that working, with some headache
23:23 <@ordex> :D
23:23 <+nbastin> yeah with UDP only
23:23 <@ordex> yap
23:23 <+nbastin> TCP don't even try.. :-)
23:23 <+nbastin> I mean you could do it faster, but the eng effort is....a lot
23:23 <+nbastin> with UDP it's not that bad
23:23 <@ordex> you could implement a bpf in openvpn, no ?
23:24 <+nbastin> right
23:24 <@ordex> instead of the libpcap thing
23:24 <+nbastin> so you set the bpf filter for openvpn packets to start with
23:24 <@ordex> or maybe that's what you meant
23:24 <@ordex> right
23:24 <+nbastin> well that's still libpcap
23:24 <@ordex> alright
23:24 <+nbastin> that's what implements bpf
23:24 <@ordex> yeah, right
23:24 <+nbastin> but you set a filter for your port and udp and whatnot
23:25 <@ordex> that could be done quite easily, no?
23:25 <+nbastin> if the kernel netdev has NO ip address this is SUPER fast, if it has an IP it's only MOSTLY fast
23:25 <+nbastin> yes
23:25 <+nbastin> I mean seriously this is not tha thard
23:25 <@ordex> lol
23:25 <@ordex> shall we do it .. NOW ?
23:25 <+nbastin> (for udp)
23:25 <@ordex> :D
23:25 <+nbastin> no one say the text "tcp" in this context.. :-)
23:26 <+nbastin> I have zero experience with the openvpn source, but I could look at it
23:26 <+nbastin> we did a converstion for quagga which is like 8x faster
23:26 <+nbastin> conversion, even
23:27 <+nbastin> but I think you could get 2-3x pretty naively in openvpn for udp servers
23:28 <@ordex> well
23:28 <@ordex> the point is that not many servers have your bandwidth
23:28 <@ordex> most of the people have no more than 100Mbps and they can get that with the current implementation
23:28 <+nbastin> I think a lot of public hosting servers have over a gigabit
23:29 <@ordex> mah dunno
23:29 <+nbastin> plus, the CPU savings are useful?
23:29 <+nbastin> I mean if oyu bridge internet-to-internet maybe not as much
23:29 <@ordex> I Was talking to a provider that is quite focussed on speed and they target 100Mbps on most locations
23:29 <@ordex> ?
23:29 <+nbastin> well the backend output side is still kernel netdevs
23:29 <+nbastin> it'll help to get packets in faster, but only so much
23:30 <+nbastin> for our use case it would help a lot.. :-)
23:30 <+nbastin> since we're not vpn'ing you into the internet, but a different network
23:30 <+nbastin> and that network already has netmap interfaces on it
23:30 <@ordex> ah ok
23:30 <+nbastin> (there's no NAT or any other kernel transfer)
23:32 <+nbastin> http://info.iet.unipi.it/~luigi/papers/20120601-dxr.pdf if you are interested in crazy
23:32 <+nbastin> they're doing 800m route lookups/sec in software
23:32 <@ordex> lol
23:32 <@ordex> I studied there :D
23:33 <+nbastin> oh good, so netmap is known to you.. :-)
23:33 <+nbastin> this is why I suggest pcap, it's available everywhere
23:33 <@ordex> only heard of it :D
23:33 <@ordex> btw gtg
23:33 <@ordex> talk soon!
23:33 <+nbastin> and then you get free netmap acceleration if someone builds pcap with netmap
23:34 <+nbastin> I am going to move to a different set of hosts, because 363Mbps no-cipher is insufficient to me.. :-)
23:34 <+nbastin> we'll see if we can get something better on high Ghz hosts
23:35 <+nbastin> but even with libressl we were driving 300+ Mbps with aes-256-cbc
23:35 <+nbastin> it's unclear whether the ssl library even matters at that rate
23:36 <+nbastin> (we'll find out)
23:45 <+nbastin> I mean I suppose it would be very interesting if any lib was faster than no-cipher, but that would trouble me.. :-)
--- Day changed Sun May 14 2017
00:02 <@ordex> lol
00:02 <@ordex> not sure how that could happen
00:07 <+nbastin> I can only hope.. :-)
00:07 <+nbastin> trying on a new system in a few
00:09 <+nbastin> I gotta teach the orchestrator about a new build
00:10 <+nbastin> plus there is pizza and stuff.. :-)
00:15 <@ordex> :P
00:22 <+nbastin> ok, teaching new intels about things...
00:23 <+nbastin> meh, E5-2450, not that useful, but we'll see
00:23 <+nbastin> grabbing what I can.. :-)
00:23 <+nbastin> grabbing things on 10G+ switches, which is a somewhat limited set
00:24 <+nbastin> (for things on the *same* switch)
00:25 <+nbastin> I've got some C6100s directly connected, but I need to stand up some tftp/pxe to boot them
00:26 <+nbastin> I grabbed two more 100G devices anyhow.. :-)
00:35 <+nbastin> 1.70 Gbps for single thread
00:35 <+nbastin> so that's a fair amount better at least
00:35 <+nbastin> (iperf udp)
00:36 <+nbastin> (tweaking a little)
00:39 <+nbastin> I can get it to 1.73Gbps
00:39 <+nbastin> not really a win
00:39 <+nbastin> so lets get some openvpn and see
01:05 <+nbastin> ugh that was horrible
01:05 <+nbastin> log messages are...not helpful
01:08 <+nbastin> 644 Mbits
01:08 <+nbastin> over openvpn
01:08 <+nbastin> more than I would have suspected, but different processor and such
01:12 <+nbastin> [  3]  0.0-30.0 sec  2.26 GBytes   648 Mbits/sec   0.005 ms 899027/2551021 (35%)
01:13 <+nbastin> trying to figure out how to fix the datagram size in iperf on udp
01:17 <+nbastin> hrmph, openvpn is not respecting my mtu
01:24 <+nbastin> fwiw iperf parallel TCP crushes.. :-)
01:24 <+nbastin> [SUM]  0.0-30.0 sec   347 GBytes  99.4 Gbits/sec
01:26 <+nbastin> 32-core E5-2450, which is not like a burner ghz
01:26 <+nbastin> (2.1ghz)
01:28 <+nbastin> only 8 cores really on the NIC, but still some useful cpu
01:31 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 255 seconds]
01:31 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
01:31 -!- mode/#openvpn [+v s7r] by ChanServ
01:35 <+nbastin> still, almost 650Mbits on ovpn, I can't complain
01:35 <+nbastin> that's a good place to start testing
01:35 <+nbastin> I still think we could reach 2.5-3Gbps with pcap
01:37 <+nbastin> (rebuilding with aes-256-cbc)
01:41 <+nbastin> 433 Mbits/sec
01:41 <+nbastin> that's with libressl, so there may be some real opportunities for openssl or others to win
01:45 <+nbastin> well, that was udp in the tunnel
01:45 <+nbastin> lemme see if TCP is much different
01:46 <+nbastin> ew that's awful, 318Mbps
01:46 <+nbastin> with 16Mbyte windows
01:48 <+nbastin> yeah outside the tunnel even with ovpn running is 94.9G
01:49  * nbastin will write all of these things up.. :-)
02:01 <@ordex> :)
02:02 <+nbastin> 318 Mbps TCP, 433 Mbps UDP with libressl on 2.3.14
02:02 <+nbastin> 648 Mbits in 2.3.14 with no encryption
02:02 <+nbastin> so that's the target
02:03 <@ordex> asymptotically speaking :P
02:04 <+nbastin> well sure.. :)
02:05 <+nbastin> we wont do better than 648Mb without some architectural change
02:05 <+nbastin> well I could probably pull a bigger CPU for a gigabit
02:06 <+nbastin> a 3.6 would almost certainly pusha  gigabit on no encryption
02:07 <+nbastin> if I could pay a grad student over the summer we could probably do 3-4x that... :-)
02:19 <@ordex> or you could get a phd for free :P
02:23 <+nbastin> well that's what we pay the grad students for.. :-)
02:31 <@ordex> well, not bad :) when i was a grad student i was paid to do stupid things only :P
02:31 <+nbastin> we try to find real projects.. :-)
02:50 <+nbastin> I mean we'll pay them to do stupid things if I have no other options.. :-)
02:50 <+nbastin> summer is here, so there's some stupid stuff on deck
04:09 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
04:09 -!- mode/#openvpn [+o mattock1] by ChanServ
04:10 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
06:04 < mutsy> Hi there. I have a question. I have on digital ocean a droplet which serves as a VPN server. I connect to it via my laptop, but does more clients connected to it make it slower? I assume it does, since it does need to handle more traffic?
06:14 <@ordex> mutsy: of course more cpu power is required to handle the traffic in the openvpn process
07:22 < SviMik> http://svimik.com/openvpn_opt_changed.log
07:22 < SviMik> something went wrong...
07:22 < SviMik> and it fails constantly
07:23 < SviMik> works till the first Inactivity timeout, then fails to reconnect
07:24 < SviMik> Sun May 14 07:22:42 2017 GID set to nobody
07:24 < SviMik> Sun May 14 07:22:42 2017 UID set to nobody
07:24 < SviMik> ....
07:24 < SviMik> Sun May 14 07:37:34 2017 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
07:24 < SviMik> perhaps that's the problem
07:24 < SviMik> it can't reopen tap without permissions, right?
07:25 < SviMik> and the source of the problem - new 2.4 server, which causes the "Pulled options changed" issue in 2.3 clients
07:32 <@ordex> SviMik: why does 2.4 triggers that ?
07:33 <@ordex> but yeah, it smells like a permission problem due to having dropped the privileges earlier
07:33 < SviMik> idk. see the log, maybe you'll find something
07:34 <@ordex> the only change is the peer-id
07:34 <@ordex> maybe this is enough to trigger a tun/tap restart on the client side
07:35 <@ordex> but why the inactivity timeout is triggered ? isn't there anyway to keep that alive ?
07:35 < SviMik> poor network probably
07:35 <@ordex> oh ok
07:36 <@ordex> not sure what the peer-id is about
08:43 < nzb_> !welcome
08:43 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
08:43 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
08:46 < nzb_> !goal 'getting this error in pfsense PID_ERR large diff '
08:48 -!- Dougy [~dougy@openvpn/community/support/Dougy] has quit [Ping timeout: 246 seconds]
08:57 <@ordex> the bot does not understand
09:10 < SviMik> me neither
11:08 < SviMik> Error: pushed cipher not allowed - AES-256-CBC not in BF-CBC or AES-256-GCM:AES-128-GCM
11:08 < SviMik> and why CBC wasn't included in the default NCP ciphers... now I can't upgrade clients to CBC because of that...
11:16 < SviMik> what is worse - the negotiation fails completely while both sides was allowed to use BF-CBC
12:00 < SviMik> and I probably understand the reason of failing 2.3 reconnection. that's because I have set "cipher AES-256-CBC" in the 2.3 client, and 2.4 server is configured with "cipher BF-CBC" and NCP enabled.
12:01 < SviMik> the NCP server sends "cipher BF-CBC" for backward compatibility, and 2.3 client thinks the options was changed
12:02 < SviMik> so that conbination doesn't work properly
12:34 < SviMik> nope, ordex was right. that's because of peer-id option
12:35 < SviMik> which is sent to 2.3.12 clients and cause them to fail
12:35 < SviMik> but it's not being sent to 2.3.2, so no problem there
12:36 < SviMik> interesting. will track it down to the exact version
12:38 < SviMik> 2.3.10 - peer-id is sent as well, causing the same bug
12:41 < SviMik> 2.3.6 is affected too
12:44 < SviMik> 2.3.4 - no peer-id, not affected by the bug
12:46 < SviMik> 2.3.5 - no peer-id
12:46 < SviMik> and just being curious, now will check the latest 2.3 release...
12:50 < SviMik> 2.3.15 - peer-id is sent, but not affected by the bug
12:52 < SviMik> so, it was fixed somewhere
12:52 < skyroveRR> ...
12:53 < SviMik> but no fix was made for the server to not send peer-id to the glitchy clients
12:54 < SviMik> even while the bug was probably known. weird
12:54 < skyroveRR> SviMik: are you done with your ranting? Next time, use a pastebin site to post your rants.
12:55 < SviMik> skyroveRR something is wrong?
12:55 < skyroveRR> Yeah, you just ranted so much.
12:56 < skyroveRR> It was annoying to read it.
12:56 < SviMik> 11 messages in 18 minutes?
12:57 < SviMik> well, you can always leave the channel if you're annoyed by less than 1 message per minute
12:58 < SviMik> it's not even off-topic
13:01 < SviMik> or turn the notifications off
13:02 < SviMik> you're annoyed by my ranting, and I'm annoyed by openvpn bugs
13:03 < skyroveRR> :)
13:12 < SviMik> so, to sum it up: the peer-id was introduced in 2.3.6, and up to 2.3.12 (incl) it was causing the bug described (well, it's almost a crash. a graceful crash.)
13:12 < SviMik> Now when I understood what to look for, I've found that Lev Stipakov was fixed it in 2.3.13 ("Exclude peer-id from pulled options digest")
13:12 < SviMik> Now I'm curious if I can make a patch for the server to exclude glitchy versions from the peer-id exchanging
13:15 < SviMik> because 2.3.10 is what most of our clients are using right now
13:15 -!- dvl_ is now known as dvl
13:35 < fury_> would anybody happen to have any insight about this? https://serverfault.com/questions/850045/openvpn-client-as-secondary-gateway
13:35 <@vpnHelper> Title: firewall - OpenVPN client as secondary gateway - Server Fault (at serverfault.com)
13:36 < Phrk_> Hello is it possible to chain many up and down script ?
13:46 < SviMik> Phrk_ write one script, inside that scripts call whatever you want
13:47 < SviMik> of course one script can call another
13:54 < hubot> How can I restrict access to Glassfish to users that are in a VPN network using shorewall?
13:54 < SviMik> !offtopic
13:56 < SviMik> that's not actually openvpn-related. sounds more like a shorewall question
15:01 < Phrk_> SviMik, so is not possible to call many scripts from the command ?
16:49 -!- MogDog66 is now known as MogDog
20:26 < shhhs> So.
20:26 < shhhs> I'm looking for two things
20:27 < shhhs> 1. A script to assist in the setup of OpenVPN
20:27 < shhhs> 2. How to handle multiple servers.
20:29 < SviMik> 1. easy-rsa if you need cert making assistance
20:31 <@ordex> 2. is a bit generic, no ?
20:32 < shhhs> SviMik: that's the thing.
20:32 < shhhs> Earlier I setup my server and it refused to forward traffic
20:32 < shhhs> So I was connected, but not able to use it to mask my IP
20:32 < shhhs> Probably fucked up with sysctl
20:32 <@ordex> or you just did not setup the routing properly
20:32 < SviMik> 2. Handle each server like the one only.
20:32 < SviMik> (or tell us what you need in more detail)
20:35 < SviMik> shhhs there is no script to replace your head :) of course you need to configure your firewall and routing according to your situation and environment
20:39 < SviMik> shhhs in linux you may need to enable forwarding like this article says: http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/
20:39 <@vpnHelper> Title: How to enable IP Forwarding in Linux - MDLog:/sysadmin (at www.ducea.com)
20:50 < shhhs> SviMik: I 99%
20:50 < shhhs> most likely fucked that up.
20:54 < shhhs> ordex: I'm mostly just looking for how to setup multiple servers so a user can authenticate to any one of them using the same login
20:54 < shhhs> or cert
20:56 <@ordex> I am not an expert in this, but maybe by using the same CA on every server, clients with certs issued by that CA should be able to login everywhere ?
20:56 < SviMik> shhhs install easy-rsa to one server. make multiple server certs. upload these certs for each server
20:56 <@ordex> I think you could create intermediate CAs (i.e. server certificates)
20:56 <@ordex> yeah
20:57 < shhhs> Si
20:57 < shhhs> So* use one cert?
20:57 < shhhs> like one CA
20:57 <@ordex> from that CA you can create multiple server certs
20:57 <@ordex> yes
20:57 < SviMik> the client certs will be accepted on all server as long as all certs are created by the same CA
20:58 < SviMik> so yes, just make all certs in one place
20:58 < shhhs> That makes more sense
21:04 < shhhs> Any advice for preventing abuse?
21:04 < shhhs> I know I can DNS sinkhole
21:14 < shhhs> ordex: would you reccomend following the ArchWiki easy-rsa guide?
21:15 < shhhs> https://wiki.archlinux.org/index.php/Easy-RSA#Certificate_Authority_.28CA.29https://wiki.archlinux.org/index.php/Easy-RSA#Certificate_Authority_.28CA.29
21:15 <@vpnHelper> Title: Easy-RSA - ArchWiki (at wiki.archlinux.org)
21:15 < shhhs> So if I am understanding this correclty.
21:16 < shhhs> I setup a CA pair, I use the private to sign the per server pair
21:16 < shhhs> I also use the CA to sign the clients
21:23 <@ordex> yap, think so
21:23 < shhhs> Jesus
21:23 < shhhs> my PC just locked out.
21:23 < shhhs> Memory was 75% used and my HDD was being thrashed.
21:24 < SviMik> virus?
21:24 < shhhs> no
21:24 < shhhs> chrome
21:25 < shhhs> So ordex  like I was trying to say
21:25 < shhhs> I use the CA to sign my Server's keys
21:25 < shhhs> I use my CA to make my client Keys
21:25 < shhhs> My servers all have the public key as do the clients?
21:25 < SviMik> yes
21:26 < shhhs> So keep my private CA locked away
21:26 < shhhs> if my private CA gets comped all my clients are comped?
21:27 < SviMik> yes. it's better to issue certs on an isolated PC
21:27 < hehehe> hi folks
21:27 <@ordex> the private key of the CA is the most important file
21:28 < hehehe> I have setup openvpn however connection yet to happen :) I disabled firewalls on server and client - temporary same stuff
21:29 < hehehe> used both udp and tcp
21:29 < shhhs> ordex: so lets say I wanted to automate keys being handed out
21:29 < shhhs> sorry, certs
21:29 < shhhs> Any easy way?
21:29 < hehehe> I get Connection timed out (WSAETIMEDOUT)
21:29 < SviMik> cliets will have three files: ca.crt, client.crt and client.key; servers will have four files: ca.crt, server.crt, server.key, dh2048.pem (and optionally: crl.pem)
21:29 < SviMik> make sure to not copy anything else
21:29 < hehehe> anything else i can check to make it work?
21:30 <@ordex> shhhs: personally I don't think so, unless you want to put your CA in a system that is connected to the internet and available for a script to use it
21:31 <@ordex> honestly never thought this trough
21:31 < shhhs> I'm setting up a VPN host.
21:31 < shhhs> I've done server hardening and webhosting
21:31 < shhhs> So why not dabble with OpenVPN?
21:32 <@ordex> well, the "problem" is not openvpn but it's the CA
21:33 < hehehe> order?
21:33 <@ordex> you can easily do a system that autogenerate certs. the only problem is: "if you CA gets exposed, you need to restart from scratch with a new CA"
21:33 < shhhs> I can generate certs
21:33 < shhhs> :>
21:33 <@ordex> hehehe: do you see the traffic arriving on the server with tcpdump? does the server log say something?
21:33 < shhhs> I could also just do Username Password authentication
21:34 < SviMik> well, there are hardware devices for cert signing which make sure there is no way to pull the private key out
21:34 < SviMik> idk how much they cost though
21:35 <@ordex> or you make a box with just one port open where you send a request to generate a cert and it spits out the cert
21:35 <@ordex> possibly not directly connected to the internet
21:35 < shhhs> I could use username passowrd authentication
21:36 < hehehe> yes I can see traffic from win box going to server
21:36 < SviMik> http://mcacert.safescrypt.com/token.html
21:36 <@vpnHelper> Title: SifyComm: Digital Signature Certificates for MCA 21 (at mcacert.safescrypt.com)
21:36 < SviMik> something like that
21:38 < hehehe> IP reverse-178-33-xx-xx.v.net.3389 > 1xx.168.xx.xx.47956: Flags [.], ack 1, win 63034, options [nop,nop,TS val 27684492 ecr 5245848], length 0
21:38 < hehehe> :)
21:47 < hehehe> :D
21:47 < hehehe> blocked what?
21:47 < hehehe> wrong window
21:48 <@ordex> hehehe: does the server log say anything ?
21:48 <@ordex> or it behaves like no connection was received at all ?
21:48 < hehehe> sys log saying open vpn started
21:48 < hehehe> checking more
21:49  * SviMik started sending VPN servers to reboot... being connected to one of them...
21:50 < hehehe> order usually all output is in syslog right?
21:50 < shhhs> ordex: SviMik any tips for anti abuse?
21:50 < shhhs> I'm going to do HMAC
21:51 < SviMik> shhhs what kind of abuse?
21:51 < shhhs> preventing things like DDoS
21:51 < shhhs> Like outgoing DDoS
21:51 < shhhs> or DoS
21:52 < SviMik> for incoming - CloudFlare
21:52 < shhhs> My hosting provider lets me rent a firewall
21:52 < shhhs> They are also a internet backbone
21:52 < shhhs> So far they've stopped all incoming DDoS attacks
21:52 < SviMik> idk, depends on your application
21:52 < shhhs> OpenVPN?
21:53 < SviMik> CF is not just anti-ddos, it's also CDN for your website
21:53 < shhhs> I know
21:53 < shhhs> I've used them many times.
21:53 < SviMik> shhhs you mean your clients will start ddos?
21:53 < shhhs> Yea
21:53 < shhhs> Not every client is... savory.
21:53 < SviMik> we just block them without moneyback.
21:54 < shhhs> How do you handle detection?
21:54 < hehehe> Windows version 6.2 (Windows 8 or greater) 64bit
21:54 < hehehe> I am on Win server 2012
21:54 < hehehe> maybe I need xp client?
21:54 < SviMik> shhhs iptables -j LOG
21:54 <@krzee> yep, thats a firewall thing
21:54 <@krzee> maybe #netfilter would be a good place for better info
21:55 < shhhs> SviMik: you got any tools you suggest for automating deployment?
21:55 < shhhs> or is it more of a roll your own toolkit situation
21:55 < SviMik> I use my own tools
21:55 < shhhs> If it's the latter, I'll post mine to Github. I'm working on deploying to Docker containers to make rollbacks easier
21:55 < shhhs> Incase anything breaks.
21:57 < shhhs> I'm going to be back, I'm grabbing a coffee.
21:57 < shhhs> It's been a long 18 hours.
21:59 < hehehe> ordex: https://pastebin.com/sRrhzpwm
21:59 < hehehe> verbosity level 9 :)
21:59 <@krzee> never verb 9
21:59 <@krzee> !verb
21:59 <@vpnHelper> "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info, or (#2) verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage., or (#3) Anything more than 5 is for developer debugging only (special debug build needed)
21:59 < hehehe> why
22:00 < hehehe> oki
22:00 <@krzee> cause aint nobody got time fo dat
22:00 < hehehe> what does a=TA means? :D
22:00 <@krzee> verb 4 or 5 are good for troubleshooting... 4 normally and 5 if i suspect firewall issues
22:00 < hehehe> its not firewall
22:01 < hehehe> what else can it be?
22:01 <@krzee> then 4 is fine
22:01 < hehehe> issue with a keys?
22:01 <@krzee> i didnt even see the problem
22:01 < hehehe> same
22:01 <@krzee> i just caught you saying verb 9
22:01 < hehehe> but it wont connect
22:01 < hehehe> it times out and wont connect
22:01 <@krzee> !timeout
22:01 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or one of the ISPs blocks it
22:01 < hehehe> server is running
22:02 < hehehe> firewalls I did disable both same
22:02 < SviMik> krzee I see tcp in his log
22:02 < hehehe> yes I am trying tcp now
22:02 <@krzee> im not looking til its verb 4 or 5 heheh
22:02 < hehehe> whatever :D
22:02 < SviMik> it's time for tcpdump!
22:02 <@krzee> lol i was laughing but i said your name :D
22:03 < hehehe> how can I check is ISP blocks port?
22:03 < hehehe> :)
22:03 <@krzee> iperf?
22:03 < SviMik> tcpdump on both sides
22:04 < SviMik> or sites... whatever
22:04 <@krzee> !configs
22:04 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
22:04 <@krzee> show me both configs exactly as you are CURRENTLY using
22:04 <@krzee> i dont want to see configs that are in some previous irrelevant state
22:05 < hehehe> oki
22:11 < hehehe> https://pastebin.com/6pZD0YDY  https://pastebin.com/4d8Au78v
22:11 < hehehe> here
22:13 <@krzee> read again pls:
22:13 <@krzee> !factoids whatis configs 1
22:13 <@vpnHelper> please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version
22:13 <@krzee> your config is all comments
22:14 < hehehe> ......
22:14 < hehehe> .......
22:14 < hehehe> lubuntu 16.04
22:14 < hehehe> and windows server 2012
22:19 < SviMik> just upgraded 97 production servers to 2.4.2
22:19 < SviMik> probably not gonna sleep next hour :)
22:20 < hehehe> i might do it later
22:20 < hehehe> have to talk to friend
22:20 < hehehe> diff to erase lines and talk :D
22:22 < SviMik> 2.93% of our users now are switched AES automatically
22:22 < SviMik> the rest are 2.3 clients
22:26 < SviMik> we have one user with IV_VER=3.0.12 and IV_PLAT=android O_o
22:26 <@krzee> hehehe: if you post your configs without comments i will take a look
22:26 < hehehe> ok ok
22:26 < hehehe> :D
22:26 < hehehe> I will try
22:27 <@krzee> SviMik: "openvpn connect"
22:27 <@krzee> its the app from openvpn technologies, a total rewrite of openvpn in c++ under a different license so they could get it on the IOS store
22:28 <@krzee> !connect
22:28 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide, or (#2) the source is here: https://github.com/OpenVPN/openvpn3 except for the portion that may not be released
22:28 <@vpnHelper> because of NDA with apple (for its vpn API), or (#3) It is impossible to retrieve your configuration from Connect itself. This is by design. Keep a copy of your config (and any certs/keys/etc that go with it) someplace safe, and where you can find it later
22:28 <@krzee> its technically 'openvpn 3' which will be interesting when openvpn 2.x turns into the next version (maybe it'll be v4? lol)
22:29 <@krzee> once upon a time there was this:  but it was before ovpn3 was written
22:29 <@krzee> !roadmap
22:29 <@vpnHelper> "roadmap" is https://community.openvpn.net/openvpn/wiki/RoadMap for the roadmap for OpenVPN 3
22:30 <+nbastin> If anyone cares about an update, I got cipher none up to 1.3Gbps when I set up tun-mtu properly
22:30 <+nbastin> The docs are...less than clear.. :-)
22:30 <@krzee> nbastin: you'll be making a writeup when you're done?
22:31 <+nbastin> krzee: uar
22:31 <+nbastin> yar, even
22:31 <@krzee> nice, ill be giving that a read
22:31 <+nbastin> still working through a bunch of permutations.. :-)
22:31 <+nbastin> trying to see if I can just get base performance up
22:31 <+nbastin> I got a little distracted.. :-)
22:31 <+nbastin> apparently you have to set tun-mtu, even if you've properly configured your tap interfaces
22:32 <+nbastin> it doesn't really mean tun-mtu, it means like...openvpn application message size or something
22:32 <+nbastin> (as it doesn't even set the device mtu)
22:34 <@ordex> hm
22:34 <@ordex> shouldn't that be inferred automatically? why do you need to set it up ? something non-standard on your interfaces mtu?
22:34 <+nbastin> maybe I should have set link-mtu
22:34 <+nbastin> I'm not really sure
22:35 <+nbastin> the underlying interfaces are 9000 byte MTU, I set the tap on the server side to 7000 just to be safe
22:35 <+nbastin> but nothing over 1500 moved if I didn't tweak the configs
22:35 <+nbastin> I tried to send a 5000 byte ping with DF set and it never made it unless I set tun-mtu
22:36 <+nbastin> I set tun-mtu to 7000 in the client config, but when it makes the tap interface the netdev itself is still set to 1500
22:36 <+nbastin> so I have to change that by hand when it comes up
22:38 <+nbastin> maybe I really want to set link-mtu?
22:38 <+nbastin> it's not really clear to me in the docs what these actually control
22:45 <+nbastin> is --link-mtu and --tun-mtu on...a synthetic interface that isn't a netdev that represents the vpn inside userspace?
22:49 <@ordex> mh sounds like there is a 1500 hardcoded somewhere instead of detecting the actual interface mtu
22:49 <+nbastin> or at least some kind of assumption that the MTU is only smaller, not larger
22:50 <+nbastin> The docs...confuse me
22:51 <+nbastin> I don't understand the relationship between link mtu and tun mtu, although if I had to guess I'd say that tun-mtu "knows" about openvpn framing overhead
22:51 <@krzee> tbh me too :D
22:51 <+nbastin> but this isn't really ever described anywhere
22:51 < hehehe> https://pastebin.com/kgUackzh https://pastebin.com/UVJ2Zqi3 krzee
22:51 < hehehe> :D
22:51 < hehehe> I managed to delete stuff :D
22:53 <+nbastin> I should grab some pcaps and figure out the on-wire framing I guess
22:55 < hehehe> and as I bonus for helping me to fix it https://www.youtube.com/watch?v=Dpv1X3OjJ1A
22:55 < hehehe> some fun stuff
22:55 <@krzee> hehehe: dude you posted your private key'
22:55 < hehehe> nah
22:56 < hehehe> I edited it :D
22:56 < hehehe> haha
22:56 <@krzee> !inline
22:56 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
22:56 <@krzee> you didnt do it right
22:56 < hehehe> whats the mistake?
22:56 <@krzee> hella human readable stuff in the <cert>
22:56 <@krzee> see link #2 above
22:57 < hehehe> mine looks similar
22:58 < hehehe> i dont see what exactly is wrong
22:59 < hehehe> i use same format
22:59 < hehehe> ....
23:00 <+nbastin> 731Mbps with 6000 byte frames with aes-256-cbc
23:00 <+nbastin> (libressl, default build, blah blah)
23:05 < hehehe> krzee: exactly same
23:05 < hehehe> what is the mistake :D
23:06 < hehehe> I dont have time to think now
23:06 < hehehe> busy
23:06 < hehehe> :D
23:07 < hehehe> if u see what it is may as well tell me'
23:08 <@krzee> !logs
23:08 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
23:08 <@krzee> both sides, verb 5
23:13 < hehehe> I used to have linux pia client maybe it was messing
23:13 < hehehe>  resolver1.privateinternetaccess.com.domain: 9683+ PTR? 216.22.33.178.in-addr.arpa. (44)
23:13 < hehehe> from tcp dump
23:15 <@krzee> you dont control the server?
23:16 <@krzee> you connecting to PIA?
23:16 < hehehe> dun
23:16 < hehehe> no!
23:16 < hehehe> https://pastebin.com/famrqJUT
23:16 < hehehe> client box
23:17 < hehehe> on server box I had PIA client installed maybe its somehow messing with open vpn
23:17 < hehehe> but it should not
23:17 < hehehe> 1 thing I could try is to change inline config to ordinary one
23:17 < hehehe> and see
23:18 <@krzee> nah its not that
23:18 <@krzee> waiting for server log
23:18 <@krzee> seems to me that 90.191.63.155:1195 is closed
23:19 <@krzee> so either firewall on server, on router, or not listening on that ip:port
23:21 < hehehe> well I added it to firewall
23:21 < hehehe> so maybe router
23:23 < hehehe> server log is MULTI: REAP range 208 -> 224
23:23 < hehehe> 2017 us=798646 MULTI TCP: multi_tcp_action a=TA_TIMEOUT p=0
23:23 < hehehe> us=798673 MULTI TCP: multi_tcp_dispatch a=TA_TIMEOUT mi=0x00000000
23:23 < hehehe> us=798740 MULTI TCP: multi_tcp_post TA_TIMEOUT -> TA_UNDEF
23:23 < hehehe> us=798766 SCHEDULE: schedule_find_least NULL
23:26 < hehehe> krzee: I run nmap router got 4 ports open
23:26 < hehehe> so it kinda may block others by default?
23:30 < hehehe> seems so
23:34 <@krzee> 30min after i said to post logs, and you still havnt
23:35 <@krzee> well 1/2
23:35 < hehehe> i did
23:35 < hehehe> server log is MULTI: R
23:35 < hehehe> that is it
23:35 <@krzee> !logfile
23:35 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
23:35 <@krzee> thats not the servers log file
23:37 < hehehe> you mean syslog ok
23:37 <@krzee> depends on your setup... you could use --log instead
23:38 <@krzee> or let syslog deal with it
23:38 <@krzee> potentially having syslog output it to its own file and newsyslog rotate it
23:38 <@krzee> but ya thats all your choice
23:42 < hehehe> I use log
23:42 < hehehe> and I paste output
23:42 < hehehe> blah
23:42 <@ordex> hehehe: best is to use the —log option so that the output is redirected to the file you chose. this makes it easier to pick up the log later
23:42 < hehehe> its something very simple
23:42 < hehehe> yes
23:42 <@ordex> hehehe: just upload the log somewhere, no ?
23:42 < hehehe> I do that
23:42 < hehehe> I already did twice
23:42 <@ordex> I just arrived :P sorry
23:43 <@ordex> can you repaste the link ?
23:43 < hehehe> there are no more details there lol
23:44 <@ordex> what do you mean? the link has expired?
23:45 <@krzee> no, you didnt
23:45 < hehehe> krzee: hmm
23:45 < hehehe> anyway I think its private key etc
23:45 < hehehe> I did
23:45 < hehehe> erver log is MULTI: REAP range 208 -> 224
23:45 < hehehe>  2017 us=798646 MULTI TCP: multi_tcp_action a=TA_TIMEOUT p=0
23:45 < hehehe>  us=798673 MULTI TCP: multi_tcp_dispatch a=TA_TIMEOUT mi=0x00000000
23:45 < hehehe>  us=798740 MULTI TCP: multi_tcp_post TA_TIMEOUT -> TA_UNDEF
23:45 < hehehe> us=798766 SCHEDULE: schedule_find_least NULL
23:46 < hehehe> that is it....
23:46 < hehehe> even at verbose 9
23:46 < hehehe> I used also -A POSTROUTING -s 10.8.0.0/8 -o wlan0 -j MASQUERADE
23:46 < hehehe> wlan0 public network interface
23:47 <@ordex> hehehe: that is *part* of the log
23:47 < hehehe> rest is same
23:47 <@ordex> what's wrong with pasting the entire log somewhere from beginning to end?
23:47 < hehehe> exactly same
23:47 <@krzee> a we dont want verb 9
23:47 < hehehe> !!!
23:47 <@krzee> i told you verb 5
23:47 <@krzee> specifically
23:47 < hehehe> I changed it to 5
23:47 < hehehe> :D
23:47 < hehehe> 9 gives more than 5 right?
23:47 < hehehe> more details
23:47 < hehehe> or each gives a specific output?
23:48 <@ordex> it gives too much, to the point that you can't debug higher-level problems
23:48 <@ordex> hehehe: are you asking for help or are we playing some kind of riddle here? :D
23:49 <@krzee> seriously
23:49 <@krzee> im like 50% that hes trolling
23:51 < hehehe> nah
23:51 < hehehe> its all the same
23:51 < hehehe> there is nothing else there
23:51 <@krzee> then either you arent using openvpn or you arent looking at the right file
23:51 <@krzee> !logfile
23:51 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
23:52 < hehehe> etc/openvpg/openvpn.log
23:52 < hehehe> and I grep a syslog nothing there
23:53 < hehehe> what is usually there?
23:53 <@ordex> in the openvpn log file you have *all* the openvpn output
23:53 <@ordex> from the beginning, when it tries to boot up, read configuration etc etc etc
23:54 <@ordex> like any normal logfile
23:54 <@ordex> you just have to take the file that you have specified after —log and pastebin it
23:54 <@ordex> if you have wgetpaste installed, just run: wgetpaste /path/to/logfile
23:54 <@ordex> this will do the trick for you and give you a link
23:56 <@ordex> if you believe you have all the information to solve the problem, then it's fine
23:56 < hehehe> in config I got log-append  openvpn.log
23:58 <@ordex> it's ok. like the man says, this just keeps the log of the previous executions instead of deleting it. best would be if you delete the file first, and then run the server and try to replicate the problem, then upload the logfile
--- Day changed Mon May 15 2017
00:00 < hehehe> yep
00:00 < hehehe> 1 moment
00:06 < hehehe> https://pastebin.com/DG1ixtRK
00:07 < hehehe> Listening for incoming TCP connection on [undef] maybe this is mistake?
00:07 <@ordex> hehehe: did you attempt a client connection ?
00:07 < hehehe> yes
00:07 <@ordex> nope, that's ok
00:07 <@ordex> krzee: ^^
00:07 < hehehe> its constantly tried to connect
00:08 < hehehe> *tries
00:08 <@ordex> ok, the server does not seem to have any incoming connection whatsoever
00:08 < hehehe> yesss
00:08 <@ordex> so the problem must be between the openvpn server and client
00:08 <@ordex> is the server connected to the internet with a public IP address?
00:08 < hehehe> but tcp dump shows there is a connection
00:08 < hehehe> yes
00:08 < hehehe> oo wait its a residential ISP dynamic IP
00:09 < hehehe> does it make difference?
00:09 <@ordex> no
00:10 < hehehe> IP reverse-178-33-xx-xx.ve.net.3389 > 192.xx.xx.xx.47956: Flags [P.], seq 346:511, ack 1, win 63883, options [nop,nop,TS val 28604219 ecr 7545441], length 165
00:10 <@ordex> so the server has been assigned a public IP? or you have a residential router in front ?
00:10 <@ordex> and ?
00:10 < hehehe> router with firewall disabled
00:10 < hehehe> isp block?
00:10 <@ordex> assuming 192.xx.xx.xx is the VPN server, it seems the packet is going to 47956
00:11 <@ordex> so the router gets the public IP, I guess?
00:11 <@ordex> if so, have you configured port forwarding on the router?
00:11 < hehehe> i disabled firewall on it
00:11 < hehehe> ok u mean to forward packets to server internal ip or?
00:12 <@ordex> yes
00:12 <@ordex> it's called port forwarding
00:12 < hehehe> checking
00:12 <@ordex> you *must* do that when you want a host (your router) to forward packets arriving on a given port
00:12 <@ordex> otherwise the router just does not know what to do .. why would it send them to your server ?
00:12 <@ordex> !portforwarding
00:13 <@ordex> mh we don't have anything for that I think .. too generic :P
00:13 <@krzee> at some point update your openvpn, thats over a year old
00:14 <@krzee> but thats not the problem, problem is not in openvpn at all
00:14 <@krzee> its general networking
00:15 <@krzee> if you were running a webserver on that port on that machine, you wouldnt be able to reach that from the client computer either
00:15 <@krzee> im not sure why, but its still one of the things i said before
00:16 <@krzee> bad firewall rules or bad port forwarding
00:16 < hehehe> ordex: do I need to use upnp or not?
00:16 < hehehe> :D
00:17 <@ordex> I have no clue. this is about your router
00:17 <@ordex> like krzee said, this is about general networking and your home setup
00:17 <@ordex> I don't know how your router works :P
00:17 <@krzee> openvpn will not use upnp
00:18 <@krzee> you need to manually port forward, and you wont get much help with that here
00:18 <@krzee> !101
00:18 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
00:19 < hehehe> its cool
00:19 < hehehe> I got it
00:34 < hehehe> ok its ISP blocking ports :) have to call them and ask to open
00:38 <@ordex> if you want to be fair, you should call them and tell them only one part of the issue
00:38 <@ordex> :P
00:44 < hehehe> funnily to get to tech support there u have to dial 1 and 3
00:44 < hehehe> 13
00:48 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
00:48 -!- mode/#openvpn [+o mattock1] by ChanServ
00:51 <@krzee> you could test by putting the server on the public ip for a moment, to just bypass the router/firewall momentarily
00:51 <@krzee> i havent seen too many isps block all ports, and i doubt 1195 is special to them
00:52 < hehehe> well they said they will open ports in 10 min or so :)
00:52 < hehehe> that one does
00:52 <@krzee> hah nice!
00:53 < hehehe> what you mean by idea to put server on public ip? it still goes via same isp and ports :D
00:54 <@krzee> nevermind
00:54 <@krzee> if you confirmed they block, then what i said didnt matter
00:55 < hehehe> yep
00:55 <@krzee> ahh you're in estonia too, svimik as well but he just left
00:55 < hehehe> server is
00:55 <@krzee> maybe they block ports out there normally, in usa not so much
00:55 <@krzee> usa blocks mail ports usually, but not all
00:56 < hehehe> yep
00:58 <@krzee> theres also a pretty cool trick ive used when i cant listen to * because of firewall/NAT... i have set up a ptp connection before and control the srcport and dstport so each is connecting to the other's srcport
00:58 <@krzee> so each one connects to the other on the same port the other sent from
00:58 <@krzee> that way both sides open the NAT/firewall for the return connection
00:59 <@krzee> but you are getting the port opened so it doesnt matter =]
01:01 < hehehe> works now
01:01 < hehehe> nice
01:02 < hehehe> neat supply of residential ips :) for qq accounts
01:03 <@krzee> qq?
01:03 <@krzee> i wish estonia domains didnt cost so much
01:03 <@krzee> i want krz.ee!
01:05 < hehehe> lol
01:05 < hehehe> well they are not that pricey
01:05 < hehehe> but you need to register a company there
01:05 < hehehe> to get a domain
01:06 < hehehe> I could try and register hehehee? :)
01:06 <+nbastin> eh, not really, you just need an agent
01:06 < hehehe> hehehe.ee
01:06 <+nbastin> which a registrar will act as
01:06 <@krzee> heeheeh.ee
01:06 <@krzee> haha
01:06 <@krzee> heheh.ee
01:07 <@krzee> you need a company? last i looked you just had to be a resident
01:07 < hehehe> well are you?
01:07 < hehehe> I am UK resident :D
01:07 < hehehe> but I got company in ee
01:07 <@krzee> nah but iirc svimik considered it once for me but then we found the price it was like near $100 iirc
01:07 < hehehe> its less
01:08 <+nbastin> it's like $14
01:08 < hehehe> if he is resident its cheap
01:08 <@krzee> whoa, did it go down?
01:08 <+nbastin> they were forced to lift their ID requirements because of new rules
01:08 <+nbastin> (as was mostly everyone)
01:08 < hehehe> nbastin so whats the new rules?
01:08 <+nbastin> the only rule is that you must be a legal rep of the registrant (which is to say...yourself)
01:08 <+nbastin> you can't register like...att.ee
01:09 <+nbastin> if you are not an authorized legal rep of at&t
01:09 <+nbastin> but generally there's no restrictions
01:09 <@krzee> i am krzee!
01:09 <+nbastin> unless you collide with something
01:09 < hehehe> trademarks
01:09 <@krzee> i found $50
01:10 <+nbastin> "Administrative contact's Estonian ID requirement will be abolished - administrative contact may be a natural person, regardless of nationality or residency;"
01:10 <@krzee> found $40
01:10 <+nbastin> (dec 1, 2015)
01:10 < hehehe> https://www.zone.ee
01:10 <@krzee> very nice!
01:10 < hehehe> :P
01:10 <@krzee> ya i was looking WAY before that
01:11 < hehehe> are country domains worth something nowdays?
01:11 < hehehe> there are so many domain extensions
01:11 <@krzee> only if its .ee and you're krzee
01:11 <@krzee> haha
01:11 <+nbastin> domains are worth whatever someone will pay for them.. :)
01:11 <+nbastin> (I was looking at the root zone file a few weeks ok, holy cow there are a ton of TLDs now)
01:12 <@krzee> boom 9 euro
01:12 <+nbastin> few weeks ago
01:12 <+nbastin> damn stupid fingers
01:12 <@krzee> maybe ill grab krz.ee after all!
01:12 <+nbastin> you should!
01:12 < hehehe> nbastin.ee is free :)
01:12 <+nbastin> obviously I want nbast.in
01:12 <+nbastin> or not.. :-)
01:12 <+nbastin> couldn't really care less
01:12 <@krzee> well ya theres that too
01:12 <@krzee> lol
01:12 <@krzee> but like, may as well
01:13 <+nbastin> krz.ee is way cooler.. :-)
01:13 <@krzee> could grab my altnick too, krz.ie
01:13 <+nbastin> although obviously you shoudl register z.ee and then make kr.z.ee
01:13 < hehehe> lol
01:13 < hehehe> wtf
01:13 <@krzee> oooo lets see if they do single letter domains
01:13 <@krzee> lol
01:14 < hehehe> nay
01:14 <@krzee> nope!
01:14 <+nbastin> phooey!
01:14 <+nbastin> phoo.ey!
01:14 <+nbastin> I make whatever TLDs I want inside our private networks.. :-)
01:15 < skyroveRR> :)
01:15 <+nbastin> (I believe that all networks should be isolated and private, and the internet as "one network" should not be a thing, but I'm freaking crazy)
01:15 < skyroveRR> Morning.
01:16 < hehehe> iamcraz.ee is gree nbastin  :)
01:17 < hehehe> free
01:17 <+nbastin> lol
01:17 <+nbastin> now see THAT is tempting.. :-)
01:17 <+nbastin> but it would require that I acknowledge that there is one internet.. :-)
01:18 <+nbastin> I need to finish my dns-dispatcher this summer
01:18 <+nbastin> (so you can have multiple root views on your network)
01:19 < hehehe> http://blog.europeandomaincentre.com/list-of-domain-extensions/
01:19 <@vpnHelper> Title: Wow! All 882 domain extensions.The Big 2017 List [Infographic] (at blog.europeandomaincentre.com)
01:20 <+nbastin> that list is...very incomplete
01:21 <+nbastin> (as it does not include my favorite - .americanexpress)
01:21 <+nbastin> but also a lot of others
01:21 < hehehe> which one is complete?
01:21 < hehehe> I like max 2 to 3 letters extensions
01:22 <+nbastin> you can download the root zone from IANA
01:23 <+nbastin> icann says more than 1200 new gTLDs
01:23 <+nbastin> so probably there's more like 2k total
01:24 <+nbastin> apparently .rugby was allocated on april 7, 2017, because...you know...rugby
01:24 <+nbastin> I need to refresh our root zones at some point
01:24 < hehehe> !!!
01:24 < hehehe> 2k?
01:24 < hehehe> who will use them?
01:25 <+nbastin> if you want the *actual* root zone file, you can get it from https://www.internic.net/domain/root.zone
01:25 <+nbastin> it's sortof huge
01:25 < hehehe> do they allow registration of rude names? or nope?
01:26 <+nbastin> for gtlds?
01:26 <+nbastin> they used to have pretty tight rules, but they have mostly relaxed them
01:26 <+nbastin> so long as you're willing to pay the obscene fees
01:27 < hehehe> and what if I get 2 to 3 letters domain and its same as someone trademark?
01:27 < hehehe> I guess it depends on a registrar
01:28 <+nbastin> for subdomains (e.g. X.<tld>), then their rules determine what you can register as <X>
01:28 <+nbastin> although of course the laws of your country can also be used to litigate it
01:28 <+nbastin> regardless of registrar policy
01:32 <+nbastin> (the structure of internet DNS is somewhat antithetical to the idea of the internet in general)
01:32 <+nbastin> or at least how people imagine the internet
01:32 < hehehe> boot.ee :)
01:33 <+nbastin> I'ma register that and put a PXE server there.. :-)
01:59 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Quit: Leaving.]
04:33 <+nbastin> can anyone give me any example of where setting proto to tcp is a good idea...
04:36 <+nbastin> I should add that to my tests maybe
04:55 < dakar> setting proto?
04:55 <@ordex> nbastin: when udp is blocked :D
04:55 <+nbastin> ordex: ok, I can accept that answer.. :-)
04:55 <@ordex> ;)
04:55 < dakar> oh, in openvpn settings.
04:56 < dakar> i was like, wth is 'proto' for 'tcp'
04:56 <+nbastin> heh
04:56 <+nbastin> yeah
04:56 <+nbastin> "if you would like disgustingly bad performance, esp. when the underlying network is bad"
04:56 <@ordex> :D
05:28 <+nbastin> alright I need some kind of sleep, but maybe initial automated testing available later today
05:39 -!- r00tobo[BNC] is now known as r00tobo
06:34 < _ADN_> tcp you will have more overhead traffic
06:54 -!- frank-- is now known as thumbs
07:12 < lg188> Hi where, do I find the assignable ip addresses again?
07:12 < lg188> Because if I'm not mistaken, there's a weird schema when using windows
07:15 < BtbN> Only if you use the old net30 mode
07:17 < lg188> are you sure? because I have not enabled it and the automatic ips I got assigned were 10.0.0.3 and the next one was 10.0.0.5
07:17 < lg188> 6*
07:17 < lg188> and it had something to do with 10.0.0.5 being used behind the scenes
07:19 < rob0> !net30
07:19 <@vpnHelper> "net30" is (#1) https://community.openvpn.net/openvpn/wiki/273-qifconfig-poolq-option-use-a-30-subnet-4-private-ip-addresses-per-client-when-used-in-tun-mode explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
07:20 < lg188> ah, right. do I need net30 if I want windows clients to connect?
07:20 < lg188> or can that just work with tun?
07:22 < lg188> !topology
07:22 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
07:29 < rob0> if all clients are versions > 2.0.x, you do not need net30
07:29 < rob0> and 2.0.x was EOL about a decade ago IIRC
07:30 < rob0> maybe more
07:31 < lg188> Mhm, I suppose I can use subnet then
07:42 <@dazo> _ADN_: there's not much of an extra traffic overhead with TCP over UDP (2 bytes per packet, iirc) ... but the TCP over TCP issue is far more relevant
07:43 <@dazo> lg188: topic subnet is more than reasonable these days ... the only reason it's not switched to a new default is to not break existing configurations, but all valid openvpn versions supports it
07:43 < lg188> Okay, thanks
08:01 <@dazo> !blog
08:01 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
08:01 <@dazo> !blogs
08:10 -!- Szadek_ is now known as Szadek
09:07 < Enrix> Hi everybody, I am a mewbie with openvpn and I just installed it in a server and a client so now I am trying it works
09:08 < Enrix> but I receive an error: openvpn /etc/openvpn/server/server.conf
09:08 < Enrix> Mon May 15 23:37:07 2017 Warning: Error redirecting stdout/stderr to --log file: /var/log/openvpn/m: Is a directory (errno=21)
09:08 < Enrix> Options error: --server directive network/netmask combination is invalid
09:08 < Enrix> Use --help for more information.
09:09 < Enrix> any help?
09:12 < rob0> well, the first should be self-explaining: you defined a directory name "/var/log/openvpn/m" for --log, and --log expects a file name.
09:12 < Enrix> yes sorry not the first
09:12 < Enrix> :)
09:14 <@krzee> show us the --server line of your config
09:14 < rob0> the second indicates that whatever you specified for --server's network/netmask was not valid.  Trying as hard as I can, but I don't know what you put there.  Sorry.
09:14 <@krzee> !crystal
09:14 <@vpnHelper> "crystal" is (#1) Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome., or (#2) unless reiffert is here, his crystal ball is functional again
09:14 <@krzee> :D
09:14 < rob0> or I could have been concise like krzee and asked you to show it :)
09:15 <@krzee> how ya doing rob
09:15 < Enrix> ok I will show the server.conf
09:16 <@krzee> you cant just pull the server line out?
09:16 < Enrix> how?
09:17 <@krzee> umm
09:17 < Enrix> I am new in this
09:17 < rob0> um, you DID write this file, did you not?
09:17 <@krzee> how were you going to show us the entire file?
09:17 <@krzee> like that, but only with 1 line
09:17 <@krzee> lol
09:17 < Enrix> ah ok
09:17 < Enrix> just thought that the entire was better
09:18 < Enrix> because probably there are other mistakes
09:18 <@krzee> would be, if the rest had anything to do with your error
09:18 <@krzee> oh, i kinda expect you to try too
09:18 < rob0> you might be right about that
09:18 <@krzee> as opposed to spoonfeeding
09:18 < Enrix> server 192.168.1.194 255.255.255.0
09:19 <@krzee> i did just wake up though... i might expect too much of the world still today
09:19 <@krzee> ok 2 things
09:19 < rob0> why did you choose .194?
09:19 <@krzee> 1) dont use the most common lan subnet on earth for your vpn subnet
09:19 <@krzee> 2) .0 for network address
09:20 < Enrix> this is the ip that the machine get from the dhcp
09:20 <@krzee> so maybe server 192.168.69.0 255.255.255.0    or something
09:20 < rob0> whoa, we're getting deep into xy here
09:20 < rob0> !xy
09:20 <@krzee> very
09:20 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
09:20 <@krzee> !goal
09:20 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:24 < Enrix> krz: ok but a part the best practice, it should work like that
09:25 <@krzee> na lot of the time that is false
09:25 <@krzee> !samesubnet
09:25 <@vpnHelper> "samesubnet" is (#1) clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway, or (#2) you can use --client-nat if on 2.3 to work around changing the subnet, but you should still just change
09:25 <@vpnHelper> the subnet
09:27 <@krzee> or do whatever you want and come back for help when you realize it doesnt work lol
09:28 <@krzee> so once again...
09:28 <@krzee> !goal
09:28 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:32 < Enrix> in the client.conf it is enough to put under server address the ip of the server with the port 1194?
09:34 < DArqueBishop> Remember, when using tun, the VPN has to have its own subnet. (Yes, late to the convo and all...)
09:39 <@krzee> and if not using tun, use tun
09:39 <@krzee> but i wont be helping more til i know the goal, because that would require a crystal ball and ours is broken
09:44 < lg188> I'm getting connection resets, sigusr1 thing every second. Any ideas why the program does this?
09:55 < rob0> A search of the man page for "sigusr1" landed me in --proto
09:56 < lg188> now that's wierd.
09:56 <@krzee> lg188: you watching the log on both sides?
09:57 < lg188> that never was a problem so far
09:57 < lg188> Wait, I must have accidentally changed udp to tcp
09:57 < lg188> no reversed
10:07  * lg188 opens up the server log
10:08 < lg188> tls error on the server side
10:09 < lg188> !tls-error
10:11 < lg188> AH yes, I removed the tls-auth option but the 1 and 0 thing were in there as well. I removed them in favour for the <tls-auth> thing
10:14 < lg188> !tls-auth
10:14 <@vpnHelper> "tls-auth" is "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to
10:14 <@vpnHelper> make the tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
10:22 <@krzee> oh so you need --key-direction
10:22 <@krzee> as seen in:
10:22 <@krzee> !inline
10:22 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
10:44 < Enrix> if I see my client.conf I cannot see an ip bit something like gt.nameofmycompany 1192
10:45 < Enrix> where should I define this alias?
10:45 < Enrix> it is a client.conf that I got from another machine
10:45 < Enrix> as example
10:53 < DArqueBishop> Enrix:
10:53 < DArqueBishop> !configs
10:53 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
10:53 < DArqueBishop> Also, as krzee pointed out:
10:53 < DArqueBishop> !goal
10:53 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:54 <@krzee> also
10:54 <@krzee> !walkthrough
10:54 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
10:54 <@krzee> !man
10:54 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
10:54 < DArqueBishop> !howto
10:54 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
10:54 <@krzee> i suggest reading the man page on every option in your configs
10:54 <@krzee> and if you want help, i suggest explaining what your goal for the VPN is
10:55 <@krzee> otherwise, it will be impossible to help you
11:04 < rob0> re: !walkthrough, it's a misnomer to call them "docs", which in my mind implies documentation.  Most random bloggers barely understood what they did and think they are helping to share their story.  But in reality they have no place at all in writing real documentation.
11:07 < DArqueBishop> That's why I think !blog is better than !walkthrough. :-)
11:12 <@krzee> !blog
11:12 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
11:12 <@krzee> ahh yes thats nice
12:41 < skyroveRR> :D
13:46 < D5> [Question]: What good wireless access point can stably do 100mbit OpenVPN over wifi?
13:49 < BtbN> none, even without OpenVPN
13:50 < havoc> a dual-band 802.11ac WAP probably could, for a single vpn client, and no other wifi users
13:51 < havoc> but as will all things wireless, "it depends"
13:54 <+nbastin> definitely a lot of APs can easily handle 100Mbps per client for a small number of clients, but the openvpn part is somewhat orthogonal
13:54 < D5> BtbN: why not? Here is a quote from the openwrt wiki about some mediatek soc: "Generic throughput numbers are about 400-500mbit/s "
13:54 < BtbN> if you're standing right next to it maybe
13:54 < havoc> the dual-band 802.11ac units typically are rated at 1,300mbps
13:55 < D5> well RF can go to shit anytime with any hardware. I'm worried about bottle-necking somewhere else
13:55 < havoc> but all things wireless are subject to many environmental factors which impact performance
13:55 <+nbastin> everything since 802.11n has had MIMO in the spec, and you can really get high performance from them
13:55 < D5> did anybody have good experience with any particular router?
13:56 < havoc> we've been using a lot of Ubiquiti gear, excellent value
13:56 <+nbastin> we have some edimax CAP1200 that are super nice, although I think they don't make that model anymore
13:57 < D5> havoc: The office I'm in right now has those. Work really great. I'll check them out, thanks!
13:57 < havoc> I think the ubnt stuff has a good bang for the buck
13:57 < havoc> and usaully also available Amazon Prime too
13:57 < havoc> D5: good luck :)
14:19 < skdf> So
14:19 < skdf> It's me the server hardening guy
14:20 < skdf> So last night i was told to keep my CA private
14:20 < skdf> the public key is given to each server and each client
14:20 < skdf> Each server has it's own Public Private key
14:20 < skdf> How would I revoke one certificate from all servers?
14:20 < rob0> the public key is called the "CA certificate"
14:21 < rob0> "each server"?
14:21 < skdf> rob0: I know
14:21 < DArqueBishop> !crl
14:21 <@vpnHelper> "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with
14:21 <@vpnHelper> openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you, or (#3) openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
14:21 < skdf> I want to have multiple servers recognize the same certificates
14:22 < rob0> yep, a CRL (and keep it in synch among all servers)
14:22 < rob0> A simple form of access control can be done with ccd and --ccd-exclusive, but in your case you probably need the CRL.
14:23 < havoc> I'm using ccd, but that's because I want to *temporarily* disable a client's access
14:24 < havoc> handy for that
14:27 < skdf> SO
14:27 < skdf> Lets just say I want to be a lazy fuck.
14:27 < skdf> I know OpenVPN supports username password authentication with a CA cert
14:27 < skdf> Could I be lazy and set up OpenVPN to query a master database?
14:29 < DArqueBishop> !authpass
14:29 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
14:29 < skdf> DArqueBishop: Thank you.
14:33 < skdf> So I'd follow last nights instructions
14:33 < skdf> Generate a CA on a secure machine, Generate Server Certs, Pass out the CA public key, and the other keys?
14:33 < skdf> I don't have a full rundown of the ones I need on this machine
14:44 < skdf> So
14:44 < skdf> So if I do choose to go down the route of using username and passwords, can I use it with OpenVPN on Android?
14:59 < skdf> well for now I'll use certs and write some automation
15:00 < hehehe> hey hey
15:00 < skdf> hey
15:10 < hehehe> if I want open vpn client to use server machine dns
15:10 < hehehe> I add push "redirect-gateway def1 bypass-dhcp"
15:10 < hehehe> and then?
15:10 < hehehe> there is a way to push "dhcp-option DNS 208.67.222.222"
15:11 < hehehe> but if I dont want to specify a dns ip?
15:11 < skdf> You have to.
15:14 < skdf> hehehe: how do you expect to do a DNS lookup without DNS?
15:17 < hehehe> true
15:17 <+nbastin> Magic.
15:17 < hehehe> yes ty
15:17 < hehehe> I use magic :D
15:17 < skdf> nbastin:
15:17 < skdf> ree
15:18 < hehehe> also if server goes offline, and some app is using open vpn client machine, it will hop on a client normal net ip?
15:18 < hehehe> so I have to set rules in client machine firewall to prevent it?
15:19 <+nbastin> That depends on the OS of the client machine and your routing tables and such
15:19 < skdf> You want a deadmans switch in essense?
15:19 <+nbastin> So a bit out of scope for here
15:19 < hehehe> np :D
15:20 < hehehe> I was thinking maybe it can be added to a future community release
15:20 < hehehe> a switch like that
15:20 <+nbastin> There is a post-down hook in openvpn where you can execute such a thing
15:20 < skdf> SO.
15:20 <+nbastin> The implementation is OS and environment specific
15:21 < skdf> I'm wondering
15:21 < skdf> Is there any good guide on Anti Abuse?
15:21 <+nbastin> anti abuse?
15:22 < skdf> Preventing outgoing abuse
15:22 <+nbastin> I guess I'm not sure what you mean
15:23 < TCShain> Hello helpful OpenVPN community!
15:23 < TCShain> I've recently inherited an OpenVPN Access Server implementation, but am having a bit of trouble setting up a new user account.
15:23 <+nbastin> there's a...different channel for AS...hrm...
15:23 < skdf> Very detailed
15:23 < skdf> Much information!
15:23 < TCShain> I can create the user account and connect to the VPN just fine.
15:24 < TCShain> oh is there?
15:24 <+nbastin> !as
15:24 < skdf> TCShain: ask #openvpn-as
15:24 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
15:24 <+nbastin> there we go
15:24 < TCShain> Thank you! I will go there!
15:24 < skdf> nbastin: beat you :p
15:24 <+nbastin> skdf: you beat vpnhelper.. :-P
15:25 < skdf> I'll beat you with my nine ethernet whip :^)
15:25 <+nbastin> yowzers
15:26 < TCShain> !welcome
15:26 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
15:26 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
15:26 <+nbastin> I'll have to return the beating with a qsfp28 octopus cable.. :-)
15:27 < skdf> nbastin: Kinky.
15:27 <+nbastin> although they really only have 4, so unclear why we call them octopus cables..
15:27 < skdf> Will you give me 10gb/s?
15:28 <+nbastin> 10G is so boring.. :-)
15:28 < skdf> Infiniband is dead.
15:28 < BtbN> no, why would it be dead?
15:28 <+nbastin> some of our new racks disagree with you...
15:29 < skdf> Didn't Intel discontinue their work on it?
15:29 < skdf> Or am I confusing it for a different thing
15:29 <+nbastin> intel never had infiniband anything
15:29 <+nbastin> or at least if they did no one ever used it
15:29 < skdf> what tech am i thinking of?
15:29 <+nbastin> I dunno!  :-)
15:29 < skdf> ITs 40gb/s SFP connector, the cards are like $20 on ebay
15:30 <+nbastin> that does not sound familiar...
15:31 < BtbN> the bandwidth isn't the most important thing about IB
15:31 <+nbastin> mmm...rdma
15:31 < BtbN> It's the low latency and syscallless communication
15:31 < skdf> i'll be back
15:31 < skdf> I'm setting up OpenVPN inside of Docker.
15:34 <+nbastin> apk add openvpn, done.. :-)
15:47 <+nbastin> arg, now I am on a personal mission to figure out how to make openvpn faster...
15:47 <+nbastin> which is sortof distracting from my original goal.. :-)
15:49 < sdbfsdhf> OK!
15:49 < sdbfsdhf> So
15:49 < sdbfsdhf> I'm still trying to understand this
15:49 < sdbfsdhf> how do I keep my CRL in sync across multiple machines?
15:50 <+nbastin> We have a crontab that downloads our CRL from a central server, for services that don't use OCSP
15:50 < sdbfsdhf> So
15:50 < sdbfsdhf> ok so I need to explain this on multiple lines, don't yell at me.
15:51 < sdbfsdhf> So I'd have my Front End where I add users
15:51 < sdbfsdhf> This would go to my CA and be like "yo, make me a cert"
15:51 < sdbfsdhf> Then all my servers running OpenVPN would recognize my certs I created.
15:52 < sdbfsdhf> Every day a few minutes before midnight my CA server would check what certs to kill
15:52 < sdbfsdhf> Then I'd have all my OpenVPN servers go "yo, ca, we need the new CRL" and reload it?
15:52 <+nbastin> sure, that would work
15:53 <+nbastin> you might want to do it more often depending on your policies
15:53 < sdbfsdhf> !crl
15:53 <@vpnHelper> "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn)
15:53 <@vpnHelper> that will create the CRL file for you. ssl-admin will also build a crl for you, or (#3) openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
15:53 < sdbfsdhf> !kill
15:53 < sdbfsdhf> fuck.
15:53 < sdbfsdhf> ok so I got the general idea down
15:54 <+nbastin> I mean, the certs are not killed, they're just untrusted
15:54 < sdbfsdhf> My CA holds the master CRL
15:54 < sdbfsdhf> Can I re-trust my certs?
15:54 <+nbastin> Not really
15:54 < sdbfsdhf> So I'd be better off with a SQL based system
15:54 <+nbastin> There are various horrible ways to do that, but they're all horrible
15:55 < sdbfsdhf> That way I can disable and re-enable logins?
15:55 <+nbastin> I mean if you're revoking a cert, that should be a permanent act
15:55 <+nbastin> If you want to do something else, don't revoke the cert.. :-)
15:55 < sdbfsdhf> So I should just avoid certs for my use cae.
15:55 < sdbfsdhf> case*
15:55 <+nbastin> Well
15:56 <+nbastin> you should not use CRLs to selectively control logins for limited times
15:56 <+nbastin> That is orthogonal to whether you should use certs
15:56 <+nbastin> The reason to revoke a cert is because it has been compromised
15:56 <+nbastin> they don't get "un-compromised"
15:56 < sdbfsdhf> So I should be looking at user-pass-verify
15:58 <+nbastin> probably?  I still don't quite know what you're trying to do
15:58 <+nbastin> but if you want to selectively deny logins even from valid certs, yes
15:58 < sdbfsdhf> I want to be able to disable access on demand and renable about creating a ne wlogin
15:59 <+nbastin> yes then use a script on auth-user-pass-verify to check your system to see if the username has been disabled
16:00 < sdbfsdhf> So my VPN hosts (servers) get assigned a ca.crt from my CA and they're told to authenticate against a mysql database
16:00 < sdbfsdhf> So my CA signing server is offline, my VPN server's are told to authenticate clients against the MySQL server
16:00 < sdbfsdhf> Each client also has a ca.crt to validate the server's identity
16:01 <+nbastin> uh, I think you are missing some pieces
16:01 <+nbastin> or at least using the wrong names for them
16:01 <+nbastin> the servers have the ca.crt to validate client certificates against
16:01 < sdbfsdhf> yea I'm just doing a simplified
16:01 <+nbastin> but that is not the server certificate
16:01 < sdbfsdhf> Yea I oversimplified.
16:02 < sdbfsdhf> So I'm wondering
16:02 < sdbfsdhf> if I'm not using certificate based authentication but username password only
16:02 < sdbfsdhf> Does each server require a ca.crt?
16:03 <+nbastin> Well your server needs to trust whatever cert your clients are offering to you, if they're not offering you certs, then you don't have that problem
16:03 <+nbastin> But that seems like a bad idea...
16:04 < sdbfsdhf> yes and no from what I understand so far.
16:04 < sdbfsdhf> The clients themselves still challenge the server to prove its identity
16:04 < sdbfsdhf> So a client will never blindly connect
16:06 <+nbastin> I mean, I don't know how to securely operate an openvpn instance without clients having certificates issued by...someone you trust
16:06 <+nbastin> so you may be extending outside of my configuration knowledge for openvpn
16:06 <+nbastin> if that is somehow possible
16:06 < sdbfsdhf> From what I understand the servers have their own certs
16:06 < sdbfsdhf> The clients still get a ca.crt
16:06 < sdbfsdhf> they use it to challenge the server
16:08 <+nbastin> someone else here will have to explain whether that compromises the initial TLS handshake...
16:09 <+nbastin> it could, or not, depending on how its implemented
16:11 < DArqueBishop> If you're using certs, even if non-unique certs, the ca.crt is still needed for verification.
16:13 < sdbfsdhf> DArqueBishop: nbastin Do you know if I can put my CRL into a database?
16:13 <+nbastin> sdbfsdhf: the CRL file is a pretty specific format, you can of course store it anywhere you want
16:13 < DArqueBishop> I'm pretty sure the answer is no.
16:13 <+nbastin> but the user needs it in that file
16:14 <+nbastin> (the "user" of the file in this case is the server)
16:14 < DArqueBishop> I would just write up a script that when you make a change to the CRL, that it pshes the changed CRL file to the servers.
16:14 < sdbfsdhf> The issue is I don't want a hacky solution to re-instating a certificate
16:15 <+nbastin> you should not be revoking certs that are not compromised
16:15 <+nbastin> you need to solve your auth problem separately from your trust problem
16:15 < DArqueBishop> If you think you'll be activating/deactivating access at whim, you should be looking into adding user/pass authentication and handling it from there.
16:17 < sdbfsdhf> DArqueBishop: The goal is to simplify setup for the end users as well
16:18 < DArqueBishop> You need to decide where you want the balance between security and usability to be, then.
16:19 <+nbastin> I mean if you're going to give them passwords anyhow, their setup is basically the same cert or no
16:19 <+nbastin> so you should give them certs.. :-)
16:20 <+nbastin> You could also make their password empty
16:20 <+nbastin> if all you're doing is pausing accounts
16:20 <+nbastin> then you can take the common name from the cert
16:20 <+nbastin> as the key to check
16:20 <+nbastin> the cert is still valid, but auth-user-pass-verify script can check the CN against a database or something
16:21 <+nbastin> you don't ever have to check the password
16:22 < sdbfsdhf> And what do I do if I want to permantly revoke the cert
16:23 <+nbastin> you still use a CRL for that
16:23 < sdbfsdhf> Ok so I setup my server's their keys
16:23 <+nbastin> CRLs are for revoking certificates, not controlling authentication
16:23 < sdbfsdhf> I have my CA
16:24 < sdbfsdhf> I have OpenVPN check against my database to see if the key is allowed to login
16:24 < sdbfsdhf> When I decide to invalidate the key I add it to my CRL
16:24 <+nbastin> the common name in the client cert
16:24 <+nbastin> there's no keys in this part of the equation
16:25 <+nbastin> you make a cert for each client, issued by your CA (or preferably an intermediate CA issued from your CA)
16:25 <+nbastin> they have unique CN values
16:25 <+nbastin> you use the CN value to check authorization
16:25 <+nbastin> (e.g. have you disabled it temporarily)
16:25 <+nbastin> if you have permanently disabled a client, you use the CRL to revoke their cert
16:26 < sdbfsdhf> So what I said.
16:26 < sdbfsdhf> Still have my CA, my server's cert, my CA creates client keys and handles my CRL
16:26 < sdbfsdhf> my OpenVPN servers grab the CRL
16:27 < sdbfsdhf> my openvpn check the CN against my authorization database and deny / allow logins based on that
16:28 <+nbastin> yes
16:29 < sdbfsdhf> ok
16:30 < sdbfsdhf> nbastin: the common name is unique per client
16:30 < sdbfsdhf> correct
16:30 <+nbastin> you have to make it unique
16:31 <+nbastin> when you issue the certs
16:34 < sdbfsdhf> nbastin: got anything I can read on?
16:35 <+nbastin> for which part?
16:36 < sdbfsdhf> Pretty much anything of a rundown
16:36 < sdbfsdhf> Mostly between the connection and validating the CN
16:37 < sdbfsdhf> OpenVPN supports PAM based authentication O_o
16:37 < sdbfsdhf> So I could use users in /etc/passwd
16:38 <+nbastin> then you really are requiring the users to have usernames and passwords of course
16:38 < sdbfsdhf> yea, ideally I would only require a username password auth
16:38 <+nbastin> instead of just using the auth-user-pass-verify mechanism to effectively just check a certificate attribute
16:39 < sdbfsdhf> !auth-user-pass
16:39 < hehehe> nbastin: dns leak
16:39 < hehehe> well I know why
16:39 < hehehe> I forgot to change config
16:40 < hehehe> after fixing router
16:40 < sdbfsdhf> nbastin: So what I'd be after is doing auth-user-pass with a ca.crt
16:40 < sdbfsdhf> nbastin: that way I can validate the identity of my server.
16:40 <+nbastin> I don't understand what you are asking - the ca.crt is used to validate the client certificate (on the server side)
16:41 <+nbastin> and on the client side it's used to validate the server certificate, but both of those things are done before auth
16:41 <+nbastin> automatically
16:41 < sdbfsdhf> nbastin: exactly.
16:41 <+nbastin> the certs are completely orthogonal to auth-user-pass-verify
16:41 < sdbfsdhf> nbastin: From what I understand based on reading OpenVPN docs and other guides
16:42 < sdbfsdhf> I would be using username password based authentication with the ca crt
16:42 < sdbfsdhf> the ca.crt would be used to validate the server is who it claims to be before we share anything else
16:42 < sdbfsdhf> We'd then use the username and password to actually authenticate
16:42 <+nbastin> again, if you're not giving the user a client cert, you're doing something I don't know how to configure
16:43 < sdbfsdhf> ok
16:43 < sdbfsdhf> Ty for trying
16:43 <+nbastin> if you're giving them a client cert, then you can just use that CN (providing it is unique) as their username
16:43 < sdbfsdhf> I'm not going to provide a cert
16:43 < sdbfsdhf> I might actually authenticate against FreeRADIUS
16:43 < sdbfsdhf> Since FreeRADIUS handles a lot of things
16:51 < sdbfsdhf> !freeradius
16:51 < sdbfsdhf> !radius
16:53 < sdbfsdhf> nbastin:
16:53 < sdbfsdhf> I know that OpenVPN can call a script with variables when a client connects
16:56 < sdbfsdhf> OK!
16:56 < sdbfsdhf> nbastin: you know anything at all about OpenVPN's ability to runscripts?
16:57 <+nbastin> sdbfsdhf: the man page describes a bunch of hooks, use the one that you find appropriate.. :-)
16:57 < sdbfsdhf> auth-user-pass-verify /etc/openvpn/bin/auth via-file
16:57 < sdbfsdhf> I'm interested in that
16:57 < sdbfsdhf> I know how to abuse FIFO pipes.
16:57 < sdbfsdhf> Like, I'm not allowed to use them anymore kinda abuse
17:04 < hehehe> nbastin
17:04 < hehehe> some things work :D
17:24 < hehehe> https://www.raymond.cc/blog/automatic-vpn-kill-switch/
17:24 < hehehe> which one did you folks use?
17:24 < hehehe> I sense messing with windows firewall takes time
17:26  * dazo don't even consider to use windows at all
17:28 < hehehe> well what if I give you 1 apple pie?
17:28 <@dazo> not even a rotten apple
17:29 < hehehe> dazo: just think freshly baked apple pie
17:29 < hehehe> with a crust
17:29 < hehehe> you can cut it with a knife and eat!!!
17:30 <@dazo> All I accept in my life are penguins ;-)
17:30 <+nbastin> I don't use openvpn to access networks I am already connected to, so the whole notion of a kill switch is unnecessary
17:31 <@dazo> I might consider to look at the BSD devils .... but not going to give my soul to them
17:31 < hehehe> dazo:  no wonder your gf kicked you out to sleep in a penguin house :)
17:31 < hehehe> had you brought her a freshly baked apple pie after work :) just imagine
17:31 <@dazo> hehehe: she's running the same as me .... that was a requirement to get my computer support ;-)
17:31 < rob0> let's hope his wife doesn't find out
17:31 <@dazo> lol
17:32 <@dazo> rob0++
17:33 <@dazo> hehehe: the upside of that .... I barely need to do anything on my wife's computer ... it just works and she's happy ... she can even play her cute youtube videos too! ;-)
17:33 < hehehe> :)))
17:33 < hehehe> you need win xp there with no updates :D
17:34 <@dazo> Normally I'd do /kick for that ... just for the fun of it .... but I'm in a too good mood now
17:42 < hehehe> i use linux however friends in china and qq messenger works in win only so far
17:53 < hehehe> can app somehow using uTP, DHT, UPnP, Local Peer Discovery and IPv6 bypass openvpn and check machine ip?
17:53 < hehehe> or nope?
18:04 < Eugene> Elon is lobbing another one at the stars in 20 minutes https://youtu.be/ynMYE64IEKs
19:01 <+nbastin> Woo more space junk in the sky.
19:10 < hehehe> :)
20:12 < hehehe> I am using https://technet.microsoft.com/en-us/library/cc773767(v=ws.10).aspx
20:12 < hehehe> as a trigger in event to launch powershell and disable ethernet adapter
20:13 < hehehe> however it yet to get triggered :D
20:13 < hehehe> I wonder what did I miss?
20:13 < hehehe> simple way to kill open vpn on win
20:16 <+nbastin> I feel like this is a problem best solved with simple routing
20:16 <+nbastin> but I have no idea how to do routing on windows.. :-)
20:17 <+nbastin> but in general just DONT have a route to the internet, just have a route to your vpn endpoint
20:17 <+nbastin> then if you lose your vpn, you lose all your routes
20:17 <+nbastin> and can't reach the internet - voila
20:19 <+nbastin> the only reason you need this kill switch in the first place is because you have a route to 0.0.0.0/0 through both your ethernet adapter AND the vpn, which is silly
20:19 <+nbastin> you should just NOT have that route to fall back on
20:25 < hehehe> nbastin: I am nearly there - when I run task manually it does work :) maybe on windows server 2012 triggers are different
20:25 < hehehe> true @ what you said
20:29 < Apostata> Hello, I was wondering where I could find the public keys that signed the lastest release of easy-rsa, v3.0.1
20:30 -!- mode/#openvpn [+o ordex] by ChanServ
20:40 < hehehe> nbastin: https://pastebin.com/5HwvEcvd
20:40 < hehehe> current routes data
20:41 <@ordex> morning :)
20:42 < hehehe> morning
20:42 < hehehe> :D
20:47 < hehehe> alot of foutes
20:47 < hehehe> routes
20:48 < hehehe> nbastin: routing table looks complex
20:50 <@ordex> it's just windows:P
20:50 < hehehe> windows is nice
20:50 < hehehe> once its clear how it works :D
20:51 < hehehe> anyway there are many active routes
20:51 < hehehe> so idea to disable  route to 0.0.0.0/0 through your ethernet adapter
20:52 < hehehe> what if this route will simply be recreated by a network manager?
20:53 <@ordex> could be, for example upon dhcp re-lease
20:54 <@ordex> or maybe not .. not sure how that works on windows
20:56 < hehehe> I asked in win server :)
20:57 < hehehe> nbastin: is genius :D
20:57 < hehehe> delete 1 permanent route and bingo
21:11 <@ordex> bingooo
21:19 < hehehe> yey slightt issue
21:19 < hehehe> I need access for remmina
21:19 < hehehe> on rdp :D
21:20 <@ordex> remmina?
21:20 < hehehe> just need to access box via rpd
21:20 < hehehe> rdp
21:21 < hehehe> now that 0000 - ethernet is gone so is rdp access
21:22 <@ordex> well, the box now talks only via the vpn
21:22 <@ordex> there is no direct access to the internet anymore
21:25 < hehehe> lol I got access to it
21:25 < hehehe> but not via rdp
21:25 <@ordex> good
21:26 < hehehe> but how I can get RDP as well
21:26 < hehehe> console access via browser is so so :D
21:27 <@ordex> honestly I have no clue what you are doing and the relationship with openvpn
21:27 <@ordex> :P
21:27 < hehehe> !!!
21:27 < hehehe> :DDD
21:27 < hehehe> its was nbastin idea but he run away
21:28 < hehehe> i got a windows box with open vpn on it
21:28 <@ordex> well, can't you use rdp over the vpn?
21:28 < hehehe> so I had an idea to use event trigger to close net if vpn connection drops
21:28 < hehehe> then this idea came
21:28 < hehehe> true
21:28 < hehehe> going to check
21:29 < hehehe> you mean via ssh tunnel?
21:32 <@ordex> ?
21:33 < hehehe> its a window vps
21:33 <@ordex> I don't know your setup, so I am just suggesting directions. but now you access the internet via VPN, so can your rdp service listen on the VPN and let your VPN server forward the rdp traffic to your box ?
21:33 < hehehe> not a stand alove server
21:33 < hehehe> i access it via provide console
21:33 < hehehe> thinks
21:34 < hehehe> I dont get it
21:34 < hehehe> there is rdp port and vpn port
21:34 < hehehe> they are tow different ports
21:34 <@ordex> yes, but the VPN is creating another networking layer
21:35 < hehehe> yes
21:35 <@ordex> so instead of listening on your default network card, you could listen on the VPN
21:35 < hehehe> yes
21:35 <@ordex> so rdp would be reachable within the VPN
21:35 < hehehe> yes
21:35 <@ordex> then the VPN server needs to do port forwarding so that what it receives is forwarded to the rdp port of your box
21:35 <@ordex> but I am not sure you want to do this. this is just one way
21:35 < hehehe> !!
21:36 < hehehe> I usually just do
21:36 < hehehe> I dont think alot
21:36 <@ordex> and assumes you have control of the vpn server
21:36 < hehehe> :)))
21:36 <@ordex> lol
21:36 <@ordex> then good luck :P
21:36 < hehehe> people who just think think rarely do
21:36 <@ordex> right, that's why you need a proper combination of the two :)
21:36 < hehehe> I do have access to vpn server
21:37 < hehehe> :)
21:37 <@ordex> or at least, you should know what you are doing :D
21:37 <@ordex> ok
21:37 <@ordex> then you can setup the port forwarding
21:37 <@ordex> and forward the access over the VPN to your rdp service
21:38 <@ordex> unless your rdp client has a static IP, then you could install a single route on your box just for your client
21:38 <@ordex> to ensure the traffic can flow to and from the client
21:38 <@ordex> but I don't know if you have a static IP
21:38 < hehehe> i dont
21:38 < hehehe> wait
21:38 < hehehe> rdp client
21:38 < hehehe> windows box - got a static ip
21:39 <@ordex> I am talking about the rdp clien
21:39 <@ordex> t
21:39 < hehehe> ok I got it
21:40 <@ordex> btw, have you understood what I am suggesting? or you are blindly trying to follow what I am saying? :D
21:40 < hehehe> yes client is on dynamic ip
21:40 < hehehe> window box is static
21:40 < hehehe> I am working on understanding it
21:40 < hehehe> I cant yet visualise it all
21:41 <@ordex> if the client is dynamic, this can't work
21:41 < hehehe> ....
21:41 < hehehe> why not
21:41 <@ordex> because if you install a route to the client, everytime the client changes IP
21:41 <@ordex> the route is not valid anymore
21:41 < hehehe> well I can simply change route
21:41 <@ordex> because the IP will not be correct anymore
21:41 < hehehe> :)
21:41 <@ordex> yes, everytime the client changes IP you have to access the console and change the route
21:42 < hehehe> thats fine
21:42 < hehehe> it changes it only long router reset
21:42 <@ordex> if you like so :P
21:42 < hehehe> after long
21:42 <@ordex> ok
21:43 < hehehe> route [-f] [-p] [Command [Destination] [mask Netmask] [Gateway] [metric Metric]] [if Interface]]
21:44 < hehehe> so whats the line would be?
21:46  * ordex takes his crystal ball
21:46 < hehehe> I can see that requests go to gateway then via tunnel via vpn server to the address
21:46 < hehehe> and they come back same way
21:46 < hehehe> what ball
21:46 < hehehe> I though u know it :D
21:46 <@ordex> I said several times I have no clue how windows works
21:46 <@ordex> you may take some time to study it :P
21:46 < hehehe> *knew it
21:47 < hehehe> it same as linux
21:47 < hehehe> just diff commands
21:47 < hehehe> to ensure the traffic can flow to and from the client
21:47 <@ordex> yeah, then do it :P
21:48 < hehehe> what do you  mean?
21:48 < hehehe> I need to understand first what do I want to do
21:48 < hehehe> then i can do it :D
21:48 <@ordex> that you need a route to the client IP passing through your real GW
21:48 <@ordex> this way you avoid the VPN
21:48 <@ordex> might work
21:49 < hehehe> I might not listen to nbastin next time
21:49 < hehehe> :D
21:49 < hehehe> my idea was nearly working :D
21:49 < hehehe> gw gateway?
21:49 < hehehe> can you post route example?
21:49 < hehehe> for linux
21:51 <@ordex> found this: http://bfy.tw/BoLw
21:51 <@vpnHelper> Title: LMGTFY (at bfy.tw)
21:51 < hehehe> WTF
21:51 < hehehe> is htis
21:51 < hehehe> :D
21:51 < hehehe> its not a school here:)
21:51 <@ordex> ah no? :D
21:51 < hehehe> dude
21:51 <@ordex> sorry, wrong room :P
21:51 < hehehe> people who use school method to study
21:52 < hehehe> study way slower
21:52 < hehehe> in life
21:52 <@ordex> yes, then you should not ask me
21:52 <@ordex> because I Went to school
21:52 < hehehe> well its good I asked u
21:52 < hehehe> cause now you know there are easier ways :)
21:52 <@ordex> you can keep on typing random thing in the powershell, eventually it will work :P
21:52 < hehehe> nah
21:52 <@ordex> rather than studying
21:52 <@ordex> :P
21:53 < hehehe> school makes people slower than they can be
21:53 <@ordex> I think you should not generalize this much
21:53 <@ordex> world is big and schools are different
21:53 <@ordex> same as people
21:53 < hehehe> I dont
21:53 <@ordex> this said
21:53 <@ordex> my time is out
21:53 < hehehe> its based  on a research
21:53 < hehehe> np
21:53 < hehehe> you can check it yourself
21:54 <@ordex> who makes research?
21:54 < hehehe> me
21:54 <@ordex> :P
21:54 < hehehe> many people cant explain well
21:54 < hehehe> its also part of school conditioning
21:54 < hehehe> I spend time to drop it
21:54 < hehehe> *spent
21:54 < hehehe> maybe some can drop it instantly
21:55 < hehehe> part of mental power required to solve task is spent on trying to understand what is dude saying
21:55 <@krzee> hehehe: how many countries have you gone to school in?
21:55 < hehehe> thats the school inherited issuse
21:55 < hehehe> 3
21:55 < hehehe> and you?
21:56 <@krzee> im not acting as if im an expert in the worlds schools
21:56 < hehehe> I have studied in 3 countries
21:56 < hehehe> I am
21:56 < hehehe> and its easy to check man
21:56 < hehehe> in school you cant correct teacher manner of explaining
21:56 < hehehe> so there is  not much interaction
21:56 <@ordex> hehehe: communication is important. solving tasks without being able to understand what the personis stating or not being able to explain back the solution makes everything useless
21:57 <@krzee> i did plenty of that in school
21:57  * ordex too
21:57 <@ordex> especially in university
21:57 < hehehe> ordex: well can u simply illustrate in few words how traffic travels from rdp client into windows box and back
21:57 <@krzee> ya i was talking about uni
21:57 < hehehe> then its clear
21:57 < hehehe> :)
21:58 <@ordex> hehehe: isn't that teaching?
21:58 < hehehe> it needs to sent packets to server ip, server ip sends them to ...
21:58 < hehehe> its not
21:58 < hehehe> no need to be pedantic
21:58 <@ordex> mh
21:58 <@ordex> anyway
21:58 <@ordex> it's ok :) good that everybody has his own opinion. otherwise everything would be boring :P
21:59 < hehehe> yes
21:59 < hehehe> its like this - people who code alot often have certain way to pass intellectual knowledge
21:59 < hehehe> and that way is maybe more suitable for humans with similar ways to receive
22:00 < hehehe> that is observation of many folks in IT :)
22:00 <@ordex> could be, but you can;t force somebody to use that language
22:00 < hehehe> correct
22:01 <@krzee> i remember a tech class where the teacher loved when i would correct him or help him explain things to the class
22:01 < hehehe> thats good :)
22:02 <@krzee> ya he was a good teacher
22:02 <@ordex> still, what does this has to do with reading on google how to do something?
22:02 <@ordex> you are just trying to justify your laziness :P
22:02 <@krzee> (i didnt scroll up to see how this started lol)
22:02 < hehehe> I just wonder why cant u say it
22:02 < hehehe> :D
22:03 <@ordex> because I'd prefer you to learn
22:03 <@ordex> this is how I have fun spending my time
22:03 <@ordex> :P
22:03 < hehehe> I dont
22:03 < hehehe> 100% no
22:03 < hehehe> :)
22:03 <@ordex> hehe
22:03 <@krzee> help channel owes nobody
22:03 <@krzee> :D
22:04 < hehehe> not via manuals written in school style
22:04 < hehehe> if I can help it
22:04 < hehehe> fun style yes
22:04 <@ordex> hehehe: then pay somebody that searches things for you and just tells you things to do :P
22:04 < hehehe> I got an idea
22:04 <@ordex> hehehe: where do you think I have learnt how to use the command ?
22:04 <@ordex> by reading the man, reading examples and reading the code
22:04 < hehehe> u learned it school way
22:04 < hehehe> I can tell
22:04 < hehehe> :)
22:04 < hehehe> and its a way too
22:04 <@ordex> don't know what "school way" is
22:05 < hehehe> lack of playfulness
22:05 < hehehe> route
22:05 <@ordex> but for sure I have not studied the ip command at school :D
22:05 < hehehe> read repeat
22:05 <@ordex> uhm
22:05 < hehehe> till its clear
22:05 <@ordex> I have patched the iproute2 package, not sure I could do that by just asking people how to do it :P
22:06 <@ordex> hehehe: the last thing you can do to "learn" is read repeat
22:06 <@ordex> if that was the way you were taught..then ok, I am sorry for the school you attended
22:06 <@ordex> but you can't assume everybody went through that
22:07 <@ordex> and I understand the frustration with such method (I'd be frustrated too), but this is not a good reason to attack everybody else's education
22:07 <@ordex> anyway, I don't know how the route command works. nobody does now. what do you do? up to you now ..
22:08 < hehehe> comment are comment
22:08 < hehehe> :)
22:08 < hehehe> I can solve it  all
22:09 < hehehe> just saying try to drop uni ways
22:09 < hehehe> and learn as kid and compare
22:09 <@ordex> I don't know what that is
22:10 < hehehe> well dont u remember how fast you learned as 3,4,5
22:10 <@ordex> yup I agree
22:10 <@ordex> that's why you should keep on doing that
22:10 < hehehe> :)
22:10 <@ordex> that's why we are hackers and like to keep on breaking stuff to see how they works. but what has this to do with the school ?
22:11 <@ordex> these things are parallel
22:11 <@ordex> which is then what makes the result
22:16 < hehehe> I understand but there are many ways to solve same thing some ways are easy some are unnecessary complex
22:18 <@ordex> agreed, that's where you need to be smart )
22:18 <@ordex> :)
22:20 < hehehe> i have talked about it with chinese bud
22:20 < hehehe> :)
22:21 < hehehe> what happens is the way I like to learn differs from school way and so naturally when people of school way want to encourage learning its the school way process of learning
22:21 < hehehe> which I droped
22:21 < hehehe> :)
22:21 < hehehe> hence the mix
22:21 < hehehe> I am going to fix rdp
22:22 <@ordex> well, nobody "encouraged" the school way. I simply did not want to do the work for you :P
22:43 < hehehe> what work
22:43 < hehehe> u know exactly what to do
22:43 < hehehe> :P
--- Day changed Tue May 16 2017
00:28 <+hyper_ch> krzee: dazo: ecrist: syzzer: https://www.theregister.co.uk/2017/05/16/openvpn_security_audit/
00:28 <@vpnHelper> Title: Good news, OpenVPN fans: Your software's only a little bit buggy • The Register (at www.theregister.co.uk)
00:41 <+nbastin> even by the register's standards that's a horribly written article
06:10 < hamdjan> hi
06:10 < hamdjan> should i install openvpn manually or use something like this? https://github.com/sprokhorov/ansible-openvpn
06:10 <@vpnHelper> Title: GitHub - sprokhorov/ansible-openvpn: Bootstrap openvpn server for Ubuntu 14/16 or CentOS 7 (at github.com)
06:15 < skyroveRR> Download the tarball from the official openvpn site, not from github hamdjan
06:16 < hamdjan> skyroveRR, this github link is no install source, it uses the repos, its just a playbook to automate it
06:16  * skyroveRR hates stuff that is automated.
06:17 <+hyper_ch>   skyroveRR hates cars :)
06:17 < BtbN> Why not use your distributions packages?
06:18 <+hyper_ch> hamdjan: it's not good to query random people you've never talked to just because they are in an irc channel
06:18 <+hyper_ch> BtbN: it does, but that ansible script seems also to setup configs and stuff....
06:19 < hamdjan> hyper_ch, i wanted to ask something i didnt want to write in public
06:19 <+hyper_ch> 99% of the things that people do not want to write in public don't matter if posted in public
06:20 < hamdjan> hehe probably
06:20 <+hyper_ch> also, hamdjan, I have no idea who you are or why you queried me... I didn't even know you were in #openvpn until you wrote something here.... not good to just query random people
06:20 <+hyper_ch> usually they end up on my ignore list directly
06:21 < hamdjan> seen you a few times on another channel and i was curious if you know if people share maxmind geoip2 either by shared subscription or other channels
06:21 < hamdjan> for smaller websites their subscription is just too expensive
06:22 <+hyper_ch> I don't use geoip2
06:24 < hamdjan> mhm i see... sticking with the free version geoip light for now then :)
06:51 < Enrix> Hi all
06:51 < hamdjan> are keys and config options used in this tutorial still secure? https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
06:51 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
06:52 < Enrix> when I launch # openvpn /etc/openvpn/server/server.conf or openvpn /etc/openvpn/client/client.conf I dont receive any otput. How can I troubleshoot?
06:55 < rob0> !blog
06:55 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
06:55 < rob0> hamdjan, ^^ but I might look at it in a bit.
06:56 < rob0> !daemon
06:56 <@vpnHelper> "daemon" is openvpn starts in the foreground by default, with output going to the terminal. if you use --log then the output goes to the file instead of the terminal. with --daemon openvpn will go to the background after starting
06:56 < rob0> Enrix, ^^
06:58 < rob0> hamdjan, Step 2, two insecure mistakes.  First, they are setting up a CA on an openvpn server, and that is wrong.  The CA should be maintained somewhere away from the VPN.
06:59 < rob0> Second, they are using a virtual machine (I presume, since it is from DO) for the CA, and that's also wrong, because a VM lacks a native source of entropy.
06:59 < rob0> !entropy
06:59 <@vpnHelper> "entropy" is https://www.youtube.com/watch?v=95N2KXqH5cs for a nice talk that explains some nice info on rsa factoring, especially why you need good entropy sources
07:01 < rob0> on the plus side it does appear that they're not using the root account for the CA
07:02 < rob0> but in general I'd recommend that you stick with
07:03 < rob0> !howto
07:03 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
07:03 < hamdjan> rob0, well that sounds not that bad, i worred that the used keys might be too weak (only 2048 bits) and a weak cipher AES-128-CBC :)
07:04 < rob0> oh, you can research that as well, we're not crypto experts around here for the most part
07:04 < hamdjan> rob0, hmk, going to finish this one, because im already at step 12, and then redo it with openvpns howto
07:04 < rob0> the keys are definitely weak if entropy is lacking when generating them
07:05 <@ecrist> hyper_ch: sup?
07:06 < rob0> IIUC many successful crypto attacks are based on the ability to guess the "random" numbers used.
07:07 <@ecrist> that's the big one
07:07 <@ecrist> they other one is tricking the session to renegotiate to something the attacker knows
07:14 <+hyper_ch> ecrist: big one?
07:15 <+hyper_ch> ecrist: still alive... trying to get ipv6 to run properly
07:17 < rob0> Run, Forrest, Run!
07:18 <+hyper_ch> well, theoretically I have a fixed /48 prefix available
07:18 <+hyper_ch> practically I can't get it to run :(
07:20 <@ecrist> hyper_ch: re: the vuln report.  thanks for the link, I hadn't read the article.  I was aware of the reports and reviewed the results over the past month with the rest of the security team.
07:20 <@ecrist> My part was mostly as an observer, so don't give me any credit.
07:21 <+hyper_ch> well, the overall review seems rather positive
07:22 < rob0> We give credit to God!  All others must pay up front.
07:22 <+hyper_ch> God? You mean the FSM?
07:22 < rob0> isn't that just an impasta?
07:22 <@ecrist> yeah, we were pleasantly surprised with the results.  The developers worked their asses off to address nearly every item in the reports before they were made public.
07:23 <+hyper_ch> and your job was to refill the coffee cups?
07:23  * hyper_ch hides
07:23 < rob0> that's an important job
07:25 <+hyper_ch> refill coffee cups and empty pizza plates :)
07:25 <+hyper_ch> refill empty plates with pizza slices
07:25 < havoc> seems like both [reported] vulnerabilities are related to denial of service
07:26 <@ecrist> yeah, most stuff was just "breaking" connections, not "breaking into" or deciphering anything
07:26 < havoc> exactly
07:27 <+hyper_ch> "OpenVPN is good quality code, no doubt, but it mostly looks like that because OpenSSL and similar are just pieces of unfathomable shite in comparison."
07:28 < Enrix> guys how can I troubleshoot openvpn if I dont receive any output?
07:28 <+hyper_ch> log
07:28 < rob0> Enrix, is yours a write-only client?"
07:28 <+hyper_ch> what's a write-only client?
07:28 < rob0> I already answered you and FLAGGED you on the answer.
07:29 < Enrix> rob0, what does it means? didnt see
07:33 < Enrix> dont know what write-only client means
07:41 < rob0> it means in this case that you should scroll back to 11:49 UTC, when I answered the question that you repeated.
08:21 < Enrix> I can read just Enrix ^^
08:35 < rob0> Enrix, I'll try again.  I'll type this line, then call up a factoid for you, and perhaps this time you can see it.
08:35 < rob0> !daemon
08:35 <@vpnHelper> "daemon" is openvpn starts in the foreground by default, with output going to the terminal. if you use --log then the output goes to the file instead of the terminal. with --daemon openvpn will go to the background after starting
08:38  * DArqueBishop hands rob0 a donut.
08:39 < rob0> O <-- very nice, ty
08:40 < DArqueBishop> We have guests from out-of-town offices here today, and one brought donuts and kolaches.
08:41 < rob0> Can't beat guests with goodies.
08:45 < Enrix> ok I saw the log
08:46 < Enrix> Options error: --client-config-dir fails with 'ccd/m': No such file or directory
08:46 < Enrix> Options error: Please correct these errors.
08:46 < Enrix> Use --help for more information.
08:48 < Enrix> where I suppose to see that dir?
09:02 < rob0> A ccd which is a relative path (not beginning with "/" which is an "absolute path") would be relative to the directory in --cd
09:03 < rob0> or if no --cd I think it is relative to the current working directory
09:03 < rob0> Your --client-config-dir must exist.
09:04 < havoc> hmm, gonna need 16 tun adapters
09:07 < havoc> hmm, or can I use one, if there are 16 ovpn server confs, but all binding on diff ports?
09:08 < havoc> nope, won't work, as IPs need to all be diff for each diff subnet
09:08 < havoc> , unless I aliased everything
09:10 < rob0> different tun for each instance
09:10 < havoc> that's pretty much what I was thinking
09:10 < rob0> yes, different netblock also, but RFC 1918 is very big so that should be no problem.
09:11 < havoc> gonna use a /25 for them all, topo subnet
09:11 < rob0> a /25 for 16?
09:11 < hamdjan> is the private key encryption, e.g. rsa 2048 bits, only relevant when you set a passphrase? without passphrase you could also just use no encryption right?. because the authentication in openvpn is done with SHA256 or SHA512 anyways and the encryption with e.g. AES-256-CBC
09:12 < havoc> rob0: no, /25 for each
09:12 < havoc> need ~2,000 total clients
09:12 < rob0> ah, okay, so that could all fit in a /20 if I figured my subnetting right :)
09:13 < havoc> I'll do udp:1194 for provisioning, w/ --duplicate-cn, then gen custom CNs from there, push new configs to clients for reconnect
09:13 < havoc> rob0: a /21 actually, but I'm setting aside a /20 just in case ;)
09:14 < havoc> the server is a vm on a blade center, so if it needs more power, we can add it
09:16 < havoc> I'm using shorewall for fw, so I'll setup a "zone" for the whole /20 via "hosts" instead of per iface
09:20 < Enrix> ok when I launch server.conf I receive a request for a password but if I remember well when I created the public certificate it was: easyrsa gen-req "servername" nopass
09:20 < Enrix> someone can explain why it is asking me the password?
09:22 < hehehe> http://www.nerdjargon.com/2013/10/how-to-force-windows-application-to-use.html
09:22 <@vpnHelper> Title: Nerd Jargon: How To Force A Windows Application To Use Your VPN (at www.nerdjargon.com)
09:22 < hehehe> here
09:22 < hehehe> messing with routes lead to reinstall of server
09:22 < hehehe> nbastin: lol dude why even advice such stuff
09:37 < DArqueBishop> What was that all about?
09:53 < engi> is there a javascript library?
09:54 < engi> I'm looking into making a html5 client
09:54 < kerio> browsers don't allow arbitrary sockets
09:54 < kerio> especially not UDP ones
09:55 < engi> kerio: what about a native vpn
09:55 < engi> in chrome
09:56 < engi> it's for an extension
09:57 < rob0> openvpn is not such a thing
09:57 < engi> rob0: it can't be used for web traffic?
09:57 <@krzee> you mean "it cant be established over the web?"
09:57 < rob0> openvpn can be used for any and all traffic
09:57 <@krzee> and no to that
09:58 < rob0> but browser-based "VPNs" cannot
10:01 < engi> rob0: I just want to have the browser traffic go through a vpn
10:02 < engi> the idea was using an extension instead of a desktop app
10:03 <@krzee> wrong idea
10:03 <@krzee> i would suggest a socks proxy for that goal, potentially over openvpn if you like
10:04 <@krzee> !sockd
10:04 <@vpnHelper> "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
10:04 <@krzee> !routebyapp
10:04 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination., or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
10:04 <@vpnHelper> policies you set. For Linux, read about !lartc
10:06 < engi> kerio: doesn't this support arbitrary sockets https://developer.chrome.com/apps/sockets_tcp
10:06 <@vpnHelper> Title: chrome.sockets.tcp - Google Chrome (at developer.chrome.com)
10:07 < kerio> krzee: hold on, why wouldn't it work as a browser extension?
10:10 < Enrix> I saw many guides and I can see that easyrsa gen-req is use to create a request to be signed from the ca and at the same time it created a private key. In other guides to create the private key it is used build-client-full. Can somebody explain me the difference?
10:10 < Enrix> thanks
10:11 < engi> kerio: there's also for udp https://developer.chrome.com/apps/sockets_udp
10:11 <@vpnHelper> Title: chrome.sockets.udp - Google Chrome (at developer.chrome.com)
10:20 < Enrix> guys why gen-req servername create the servername.key if there is a particular command like build-server-full to create the private key?
10:23 < rob0> Perhaps the problem is that you're using blog posts rather than the real documentation.  I don't use easy-rsa myself, but I do believe it is documented.
10:24 < kerio> even if it wasn't, it's hardly the most difficult thing to read
10:24 < kerio> it's a shellscript
10:25 < rob0> Most random bloggers barely understood what they did, so it's risky to use them to learn things.
10:25 < Enrix> ok so what do you use if not easyrsa?
10:26 < kerio> you missed our point
10:26 < kerio> !blogs
10:26 < kerio> !blog
10:26 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
10:27 < Enrix> https://wiki.archlinux.org/index.php/Easy-RSA this is the guide I use
10:27 <@vpnHelper> Title: Easy-RSA - ArchWiki (at wiki.archlinux.org)
10:27 < havoc> Enrix: that is not the same as: https://openvpn.net/index.php/open-source/documentation/howto.html
10:27 <@vpnHelper> Title: HOWTO (at openvpn.net)
10:27 < havoc> ^^^ that is what you should be using if you expect to get help here
10:28 < rob0> what I use?  I was stupid and spent the time and energy to learn the openssl commands.  I think you're better off staying with easyrsa :)
10:30 < havoc> Enrix: the point is that someone else's documentation is someone else's documentation, you should ask them, if you're using their docs
10:30 < havoc> Enrix: if you want help here, then you should use OpeVPN's docs
10:53 < engi> are there commercial services using openvpn
11:24 <@krzee> there are many commercial services that use openvpn, some of the admins even hang out here
11:24 <@krzee> but depending on your goal, they may or may not help you achieve it
11:24 <@krzee> !goal
11:24 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:26 <@krzee> hell, even openvpn technologies has commercial services that use openvpn
11:27 <@krzee> all found from openvpn.net i think they call the vpn service privatetunnel and they have a solution for openvpn called OpenVPN-AS that makes managing users and stuff much easier i hear, it's all gui based with a web interface
11:52 -!- |Mike| [mike@2001:19f0:5001:21c::3] has joined #openvpn
11:52 < |Mike|> re.
11:53 < |Mike|> sudo apt-get update
11:53 < |Mike|> err
12:12 < engi> krzee: like openvpn-aas?
12:13 < engi> krzee: goal is internet access over vpn, for geo-fencing, privacy etc
12:13 < engi> kind like hola does
12:21 < r1ppa> Hey guys! Trying to solve a DNS mystery, some machines do not respect the DNS server added via OpenVPN config, do the TAP adapters act up from time to time? How to troubleshoot?
12:22 < engi> wireshark
12:22 < r1ppa> when folks are remote with VPN on, a few will not work while most are fine, same setup/install
12:22 < r1ppa> yeah getting wireshark now
12:22 < r1ppa> but wondering if TAP adapter has a history of this problem
12:22 < engi> idk
12:22 < r1ppa> me either
12:28 <@ordex> it does not. unless there is a bug in the system specific implementation
12:36 < engi> I want to murder the barking dogs
12:40 < r1ppa> reading people are changing their InterfaceMetric to something lower than the rest of the adapters, this really necessary?
12:41 < r1ppa> wireshark almost setup, I am sure it wll just confirm, yup, your are not trying your internal DNS....what then?
13:21 < r1ppa> ok wireshark is confusing me lol
13:21 < r1ppa> I ping the hostname, expected result, nothing, but wireshark tells me DNs went to expected server, then gives 2 responses.....dafuuuuuq, yet my window shows me no dice
13:22 < r1ppa> ping IP fine, hostname just not getting back to me
13:58 < r1ppa> Can anyone help with DNS resolve issues and OpenVPN?
14:59 <@krzee> r1ppa: what OS is the client that is not respecting your dns settings?
15:00 <@krzee> any unix os will need a script to take the dns settings in openvpn and apply them
15:00 <@krzee> !pushdns
15:00 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for
15:00 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
15:01 <@krzee> damn i cant stay for the answer, but theres some info, hopefully it helps you
15:01  * krzee off to work
18:23 < fsdsdsd> So
18:23 < fsdsdsd> I need to clarify something
18:23 < fsdsdsd> So
18:23 < fsdsdsd> username-as-common-name
18:23 < fsdsdsd> So!
18:24 < fsdsdsd> I use that config option when I use one certificate for all clients.
18:25 < fsdsdsd> So
18:25 < fsdsdsd> What I would do is setup my CA
18:25 < fsdsdsd> my server's certs
18:25 < fsdsdsd> one certificate all clients share
18:25 < fsdsdsd> but require a username + password?
18:25 < fsdsdsd> so I'd use username-as-common-name to identify each client by their username instead of common name?
18:28 <+nbastin> yrd
18:28 <+nbastin> er, yes
18:28 < fsdsdsd> nbastin:
18:28 < fsdsdsd> So!
18:28 < fsdsdsd> its me again btw
18:28 < fsdsdsd> from last night
18:29 < fsdsdsd> the confused guy
18:29 < fsdsdsd> I changed my search queries and appeared to have found a lot more documents
18:30 < fsdsdsd> so nbastin
18:30 < fsdsdsd> I'm bugging you again
18:30 < fsdsdsd> :^)
18:30 < fsdsdsd> but I'm following your advice
18:30 < fsdsdsd> to an extent.
18:31 < fsdsdsd> nbastin: So instead of generating hundreds of seperate certficiates, I can simply generate one and use username password + certificate
18:32 <+nbastin> yes
18:32 <+nbastin> (sorry, was getting ice)
18:32 <+nbastin> the downside is if that cert is every compromised you have to revoke the entire thing
18:32 <+nbastin> so, for all users
18:32 <+nbastin> ever, even
18:33 < fsdsdsd> Well
18:33 < fsdsdsd> If I'm understanding correctly from you last night
18:33 < fsdsdsd> The only way for a cert to be compromised is if my CA is comped
18:33 < fsdsdsd> ?
18:33 <+nbastin> no
18:33 <+nbastin> each cert you issue (hopefully) has a separate private key
18:34 <+nbastin> I mean if you're giving out one cert to all clients it's quasi-compromised by default
18:34 <+nbastin> since any one of them could just give it to someone
18:34 < fsdsdsd> yes and no
18:34 < fsdsdsd> They'd have to share their login too
18:34 <+nbastin> so it really only serves as a server validation
18:34 < fsdsdsd> yea
18:34 <+nbastin> well it gets to the root of what a cert can be used for
18:35 <+nbastin> the certificate in this case is being used to validate server identity
18:35 <+nbastin> (and secure the conenction, but anything could be used for that)
18:36 < fsdsdsd> So the connections are safe even if the certificate is shared as long as the login isn't?
18:36 <+nbastin> if the cert is compromised for this usage, it means a cert that basically looks the same identifies another server root
18:36 <+nbastin> it depends on your definition of safe.. :-)
18:36 <+nbastin> I mean you have to assume that random person X has your client cert
18:36 <+nbastin> which means that you server can still be attacked by brute force on the logins
18:37 < fsdsdsd> ok
18:37 < fsdsdsd> lets assume we have a perfectly secure username - password system
18:37 <+nbastin> (e.g. someone just tries endlessly to find a username/password that work, since your cert is effectively "public")
18:37 < fsdsdsd> Sharing the common cert would be ok?
18:37 <+nbastin> I'm not sure what a perfectly secure system would mean.. :-)
18:38 < fsdsdsd> lets pretend they can never enforce it
18:38 <+nbastin> I mean you're allowing someone to send you thousands of username/password combos
18:38 < fsdsdsd> force it*
18:38 < fsdsdsd> ok
18:38 < fsdsdsd> Well, if they fail multiple times I automatically drop their packets
18:38 <+nbastin> this is not awful, obviously lots of systems *only* work this way
18:38 <+nbastin> but that is the exposure you have
18:38 <+nbastin> when you make the decisions it's entirely about what kind of security you can live with
18:39 <+nbastin> with a common cert and user/pass, you allow a brute force attack with a relatively small valid set
18:39 <+nbastin> (compared to a 2048bit key or something)
18:39 <+nbastin> so, it's more possible
18:39 < fsdsdsd> Yea
18:39 <+nbastin> of course, someone needs your cert, but lets assume that's not actually hard
18:39 < fsdsdsd> But the actual comminication between the client and server is safe?
18:39 <+nbastin> yes
18:40 < fsdsdsd> but someone else can force their way in
18:40 < fsdsdsd> in theory
18:40 <+nbastin> right
18:40 < fsdsdsd> Ty
18:40 <+nbastin> the only way for someone to decrypt TLS (properly implemented) is if they have the SERVER key
18:40 <+nbastin> the client cert is useless to them
18:40 <+nbastin> (and the client key)
18:41 < fsdsdsd> So one layer of security is gone
18:41 < fsdsdsd> Ty
18:41 <+nbastin> you lose the first layer of fast-rejection, yes
18:41 <+nbastin> it's trivial to reject a client-cert that is bad
18:41 <+nbastin> so the burden here is on your side, it doesn't affect your clients
18:42 <+nbastin> they are still secure, but you might be able to be more easily attacked from someone else
18:42 < fsdsdsd> I'd impliment soemthing like Fail2Ban
18:42 < fsdsdsd> That would be vulnerable for UDP though
18:42 <+nbastin> that is useful, but realistically if someone has a botnet, they'll just look like millions of distinct IPs
18:42 <+nbastin> (the in-vogue way to attack services now)
18:43 <+nbastin> again, this is not horrible, every https web site in the world is attackable this way
18:43 <+nbastin> (since they don't have client certs)
18:43 < fsdsdsd> I'm already under attack by a botnet.
18:43 <+nbastin> it's just one thing you lose
18:46 <+nbastin> network security (and all security) is all about layers, and you pick the layers that you want and what they cost you
18:46 < fsdsdsd> ok
18:46 < fsdsdsd> I'm installing Ubuntu on this laptop as we speak
18:46 < fsdsdsd> so I may have to disconnect.
18:46 <+nbastin> kk, I'll be here, as I always am.. :-)
18:47 <+nbastin> well, there is one point to be made here if you care about forward security
18:48 <+nbastin> which is that if you give them all the same cert you risk all their sessions if your server cert is ever compromised
18:48 < fsdsdsd> Tradeoffs
18:48 < fsdsdsd> nbastin: if my server crt is compromised, I have much bigger issues.
18:48 <+nbastin> but not doing that also means rotating intermediate CA certs
18:48 <+nbastin> so it's a larger system to solve the problem
18:49 <+nbastin> you should assume that your server cert is likely to be compromised
18:49 <+nbastin> and rotate it often
18:49 <+nbastin> you have to put the private key where a piece of software can use it, which means that it can be compromised
18:49 < fsdsdsd> OpenVPN downgrades it's privledges
18:50 < fsdsdsd> OpenSSH is hidden behind knockd
18:50 < fsdsdsd> SSH Keys
18:50 <+nbastin> it doesn't matter, it is a system on the internet.. :-)
18:50 < fsdsdsd> Sudo disabled.
18:50 < fsdsdsd> Updated Kernel
18:50 <+nbastin> we know that openssh leaked keys
18:50 <+nbastin> there are zero-days
18:50 <+nbastin> you have to assume that you operate in a world where some zero day will compromise your server cert
18:50 < fsdsdsd> True
18:50 < fsdsdsd> I could always do something like use Grsecurity
18:50 <+nbastin> and thus rotating it frequently assists in forward-security
18:51 <+nbastin> if you change your server cert every month, you have only 30 days of leaked past
18:51 <+nbastin> etc.
18:51 < fsdsdsd> True
18:51 < fsdsdsd> So
18:51 <+nbastin> we rotate server certs every day, but we are crazy.. :-)
18:52 < fsdsdsd> In the world of 0Days there are solutions
18:52 <+nbastin> I rotate server certs every day and intermediates every 100 certs or every 30 days, whichever is less
18:52 < fsdsdsd> ASLR
18:52 < fsdsdsd> Hardened Kernels
18:52 < fsdsdsd> Disable root
18:52 < fsdsdsd> Lower your privledge
18:52 < fsdsdsd> It makes it harder.
18:52 <+nbastin> it's an arms race, you should never assume that you will beat the next thing you've never heard of
18:52 < fsdsdsd> Not impossible.
18:52 < fsdsdsd> True
18:53 <+nbastin> so we basically act as if our certs will be compromised, and start from that position
18:53 < fsdsdsd> How do you handle getting new keys out to clients daily?
18:53 <+nbastin> what can we live with when that happens
18:53 <+nbastin> we don't
18:53 < fsdsdsd> ..?
18:53 <+nbastin> the clients keep using the same certs issued from the intermediate CA
18:53 <+nbastin> only the server certs change
18:53 <+nbastin> a client connected 10 days ago is still using a 10-days-ago server cert
18:53 <+nbastin> (if they're still connected)
18:54 <+nbastin> all new connections come in on the new certs
18:54 < fsdsdsd> ah
18:54 <+nbastin> there's really nothing to be done about that unless you force clients to disconnect
18:54 <+nbastin> you could do that, but we decided not to
18:54 <+nbastin> (there's never a good time)
18:54 < fsdsdsd> so if you change the server cert
18:54 < fsdsdsd> the clients need a new cert?
18:54 < fsdsdsd> or
18:54 <+nbastin> no
18:54 <+nbastin> so the clients keep their certs
18:54 <+nbastin> forever
18:55 <+nbastin> (unless an intermediate CA cert is compromised)
18:55 < fsdsdsd> Just change the server cert
18:55 <+nbastin> the server cert rotates
18:55 <+nbastin> the server makes the session keys
18:55 <+nbastin> which is why you don't want to lose that cert
18:55 < fsdsdsd> So as long as your CA is safe
18:55 <+nbastin> our CA is offline.. :-)
18:56 <+nbastin> the local site admin makes a new server cert and copies it on USB stick
18:56 < fsdsdsd> UI'm copying that
18:56 < fsdsdsd> nbastin: You give me good ideas for Security
18:56 <+nbastin> although you could issue the server certs automatically from the intermediate CA you are currently using online
18:56 < fsdsdsd> A good way to stay secure is to use OpenBSD :^)
18:56 <+nbastin> that would basically be fine as well
18:56 <+nbastin> the OS really is irrelevant
18:56 < fsdsdsd> not really
18:56 <+nbastin> they have different policies, but any given day there's no point
18:56 < fsdsdsd> OpenBSD devs comb over every line
18:57 < fsdsdsd> What was the last big OpenBSD 0day?
18:57 <+nbastin> again, you *have to assume you will be compromised by a thing you have never heard of*
18:57 < fsdsdsd> True
18:57 <+nbastin> there is theory and practice.. :-)
18:57 <+nbastin> yes in theory some OSes are better
18:57 <+nbastin> but in practice your assumption should be that no one knows about the exploit that will screw you
18:57 < rob0> wait, you're worried about being secure, and you're using a single cert for all clients?
18:58 <+nbastin> rob0: I'm not, he is.. :-)
18:58 < rob0> yes, I know
18:58 <+nbastin> I mean that doesn't strongly violate various security rules
18:58 <+nbastin> it just means the cert is only used for server identity
18:58 <+nbastin> which means it provides utility to the client, and no utility to him
18:58 <+nbastin> but that is still useful
18:59 < fsdsdsd> rob0:
18:59 < rob0> there is certainly no IMPROVEMENT in a shared cert, it's only ease of use
18:59 < fsdsdsd> ^
18:59 < fsdsdsd> That's the point
18:59 < rob0> Generally security and ease of use are a tradeoff.
18:59 <+nbastin> using a shared cert issued from YOUR CA, identifies your server
18:59 <+nbastin> this is of use
18:59 <+nbastin> if you issued a shared cert from like, comodo, well that'd be stupid
19:00 <+nbastin> but it is ONLY used to identify that the server was issued from a trusted CA (hopefully YOUR CA)
19:00 < fsdsdsd> rob0: The idea is to have the connection between the server and client be secure
19:01 <+nbastin> and then yeah, you control the basic security of the session key exchange, which is also useful
19:01 <+nbastin> assuming you choose something reasonable
19:01 < fsdsdsd> Assuming they do bruteforce a login, the worst they can do is browse the web in someone elses account
19:01 < fsdsdsd> Accounts are stateless in a way
19:01 <+nbastin> fsdsdsd: well browsing the internet as someone else might compromise that person in troubling ways, but that's *way* out of scope for this discussion
19:02 < fsdsdsd> nbastin: They can't be individualy identified
19:02 <+nbastin> fsdsdsd: you think that's true.. :-)
19:02 <+nbastin> that is definitely not true
19:02 < fsdsdsd> Yes and no.
19:02 < fsdsdsd> I know of browser fingerprinting
19:02 <+nbastin> if someone with access to backend web tracker metadata has access to the frontend account info...
19:03 < fsdsdsd> And?
19:03 <+nbastin> but that's completely orthogonal to this discussion
19:03 <+nbastin> as that is true regardless of connection mechanism
19:03 < fsdsdsd> You have to remember though, everyone shares one IP
19:03 < fsdsdsd> Different browser fingerprints
19:03 <+nbastin> it doesn't matter
19:03 <+nbastin> trackers track users, not IPs
19:03 < fsdsdsd> That's outside of the VPN's scope
19:04 <+nbastin> yes, that is my point
19:04 < fsdsdsd> Your Gmail login and your VPN are different
19:04 <+nbastin> it's outside this scope
19:04 <+nbastin> but it's possible
19:04 < fsdsdsd> The VPN login contains nothing identifying
19:04 <+nbastin> well, again, if you have access to both, you can identify the vpn user account and tie them to their web behaviour
19:05 < fsdsdsd> if you have access to the person's personal accounts and the VPN the only thing you can confirm is that they use the VPN
19:05 <+nbastin> (we do work identifying people from their encrypted traffic, trust me, easier things are possible.. :-))
19:05 < fsdsdsd> nbastin: It's a good thing I broadcast as much info as possible
19:05 < fsdsdsd> Removing noise making a better SNR
19:06 < fsdsdsd> Why remove hay from the haystack when you can keep throwing more on faster than they can search?
19:06 < fsdsdsd> Searching is hard. Generating is easy
19:06 <+nbastin> you are unlikely to add faster than can be searched.. :-)
19:06 <+nbastin> this was true once upon a time
19:06 <+nbastin> like, in the 1990s
19:06 <+nbastin> it's not true now
19:07 <+nbastin> compute power is massively outpacing network throughput
19:07 < fsdsdsd> nbastin:  I can throw out about 2tb a day per server of data
19:07 < fsdsdsd> Thats on a 250mb/s connection.
19:07 < fsdsdsd> 8TB on 1gb/s
19:07 < fsdsdsd> in theory.
19:07 <+nbastin> I can crunch that in less than a minute probably
19:07 < fsdsdsd> 80 on 10
19:08 < fsdsdsd> 80TB on 10gb/s
19:08 < fsdsdsd> Now lets say I have 100 servers.
19:08 <+nbastin> if I had to do super high memory copies for inspection I'd have to take longer.. :-)
19:08 < fsdsdsd> 8PB~ a day
19:08 < fsdsdsd> keeping up with storage demands alone would be cost prohibative
19:08 < fsdsdsd> Not to mention downloading 8PB a day
19:09 <+nbastin> you don't just need 100 servers, you need bandwdith to match
19:09 < fsdsdsd> 100 servers with 10gb/s
19:09 <+nbastin> I mean assuming I'm local to your servers, that's not really a factor
19:09 <+nbastin> (100G a site?  maybe 200G?)
19:10 < fsdsdsd> There's ways to drown out the system
19:10 <+nbastin> I mean *I* have access to 100s of Gs, imagine what a government actor has
19:10 <+nbastin> (you may have missed my 99.5G iperf testing openvpn...)
19:11 <+nbastin> I really should get back to workinbg on that tonight.. :-)
19:11 < fsdsdsd> If my goal was to evade a government I'd use Tor.
19:11 < fsdsdsd> tor + whoonix / Tails
19:11 <+nbastin> we have single servers that handle ~340G
19:11 < fsdsdsd> I'd never browse the clearnet
19:12 <+nbastin> and...a bunch of them
19:12 < fsdsdsd> tor is a challenging beast
19:12 <+nbastin> (they have 12x40G, but 340G is about all I can really manage)
19:12 <+nbastin> for inspection
19:12 <+nbastin> I will just reiterate that you should not assume that.. :-)
19:13 <+nbastin> and thus if you want forward-security you should rotate keys
19:13 < fsdsdsd> True
19:13 <+nbastin> if you want to protect your OWN servers and easy-drop bad actors, then give clients individual certs
19:13 <+nbastin> if you don't care so much about that
19:14 <+nbastin> and want to just validate your servers for clients, the one cert is fine
19:14 <+nbastin> then your only concern is if someone can hash a new server that matches your CA
19:14 <+nbastin> which lets presume is a few years out if you use modern hash lengths
19:14 < fsdsdsd> Realistically if I wanted to share data securely
19:15 < fsdsdsd> I'd do it in person without a phone
19:15 <+nbastin> what are phones?  :-)
19:15 < fsdsdsd> your cellphone
19:15 < fsdsdsd> it's pretty.
19:15 <+nbastin> I don't have a cellphone.. :-)
19:15 < fsdsdsd> laptop...?
19:16 <+nbastin> (we did a demo a few years ago with an SDR acting as GSM tower and hijacked everyone in the room)
19:16 < fsdsdsd> nothing new
19:16 <+nbastin> I do have a laptop, but I only ever use it on the road and don't have anything on it I care about
19:16 <+nbastin> right, but this is why not to use these things
19:16 < fsdsdsd> why go for GSM?
19:16 < fsdsdsd> 99% of people leave WiFi on
19:16 <+nbastin> well in 2011 GSM was what we used...
19:16 <+nbastin> oh god wifi is too easy
19:16 < fsdsdsd> Hey
19:16 <+nbastin> not interesting
19:16 < fsdsdsd> i'm your wireless network!
19:16 < fsdsdsd> Authenticate against me!
19:16 < fsdsdsd> oh, ads.google.com?
19:17 <+nbastin> "thanks for beaconing me your ssid, I can be that ssid"
19:17 < fsdsdsd> You mean my.badwebsite.com?
19:17 <+nbastin> my friends used to think I was crazy...these days they find me less crazy
19:17 < fsdsdsd> what's that?
19:17 < fsdsdsd> i'm busy throwing RPI 0w's in your office ;)
19:18 < fsdsdsd> Totally not jacking your clients.
19:18 <+nbastin> we haz no wifi, have fun!  :-)
19:18 < fsdsdsd> Ethernet.
19:18 < fsdsdsd> Give me an open jack
19:18 <+nbastin> have fun with the 802.1x OF switch endpoint you are connected to.. :-)
19:19 <+nbastin> we run a wifi network that can reach teh internet for visitors
19:19 <+nbastin> you can compromise that a lot.. :-)
19:19 < fsdsdsd> Security is good.
19:19 < fsdsdsd> But.
19:19 < fsdsdsd> Nothing stops me from just breaking your legs.
19:19 < fsdsdsd> People squeel like pigs when you break their legs.
19:19 <+nbastin> ok but that existed before the internet.. :-)
19:19 < fsdsdsd> If you're the government, you don;t break their legs.
19:19 < fsdsdsd> You break their family.
19:19 < fsdsdsd> Your daughter sally?
19:20 < fsdsdsd> You want to watch her slowly die a painful death by cyanide?
19:20 < fsdsdsd> or you want to give us the docs we want.
19:20 <+nbastin> but presumably you are trying to protect your users from being in that situation in the first place
19:20 <+nbastin> which is why security is good
19:20 < fsdsdsd> no
19:20 < fsdsdsd> You don't trust a company in that situation
19:20 < fsdsdsd> You host your own VPN
19:21 < fsdsdsd> I can eavsedrop.
19:21 <+nbastin> and...trust a company?
19:21 <+nbastin> where can you host your own VPN where you don't trust someone else
19:21 < fsdsdsd> Trust no one.
19:21 <+nbastin> I mean, using the internet is stupid in that case
19:21 <+nbastin> period
19:21 < fsdsdsd> yea
19:21 < fsdsdsd> Use tor then
19:21 < fsdsdsd> tor -> VPN
19:21 <+nbastin> (again with the "don't use a VPN to access a network you already have access to")
19:21 <+nbastin> (or tor)
19:22 < fsdsdsd> Onions make me cry
19:22 <+nbastin> use cakes
19:22 <+nbastin> they have layers too.. :)
19:22 < fsdsdsd> like a ogre
19:22 <+nbastin> indeed
19:23 < fsdsdsd> ShrekNET VPN
19:23 < fsdsdsd> It's All Orge NOW
19:23 <+nbastin> heh
19:23 < fsdsdsd> I need a new laptop
19:23 < fsdsdsd> What should I Get?
19:23 <+nbastin> .shreknet
19:23 < fsdsdsd> I want Linux support
19:24 <+nbastin> hrm, I should use that for my next private network root
19:24 < fsdsdsd> lol
19:24 < fsdsdsd> I might host OpenVPN in docker
19:24 <+nbastin> we currently use the .ftn (floyd-ter-net)
19:25 <+nbastin> everything that doesn't have a name is named floyd
19:25 <+nbastin> or bruce
19:25 < fsdsdsd> You know what you need to use?
19:25 < fsdsdsd> it.hertz
19:25 <+nbastin> hrm, is hertz really not already a tld?  :-)
19:26 < fsdsdsd> oh
19:26 <+nbastin> it's not
19:26 <+nbastin> but it seems a risk
19:26 <+nbastin> (I just searched root.zone)
19:26 < fsdsdsd> get please disconnectfrommy.net
19:27 <+nbastin> .net is a TLD for sure.. :-)
19:27 < fsdsdsd> cheese.pizza
19:27 < fsdsdsd> do not click that.
19:27 < fsdsdsd> That is a dark joke
19:28 < fsdsdsd> I don't know if I want to install Ubuntu with Unity
19:28 < fsdsdsd> or Mate
19:29 < fsdsdsd> I just bought 2 32GB usb's
19:29 < fsdsdsd> Should I buy a third
19:29 < fsdsdsd> They're $10
19:29 < fsdsdsd> but they are also 10mb/s write....
19:30 <+nbastin> how could I click things in my terminal?  :-)
19:31 < fsdsdsd> have a nice terminal
19:31 <+nbastin> I do not generally access the internet, I ssh through a vpn to a host that accesses the internet for irc and such
19:32 < fsdsdsd> ...
19:32 <+nbastin> and runs mutt for my email
19:32 < fsdsdsd> r
19:32 < fsdsdsd> r-richard stallman?
19:32 < fsdsdsd> do you use emacs?
19:32 <+nbastin> ew no.. :-)
19:32 <+nbastin> I'm a vim user
19:32 < fsdsdsd> >not nano
19:32 <+nbastin> one tool for one job, not one tool for all jobs
19:32 < fsdsdsd> leave
19:33 < fsdsdsd> I've been using vim on my other computer for the last 8 years
19:33 < fsdsdsd> I don't know how to close it
19:33 <+nbastin> heh
19:33 < fsdsdsd> seriously.
19:33 <+nbastin> yeah, I use ConqueTerm as well in vim buffers
19:33 < fsdsdsd> I hit esc, did !qe
19:34 < fsdsdsd> !qw*
19:34 < fsdsdsd> I can't wait for Ubuntu to be installed.
19:35 <+nbastin> 16.04?
19:35 < fsdsdsd> any day of the week
19:36 < fsdsdsd> btw ty for the help nbastin
19:36 < fsdsdsd> <#
19:36 < fsdsdsd> <3
19:36 < fsdsdsd> you vim wierdo
19:37 <+nbastin> lol
19:37 <+nbastin> true.
19:37 <+nbastin> but really just consider the security you want to provide, and then the security you want to implement falls out from that
19:37 < fsdsdsd> Well
19:38 < fsdsdsd> A monthly server cert rotation would be good.
19:42 <+nbastin> sensible things like cert rotations and intermediate CAs offer no additional problems for your users, so they're easy to deploy
19:43 < fsdsdsd> :^)
19:43 <+nbastin> honestly non-shared client certs are also easy to deploy
19:44 <+nbastin> given that you're giving them a cert anyhow
19:44 < fsdsdsd> I need to dynamically generate them
19:44 < fsdsdsd> So I have to keep my CA online
19:44 < fsdsdsd> or bridge the gap somehow
19:44 <+nbastin> that's why you make intermediate CAs
19:44 <+nbastin> which you can keep online
19:45 < fsdsdsd> Any guides
19:45 <+nbastin> I mean basically from your original root CA
19:45 < fsdsdsd> I've never heard of a intermediate CA in my lifetime
19:45 <+nbastin> you make a new cert that has constraint CA still true
19:45 <+nbastin> you leave THAT one online (and rotate them)
19:45 <+nbastin> all certs are issued from intermediates
19:45 <+nbastin> (from internet PKI)
19:45 <+nbastin> the roots are offline
19:46 <+nbastin> https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html
19:46 <@vpnHelper> Title: Create the intermediate pair OpenSSL Certificate Authority Jamie Nguyen (at jamielinux.com)
19:46 <+nbastin> (a useful guide, I haven't reviewed the whole thing)
19:47 <+nbastin> your server then has the intermediate PEM with the CA PEM
19:47 <+nbastin> (you can make the chain basically as long as you want)
19:47 <+nbastin> but when you make a raw true root CA, you keep that thing offline forever
19:47 <+nbastin> you just issue new intermediate CA certs
19:48 <+nbastin> if the online cert is compromised you just CRL the intermediate
19:48 <+nbastin> which screws everyone that has a cert issued from that
19:48 <+nbastin> which is why you rotate them every N certs issued
19:48 <+nbastin> but protects your CA forever, and thus you never have a real compromise
19:49 < fsdsdsd> I'll probably not set that up
19:49 < fsdsdsd> Realistically if my CA is comped the client I distribute to manage OpenVPN will trigger a new cert download
19:50 <+nbastin> you should never ever ever allow your root CA to be compromised
19:50 <+nbastin> because you cannot revoke it
19:50 <+nbastin> that's why you make the intermediate
19:50 <+nbastin> because there is no mechanism for revoking a root
19:50 < fsdsdsd> In the event my CA is comped I have much much bigger issues
19:51 <+nbastin> again, you should assume your intermediates will be compromised.. :-)
19:51 < fsdsdsd> my CA will be on a airgapped machine in a undisclosed location
19:51 <+nbastin> it's a state of mind...assume everything connected to a network will be compromised, eventually
19:51 < fsdsdsd> I gotta reboot
19:51 < fsdsdsd> I'll brbr
19:51 <+nbastin> kk
19:54 < jqrj> psst
19:54  * jqrj pokes nbastin 
19:54 < jqrj> psssst
19:54 <+nbastin> ack!
19:54  * jqrj pokes nbastin with a stick
19:55 < jqrj> PSST
19:55 <+nbastin> you need to pick a username that isn't stupid some day
19:55 < jqrj> you need to pick a non judgemental attitude one day
19:55 <+nbastin> maybe, but probably not today
19:55  * jqrj whips nbastin with a SFP cable
19:55 <+nbastin> ow
19:56 <+nbastin> 1G hurts me.
19:56 <+nbastin> in my soul
19:56 < jqrj> I'll hurt you with 40g
19:56 <+nbastin> qsfp+ feels better.. :-)
19:57 <+nbastin> I put 2x40G in a mini-itx once and it turned into a toaster
19:58 < jqrj> why
19:58 < jqrj> 40g cards run hot as fuck?
19:58 <+nbastin> yeah
19:58 < jqrj> add more fans
19:58 <+nbastin> well obviously we did that... :-)
19:59 <+nbastin> I mean the energy dissipation on early 40G was over 10W a port
19:59 < jqrj> so
19:59 < jqrj> you should put a 800w GPU inside a ITX case
20:00 < jqrj> that way you can crack hash's, do accelerated deep learning, and cook your breakfast
20:00 <+nbastin> most of those are full size, they don't fit.. :-)
20:00 < jasonwc> Hello everyone, I've successfully setup OpenVPN to accept connections using an IPV6 address and to issue IPV6 addresses from a /64 block to internal clients.  However, I can't get the equivalent of redirect-gateway to work for IPV6.  IPV4 internet traffic is directed through the tunnel but IPV6 internet access is not available.  Is there a guide for setting this up?  The information I've found
20:00 < jasonwc> seems inconsistent.  The 2.4 release notes say that "tun udp" should listen on both IPV4 and IPV6, but I had to set "tun udp6" to get IPV6 to work despite both clients being on 2.4.0.
20:01 <+nbastin> as a practical matter whether a stack listens on both v4 and v6 is sortof kernel dependent
20:01 <+nbastin> tun udp doesn't seem to make openvpn try to detect this
20:01 <+nbastin> but that seems separate from your first problem
20:02 < jasonwc> Yeah, "tun udp6" listens on both IPV4 and IPV6, so that's resolved
20:02 < jasonwc> The situation is that I can connect to the server using its public IPV6 address, the client is issued both an IPV4 and IPV6 address, and IPV4 internet traffic is routed through the VPN.  However, I can't access any IPV6 sites (ipv6-test shows I have no public IPV6 address)
20:03 <+nbastin> I do not use redirect-gateway myself, so I'm reviewing the docs to see if I have any useful insight
20:03 <+nbastin> do you have a client to look at?
20:03 < jasonwc> I enabled ipv6 forwarding on the server and created a static route on my pfsense router to send the /64 being used internally by OpenVPN through my HE tunnel on the router
20:04 <+nbastin> does your client get an IPv6 address from openvpn, or is it just the local address?
20:04 < jasonwc> Yes, the client gets an IPV6 address from OpenVPN
20:04 <+nbastin> hrm, if that's out of the openvpn block that's a little weird
20:04 <+nbastin> should be hoisted on local routing then
20:04 <+nbastin> (brb quick)
20:05 < jasonwc> and I can ping the OpenVPN servers' IPV6 address (the internal address for the VPN server)
20:06 <+nbastin> the gateway IP?
20:07 <+nbastin> does your client have a route via the IPv6 gateway to whatever segments you're trying to reach?
20:07 < jasonwc> I believe so.  I setup a static route on my router to route the internal OpenVPN /64 to the HE tunnel gateway
20:08 <+nbastin> can you make an interface with an IP in that net on the openvpn server and reach what you want?
20:08 < jasonwc> I'm not sure what routes if any I need in my server config.  The Arch wiki says to include push "route-ipv6 2000://3"
20:09 < jasonwc> elsewhere I saw push "redirect-gateway ipv6"
20:09 < Eugene> Which /64 are you using? A screenshot of the tunnel details on your tunnelbroker.net account would be best
20:09 < jasonwc> sure
20:09 < Eugene> HE issues you a "on link" and a "routed" /64 separately; only one of these will actually work ;-)
20:10 < jasonwc> I'm using a /64 from a routed /48 they gaver me
20:10 < jasonwc> *gave
20:10  * nbastin is not wise in the ways of HE
20:10 < jasonwc> one sec
20:10 < Eugene> Perfect, that is what I was going to suggest heh
20:10 < jasonwc> http://imgur.com/a/WHKMd
20:10 <@vpnHelper> Title: HE Tunnel - Album on Imgur (at imgur.com)
20:11 < Eugene> And can you dump the Diagnostics --> Routing page too
20:11 < Eugene> Routes*
20:12 < Eugene> Annnnd did you set up firewall rules for the OpenVPN interface, too?
20:12 < jasonwc> https://pastebin.com/hPrSmTQ7
20:12 < Eugene> Note that the defaults are to IPv4, not IPv4+IPv6 ;-)
20:12 < jasonwc> yeah, I did
20:13 < Eugene> I do not see an ovpn interface in that routes page.
20:13 < jasonwc> The OpenVPN server is running on a machine behind the router
20:14 < jasonwc> I setup a static route to route the /64 to the HE interface
20:14 < Eugene> A-ha
20:14 < Eugene> Why not just make the pfsense do openvpn?
20:15 < jasonwc> Kind of a long story but I recently upgraded to Gigabit FiOS and purchased an EdgeRouter Lite.  I realized the CPU is pitiful and could only handle 50-90 Mbit on the HE tunnel so I quickly repurposed an old machine to run pfsense
20:15 < jasonwc> The server running OpenVPN is much more powerful
20:15 < Eugene> Which is supposed to be your OpenVPN subnet?
20:15 < Eugene> Go buy a SG-2220. You'll be way happier than the POS ER-Lite or any repurposed machine
20:16 < Eugene> The SG-1000 won't push gigabit, so don't try
20:16 < jasonwc> I'm probably going to buy this
20:16 < jasonwc> http://www.ebay.com/itm/New-1U-Firewall-PFsense-Server-Router-8x-1GBE-Ports-Xeon-3-1Ghz-QC-64GB-FLASH-HD-/142373803386?hash=item212623d57a:g:O6IAAOSwX61ZDRGl
20:16 < Eugene> lol, mr rackables
20:16 < Eugene> Those guys are clowns and you're wasting your money
20:16 < jasonwc> Why?
20:17 < Eugene> That is a 2011-vintage CPU
20:17 < Eugene> Why do you think?
20:17 < Eugene> A SG-2220 costs the same from the netgate store and is an officially supported pfsense device. Boomerang routing like this is a recipe for frustration and terorr. "Do it right or don't bother"
20:17 < jasonwc> So? It may not be power efficient but a Quad Sandy Bridge Xeon is a lot more powerful than the Rangeley Atom, is it not?
20:18 < Eugene> Not by as much as you think. Moore's law is a bitch
20:19 < jasonwc> The system I'm using now is a Core i3 Ivy Bridge and I see almost no utilization at Gigabit speeds
20:19 <+nbastin> the E3-1200 is in general a lot faster than the 2338
20:19 <+nbastin> they both have aes-ni
20:19 < jasonwc> Intel has had rather poor progression over the last few generations
20:19 < jasonwc> Sandy Bridge was a big jump and added AES-NI
20:19 <+nbastin> the integrator may be a problem, but the CPUs are not a problem
20:20 < Eugene> I'm not debating sanity. This is an advice channel, I have given my best advice on how not to have a crappy unmaintainable network. Do what you want with it.
20:20 < jasonwc> Haswell added AVX2, but I don't think that is applicable here
20:20 < Eugene> I do this for a living; you're not gonna convince me I'm wrong here ;-)
20:20 < jasonwc> I understand the suggestion about buying supported hardware.  I was just surprised when you said a Sandy quad Xeon is slower than a dual core Atom.
20:20 < Eugene> I didn't say it was slower; I said that the vendor was a clown and the product is a waste of money
20:21 < jasonwc> ah, ok
20:21 < Eugene> It might be faster, but it will die long before the 2300 will
20:21 < jasonwc> I misinterpreted you then
20:21 < Eugene> I am looking at the total solution, not the single part
20:21 < jasonwc> So, the SG-2220 is fast enough for Gigabit?
20:21 <+nbastin> the rangely atom can definitely run gigabit
20:21 < Eugene> Yup, routes gigE just fine(with a simple filter table)
20:22 <+nbastin> they have a nice i354 table for accelerated filters, and quickassist and things
20:22 <+nbastin> so they're pretty nice
20:22 < Eugene> And their warranty support is bitchin'
20:22 < jasonwc> My issue with the ERL-3 was that it worked fine for regular routing/NAT/firewall but basically collapsed with the HE tunnel
20:22 < jasonwc> Anything that is not accelerated it basically can't do
20:23 < jasonwc> And amusingly, I couldn't work around it with a port forward because Protocol 41 forwarding is also not accelerated :/
20:23 <+nbastin> v6 acceleration cuts any table size by 4 generally, so short tables get shorter
20:23 <+nbastin> but that acceleration is generally NIC asic related, not cpu
20:23 <+nbastin> (other than the 2338 is an SoC with an i354 internal)
20:24 < Eugene> My issue with the ERL is that it fucking falls over all the time
20:24 <+nbastin> the ebay onboard can't compete with the pcie expansion ports
20:24 <+nbastin> the 82574 is not really what you want to use
20:24 < Eugene> We ended up pulling them from production because it was unacceptable levels of downtime
20:25 <+nbastin> but that box claims to have an I350-T4, which would be good
20:25 < jasonwc> I was aware of the 82574L issue
20:25 < Eugene> There's a decent chance that product listing is false or not what you will get in the box
20:25 < jasonwc> But it also comes with a quad I350-T4
20:25 < Eugene> mr rackables is not a good vendor
20:26 < Eugene> They are a lease-return shop in Santa Clara, thousands and thousands of systems go through their warehouses. How likely do you think the eBay listing is 100% right?
20:26 < jasonwc> I agree
20:26 < Eugene> I have bought from them in the past... its fine, but you waste a lot of time getting shit to work right
20:26 < Eugene> I would never recommend lease-return gear for production
20:27 < jasonwc> The hardware warranty from Netgate is only 1 year but effectively 3 with a CC
20:27 < jasonwc> vs basically nothing from ebay
20:28 <+nbastin> either way your problem is unrelated to your hardware
20:28 <+nbastin> so back to that...
20:28 < jasonwc> Yup
20:28 < Eugene> Well, the core problem is that the routing arrangement is three-legged and thus stupid, because the router isn't powerful enough
20:28 < Eugene> If pfsense was also the openvpn server it wouldn't exist
20:29 <+nbastin> maybe, but that's a different config and this one should work
20:29 <+nbastin> assuming all the pieces know about each other
20:29 < jasonwc> I think I may have discovered the issue
20:29 < Eugene> I don't see a route for a /64 in that routing table
20:29 < jasonwc> The firewall rule on the HE interface was set on TCP, not UDP, lol
20:29 < Eugene> Head ---> desk
20:30 < Eugene> !firewall
20:30 <@vpnHelper> "firewall" is (#1) please see https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets., or (#3) Please see this for a better method to unloading netfilter (aka iptables ) rules: https://gist.github.com/QueuingKoala/6350127
20:30 < jasonwc> yup :)
20:30 < Eugene> Oh, its in the /topic
20:30 < jasonwc> Well, let me test again.
20:30 < Eugene> FWIW, I always use TCP-mode when standing up a new openvpn circuit in an unfamiliar network. It is much easier to tell if its a socket problem or a crypto one that way
20:31 < jasonwc> It's a bit more complicated to test because Verizon doesn't provide native IPV6 and neither does AT&T (my phone)
20:31 < Eugene> Then switch it to UDP once everything works
20:31 < jasonwc> If I had native IPV6 on AT&T, I would have known immediately as it would never have connected to the server
20:31 < Eugene> Next question: which /64 is being used for the VPN subnet?
20:31 < jasonwc> 2001:470:e5d2:10::/64
20:32 < Eugene> 2001:470:e5d2:10::  2001:470:7:1141::1  UGHS    0   1500    gif0
20:32 < Eugene> That's what is in your routing table
20:32 < Eugene> Note the lack of a /64
20:32 < jasonwc> yeah
20:32 < jasonwc> oh, good point
20:33 < Eugene> And it appears to be routed to your default IPv6 gateway
20:33 < jasonwc> Actually, I entered it as 2001:470:e5d2:10::/64 and pfsense changed it to /128
20:33 < jasonwc> I don't know why
20:33 < Eugene> What you need to do is add the internal IPv6 of the openvpn server as a "Router"
20:33 <+nbastin> there's also no lo0 IP in that subnet, which might be ok (I don't do pfsense), but every other subnet has an ip on lo0
20:33 <+nbastin> possibly for routing
20:33 < Eugene> Then specify that as the target for the static route
20:33 < jasonwc> oh, durr
20:34 < Eugene> And yeah, the box you type in does not accept a /64. You need to type the address, wait a second for the JavaScript to determine what IP family the address is, then pick /64 from the drop-down
20:34 < jasonwc> There's a seperate tab for the /64 setting.  Entering the address with ::/64 just strips the /64
20:34 < Eugene> Yup
20:34 < Eugene> Its not the most intuitive, but it makes sense if you think about it as a series of XML entries
20:34 < Eugene> (which is what pfsense config is)
20:34 < jasonwc> i wish it would default to /64
20:35 < jasonwc> I literally forget every time when setting up a new interface and wonder why DHCPv6 won't let me assign addresses :/
20:35 < Eugene> "Because fuck you, that's why."
20:35 < jasonwc> and then go back and fix it
20:36 < jasonwc> ok, so now the question what do I need in my server config?  One site shows 'push "redirect-gateway ipv6"' while the main OpenVPN wiki says "push "route-ipv6 2000::/3"
20:36 < jasonwc> ipv4 is push "redirect-gateway def1 bypass-dhcp" I believe
20:36 < Eugene> 2000::/3 is "global unicast space"
20:37 <+nbastin> if you're pushing routes to any private v6 space, 2000::/3 won't cut
20:37 < Eugene> "redirect-gateway ipv6" will push routes for ::/1 and.... I can't think of the subnet off the top of my head, whatever the other half of the space is
20:37 <+nbastin> if you're just pushing the internet it'll work fine
20:38 < Eugene> "redirect-gateway ipv6" is the Correct thing to do. Or in pfsense, check the box ;-)
20:38 < jasonwc> Wait, I'm still trying to do it on the server.  I can't do so?
20:38 < jasonwc> I thought all I needeed was the static route in pfsense
20:39 < jasonwc> to allow me to use the server behind the firewall
20:39 < Eugene> If it was a pfsense openvpn server you would check the box for it
20:39 <+nbastin> the static route should be fine, just change the openvpn config to be non-specific for a subnet
20:39 <+nbastin> (this is unlikely your problem at the moment regardless)
20:39 < jasonwc> Got it
20:41 < Eugene> !beer
20:41 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
20:43 < jasonwc> Still the same situation
20:43 < jasonwc> Would it help if I put my server config on pastebin?
20:43 < havoc> mmmm, beer
20:46 < Eugene> !configs
20:46 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
20:46 < Eugene> https://vomitb.in is best bin
20:47 < jasonwc> very helpful info, doing so now
20:47 < tx> Eugene: I prefer hastebin.com
20:47 < tx> full screen :)
20:47 <+nbastin> termbin is by far the best, obviously.. :-)
20:47 < Eugene> Patches welcome
20:48 < tx> nbastin: all the good ones support uploading from terminal now : D
20:48 <+nbastin> tx: in convoluted rest endpoints, sure
20:49 < tx> echo "foo" | haste
20:49 <+nbastin> what is haste?
20:49 < tx> just gotta spend 5 seconds making an alias :p
20:49 < Eugene> `vomit` also exists ;-)
20:49 < jasonwc> https://vomitb.in/G1UO7YbA8K
20:49 < tx> hehe
20:49 <+nbastin> yeah I'm not describing that to people who don't understand shells already.. :-)
20:49 < tx> Eugene: If that is yours (vomitb.in)
20:50 < tx> I would suggest not having the code in a weird fixed-width containere
20:50 < Eugene> I own the domain; it is hosted and written by a friend of mine
20:50 < Eugene> Patches welcome
20:53 < jasonwc> OpenVPN 2.4.0 on both sides, OS is Debian Jessie (Server), client is Android with the latest OpenVPN Connect (testing from AT&T wireless netweork) and Windows 10/OpenVPN 2.4.0 (local client)
20:56 < jasonwc> Client: https://vomitb.in/AhZLraTCyL
21:00 < jasonwc> Just to confirm, I can ping the phone from the server using its OpenVPN issued IPV6 address (2001:470:e5d2:10::1000)
21:01 < jasonwc> Is it a problem to tunnel IPV6 traffic through a UDPv4 tunnel?  I don't have an IPV6 address from AT&T.
21:01 <+nbastin> no
21:02 < jasonwc> I can also ping the server on its LAN interface (2001:470:8:1141::2)
21:03 <+nbastin> barring some kind of crazy DPI, inner labels have nothing to do with the outer label
21:03 <+nbastin> assuming the server can ping something on the internet from that IP on the server, you have a routing problem on the server
21:04 < jasonwc> Yes, I can ping IPV4 and IPV6 addresses from the server
21:04 < jasonwc> And I enabled ipv6 forwarding on the server
21:05 < jasonwc> I thought the routes I needed were setup in the server.conf file
21:05 <+nbastin> the server only has one WAN-facing IPv6 address?
21:05 < jasonwc> yes
21:06 < jasonwc> https://vomitb.in/hg1ZqO5fDe
21:13 < jasonwc> here is the server routing table
21:13 < jasonwc> https://vomitb.in/fU1bsRZ9Fi
21:25 < jasonwc> and the client routing table - https://pasteboard.co/7bPClk5eX.png
21:28 < tx> do people actually use their phones
21:28 < tx> with terminal clients
21:30 < jasonwc> I just did :/
21:59 < jasonwc> Ah, I am one step closer
21:59 < jasonwc> My static route on pfsense was wrong (route was to the HE tunnel on the router, not the OpenVPN server).  I fixed that.  Now I can ping the router from the client.  I can also ping6 www.google.com and several other sites.  It must be going through the tunnel as the client is IPV4 only.
22:00 < jasonwc> However, ipv6-test shows no IPV6 address, as does Google's test site
22:00 < jasonwc> so, works in terminal, but not in my browser
22:13 < jasonwc> MTU issue?
22:38 <@ordex> jasonwc: not sure you shared more earlier, but I haven't read the entire backlog
22:38 <@ordex> you have a HE tunnel and a OpenVPN client on the same machine ?
22:40 < jasonwc> No
22:40 < jasonwc> My pfsense router uses an HE tunnel to provide IPV6 to my client machines
22:40 < jasonwc> I have a routed /48 and assign 7 different LANs
22:40 < jasonwc> One of the LANs has my main server, and that is running OpenVPN
22:41 < jasonwc> I am connecting to the OpenVPN server from my phone on AT&T's IPV4-only network, and have OpenVPN internally assign me IPV4 and IPV6 addresses.
22:41 < jasonwc> My IPV4 traffic is routed through the tunnel properly with redirect-gateway
22:41 < jasonwc> I can ping the router, ping6 www.google.com etc. which clearly is going through the tunnel, since I have no ipv6 address on AT&T
22:42 < jasonwc> However, ipv6 test sites say I have no ipv6 IP
22:42 < jasonwc> I tried setting MTU to 1000 on the phone
22:42 < jasonwc> ssame
22:42 < jasonwc> *same
22:43 < jasonwc> Oh, and I have a static route on the pfsense router to route traffic from the internal OpenVPN /64 to the internet-connected IPV6 address on my OpenVPN server
22:43 < jasonwc> from the terminal emulator, everything seems to work fine
22:44 < jasonwc> IPV6 forwarding enabled on the OpenVPN server etc.
22:44 < jasonwc> I figured it was an MTU failure since OpenVPN is not accounting for the 6in4 overhead
22:47 < jasonwc> I set the MTU to 1400 on OpenVPN but I'm getting the same issue
22:52 < jasonwc> Going to be offline for a bit but I'll be back
22:54 <@ordex> jasonwc: sorry got distracted
22:55 <@ordex> jasonwc: if ping6 is working, then routing is setup properly
22:55 <@ordex> have you tried going on an IPv6-only website ?
22:55 <@ordex> it could also be that your browser prefers ipv4 over ipv6 when possible and so it never reaches the dual stack websites using the v6 address
22:55 <@ordex> if ping6 is working then the network side of things is proeprly setup
22:55 <@ordex> and don't mess up with the mtu now :P
22:58 < jasonwc> Back
--- Day changed Wed May 17 2017
03:51 -!- parity_ is now known as parity
07:20 < HewloThere> hia! i have an vpn set up with openvpn and i want to route only my client to have all traffic EXCEPT for a wildcard domain (e.g. *.mysite.com) directed through the vpn. how can i do this in a client config?
09:00 < Enrix> guys when I launch the client I receive this in the log: Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified. Use --help for more information.what can I do about it?
09:08 < a1exus> hello
09:10 < rob0> Enrix, I guess if you're not using TLS, remove that from your config.
09:12 < havoc> does/can openvpn interpret bash vars in the config file?
09:12 < rob0> no
09:12 < havoc> ok :(
09:12 < rob0> but, you can run without a file'
09:12 < havoc> yeah
09:12 < rob0> just about everything can be a command line option
09:13 < havoc> I was thinking for something like "key keys/$HOSTNAME.key"
09:13 < havoc> so you could use the same config on many clients
09:13 < rob0> use a generic name for the key on all clients
09:13 < rob0> or make a symlink with that name
09:13 < havoc> yeah
09:14 < havoc> ...when the key is installed on the client
09:14 < havoc> the env var support isn't necessary, it just would have been nice
09:14 < havoc> no biggie
09:24 < Enrix> rob0, I removed that line but it is still the same
09:29 < Enrix>  https://paste.pound-python.org/show/TwYhqV1wkYccVED                                                                                                                                                             UsJdB/
09:30 < Enrix> uff broken link
10:06 < Enrix> rob0, I got this: RESOLVE: Cannot resolve host address: gw1.eurojet-service.com: Name or service not known
10:08 < Enrix> do I need just to put the name in hosts?
10:13 < DArqueBishop> !spoonfeeding
10:13 <@vpnHelper> "spoonfeeding" is http://www.mp3car.com/the-faq-emporium/53368-faq-what-is-spoon-feeding.html
10:38 < Enrix> one quick question, in the client.conf wich server ip should I write? the phsycal ip of the server or the virtual ip that I put in the server.conf?
10:50 <@ordex> Enrix: where exactly ? are you talking about the remote option?>
12:14 < minimalism> Upgraded to OpenVPN 2.4.2 on Gentoo and am using the same configuration as always, and the service to which I am subscribed is still issuing the same configuration. I can't get OpenVPN to run with the OpenRC service since, and I've tried running it manually with --config, and it appears to be trying to use ipv6 even though I do not have the ipv6 tun line in my config.
12:15 < minimalism> I do not have ipv6 support on my system, and as a result, it's getting fatal errors trying to launch OpenVPN. Is there some line I can set somewhere to stop it from trying? It's returning this after mostly successful output:
12:15 < minimalism> https://bpaste.net/raw/22d83b4912a9
12:33 <@krzee> minimalism: see --proto in the manual
12:33 <@krzee> proto udp is ipv4 and ipv6, proto udp4 has no ipv6
12:34 < minimalism> I tried setting proto as udp4, it resulted in the same issue
12:35 < minimalism> I'm puzzled.. I don't know what's different between the last 2.3.* and 2.4.*
12:37 <@krzee> in the download area theres a changes.rst and a changelog
12:37 <@krzee> both help explain whats new in 2.4
12:40 <@krzee> but with proto udp4 on both sides you wont open an ipv6 socket
12:40 <@krzee> you say you tried that and it didnt work... if thats the case try it again and show me the logs of it with verb 4
12:46 < minimalism> krzee: https://bpaste.net/raw/fee3d329a216
12:54 <@krzee> now show me your server config
12:54 <@krzee> it seems to have a bunch of ipv6 stuff in it...
12:55 <@krzee> notice, i said proto udp4 on both sides to get rid of ipv6 all together
12:55 <@krzee> and thats only ipv6 for transport, you can still use ipv6 inside the tunnel if you configure it as such, and your server seems to be configured as such
12:55 < minimalism> I don't control the server, I'm subscribed to a service.
12:56 <@krzee> ahh usually id give you !provider and !both telling you that we dont support vpn services stuff... but in this case gimme a sec i think i can help
12:57 <@krzee> !factoids search ignore
12:57 <@vpnHelper> 'ignore' and 'redirect_ignore'
12:58 <@krzee> !ignore
12:58 <@vpnHelper> "ignore" is see --pull-filter in the manual (!man) to see how to have the client filter what it allows the server to push to it
12:58 <@krzee> ahh yes thats what we want
12:59 < minimalism> can "route" for pull-filter be a protocol?
12:59 <@krzee> you need to ignore route-ipv6 and ifconfig-ipv6
13:01 <@krzee> --pull-filter ignore "route-ipv6 "
13:01 <@krzee> --pull-filter ignore "ifconfig-ipv6 "
13:01 <@krzee> try adding those lines, remove the -- if using in config file
13:01 <@krzee> !--
13:01 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
13:02 < minimalism> krzee: That appears to have worked
13:03 < minimalism> I'm not familiar with the server side of things, but will this be an ongoing thing where servers will provide ipv4/ipv6 simultaneously causing issues for ipv4 only machines/nets?
13:03 <@krzee> well i mean, if your server is configured in ways your client cant handle, not openvpn's fault
13:03 <@krzee> and normally:
13:03 <@krzee> !both
13:03 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
13:03 <@krzee> !provider
13:03 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team., or (#2) Please contact their support team.
13:13 < minimalism> If I did operate a server, is there a particular line of config or something else minor that would prevent this from affecting ipv4-only users?
13:14 <@krzee> not that im aware of... systems that dont support ipv6 are not very able to notify the server that they're hella old
13:14 <@krzee> i dont use ipv6 either, but my systems are *able* to
13:25 < minimalism> Well thanks for the help. I'm going to email them and see if there's anything they can do as a workaround.
13:30 < BlackBishop> what would be a fast easy way (module ?) to setup a vpn server with username and password only .. and not pam ( I wouldn't want to create local users on the machine, even if they have a nologin shell ) ?
13:34 < DArqueBishop> !authpass
13:34 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
13:39 < BlackBishop> thanks !
13:48 < whoa> hi guys
13:49 < whoa> i was looking at the openvpn documentation
13:49 < whoa> and it mentions "OpenVPN uses an industrial-strength security model designed to protect against both passive and active attacks. OpenVPN's security model is based on using SSL/TLS for session authentication and the IPSec ESP protocol for secure tunnel transport over UDP."
13:49 < skyroveRR> Hey whoa :)
13:49 < whoa> heyo skyroveRR !
13:49 < whoa> how are ya sir :)
13:49 < skyroveRR> I'm doing good sir, how are you doing there, my American friend? :)
13:51 < whoa> heyyy not too shabby
13:51 < whoa> living the network dream :D
13:51 < whoa> trying to learn a thing or two and build some stuff
13:51 < whoa> glad all is well on your end
14:04 < whoa> nice article on openvpn https://openmaniak.com/openvpn.php
14:04 < whoa> i was just curious about the comment "and the IPSec ESP protocol for secure tunnel transport over UDP"
14:04 < whoa> trying to find some documentation that would explain that more in depth
14:07 < _abc_> Hello. Reading: https://www.theregister.co.uk/2017/05/16/openvpn_security_audit/ -- seems openvpn is *almost* clean.
14:07 <@vpnHelper> Title: Good news, OpenVPN fans: Your software's only a little bit buggy • The Register (at www.theregister.co.uk)
14:08 < _abc_> Question: is the openvpn (I think) version used in android somehow updateable? I think android uses something other than openvpn, no?
14:08 < DArqueBishop> !android
14:08 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html, or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android, or (#3) For a difference between the clients see http://ics-openvpn.blinkt.de/FAQ.html#faq_androids_clients_title, or
14:08 < _abc_> I mean the stock vpn on stock unrooted android is not openvpn?
14:08 <@vpnHelper> (#4) Really old (<4.0) see !android-old
14:09 < DArqueBishop> Correct. IIRC, the stock VPN client is based on L2TP.
14:09 < DArqueBishop> Of course, I don't have an Android device here to double-check.
14:09 < _abc_> And one needs root to install any other, right?
14:09 < DArqueBishop> Wrong.
14:10  * DArqueBishop points to the above factoid.
14:10 < _abc_> There are 2 kinds of oem vpn on droid. One is L2TP the other is I forget what
14:10 < _abc_> Ok, looking at links, thanks.
14:17 < _abc_> Ok so it says (the faq) no tap device support without root, that's why I remembered it requires root.
14:24 < _abc_> Hm does not look so great. Still much better than closed source horrors. Does one get a lot of crashes normally? The faq says there are several situations where one sees crashes in an "expected" way?
14:31 < whoa> got some more hints here about the comment above in the openvpn documention about the use of ipsec esp in openvpn udp tunnel mode
14:31 < whoa> https://forums.openvpn.net/viewtopic.php?t=21811
14:31 <@vpnHelper> Title: Does OpenVPN really use IPSec-over-UDP ? - OpenVPN Support Forum (at forums.openvpn.net)
14:32 < whoa> doesnt use ipsec esp but probably operates similarly
14:32 < whoa> is the best guess i have and its just the way they wrote it in the documentation
14:35 < rob0> openvpn doesn't control nor secure the transport to the server/peer.  If that happens to be done via ipsec or other VPN (including openvpn itself), openvpn does not care.
14:38 < whoa> charlie hosner here mentioned https://openvpn.net/archive/openvpn-users/2004-09/msg00170.html OpenVPN most resembles ESP in tunnel mode.  It encryptes the
14:38 < whoa> packet payload but does not do an integrity check on the packets head,
14:38 < whoa> allowing packets to pass through NAT devices without breaking the VPN.
14:38 <@vpnHelper> Title: Re: [Openvpn-users] Equivalent to "Transport Mode" (AH) (at openvpn.net)
14:38 < whoa> so thats probably why the open vpn site says "OpenVPN's security model is based on using SSL/TLS for session authentication and the IPSec ESP protocol for secure tunnel transport over UDP"
14:38 < whoa> its just a poorly written line
14:52 < BlackBishop> so .. trying to do the basic setup I was asking about earlier .. I got into this issue: https://paste.fedoraproject.org/paste/wMb0xV9OmcgG-~tNyzmGa15M1UNdIGYhyRLivL9gydE= .. Any pointers to what I'm missing ?
14:59 < BlackBishop> tls-auth key 1 :) forgot the 1
17:01 < djgerm> Howdy hello! I have probably a stupid question: so I noticed easy rsa 3 by default encrypts the CA when you generate it (and it's easy to not do that). But what I am wondering is how would one configure their openvpn server (2.1) to use an encrypted CA? I can't see anything other than "askpass" which is for a encrypted key I believe
17:03  * havoc reads up on <connection> blocks
17:07 < Eugene> djgerm - the CA.key is only required to be decrypted to sign a certificate. When running you only need the ca.crt, server.key+crt, and any client.key+crt
17:08 < Eugene> The CA can(and should, if you want Good security) exist completely offline. The more paranoid can sneakernet or even hand-copy the PEM files to an airgapped computer
17:08 <@krzee> !pki
17:08 <@vpnHelper> "pki" is (#1) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed specially as a server (see !servercert), or (#2) !certman for various PKI management tools, or (#3) see !intro-to-pki
17:10 < djgerm> oh! thanks @Eugene - that makes much more sense than what I was thinking haha.
17:13 <@krzee> !factoids search pass
17:13 <@vpnHelper> '2.1-winpass-script', 'authpass', 'change-passphrase', 'enable-passwd-save', 'password', 'password-only', 'strip-passphrase', and 'winpass'
17:13 <@krzee> !change-passphrase
17:13 <@vpnHelper> "change-passphrase" is see http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase
18:24 < jasonwc> Eugene and +nbastin: You guys were helping me get yesterday to get OpenVPN to forward IPV6 traffic through the VPN gateway.  I managed to get it working this morning.  Thanks for your help.  The remaining issues were that I had the wrong static route on my pfsense router (was routing the internal OpenVPN /64 to the HE gateway rather than the OpenVPN server's address) and I realized my LAN had
18:24 < jasonwc> a firewall rule which only allowed incoming traffic from LANNet, and the OpenVPN /64 wasn't in that group.  This led to a weird situation where I was able to ping servers on the internet (I had an ICMPv6 rule) but browsers kept saying I had no IPV6 access. :)
18:25 < jasonwc> When I was looking for documentation to set this up last night I didn't find any Howto that cleraly indicated the steps that needed to be done to get this working.  I wonder if it would be useful to draft something as I imagine I'm not the only one to try this.
18:30 <@krzee> jasonwc: you're certainly welcome to make a doc on either your page or you can use the openvpn community wiki
18:31 <@krzee> thank you for being willing to
18:31 <@krzee> thats how the community grows!
18:32 < jasonwc> Great.
18:32 < blondie101010> I'm getting a small problem with routes on 2 installations which are identical except for the subnet, but strangely the error is different in each case...  I'll start with only one:  in the server's log it shows: "SENT CONTROL [ms]: 'PUSH_REPLY,route 10.0.2.0 255.255.255.0,route 10.0.1.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.0.1.10 10.0.1.1,peer-id 0' (status=1)" but nowhere in that machine is ther
18:32 <@krzee> let me know the link after =]
18:32 < blondie101010> not in openvpn.conf nor in ccd/machine
18:33 <@krzee> blondie101010: lets backup and explain it better
18:33 <@krzee> !goal
18:33 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:33 < jasonwc> Also, the 2.4 documentation says "proto udp" should listen on IPV4 and IPV6, but I was unable to connect to the server's IPV6 address unless I specified udp6.  Is that a bug?
18:33 <@krzee> jasonwc: proto udp should listen on both
18:34 <@krzee> by only changing proto udp to proto udp6 you were able to connect on ipv6?
18:34 < jasonwc> Yes
18:34 <@krzee> you on latest release 2.4.2
18:34 <@krzee> ?
18:34 < jasonwc> 2.4.0
18:34 <@krzee> pls upgrade before considering a bug report
18:35 <@krzee> but if the issue remains after upgrading both sides to 2.4.2, id say its a bug and deserves a bug report at:
18:35 <@krzee> !trac
18:35 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker., or (#2) if you have a forum login, use that for trac, its the same database.
18:35 < jasonwc> Ok
18:35 < jasonwc> I'll wait for Debian to push the new release to jessie-backports
18:36 <@krzee> should be an easy compile if you get impatient and prefer up to date software
18:36 <@krzee> 2.4 has a few CVE
18:36 <@krzee> 2.4.0*
18:36 <@krzee> !security
18:36 <@vpnHelper> "security" is (#1) "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview, or (#2) see !wrench
18:36 <@krzee> hmm thats not it
18:37 <@krzee> lemme find and add
18:38 < jasonwc> http://metadata.ftp-master.debian.org/changelogs/main/o/openvpn/openvpn_2.4.0-5_changelog
18:38 < jasonwc> they backported the paches
18:38 < jasonwc> This is dated 5/11/17
18:38 <@krzee> !learn security as https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements for security announcements
18:38 <@vpnHelper> Joo got it.
18:38 <@krzee> oh ok
18:38 <@krzee> weird they would do that instead of just updating to 2.4.2 lol
18:39 < jasonwc> It's because of how Debian works
18:39 < jasonwc> They are currently in a freeze until Stretch releases
18:39 <@krzee> ahh
18:39 <@krzee> gotchya
18:39 < jasonwc> So, the patch goes to Unstable and if it's stable migrates to testing.
18:39 < jasonwc> A new release might be in experimental
18:40 -!- Vampire0_ is now known as Vampire0
18:40 < jasonwc> Another question, is there a recommendation from a security standpoint as to whether ECDHE or DHE is preferred?  I haven't seen anything on the OpenVPN site.
18:40 < jasonwc> I read something about the NIST curves being questionable given NSA involvement, resulting in some unofficial recommendations for DHE
18:40 <@krzee> thats a matter of personal taste
18:41 <@krzee> but i think ECDHE is ready to be used
18:41 <@krzee> personally im migrating my certs to EC
18:41 <@krzee> i chose to use the same curve as bitcoin... i figure if that gets broken it'll be front page that millions were stolen
18:41 < jasonwc> Does OpenVPN use the NIST curves?
18:42 <@krzee> im not really the guy to get deep into EC, but at least when i was making certs i was able to choose my curve (openvpn had to support, as did my ssl library)
18:42 < jasonwc> The recommendations I've seen say to use Curve25519
18:43 <@krzee> a lot of trusted software does
18:43 <@krzee> i see DJB uses it in some of his software... that guy knows his shit
18:44 < jasonwc> Curve25519 is in OpenSSL 1.1.0 and newer and I know OpenSSH supports it, but I don't see anything about OpenVPN
18:45 <@krzee> oh 1 sec
18:45 <@krzee> !man
18:45 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
18:45 <@krzee> --ecdh-curve name
18:45 <@krzee> Specify the curve to use for elliptic curve Diffie Hellman. Available curves can be listed with --show-curves. The specified curve will only be used for ECDH TLS-ciphers.
18:45 <@krzee> This option is not supported in mbed TLS builds of OpenVPN.
18:46 <@krzee> that explains why i didnt have to research with ECDH curve to use, i use mbedtls
18:47 < jasonwc> yup, I don't see 25519 in my list
18:47 < jasonwc> this page should probably be updated to at least mention ECDHE
18:47 < jasonwc> https://community.openvpn.net/openvpn/wiki/Hardening
18:47 <@vpnHelper> Title: Hardening – OpenVPN Community (at community.openvpn.net)
18:47 < blondie101010> krzee: sorry for the delay...  My whole setup is working if I delete the undesirable route afterwards, do you want to see my server's configuration file?
18:47 < jasonwc> oh, it actually was since the last time I read it
18:47 < jasonwc> "To use ECDH(E) or ECDSA cipher-suites, both client and server must be OpenVPN 2.4.0 or newer. (Older versions might work, but this is not something you can rely on.)"
18:47 <@krzee> ya its not easy keeping all these docs up to date
18:48 <@krzee> blondie101010: not yet... you still havent explained *anything*
18:48 <@krzee> if i look at configs i wont know what im looking at
18:48 <@krzee> i dont even know the goal
18:49 < blondie101010> I have two VPN servers and everything works fine on one except a warning about the route at the end, and on the other there is a route that comes out of nowhere...  both cases can be addressed independently since they happen whether the other connection is active or not
18:50 < blondie101010> my client is on gentoo which I suspect has a bug in its nicely improved connection management
18:50 < blondie101010> but I'm not sure
18:51 <@krzee> ok cool, so now lets see:
18:51 <@krzee> !configs
18:51 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
18:51 <@krzee> note the grep command so i dont have to swim through 100 lines of comments please
18:54 < blondie101010> https://pastebin.com/JcbfLXmt
18:54 < blondie101010> that's for VPN1
18:54 < jasonwc> @krzee: Thanks for your help.  The level of detail and professionalism on this channel is great. Thanks for the support and the great product.
18:56 <@krzee> no problem, we're all volunteers around here, cause we love the product too =]
18:56 < Eugene> WE LOVE EVERYBODY WITH A GREAT HUGE LOVE
18:57 < blondie101010> and here's the one for VPN2 with the route warning: https://pastebin.com/vNYdkAdu
18:58 < blondie101010> the warning can be ignored and it works but the first one causes routing issues if I don't manually take out a route
18:58 <@krzee> ok blondie101010whats the route you need to delete to make it work?
18:59 < blondie101010> ip route del 10.0.2.0/24 via 10.0.1.1
18:59 < blondie101010> on VPN1
18:59 < blondie101010> it should not be there
18:59 <@krzee> on client?
18:59 < blondie101010> yes, but my first message shows the relevant log on the server
19:00 <@krzee> ok, lets only focus on VPN1 for now
19:00 <@krzee> once we figure that out, we can look at vpn2 if needed
19:01 <@krzee> !logs
19:01 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
19:01 <@krzee> both sides, verb 4 please
19:01 <@krzee> (VPN1)
19:02 <@krzee> do you have any advanced routing protocols such as ospf,RIP,bgp running on client or server by chance?
19:04 < blondie101010> no, but I do use policy based routing
19:05 <@krzee> ahh ok
19:06 <@krzee> still i dont see why openvpn would push that route, so id still like to see the logs for VPN1 with the exact configs you posted for VPN1
19:06 <@krzee> (full logs from both sides from start to connection established)
19:07 < blondie101010> https://pastebin.com/VhSDXH19
19:08 <@krzee> that route was not in these logs
19:08 <@krzee> boom you fixed it! ;]
19:08 < blondie101010> oh and I do have one entry in my up.sh (handled by gentoo): ip route add default via 10.0.1.1 table VPN1
19:08 < blondie101010> what
19:09 < blondie101010> let me restart it, you scared it I think
19:09 <@krzee> :D
19:09 <@krzee> that happens!
19:10 <@krzee> so many times ive been called to a client and their annoying persistent problem runs away before i get there
19:10 < blondie101010> it's as if it applies the configuration changes delayed, even if I completely stop the client and the server
19:10 < blondie101010> this is weird
19:11 <@krzee> definintely delayed until server restarts
19:11 < blondie101010> :P
19:15 < blondie101010> well I think I was going too fast...
19:15 < blondie101010> thanks for your unneeded assistance :P
19:15 <@krzee> it happens
19:15 <@krzee> still got any issues?
19:15 < blondie101010> nope :)
19:15 <@krzee> nice!
22:07 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:16 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:16 -!- mode/#openvpn [+o syzzer] by ChanServ
23:08 <@krzee> !inline
23:08 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
23:08 <@krzee> see #2 ordex
23:08 -!- desnudopenguino is now known as zorak
23:09 -!- zorak is now known as brak
23:11 -!- brak is now known as desnudopenguino
23:11 <@ordex>  krzee thanks!
23:11  * ordex is feeling too lazy to read the code :P
23:14 <@krzee> np!
--- Day changed Thu May 18 2017
01:59 < Talltree> hey guys, i was wondering if you guys know a tutorial to tunnel http/https traffic through another "proxy" to filter out things like ads etc?
02:06 < PereP> hi all
02:06 < PereP> I'm using openvpn on linux as a client, and now my boss wants me to configure it to start automatically on startup
02:07 < Talltree> which desktop enviroment?
02:08 < Talltree> either way, just run openvpn $path_to_configfile in your startup management application
02:08 <+hyper_ch> Talltree: why DE?
02:08 <+hyper_ch> PereP: start up on every user or just given one?
02:09 < Talltree> hyper_ch: because they have different startup managers?
02:09 < PereP> Talltree: just one, as a service, on startup
02:09 < Talltree> i could tell him where to go when he tells me
02:09 < PereP> I don't know if this makes sense at all
02:09 <+hyper_ch> Talltree: if it should start everytime, just add it to systemd/init-v
02:09 < Talltree> thats probably a better idea ;)
02:09 <+hyper_ch> create own openvpn user and let it run under it
02:10 < Talltree> i use nobody/nobody i think
02:10 < PereP> I know how to create a service, but until now I was starting the client with $ sudo and I don't know if it makes sense to start this service as root... :S
02:10 < PereP> aha
02:10 <+hyper_ch> PereP: what distro?
02:10 < Talltree> you can configure a user/group to switch to once the needed sudo operations are over
02:10 < PereP> hyper_ch you just wrote it before I could complete my phrase ;)
02:10 < PereP> it's ubuntu... 16.04...
02:11 < PereP> also I don't know it this would interfere with other net services, currently a web/application server running on the same machine...
02:11 <+hyper_ch> what would that interfere?
02:11 <+hyper_ch> well, depends on how you configure openvpn I guess
02:12 < PereP> excuse me hyper_ch, but I have limited knowledge on using vpn connections
02:12 < PereP> I know it creates a network interface, and not much more
02:13 < Talltree> yeah, doesnt interfere with the web server
02:13 <+hyper_ch> it can if you redirect all traffic through the vpn
02:13 < Talltree> you could even configure it so it doesnt bind to the vpn ip
02:14 < Talltree> mhhhh, as a client?
02:14 <+hyper_ch> but basically autostarting it on ubuntu:  add your openvpn config file to /etc/openvpn/xxx.conf  and upon boot it should start it
02:14 <+hyper_ch> !def1
02:14 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
02:14 < PereP> yeah, it's a client, Talltree
02:15 <+hyper_ch> PereP: what does your current config file look like?
02:18 < PereP> hyper_ch: I'm not using a config file at all... I was just given a .ovpn file  and a couple of certs / keys and I'm starting the client with $ sudo openvpn --config file.ovpn
02:22 < PereP> oh, I'm finding some extra info online, but I have one further doubt:
02:23 < PereP> where do I put my user/password plain text file? inside /etc/openvpn? or do I still a openvpn for that, so I put the file inside his/her home directory?
02:28 <+hyper_ch> you use user/password' Not certs?
02:29 < PereP> certs and also a plain text with an user and a password, each one in one line
02:29 <+hyper_ch> pretty sure they can be integrated into the config
02:29 <+hyper_ch> certs and keys can... never used user/password auth
02:32 < PereP> so to my understanding, in any case it should be stored in /etc/openvpn, right?
02:32 <+hyper_ch> for autostarting yes
02:32 <+hyper_ch> the rason I don't use password is that my computers/servers are encrypted
02:33 <+hyper_ch> so if people get their hands on while it's running, they have access anyway....
02:33 <+hyper_ch> if they get hands on while it's not running, the encryption will prevent them from accessing the data
02:36 < PereP> aham
02:36 < PereP> well I think I don't have to worry about that for now...
02:37 < PereP> anyway, I have a .p12 "key"? file; it doesn't seem to be used by the current .ovpn file and I don't really know if that would be enough to avoid user/pass auth...
02:37 < Enrix> hi guys the client in openvpn doesnt work if I check the log I can read: Thu May 18 08:16:53 2017 TCP: connect to [AF_INET]192.168.1.36:1192 failed, will try again in 5 seconds: No route to host
02:37 < Enrix> Thu May 18 08:16:58 2017 RESOLVE: Cannot resolve host address: gw1.domain.com: Name or service not known
02:37 < Enrix> Thu May 18 08:17:03 2017 RESOLVE: Cannot resolve host address: gw1.domain.com: Name or service not known
02:38 < Enrix> I used to use the /etc/hosts with the domain but I took it off, still the same
02:38 <@ordex> PereP: a p12 file is just a bundle containing (usually) a key and a password
02:38 < PereP> hmm
02:38 <@ordex> I am not sure openvpn supports that directly - you should likely extract the two
02:39 <@ordex> (at least I never used a p12 directly)
02:39 <@ordex> mh, but there is a pkcs12 option in openvpn
02:39 <@ordex> you may try that then ..
02:40 <@ordex> yeah apparently so…you can use that instead of specifying all the certificates independently (check the man for —pkcs12)
02:41 <@ordex> Enrix: those are two different errors
02:41 <@ordex> the first says that the IP cannot be reached - you have no route to it
02:41 <@ordex> the second is a DNS error (
02:41 < PereP> yeah I was looking at the docs for that, ordex
02:41 <@ordex> this can probavly be workedaround with the hosts file)
02:41 <@ordex> PereP: okyz
02:41 <+hyper_ch> PereP: were did you get the .p12 file from?
02:42 <+hyper_ch> PereP: do you run your own vpn server?
02:43 < PereP> oh, I was given it along the user/password file and the .ovpn file, too, hyper_ch
02:43 < PereP> hyper_ch: I don't really know who set it up xD
02:43 <+hyper_ch> can you pastebin the .ovpn file?
02:43 < Enrix> ordex, should I set a route even if they are on the same network?
02:43 <+hyper_ch> usually, ovpn is for windows.. while on linux it uses .conf
02:43 <+hyper_ch> but maybe network managers handle it differently though
02:49 < Talltree> roflmao
02:50 < PereP> sorry guys, so the think is that I may rename my current .ovpn to .conf and use it inside /etc/openvpn, right?
02:51 < Talltree> that was fc btw
02:51 < PereP> or no need to rename it at all?
02:52 <@ordex> Enrix: if it's on the same network then you should already have a route (forwarding rule) towards that class
02:52 <@ordex> Enrix: can you ping that IP ?
02:53 < PereP> oh, I see... for the /etc/default/openvpn AUTOSTART thing, it looks for .conf files for each vpn name you specify
02:53 <@ordex> PereP: this depends on your distro
02:57 < PereP> ok ordex... well just used the /etc/openvpn/connection.conf without any further user creating and that, hyper_ch
02:58 < PereP> I hope that's enough
02:59 < PereP> I see an openvpn process running under root and a tun0 interface now
03:00 < Enrix> ordex I tried now, no I cannot ping, the point is that they are on the same network
03:01 < Enrix> ordex, which troubleshooting can I do?
03:01 <+hyper_ch> Enrix: print your routing table
03:03 < Enrix> hyper, this is the server:
03:03 < Enrix> Kernel IP routing table
03:03 < Enrix> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
03:03 < Enrix> default         192.168.1.254   0.0.0.0         UG    202    0        0 enp0s31f6
03:03 < Enrix> 10.254.254.0    0.0.0.0         255.255.255.0   U     0      0        0 tun0
03:03 < Enrix> 172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
03:03 < Enrix> 192.168.1.0     0.0.0.0         255.255.255.0   U     202    0        0 enp0s31f6
03:03 <+hyper_ch> can the server not ping addresses or the client?
03:03 < Enrix> this is the client:
03:04 < Enrix> Kernel IP routing table
03:04 < Enrix> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
03:04 < Enrix> default         192.168.1.254   0.0.0.0         UG    202    0        0 eno1
03:04 < Enrix> 172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
03:04 < Enrix> 192.168.1.0     0.0.0.0         255.255.255.0   U     202    0        0 eno1
03:04 <+hyper_ch> then why do you post kernel routes?
03:04 <+hyper_ch> also, can you use a pastebin
03:05 < Enrix> the server can ping the client
03:05 < PereP> ok, you've been of great help, guys ;)
03:05 < PereP> thanks a lot ;)
03:05 < Enrix> but the client cannot ping the server
03:08 < Enrix> ip route of the client
03:08 < Enrix> https://paste.pound-python.org/show/OyOBtQZHDHyMejbmzMFp/
03:09 <@ordex> Enrix: what's the IP of the client and what's the IP of the server? can you also paste the output of "arp -n" on the client please?
03:10 < Enrix> ip server is 192.168.1.136 ip client is 192.168.1.77
03:11 <@ordex> Enrix: are you sure the server is not firewalled ?
03:11 <@ordex> that might be why you can't ping and can't connect
03:11 < Enrix> arp -n https://paste.pound-python.org/show/coCLsDfzk4FMsRpSO7y5/
03:12 < Enrix> no the server is not firewalled I just finished the gentoo installation
03:12 <@ordex> arp is working fine
03:12 <@ordex> can't see other reason if not a firewall to be honest
03:12 < Enrix> so I dont think that on the default there is a firewall which block something
03:13 <@ordex> there should not be any
03:13 <@ordex> right
03:13 < Enrix> indeed
03:13 <@ordex> well, checking iptables -nL is quick :)
03:13 <@ordex> if empty, then I would check with tcpdump to understand where packets are being dropped
03:14 < Enrix> https://paste.pound-python.org/show/jqWot2M5IVzgr6YEtrxt/
03:14 < Enrix> empty
03:15 <@ordex> ok
03:15 <@ordex> personally I'd dig into tcpdump
03:15 <@ordex> that might be the fastest way to understand why the ping is not working
03:16 < Enrix> strange I tried to ping it again and now it works
03:16 < Enrix> before was unreachable and now it work bah
03:17 <@ordex> mah
03:17 <@ordex> :P
03:17 <+hyper_ch> !configs
03:17 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
03:17 <+hyper_ch> Enrix: paste the configs please
03:18 <@ordex> hyper_ch: we were debugging just the ping, as it was not working at all
03:18 < Enrix> ok sorry my falut I make a mistake with the dots about the ping
03:19 < Enrix> lets try now
03:22 <@ordex> hyper_ch: how is your new connection doing? :)
03:22 < Talltree> is there a tutorial how to configure dnsmasqh with openvpn?
03:22 <+hyper_ch> ordex: still issues with ipv6
03:22 < Talltree> i'm a noob and afraid to do something wrong :P
03:22 <+hyper_ch> but the 1gbit is nice
03:22 <@ordex> Talltree: I am not sure about what that means :P
03:22 <@ordex> hyper_ch: hehe, what kind of problems with v6?
03:23 <@ordex> are you supposed to get a native /48?
03:23 <+hyper_ch> yes, but it doesn't work
03:23 < Talltree> dnsmasq is a dns provider that "proxy's" dns to prevent dns leaks etc
03:23 < Enrix> ok now I just receive one error: Thu May 18 09:16:09 2017 RESOLVE: Cannot resolve host address: gw1.eurojet-service.com: Name or service not known
03:23 <+hyper_ch> router and clients do get ipv6 addresses
03:23 <+hyper_ch> but can't ping anything outside the lan
03:23 < Enrix> the point is that I erase that domain from hosts
03:24 <@ordex> Enrix: your client needs a way to resolve that
03:24 <@ordex> either you configure your DNS server to resolve that hostname
03:24 <@ordex> or you inject it manually in the hosts file
03:24 <@ordex> hyper_ch: oh ok
03:25 <@ordex> hyper_ch: you think it's a configuration problem on your router? or they haven't properly setup their end ?
03:25 <+hyper_ch> ordex: no idea... my ipv6 knowledge is close to 0
03:25 <@ordex> Talltree: yup, and this is independent from openvpn, so it should not depend on it
03:25 <+hyper_ch> I tried with Asus RT-AC68U with merlin and Omnia Turris router and neither works
03:25 <@ordex> hyper_ch: ah ok :P hehe
03:26 <+hyper_ch> I seem to receive the prefix fine... but why it's not resolving upwards, no idea... also bothere the folks in #ipv6 with it
03:26 <+hyper_ch> so I got back to my ISP since they recommend the Omnia Turris for full gbit support
03:26 <@ordex> normally it's quite easy - weird that it dsoes not work
03:26 < Talltree> ordex: yeah, but no idea how to configure it together correctly
03:27 <+hyper_ch> (the asus router only achieved like 930/750mbit and the turris achieves 940/940 mbit)
03:27 <@ordex> hyper_ch: can't you even ping their GW?
03:27 < Enrix> ordex, but I remove that domain from hosts
03:27 <@ordex> cool
03:27 <+hyper_ch> ordex: the asus didn't even get a gw
03:27 <+hyper_ch> I think the omnis turris does
03:27 <+hyper_ch> let me check
03:27 <@ordex> Enrix: ok :P you can decide what to do now :D you could readd it for the test
03:27 <@ordex> hyper_ch: ok
03:27 < Enrix> so how can it gets the domain if it is not anymore in any file>
03:27 < Enrix> ?
03:28 <@ordex> hyper_ch: normally you should get something along with the prefix
03:28 <@ordex> Enrix: it can't. so you have to add it again :P
03:28 < Enrix> ordex, didnt get you :)
03:28 <@ordex> Enrix: or you configure your DNS (but not recommented as it is a private IP)
03:28 <@ordex> (unless you have an internal DNS)
03:29 <+hyper_ch> ordex: he should just provide configs so that we actually know what's going on etc :)
03:30 <@ordex> but it looks like his problem comes even before openvpn can do something :P
03:30 <@ordex> also known as pebkac
03:30 <@ordex> :D
03:32 <+hyper_ch> ordex: https://paste.simplylinux.ch/view/fdb63aba
03:33 <+hyper_ch> ordex: possbily :)
03:36 <@ordex> hyper_ch: is eth1 enslaved in br-lan by any chance? (just a sanity check) it should not I believe
03:37 <+hyper_ch> not really sure what that even means
03:37 <+hyper_ch> ordex: with br https://paste.simplylinux.ch/view/bcaf2c17
03:38 < Enrix> ordex, but if I use just the ip in the .conf of the server and client I dont have to resolve it
03:39 <@ordex> hyper_ch: what does brctl show returns
03:39 <@ordex> there you can check who is enslaved into what
03:39 <@ordex> Enrix: works now ?
03:39 <@ordex> hyper_ch: have you tried running: ping6 ff02::2%eth1
03:39 <@ordex> ?
03:39 <+hyper_ch> ordex: brctl returns nothing
03:40 <@ordex> brctl show
03:40 <@ordex> ?
03:41 <+hyper_ch> ordex: https://paste.simplylinux.ch/view/b346b8a4
03:41 <@ordex> yeah makes sense
03:41 <@ordex> I just wanted to check :P
03:41 <@ordex> anyway, could you try running that ipv6 command ?
03:41 <@ordex> ping6*
03:42 <+hyper_ch> ordex: https://paste.simplylinux.ch/view/8e7b4362
03:43 <@ordex> mh alright
03:43 <@ordex> hyper_ch: is eth1 directly connected to the uplink? or is there something else in between ?
03:43 <+hyper_ch> there's a tp link media converter in between... spf <-> ethernet plug
03:43 <+hyper_ch> besides that, it's directly connected
03:43 <+hyper_ch> the media converter should be passive I think
03:44 <@ordex> mh ok
03:44 <@ordex> well, you can just try .. basically those two guys replying to you are advertising themselves as "ipv6 routers"
03:45 <+hyper_ch> who is replying to me?
03:45 <@ordex> those two guys in the ping output
03:45 <@ordex> you can try:
03:45 <@ordex> ip -6 route add default via fe80::da58:d7ff:fe00:1d95 dev eth1
03:45 <+hyper_ch> but isn't fe80 a local subnet?
03:45 <@ordex> yup
03:45 <@ordex> local to the eth1 link
03:45 <@ordex> but can be used to vehiculate public IPs
03:46 <@ordex> *route
03:46 <+hyper_ch> the problem is I have no idea what I'm doing... ipv6 is just so overly complicated
03:46 <@ordex> to some extends .. yes, they have made it a bit too complex :P
03:46 <@ordex> btw, what you did was:
03:46 <@ordex> pinging a special multicast address using eth1
03:47 <@ordex> this multicast group is formed by all those hosts on the eth1 link that advertise themselves as routers
03:47 <@ordex> it could be your ISP router
03:47 < Enrix> ordex, if I use in server and client conf the ip and resolution, I dont need to use names right?
03:47 <+hyper_ch> but upon reboot, things are different again
03:47 <@ordex> what do you mean ?
03:47 <+hyper_ch> root@turris:~# ip -6 route add default via fe80::da58:d7ff:fe00:1d95 dev eth1
03:47 <+hyper_ch> RTNETLINK answers: Invalid argument
03:47 <@ordex> darn I knew
03:48 <@ordex> it has been long time for me too :D
03:48 <@ordex> lemme check
03:48 <+hyper_ch> I'll wait till I get more and proper instructions from my isp
03:48 <@ordex> okyz
03:48 <+hyper_ch> thx
03:48 <+hyper_ch> static ipv6 would be so nice... finally not requiring to use different ports for various services anymore
03:50 <@ordex> hehe yeah
03:52 <@ordex> I wonder why the route command did not work .. mh
03:53 < Enrix> ordex, did you get me?
03:53 <@ordex> Enrix: sorry, overlook. can you rephrase please?
03:58 < Enrix> ordex, If I use just ip in the server and client .conf and they are on the same network, I dont need to use names in etc/hosts
03:59 <@ordex> right
04:00 < Enrix> so I removed the string host.domain in /etc/hosts but when I launch the client I still receive:Thu May 18 09:18:34 2017 RESOLVE: Cannot resolve host address: gw1.domain.com: Name or service not known
04:00 < Enrix> strange because that reference doesnt exist anymore
04:03 < Enrix> ordex, did you get me?
04:04 < lg188> Hi, So I have a config that uses `<tls-auth> </tls-auth>` to include a tls key. Is that valid?
04:05 <+hyper_ch> lg188: yes
04:05 < lg188> and I set an option earlier tls-auth 1 to declare the direction(?)
04:05 <+hyper_ch> yes
04:06 < lg188> I double checked the files and they both have the same 340 as a start and d5e at end
04:07 <+hyper_ch> that file is everywhere the same
04:07 < lg188> Yes, server and client
04:07 < lg188> I get a hmac authentication error
04:07 < lg188> I have no idea what that is
04:07 <+hyper_ch> direction has to be different on server and client IIRC
04:08 < lg188> on the server it's 0
04:11 < lg188> Yeah I double checked
04:12 <@ordex> Enrix: did you remove the hstname from the config file ?
04:12 <+hyper_ch> lg188: one of my configs  https://paste.simplylinux.ch/view/8fa704e0
04:12 <@ordex> Enrix: it seems you are still using that hostname to connect to the VPN server
04:13 <@ordex> hyper_ch: lg188: when using inline tls-auth, direction has to be specified with —key-direction
04:13 <@ordex> !ios
04:13 <@vpnHelper> "ios" is (#1) See the iOS FAQ here - https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline might be useful
04:13 <@ordex> check #2
04:13 <@ordex> it reports this case
04:13 <+hyper_ch> ordex: why highlighting me?
04:13 < lg188> ordex: now that explains a bit
04:14 <@ordex> because I saw you confirmed the usage of tls-auth to specify the direciotn
04:14 <@ordex> *direction
04:14 <@ordex> so I Wanted to involve you too :P
04:15 <+hyper_ch> no need to involve me :)
04:15 <@ordex> hehe sorry :)
04:18 <+hyper_ch> :)
04:24 < Enrix> ordex, I clean the hosts file, do you have any hint when the system can still get the domainname?
04:25 <@ordex> Enrix: I don't understand. did you remove the hostname from your openvpn config file as well ?
04:33 <@ordex> Enrix: ?
04:38 < Enrix> order, ok I solve it you know why? I just reboot it the client
04:38 < Enrix> weird
04:38 < Enrix> ordex, thanks for everything
04:38 < Enrix> probably in some cache there was still the domainname
04:39 < Enrix> yes it was removed
04:41 <@ordex> mh ok
04:41 <@ordex> np :)
05:11 < Enrix> ordex, but I am still curious about how a cache somewhere could keep the name after the removal :)
05:17 <@ordex> Enrix: I don't know what the problem is because you stopped providing information :P form the error you were showing I Was assuming that you were still using the hostname in the configuration. right ?
05:22 < Talltree> really weird, when i load a website in my browser my skype call lags.
05:22 < Talltree> not CPU related tho
05:23 <@ordex> bandwidth problem maybe
05:24 < Talltree> nah, 150.000 mbit
05:24 < Talltree> maybe because its not prefering skype packages or something
10:08 < havoc> bah, systemd :(
10:12 < PereP> well, bye people
10:13 < PereP> thanks again, hyper_ch ;)
10:13 < PereP> and ordex ;)
10:13 < PereP> so kind of you!
10:14 <@ordex> np
10:22 <@dazo> hmmm ... complaining about systemd .... is like complaining that the engine in Tesla Model S doesn't roar while accelerating
10:23 < Eugene> No, ts like complaining that the electric motor is on fire while accelerating
10:23 < Eugene> But it stops burning when you take your foot off the pedal, so everything is fine
10:23 <@dazo> heh :)
11:59 < ronnocol> Hey all, every so often I like to stop by, say thanks for the great VPN solution and update y'all on the stats on my 2-node OpenVPN cluster:
11:59 < ronnocol> nclients=100550,bytesin=921598526634738,bytesout=208099927932486
12:49 < havoc> ok, I'm missing something here, TUN client keeps creating a 0.0.0.0 target route, with no GW, on connect
12:50 < havoc> but I've got topology subnet set
13:06 < havoc> well shit, I'm using --ifconfig and --ifconfig-pool, should probably be using --server instead
13:33 < scratchy> guys can please someone help me out. i get nuts with this openvpn and latency/bandwith issues..
13:35 < scratchy> https://pastebin.com/P2bnw312
13:35 < scratchy> i tried EVERYTHING, switch to tcp, switch to udp
13:36 < scratchy> cpu load is on both system < 10%
13:36 < scratchy> changeing tcp windows size
13:36 < scratchy> chaning number of sockets..
13:36 < scratchy> please please please any suggestions?!
13:36 < scratchy> why is openvpn is spiking so much and the external connection is super stable..
13:37 < scratchy> even if i use openvpn in the SAME rack, i get some times 5-10ms on tun0 connection..
13:39 < scratchy> ah yeah, all dedicated servers no vps shit or so...
13:44 < havoc> bah, still adds that extra default route, even with --server, I guess I'll just "route del ..." on connect
13:45 < Eugene> !to havoc configs
13:45 < Eugene> !configs
13:45 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:45 < Eugene> Lame bot
13:45 < havoc> heh
13:51 < scratchy> https://pastebin.com/h00DTYXH heres my configs.. im really out of idears :(
13:58 < havoc> configs for phantom default route: https://pastebin.com/QFV4auhW
13:58 < havoc> the odd bit is that I'm using a 99% similar config in many other places without the extra route
13:58 < havoc> I'm wondering if it's an artifact of the Ubiquiti router config
14:43 < Eugene> Ah, the client is a Ubiquiti router?
14:43 < havoc> yes
14:43 < Eugene> EdgeRouter?
14:44 < havoc> yes, ER-X
14:44 < havoc> it's jsut adding a route for: 0.0.0.0         0.0.0.0         255.255.255.128 U     0      0        0 vtun0
14:44 < havoc> but I'm not telling ti to add that anywhere
14:44 < Eugene> Hm. Look through your config(I haven't used one of those, so I'm not familiar) to see if you have "redirect" or similar checked
14:44 < havoc> this is the only time I've seen this behavior
14:45 < havoc> it's pretty much the same setup I use in a few dozen places
14:45 < Eugene> You probably also have a route for 128.0.0.0 with the same netmask
14:45 < havoc> this is the only problem I've ever had like this
14:45 < havoc> Eugene: nope
14:45 < Eugene> Thats super weird. Its definitely a client-side issue; there is no route being pushed for that in your server config
14:45 < havoc> exactly
14:45 < Eugene> If you were using a client.conf we woudl just tell you not to do that; wrappers like Ubiquiti panel are outside of the core openvpn program
14:46 < Eugene> So your problem lies with them
14:46 < havoc> this config, w/ s/// for some files, is exactly what's running in 3 other locations just fine
14:46 < Eugene> You're sure? Paste it ;-)
14:46 < havoc> I did
14:46 < havoc> 13:51:46 <havoc> configs for phantom default route: https://pastebin.com/QFV4auhW
14:46 < Eugene> Except there isn't a route in that config, so its not the config ;-)
14:47 < Eugene> All bets are off when you're using a wrapper
14:47 < havoc> oh, that
14:47 < havoc> the point is there's a routed added when I don't want any routes added
14:47 < havoc> ...other than the link-local for the iface
14:47 < Eugene> !logs
14:47 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
14:47 < Eugene> I am guessing that openvpn didn't add the route; something else did
14:48 < Eugene> Logs will say
14:48 < havoc> tha'ts my guess too
14:48 < havoc> no, they won't
14:48 < Eugene> They will tell you if openvpn did or not
14:48 < havoc> nice little device, for $43, but it's got some limitations :(
14:48 < Eugene> Which will help in your future finger-pointing at Ubnt
14:49 < havoc> yeah, openvpn apparently did not, at least it's not in the logs, and I know what it looks like as I add/push routes on a lot of other setups
14:49 < Eugene> Yeah, there's a reason I don't deploy those things. The rest of the Unifi suite is pretty good(AP, Cloudkey, switches), but I don't dig their routers at all
14:49 < havoc> yeah, but they could be worse, and the price is a winner
14:49 < Eugene> I like pfsense, particularly netgate's branded series. The SG-2220 is $300 and I have not yet found a "consumer" network it can't run by itself
14:49 < havoc> we're deploying 2,000 of these things
14:49 < Eugene> Jesus
14:50 < havoc> but all the hardware is like $10k per install
14:50 < Eugene> I would recommend upgrading to a slightly-better platform, heh
14:50 < havoc> this is just so we have remote access to the NUC that's acting as the hardware controller
14:50 < Eugene> pfsense XML is pretty easy to template out
14:51 < havoc> you can recommend all you want, but shit's in motion now, budgets, and timelines are fixed
14:51 < Eugene> Indeed.
14:51 < havoc> just gotta deal with What IS, and somehow make it all work :(
14:51 < Eugene> This is why I hate ENTERPRISE acquisition process. Test, THEN deploy.
14:52 < havoc> the fuckup is the contract people left the routers, and some other networking gear, out of the fucking contract
14:52 < Eugene> Ready, fire, aim is the worst
14:52 < Eugene> Nice
14:52 < havoc> I said, on a conf call, that they should all be terminated immediately
14:52 < Eugene> Well good luck. In your position I would call Ubiquiti support
14:52 < Eugene> They might have a magic incantation or a software update
14:53 < havoc> nah, jsut "route del ..." on connect
14:53 < Eugene> That'll work up until the moment an update changes behaviour
14:53 < Eugene> So I guess make sure your update testing is on point
14:53 < havoc> if it does, it does
14:53 < havoc> I hope to be out of this company by then ;)
14:53 < Eugene> Fair
14:55 < havoc> anyway, $43USD for these litle ER-X things is kinda awesome
14:55 < havoc> ...for what they are
14:56 < havoc> some jackass in our corp suggested Meraki
14:56 < havoc> 1) That'd cost >$1,000,000USD more for the program
14:56 < havoc> 2) That'd require 2,000+ custom router configs
14:57 < havoc> morons
14:57 < havoc> the MErakis use "cloud based config" to get around the dynamic endpoint bit, but the IPs still need to be publicly accessible, all these units are gonna be NATd at customer sites
14:59 < havoc> Eugene: also, for $43ea., when they fail, as I expect they will over a 5/7/10 year deployment, they need not be replaced with the same thing, just the same capabilities/config
14:59 < Eugene> That's why I like pfsense ;-)
15:00 < havoc> still need something to run it on
15:00 < havoc> and we have a hard deadline to deal with
15:00 < Eugene> Yeah, this is just hindsight
15:00 < Eugene> Sorry you're involved in such a shit project, sounds ugly
15:00 < havoc> eh, everything at this corp is like that, it's why I get paid; I take their shit and make it work
15:01 < havoc> it's my Value Proposition: You need to provide Value to get paid. You provide Value by doing what others Can't, and/or Won't.
15:02 < havoc> I'm pretty much doing both here :|
15:02 < havoc> but I had been on their case about all this infra stuff almost 16mos. ago, because I know this is how it was gonan go down
15:03 < havoc> then the contract team screwed us
15:04 < havoc> and since ink was on paper, and the margin was set, $1,000,000 more wasn't an option, as it'd have to come out of our margin over the next few years
15:04 < havoc> and we'd still be contractually obligated to provide the service
15:05 < scratchy> havoc any idear why my vpn hast this latency spikes?
15:05 < havoc> scratchy: nope
15:05 < scratchy> did you setup a wan openvpn which have the same issues ?
15:06 < scratchy> or did you setup wan at all and it was stable?
15:07 < scratchy> even from datacenter to datacenter  (well 12 hops but..) has the same issues
15:07 < scratchy> reduced mtu as well now to 1200..
15:09 < havoc> scratchy: I have no setups where I have to mess with IP settings
15:53 < ronnocol> nclients=100550,bytesin=921598526634738,bytesout=208099927932486
15:53 < ronnocol> gah... up-arrow/enter in wrong window... sorry
16:21 -!- Captain_Beezay is now known as Anti-TrojanElite
16:25 -!- Chotizei is now known as Chotaire
16:41 -!- Anti-TrojanElite is now known as DongHao
16:42 -!- DongHao is now known as WuYingzhuo
17:44 < zx2c4> https://lists.zx2c4.com/pipermail/wireguard/2017-May/001338.html in case anybody here uses WireGuard and wants free wireguard stickers...
17:45 <@vpnHelper> Title: I will mail you WireGuard stickers (at lists.zx2c4.com)
18:42 < dimestop> hey everyone. I'm having a weird issue where submitting a page in a web application (freepbx) causes openvpn client on the system to drop out completely
18:42 < dimestop> the only error I can see is
18:42 < dimestop> "event wait return -1"
18:43 < dimestop> it's running on centos 6 in vmware 6.5
18:43 < dimestop> it was a fresh install of the freepbx distro. we've used it hundreds of times with openvpn and no issue
18:43 < dimestop> we believe it might be related to being a virtual
18:44 < dimestop> oh right
18:44 < dimestop> !welcome
18:44 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
18:44 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
18:44 < dimestop> !goal I would like openvpn client to not drop out when submitting a webpage
18:45 < dimestop> !goal
18:45 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:45 < dimestop> ah I get ya
18:45 < dimestop> I would like openvpn client to not drop out when submitting a webpage
18:46 < Eugene> That's a really interesting problem. I can't even begin to imagine how that is happening
18:46 < Eugene> Its proooooobably freepbx restarting networking or iptables somewhere
18:50 < zoredache> freepbx is on the server, or client end?  Or some device beyond the server?
18:50 < dimestop> openvpn client is on the freepbx server
18:50 < dimestop> the openvpn is used to connect to the upstream carrier
18:50 < dimestop> submitting on the freepbx box drops the client
18:50 < dimestop> very odd
18:51 < dimestop> maybe I'll make a ticket with #freepbx
18:51 < zoredache> Do you see anything getting logged to your system log when that happend?  Does it automatically come backup on its own?
18:51 < dimestop> it doesn't come back up automatically
18:52 < dimestop> do you mean /var/log/messages ? just the system log?
18:52 < dimestop> we got event wait return -1, i will log in and check for more messages now
18:52 < dimestop> s/now/soon/
18:52 < zoredache> Well that probably means something changed, so you probably need to look closely at the state of the system to see what changed.  Maybe a routed or firewall rule got added or something.
18:52 < zoredache> not sure which log to look at dimestop.  Whatever gets the most messages, distros send logs to different filenames
18:53 < dimestop> I'll run watch on ifconfig and iptables while i hit submit
18:53 < dimestop> very good tip
18:53 < zoredache> maybe look at all of the recent messages in all the logs.
18:53 < dimestop> and I'll check for more logs
18:53 < dimestop> thanks
18:53 < zoredache> maybe look at your route table/iptables and netstat before and after
18:53 < dimestop> i'll get back to you guys later
18:53 < dimestop> yeah :) ty
18:54 < zoredache> also, maybe run a wireshark at the time, to see if anything interesting is happening.
19:03 -!- WuYingzhuo is now known as Captain_Beezay
22:08 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:16 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:17 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Fri May 19 2017
01:20 -!- Olufunmilayo is now known as Adderall-OFC
01:38 -!- Adderall-OFC is now known as Adderall
01:40 -!- Adderall is now known as Olufunmilayo
05:13 < htd> hi guys, I upgraded from 2.3.12 to 2.4.2 server-side only. then I got the "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" error with 2.3 clients
05:14 < htd> is that expected behaviour? because downgrading to 2.3 on server-side made things work again
06:59 <@ecrist> no, we'd have to see your !logs and !configs
07:03 < htd> logs will be hard (since I reverted to v2.3) config I'll paste, just a sec
07:03 <@ecrist> we can't likely help without logs
07:08 < htd> right now I can't update to 2.4.2 again, this would kick my coworkers. I'll produce some logs at night when nobody needs it
07:08 <@ecrist> ok
07:17 < Enrix> is there any way to troubleshoot a client in windows? The server in a linux machine seems starting good but the client doesnt connect
07:17 < Enrix> ?
07:23 <@dazo> htd: Do you use CRL?  check that your CRL is valid .... see this bz for more details .... https://bugzilla.redhat.com/show_bug.cgi?id=1451696
07:23 <@vpnHelper> Title: Bug 1451696 openvpn update breaks server (at bugzilla.redhat.com)
07:23 <@dazo> start with comment 7
07:23 < htd> dazo: yes CRL is used
07:23 < htd> thanks for the hint
07:24 <@ecrist> Enrix: you do the same thing on either platform - read the logs
07:40 < htd> may I suggest you add the CRL expired proble as a reason to the FAQ page of https://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html
07:40 <@vpnHelper> Title: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) (at openvpn.net)
07:40 < htd> because else people will start to fiddle with their firewall settings and might make things worse ;)
07:40 <@ordex> htd: honestly I am not sure the CRL can lead to that error
07:41 <@ordex> htd: did you fix your issue by fiddling with the CRL ?
07:41 < htd> can test that at night
07:41 < htd> but I have
07:41 <@ordex> htd: ok. because the CRL joins the gain later. at that stage the client and the server are still trying to start some kind of communication
07:41 < htd> May 19 11:45:20 [openvpn] 185.127.207.104:60015 VERIFY ERROR: depth=0, error=CRL has expired
07:41 < htd> in the server logs
07:42 <@ordex> ah!
07:42 <@ordex> there you go then :)
07:42 < htd> yes, but the client tells me timeout
07:42 <@ordex> I thought the client would receive some error, but apparently the server just stops sending stuff
07:42 <@ordex> yeah
07:42 <@ordex> ok
07:42 < htd> since this particular user often messed with the "remote" setting I accused him of f-ing up again ;)
07:42 <@ordex> haha
07:42 <@ordex> good to start that way :P
07:42 < htd> but actually this time he was not at fault
07:42 <@ecrist> it would be nice if there was some error on the client side
07:43 <@ordex> yap
07:44 < htd> yes that's an even better fix, will help admins find the actuall issue quicker.
07:44 <@ordex> although this general error should be printed immediately at server boot
07:45 <@ordex> it does not make sense to start and reject clients later
07:46 <@plaisthos> I am not 100% sure
07:46 <@plaisthos> but I think you can replace the crl while openvpn is running
07:46 <@ordex> true you can
07:46 <@ordex> right
07:46 <@ordex> I implemented that part :D
07:46 <@ordex> hehe
07:46 <@plaisthos> ah right :)
07:47 <@plaisthos> we should get back to the old days when we did not check validity of crl
07:47 <@ecrist> ordex: the CRL is read on each client connection
07:47 <@plaisthos> everything was better than *ducks8
07:47 <@ecrist> I don't know if it's read at server start.
07:47 <@plaisthos> no
07:48 < htd> well for lazy dumbasses like me a read on server start would help
07:48 <@plaisthos> And I think ordex fixes it so that it is not reread on every connection
07:48 <@ordex> only ifit changed
07:48 <@ordex> *if it
07:48 <@ecrist> so, it checks mtime of the file, or what?
07:50 <@ordex> mtime and size
07:51 <@ecrist> so, the result is the same
07:51 <@ecrist> I could rephrase my statement as "the CRL is analyzed/considered on each client connection"
07:51 <@ordex> yap
07:52  * ecrist renames ordex => pedantic
07:52 <@ordex> it was plaisthos who complained :D
07:52 < Enrix> ecrist so it is enough that I go to the client.ovpn in windows and I set a file where to put the log?
07:52 <@ordex> I think he wanted emphasise that there is no "load" operation upon every connection (which may result in a slowdown)
07:52 <@ordex> :P
07:52 <@ecrist> ordex: see, there you go!
07:53 <@ecrist> *ahem* s/ordex/pedantic/
07:53 <@ordex> :D:D
07:53 <@ecrist> good morning, btw. :P
07:53 <@ecrist> Enrix: yes
07:54 <@ordex> good evening!
08:05 < Enrix> ok I receive this: Options error: On Windows, --ifconfig is required when --dev tun is used
08:06 < Enrix> in the windows client
08:07 <@ecrist> !logs
08:07 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
08:07 <@ecrist> !configs
08:07 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:12 < Enrix> ecrist, can you give me some hints?
08:15 <@dazo> Enrix: the hint is to provide the configuration files and logs, as described by !configs and !logs
08:16 < Enrix> ok
08:16 < havoc> Enrix: TAP is Layer2, DHCP is Layer2, TUN is Layer3, so no DHCP, so you either need to specify it on the client with --ifconfig, or push --ifconfig from the server
08:19 < MacGyver> (Or proxy DHCP.)
08:19 < MacGyver> Oh wait, it actually refuses to run.
08:20 < havoc> yes, openvpn knows that you need an --ifconfig to specify an address if you use --dev tun
08:20 < Enrix> havoc, you mean in the client write dev tun --ifconfig?
08:20 < DArqueBishop> Enrix:
08:20 < DArqueBishop> !howto
08:20 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
08:20 <@dazo> Enrix: maybe ... maybe not ... it depends on what kind of tunnel you are configuring
08:21 <@dazo> Enrix: sometimes it is needed, other times it is not needed - but you need to use other options instead
08:21 <@dazo> !configs
08:21 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:21 < DArqueBishop> I'm sorry if this is coming off as incredibly harsh, but after three or four days of this I seriously think Enrix needs to sit down with the documentation for a while, read it, and understand it before proceeding.
08:22 <@dazo> DArqueBishop: not harsh at all ... it sounds very reasonable
08:23  * DArqueBishop spent a couple of days poring over the HOWTO before implementing his first OpenVPN install.
08:24  * dazo too
08:24 < havoc> networking knowledge helps too
08:24 <@dazo> not just helps .... it's a requirement
08:24 < DArqueBishop> s/helps/is required/
08:24 < MacGyver> It's pretty much essen... yeah.
08:25 <@dazo> If you don't know networking, there's no chance you'll be able to understand VPNS
08:25 < MacGyver> If you've never routed between two subnets, you're probably going to have a bad time.
08:25 < Enrix> sorry guys it is just that I have to do this as a work and my boss pretend result immediatly even if for me it is the first time that I work with this
08:25 <@dazo> Enrix: well, there are no shortcuts than to learn what is needed to do
08:25 < Enrix> didnt want to bother you
08:26 < DArqueBishop> Enrix: then do what I would do in your situation. Hire a contractor to implement it.
08:28 < Enrix> I cant hire a contractor I should do the job by myself :)
08:29 <@dazo> Enrix: what do you know about basic networking?  Like subnet routing
08:29 < Enrix> I have knowledge
08:29 < Enrix> I studied ccna
08:29 <@dazo> okay, sounds reasonable
08:30 < Enrix> but i never worked with openvpn
08:30 <@dazo> then get started with this one ... https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
08:30 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
08:30 <@dazo> it should walk you through the most important steps of configuring openvpn
08:31 < DArqueBishop> If your boss says he needs an immediate result, you need to tell him that it's unrealistic to expect you to implement a brand new complex software implementation (ESPECIALLY a security/remote access one) "immediately".
08:31 <@dazo> DArqueBishop++
08:32 < havoc> "Nine women can't have a baby in one month", some shit just takes time; there are no shortcuts
08:32 < Enrix> the point is that it is something knew for me so I need time to study I cannot start working as I know this from my every day's work
08:33 < DArqueBishop> Enrix: my point is that from where I'm sitting you're rushing into it without taking the time to understand the software. You're asking questions that you would already know the answers to if you read dazo's link or the HOWTO.
08:34 < MacGyver> Enrix: In an ideal world, you'd tell your boss "I've never worked with openvpn, and it's going to take me a week to read up on it and get a secure working setup".
08:34 < Enrix> he didnt say immedatly but he speak with me as I know already the job
08:35 < Enrix> I am a lot of under pressure because I think I should receive more support but instead I am alone in this :)
08:37 <@dazo> Enrix: that's life, really .... bosses can set high expectations ... just start working on the topic .... if you really know the networking side well, you'll be up'n'running with a openvpn setup within 3-4 hours with your first clients and server if you follow the "Getting started" guide
08:37 <@dazo> I know it's a lot of text, but it tries to explain _why_ you need those various options
08:38 < Enrix> ok thanks guys
09:12 < Hack5190> Just installed all the 'security' updates on Ubuntu 16.04.2 LTS - OpenVPN 2.4 wasn't included, sigh....
09:17 < DArqueBishop> Linux distributions like Ubuntu typically do not increment version numbers when they update software packages. What they do is backport security and bugfix updates into the existing package.
09:21 < Hack5190> DArqueBishop: Not certain I understand what your saying....
09:21 < Hack5190> I ran "sudo unattended-upgrades" and OpenVPN was not listed in the packages being upgraded.
09:21 < DArqueBishop> It means if you want OpenVPN 2.4, you'll need a later version of Ubuntu.
09:22 < DArqueBishop> Here, this is the Red Hat explanation of backporting: https://access.redhat.com/security/updates/backporting/
09:22 <@vpnHelper> Title: Security Backporting Practice - Red Hat Customer Portal (at access.redhat.com)
09:23 < Hack5190> I thought that "LTS" would cover security fixes in OpenVPN.   -  Thanks
09:23 < DArqueBishop> It does, hence backporting.
09:24 < Hack5190> Now you really have me confused :) - how do I get a  later version of Ubuntu if not with updates?
09:24  * DArqueBishop sighs.
09:25 < DArqueBishop> I don't remember when OpenVPN 2.4 was released, but it would be included in either 16.10 or 17.04.
09:26 < rob0> backport ONLY IF the version is not supported upstream, of course
09:27 < DArqueBishop> The point is that if you're only worried about security and/or bug fixes, the people who maintain the OpenVPN build for Ubuntu will have ported those fixes into the version that is included in the relevant distros.
09:27 < DArqueBishop> So, the version of OpenVPN in Ubuntu 16.04.2 may be OpenVPN 2.3.something, but it will have the security updates from later versions.
09:28 < havoc> I used to use backports/pinning, many years ago, too much hassel
09:29 < havoc> better to build from src, and checkinstall
09:29 < Hack5190> It's obvious I completely misunderstood the linux update / upgrade process.  So I need to run "do-release-upgrade" to get what I want?
09:29 < DArqueBishop> Hack5190: why do you want to upgrade OpenVPN?
09:30 < DArqueBishop> Are you just after security fixes, or are you after features as well?
09:30 < Hack5190> security only.  The server is a ZNC bouncer and uses a 24x7 vpn connection.
09:31 < DArqueBishop> Then you're fine. Any security fixes will be backported into the version you're using.
09:32 < Hack5190> Thats what I thought - but openvpn was not in the list of packages when I ran "sudo unattended-upgrades -d"
09:32 < DArqueBishop> The version of OpenVPN in 16.04.2 is 2.3.10, but it'll have security fixes from later versions.
09:35 < Hack5190> Thats the same version I have (OpenVPN 2.3.10) dated Feb  2 2016 - it can't possibly have the new fixes just released this month after the code audit.
09:37 < DArqueBishop> Then they simply haven't been ported.
09:37 < Hack5190> Makes sense . . .
09:38 < DArqueBishop> That doesn't mean they won't be ported.
09:38 < Hack5190> Understood, I just need to keep checking :)
12:10 <@dazo> Hack5190: bottom line is: Don't trust the _version_number_.  You need to check the distro's changelog for that particular package.
12:10 <@dazo> Through this URL, I found the openvpn package
12:10 <@dazo> http://packages.ubuntu.com/search?keywords=openvpn
12:10 <@vpnHelper> Title: Ubuntu – Package Search Results -- openvpn (at packages.ubuntu.com)
12:11 <@dazo> And there you can dig up the proper release, and click "Ubuntu changelog" ... and you'll get seomthing like: http://changelogs.ubuntu.com/changelogs/pool/main/o/openvpn/openvpn_2.3.11-1ubuntu2/changelog
12:12 <@dazo> but it does seem the ubuntu packager have been sloppy in keeping it up-to-date .... 16.04 LTS ... http://changelogs.ubuntu.com/changelogs/pool/main/o/openvpn/openvpn_2.3.10-1ubuntu2/changelog
12:13 <@dazo> last updated:  Tue, 02 Feb 2016 13:33:39 +0100
12:39 < ghost75> is there a setting which controls how many seconds a client can be in standby till password prompt?
12:40 < ghost75> i am using also auth-gen-token on server
12:42 < ghost75> 10sec of standby results in password prompt
12:47 < ghost75> i guess its ping-restart
13:05 <@dazo> ghost75: no, there are no real limits for the password prompt .... but --ping-restart will decide when the server decides the client have disconnected
13:06 < ghost75> so default is 60 i think
13:06 <@dazo> ghost75: the password is generally collected before the client connects to the server .... so in --reneg-* situations, the client is just silent and doesn't send anything to the server until it have a password
13:08 <@dazo> ghost75: I think it might be 120 seconds actually
13:32 < ghost75> keepalive 10 60 <- this i am using
13:33 < ghost75> and reneg-sec is 3600 default i think
13:34 < ghost75> so if connection is flaky i.e. in train then it will reconnect no sooner than 60s
13:35 < ghost75> users are complaining that they need to reenter password
13:38 <@dazo> okay, then the server side is 120, as that takes --ping-restart * 2 ... --reneg-sec is 1h by default
13:38 <@dazo> the client will hit --ping-restart in 60
13:39 <@dazo> that means the server will have an extra grace period for clients to come back
13:54 -!- wuseman is now known as wuseman_
13:55 -!- remirol is now known as lorimer
13:55 -!- wuseman_ is now known as wuseman
14:06 < ghost75> dazo: do you recommend other setting?
14:07 <@dazo> ghost75: the defaults are usually fine, as long as you use --cipher AES-something and --auth SHA256 ... preferably adding --tls-crypt or --tls-auth
14:09 < ghost75> tls-auth but no auth
14:09 < ghost75> cipher AES-256-CBC
14:09 < meepmeep> hello :)
14:10 <@dazo> that's reasonable ... some might argue that AES-128 is somewhat better, and have better performance .... but 256 is far from bad
14:10 < meepmeep> I have an openvpn server with this subnet for client : 10.7.0.0/24, I forced some ip address on specific client (like USERA= 10.7.0.6), and I just saw that this assign could be assigned to another user. Is there a way to say "only use this ip for this user" ?
14:12 < meepmeep> or the solution is to reserve some ip at the end of the subnet ?
14:12 <@dazo> meepmeep: no, such options doesn't exist ... but you can define a more narrow IP address pool by using --ifconfig-pool directly and have those with fixed IPs outside that scope
14:13 <@dazo> or you can do some tricks with --client-connect, having your own script assigning IP addresses to all your clients ... where your script decides whom will get a random IP and whom have a fixed IP
14:14 < meepmeep> most of my client are phone with openvpn application, I could use such script with it ?
14:14 < meepmeep> otherwise i'll go for the 1st solution
14:14 <@dazo> that script is run on the server
14:14 < meepmeep> ah ok
14:17 < meepmeep> i'll try an ifconfig-pool outside the fixed ip then :)
14:18 < modem> hey
14:19 < meepmeep> next step, find where i could set this up on pfense :D
14:26 < rob0> !pfsense
14:26 <@vpnHelper> "pfsense" is (#1) dont use the web gui for configuring openvpn, you need to understand the config and logfiles, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
14:35 < meepmeep> :D
14:36 < meepmeep> great, the goal is to keep the same ip for the ip gw for client and a refuce ifconfig-pool
14:37 < catalase> how can i check my openvpn server version on ubuntu server 16.04.2 lts
14:38 < havoc> just use an ifconfig pool that's smaller than the routed subnet, and push ifconfig for the "statics" to specific clients via ccd
14:38 < havoc> ...statics outside the ifconfig pool
14:39 < catalase> openvpn --version did the trick
14:52 < meepmeep> ok but pfsense is rewriting my config file each time it starts openvpn ..
14:53 < meepmeep> i need to a create a new server config file ?
14:53 < meepmeep> and start it from command line ?
14:53 < rob0> well, that's up to you, but if you want help with pfsense we probably can't provide it here.  (I know I can't.)
14:54 < meepmeep> indeed !
15:30 < meepmeep> ok my problem : https://pastebin.com/j7t16Kbd
15:30 < meepmeep> i tried with ifconfig 10.7.0.1 10.7.0.2 but still got an error message
15:40 < meepmeep> i don't get the link between ifconfig second ip address and ifconfig-pool IPs
15:44 <@dazo> meepmeep: if you want to use --ifconfig-pool, you need to use --topology subnet (or net30 - which is the not so recommended default).... which means --ifconfig takes IP address as first argument and subnet mask as the second arg
15:45 <@dazo> your server config extract looks sane ... but you need to do something on the client side
15:45 <@dazo> oh, and the server *must* push the IP address in --mode server .... otherwise it won't work so well
15:46 <@dazo> and you should probably also push topology to the client
15:47 <@dazo> !ccd
15:47 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
15:48 < meepmeep> i'm using topo subnet
15:48 < meepmeep> if I push a subnet as second adress i get an error message on windows
15:49 <@dazo> meepmeep: do you also push topology subnet?
15:50 < meepmeep> without pushing topology, it worked before only with "server 10.7.0.0 255.255.255.0
15:50 < meepmeep> so i just exploded this line
15:50 <@dazo> if you used --server before ... then that does a lot of things for you, like pushing topology
15:50 < meepmeep> i removed the server line
15:51 < meepmeep> i'll try again with the netmask
15:51 <@dazo> Read the --server section carefully in the man page, and you'll see it is essentially just a kind of a macro doing a lot of things for you in one simple go
15:51 <@dazo> !man
15:51 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
15:53 < meepmeep> i'm justsaying that it looks like my error comes from windows openvpn client only
15:53 < meepmeep> https://pastebin.com/j7t16Kbd
15:55 <@dazo> first of all ... beef up 'verb 1' to 'verb 4' now when you are configuring it ... that will help you pinpoint several things
15:55 < meepmeep> Fri May 19 22:48:34 2017 WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
15:55 < meepmeep> Fri May 19 22:48:34 2017 There is a problem in your selection of --ifconfig endpoints [local=10.7.0.50, remote=255.255.255.0].  The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.  This is a limitation of --dev tun when used with the TAP-WIN32 driver.  Try 'openvpn --show-valid-subnets' option for more info.
15:55 < meepmeep> (for me, it means that windows client doesn't support a netmask as second ip on a TUN network, so i'm screw)
15:56 <@dazo> right, that is due to the client is in --topology net30, while the server is --topology subnet
15:56 < meepmeep> unless i move to net30
15:56 < meepmeep> linux client don't get this error
15:56 <@dazo> you are *MISSING*  'push "topology subnet"' in your server config   (third time I'm saying this)
15:59 < meepmeep> indeed ..
15:59 < meepmeep> windows could connect now, but i lost some route on linux side
16:00 < meepmeep> i'll investigate, thank you :)
16:01 < meepmeep> (sorry and thank you dazo)
16:08 < meepmeep> i think i spot a misleading configuration information ..
16:34 < AnnaRooks> hi im trying to set up openvpn so i can connect clients to each other for a game
16:34 < AnnaRooks> client-to-client is enabled, but theres this one client that doesnt respond to pings
16:34 < AnnaRooks> doesnt respond to other clients or the server
16:36 < AnnaRooks> everything else does respond to other clients and server though
19:25 <@krzee> AnnaRooks: sounds like that client has a firewall running on the vpn interface
19:26 <@krzee> you said games, ill assume windows... disable the windows firewall for the tap interface
22:06 < hadadat> Hello, I recently updated to 2.4.2 since I did openvpn fails to start. It's performing ifconfig tun0 add <ipv6> which is failing since my system doesn't have ipv6 support. Do I need to add something to the config to make it not try ipv6?
22:06 < hadadat> I don't have tun-ipv6 in my config file
22:07 <@ordex> hadadat: serve or client?
22:07 <@ordex> !logs
22:07 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
22:07 <@ordex> !configs
22:07 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
22:07 < hadadat> client
22:11 < hadadat> config: https://paste.pound-python.org/show/2XLYm4x6ViKwBumtDG0D/
22:13 < hadadat> log: https://paste.pound-python.org/show/YiQ5g2HEK7HRq0eMudVV/
22:26 <@ordex> hadadat: I believe in recent version there is the assumptions that every system supports ipv6
22:26 <@ordex> tun-ipv6 is deprecated for this reason
22:27 <@ordex> hadadat: you could try to pull-ignore ifconfig-ipv6 and route-ipv6
22:27 <@ordex> that *might* work
22:27 <@ordex> but I really wonder why you haveo ipv6 support :O
22:28 < hadadat> I built my kernel without it >_>
22:28 < hadadat> Is pull-ignore a setting I put in my config?
22:29 <@ordex> yap
22:29 <@ordex> you can check the man - it should be there
22:30 <@ordex> personally I'd use the ipv6 connectivity given by your vpn server - you may avoid nat etc. but up to you :)
22:33 < oalvarez> https://pastebin.com/agcu0dLd -- Can anyone help me find out why when I send a ping from the "Server" to 10.9.8.2, when captured in the client I see the inner IPv4 packet has the server public IP as the Source Address instead of 10.9.8.1?
22:34 < hadadat> Your advice for pull ignore worked ordex. Thank you
22:35 < oalvarez> https://pastebin.com/rYdFmPEY -- same paste with ip route on the server added
22:42 <@ordex> oalvarez: how about sharing the pcap too ?
22:43 < oalvarez> ordex: absolutely :)
22:50 < oalvarez> ordex: http://blog.alvarezp.org/files/ovpn-only.pcap
22:50 < oalvarez> however, under Wireshark, I must rightclick on the "Data" and set it to be decoded as IPv4.
22:51 < oalvarez> and there can be seen the inner header set to 173.x.x.x
23:07 < oalvarez> What I would expect is that because the routing table has 10.9.8.2/32 dev tun1 src 10.9.8.1, a ping would send it with 10.9.8.1 as the source in the inner IPv4 header before encapsulating it into OpenVPN back with the public IP addresses
23:07 < oalvarez> a ping to 10.9.8.2, that is
23:15 < oalvarez> ordex: you know what... I may have NAT rules causing a conflict!
23:16 <@ordex> what you are describing sounds like that
23:16 <@ordex> sorry but I am busy atm and can't look at your stuff
23:16 < vacho> I am connected via OpenVPN protocl to a remote network. I want to load the host 192.168.1.146 on the remote network which is a NAS, but how would my computer know if I am refering to 192.168.1.146 remotely or locally?
23:17 < vacho> sorry if my question is too primitive, I am new to this
23:18 < oalvarez> ordex: I still appreciate the attention :) I found out a bad NAT rule :)
23:19 < vacho> oalvarez: sorry to bug, can u please help me?
23:20 <@krzee> vacho: you need to use different subnets
23:20 <@krzee> !samesubnet
23:20 <@vpnHelper> "samesubnet" is (#1) clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway, or (#2) you can use --client-nat if on 2.3 to work around changing the subnet, but you should still just change
23:20 <@vpnHelper> the subnet
23:20 <@krzee> i know you dont have the gateway case, but seriously change subnets
23:20 <@krzee> on both sides if possible! lol
23:21 < oalvarez> vacho: I'm by far not an expert on OpenVPN itself but... your computer WILL NOT be able to recognize the difference; it will always think it's local
23:21 < vacho> krzee: got it! makes total sense.
23:21 < oalvarez> vacho: you can use NAT (but this sometimes carries its own set of problems)
23:21 < vacho> i want to change the subnet on the remote network
23:22 < oalvarez> vacho: your best bet is to have both subnets different
23:22 <@krzee> oalvarez: bad suggestion, last case scenario
23:22 < oalvarez> krzee: which one is bad, NAT or different subnets?
23:23 <@krzee> nat
23:23 < vacho> oalvarez: I agree, I do have the same IP local and remove.. e.g. the remote router is also 192.168.1.1 ,, in fact..my local and remote router are the same (netgear nighthawk)
23:23 <@krzee> different subnets is what i said :-p
23:23 < vacho> how do I change the subnet on the remote VPN? it's a netgear nighthawk
23:24 < oalvarez> krzee: I said that it has its own set of problems, and later I said the best bet is to use different subnets.
23:25 < oalvarez> vacho: gotta leave, but first renumber your remote network and then re-configure the VPN to use the new numbers. Be careful not to lock yourself out.
23:25 <@krzee> no reason to mention !nathack until its needed, people use it prematurely all the time cause they dont understand routing
23:26 < vacho> oalvarez: I have a person on the other end that can help..just need to know what I need to change.
23:26 < vacho> I dont mind finding it in the manual, as long as I know what it's called
23:26 <@krzee> on the router you change the lan subnet
23:27 < vacho> krzee: http://documentation.netgear.com/dg834n/enu/202-10197-02/images/LANIPsetup.jpg
23:27 < oalvarez> krzee: please tell me that this is an internal channel rule, convention or recommendation or practice, not that it is a bad suggestion per se. Thank you.
23:27 < vacho> krzee: is that the correct screen?
23:27 < oalvarez> vacho: good luck with your scenario, I gotta leave :)
23:27 < vacho> oalvarez: thanks h
23:27 <@krzee> oalvarez: my personal opinion, no official rule
23:27 <@krzee> although i doubt anybody would disagree
23:28 <@krzee> lol he asked and left within seconds... obviously didnt wanna hear the answer
23:29 < vacho> :)
23:30 <@krzee> vacho, try making it 192,168.84.1 and change everything that lets you to the 192.168.84. subnet
23:30 <@krzee> youll need to reconnect all machines
23:31 < vacho> krzee: not following
23:31 < vacho> everything is DHCP
23:31 <@krzee> change the .1. in 192.168.1.* to 84
23:31 <@krzee> yes and dhcp is from this router
23:31 <@krzee> you need to change your subnet
23:32 < vacho> what whould the new subnet be
23:32 < rob0> 84?  No!!  84 is MINE!!!11
23:32 < vacho> why not just use 192.168.2.1?
23:32 < vacho> https://www.dropbox.com/s/mmlh37wakfhcmsn/Screenshot%202017-05-19%2021.25.59.png?dl=0
23:32 < vacho> anything else I need to change?
23:33 <@krzee> that says .2. before both sides were .1.
23:33 <@krzee> now i leave all drunk
23:33 <@krzee> rob may help, we'll see :D
23:34 < rob0> ha, past my bedtime
23:34 < rob0> sorry, I would, but I'm worn out
23:35 < vacho> :(
--- Day changed Sat May 20 2017
00:08  * nbastin is around at some point in maybe an hour, but not right now
00:09 <+nbastin> but I will try to review your discussion
02:13 <+nbastin> or 3 hours later...
03:23 < AnnaRooks> ack i keep missing pings, im so sorry
03:47 < skyroveRR> Afternoon.
05:16 -!- alexandre9099_ is now known as alexandre9099
06:25 < Berny_> heya, I was wondering, I'm trying to configure an openvpn server on linux and I need a hand.. well, possibly an extra coupl'a brain cells... I was thinking what I wanted to do was to generate a cert using the TPM of the laptop, sign it using the "enterprise" (Really, just my lab) CA and have that verified by OpenVPN to verify the device. Now, I also wanted to verify the user, so possibly a...
06:25 < Berny_> ...username / password auth? So a tie into LDAP. And then to top it all off, I wanted to do a two factor authentication with a yubikey or something like that
06:29 < Berny_> I'm thinking devices and users should auto-enroll.. It's just a matter of verification of them
06:31 < dob1> hi, i read something on google but i can't find a solution: i can't copy large ( > 100MB) files on smb share over openvpn. As i read i tried some mssfix settings, tun-mtu, but always the same.
06:34 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Disconnected.]
06:34 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
06:35 -!- mode/#openvpn [+v s7r] by ChanServ
06:52 < dob1> another question, i am not using ipv6, how can i suppress MULTI: bad source address from client [ipv6 address], packet dropped
06:52 < dob1> i have a lot of them
07:01 < DryEagle> hi, i have some .ovpn config files but my login details are kept in a separate file, can i make a single .conf which will link the two together?
07:01 < skyroveRR> DryEagle: nope.
07:01 < DryEagle> or must i just put the login details into each .ovpn file?
07:01 < skyroveRR> Put everything into one .ovpn file
07:02 < DryEagle> the problem is i have a pile of .ovpn files for different servers all of which need the same login details
07:02 < DryEagle> so each time i change my login details i'd have to go through every single one of them
07:02 < skyroveRR> It's currently not possible to do that.
07:02 < DryEagle> i mean manually i can just start it with 'sudo openvpn --config /path/to/.ovpn --auth-user-pass /path/to/login'
07:03 < skyroveRR> Although the idea sounds good.
07:03 < DryEagle> but i'd like to run it as a service and for that they need to be in one
07:03 < DryEagle> as i understand it
08:06 <@krzee> dob1: you could stop from routing your ipv6 over openvpn unless you're going to configure it
08:06 <@krzee> !iroute
08:06 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
08:18 < dob1> krzee, i don't know how i am doing this,  i don't have any reference to ipv6 in my openvpn/iptables configuration
08:19 < rob0> iptables has no effect on ipv6, see ip6tables(8)
08:19 < dob1> ip6tables -L is empty
08:19 < rob0> but anyway, ipv6 has routes like ipv4 does
08:20 <@krzee> do you run your server?
08:20 < dob1> krzee, it's mine
08:20 <@krzee> lets see server and client configs, see this for the format:
08:20 <@krzee> !configs
08:20 < DryEagle> is there an easy way to convert a .ovpn file to a .conf file so it can be run as a service? i mean, do i just change the extension and it's fine or are they different formats?
08:20 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:23 < rob0> DryEagle, text is text, right?
08:23 < DryEagle> no, i mean, do they have to have different things in the files
08:23 < DryEagle> or have different layouts
08:23 < DryEagle> or are they interchangable
08:23 < DryEagle> like, do i have to restructure the contents or is changing the extension all it takes
08:24 < DryEagle> i don't know if there's a difference between the two
08:24 < rob0> I did not write your .opvn file so I could not know what's in it.  See "--config" in:
08:24 < rob0> !man
08:24 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
08:24 < DryEagle> i mean i just sudo openvpn /path/to/.ovpn and it's good to go
08:26 < rob0> Part of your confusion seems to be that you're blurring the distinction between openvpn itself and how your distro has implemented running it as a service.  The "--config" reference should help with the openvpn side of things.
08:26 < DryEagle> this is what it has in it https://bpaste.net/show/1475384f0b6c
08:27 < DryEagle> well i'm using systemd for services
08:27 < rob0> I always name mine .rob0 files ,,, "openvpn home.rob0" and I get connected.
08:28 < DryEagle> so it's just a case of systemctl start openvpn-client@configfile.service
08:28 < DryEagle> but that seems to expect .conf files only
08:28 <@krzee> i thought only i used the .rob0 file extension!
08:28 <@krzee> ;]
08:28 < rob0> That's the same as "openvpn --config home.rob0" btw
08:28 < DryEagle> not .ovpn
08:28 < DryEagle> i can run the .ovpn directly, yes
08:28 < rob0> there is nothing magical about the last 5 letters of a filename
08:28 < DryEagle> but i'd like to set it as a service so it auto starts
08:28 < dob1> sorry krzee thanks for the help but i need to exit. I will return, hope to find you online
08:28 < DryEagle> ok, so you're saying there's no difference between .ovpn and .conf
08:28 < dob1> *i have to exit
08:28 < DryEagle> in terms of what format the contents of the file need to be in
08:28 < dob1> bye
08:29 < rob0> DryEagle, text is text, right?
08:29 < DryEagle> ...
08:30 < DryEagle> if each filetype has a specific expected structure for its contents
08:30 < rob0> krzee, wow, I feel used :(
08:30 < DryEagle> and they are different for .conf and .ovpn
08:30 < DryEagle> then no, text is not just text
08:30 < DryEagle> because it might need to have a different layout or different headings or whatever
08:30 < DryEagle> thats what i'm asking
08:30 < rob0> and the reference is "--config" in the manual
08:30 < DryEagle> if you don't know just say so
08:31 < rob0> it tells you what the file has to be
08:31 < DryEagle> i guess you didnt even look at the link either
08:31 < DryEagle> i just want to know if that would work as a .conf file
08:31 < DryEagle> or if i need to go changing it
08:31 < rob0> oh, did you look at the manual?
08:31 < rob0> I'll look at yours if you look at mine :)
08:32 < DryEagle> because you wrote the manual, sure
08:33 < rob0> !pkcs12
08:33 < rob0> !pkcs
08:34 < DryEagle> it's ok, i've looked it up elsewhere
08:34 < DryEagle> if you'd written the manual you'd have known the answer
08:35 < rob0> haha
13:47 < sdfsdfk> Quick question
13:47 < sdfsdfk> Just to ensure I am understanding correclty
13:47 < sdfsdfk> So I want to prevent DNS leaks
13:47 < sdfsdfk> I can setup my own bind9 caching server on the same box as the OpenVPN server
13:47 < sdfsdfk> do I just push a dns route to my server?
13:48 < rob0> "dns route"?
13:48 < sdfsdfk> So the clients ask my server through OpenVPN to Bind9 for the DNS lookup
13:48 < sdfsdfk> rob0: push "dhcp-option DNS 8.8.4.4"
13:48 < rob0> that is a Windows-only option, but lots of other options exist for Unix/Linux clients
13:49 < sdfsdfk> rob0: ok. So for windows clients I would just push my own server ip?
13:49 < rob0> also, what is the point in using 8,8,4,4 if you're also running your own nameserver?
13:49 < rob0> yes
13:49 < sdfsdfk> It's an example.
13:50 < sdfsdfk> So if my OVPN server was test.com
13:50 < sdfsdfk> I could push the IP to that server as the DNS
13:50 < sdfsdfk> and the DNS lookups would happen behind OpenVPN
13:50 < rob0> the "allow-recursion" option must be set to include the VPN netblock
13:51 < rob0> (in named.conf that is)
13:51 < sdfsdfk> So I would push 10.8.0.1 as my DNS?
13:51 < sdfsdfk> or just push my external IP
13:52 < sdfsdfk> (for the OVPN server)
13:53 < rob0> I guess 10.8.0.1 is the server's VPN IP, and that would be what you'd want, if so.
13:53 < sdfsdfk> ok
13:53 < sdfsdfk> got anything to read about it/
13:56 < rob0> well, I wrote something about Unix clients:
13:56 < rob0> !dnsmasq
13:56 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
13:56 < rob0> but that's mostly about internal names, not about "dns leaks"
14:07 < sdfsdfk> rob0:
14:07 < sdfsdfk> DNS leaks are a big issue
14:07 < sdfsdfk> they can reveal all kinds of information
14:08 < sdfsdfk> but the internal names is cool too
14:09 < sdfsdfk> SviMik: !
14:10 < sdfsdfk> but yea
14:10 < sdfsdfk> the idea is that all DNS requests are hidden behind the VPN
14:14 < rob0> yeah, we don't all have the same issues
14:15 < sdfsdfk> yea I know
14:15 < sdfsdfk> but i'm asking about mine
15:01 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Disconnected.]
15:01 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:01 -!- mode/#openvpn [+v s7r] by ChanServ
16:36 < snake2k> hello everyone, how do I get openvpn to apply to ipv6 as well? when I do "openvpn config.opvn" it routes ipv4 only
16:39 < Berny_> heya, I was wondering, I'm trying to configure an openvpn server on linux and I need a hand.. well, possibly an extra coupl'a brain cells... I was thinking what I wanted to do was to generate a cert using the TPM of the laptop, sign it using the "enterprise" (Really, just my lab) CA and have that verified by OpenVPN to verify the device. Now, I also wanted to verify the user, so possibly a...
16:39 < Berny_> ...username / password auth? So a tie into LDAP. And then to top it all off, I wanted to do a two factor authentication with duo something like that. I'm thinking devices and users should auto-enroll.. It's just a matter of verification of them. Any suggestions on where to look for documentation on something like this? Or someone who I could talk to who might have done part of this?
18:33 < hubot> Hello!
19:22 < hubot> x
19:38 < Eugene> Welcome
19:42 < desnudopenguino> when generating a static key (for a quick/simple tunnel), does it not accept the --cipher argument?
19:49 < rob0> looks like no, according to the man page
19:58 < jasonwc> Good evening.  I am receiving "MULTI: bad source address from client" errors but the errors don't appear to make much sense.  The OpenVPN site says this usually occurs if you don't have appropriate routes setup, but in this case, the errors indicate the source address is actually identical to the expected address.  For example:
19:58 < jasonwc> laptop/2607:fb90:18d7:1a7f:9b0f:9dda:9272:573f MULTI: bad source address from client [2607:fb90:18d7:1a7f:9b0f:9dda:9272:573f], packet dropped
19:59 < jasonwc> I also see packets from localhost (::) and from the IPV4 IP address on the same interface
19:59 < jasonwc> phone/2001:470:e5d2:5:49bd:3cab:4da7:6c8 MULTI: bad source address from client [192.168.5.10], packet dropped
19:59 < jasonwc> phone/2001:470:e5d2:5:49bd:3cab:4da7:6c8 MULTI: bad source address from client [::], packet dropped
20:00 < jasonwc> The 2001:470:e5d2:5::/64 and 192.168.5.0/24 subnets refer to the same network.
20:02 < jasonwc> These errors eventually appear to reset the connection
20:02 < jasonwc> !config
20:02 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
20:03 < jasonwc> !welcome
20:03 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
20:03 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
20:03 < jasonwc> !configs
20:03 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
20:05 < jasonwc> This is my server config: https://pastebin.com/KN2wEV1p.  I am running OpenVPN 2.4.0 on Debian Jessie 8.8.  The client is an Android device with OpenVPN Connect.
20:14 < rob0> sounds like you're trying to route the tunnel through itself
20:15 < jasonwc> I think I just lacked the appropriate iroute entries for the local subnets on the client side
20:16 < rob0> the identical client address and bad source address means that the client used the outside IP address as source address INSIDE the tunnel.
20:16 < jasonwc> Why would it do that?
20:16 < rob0> broken routing, I guess
20:22 < jasonwc> I followed this [https://community.openvpn.net/openvpn/wiki/RoutedLans] and added iroute statements for the IPV4 and IPV6 subnet of the client side, and now I'm not seeing those errors
20:22 <@vpnHelper> Title: RoutedLans – OpenVPN Community (at community.openvpn.net)
20:25 < desnudopenguino> is there a way to generate a more secure key than the default cipher to be used for a static tunnel?
20:26 < rob0> not sure what kind of attacks you are worried about ...
20:27 < desnudopenguino> when starting openvpn it yells at me that the cipher is insecure
20:27 < rob0> the likely bigger threat is from the lack of forward security
20:27 < rob0> oh, what did you set for cipher?
20:27 < desnudopenguino> i didn't set anything
20:28 < rob0> then you got the --cipher default
20:28 < desnudopenguino> just followed the guide `openvpn --genkey --secret static.key`
20:29 < desnudopenguino> after that I tried with --cipher AES-256-CBC like the error message suggested, and still get the same messaeg
20:29 < desnudopenguino> message*
20:33 < desnudopenguino> could/should I just generate a key with openssl or something?
20:35 < rob0> --cipher is not an option for --genkey
20:35 < rob0> it is an option for your tunnel
20:36 < desnudopenguino> oh, hoh, my brain
20:36 < desnudopenguino> rob0: thanks buddy!
20:40 < desnudopenguino> that worked awesome, thanks man!
20:40 < rob0> yw
20:41 < rob0> do be aware that a static key tunnel could be replayed, if an attacker saved all your traffic and got the key later.
20:42 < rob0> that's what "forward security" means.
20:42 < desnudopenguino> ah, ok
20:42 < rob0> With TLS mode the actual tunnel key is renegotiated periodically
20:43 < rob0> with a static key, that IS the actual encryption key.
20:43 < desnudopenguino> ok
20:43 < desnudopenguino> so, my goal is to be able to connect to my home network with my laptop.
20:44 < desnudopenguino> I stumbled upon the static key guide figuring that should be "good enough"
20:44 < rob0> yep, that's fine, unless you have angered a gov't or other powerful entity, you're quite right.
20:44 < desnudopenguino> haha, not that i'm aware of
20:47 < desnudopenguino> is there a way someone could get my key without (digital or physical) access to my client or server?
20:51 -!- Captain_Beezay is now known as Turla
22:26 < Eugene> Psychically?
23:01 < desnudopenguino> haha
23:13 < gangil> Hi, why on my vpn client the address of both points of the tunnel is same ie. inet addr and p-t-p are both same and set to 10.8.0.1
23:14 < gangil> *10.8.0.10
23:14 < gangil> After reading docs I thought they would be different
--- Day changed Sun May 21 2017
02:01 < tomflint> !welcome
02:01 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
02:01 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
02:06 < tomflint> best bot.
07:23 -!- alexandre9099_ is now known as alexandre9099
10:14 -!- arunpyasi is now known as aryan
10:58 < hubot> Hi!
11:08 < skyroveRR> Hey :)
11:09 < hubot> I can't connect internet in OpenVPN network
11:12 < hubot> I tried change DNS server to 8.8.8.8
11:12 < hubot> I also tried add route 10.8.0.0 to tun0
11:12 < hubot> *10.8.0.0/24
11:13 < hubot> I have set masquerade and IPv4 forwarding in /etc/sysctl.conf and /etc/shorewall/shorewall.conf
11:20 < hubot> TLS key negotiation failed to occur within 60 seconds (check your network connectivity) in openvpn.log
11:33 < hubot> Nie mogę pingować na serwer DNS
11:33 < hubot> Sorry, wrong channel
12:59 < telmich> good evening
13:00 < telmich> I'm trying to setup an IPv6 only tunnel inside openvpn, but even when specifying ifconfig-ipv6-pool 2a0a:e5c0:0:3::11/64 i get the message MULTI: no dynamic or static remote --ifconfig address is available ...
13:00 < telmich> is there something I am doing fundamentally wrong?
13:20 < Kivak> hello. i have set push "dhcp-option DNS 192.168.1.1" in my server config and also tried dhcp-option DNS 192.168.1.1 in my user config however the dns request does not go though the openvpn tunnel, am i missing anything?
13:20 < Kivak> i know the dns request does not use the tunnel because i watched it in wireshark, everything uses openvpn except the dns request
13:20 < Kivak> my config if it helps: https://paste.debian.net/933509/
13:26 < rob0> what route would cover 192.168.1.1 ?  Your pastebin does not work with my lynx.  Did it include verb 4 logs?
13:27 < Kivak> 192.168.1.1 is the local LAN that my vpn server is on. i am only using verb 3 but will check verb 4 right now
13:27 < rob0> !serverlan
13:27 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
13:28 < rob0> ^^ flowchart might help
13:29 < Kivak> i can ping other ip's on the LAN and access websites through it
13:29 < Kivak> the only thing that does not work as expected is the DNS
13:31 < rob0> on a client, "dig openvpn.net. @192.168.1.1" and "cat /etc/resolv.conf" to a [different] pastebin
13:39 < Kivak> rob0: sorry its taking a while i don't have dig installed so i have to find it for my distro
13:42 < telmich> are any openvpn developers in here?
13:42 < telmich> It seems that ipv6 only is broken at least in 2.3.4
13:45 < Kivak> rob0: http://paste.lisp.org/display/347245/raw
13:46 < Kivak> rob0: was that just to check if dns works with 192.168.1.1?
13:52 < rob0> which it did, it seems
13:52 < rob0> or do you have another 192.168.1.1 ?
13:53 < Kivak> yes the dns works with 192.168.1.1 however if i do a regular dig it uses the wrong dns. in the logs and client output it says "dhcp-option DNS 192.168.1.1,route 10.8.0.1"
13:53 < Kivak> i only have one 192.168.1.1 in my network
13:54 < rob0> you know that dhcp-option is Windows-only, right?
13:54 < Kivak> well i do now, that might be the problom
13:54 < Kivak> i'm on linux
13:54 < rob0> ah
13:54 < rob0> !dnsmasq
13:54 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
13:55 < rob0> ^^ that's what I do; just set up a static dnsmasq which works whether on VPN or not
13:55 < rob0> others have other kludges to mess with resolv.conf
13:57 < rob0> anyway, good luck,
13:57  * rob0 afk
13:57 < Kivak> so i must setup dnsmasq on my vpn server and set it so dns is forwarded to 192.168.1.1?
13:57 < Kivak> oh okay, thanks for the help
13:57 < rob0> well it's one of many ways to proceed
14:10 < hubot> Can anybody help me gain access to internet on OpenVPN?
15:11 < desnudopenguino> hubot: what are you trying to do?
15:28 < AE_Soos> HI, I'm using openvpn and I keep getting connection reset, restarting[-1] and SIGUSR1[soft,connection-reset]... what possibly could be the problem?
16:45 < yahal> hi, I am a little confused: If connecting sucessful to my openvpn server I see this in the log: "/usr/bin/ip addr add dev tun0 local 10.234.0.6 peer 10.234.0.5" "/usr/bin/ip route add 10.234.0.0/24 via 10.234.0.5" if I am runing "ip addr" I can see this: "inet 10.234.0.6 peer 10.234.0.5/32 scope global tun0" (Client is Archlinux) (Server Debian 8)
16:45 < yahal> is this normal?
16:46 < rob0> !/30
16:46 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
16:51 < yahal> hm okay thx, okay, then my problem is still another one, routing doesn't work, means no ping comes through in both directions
17:17 < rob0> you should not use net30
17:17 < rob0> !topology
17:17 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
18:50 < mrjk_> Hi
18:50 < mrjk_> I was wondering, I'm trying to manually set the client configuration by disabling all push options.
18:51 < mrjk_> What I've done is to run openvpn in debug mode with all push options, to see what is going on. Then I remove the push option and I set up correctly my client. Then I start my vpn, but I still can't ping the remote gw
18:52 < mrjk_> Are there some stuffs OpenVPN do under the hood that I missed ?
19:34 < dirac1> Hello i want to mount an openvpn server on a debian vps instance.
19:34 < dirac1> Which way or guide should i take to create it?
19:35 < dirac1> Is the OpenVpn-AS a simpler way to do it?.
23:44 < mojtaba> Hello, Does anybody know how to check the MAC address of the client?
23:44 < mojtaba> And if the MAC address is different, revoke the key automatically.
--- Day changed Mon May 22 2017
00:31 < mojtaba> no one?
00:31 < mojtaba> Hello, Does anybody know how to check the MAC address of the client?
00:31 < mojtaba> And if the MAC address is different, revoke the key automatically.
00:33 < desnudopenguino> someone may come by that knows, I however do not know the answer
01:21 < skyroveRR> I'm trying to run an iptables script whenever the vpn connection comes up on my android phone. I'm using "openvpn for android", and the app itself doesn't run as root. In this case, how can I tell the script to come up? By setting the SUID bit on the script?
01:23 < skyroveRR> Even after setting the SUID bit, I get "Options error: --up script fails with '/etc/openvpn/up.sh': Permission denied"
01:38 < desnudopenguino> what's the permission on the up.sh file?
01:39 < skyroveRR> -rwsrwsrwt root root 83 2017-05-22 11:30 up.sh
01:39 < skyroveRR> And in the openvpn configuration, I have:
01:39 < skyroveRR> strict-security 2
01:40 < skyroveRR> up /etc/openvpn/up.sh
01:40 < skyroveRR> down /etc/openvpn/down.sh
02:27 -!- Raansu is now known as ShapeShifter499
02:29 <@ordex> skyroveRR: did you setuid'd it on purpose?
02:29 < skyroveRR> ordex: I did, yeah.
02:29 <@ordex> mh what does the last t mean ?
02:29 <@ordex> never seen it I believe
02:30 < skyroveRR> Sticky bit.
02:30 < skyroveRR> suid/guid/sticky bit
02:30 <@ordex> mh well, the problem must be there I think
02:30 <@ordex> imho
02:37 < skyroveRR> ordex: is the "script-security" option really needed to bring up a simple script?
02:40 <@ordex> I think so
02:40 <@ordex> I don't remember exactly what 1, 2, etc allow
02:40 <@ordex> but if you try to lower that i think it will give you an error on the script
02:57 < skyroveRR> ordex: I know.
02:57 < skyroveRR> ordex: how do you suggest that I should run the script?
03:00 <@ordex> skyroveRR: it depends on what commands it is running
03:00 <@ordex> what do you have in it ?
03:00 <@ordex> best wouldbe to run simply as user nobody
03:00 < skyroveRR> A one-liner iptables rule.
03:00 < skyroveRR> #!/bin/sh
03:00 <@ordex> skyroveRR: maybe the owner of the script should be nobody?
03:00 < skyroveRR> o.o
03:00 <@ordex> I haven't played with that in a while
03:00 < skyroveRR> Does openvpn for android run as nobody on android?
03:00 <@ordex> ah, no clue
03:00 < skyroveRR> #!/bin/sh; iptables-blablabla
04:10 < jacekowski> skyroveRR: suids will never work on scripts
04:12 < skyroveRR> Ok then, how do I make that iptables run?
04:12 < skyroveRR> * iptables command.
04:15 < jacekowski> first question, are you rooted?
04:15 < skyroveRR> Yup.
04:17 < jacekowski> so the way to do it would be to have two scripts
04:18 < jacekowski> one running as non-root
04:18 < jacekowski> that then executes the second one with command "su -c /second/script/wherever/it.is.sh"
04:33 < skyroveRR> jacekowski: ok, so I added a script "vpn.sh" to /etc/openvpn with the following contents: "#!/bin/sh; su -c /etc/openvpn/up.sh", but I still am getting "Permission Denied".
04:33 < skyroveRR> jacekowski: IDK where I should keep this script.
04:34 < skyroveRR>  /etc/openvpn doesn't seem to be a good place.
04:39 < skyroveRR> Keeping it in /data/data/com.termux (my terminal emulator) /files/home isn't helping either.
06:09 < Berny_> pening?
06:58 < kaushal> Hi
06:58 < kaushal> Any clue regarding Authenticate/Decrypt packet error: packet HMAC authentication failed ?
06:58 < kaushal> I am seeing this in vpn.log file
07:06 <@ecrist> kaushal: it usually means you have a missing keyfile, or the server/client values aren't complimentary
07:07 < kaushal> ecrist: ok
07:51 < johnfg> hi folks
07:51 < johnfg> Had a pretty odd occurence over the weekend, continuing until now.
07:52 < johnfg> I've been running an openvpn-server on debian for quite a few years, over 10 anyway.
07:52 < johnfg> Usually 5-6 clients at this site.
07:53 < johnfg> The cable network did go down for a while on Friday, but it's been up since, and settings are fine on modem and router.
07:55 <@krzee> still waiting for the odd occurence =]
07:57 < johnfg> But since then, only the server is up on the vpn.  The error I'm getting is: http://dpaste.com/3619T4Q
07:57 < johnfg> krzee: Sorry, trying to get it all in there, along with copying from the log.
07:57 < havoc> johnfg: check firewall on client
07:58 < havoc> I've seen that error many times, and it's usually the client side firewall blocking the TLS negotiation
07:58 < johnfg> havoc: nothing changed/was changed on the 3 clients that I'm aware of.
07:58 < havoc> johnfg: "that you're aware of"
07:59 < johnfg> Actually 4, and for all 4 to stop at once is odd, to me.
07:59 < havoc> could be the server firewall as well
07:59 < johnfg> I'm not at the office, so it will be a bit before I can check the clients.
07:59 < havoc> but check your firewalls either way
08:00 <@dazo> johnfg: " TLS: Initial packet from [AF_INET]174.45...."  that means a client succeeded to open a port towards the VPN server.  "TLS Error: TLS key negotiation failed to occur within 60 second..." means only the first packet was accepted
08:00 < johnfg> havoc: That I have checked, and it's good: port 1194 open both types.
08:00 <@dazo> johnfg: so ... check firewall, that it does allow "established and related" packets
08:01 <@dazo> johnfg: boost the --verb on the server to --verb 4, and look carefully for certificate and CRL errors
08:01 < johnfg> dazo: Will do.
08:02 <@krzee> i say firewall too
08:02 < rob0> the /topic says firewall
08:02 <@krzee> but i would go verb 5
08:02 <@krzee> then you get RWRW for read and write packets
08:02 <@dazo> krzee: if openvpn got upgraded to 2.4, lots of people have been hit by the much stricter validation checks on CRL files
08:03 <@krzee> helps prove if firewall or not
08:03 <@krzee> maybe tun device doesnt have accept for example
08:04 <@dazo> nope, this is on the TCP/UDP socket
08:04 <@dazo> the server only got one initial packet
08:04 <@krzee> ahh right too early
08:04 <@krzee> so it would be accepting the syn but not the keepstate (assuming a lot about the firewall here now)
08:05 <@dazo> easy-rsa generated CRL files by default have 1 month life time ... so that is truly an ugly surprise ... and can cause these errors root, verb 4 will reveal some details on the CRL validation
08:05 <@krzee> nice
08:05 <@krzee> so verb 5 shoes that and firewall issues together
08:05 <@krzee> winwin
08:05 <@dazo> :)
08:06 <@dazo> I generally find --verb 5 more useful when starting openvpn on the command line
08:06 <@krzee> <oprah voice> you get a win, you get a win, you all get a win! </voice>
08:08 < johnfg> guys, although no errors are reported from a normal `systemctl start openvpn@server`, after stopping; then doing `openvpn --verb 5 server.confg` I'm getting enough errors that the server doesn't start.
08:08 < johnfg> But not the type of errors I was expecting.
08:09 < johnfg> Does starting with systemd use the same config?  i.e., /etc/openvpn/server.conf?
08:10 < johnfg> and I'll show the errors: Oh, but first, it *does* start up and runs, without the --verb 5.
08:10 < johnfg> Sorry, I did 4, per dazo first with those results, and 5 is the same.
08:13 <@krzee> only difference with verb 5 over 4 is RWrw for read writes
08:16 < johnfg> Ok, I added --config server.conf, and it's running.  I don't need to add that on the clients.  And it's at --verb 4.
08:17 < kaushal> Hi ecrist
08:18 < kaushal> I generated the vpn.key file using openvpn --genkey --secret /etc/openvpn/vpn.key and then scp vpn.key to the other end and restarted both side openvpn servers
08:18 < johnfg> All that added, and it's not much is: Mon May 22 07:10:33 2017 174.45.122.178:36751 TLS: Initial packet from [AF_INET]174.45.122.178:36751, sid=1c4846c4 1bb5307b
08:18 < kaushal> it is a point to point vpn tunnel setup
08:19 <@dazo> johnfg: please pastebin the complete log since the restart
08:19 < kaushal> ecrist: I am seeing this issue Mon May 22 18:39:49 2017 Authenticate/Decrypt packet error: packet HMAC authentication failed in /etc/openvpn/vpn.log file
08:19 < johnfg> dazo: will do.  Pardon me if that 1 line was too long.
08:19 < kaushal> ecrist: Am i missing anything?
08:19 <@dazo> johnfg: we need more than that single line
08:22 <@dazo> kaushal: ensure you have the key-direction setup correctly .... it should be 0 or 1 on one side ... and if 0 on one side the remote side must be 1 (or vice versa)
08:22 < kaushal> dazo: ok
08:23 < kaushal> dazo: is it directive in server.conf file?
08:23 <@dazo> kaushal: server and client
08:23 < kaushal> ok
08:23 < kaushal> dazo: can i pastebin both the configs?
08:26 <@dazo> sure
08:26 < johnfg> http://dpaste.com/1J9GD8A
08:27 <@dazo> johnfg: this isn't --verb 4
08:27 < johnfg> working from putty on windows 7 to the server is a challenge.
08:27 < rob0> dazo never allows ME to pastebin both the configs :`(
08:29 <@krzee> not verb 5 either haha
08:30 <@krzee> kaushal: show me the command you're running on both sides, or the configs (if you use configs)
08:30 < johnfg> try this: http://dpaste.com/3KRK1DM
08:30 <@krzee> your config probably has verb in it
08:31 < johnfg> it was --verb 5, the first one, and the second --verb 4.  I'll check the config for verb, and comment out.
08:31 <@dazo> johnfg: this looks like --verb 2
08:31 <@dazo> not 4 or anything higher
08:31 <@krzee> ya his config is likely overriding
08:31 <@krzee> last entry wins for that iirc
08:32 < johnfg> krzee: It was in the conf set to 3, but I set it to 0, then restarted from the cli.
08:33 <@krzee> 0? not 5?
08:33 < rob0> 0 > 5
08:34 <@krzee> haha
08:34 <@dazo> rob0: hehe .... you're too smart! ;-)
08:34 <@krzee> thats why rob0 and not rob5?
08:34 < rob0> yep :)
08:34 <@dazo> lol
08:34 < johnfg> Should I just set it in the server.conf for now and not do it in the cli?
08:34 <@dazo> yes
08:34 < johnfg> ok
08:35 <@krzee> sure easy enough to change back after
08:35 <@krzee> and less confusion to be had
08:35 <@dazo> rob0: the day you need to pastebin config files here .... I'm not sure we're capable of figuring out your issue here :-P
08:35 <@krzee> hahah
08:37 < rob0> "The problem is my firewall, really."
08:38 < johnfg> http://dpaste.com/3G0DEKH
08:39 < johnfg> btw...ca.crt and server.crt are both good until 2027.
08:39 < rob0> just renewed?
08:39 < johnfg> last month, yes.
08:39 <@krzee> firewall!
08:39 <@krzee> see all the WWW
08:39 <@krzee> but no RRR
08:40 <@krzee> thats the bonus of going verb 5 over verb 4 (when firewall is a suspect)
08:40 < johnfg> does that mean the server firewall?
08:41 <@krzee> id expect yes
08:41 < rob0> maybe, since all clients failed at once
08:41 < johnfg> but the output doesn't specifically say that?
08:41 <@krzee> what output doesnt say that?
08:41 < rob0> how could it know?
08:41 < johnfg> rob0: That's the weirdness of it.
08:41 <@krzee> see how it has 1 R
08:41 <@krzee> and all WWWW
08:41 < johnfg> yeah...
08:41 <@krzee> maybe it doesnt say that to you, it does say it to me
08:42 < rob0> "iptables-save -c" on server --> pastebin
08:42 <@krzee> ^
08:42 <@krzee> ecrist: ^ example of what i mentioned for the book =]
08:43 <@krzee> (7 days til the pastebin expires)
08:44 < johnfg> I'm not using iptables, I'm doing the firewall on the router.
08:44 < rob0> ah
08:45 < rob0> but there are NO rules on the server itself?  "iptables-save -c" is empty?
08:45 < johnfg> correct.
08:46 < rob0> router is Linux, or something else?
08:46 <@krzee> must be something else
08:46 <@krzee> otherwise see above command
08:46 <@krzee> haha
08:47 < johnfg>  https://paste.fedoraproject.org/paste/kE6rGTyTe1u-nhL2wltEgV5M1UNdIGYhyRLivL9gydE=/ from the centos client.
08:47 <@krzee> i still suspect server side
08:48 <@krzee> the firewall in front of the server
08:48 < johnfg> Can't tell you the router make from here, will have to check later.
08:48 <@krzee> well i think thats where you should look
08:49 <@krzee> hope it helps!
08:49 < johnfg> When I looked, Fri-Sun, at the router: Advanced/PortForwarding, everything looked to be ok.
08:49 < kaushal> krzee: apologies i was away
08:49 < kaushal> dazo: please find the pastebin http://pastebin.centos.org/95101/
08:50 < kaushal> krzee: http://pastebin.centos.org/95101/
08:50 < johnfg> port 1194 open for both tcp/udp.
08:50 <@krzee> johnfg: it likely has a firewall as well
08:50 < kaushal> krzee: I am seeing Mon May 22 19:09:51 2017 Authenticate/Decrypt packet error: packet HMAC authentication failed
08:50 < kaushal> dazo: Mon May 22 19:09:51 2017 Authenticate/Decrypt packet error: packet HMAC authentication failed
08:50 < rob0> why both?  Running two instances?
08:50 <@krzee> 2 sides
08:50 <@krzee> ptp tunnel
08:50 < kaushal> krzee: yes
08:51 <@krzee> kaushal: md5sum the secret key on both sides
08:51 <@krzee> md5 matches?
08:51 < johnfg> krzee: who knows, maybe the network (Spectrum) going down, did something there.
08:51 < kaushal> krzee: please give me a moment
08:51 <@krzee> johnfg: sounds possible
08:52 < kaushal> krzee: yes md5sum matches
08:52 < kaushal> krzee: 5b2ab17f87a0de0add38cc2feadcdf84  vpn.key on both sides
08:52 <@krzee> johnfg: if you run a client on verb 5 i suspect youll see RWRWRW but the packets from it dont get to the server which is why it only writes never reads
08:53 < echelon> hey guys, as soon as i run openvpn, a port for another service immediately becomes unreachable
08:53 < echelon> how do i find out what's causing it?
08:53 < kaushal> krzee: it is a point to point tunnel setup
08:54 <@krzee> echelon: let me take a guess... you have a server on the internet serving a service to its public ip, and then you start openvpn with redirect-gateway so nobody can reac hyou by your public ip anymore?
08:54 <@krzee> kaushal: i see, but the weird thing is i dont see any mismatches
08:54 < echelon> it's not internet-facing
08:55 <@krzee> kaushal: updated openvpn versions?
08:55 < kaushal> krzee: yeah
08:55 < kaushal> krzee: both versions are same
08:55 < echelon> i just need to access it over my lan
08:55 < kaushal> krzee: openvpn-2.4.1-3.el6.x86_64
08:55 <@krzee> echelon: easy, add a route for your lan (im surprised it doesnt just work cause of layer2)
08:56 < kaushal> krzee: CentOS release 6.9 (Final)
08:56 <@krzee> !route_bypass
08:56 <@krzee> !factoids search route
08:56 <@vpnHelper> 'dlink_static_route', 'external_routes', 'iroute', 'ppp_defaultroute', 'route', 'route-nopull', 'route_outside_openvpn', 'route_outside_ovpn', 'route_override', 'routebyapp', 'router', 'splitroute', and 'winroute'
08:56 <@krzee> !route_override
08:56 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet, or (#2) you can read about the net_gateway variable in --route in the manual (!man), or (#3) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
08:56 < echelon> krzee: but yeah.. redirect-gateway is enabled
08:57 <@krzee> route 10.4.20.0 255.255.255.0 net_gateway
08:57 <@krzee> change the subnet as needed, dont change net_gateway
08:57 <@krzee> since net_gateway is an internal variable to openvpn
08:58 < kaushal> krzee: Any clue?
08:59 <@krzee> actually no, let me see both logs at verb 4?
08:59 < echelon> me?
08:59 <@krzee> no kaushal
08:59 <@krzee> you i gave the command
09:00 <@krzee> sorry i should address you when i say it lol
09:00 < kaushal> krzee: you want me to change from verb 3 to verb 4 in server.conf on both sides and then share the vpn.log files?
09:00 < skyroveRR> Hey krzee!
09:00 <@krzee> yes kaushal
09:00 < kaushal> krzee: ok
09:00 < skyroveRR> krzee: need help with openvpn on android :(
09:00 <@krzee> hey skyroveRR!
09:00 <@krzee> using 'openvpn for android' or openvpn connect?
09:00 < skyroveRR> 'openvpn for android'
09:00 <@krzee> good
09:01 <@krzee> whats wrong?
09:02 < skyroveRR> I've got a Samsung phone running android 6.0, and I'm trying to run a script, it's contents as follows: #!/bin/sh; <iptables_rule>, but every time I try connecting to my VPN, openvpn terminates the process by spitting out "Permission Denied" against the script.
09:03 <@krzee> oh dude its not root
09:03 < skyroveRR> The phone is rooted.
09:03 <@krzee> openvpn for android doesnt have root
09:03 < skyroveRR> Yeah, it doesn't.
09:03 <@krzee> it shouldnt ever use root
09:03 <@krzee> its made for the vpn API
09:03 <@krzee> youd have to compile openvpn for your proc and run it from commandline
09:03 <@krzee> as root
09:04 < skyroveRR> ...
09:04 <@krzee> maybe a startup script
09:04 <@krzee> ya dude, openvpn hasnt ran as root on android since ICS
09:04 <@dazo> kaushal: please run:  sha256sum  /etc/openvpn/vpn.key  on both client and server ... ensure the checksum is identical ... then stop the tunnel on both sides ... and start it manually via the command line as root:   openvpn --config /etc/openvpn/vpn.conf
09:04 <@dazo> (or whatever filename you use)
09:04 < skyroveRR> So basically it won't run any script at all that needs root, eh?
09:05 <@krzee> dazo: i had him md5sum them
09:05 <@krzee> [06:45] <kaushal> krzee: 5b2ab17f87a0de0add38cc2feadcdf84  vpn.key on both sides
09:05 <@dazo> krzee: hehe
09:05  * dazo is slow on catching up it seems
09:05 < kaushal> dazo: ok
09:05 <@krzee> wouldnt that be amazing if he had an md5 collision?
09:05 <@krzee> :D
09:05 < skyroveRR> ??
09:05 < skyroveRR> So basically it won't run any script at all that needs root, eh?
09:05 <@krzee> skyroveRR: its not root! it cant!
09:05 < skyroveRR> :<
09:06 < skyroveRR> Bad krzee!
09:06 < skyroveRR> :P
09:06 <@krzee> i told you how you can achieve the goal tho
09:06 <@krzee> depending on if thats good enougjh
09:06 < skyroveRR> Bad bad krzee :<
09:06  * skyroveRR throws a cute kitten at krzee 
09:07 <@krzee> i actually run openvpn on android as i said
09:07 < rob0> the kitten lands on him with claws out
09:07 <@krzee> lol rob0 is the DM
09:07 <@dazo> krzee: haha ...yeah :)  I generally prefer to make people use sha256sum instead of md5sum these days .... If needing to go "lower", I can stretch myself to sha1sum :)
09:07 <@plaisthos> skyroveRR: you need to do the su magic in your script
09:08 < skyroveRR> plaisthos: even jacekowski suggested that idea, but it hasn't worked.
09:08 <@krzee> while you will never accidentally collide md5, you're still right i need to retrain my fingers
09:08 <@plaisthos> btw. unless you understand policy routing and routing tables you probably should mess with iptables
09:09 <@plaisthos> skyroveRR: No idea how to the su/root stuff works, I have no rooted phone anymore
09:09 <@krzee> btw skyroveRR plaisthos made the app you're using.
09:09 < skyroveRR> plaisthos: I only want to run a simple iptables rule when the vpn comes up. SIGH.
09:09 <@dazo> plaisthos is _the_ most valuable OpenVPN on Android resource we have
09:10 <@plaisthos> skyroveRR: yeah, those can seriously mess up networking
09:10 <@plaisthos> you have been warned :)
09:10 < skyroveRR> ...
09:10 < skyroveRR> As if I don't understand the risks.
09:10 <@krzee> probably dont
09:10 <@krzee> android has gotten more complex under the hood
09:11 < skyroveRR> You mean by that.
09:11 <@plaisthos> https://github.com/schwabe/ics-openvpn/issues/676
09:11 <@vpnHelper> Title: Not all connections are routed through VPN · Issue #676 · schwabe/ics-openvpn · GitHub (at github.com)
09:11 <@krzee> policy routing / etc
09:11 <@plaisthos> btw. that are only the route table rules
09:11 < skyroveRR> I've never had any problem doing complex routing on a generic linux machine.
09:11 <@plaisthos> the iptables rules are missing from that :)
09:11 <@krzee> cool maybe you'll have no problem =]
09:12 < skyroveRR> ...
09:12 <@plaisthos> skyroveRR: but openvpn for android executes all scripts in its own context, i.e. its own app uid
09:12 <@krzee> but at least now if you do you'll know why
09:12 <@plaisthos> running scripts works
09:12 < skyroveRR> Is there any any any any possibility to get openvpn for android to run iptables?
09:13 <@plaisthos> skyroveRR: as non root user?
09:13 < skyroveRR> Oh, I haven't clicked on the link yet, one sec.
09:13 <@krzee> if you can figure out su for it
09:13 <@krzee> ive never used su from a script on android, i wouldnt know any gotchyas
09:13 < skyroveRR> krzee: already tried: su -c "iptables blablabla", and that did NOT work.
09:14 <@krzee> but the lucky thing is its not an openvpn question anymore, now you need help using su on android
09:14 <@krzee> :D
09:14 <@plaisthos> :)
09:14 <@plaisthos> skyroveRR: try absolute paths
09:14 < skyroveRR> Already did.
09:14 <@plaisthos> and what error do you get?
09:14 < skyroveRR> Didn't work.
09:14 < skyroveRR> Permission denied.
09:15 <@krzee> is the android app user in wheel?
09:15 <@krzee> or is that even a thing on android?
09:15 < skyroveRR> IDK
09:15 <@krzee> haha
09:15 < skyroveRR> ...
09:15 < skyroveRR> Funny.
09:15 < skyroveRR> >.>
09:15 <@krzee> id say if plaisthos doesnt get you fixed to find  some android hackers (xda?) to ask
09:16 <@krzee> as plaisthos might be your only hope here, and other venues are full of android hackers
09:17 <@krzee> it wont matter that its openvpn, just that its the user that openvpn is installed as
09:17 <@krzee> once that user can su on that script you should be all good
09:27 < echelon> krzee: it still blocks incoming port connections.. https://paste.ee/r/1ixTI :/
09:28 < echelon> fyi, i'm running openvpn inside a docker container, and i'm trying to run a socks proxy server to route all the connections through the vpn
09:30 <@krzee> show me your routing table before and after the connection
09:30 < echelon> ok
09:31 < echelon> before and after running openvpn you mean?
09:31 <@krzee> ya
09:31 < skyroveRR> :)
09:31 <@krzee> brb
09:32 < echelon> krzee: https://paste.ee/r/cbeqn
09:36 < gestahlt> Hi
09:38 < gestahlt> I have a really strange issue. I got the latest openvpn package (same issue with the 2.3 version..) and a windows 10 client. Usually our vpn works pretty flawless.. now following occurs: I can connect to our vpn server just fine. I can ping everything. Now, when i try to access a share, the connection drops (ping also says timeout in exact that moment)
09:38 < gestahlt> And then i cannot kill the openvpn process anymore and it seems stuck
10:29 < echelon> krzee: back?
10:35 <@krzee> woo
10:35 <@krzee> just harvested some cashews!
10:35 < echelon> hi
10:35 < echelon> ah :)
10:36 <@krzee> gestahlt: ive never heard of anything like that, have you tested your MTU?
10:36 <@krzee> !mtu
10:36 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting, or (#3) useful info here: https://forum.pfsense.org/index.php?topic=67080.0
10:36 <@krzee> echelon: your post expired?
10:48 < havoc> if I'm only specifying multiple "--remote addr port proto", I don't really need a <connection> block, do I?
10:48 < havoc> or is there some advantage to a <connection> block that I am unaware of?
10:49 < havoc> this is to handle 2,000 clients on the server, so 16 servers at 125 clients per server (/25)
10:49 < havoc> and I'd thrown --remote-random in there too
10:51 <@krzee> you are correct
10:51 <@krzee> <connection> blocks let you do more
10:51 <@krzee> if all servers have same config, no worries
10:51 <@krzee> connection blocks you could have differing compression, algs, etc
10:51 < havoc> since it's all the same machine, just diff ports, I don't really need <connection> then
10:52 < havoc> right, and proxies, etc...
10:52 <@krzee> same machine irrelevant, same config relevant
10:52 < havoc> yeah, same config, except for the port/iface/log file
10:52 <@krzee> good to go
10:52 < havoc> well, and ifconfig pool
10:52 < havoc> I wrote some bash to gen the 16 configs
10:53 < havoc> next question: what determines the max clients per server process?
10:53 < havoc> is that done by the ifconfig-pool?
10:54 < havoc> i.e. when will a server process reject new connections?
10:55 < havoc> --max-clients
10:55 <@krzee> answered your own question well
10:55 < havoc> man page is nice, but loooong, take s awhile to sort through it
10:55 <@krzee> yes
10:55 <@krzee> so many options
10:55 <@krzee> thats why the devs hate adding new ones and avoid when possible
10:56 < havoc> understandable
10:56 <@krzee> but its flexible as hell so ya, crazy big manual
10:56 <@krzee> every now and then *i* find new things in there still
10:56 <@krzee> and i feel like ive lived in that manual for a decade
10:56 <@krzee> lol
10:56 < havoc> needs a Contents at the top :)
10:57 < havoc> and/or index
10:57 < havoc> but that's a lot of work too, that I'm sure no one has time for
10:58 < havoc> I'm gonna put ssh keys on the client routers
10:59 < havoc> that'll help he get the hostnames to generate unique certs/keys
10:59 <@krzee> nice there ya go
11:00 < havoc> just call pkitool to gen everything automatically/non-interactively
11:01 < havoc> and then nsupdate for DNS; that's all setup and tested
11:01 < havoc> I'm just not a fan of the file input to nsupdate, but oh well
11:02 < havoc> ...as opposed to everything on one commandline, and/or piped
11:03 < echelon> krzee: sorry https://paste.ee/r/glKet
11:04 < havoc> next fun bit is "dynamic" source/policy based routing on these routers
11:04 <@krzee> oh sorry echelon you dont need the route i gave you
11:05 < echelon> oh
11:05 < echelon> so why is my port on eth0 becoming inaccessible? :/
11:06 < echelon> it doesn't seem logical to me
11:06 <@krzee> no idea, you should be fine on 172.17.0.0          255.255.0.0
11:06 <@krzee> is your firewall changing?
11:06 < echelon> nope
11:06 < echelon> i checked iptables
11:06 <@krzee> i mean, i can tell you what id do if this was a public service
11:06 <@krzee> it involves policy routing
11:07 <@krzee> but i dont see why youd need that
11:07 <@krzee> i mean... you really shouldnt need that
11:07 <@krzee> comment out the redirect-gateway
11:07 <@krzee> just to rule out weirdness that im not seeing
11:07 <@krzee> then reconnect and tell me if it still happens
11:09 < echelon> krzee: yeah, i tried that, after i commented out redirect-gateway the port was accessible
11:09 <@krzee> =/
11:09 < xx00__> I have a mini wireless router with OpenWRT preinstalled — I want to install OpenVPN, are there instructions somewhere?
11:09 <@krzee> what ip are you accessing it from?
11:10 <@krzee> any NAT coming in to play maybe?
11:10 <@krzee> (by accident?)
11:10 < xx00__> are you talking to me?
11:10 < echelon> 192.168.1.102
11:10 <@krzee> talking to echelon
11:10 < echelon> xx00__: try #openwrt
11:10 <@krzee> echelon: but dude, you're on 172.17.0.0          255.255.0.0
11:10 < echelon> krzee: no, that's my docker container
11:10 <@krzee> ok so add the route like i said before, but for 192.168.1.0/24
11:10 < xx00__> @echelon thanks
11:11 < echelon> oh
11:12 <@krzee> xx00__: if its a small rom on the router (4mb for example) it wont have openvpn unless you make your own firmware removing other stuff
11:12 < xx00__> I won’t be able to install OpenVPN myself?
11:12 < xx00__> is that what you’re saying?
11:12 <@krzee> depends on your router
11:13 <@krzee> i have a bunch of 4MB sized rom routers (old tp-link 841/941) and the only way for me to put openvpn on them is making my own firmware
11:13 <@krzee> i remove the web interface to make space for it
11:14 <@krzee> but i have some 8MB sized routers too and openvpn comes on them by default cause they have roms big enough for it
11:14 < xx00__> ah shit
11:14 < xx00__> ok
11:14 <@krzee> since you dont have openvpn on it by default i figure thats worth mentioning
11:14 <@krzee> so... what router?
11:14 < xx00__> MB150R
11:15 < echelon> krzee: nope, adding 192.168.1.0/24 doesn't help.. the docker container itself an interface with a 192.168.1.0/24 ip
11:15 < xx00__> the specs say “16M flash”
11:16 <@krzee> echelon: remove that and show me your routing table
11:16 <@krzee> xx00__: ok well thats plenty big, install it like the guy in openwrt help channel is helping you with
11:16 < xx00__> ok thank you
11:16 < xx00__> :)
11:16 <@krzee> i dont see your router model on the web tho
11:17 < xx00__> Another name listed is MiniBox V1
11:17 < xx00__> i ordered it straight from a factory in china
11:17 < xx00__> it’s not branded
11:17 < echelon> https://paste.ee/r/GffuI
11:17 <@krzee> https://wiki.openwrt.org/toh/hwdata/gainstrong/gainstrong_minibox_v1.0
11:17 <@krzee> there we go
11:18 <@krzee> btw openwrt is basically dead and now everybody uses LEDE
11:18 < echelon> i meant, the docker container itself doesn't have an interface with 192.168.1.0/24*
11:18 < xx00__> mine does not look like that at all
11:18 <@krzee> (#lede and #lede-dev)
11:20 <@krzee> echelon: tcpdump and tell me what IP is trying to reach the eth0 port in questio
11:20 < echelon> would there be a way to just get rid of "redirect-gateway" and have the socks proxy server route through openvpn?
11:20 <@krzee> of course
11:20 < echelon> can we try that? :S
11:20 <@krzee> run the proxy on the openvpn ip of the server
11:20 < echelon> oh
11:21 <@krzee> or if the proxy is another inet ip, add a route for that ip
11:21 < echelon> but i would be able to access it over lan?
11:21 < echelon> hrm
11:21 <@krzee> huh?
11:21 <@krzee> you only redirect-gateway to make all traffic to internet flow over the vpn
11:21 < echelon> ok
11:21 <@krzee> if you only want a specific ip or a couple of them to go over openvpn, then you route those ips
11:22 < echelon> i see
11:22 <@krzee> lets back up
11:22 <@krzee> !goal
11:22 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:22 < echelon> i basically want to run a container that serves a socks proxy server, which routes through openvpn tunnel
11:23 < echelon> i have the socks proxy server already running
11:23 < echelon> problem is when i start openvpn, the port of the socks proxy server becomes inaccessible
11:23 < echelon> from the local lan
11:23 < echelon> in fact, i can't access it via localhost either
11:24 <@krzee> what is the ip of the local lan machine is trying to access the socks proxy?
11:25 < echelon> 192.168.1.102
11:25 < frodox> !welcome
11:25 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
11:25 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
11:25 <@krzee> so for that to have any chance, you either need to NAT that to your subnet or add a route like this to your config:
11:25 <@krzee> route 192.168.1.102 255.255.255.0 net_gateway
11:25 < echelon> i think it's already NAT'd
11:26 < echelon> the machine running docker is on 192.168.1.10
11:26 <@krzee> tcpdump -s0 -n -i eth0 port <socks port>
11:26 <@krzee> what ip does it see?
11:26 < echelon> without openvpn already running?
11:26 < frodox> !1925
11:26 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
11:27 <@krzee> lol frodox getting ready to argue? :D
11:29 < echelon> krzee: https://paste.ee/r/wR9MH
11:29 < frodox> krzee, well, no, just need a help, do not know where to ask anymore :D
11:30 <@krzee> echelon: ok, did you add the route command i have you to your config?
11:30 <@krzee> show me your routing table after that
11:30 <@krzee> frodox:
11:30 <@krzee> !goal
11:30 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:30 < echelon> can i do "route 192.168.1.0/24 255.255.255.0 net_gateway" instead?
11:31 <@krzee> the /24 IS the 255.255.255.0
11:31 <@krzee> read up on cidr
11:31 < echelon> oh ok
11:31 <@krzee> !cidr
11:31 <@vpnHelper> "cidr" is http://www.oav.net/mirrors/cidr.html
11:32 < echelon> krzee: should i remove redirect-gateway?
11:32 <@krzee> no
11:33 <@krzee> you want the clients to access the entire internet over the socks, right?
11:33 < echelon> yeah
11:33 <@krzee> ive never ran it the way you are, but i dont see why not
11:34 < echelon> ok, i ran openvpn, and the port is inaccessible, i have tcpdump running though
11:34 <@krzee> usually what i would do is run the proxy on the other side of the vpn, setup routing for the lan to the vpn subnet, and have them access the socks on the vpn ip
11:34 <@krzee> but im not against trying your way, id expect it to work
11:34 < echelon> https://paste.ee/r/RHK18
11:35 <@krzee> iptables-save -c
11:35 <@krzee> and routing table again pls
11:35 < Eugene> Who you calling a table
11:35 <@krzee> hey look Eugene is here to help you!
11:35  * krzee gets Eugene a beer
11:36 < Eugene> Ugh, at 9:30? I have to go to a bar for a meeting at noon
11:36 <@krzee> :D
11:36 <@krzee> dude i didnt know you were pst
11:36 < echelon> https://paste.ee/r/DvjzE
11:36 < echelon> iptables ^
11:36 < Eugene> We've had this discussion at least once .I moved to Seattle a few years ago
11:37 <@krzee> oh riiight
11:37 <@krzee> yes we have
11:37 < echelon> route: https://paste.ee/r/kkfiC
11:38 <@krzee> hey echelon can you run this before and after connecting
11:38 <@krzee> curl ipinfo.io/ip
11:38 <@krzee> i dont need to know the ips
11:39 < echelon> yeah, i was doing that
11:39 <@krzee> but verify that it changes
11:39 < echelon> it does
11:39 <@krzee> ok good
11:39 <@krzee> echelon: you didnt add the line i said
11:39 <@krzee> route 192.168.1.0 255.255.255.0 net_gateway
11:39 < echelon> i did
11:40 <@krzee> oops i said .102 i was wrong
11:40 <@krzee> .0 :D
11:40 < echelon> oh
11:40 < echelon> heh
11:40 <@krzee> then run again and show routing table and tcpdump
11:40 <@krzee> if 192.168.1.0 isnt in the routing table tell me
11:40 <@krzee> cause then tcpdump wont matter
11:41 < frodox> I would like to consolidate dev-resources through internet. I have 1 dedicated server with white IP and my services(and ovpn server). I have developers in different parts of the world. I'm successfully setup it with tun0 and so on. Now I need to create several VMs on server for testing purpose (KVM), and every developer should be able to create local test-VMs accessible from/through vpn. I've read that bridhe/tap0 can help here, but... it is not pretty
11:41 < frodox> clear for me. Currently my VM(on ovpn-server) with bridge to tap0 has no routes/ip, and physical client from another machine works fine
11:41 <@krzee> you saw how your last tcpdump only had from 192.168. to the socks port? no responses... thats because the responses were going over the vpn
11:41 < echelon> oh!
11:42 <@krzee> frodox: you need layer2 to run the VMs?
11:42 < echelon> https://paste.ee/r/bf1nq
11:43 <@krzee> echelon: and tcpdump now
11:44 < echelon> krzee: https://paste.ee/r/5nkrX
11:44 < echelon> also.. curl: (7) Can't complete SOCKS5 connection to 0.0.0.0:0. (6)
11:44 <@krzee> tcpdump on tun0 while you do that now
11:45 <@krzee> oh but not socks port
11:45 < frodox> krzee, well, I just need to be able to add VMs from vpn-host-machine into vpn-subnet without generating new certs for every testing vm
11:45 < echelon> oh
11:45 < echelon> just take off port?
11:45 <@krzee> !route
11:45 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
11:45 <@krzee> frodox: ^
11:46 < echelon> tcpdump on tun0: https://paste.ee/r/5aVWa
11:46 <@krzee> echelon: is 104.20.17.242 what you were trying to reach over the socks?
11:47 < echelon> yes
11:47 <@krzee> ok and what is 172.17.0.6 ?
11:47 < echelon> is the ip on tun0
11:47 < echelon> errr
11:47 < echelon> sorryt
11:47 <@krzee> wait whats your lan again?
11:48 < echelon> it's the ip on eth0
11:48 < echelon> lan is 192.168.1.0/24, docker is 172.17.0.0/24
11:48 <@krzee> so whats your vpn ip?
11:49 < echelon> the gateway or the external ip?
11:49 < echelon> curl http://icanhazip.com
11:49 < echelon> 216.155.149.202
11:49 <@krzee> ifconfig tun0
11:50 < echelon> 10.10.7.6
11:50 <@krzee> ok
11:50 <@krzee> your socks software seems to be forcing the ip of the outbound packets
11:50 <@krzee> thats the problem
11:50 <@krzee> do you run the vpn server as well?
11:50 < echelon> no
11:50 <@krzee> if so, not a hard fix
11:50 <@krzee> ok, then you can do one of a couple things
11:51 <@krzee> a) figure out why your socks server is sucking
11:51 <@krzee> b) nat that traffic to the tun0 ip
11:51 < echelon> my socks proxy config.. https://paste.ee/r/Az6iF
11:51 <@krzee> c) run your own server and configure routing for the lan subnet over that client
11:51 <@krzee> but external isnt eth0 anymore :-p
11:51 < echelon> should external be set to tun0 then?
11:52 <@krzee> external is tun0 now
11:52 < echelon> errr
11:52 < echelon> d'oh
11:52 <@krzee> dante?
11:52 < echelon> yes heh
11:52 <@krzee> werd
11:52 < echelon> it works! :D
11:52 < echelon> thanks man :)
11:52 <@krzee> im currently talking to you over dante over openvpn :-p
11:53 < echelon> hehe nice
11:53 <@krzee> except i run dante listening on the vpn ip of the vpn server i connect to
11:53 < echelon> ah
11:53 <@krzee> then i can route apps through that vpn by setting them on the socks
11:53 <@krzee> !routebyapp
11:53 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination., or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
11:53 <@vpnHelper> policies you set. For Linux, read about !lartc
11:53 < echelon> cool
11:55 <@krzee> so 2 web browsers
11:55 <@krzee> 1 uses socks, 1 does not
11:55 <@krzee> etc
11:55 < echelon> yeah, that's sort of what i'm going for
11:55 <@krzee> soooo
11:56 <@krzee> if you decide to run more vpn connections on that machine
11:56 <@krzee> you'll need to use dev tun0 on this config
11:56 <@krzee> since thats hardcoded in your dante config now
11:56 <@krzee> !dev
11:56 <@vpnHelper> "dev" is https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list
11:56 <@krzee> oops
11:56 <@krzee> well --dev can take dev tun for dynamic or --dev tunX for static
11:56 <@krzee> you'll want static now
11:57 < echelon> oh
11:57 < frodox> krzee, am I right, that you are sure, I just need to setup server routings properly?
11:57 <@krzee> or use something else like tun9 so you can have other configs be dynamic without risking it
11:57 <@krzee> frodox: if it only requires layer3 (IP)
11:57 <@krzee> !tunortap
11:57 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
11:57 <@vpnHelper> rooted/jailbroken) support only tun
11:58 < Crypt0crc> hey
11:58 < rob0> tun9 from Outer Space
11:58 < Crypt0crc> how can i be sure if all traffic goes through VPN with bitmask and calyx vpn?
11:58 <@krzee> whats bitmask and calyx vpn?
11:58 <@krzee> we only support openvpn here
11:59 <@krzee> but the general answer to your question is by properly configuring your firewall
11:59 < frodox> krzee, it requires L3 only, if it is possible to add VMs from different host into vpn somehow (when host-machine - is just client with it's own cert) :)
11:59 <@krzee> if you only want to allow traffic to the vpn server, then only allow that!
11:59 < rob0> and perhaps routing tables @ Crypt0crc
12:00 <@krzee> frodox: then you're good, go read !route
12:00 < Crypt0crc> and how can i check that?
12:00 <@krzee> frodox: i wrote a doc for ya =]
12:00 < frodox> krzee, thank you, I'll check it out!
12:01 <@krzee> Crypt0crc: i still dont even know what bitmask and calyx vpn are... you know this is an openvpn help channel right?
12:01 < rob0> Crypt0crc, we don't know what your OS is, so we can't say
12:01 <@krzee> oh they are vpn providers?
12:01 <@krzee> !provider
12:01 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team., or (#2) Please contact their support team.
12:02 <@krzee> that, and if you want to block outbound except to the vpn, use your firewall
12:02 < frodox> Another way, I would like to use same cert for several vms/machins which belongs to one user. So I need to add 'duplicate-cn' in server.conf. Is it possible to use static ip in such case somehow (for all other long-living services) ?
12:02 <@krzee> for support for your firewall, see their help channel
12:02 < echelon> i'm wondering if it would now be possible to do port forwarding to another container via the openvpn instance
12:02 <@krzee> !static
12:02 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder, or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range, or (#5) See also: !addressing
12:02 <@plaisthos> or use a vpn provider that claims to support that and configures your firewall
12:02 <@krzee> echelon: yes, irrelevant to openvpn
12:02 < echelon> might require some netcat hackery
12:02 < echelon> yeah
12:02 <@krzee> plaisthos: nice point actually!
12:03 <@krzee> echelon: no, just iptables config
12:03 <@krzee> !dnat
12:03 <@krzee> !factoids search dnat
12:03 <@vpnHelper> 'bsdnat', 'fbsdnat', 'freebsdnat', 'obsdnat', and 'openbsdnat'
12:04 < Crypt0crc> can you help me to check if the iptables are in the correct configuration?
12:04 <@krzee> !factoids search --values dnat
12:04 <@vpnHelper> 'freebsdnat', 'bsdnat', 'linportforward', 'openbsdnat', 'nat', and 'frozentux'
12:04 <@krzee> !linportforward
12:04 <@vpnHelper> "linportforward" is (#1) to forward port 80 tcp to a vpn client, use this (replacing <SERVERIP> with the real ip of the server, and <VPNIP> with the clients VPN ip), or (#2) iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to <VPNIP>, or (#3) iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT
12:04 <@plaisthos> !iptables
12:04 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this., or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG, or (#3) These are just the basics to get you
12:04 <@krzee> oh right, nevermind you dont run your server
12:04 <@vpnHelper> started as firewall design is beyond this channel's scope; you can also see #netfilter
12:04 <@krzee> Crypt0crc: why not try in their help channel?
12:05 <@krzee> since your question isnt about openvpn and all...
12:06 <@krzee> or have you tried them?
12:07 <@krzee> if they refuse to help you i'll try ;]
12:07 < Crypt0crc> when i go out through my browser goes well
12:08 < havoc> krzee: you ever see a device that adds a "null" route on tun up?
12:08 < havoc> krzee: these ubnt routers are adding 0.0.0.0 0.0.0.0 <mask> <tun> on connect
12:08 <@krzee> umm if they used redirect-gateway but didnt configure nat on the server it would kinda be a null route
12:08 < havoc> nothing in configs, or logs, it's just these ubnt routers that do it
12:09 <@krzee> hah id so be using LEDE on those
12:09 < havoc> I use do a "route del -net ..." on --route-up
12:09 < havoc> ...in the client config
12:09 <@krzee> haha
12:09 <@krzee> hey at least it works i guess :D
12:09 < havoc> again, nothing in configs, or logs, on either side
12:09 <@krzee> you dont use redirect-gateway?
12:10 < havoc> I can only imagine that it's something peculiar to do with these specific devices
12:10 < havoc> krzee: no
12:10 <@krzee> heh
12:10 <@krzee> ya i can tell you none of my routers do that
12:10 <@krzee> but i always went openwrt and now LEDE
12:10 < havoc> client and server side configs, firewall, etc..., are all nearly identical to several other setups I have
12:10 < havoc> very odd
12:10 <@krzee> LEDEs pretty sweet, you may wanna test it on one
12:10 < rob0> For Linux you should unlearn route(8) and Linux net-tools, switch to ip(8)
12:11 < havoc> rob0: yeah, been converting a lot of my scripts to do everything via iproute2
12:11 <@krzee> rob0: you didnt make a factoid for that? you and Eugene say it 2x per day
12:11 <@krzee> heheh
12:11 < rob0> yeah, we should :)
12:11 < havoc> rob0: adding that --route-up line was just a quick fix
12:11 < havoc> iproute2 provides a lot more info, and is easier to parse
12:12 < havoc> ...if you think cut/sed/awk is easy ;)
12:12 <@krzee> plus if you went to LEDE you could build custom firmwares for each router
12:12 < havoc> (I do)
12:12 < rob0> I still wish someone would write a route & ifconfig that use netlink and can support modern kernel features
12:12 <@krzee> then deployment is just *flash*
12:12 < havoc> krzee: ha, They asked if I could have this done by May 24th
12:12 < havoc> there was much laughter
12:13 <@krzee> the part im saying is fast as hell, all done for you
12:13 <@krzee> LEDE imagebuilder
12:13 < havoc> but the issue is still time, no time to do anything else, and much money has already changed hands, and gear is on the way
12:13 <@krzee> actually would get rid of the extra work of the redeployment scripts for after the original runs
12:13 <@krzee> same gear would be used
12:14 <@krzee> less work for you if you ask me
12:14 <@krzee> (assuming LEDE passes all your tests)
12:14 < havoc> I'm also trying to avoid being on the hook for future maintenance/upgrades of the routers
12:14 < havoc> krzee: I'm sure it would
12:14 <@krzee> or did you already script the re-deployment stuff?
12:14 < havoc> which side?
12:15 <@krzee> where it connects to the first vpn and gets configured for second
12:15 < havoc> ah, not yet, but I did POC on all the pieces
12:15 <@krzee> then change itself to always use second
12:15 <@krzee> ahh
12:15 < havoc> so all the bits are there now
12:15 < havoc> I'm still trying to get a deployment plan out of these people
12:15 <@krzee> ya i think thats way more effort than hooking into the imagebuilder and giving fully custom firmwares for each router from the web interface
12:16 <@krzee> especially if you have unknown amounts of weird in these routers
12:16 < havoc> e.g. their software needs Net/Internet access to be configured when the shit's all deployed, which they won't have til the routers are setup
12:16 <@krzee> who knows what else you'll run into
12:16 < havoc> my original plan was to image/configre all the routers inhouse alon with the NUCs
12:16 < havoc> now the shit is all being drop shipped to client warehouse
12:17 <@krzee> but you have people configuring each router
12:17 < havoc> many requirements to juggle :(
12:17 <@krzee> adding the hostname and stuff
12:17 < havoc> krzee: no, I don't
12:17 <@krzee> im saying you could easily cook that into the custom firmware along with the certs and configs and everything
12:17 <@krzee> no? *somebody* is configuring them, arent they?
12:17 < havoc> router config script will run from the NUCs, which will give router same hostname as the NUC
12:18 < havoc> rest is 100% automated
12:18 <@krzee> ahh
12:18 <@krzee> ya, that could all be automated
12:18 <@krzee> including the provisioning
12:18 < havoc> hostnames/CNs have to be dynamic
12:18 <@krzee> i bet you can even automate the flashing with an app supporting tftp
12:19 < havoc> ...as there is re-deployment in the field if/when gear fails, contractors drop out of program, program gets new contractors, etc...
12:19 < havoc> krzee: probably, but not likely in the time allowed
12:19 <@krzee> i feel like it would take me less time than what you're doing
12:19 <@krzee> but your way is still valid too
12:20 < havoc> that is entirely possible, but you know what you're doing with LEDE already too
12:20 < havoc> I'm also working on a few dozen other things concurently :(
12:20 <@krzee> the imagebuilder makes it so easy my wife could build it
12:20 < havoc> rob0: I'm using iproute2 exclusively for my "dynamic" policy routing script
12:21 <@krzee> so like
12:21 <@krzee> make image PROFILE=TLWR841 PACKAGES="-ip6tables -kmod-ip6tables -kmod-ipv6 -odhcp6c -ppp -ppp-mod-pppoe -kmod-nf-conntrack6 -kmod-nf-ipt6 -kmod-usb2 -kmod-usb-core -kmod-usb-ohci -kmod-mac80211 -kmod-cfg80211 -iwinfo -iw -libip6tc -kmod-ath9k-common -kmod-ath9k -kmod-ath -wpad-mini ip tcpdump-mini bird4 openvpn-openssl kmod-gre kmod-nf-nathelper-extra"
12:21 <@krzee> boom, it builds my firmware
12:22 <@krzee> optionally add FILES=path/ and it drops all files/dirs from that path into firmware, as if path/ was the root of the firmware
12:22 < havoc> krzee: I'll look into it for future contracts/programs, assuming I'm still around
12:22 <@krzee> feel free to hie me for similar jobs too ;]
12:23 < havoc> I wish :(
12:23 < havoc> one of the many constriants I have to operate under is lack of a reaslistic budget :(
12:23 <@krzee> lol
12:23 <@krzee> dude i figure out how to cheap through all sorts of stuff
12:24 <@krzee> ill save them $ by getting them $20 routers that do the job instead of $40, boom pay me!
12:24 < havoc> same here, that's why I still have the job ;)
12:24 <@krzee> those tp-links from the above command are $25, and sweetness
12:24 < havoc> but time is another resource in short supply
12:25 < havoc> I swear, more of my job is logistical/baby-sitting now, than technical :(
12:25 <@krzee> a lot of mine is currently playing solitaire
12:25 <@krzee> i wrote scripts that do my work
12:26 <@krzee> and they message me if they need me
12:26 <@krzee> but they still want me to go in sometimes, so solitaire
12:26 <@krzee> and my rubiks cube
12:26 < havoc> I work from home, almost exclusively
12:26 < havoc> that's my price for effectively being on-call 24/7
12:26 <@krzee> i work from home a lot lately, which is nice
12:27 <@krzee> that was never a thing until i got our tech stuff working right and made it a thing
12:27 < havoc> yeah, I'm never gonna work for anyone else again
12:27 < havoc> ...as in when I leave here, Wife and I are starting our own business
12:27 <@krzee> really most of the work at my job went away since i got there and smacked the technology into shape
12:28 <@krzee> nice i run one of those too
12:28 <@krzee> but it doesnt take much time except devel stuff
12:28 < havoc> oh yeah, even aside from the time constraints, there's no way in hell we can change gears now due to the gov contract aspect of it all
12:28 <@krzee> i built the network with redundancy and whatnot... so its never much work maintaining
12:28 < havoc> would need to ATP it all again, which can take months
12:28 <@krzee> no firefighting
12:28 <@krzee> oh gov
12:29 <@krzee> haha
12:29 <@krzee> shit man
12:29 < havoc> welcome to my hell :(
12:29 < Crypt0crc> lol
12:29 <@krzee> ya have fun with that :D
12:29 <@krzee> dude if you said that before i woulda stopped suggestion stuff and just gave pity
12:29 < havoc> we're a wholy owned subsidiary of another company, and our revenue is 99% gov contract based
12:30 < havoc> krzee: now you know why I want out ;)
12:30 <@krzee> yessir
12:30 < havoc> just have to make it another 18mos. or so
12:31 < havoc> Wife and I have kindof been operating the biz for the past year or so, for cash/beer
12:31 < havoc> gotta spin up another LLC this, or next, quarter, and legitimize
12:31 < havoc> she just graduated Saturday, so we can kick it all into high gear now
12:32 < havoc> ...in between my work :(
12:34 <@krzee> very nice
12:34 <@krzee> i wish you the best of luck with it
12:34 < havoc> thanks
12:55 <@krzee> skyroveRR: you could always just start the script as root with another app that runs scripts as root
12:56 < skyroveRR> krzee: that would defeat the purpose of it being solely used when a VPN tunnel comes up or goes down, wouldn't it? :) AKA on a "as and when its needed" basis.
12:56 <@krzee> at least til you figure out su
12:57 < skyroveRR> I've started using tasker. :)
12:57 < skyroveRR> It's a great app, allows stuff to be done as root explicitly.
12:57 <@krzee> nice
13:02 < skyroveRR> krzee: I suggest you try that app, too. :)
13:03 <@krzee> have
13:03 <@krzee> its one of what i meant when i suggested that
13:04 < skyroveRR> Suggested what?
13:05 <@krzee> <krzee> skyroveRR: you could always just start the script as root with another app that runs scripts as root
13:05 <@krzee> tasker is an app that will start the script as root for you
13:05 <@krzee> but you already know that =]
13:05 < skyroveRR> Ah
13:05 < skyroveRR> :)
13:08 <@ecrist> krzee: I'm not sure what you're talking about.
13:08 <@krzee> using verb 5 when firewall is a suspect to see the RWRW, i think i had mentioned that at one point
13:10 <@krzee> when i mentioned it today we had a guy whose log showed one R and then only WWWWWWWWW so i pointed at it
13:10 <@ecrist> Yes you did.  I think I incorporated it, but I don't recall.
13:15 < rob0> and we have had havoc ever since ;)
13:16 < rob0> (sorry, it just seemed amusing to me, weird sense of humor)
13:16 <@krzee> hah
13:52 < havoc> can a client script (--route-up) be pushed?
13:58 < havoc> no, it can't :(
15:09 < Abbott> I can connect to my vpn and access localhost stuff on the machine hosting the openvpn but I can't access other machines on the same subnet
15:09 < Abbott> for instance, I can connect to 10.0.0.2 but can't connect to the router on 10.0.0.1
15:10 < Abbott> I can connect if i tunnel the port through ssh though
16:14 < linuxmodder> for openvpn + easy-rsa ./easy-rsa --gen-req EntityName , the entityname would be the user or hostname yes?
16:15 < linuxmodder> I ask becuase on easy-rsa 3.0.1 it's not taking my hostname for a entityname arg
16:16 < linuxmodder> and I have ca.key and ca.crt on that host
16:19 < linuxmodder> nvm syntax error  no -- in the gen-req command sorry for noise
16:19 < segwent> linuxmodder: gen-req <filename_base> [ cmd-opts ]
16:20 < linuxmodder> segwent,  I see that now I was running --gen-req
16:21 < segwent> technically "EntityName" would be <filename_base>
16:21 < segwent> user or hostname would probably be best user as common_name
16:22 < linuxmodder> I'm doing the default endpoints atm and then gonna do user specific ones where host ca must not be on a crl then users connect with a username/pass + ca_file
16:23 < linuxmodder> parts of some of my servers will be shared all will be locked out with STIG + selinux some with MLS constraints
16:23 < linuxmodder> I tutor some Comp Sci students and pen-testers, and do white hat/sysadmin stuff off public networks remotely too often not to
16:24 < segwent> !easyrsa
16:24 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA, or (#4) Source checkouts available from the github project.
16:27 < linuxmodder> segwent,  was a simple missread but thanks
17:01 < Abbott> any idea why I can't see the router on the LAN of my openvpn server? I have push "route 10.0.0.0 255.255.255.0" in the server.conf
18:20 -!- alexandre9099_ is now known as alexandre9099
18:31 < war9407> Quick question, I have this setup:   fios->router->port_forward to linux machine (NAT) (e.g., 10.1.1.3) in server.conf I have listen 10.1.1.3 I can connect to  OpenVPN but I keep getting decrypt errors
18:31 < war9407> AEAD Decrypt error: cipher final failed
19:04 < Eugene> war9407 - that typically means that you have the --cipher mismatched on both ends
19:10 < war9407> Eugene: thx that was it + my openvpn on that client was too old, fixed
19:11 < Eugene> While you're at it, you should maybe set your cipher to something a bit more secure than the default
19:11 < Eugene> !hardening
19:11 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
19:11 < Eugene> And of course that wiki page doesn't even mention --cipher. Sigh.
19:12 < war9407> yup, on 256-GCM* ty again
19:13 < Eugene> Excellent, then you're already good to go
20:07 < johnfg> Hi folks
20:08 < johnfg> I'm at the office for a bit yet tonight.
20:08 < johnfg> Don't know if any are here from the discussion this morning of my problem.
20:09 < johnfg> After the network went down on Friday, a couple of times, on the cable level, none of my clients are able to connect to the server.
20:12 < johnfg> I do my firewall through the router with Advanced/PortForwarding.  All's good there.  The firewall settings in the router itself are nil.
20:13 < johnfg> I don't have any dmz set.
20:13 < johnfg> No iptables on my debian server, as it's done through the router.
20:14 < johnfg> both my ca.crt and server.crt were generated in April 2017, and are good until 2027.
20:16 < johnfg> Same for my client2.crt (which is centos), issued April 2017, good until April 2027.
20:16 < johnfg> I've got to run, but will have tty access.  Let me know if you want to see any pastes.
21:21 < pokmo> hi
21:21 < pokmo> i have openvpn sever running on a shared server, but for some reason, it's stopped working. i can ping the server but not outside IPs
21:22 < pokmo> here's iptables -L -t nat -v
21:22 < pokmo> https://dpaste.de/KnJq
21:22 < pokmo> does this list UDP?
21:31 <@ordex> it;s for any ip packet
21:31 <@ordex> is that the uplink IP of your server?
21:31 <@ordex> maybe it changed without noticing ?
21:31 <@ordex> is ip forward still enabled? maybe it got reset ?
21:31 <@ordex> does your client has a proper routing table ?
21:31 <@ordex> pokmo: ^^
21:35 <@krzee> and look at iptables using iptables-save -c, it'll save your sanity
21:35 < pokmo> hmm
21:36 < pokmo> ordex, that's the local IP
21:36 < pokmo> ordex, it seems to be the same though
21:37 < pokmo> ordex, how do i check if ip forward is enabled?
21:37 <@krzee> by outside ips do you mean the internet?
21:37 <@krzee> or like a lan?
21:37 <@ordex> how about the rest ?
21:37 <@krzee> !linipforward
21:37 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
21:37 < pokmo> krzee, yeah, external IP like 8.8.8.8
21:37 <@krzee> !redirect
21:38 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
21:38 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
21:38 <@krzee> see the flowchart
21:38 <@ordex> :D
21:38 <@krzee> same problems over and over, i made flowcharts :D
21:38 <@krzee> !flowcharts
21:38 <@vpnHelper> "flowcharts" is (#1) from !serverlan http://www.ircpimps.org/serverlan.png, or (#2) from !clientlan http://www.ircpimps.org/clientlan.png, or (#3) from !redirect http://www.ircpimps.org/redirect.png
21:38 < pokmo> lol
21:38 < pokmo> good stuff
21:39 <@ordex> krzee: next step is to have vpnHelper start talking proaxtively
21:39 < pokmo> i do have 1 in ip_forward
21:39 <@ordex> *proactively
21:39 <@ordex> :P
21:39 <@krzee> dude, thats doable for a python master
21:40 <@ordex> with some free time
21:40 <@ordex> :P
21:40 <@krzee> theres some keywords that when together basically tell the tale after !goal
21:40 < pokmo> how do i check if i already have the FORWARD rule in my iptables?
21:40 <@krzee> !linipforward
21:40 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
21:41 < pokmo> krzee, yeah, but it describes how to add not quite how to check the iptables, right?
21:41 < pokmo> or do I just add it anyway?
21:41 <@krzee> ordex: and some users actually already use !goal i want to route to my lan behind the server
21:41 <@krzee> like some already think vpnHelper will know :D
21:41 <@krzee> pokmo: umm, look at your rules and see!?
21:42 <@krzee> if you have that rule or one like it... then you did it
21:42 <@krzee> lol
21:42 < pokmo> krzee, with iptables -t nat -L -v?
21:42 <@krzee> [19:28] <krzee> and look at iptables using iptables-save -c, it'll save your sanity
21:42 <@krzee> but if you want more in depth help with iptables see #netfilter
21:42 < pokmo> krzee, i've tried iptables-save -c, it doesn't give any output
21:43 <@krzee> then put the rule
21:43 <@krzee> then look again
21:43 < pokmo> i've added the FORWARD rule, but iptables-save -c still gives nothign
21:43 < pokmo> *nothing
21:43 <@krzee> weird
21:44 <@ordex> the problem here is that openvpn is a small building block for bigger scenarios, usually, therefore we get 80% of the questions that are not related to openvpn
21:44  * ordex never used iptables-save
21:44 <@ordex> I think it is distro dependent
21:44 < pokmo> hmm how should one check FORWARD rules on ubuntu?
21:45 <@ordex> pokmo: the FORWARD chain is in the filter table, therefore no need to specify -t nat, otherwise you would be looking at the nat table (if you want to use the command you suggested)
21:45 <@ordex> pokmo: man iptables
21:45 <@ordex> iptables is the same everywhere, ifyou don't want to use distro specific tools
21:45 < pokmo> oh right
21:47 <@krzee> weird ive used iptables-save on debian (ubuntu is based on), ubuntu, and mint (based on ubuntu)
21:48 <@krzee> never seen it not work
21:48 <@krzee> but ya i bet #netfilter knows why :D
21:48 < pokmo> so i have this now
21:48 < pokmo> but still can't ping 8.8.8.8
21:48 <@krzee> cat /proc/sys/net/ipv4/ip_forward
21:48 <@krzee> is it 1?
21:49 < pokmo> krzee, yes it is
21:49 <@krzee> ok so ip forwarding should be fine
21:49 < pokmo> yeah, i'd think so
21:57 <@krzee> lets see the whole iptables -L -v
21:57 <@krzee> and the nat table is the same, right?
21:58 < pokmo> krzee, sure. https://dpaste.de/rpgF
21:59 < pokmo> krzee, and here with -t nat https://dpaste.de/D4os
22:06 <@ordex> I'd suggest to have a look with tcpdump, it may help seeing something that is being overlooked now
22:10 < johnfg>  Here's something interesting I found: I changed the server in client.conf, from `remote church.spirit.org 1194` to remote 192.168.0.107 1194`, and by starting manually, it connected.
22:11 < johnfg> This is after some years of having the server name.  But for some reason, fails to start/connect when I start with systemctl start openvpn-client@client.
22:13 < johnfg> doesn't systemd use the same client.conf as when I start from the cli
22:26 < johnfg> why would openvpn --config client.conf work, but not systemctl start openvpn-client@client.service?
22:37  * ordex has no clue about systemd
22:37 < tx> check the systemd journal
22:37 < tx> or
22:37 < tx> er, systemctl status openvpn@vpn.service
22:38 < tx> / whatever you called your service :)
22:50 < pokmo> hi
22:50 < pokmo> i've made some changes to my iptables
22:50 < pokmo> is this meant to be correct? https://dpaste.de/5Sxn
22:52 <@ordex> your policy on INPUT and FORWARD is ACCEPT. It doe snot make sense to add other rules having ACCEPT as terget
22:52 <@ordex> everything will be accepted anyway
23:00 < pokmo> hmm
23:00 < pokmo> ordex, does that mean i can delete line 9?
23:01 <@ordex> I think they are all useless
23:01 <@ordex> they all accept despite the default policy is accept
23:01 <@ordex> so no matter is the rule is matched or not, the packet is always accepted
23:02 <@ordex> you can read how this work on some iptables/netfilter doc
23:02 < pokmo> right
--- Day changed Tue May 23 2017
00:46 <@krzee> ordex: odd enough but i believe ive seen the forward rule needed when default was accept, i found it odd but just decided to always have it
00:47 <@krzee> however, i totally agree that its tcpdump time
00:47 <@krzee> on both sides of the vpn
00:47 <@krzee> tcpdump -s0 -n -i tun0 host 8.8.8.8
00:47 <@krzee> and then ping 8.8.8.8 from the client
00:48 <@krzee> sorry i took so long pokmo, people came over
00:48 < pokmo> krzee, no worries
00:48 <@krzee> i had promised to show a padwan how i hacked root on my DVR
00:51 <+hyper_ch> internet at home is down :(
00:52 <@krzee> ouch, tethering or got a hotel to have uplink? haha
00:52 <+hyper_ch> am at the office
00:52 <@krzee> ahh werd
00:52 <+hyper_ch> currently I have two fiber provider (one till the end of the month)
00:52 <+hyper_ch> and neither works
00:52 <@krzee> yas my office icinga can see when my home inet goes down too
00:52 <@krzee> although i dont have any triggers for it
00:53 <+hyper_ch> home and office are about 1.3km appart
00:53 <+hyper_ch> same providers, same network
00:53 <@krzee> whoa
00:53 <@krzee> that sucks
00:53 < whoa> hi
00:53 <+hyper_ch> well, it works at office
00:53 <+hyper_ch> but not at home
00:53 <@krzee> but that you have 2 providers for redundancy and they end up using same lines
00:53 <@krzee> bad luck
00:54 <+hyper_ch> nah, not 2 providers for redundancy
00:54 <@krzee> oh
00:54 <+hyper_ch> just switch provider and said new one should get active asap
00:54 <@krzee> ohh
00:54 <+hyper_ch> so it's been active for 2 weeks now
00:54 <@krzee> gotchya
00:54 <+hyper_ch> with 1gbit
00:54 <@krzee> damn dude
00:54 <+hyper_ch> old one is only 75/75
00:54 <@krzee> where you at?
00:54 <+hyper_ch> and the OTO plug I have has a total of 4 fibers so I could have 4 different isps
00:55 <+hyper_ch> but I guess some where between my home and the switch is something broken
00:55 <@krzee> you have 4 fiber providers in range!?
00:56 <+hyper_ch> well, there's Swisscom which help deploy the network
00:56 <@krzee> and here im on 10mbit dsl with the best plan available :D
00:56 <+hyper_ch> then there's Thurcom which I've used so far
00:56 <@krzee> damn you!
00:56 <+hyper_ch> and Fiber7 my new one
00:56 <+hyper_ch> krzee: https://www.init7.net/en/internet/fiber7/
00:56 <@vpnHelper> Title: Fiber7 - Gigabit-Glasfaser-Internet von Init7 zum konkurrenzlosen Preis-Leistungs-Verhältnis (at www.init7.net)
00:56 <+hyper_ch> CHF 777/y for gbit
00:56 <@krzee> i had 100mbit fiber but i bought a house and moved out of range
00:57 <@krzee> oh you out there
00:57 <@krzee> ya they all hooked the hell up out there
00:57 <@krzee> nice man
00:57 <@krzee> im sure your downtime will be brief and infrequent
00:58 <+hyper_ch> well, the town decided to deploy fiber network
00:58 <+hyper_ch> and swisscom complained that it could be an unfair advantage
00:59 <+hyper_ch> so together with swisscom every house/apartment gets 4 fiber and ISP can be selected
01:00 <@krzee> damn thats dope
01:00 <+hyper_ch> krzee: $800/y for 1gbit
01:00 <@krzee> <3
01:00 <+hyper_ch> and yeah, with the Turris Omnia I get speeds of around 940mbits
01:01 <@krzee> 10mbit over here
01:01 <@krzee> :-p
01:01 <@krzee> but at least its tropical
01:01 <+hyper_ch> that's plenty
01:01 <+hyper_ch> back in the days, I had 14.4kbps
01:01 <@krzee> harvested my bananas recently
01:01 <@krzee> some cashews as well
01:01 <@krzee> mangos coming soon
01:01 <+hyper_ch> :)
01:02 <@krzee> about to plant some pink bananas
01:02 <@krzee> :D
01:02 <+hyper_ch> bananas in pajamas
01:03 <@krzee> planted some hot ass peppers today
01:03 <@krzee> almost time to harvest my cherries
01:07 <@krzee> so pokmo did you run the tcpdump?
01:07 < pokmo> krzee, hmm i'm trying
01:07 < pokmo> but i'm not getting any output
01:08 < pokmo> even with -v
01:08 < pokmo> with or without the vpn
01:08 <@krzee> hmm
01:09 <@krzee> you SURE you can ping the server vpn ip after connecting?
01:09 <@krzee> show me both logs at verb 5
01:09 <@krzee> !logs
01:09 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
01:09 < pokmo> krzee, the client can ping the vpn server
01:09 < pokmo> krzee, i can continue working with the same ssh connection
01:09 <@krzee> what vpn server ip is it pinging/
01:10 < pokmo> krzee, see, i can't actually ping the server's external IP. but i can continue with the SSH connection
01:10 < pokmo> it's shared host
01:10 <@krzee> by vpn ip i mean like 10.8,0.1 or whatever the vpn subnet is
01:10 <@krzee> not the internet ip
01:10 < pokmo> oh
01:10 <@krzee> lol
01:10 <@krzee> i think we figured it out
01:11 <@krzee> on the flowchart you should have been stuck on the first question
01:11 <@krzee> get those logs
01:11 <@krzee> we'll get you fixed up
01:12 < pokmo> hmm
01:12 < pokmo> let me open the flowchart again
01:12 <@krzee> it says can you ping the vpn ip?
01:12 <@krzee> if not, fix your vpn :D
01:12 <@krzee> either way, get me those logs
01:12 <@krzee> then we can move forward
01:12 <@krzee> anything you do besides that you're just delaying the fix
01:13 < pokmo> ok let me grab those
01:13 < pokmo> here's client's https://dpaste.de/6Gyc
01:14 < pokmo> actually
01:14 < pokmo> i'll shorten it
01:14 <@krzee> PPTP!?
01:14 <@krzee> dude
01:14 < pokmo> clean it up
01:14 <@krzee> !notcompat
01:14 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible., or (#2) OpenVPN connects only to OpenVPN
01:14 <@krzee> !pptp
01:14 <@vpnHelper> "pptp" is (#1) PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
01:14 <@vpnHelper> read about why to not use pptp, or (#2) Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security, or (#3) https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
01:14 < pokmo> yeah, that's another one. not the one i'm working with
01:14 < pokmo> a dummy one
01:14 < pokmo> i tried to see if it's shimo
01:14 <@krzee> dummy is right lol
01:15 <@krzee> !logfile
01:15 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
01:15 < pokmo> krzee, https://dpaste.de/687V
01:15 <@krzee> see !logfile above
01:15 <@krzee> i only want openvpn
01:15 < pokmo> right
01:16 <@krzee> add log /path/to/log in your configs and adjust accordingly
01:16 <@krzee> and verb should be 5
01:18 < pokmo> ok
01:22 <@krzee> then restart openvpn on the server, then the client
01:22 <@krzee> then pastebin those logfiles
01:23 <@krzee> what you were looking at was useless
01:24 < pokmo> krzee, hopefully i did it right
01:24 < pokmo> here's the server log https://dpaste.de/NTG8
01:24 <@krzee> these look like the right logfikes
01:24 <@krzee> logfiles*
01:24 < pokmo> :D
01:25 <@krzee> other?
01:26 < pokmo> i must say that i can't ping 10.8.0.1
01:26 <@krzee> good we found the problem, other sides log?
01:27 < pokmo> just a sec
01:27 <@krzee> cool ill take a dab while you do that
01:28 <@krzee> !krzee
01:28 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20, or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg, or (#3) location: moon base where he smokes moonajuana, or (#4) takes bonghits on the freeswitch teleconference
01:28 < pokmo> trying to get tunnelblick to connect.. :\
01:29 <@krzee> you dont need it to connect, you need it to give you a logfile
01:29 <@krzee> by importing a config that you gave it that says what i gave you
01:30 <@krzee> when we're done you can reimport without it
01:30 <@krzee> its temp
01:30 <@krzee> im sure theres another way, but i dont use osx anymore so i cant look
01:30 <@krzee> maybe they have a log tab, i think i remember that
01:30 <@krzee> i do love tunnelblick
01:31 <@krzee> but we dont want the tunnelblick log, we want the openvpn log
01:31 < pokmo> oh ok
01:32 <@krzee> it needs to look similar to the one you just posted in the beginning
01:32 <@krzee> so like, you could make the logfile on your desktop and verb 5, then import to tunnelblick again
01:33 <@krzee> then we fix
01:33 <@krzee> then you reimport without the logfile and goto like verb 3
01:34 < pokmo> oh god
01:35 < pokmo> i can ping using tunnelblick
01:35 < pokmo> o_o
01:35 <@krzee> umm
01:35 <@krzee> you werent using tunnelblick the whole time?
01:35 <@krzee> what were you using?
01:35 < pokmo> krzee, no, shimo
01:35 <@krzee> umm
01:35 <@krzee> lemme google that
01:35 <@krzee> never heard
01:35 < pokmo> i had to pay for it too!
01:36 <@krzee> ouch
01:36 <@krzee> tunnelbick is greatness
01:36 < pokmo> tell me about it
01:36 <@krzee> i wish linux had such a nice openvpn interface
01:36 < pokmo> grrrr
01:36 <@krzee> well, lesson learned!
01:36 <@krzee> so... does the rest work?
01:36 <@krzee> you'll notice tunnelblick has a tab for enabling the dns push
01:36 < pokmo> yeah, pinging, dns, all works
01:36 < pokmo> i used to use tunnelblick
01:37 < pokmo> thanks a lot for your time
01:37 < pokmo> i think i'll just ditch shimo
01:37 <@krzee> no problem
01:37 <@krzee> yes, i would
01:37 < pokmo> a waste of time and money...
01:37 <@krzee> you aint gunna get better than tunnelblick anyways
01:37 <@krzee> if you do, come tell me about it :D
01:38 <@krzee> i feel the same way about 'openvpn for android'
01:38 <@krzee> nothing similar for linux or freebsd
01:38 < pokmo> i know
01:38 < pokmo> thanks a lot again
01:38 <@krzee> np
01:39 <@krzee> !rob0
01:39 < pokmo> funny enough. shimo now works
01:39 < pokmo> wonder if tunnelblick "woke" something up
01:39 <@krzee> !learn rob0 as is actually /dev/rob0 rumor has it that he is an AI project by google, but nobody can confirm.
01:39 <@vpnHelper> Joo got it.
01:40 <@krzee> !forget rob0
01:40 <@vpnHelper> Joo got it.
01:40 <@krzee> !learn rob0 as is actually /dev/rob0 (because 0>5). Rumor has it that he is an AI project by google, but nobody can confirm.
01:40 <@vpnHelper> Joo got it.
01:40 <@krzee> hmm
01:40 <@krzee> maybe shimo didnt load the tun module right
01:41 <@krzee> you could reboot and see
01:41 <@krzee> you could try shimo after fresh boot, if it doesnt work then try to load tun manually and try shimo again
01:42 <@krzee> maybe you could get a refund in exchange for a bug report? :D
01:42 <@krzee> also include your exact osx version if you do report
01:43 <@krzee> what about the free trial!? you paid before trying?
01:44 <@krzee> whoa i see 1 feature of shimo that has been requested but not really doable
01:44 <@krzee> trigger automation
01:45 < pokmo> krzee, yeah i'll try that
01:45 <@ordex> what is shimo?
01:45 < pokmo> krzee, yeah, i'd used it for almost 3 months
01:45 < pokmo> ordex, a vpn client for OSX
01:45 <@krzee> people want to be able to only connect when not home (connecting through home) but the only possibility for that is to have a wrapper script start openvpn that sees what subnet its on and hopefully you used a rare one for home
01:46 <@krzee> ordex: a pay client he bought
01:46 <@ordex> openvpn client ?
01:46 <@krzee> it didnt work, then he used tunnelblick and it worked, then shimo worked
01:46 <@ordex> ah ok
01:46 <@ordex> lol
01:46 < pokmo> :(
01:46 <@krzee> so im guessing it didnt load tun right
01:46 <@ordex> maybe some missing dep that got installed with tunnelbrick?
01:46 <@ordex> maybe
01:46 <@ordex> dunno
01:46 <@krzee> reboot would tell
01:46 < pokmo> i've had tunnelblick installed all along though
01:46 < pokmo> i shall reboot and see
01:46 < pokmo> brb
01:47 <@krzee> either way i solved his issue tho, now we're just bs'ing :D
01:53 < pokmo> looks like shimo works now too
01:53 < pokmo> oh well! i'll just make do with it
01:53 <@krzee> haha nice
01:53 < pokmo> krzee, yeah haha
01:53 < pokmo> the magic of tunnelblick
01:53 <@krzee> set your verb to 3 and comment your logfile if you like
01:53 < pokmo> fixes anything in its path..
01:59 < pokmo> krzee, but it's all working fine now. there's probably not much interesting :\
02:00 <@krzee> exactly, thats why you dont need verb 5 and a logfile anymore
02:00 <@krzee> verb 5 writes every packet to the log in the form of RWRWRW
02:00 <@krzee> R for read W for write
02:00 <@krzee> would tell me about firewall issues
02:01 <@krzee> if theres nothing interesting, id say you dont need that
02:17 < meepmeep> !pfsense
02:17 <@vpnHelper> "pfsense" is (#1) dont use the web gui for configuring openvpn, you need to understand the config and logfiles, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
02:49 <+hyper_ch> woohoo, internet at home works again :)
02:53 <@ordex> hyper_ch: supa! :D
03:54 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
03:55 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
03:55 -!- mode/#openvpn [+v s7r] by ChanServ
04:05 <+hyper_ch> krzee: https://www.theguardian.com/world/2017/may/22/un-experts-hacked-sanctions-north-korea-cyber-attack  - '“The zip file was sent with a highly personalized message which shows the hackers have very detailed insight into the panel’s current investigations structure and working methods,” read the email, which was sent on 8 May.'
04:05 <@vpnHelper> Title: UN experts hacked while investigating violations of sanctions on North Korea | World news | The Guardian (at www.theguardian.com)
04:49 < frodox> krzee, could you improve your docs (https://secure-computing.net/wiki/index.php/OpenVPN/Routing) with IP addresses of clients/servers ?
04:49 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at secure-computing.net)
04:49 < frodox> *please
04:51 <+hyper_ch> I'm sure krzee has the capabilities to improve that
04:53 < frodox> Am I right, that I can just use client with VMs (kvm-NAT) like it's subnet behind it?
04:54 <@ordex> it's just like any other client
04:59 < frodox> Just want to be sure there are no any side-notes because of that :)
05:51 < david89> Hello. My work environment forces us to use an HTTP proxy. I need to connect to an OpenVPN server via UDP, would it be possible_?
05:51 <+hyper_ch> !udp
05:51 <+hyper_ch> hmm
05:53 < david89> hyper_ch: what did the bot say?
05:54 <+hyper_ch> you can see it yourself
05:54 < david89> !udp
05:54 < david89> not sure how it works..
05:54 <+hyper_ch> you did it just fine
05:54 < david89> I didn't receive a PM or anythinh
05:54 <+hyper_ch> and that means ...
05:55 < david89> that !udp works the same as !god
05:55 < david89> !god
05:55 < david89> see?
05:55 <+hyper_ch> so udp is god
05:55 < david89> no, !udp doesn't exist
05:56 <@plaisthos> david89: not possible
06:11 < frodox> :D
06:37 < dan_j> Hi.
06:38 < dan_j> I'm using openvpn and the client often loses connection. It's a windows client with a windows server. How can I get it to monitor and reconnect if it loses connection?
06:49 < omgs> Hi. I'm using openvpn with user certificates. The users have the same user certificate, and by default the get the same IP. I've tried setting the "duplicate-cn" directive and restarting, but it doesn't seem to work.
06:49 < omgs> How can I manage to see the assigned ip addresses?
06:51 < omgs> Or how can I manage to see the current real running config?
07:03 < rob0> why not just generate more keys and certs?
07:12 < omgs> rob0, I know it's a solution, and in the future it will be done, but in the short term I need a solution to solve this.
07:14 < havoc> omgs: IPs in use (if handed out by the ovpn server) will be listed in the --status file
07:17 < omgs> havoc, sorry, but in that file I can see the public IP, not the assigned address. Is there any command (openvpn related, apart from netstat) that allows to see this info?
07:18 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has quit [Ping timeout: 240 seconds]
07:18 < rob0> !management
07:19 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface, or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN, or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
07:19 < rob0> We don't know how you configured it, so you might not have that.
07:21 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
07:21 -!- mode/#openvpn [+v hyper_ch] by ChanServ
07:43 < frodox> ah, wow, my routing works! It's magic! :D
08:13 < jiquera> @plaisthos, when using OpenVPN for Android, if a config fille has an inline p12 file, and the app asks to store it in the keystore is it still stored on sdcard somewhere? (eg. copy of the config file) or is it removed from the config?
08:18 <@plaisthos> openvpn for android does not remove your imported file
08:19 <@plaisthos> but openvpn for android itself does have another copy of the pkcs12 key stored anywhere
08:19 <@plaisthos> cacert and cert might be in some caches but defenitively not the key
08:19 <@plaisthos> bugs aside it should not be possible to extra a key of the Android keystore
08:19 <@plaisthos> extract
08:26 < jiquera> does
08:26 < jiquera> or does NOT
08:26 < jiquera> ?
08:26 < jiquera> the rest of your story sort of implies a NOT is missing in your second sentence
08:28 < jiquera> so once the config file is imported and removed (and i allowed the key to be stored in the key store)... the key only exists in the keystore
09:17 < johnfg> For some reason, openvpn client will start from the cli, but fails with systemd.
09:18 < rob0> then that's a systemd/distro issue, not an openvpn one
09:18 < johnfg> What I did to get it to start at all, it *not* being the firewall, was I had to change the `remote church.spirit.org 1194` to `remote 192.168.0.107 1194`
09:19 < johnfg> rob0: except that all my clients have been unable to connect, as of Friday.
09:23 < havoc> johnfg: https://uname.pingveno.net/blog/index.php/post/2015/05/23/Migrate-an-OpenVPN-configuration-to-Debian-8-%28Jessie%29-with-systemd
09:23 <@vpnHelper> Title: Migrate an OpenVPN configuration to Debian 8 (Jessie) with systemd - # uname -a (at uname.pingveno.net)
09:24 < havoc> it's only an issue with new installs of a systemd machine, upgrades from sysinit to systemd do the conversion
09:25 < johnfg> havoc: Thanks.  I'll reread it.  But this debian jessie has been an openvpn server ever since the upgrade from wheezy to jessie, so for years.
09:26 < havoc> hmm, then it shouldn't be an issue, bu that article will tell you how to check the systemd deps, and how to create them if they don't exist
09:26 < havoc> it worked for me :)
09:28 < johnfg> Did you see what's going on between centos (client2) and debian?  openvpn starts fine from the cli, but fails with systemctl.
09:29 < johnfg> Doesn't systemd use /etc/openvpn/client.conf as well?
09:30 < johnfg> havoc: btw...I have a vm of debian scratch, client6, and it had been working fine...until Friday.
09:30 < havoc> I just did the "systemctl enable openvpn@CONF_NAME.service" and all was well
09:30 < havoc> but you can look in /etc/systemd/system/multi-user.target.wants/ and /lib/systemd/system/, as decribed in that article, to verify that it's setup correctly
09:33 < johnfg> One thing I saw and wondered about last night, was $i that's in the script.  I saw it, but didn't see it defined.
09:36 < johnfg> havoc: debian starts and runs fine.  it's the server.  It's the clients that *seem* to be the problem.
09:39 <@plaisthos> implementing fancy graphs :)
09:39 <@plaisthos> http://imgur.com/a/tNGvM
09:39 <@vpnHelper> Title: Imgur: The most awesome images on the Internet (at imgur.com)
09:40 < havoc> johnfg: sorry, I'm at the end of my useful contribution, that's all I got
10:00 < JrWebDev> is it me or do openvpn clients on laptops,tablets & phones drain the heck out of the battery?
10:00 < JrWebDev> ive noticed when i turn on vpn the battery drains fast
10:01 < JrWebDev> not sure if this is true for all VPN's
10:01 <+hyper_ch> depends
10:04 <@plaisthos> JrWebDev: for phones see the FAQ
10:04 <@plaisthos> !android
10:04 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html, or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android, or (#3) For a difference between the clients see http://ics-openvpn.blinkt.de/FAQ.html#faq_androids_clients_title, or
10:04 <@vpnHelper> (#4) Really old (<4.0) see !android-old
10:04 <@plaisthos> and that also applies to some degrees to other devices
10:08 < JrWebDev> thanks plaisthos hyper_ch
10:08 <+hyper_ch> JrWebDev: what do you use openvpn for on your phone?
10:09 < havoc> vpn is crypto, which is math, which uses cpu, which uses electricity, which drains mattery
10:09 < havoc> how much depends on how much traffic
10:10 < JrWebDev> hyper_ch, phone was experiment
10:10 < JrWebDev> just to see how it functioned and i use it personally for home related things
10:10 <+hyper_ch> JrWebDev: using LLama or Tasker you could set different conditions on when to turn it on/off
10:10 <@plaisthos> in phones the crypto is for most use cases negliable
10:10 <+hyper_ch> that could be a battery saver
10:10 < JrWebDev> havoc, cool thanks
10:11 < havoc> JrWebDev: plaisthos is the expert on it here
10:11 < havoc> but you're welcome to my [user] observations :)
10:11 < JrWebDev> cool no problem
10:11 < JrWebDev> just wondering how it is
10:11 <+hyper_ch> I wonder if a higher keep alive won't be beneficial to phone battery.... because if the connection breaks/gets closed, so much more energy is needed to build up a new connection (or so I heard)... so having a permanent connection might use less power than constantly re-establishing one
10:11 < havoc> I use it on my phone too, but I don't leave it connected when not being actively used
10:12 < JrWebDev> is it possible to use openvpn with ldap active directory in the community edition?
10:12 < havoc> JrWebDev: my guess is yes, as there's a debian package for it
10:12 <+hyper_ch> ldap? /me shivers
10:12 < JrWebDev> just wondering if its normal to drain battery.  Not sure if all vpns do the same or if openvpn uses more battery than others
10:13 <@plaisthos> JrWebDev: have you read the FAQ already?
10:13 <+hyper_ch> e.g. I use a sip over ovpn... so I set tasker to enable it only when I'm not at home/office where I have sip hardphones
10:14 < JrWebDev> yes i read the battery consumption part
10:15 < JrWebDev> thats cool hyper_ch
10:15 < JrWebDev> Is there any enterprise level hardware that works best with OpenVPN
10:16 < JrWebDev> such as a router that supports OpenVPN already in the web console or what not
10:16 <+hyper_ch> openwrt has openvpn support
10:16 < JrWebDev> ive seen some small routers
10:16 <+hyper_ch> I have now a turris omnia which nicely satisfies my gbit internet... comes with openwrt
10:16 <@plaisthos> JrWebDev: good configured android client has almost no impact on battery life, badly configured (e.g. low ping interval) will kill your battery
10:16 < johnfg> I actually think that centos *does* have a specific problem.  When I changed the debian/scratch client to `remote 192.168.0.107 1194` it connected and is up and running with systemd.
10:16 < havoc> I use openvpn on some Ubiquiti (ubnt.com) routers, but I wouldn't call them "enterprise"
10:17 < johnfg> Have no idea why I had to change a line that had been that way for years, but if it works, np, I guess.
10:17 < havoc> I've heard that Mikrotik routers support openvpn too, but haven't used them myself
10:18  * plaisthos conjures up dazo, Fedora/Rehdat genie
10:18 <+hyper_ch> but what do you need "enterprise" variant for?
10:18 <+hyper_ch> why yum when you can have deb?
10:19 < JrWebDev> deb is best
10:19 < JrWebDev> well i wanna use open vpn for mid size company
10:19 < JrWebDev> instead of cisco or something like that
10:19 <+hyper_ch> get a cheap computer with second gen intel cpus (wie aes-ni support) and you can use that as openvpn server
10:20 < JrWebDev> true that could work
10:20 <+hyper_ch> does the vpn server need to be on the router?
10:22 <@plaisthos> other enterprise solution will probably also have an extra box for vpn
10:23  * dazo looks up
10:23  * hyper_ch gives dazo a cookie
10:23 <@krzee> !blame
10:23 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault, or (#2) According to krzee, it's always dazo's fault, or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments, or (#4) cron2 says its always d12fk's fault (and sometimes the customers), or (#5) if it is crypto blame syzzer and plai for acking
10:23  * dazo blames krzee today
10:23 <@krzee> haha
10:24 < vutral> lol
10:24 < vutral> windows clients arent very straightforward
10:24 < vutral> even if i bundle the configfile
10:24 <+hyper_ch> they should finally hurry up and change ISP at office.... 75/75 is just not good enough
10:24 <@krzee> its the same as a linux client for the most part
10:24 < vutral> 80% of the time interface setup failes with mysterious error messages
10:24 <@krzee> and then you read the logfile
10:24 <@krzee> like in linux
10:24 < vutral> sure
10:25 <+hyper_ch> log files? on windows? oO
10:25 <@krzee> hyper_ch: umm yes
10:25 < vutral> but tap-windows setup is complicated
10:25 <+hyper_ch> I thought windows is all about registry
10:25 <@krzee> --log works the same in windows
10:25 <+hyper_ch> not such petty things like log files
10:25 < vutral> too complicated for many users
10:25 <+hyper_ch> vutral: why tap?
10:25 <@krzee> vutral: the same as in other OS's
10:25 < vutral> well if i decipher the log i still cannot fix the interface setup problems on some systems
10:26 < vutral> well my windows 7 works fine
10:26 < vutral> but on windows 10 i got nothing to work recently
10:26 <+hyper_ch> you could always upgrade them to linux
10:26 <@dazo> johnfg: did you figure out the systemd stuff?
10:26 < vutral> the daemon probably shouldnt exit the retrying
10:26 <@krzee> vutral: are you trying to ask for help?
10:26 <@plaisthos> vutral: It is just starting the openvn installer
10:27 <@plaisthos> that is not that compilcated
10:27 <+hyper_ch> plaisthos: don't underestimates the creatures between keyboard and chair
10:27 < vutral> well i only know openvpn exits on windows 10 with an fatal error in interface setup or ip configuration
10:27 < vutral> i have no idea where the problem is the configuration works
10:28 <@dazo> johnfg: be sure to use a fairly recent centos/epel package ... and prefer to use openvpn-{client,server}@ unit files instead of the openvpn@ unit file  .... even though the latter have been slightly improved in the 2.4 package, the two former ones have some additional hardening advantages
10:28 <@plaisthos> vutral: read the log/read the error message
10:29 < vutral> when i get back to that box sure
10:29 < JrWebDev> maybe i should use a raspberry pi for the mid size 100 user enterprise :P
10:29 < vutral> embedded systems are nice for openvpn
10:29 < JrWebDev> i wonder if it would actually work decently
10:29 < vutral> i like making vpn routers on rpi or other
10:29 <@plaisthos> JrWebDev: depends on the speed you require
10:29 < JrWebDev> i mean if you have 100 users i feel like you would need 10gbps card not a 1gbps but idk
10:30 < JrWebDev> not sure if its neccesary but yeah
10:30 <@dazo> johnfg: aslo, have a look at /usr/share/doc/openvpn-2.4*/README.systemd
10:30 < skyroveRR> Hey plaisthos and dazo :)
10:30 <@dazo> hey!
10:30 <@plaisthos> hey!
10:30 < skyroveRR> plaisthos: love your android client, it's so well-built, well-featured and stable :)
10:31 <@krzee> ^ strongly agree
10:31 <@plaisthos> skyroveRR: thanks
10:31 <+hyper_ch> if that 100-user mid-size company only has a current 10/10mbps internet connection, than a rpi should be able to handle it
10:31 < skyroveRR> I've used it ever since I owned my first android.
10:31 <@krzee> frodox: what are you talking about regarding my doc?
10:31 <@krzee> frodox: i dont understand
10:32 <+hyper_ch> I use OpenVPN Connect currently
10:32 <+hyper_ch> and I noticed, that I can't download stuff from playstore while vpn runs
10:32 <+hyper_ch> it can browse the playstore just fine though
10:33 < frodox> krzee, https://secure-computing.net/wiki/index.php/OpenVPN/Routing this page. You said yesterday you wrote it for me :D
10:33 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at secure-computing.net)
10:34 <+hyper_ch> plaisthos: which is your client?
10:34 <@krzee> haha
10:34 <@krzee> gotchya, so you were joking and dont have suggestions for improvement, right?
10:35 <+hyper_ch> krzee: that image with the 3 comps and the cloud in the middle... it looks so like previous millennium... it needs some overhaul :)
10:35 <@krzee> bah, thats how computing works!
10:35 <@krzee> clouds bro
10:35 < skyroveRR> So, guys, upto openvpn 2.3.10, I used to successfully build openvpn statically by passing on the LDFLAGS=-all-static to make. What's changed in the 2.4.2 version that it no longer produces a statically linked openvpn binary?
10:35 <@krzee> its all clouds!
10:36 <+hyper_ch> nah, the image itself looks like from the previous millennium... you need a 2017 or better 2018 version of it... that makes it look more modrn
10:37 < skyroveRR> To be more detailed, I used to pass on this: ./configure --prefix=/usr --enable-static --disable-shared --enable-ssl --enable-crypto --enable-iproute2 --disable-lzo --disable-plugin-auth-pam; make V=s CC=<CC> LDFLAGS=-all-static LIBS="-lssl -lcrypto", and erm yes, I cross compile for ARM.
10:37 -!- alexandre9099_ is now known as alexandre9099
10:37 < frodox> krzee, no. I have a suggestion - please, specify clients' ips. Like server - 10.10.2.1, client1 - 10.10.2.4 and 10.10.1.1, client3 - 10.10.2.3 and 10.10.3.1
10:38 <+hyper_ch> (me suggests to frodox to make a pull request)
10:38 < frodox> hyper_ch, I don't see where to? any github page?
10:39 <+hyper_ch> frodox: don't ask me...all I know about git I learned here https://xkcd.com/1597/
10:39 <@vpnHelper> Title: xkcd: Git (at xkcd.com)
10:40 < frodox> hyper_ch, so, I had make a pull request here :)
10:40 <@krzee> frodox: i tell what subnet each client is on, saying their specific IP would have no point and just add useless information
10:40 <+hyper_ch> :)
10:40 <@krzee> useless information is an extra chance to confuse somebody for no reason
10:41 < frodox> krzee, well, yes and no. There is note, that it is an example. So, to completely understand what's going on, this is necessary
10:41 < frodox> for newbies
10:42 <@krzee> thanks, ill consider your suggestion
10:42 < skyroveRR> Erm... anyone?
10:45  * hyper_ch thinks you'er just doing it wrong... somehow
10:45 < skyroveRR> ?
10:45 <@dazo> skyroveRR: I honestly dunno ... but you might do it wrong ....
10:45 <+hyper_ch> ha, same answer as dazo... I guess I become smart slowly :)
10:46 <@dazo> ./configure --prefix=/usr --enable-static --disable-shared --enable-ssl --enable-crypto --enable-iproute2 --disable-lzo --disable-plugin-auth-pam  CC=<CC> LDFLAGS="-all-static -lssl -lcrypto" && make V=s
10:46 <+hyper_ch> skyroveRR: any reason you want to compile static?
10:46 <@dazo> but I'll admit, I've never needed to do static builds
10:46 < skyroveRR> hyper_ch: yeah, just part of the fun I have in building a distro with a majority of statically linked binaries.. :)
10:47 <+hyper_ch> what's the benefit of statically linked binaries?
10:48 < skyroveRR> Save you from dll hells and constant libc and library upgrades.
10:48 <@dazo> hyper_ch: no external dependencies .... so if the base distro ships openssl-0.9.8, you can do a static build against openssl-1.0.x (and lots of other goodies) ... and just copy the binary to the host and it'll work
10:48 <+hyper_ch> there are dlls on linux? oO
10:48 <@dazo> hyper_ch: they're called shard objects (.so)
10:48 < skyroveRR> No dlls, but there are .so
10:49 <+hyper_ch> hmmm, ok :)
10:49 <+hyper_ch> well, good luck :)
10:50 <@krzee> skyroveRR: i had to compile for an embedded system that i couldnt update
10:50 < skyroveRR> So, like I was saying, the above configure options upto 2.3.10 chewed out a statically linked openvpn binary, but in 2.4.2, those very options don't appear to compile a statically linked binary.
10:50 <@krzee> solution was to toss the libs in a chroot and run openvpn from inside a chroot
10:50 < skyroveRR> krzee: I'm already doing all of this in chroot.
10:50 <@krzee> no like openvpn --chroot but rather chroot . path/to/openvpn
10:50 < skyroveRR> Oh.
10:50 <@krzee> riiight
10:50 <@dazo> skyroveRR: did you see my slight suggestion of a modified ./configure?  Put all those "compiler variables" to the ./configure ... that will ensure they are saved and properly propagated throughout in the whole build system
10:51 < skyroveRR> I was meaning to say that I do all these compiles in the chroot.
10:51 <@krzee> cause then its a real full env, and i can use all updated libs
10:51 < skyroveRR> dazo: ok, give me a moment while I try out your suggestion :)
10:52 < skyroveRR> dazo: err sorry, I did notice yours, but I thought you might have accidentally copy-pasted that from mine.
10:52  * dazo need to head out for some food 
10:52 <@krzee> i had no choice because my embedded system is so old the libc isnt compat
10:53 < skyroveRR> Compiling.
10:58 <@krzee> https://www.xkcd.com/303/
10:58 <@vpnHelper> Title: xkcd: Compiling (at www.xkcd.com)
10:58 < skyroveRR> dazo: hmm, LDFLAGS won't take -all-static in the configure script; it fails.
10:58 <@ordex> krzee: ;P
11:07 < skyroveRR> dazo: http://pktsurf.in/files/sc03.png seems the "-ldl" seems to be passed on to the compiler when it tries to produce the openvpn binary, followed by the .so files.... so in short, -all-static doesn't get picked up either while passing it to configure or while running make..
11:08 <@krzee> make a trac ticket?
11:09 < skyroveRR> >.>
11:18 < johnfg> dazo: Will do.  Just got to the office.  There's a very moving display going on in our area of Montana for a murdered sheriff's deputy who's funeral is today.
11:21 < johnfg> dazo: I still can't figure out why the centos systemd script doesn't work, but I'll read that which you recommended.
11:25 < johnfg> dazo: You're the man!  I forgot that centos does its systemd differently, and puts its client.conf in /etc/openvpn/client.
11:26 < johnfg> Once I changed that from `remote church.spirit.org 1194` to `remote 192.168.0.107 1194` all's good.
11:26 < johnfg> dazo: Thanks.  One additional question: Any idea why, after years, I had to change to the IP of the server?
11:28 < johnfg> dazo: guess what?  There's actually an update for openvpn today, when I ran yum update.
11:33 < asfherf> Quick
11:33 < asfherf> blah
11:33 < asfherf> Quick Question!
11:33 < asfherf> Like ultra quick.
11:34 < asfherf>  I know I can use auth-username-password
11:34 < asfherf> to call to a script file
11:34 < asfherf> and username-as-common-name
11:34 < asfherf> Can I call to a PHP script?
11:34 < asfherf> or python or perl
11:35 < asfherf> Literally anything that isn't bash
11:36 < asfherf> So I have to go AFK! If anyone has any details pm me them or nick alert me please, It's greatly appreciated.
12:10 <@dazo> asfherf: yes ... just use --auth-user-pass-verify /usr/bin/{perl,python,php,whatever} /full/path/to/your/script
12:53 < asfherf> dazo:
12:53 < asfherf> So it just passes it as runtime args
12:53 < asfherf> like script $username $password
13:26 < skyroveRR> Hey dazo, kindly feel free to see my screenshot :) http://pktsurf.in/files/sc03.png
13:28 < asfherf> skyroveRR:
13:28 < asfherf> why.jpg
13:28 < skyroveRR> ?
13:29 < skyroveRR> asfherf: which mac have you got? :)
13:29 < asfherf> I don't use a mac.
13:29 < skyroveRR> Err wait, not a mac..
13:29 < asfherf> I use Ubuntu
13:29 < skyroveRR> Ah :)
13:30 < rob0> And the banker never wears a mac ... in the pouring rain (very strange!)
13:30 < asfherf> I need to virtualize OSX
13:54 <@dazo> skyroveRR: didn't that work as expected?
13:54 < skyroveRR> It didn't.
13:55 < skyroveRR> It still compiled a dynamically linked binary.
13:55 <@dazo> ldd ./src/openvpn/openvpn?
13:55 < skyroveRR> Erm, I'm inside a chroot, so I don't have ldd.
13:56 < skyroveRR> But the deps are basically libcrypto, libssl and libc
13:56 < skyroveRR> # objdump -p openvpn | grep NEEDED
13:56 < skyroveRR>   NEEDED               libssl.so.39
13:56 < skyroveRR>   NEEDED               libcrypto.so.38
13:56 < skyroveRR>   NEEDED               libc.so
13:57 <@dazo> libc isn't unexpected, but yeah, I see the those others are ugly
14:03 < skyroveRR> dazo: meh, what changes did you guys make anyways in the configure scripts? -ldl is being appended everywhere.
14:07 <@dazo> $ git log --follow configure.ac
14:08 < skyroveRR> I'm not using git..
14:08 < skyroveRR> :)
14:10 <@dazo> your loss ;-)
14:11 <@dazo> skyroveRR: It would be quite valuable if you could do a git bisect for us ... that helps pin-pointing where it broke
14:11 <@dazo> The routine is:  $ git bisect start
14:11 <@dazo> $ git bisect good v2.3.16
14:12 <@dazo> $ git bisect bad master
14:12 <@dazo> then do a build as you usually do ... you might need to do: autoreconf -vi  before your ./configure
14:13 <@dazo> then evaluate the openvpn binary
14:13 <@dazo> if it is how you expect it to be, do:  git bisect good
14:13 <@dazo> and if it is not static linked, do: git bisect bad
14:14 <@dazo> you'll do this 5-10 times or something like that ... and then it will tell you which commit broke static linking
14:14 <@dazo> that is quite useful for us to debug on further
14:14 <@dazo> (and once done, you can do: git bisect reset    .... which puts you back at the starting point)
14:59 < _moep_> !welcome
14:59 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
14:59 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
18:09 -!- Turla is now known as Captain_Beezay
--- Log closed Tue May 23 18:10:41 2017
--- Log opened Tue May 23 18:11:25 2017
18:11 -!- Irssi: #openvpn: Total of 312 nicks [8 ops, 0 halfops, 4 voices, 300 normal]
18:11 -!- mode/#openvpn [+o ecrist_] by ChanServ
18:12 -!- Irssi: Join to #openvpn was synced in 45 secs
19:46 < dirac1> Hello, some help: https://ptpb.pw/zu4S this is server side :/
20:09 <@krzee> dirac1:
20:09 <@krzee> !configs
20:09 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
20:13 <@krzee> your problem is likely either mismatched options or a messed up ta.key or it's key-drection
20:48 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 272 seconds]
21:02 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
21:02 -!- mode/#openvpn [+o syzzer] by ChanServ
21:50 <@ordex> !krzee
21:50 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20, or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg, or (#3) location: moon base where he smokes moonajuana, or (#4) takes bonghits on the freeswitch teleconference
21:52 <@ordex> !vpnHelper
21:52 <@vpnHelper> "vpnHelper" is "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
21:53 <@ordex> !ecrist
21:53 <@vpnHelper> "ecrist" is http://www.youtube.com/watch?v=0Veqz8W98iA
22:14 <@krzee> my favorite thing is when people come in, use the bot, and find their solution themselves from the bot
22:18 <@krzee> !rob0
22:18 <@vpnHelper> "rob0" is is actually /dev/rob0 (because 0>5). Rumor has it that he is an AI project by google, but nobody can confirm.
22:18 <@krzee> !dazo
22:18 <@vpnHelper> "dazo" is The project name krzee always forgets .... eurephia ... http://www.eurephia.net/
22:18 <@krzee> lol
22:18 <@krzee> i could never remember the name of that thing, but i could remember he made it :D
22:19 <@ordex> :D
22:20 <@ordex> !talk
22:20 <@ordex> !something
22:20 <@ordex> :P
22:20 <@krzee> !factoids
22:20 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
22:22 <@ordex> !kiss
22:22 <@vpnHelper> "kiss" is Keep It Simple Stupid
22:22 <@ordex> rox
22:22 <@ordex> :D
22:23 <@krzee> !botsnacl
22:23 <@krzee> !botsnack
22:23 <@vpnHelper> "botsnack" is Om nom nom!
22:34 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 240 seconds]
22:36 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:36 -!- mode/#openvpn [+o syzzer] by ChanServ
22:37 <@ordex> !marja
22:48 <+hyper_ch> krzee: WE'RE ALL GONNA DIE - https://www.theregister.co.uk/2017/05/24/last_week_openvpn_client_is_secure_brthis_week_unpatched_bug_in_openvpn_server/
22:48 <@vpnHelper> Title: Last week: 'OpenVPN client is secure!' This week: 'Unpatched bug in OpenVPN server' • The Register (at www.theregister.co.uk)
22:49 <+hyper_ch> "French security outfit Sysdream has gone public with a vulnerability in the admin interface for OpenVPN's server."  --> admin interface?
22:49 <+hyper_ch> ah, openvpn-as
23:06 < dirac1> Hello i made a mistake creating the cert key for the server, used a 2048 bit Key size but the PEM.. is 4096 what can i do?.
23:26 <@krzee> why not just make another?
23:28 <@krzee> hyper_ch: ya seems to be just AS, but still interesting
23:28 <@krzee> i hadnt heard
23:28 <@krzee> (but i hear nothing about as in general)
23:29 < dirac1> I'm still having issues and i don't know why :/
23:30 <@krzee> you never did what i said so i cant help you
23:32 < dirac1> did it.
23:33 < dirac1> Im getting the client/server logs.
23:34 <@krzee> 3 hours ago i said:
23:34 <@krzee> !configs
23:34 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
23:34 <@krzee> you didnt post them since then yet
23:36 < dirac1> client : https://ptpb.pw/CcLB server: https://ptpb.pw/LndA
23:38 -!- linuxmodder_ is now known as linuxmodder
23:42 < dirac1> server config: https://ptpb.pw/vJhb client config: https://ptpb.pw/vJhb
23:44 <@krzee> !certverify
23:44 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt, or (#2) also make sure you use the same ca.crt on both sides by checking their md5
23:44 <@krzee> i see you got past your hmac problem
23:45 < dirac1> Yes
23:46 < dirac1> ca.crt and server.crt are OK.
23:48 <@krzee> and client side
23:48 <@krzee> then check md5sum on ca.crt on both sides match
23:49 <@krzee> you know... like !certverify says
23:49 < dirac1> client side OK
23:52 < dirac1> Yes the MD5 are the same.
23:53 <@krzee> you're testing each side on the machines themselves, right?
23:54 <@krzee> like not on the CA
23:54 < dirac1> Yes
23:55 < dirac1> Let me test again the client side.
23:55 <@krzee> ya that doesnt seem right
23:55 <@krzee> cause if you run the test with openssl on both sides and md5 the ca.crt on both sides matches you should get same results as openvpn
23:56 <@krzee> oh
23:56 <@krzee> unsupported certificate purpose
23:56 <@krzee> lemme see
23:57 <@krzee> you posted the same link for client conf and server conf
23:57 <@krzee> and you didnt give me the log from openvpn starting
23:57 <@krzee> verb 4 please
23:58 <@krzee> well 5 is fine too
23:58 <@krzee> (i see server has 5)
23:58 < dirac1> Ok, tested again client side and is ok, let me get you the whole Log.
23:59 <@krzee> i bet client config will tell me
23:59 <@krzee> i bet you're trying to verify its a server cert, but didnt make the server cert the way you verify expects
--- Day changed Wed May 24 2017
00:00 <@krzee> however, until you post the client config, the world will not know
00:05 < dirac1> client.ovpn : https://ptpb.pw/kjo9 ; client.log : https://ptpb.pw/qUHI ; server.log : https://ptpb.pw/FYDi
00:10 < dirac1> Ugh..
00:22 < dirac1> krzee...?
00:28 < dirac1> :c
00:36 <@krzee> comment this line in client config:
00:36 <@krzee> remote-cert-tls server
00:36 <@krzee> does that make it work?
00:36 <@krzee> if so, we should try something else
00:36 < dirac1> let me do it.
00:37 < dirac1> if i'm using nm-openvpn i have to reload the *.ovpn file?
00:37 < dirac1> or i can simply retry the connection?
00:38 <@krzee> dunno, you should not use network manager until you get openvpn working
00:38 <@krzee> then import the working openvpn config and be done
00:38 < dirac1> wait up, then how i should test the config file?.
00:38 <@krzee> by running openvpn :D
00:39 <@krzee> openvpn /path/to/config        as root
00:39 <@krzee> that should do it
00:39 < dirac1> ok ok
00:40 < dirac1> it asks me to express where is the ta.key
00:40 < dirac1> (is in the same folder)
00:40 <@krzee> !fullpath
00:40 <@krzee> !path
00:40 <@vpnHelper> "path" is (#1) use full paths in your config!, or (#2) if you use windows, see !winpath
00:44 < dirac1> same error
00:51 <@krzee> ok show me the new log, you may want to specify a logfile
00:51 <@krzee> !logfile
00:51 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
00:51 <@krzee> then start will give me the config in long format too
00:58 < dirac1> https://ptpb.pw/aJQy : new.log
00:59 < dirac1> :/
01:02 <@krzee> how did you make these certs?
01:03 < dirac1> easy-rsa following DigitalOcean guide.
01:03 <@krzee> could you try with the easy-rsa guide?
01:03 <@krzee> theres something weird with these
01:03 <@krzee> !easy-rsa
01:03 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
01:04 < dirac1> what could be wrong?
01:04 < dirac1> I'll have to delete the other easy-rsa stuffs?
01:04 <@krzee> ya i would start over on my pki
01:04 <@krzee> im not sure whats wrong honestly
01:04 <@krzee> but its with the certs
01:05 < dirac1> I'll do it, but tomorrow, really late here. Thanks for your help. i'll be back tomorrow after re-doing the easy rsa.
01:06 <@krzee> cool good luck!
01:06 <@krzee> and goodnight
01:06 < dirac1> Thanks!
04:18 < kooistra9> !welcome
04:18 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
04:18 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
04:18 < kooistra9> Hello anyone active :) ?
04:21 < kooistra9> if anyone is here i could use someone to provide me new insight :) ?
04:30 <@ordex> there quite some people, but you better ask your question first :)
04:30 <@ordex> !ask
04:30 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
04:32 < kooistra9> Haha sorry well the issue is about Acces-server so dont know if anyone is willing to help or redirect me to acces-server channel which is almost empty. Ive set up a site to site formation, i can acces my Server lan, from client but not vice versa
04:33 < kooistra9> any common issues known ?
04:38 <@ordex> !as
04:38 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
04:38 <@ordex> I'd suggest to idle there somemore
04:38 <@ordex> people atre spread all over the world, so they may answer later
04:40 < kooistra9> +Oke Thx :)
07:04 <@ecrist_> ordex: ?
07:18 <+hyper_ch> krzee: finally we can have Windows Defender on Linux - now I feel safe :)  https://twitter.com/taviso/status/867134496935563264
07:28 -!- Ekho- is now known as Ekho
09:46 < dirac1> krzee, are you there?.
10:45 -!- You're now known as ecrist
10:53 -!- mrjk__ is now known as mrjk
11:10 < jamesl> !goal
11:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:10 < [E]sc> i would like to know if it is possible to run both openvpn's client and server on one machine...
11:11 < skyroveRR> [E]sc: why not?
11:14 <@dazo> [E]sc: that works like a charm
11:21 < [E]sc> skyroveRR, dazo thanks.  i'm trying to configure my openvpn on debian jessie, but it doesn't seem to work.  ifconfig shows that tun0 & tun1 are present, my client initialized completed (?) and my server is active/running and shows there's no errors.
11:23 <@ordex> [E]sc: so what's not working ?
11:24 < [E]sc> ordex, when i try to check online if my ip has been changed, it shows up as the same.  i'm not sure if my configuration is wrong? or something else i'm missing.
11:25 <@ordex> that's likely a routing problem
11:25 <@ordex> dazo: what's the bot factoid for this ?
11:26 <@ordex> !redirect
11:26 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
11:26 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
11:26 <@ordex> [E]sc: ^^
11:27 < [E]sc> ordex, thanks. I will have a look at that.
11:28 <@ordex> np
11:28 <@ordex> there are a couple of things to setup and to check. so better following what vpnHelper said first
11:31 <@dazo> !factoids
11:31 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
11:31 <@dazo> ordex: ^^ ;-)
11:31 <@ordex> :P
12:26 < segwent> !25/8
12:26 <@vpnHelper> "25/8" is God Save the Queen! This IP block is assigned for use by the UK Ministry of Defense. If it's used by someone not the UK MoD, they're probably trying (and failing) to be clever. If you're doing this, use RFC1918 space (see: !randomsubnet for ideas.) Or better, use IPv6.
12:27 < segwent> Good job there is no God !
12:55 < nb> !randomsubnet
12:55 <@vpnHelper> '"randomsubnet" is (#1) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `, or (#2) Or try this perl oneliner: `perl -e \'printf 10.%d.%d.0/24\n , int(rand(256)), int(rand(256));\'`'
13:18 < segwent> !firestarter
13:18 <@vpnHelper> "firestarter" is if you use firestarter to config your firewall you may want to see http://jcape.ignore-your.tv/2006/08/03/openvpn-and-firestarter/ for help
13:18 < segwent> !forget firestarter
13:18 <@vpnHelper> Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:19 < segwent> ^^ server is goone
13:31 < Aviv> Hello - I have the following scenrio. I have Machine A and Machine B. I've created OpenVPN Server (AWS). Now machine A = 172.28.224.10 and machine B 172.28.224.100 (OpenVPN GW 172.27.224.1). When I traceroute machine B from machine A, for some reason I see my next-hop is OpenVPN GW. Why is that? It's on the same subnet, why it's using OpenVPN GW? I want to do a man in the middle. For example, I set in machine A my default GW 172.28.224
13:31 < Aviv> set source-route on machibe-B
13:32 < Aviv> But no traffic goes into 172.28.224.100.. It goes to OPenVPN GW and then I have no idea where it goes
13:36 <@krzee> Aviv: clients can only connect to eachother through the server
13:37 <@krzee> you cant do what you were hoping to
13:37 < Aviv> It can't be done with OpenVPN?
13:37 <@krzee> client B cannot be in between the connection of client A and the openvpn server
13:38 <@krzee> !vpn
13:38 <@vpnHelper> "vpn" is http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is
13:38 < Aviv> There is no way I can transfer all my traffic from client A thru client B?
13:38 <@krzee> no
13:38 <@krzee> that goes against the idea of what a vpn is
13:38 <@krzee> lol
13:39 < Aviv> Yeiks.. Spent 9 hours on this shit :P
13:39 < Aviv> could have just send a message here and solve all my problems..
13:39 <@krzee> picture a vpn as like a virtual ethernet cable between 2 machines over a network
13:39 < Aviv> Yep, make sense
13:39 <@krzee> client A has its own virtual network cable, as does client B
13:40 <@krzee> you could attempt it MITM the actual vpn connection itself
13:40 <@krzee> *if* the configs dont stop that from happening
13:40 <@krzee> !mitm
13:40 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: remote-cert-tls server in the client config
13:40 < Aviv> that bot is smarter then me
13:41 <@krzee> but if client B was between client A and the server, he could present his client config to each side and if the client doesnt check that the server IS a server, then you could mitm the vpn itself
13:41 <@krzee> however, that would require much custom code by you
13:41 <@krzee> and if you could do that, you wouldnt have needed to ask about it most likely ;]
13:41 < Aviv> Yep.. Maybe IPSec will resolve this issue?
13:41 <@krzee> nah
13:41 < Aviv> Blat
13:41 <@krzee> a vpn goes against what you want
13:41 <@krzee> you're like hey how can i make a vpn not a vpn?
13:41 <@krzee> answer is, by not using a vpn
13:42 < Aviv> with IPSec site2site is possible?
13:42 <@krzee> dunno, ask somewhere that supports it
13:42 < Aviv> Thanks man, you are great
13:50 <@krzee> np =]
13:50 <@krzee> i know hamachi allows client to client
13:50 <@krzee> dunno if it can do your goal
13:50 <@krzee> cause we only do openvpn here
14:21 < segwent> !gvpe
14:21 <@vpnHelper> "gvpe" is http://software.schmorp.de/pkg/gvpe.html <Bushmills> Unlike other virtual private  network" solutions which merely create a single tunnel, GVPE creates a real network with multiple endpoints. free, opensource, for nixes, meant for those looking for a vpn with direct peer connections. those who'd be sent to hamachi otherwise.
14:21 < segwent> ar
16:11 <@krzee> oh nice hadnt seen that one
16:23 < segwent> krzee: looks ok
17:25 < omgs> Hi. I was wondering how to manage the following strategy for a bunch of servers using openvpn from different companies.
17:26 < omgs> What I want is use a custom certificate for myself and my partners as IT team. These client certificates should be allowed in every different host of every company.
17:28 < omgs> Apart, the companies can have their own certificates, together with ours, BUT these should not be able to connect to any other company, only the own company.
17:29 < omgs> For that, I have created a "root" CA ("A"), and subCAs of this, so they would be "AA", "AB", etc.
17:31 < omgs> I can get my certificate to work, but as long as I distribute as "ca" param the chain of "A" and "AX", a certificate from "AB" can login into "AA" (any can log into any because of "A" in the chain, if I'm not wrong)
17:32 < omgs> If I just put "AB" as ca param, then the "self-signed certificate" error shows in the logs and I can't login. How can I solve this?
17:35 < segwent> !cert_chains
17:35 < segwent> oo .. it not work now ?
17:36 < segwent> !certchains
17:36 < segwent> !cert_ chains
17:36 < segwent> !cert_chains
17:36 <@vpnHelper> "cert_chains" is https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains ... JJK actually mentions that scenario in this page
17:36 <@vpnHelper> "cert_chains" is https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains ... JJK actually mentions that scenario in this page
17:36 < rob0> !lag
17:37 < segwent> !lol
17:44 < segwent> I press space bar at end
17:45 < omgs> segwent, thanks. I'm not sure to understand the chained certs part.
17:45 < segwent> omgs: you read the wiki ?
17:45 < omgs> Yes
17:46 < segwent> oh .. so you need ca.crt you see ?
17:46 < omgs> I have a "root" CA ("A") and a subCA ("AA"). The server (and client) certificates are signed by the subCA.
17:47 < omgs> What is "client.crt", taking that there can be many different client certificates for every subCA?
17:48 < omgs> Why can't "server.crt" be signed by the subCA?
17:49 < segwent> are you use easyrsa ?
17:52 < omgs> No, i use xca
17:54 < omgs> I understand a bit better now, so I wonder how to chain for "A" and "AA" but not allowing for "AB"
17:55 < omgs> Can I use several "ca" declarations in the config file?
17:58 < segwent> omgs: only one --ca per config
17:58 < segwent> one is used only
17:59 < segwent> ot cat into cert file maybe ?
17:59 < segwent> or*
18:00 < omgs> Ok. How should be the chained part for a "ca" with subCA? Maybe "cat server.crt subCA.crt ca.crt > chained.crt"?
18:00 < segwent> i not try myself before
18:02 < omgs> How does openvpn "know" if the ca.crt is chained or stacked?
18:03 < segwent> access to root ca cert is key, i think sub-ca is way to make money
18:05 < omgs> How does openvpn "know" if the ca.crt is chained or stacked? (sorry if you already read this line)
18:06 < segwent> stack is "many ca's" .. chain is "one ca"
18:06 < omgs> I don't want to make money of a subCA, but if that were the case, how would I build the chained cert for the ca directive?
18:07 < segwent> ^^
18:13 < segwent> sign a client cert by sub-ca ?
18:21 < dirac1> Guys i'll generate my server certificates again, any procedure to delete all the old information?.
18:25 < dirac1> Just _ rm -rf, ok i'll do it.
18:29 < omgs> segwent, yes, in fact, the example shows the client certificate signed by subCA
18:30 < omgs> But I'm afraid that the example for the chain  allows any certificate signed by  the ca.cert ca, and I want to avoid that.
18:45 < dirac1> Help for some reason i have multiple openssl-xx.xx.cnf in my /easy-rsa folder, should i remove them and leave just the one i'm using? openssl-1.0.0.cnf
18:50 < segwent> omgs: is not "avoidable" for openvpn
18:51 < segwent> ca cert is prerequisite .. you must verify to root ca
19:04 <@krzee> out of curiosirt, whats your actual goal / use case omgs?
19:05 <@krzee> oh nevermind i found it above
19:05 <@krzee> so you want to give them pki they can admin themselves, while keeping the ability to still make your own entrance
19:06 < omgs> krzee, yes, and I guess that by providing the companies a subCA from ours, it should work, but I get some things not working.
19:07 <@krzee> gotchya, i have never delved in to that
19:07 <@krzee> i just make a different pki for each network, and have a script for choosing which to use when making a cert
19:07 < omgs> The first is that when I directly use the subCA, I can't login because I get that the cert is self-signed (or something else), but when I manage to login, the user can login anywhere
19:09 <@krzee> maybe this will help in some way
19:09 <@krzee> !certverify
19:09 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt, or (#2) also make sure you use the same ca.crt on both sides by checking their md5
19:10 <@krzee> the client will use its ca.crt to verify the servers certificate is valid
19:10 <@krzee> the server will use its ca.crt to verify the clients certificate is valid
19:10 <@krzee> since i dont use chaining thats as helpful as i can be
19:11 < omgs> krzee, but how to avoid that a user can login other sites with the same root CA but different subCA?
19:11 < segwent> krzee: can openvpn verify cert without root ca.crt access by client ?
19:12 <@krzee> dont know the answer to either, i dont use subCAs
19:12 < segwent> cleint must have ca.crt .. no ?
19:12 < segwent> even if server is sub-*
19:13 < segwent> from easyrsa certs must match like that ?
19:14 < mojtaba> Hello, I have configured openvpn on a raspberry pi, and I can connect to it successfully.
19:14 < segwent> !ca
19:14 < mojtaba> The only problem that I am facing is that I can not resolve DNS requests.
19:15 < mojtaba> Does anybody know what should I do?
19:16 <@krzee> google it? try to figure out how subCAs work, its not actually openvpn specific
19:16 <@krzee> the openvpn specific part i told you above
19:16 <@krzee> the server will use its ca.crt to verify the clients certificate is valid
19:16 <@krzee> the client will use its ca.crt to verify the servers certificate is valid
19:16 < omgs> mojtaba, I'd check the resulting routes, to see routing is not through raspberry
19:16 <@krzee> oh wrong guy sorry
19:16 < mojtaba> omgs: In the server.conf file?
19:17 <@krzee> mojtaba: are you redirecting gateway over the vpn?
19:17 < omgs> mojtaba, no, that looks a client issue
19:17 < mojtaba> krzee: how can I check that? in client.config file? ( I have an ovpn file for the client.)
19:18 < mojtaba> I cannot even ping google.com
19:18 < mojtaba> But I have access to my LAN
19:19 < omgs> mojtaba, Not sure, but check if you have "nobind" in your config file.
19:19 < mojtaba> omgs: which one? client or server?
19:19 < omgs> mojtaba, client
19:19 <@krzee> sounds to me like you're redirecting internet over the vpn but using your ISPs nameserver
19:20 <@krzee> you can change your dns to 8.8.8.8 on the client and it'll just work
19:20 <@krzee> or:
19:20 <@krzee> !pushdns
19:20 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for
19:20 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
19:20 < mojtaba> omgs: Yes I have nobind
19:21 <@krzee> mojtaba: can you ping 8.8.8.8?
19:21 < omgs> mojtaba, do you connect to your vpn via internet or your network?
19:21 <@krzee> omgs: this is actually a normal issue
19:21 < mojtaba> omgs: I connect to internet using cafe's internet.
19:21 < mojtaba> And then I connect to my vpn server.
19:21 < mojtaba> After that I cannot ping google.com
19:21 <@krzee> mojtaba: ping 8.8.8.8?
19:22 < mojtaba> when I am connected to vpn.
19:22 < mojtaba> krzee: yes
19:22 <@krzee> now change your computers DNS server to 8.8.8.8
19:22 <@krzee> boom, works
19:23 < mojtaba> thanks
19:23 <@krzee> np
19:24 <@krzee> the nameserver you were using is not configured to allow requests from your VPN server's IP
19:24 <@krzee> so when you redirect internet over the vpn, the nameserver stops working for you
19:25 <@krzee> you can configure openvpn to change the DNS for you, see !pushdns if you want that
19:25 < mojtaba> sure
19:25 < mojtaba> thanks again
19:25 <@krzee> np
19:27 <@krzee> !learn brokedns as Odds are you are using a nameserver that is not configured to allow requests from your VPN's server IP. When you redirect your internet over the vpn the nameserver sees you as coming from the server IP and stops responding to your dns queries. you can verify this by pinging 8.8.8.8, and can fix this by setting your nameserver to 8.8.8.8 (or any other publicly accessible dns server). you can make openvpn do this for you by
19:27 <@vpnHelper> Joo got it.
19:27 <@krzee> seeing !pushdns
19:27 <@krzee> grr
19:27 <@krzee> !forget brokedns
19:27 <@vpnHelper> Joo got it.
19:28 <@krzee> !learn brokendns as Odds are you are using a nameserver that is not configured to allow requests from your VPN's server IP. When you redirect your internet over the vpn the nameserver sees you as coming from the server IP and stops responding to your dns queries. you can verify this by pinging 8.8.8.8, and can fix this by setting your nameserver to 8.8.8.8 (or any other publicly accessible dns server)
19:28 <@vpnHelper> Joo got it.
19:28 <@krzee> !learn brokendns as you can make openvpn do this for you by seeing !pushdns
19:28 <@vpnHelper> Joo got it.
19:31 < omgs> mojtaba, so you use your raspberry as a proxy, right?
19:31 <@krzee> yes, he's using:
19:31 <@krzee> !redirect
19:31 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
19:31 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
19:32 < mojtaba> omgs: yes
20:28 < dirac1> krzee, hi, i'm back.
20:29 <@krzee> used easy-rsa3 and followed the easy-rsa3 guide?
20:29 <@krzee> (assuming im remembering the right thing)
20:35 < dirac1> ugh.. nope, could you send me again the guide.
20:36 <@krzee> !easy-rsa
20:36 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
20:41 < dirac1> Oh this is completely different.
20:45 < dirac1> krzee, i did in other way, and i'm having a new log.
20:46 < dirac1> krzee: https://ptpb.pw/c1M9
20:47 < dirac1> The "other way" was just doing the cert again with calm.. following one of the guides i used.
20:47 < dirac1> isn't the whole log, just the error.
20:48 < dirac1> I think i don't have active the tun module.
20:50 < dirac1> Oh i just installed openvpn in this machine..
20:54 < dirac1> Help?.
21:09 <@ordex> load it ?
21:09 <@ordex> if it doesn't load, install it ? :)
21:15 < dirac1> if the "sudo openvpn *.ovpn" writes WrWrWrWr.. is working?
21:15 <@ordex> never seen that :D
21:15 <@ordex> hopefully you have only one file matching *.ovpn?
21:15 < dirac1> lol yeah
21:15 < dirac1> Well it do the whole authentication assigns me a IP..
21:16 < dirac1> And says "initialization sequecen completed"
21:17 < dirac1> But sometimes says...Bad LZO compression
21:17 < dirac1> ordex?
21:19 <@ordex> is lzo enabled on both sides ?
21:19 < dirac1> I think so
21:22 <@ordex> dunno, maybe you can post the logs of both sides
21:22 < dirac1> ordex wasn't but now appears this: Wed May 24 22:14:52 2017 us=502429 ERROR: Linux route add command failed: external program exited with error status: 2
21:22 < dirac1> But is working aswell.
21:23 < dirac1> i think that error is because i'm doing it using just the "sudo openvpn my.ovpn", and not using a program to route (networkmanager)
21:24 <@krzee> dirac1: its hard to try and help you when we try to work on something you do something else and come with new errors
21:24 <@krzee> assuming yesterday you were the guy with the bad certs
21:24 < dirac1> Yup
21:24 < dirac1> But is working now
21:24 <@krzee> cool
21:24 <@krzee> then ill stop trying to read the scroll!
21:24 <@krzee> haha
21:25 < dirac1> but..but wait.. i have that error.. from up there.
21:25 < dirac1> But i imply is beacause im doing it without the nm intervention
21:25 <@krzee> show me the entire log if you want me to look
21:26 < dirac1> Ok
21:30 <@krzee> haha now i see ordex had just asked for that too
21:30 <@krzee> and i agree with him, both sides better
21:38 < dirac1> client: https://ptpb.pw/k2eX server: https://ptpb.pw/0BaS
21:38 < dirac1> krzee.
21:39 <@krzee> RTNETLINK answers: File exists
21:39 <@krzee> you're adding a route that already exists in your routing table
21:39 <@krzee> so nothing happens, ignore it
21:40 < dirac1> Oh...
21:40 <@krzee> thats the only error i see
21:40 < dirac1> But that route is on my server side ? why it shows is in the client?
21:41 <@krzee> please read what --redirect-gateway does in the manual
21:41 <@krzee> !man
21:41 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
21:41 <@krzee> not what it accomplishes, but HOW it does that
21:41 <@krzee> step 1 is the route in question
21:42 < dirac1> Ok
21:45 < dirac1> the link says krzee, but i don't have it on my client.ovpn.
21:45 < dirac1> Woops the "the link says" not supposed to be there.
21:45 <@krzee> huh?
21:46 <@krzee> !push
21:46 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
21:46 < dirac1> I don't have the --redirect-gateway on my client config.
21:46 <@krzee> ya, you push it to the client from the server, same same
21:46 < dirac1> D: But i didn't do it..
21:47 <@krzee> its there
21:47 < rob0> I did it!
21:47 <@krzee> thats how you redirect your internet connection over the vpn
21:47 <@krzee> !rob0
21:47 <@vpnHelper> "rob0" is is actually /dev/rob0 (because 0>5). Rumor has it that he is an AI project by google, but nobody can confirm.
21:47 <@ordex> lol
21:47  * rob0 mutters something incomprehensible
21:48 <@krzee> encrypted by the google AI custom encryption methinks
21:48 < rob0> lol @ the 0>5 part, nice touch
21:48 <@krzee> thanks :D
21:48 <@krzee> https://techcrunch.com/2016/10/28/googles-ai-creates-its-own-inhuman-encryption/
21:48 <@vpnHelper> Title: Googles AI creates its own inhuman encryption | TechCrunch (at techcrunch.com)
21:49 < dirac1> i swear i didn't do it..
21:49 <@krzee> May 25 02:19:22 magrathea ovpn-server[7248]: DellDan/xxx.xx.xxx.xxx:51399 SENT CONTROL [DellDan]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)
21:50 <@krzee> its there!
21:50 < dirac1> I know.. i saw it D:
21:50 < dirac1> OMG!
21:50 <@krzee> !blog
21:50 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
21:50 <@krzee> thats what you get for blindly following lame google links i guess?
21:51 < dirac1> Ugh i used one from Linode.
21:51 <@krzee> is your goal to redirect your clients internet over the vpn?
21:51 < dirac1> And.. one from Digital Ocean.
21:51 <@krzee> exactly my point
21:51 <@krzee> !blog
21:51 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
21:51 < dirac1> Yes.
21:51 < dirac1> :)
21:51 < dirac1> This is a simple VPN server for me..
21:51 <@krzee> yes your goal is to redirect your clients internet over the vpn?
21:51 < dirac1> Yes.
21:52 <@krzee> ok well thats what redirect-gateway does
21:52 <@krzee> now go to both your config files
21:52 <@krzee> see every config option, and go read about it in the manual
21:52 <@krzee> learn how your setup is configured :-p
21:54 < dirac1> Found it, yes now i remember .
21:54 < dirac1> The next step is to add this to My networkManager as a user?.
21:56 <@krzee> if you like
21:56 <@krzee> irrelevant to here
21:58 < dirac1> Uh..
22:01 < dirac1> I'm connected... but for some reason i can't use firefox.
22:01 < dirac1> And i just can ping to the devices inside the network (me and the server)
22:22 <@krzee> !redirect
22:22 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
22:22 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
22:22 <@krzee> use the flowchart
22:24 < rob0> ... Luke!
22:29 <@ordex> I am your father @_@
22:34 < skyroveRR> !windows
22:34 <@vpnHelper> "windows" is (#1) computers are like air conditioners, they work well until you open windows., or (#2) http://secure-computing.net/files/windows.jpg for funny, or (#3) http://secure-computing.net/files/windows_2.jpg for more funny
22:36 < skyroveRR> Hey, is the older 2.3.10 or something binary meant for XP capable of acting as a server as well or just as a client? Need to make it into a server...
22:37 < skyroveRR> * older openvpn binary for windows XP.
22:43  * skyroveRR is confused..
22:44 <@krzee> both
22:44 <@krzee> based on your config
22:44 < skyroveRR> And it'll use TAP mode, right? Or tun?
22:44 < skyroveRR> * TUN
22:45 <@krzee> whatever
22:45 < skyroveRR> ..
22:45 < skyroveRR> Alright.
22:47 < skyroveRR> krzee: openvpn on windows is something I've never ventured into.
22:49 <@krzee> samesame
22:49 <@krzee> except full paths are a lil different
22:49 <@krzee> and if you want autostart, after you get it working manually you can use the windows service
22:49 <@krzee> theres some windows specific options in the manual as well
22:51 < skyroveRR> Yeah, I read the howto, but I was just confused because the howto wasn't clear whether I'd have to access services.msc on some REAL windows server like WIndows 2K3/2K8/2K12 or a windows client system like XP and the like..
22:51 <@krzee> all of the above
22:52 <@ordex> samesame but different!
22:54 <@krzee> !'
22:54 <@krzee> somebody gets it!
23:12 < pylearner> I changed the hostname of my server and having issues getting openvpn back up and running
23:14 <@krzee> !logs
23:14 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
23:18 < saliak_> I’m getting “TLS Error: cannot locate HMAC in incoming packet” when trying to connect to my server.  I have included tls-auth inline in my openvpn config file.  any ideas? or ways to get more detail?
23:24 <@krzee> when you added tls-auth inline did you also use key-direction?
23:24 <@krzee> !ios
23:24 <@vpnHelper> "ios" is (#1) See the iOS FAQ here - https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline might be useful
23:24 <@krzee> see #2 for info
23:38 < saliak_> yeah
23:43 < saliak_> i’ve been following https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04.     also having issues with ./build-key client1.   for some reason it’s not able to load the CA private key
23:48 <@krzee> !blog
23:48 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
23:48 <@krzee> for generating certs use:
23:49 <@krzee> !easy-rsa
23:49 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
23:49 <@krzee> thats version 3 ^
23:51 < saliak_> ok
23:52 <@krzee> i personally used xca last time i used something, it was pretty nice but nobody has made a step by step walkthrough
23:52 <@krzee> theres just:
23:52 <@krzee> !xca
23:52 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa., or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
23:52 <@krzee> but when i used it, i started with that and made some changes for myself
23:52 < saliak_> hrm
23:52 < saliak_> i’m not sure what’s wrong with the tools that i was using
23:53 < saliak_> but i guess we just assume it’s wrong?
23:53 <@krzee> not sure either, i dont know the walkthrough you were following... but i can tell you that learning whats going on is better
23:53 <@krzee> so once you make your pki we can work towards whatever your goal is
23:54 < saliak_> ok
23:54 <@krzee> !goal
23:54 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
--- Day changed Thu May 25 2017
00:00 < saliak_> I would like to access my work LAN on the road
00:14 <@krzee> !serverlan
00:14 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
00:36 <@ordex> !theresafactoidforeverything
00:36 <@ordex> !almost!
00:39 <@krzee> it's been a long process lol
00:39 <@krzee> i think i started vpnHelper somewhere around 2009 maybe
00:39 <@krzee> just kinda guessing
00:39 <@krzee> maybe 2008
00:43 <@krzee> he keeps growing, sometimes i read !factoids and get surprised at some of his stuff
00:43 <@krzee> !factoids
00:43 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
00:44 <@krzee> lol i see as has gotten polluted again :D
00:53 <@ordex> :P
00:53 <@ordex> !wikipedia
00:53 <@ordex> I Wanted to push it to its limits
00:55 <@krzee> boom cleaned it
00:55 <@krzee> next !factoids update will have that empty key clear
00:55 <@krzee> sqlite> delete from factoids where key_id=262;
01:04 <@ordex> how about 42 ?
01:04 <@ordex> !next
01:04 <@ordex> nothing ..
01:04 <@ordex> !help
01:04 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
01:04 <@ordex> !list
01:04 <@vpnHelper> Admin, BadWords, Channel, ChannelLogger, Config, Factoids, FloodPrevent, Misc, Owner, Relay, Seen, Services, User, Weather, and Web
01:05 <@ordex> !help weather
01:05 <@vpnHelper> (weather <US zip code | US/Canada city, state | Foreign city, country>) -- Returns the approximate weather conditions for a given city.
01:05 <@ordex> !weather 'Hong Kong'
01:05 <@vpnHelper> Error: Could not find weather information.  (This may be a bug. If you think it is, please file a bug report at <http://sourceforge.net/tr acker/?func=add&group_id=58965&atid=489447>.)
01:05 <@ordex> ...
01:05 <@ordex> fail
01:05 <@ordex> !weather 'Rome, ITaly'
01:05 <@vpnHelper> Error: Could not find weather information.  (This may be a bug. If you think it is, please file a bug report at <http://sourceforge.net/tr acker/?func=add&group_id=58965&atid=489447>.)
01:05 <@ordex> !weather Rome, Italy
01:05 <@vpnHelper> Error: Could not find weather information.  (This may be a bug. If you think it is, please file a bug report at <http://sourceforge.net/tr acker/?func=add&group_id=58965&atid=489447>.)
01:06 <@ordex> krzee: do something !
01:06 <@ordex> :D
01:07 <@krzee> !plugin
01:07 <@krzee> !help plugin
01:07 <@vpnHelper> Error: There is no command "plugin".
01:08 <@krzee> !help unload
01:08 <@vpnHelper> (unload <plugin>) -- Unloads the callback by name; use the 'list' command to see a list of the currently loaded callbacks. Obviously, the Owner plugin can't be unloaded.
01:08 <@krzee> !help unload weather
01:08 <@vpnHelper> Error: There is no command "unload weather".
01:08 <@krzee> !unload weather
01:08 <@vpnHelper> Joo got it.
01:08 <@krzee> boom something has been done
01:08 <@krzee> !weather rome
01:09 <@krzee> if you're clever i know how you can crash him
01:09 <@krzee> !msg
01:09 <@vpnHelper> "msg" is (#1) to see vpnHelper's factoids in msg instead of the channel, /msg vpnHelper factoids whatis #openvpn <key>, or (#2) so to see !configs in msg, you would type /msg vpnHelper factoids whatis #openvpn configs, or (#3) you can also just see !factoids for a link to the full list of what the bot knows
01:13 <@ordex> :P
01:13 <@ordex> I don't want to crash it
01:13 <@ordex> I only wanted to know the weather
01:13 <@ordex> :D
01:21 <@krzee> haha
01:27 <@ordex> !help seen
01:27 <@vpnHelper> (seen [<channel>] <nick>) -- Returns the last time <nick> was seen and what <nick> was last seen saying. <channel> is only necessary if the message isn't sent on the channel itself.
01:27 <@ordex> !seen ordex
01:27 <@vpnHelper> ordex was last seen in #openvpn 4 seconds ago: <ordex> !help seen
01:36 < skyroveRR> !seen plaisthos
01:36 <@vpnHelper> plaisthos was last seen in #openvpn 1 day, 15 hours, 4 minutes, and 56 seconds ago: <plaisthos> skyroveRR: thanks
01:36 < skyroveRR> Nice.
07:29 < moeSizlak> how can i listen on multiple ports (same server & config)
07:58 < pylearner> if i changed my hostname to my machine do i need to rebuild certificates etc
08:00 < segwent> moeSizlak: one --port per config
08:00 < segwent> pylearner: pki is valid what ever your host name is .. but if you want the CN = hostname you need a new cert/key
08:01 < pylearner> segwent, i imagine i am having other issues
08:10 < pylearner> segwent, on second thought i have to start the server with systemctl start openvpn@oldhostname
08:10 < pylearner> so i am assuming i assigned a cn = or somehting
08:10 < segwent> @oldhostname is incorrect .. it is @configfilename
08:11 < pylearner> segwent, ok so i just need to rename config file
08:12 < segwent> if you want to .. it is just a filename
08:12 < pylearner> so openvpn@name.conf
08:12 < segwent> !systemd
08:12 <@vpnHelper> "systemd" is (#1) the devil!, or (#2) At least for those who wants keep living in the past ...., or (#3) Have troubles with OpenVPN and systemd? Try reaching out to dazo
08:13 < segwent> well .. it is openvpn@filename.service
08:13 < ExoUNX> daaaaamn you systemd! you strike again!
08:13 < segwent> the .conf is iplied via the systemd unit file in use
08:13 < segwent> systemd is uber cool :D
08:15 < pylearner> when trying to start the server i get an error opening config file name.conf
08:17 < segwent> what is $name of config file and $where is it located ?
08:19 < pylearner> Error opening configuration file:
08:19 < pylearner> server.conf is the name of the config file
08:20 < segwent> and so '# systemctl start openvpn@server'
08:21 < segwent> # = as root .. maybe sudo
08:21 < pylearner> Socket bind failed on local address [AF_INET]192.168.0.2:1194
08:21 < pylearner> now i get this
08:21 < pylearner> my ip is now 192.168.0.100
08:22 < pylearner> ok removed local that ip in config all is well
08:22  * segwent hangs 10
11:25 < DArqueBishop> jamesl: if you haven't read it yet...
11:25 < DArqueBishop> !howto
11:25 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
11:25 < DArqueBishop> Also...
11:25 < DArqueBishop> !redirect
11:25 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
11:25 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
11:32 < jamesl> !welcome
11:32 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
11:32 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
11:32 < jamesl> !1925
11:32 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
11:42 < jamesl> !def1
11:42 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
11:56 < vahe> hi all, help pls https://bpaste.net/show/14f31d48bdb7
11:57 < DArqueBishop> vahe:
11:57 < DArqueBishop> !logs
11:57 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
11:58 < vahe> !logfile
11:58 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
11:59 < [E]sc> !nat
11:59 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
12:03 < vahe> omg
12:07 < vahe> !man
12:07 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
12:08 < vahe> DArqueBishop: and can you explain in a normal language?
12:08 < vahe> :D
12:08 <@krzee> !logfile
12:08 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
12:08 <@krzee> without real logs we cant help
12:09 < vahe> service openvpn --log start?
12:09 <@krzee> lol no
12:09  * skyroveRR throws a furry cat at krzee 
12:09 <@krzee> put an entry in your openvpn config to specify a logfile
12:09 <@krzee> bbl
12:09 < vahe> there written very romantic but I have now just run OpenVPN
12:10 < vahe> I do not know much English and do not understand
12:11 < vahe> krzee: can tell example?
12:11 < vahe> # openvpn --daemon ?
12:11 < vahe> or what?
12:12 < vahe> config ?specify?
12:15 < vahe> why the program does not create a log by default?
12:17 < rob0> By [a very sensible] default, --daemon sends all logging to syslog.
12:18 < rob0> Another very sensible default is that --daemon must be specified.  While troubleshooting a new config, you can run it without that, and you see all the logging right there in console.
12:19 < rob0> see also "--verb" in the manual.
12:21 < rob0> You might also not understand that service(8) is a thing provided by your distro.  Here we support openvpn, not the scripts your distro uses to activate and control it.
12:21 < rob0> Sigh.
12:50 < [E]sc> !def1
12:50 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
12:51 < [E]sc> !man
12:51 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
15:49 < jamesl> thanks
15:49 < jamesl> you just helped me do it!
15:49 < jamesl> I did it! my VPN works!
15:49 < jamesl> wooo!
15:58 < rob0> the bot helped you figure it out?  Awesome, congrats!
16:04 < eugenmayer> hello. I have a routed connection to a server. My tunnel network is 172.21.0.0/24, the dest LAN is 10.1.0.0/16 .. while the actual "LAN" of the server i cannot to is 10.1.7.0/24 . I can access 10.1.7.0/24 without any issues, but i cannot access 10.1.6.0/24
16:05 < eugenmayer> 10.1.6.0 is offered using a tinc tunnel https://hastebin.com/ulosimepil.cs
16:05 <@vpnHelper> Title: hastebin (at hastebin.com)
16:05 < eugenmayer> using tcpdump, i see that the package arrives at the opn interface ( ICMP ) but never goes further to tinc0
17:48 < xx00__> hi — I’m running into a DNS error (I think) when trying to install openVPN on a router running OpenWRT
17:48 < xx00__> I’m running into this: wget: bad address 'downloads.openwrt.org'
17:48 < xx00__> [6:39pm]
17:48 < xx00__> From reading the OpenWRT folders, it seems that it could be caused by dnsmasq from /etc/init.d
17:55 < rob0> that is not an openvpn problem
17:58 < xx00__> what IRC channel would you recommend?
18:01 < rob0> #openwrt is probably best for openwrt issues
18:25 < xx00__> thanks
19:21 < segwent> ?
19:22 < segwent> just testing connect
19:36 <@krzee> lol
21:19 <@ordex> aloha
21:22 < saliak_> I’ve got openvpn working to where i can connect to my VPN and connect to systems and resources by their LAN IP.  I would like the network to be bridged, however, so all the bonjour/Avahi stuff works.   I followed https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, the first example, but itdoesn’t work (dont’ see the network file shares, etc.).  should it work (broadcast messages go from the Lan back to the tun ?
21:27 -!- xx00___ is now known as xx00__
21:58 -!- saliak_ is now known as saliak
22:20 < _FBi> saliak, can you ping them?  (
22:21 < saliak> yeah, i can get to everything, but the broadcast packets don’t go between
22:21 < saliak> my understanding is that is the difference between real bridging, and a route
22:21 < saliak> but this is all new stuff for me.
22:21 < _FBi> do they have a firewall?
22:22 < _FBi> new for me, I'm trying to help brain storm
22:22 < saliak> when i connect my computer to my LAN, all my network shares appear so i don’t think it’s related to them
22:22 < saliak> there is a firewall on my vpn server, but my policy between VPN and LOC is to accept both ways
22:22 < saliak> I’ve also tried creating a bridged network interface.  give me a sec, creating the gist with all the info
22:27 <@ordex> saliak: are you using tun or tap to connect to your LAN ?
22:28 < _FBi> ^
22:29 <@ordex> >
22:29 < saliak> i’ve tried both.  tun works in the case where i can connect to my network, but need to access everything by ip address and don’t see broadcast
22:30 < saliak> tap should be used for bridged, right?  i’ve tried that as well, but it works even less (can’t get to anything on the network
22:31 <@ordex> if you want to forward broadcast traffic, then you definitely need to use tap and bridge it with your LAN on the server side
22:31 <@ordex> tun won't transport broadcast
22:31 <@ordex> so you have to focus on tap and make it work, if that's the goal
22:32 <@ordex> !routelan
22:32 <@ordex> mh
22:32 <@ordex> !factoids
22:32 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
22:33 <@ordex> !bridging
22:33 <@vpnHelper> "bridging" is (#1) Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you, or (#2) See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
22:33 <@ordex> ok, this is the guide you are following already
22:33 <@ordex> where do you get stuck ?
22:36 < saliak> https://gist.github.com/kailasnarendran/8b3c5723a7848eff48806798f25df573
22:36 <@vpnHelper> Title: gist:8b3c5723a7848eff48806798f25df573 · GitHub (at gist.github.com)
22:36 < saliak> orderx: yeah, ive been following that
22:37 < saliak> which was the basis for https://gist.github.com/kailasnarendran/8b3c5723a7848eff48806798f25df573
22:37 <@vpnHelper> Title: gist:8b3c5723a7848eff48806798f25df573 · GitHub (at gist.github.com)
22:37 <@ordex> what is this ?
22:37 < saliak> ]i’ve also tried creating the bridged interface
22:37 <@ordex> why do you have the same ip on both eth2 and br0 ?
22:38 < saliak> it’s my server conf as well as my shorewall rules (basically allowing packets between vpn/loc/fw and drop from net.    i’m trying to bridge my vpn connection (tap0 when bridged) to eth2.  when i connect routed (as described in the BridgingAndRouting in wiki), i dont get the broadcast
22:39 <@ordex> yeah, the second part is expected
22:39 < saliak> orderx great question.  i’ve never bridged before and dont’r eally uynderstand it or what it really even is.
22:39 <@ordex> argh
22:40 <@ordex> then before getting to the vpn you should first understand what bridging means
22:40 < saliak> yes
22:40 <@ordex> this is not an openvpn concept but something you can play with in general
22:40 <@ordex> if that concept is not clear you just risk to run in circle for days
22:40 < saliak> any good resource to review?
22:41 <@ordex> mhhh not sure
22:41 <@ordex> I haven't searched something about that in a while
22:41 <@ordex> maybe krzee has some suggestions
23:13 < saliak> orderx : hows this look for a bridging overview?
23:14 < saliak> seems pretty easy, but gives me litte insight into why things don’t work
23:18 <@ordex> ?
23:18 <@ordex> what ?
23:24 < saliak> orderx: sorry, https://wiki.debian.org/BridgeNetworkConnections
23:24 <@vpnHelper> Title: BridgeNetworkConnections - Debian Wiki (at wiki.debian.org)
23:28 <@ordex> saliak: if you don't spell my nick correctly you will never highlight me :P
23:28 < saliak> ah, right
23:28 <@ordex> saliak: that looks like a guide to configure bridging on debian
23:28 <@ordex> saliak: I think you need to understand what bridging means first
23:28 <@ordex> before configuring it
23:29 < saliak> ordex: yeah.  haha, it does provide a example (dorm room).  anyway, still looking for something better.
--- Day changed Fri May 26 2017
00:52 < jayjo> If I have an access server in aws using openvpn, I can remotely connect to the vpc and private subnet from anywhere. Can I somehow include my home network into that vpc?
01:16 <@krzee> jayjo:
01:16 <@krzee> !AS
01:16 <@vpnHelper> "AS" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
01:19 <@krzee> ordex: actually i cant help people with bridge setups
01:19 <@krzee> i just convince them why they want tun instead of tap
01:19 <@krzee> until eventually theres a decent reason to extend layer2 over to other networks
01:19 <@krzee> then i leave them alone and wish them luck
01:20 <@krzee> but if anybody needs help with a routed setup, np
01:51 <@ordex> :D
01:51 <@ordex> krok
01:51 <@ordex> krzee: ok
01:56 < skyroveRR> Hey plaisthos, is there a way to debug your android app? :) I've got the app on my Samsung phone running android 6.0, and it seems that if you turn on the data connection, but don't get internet connectivity, and you still try to bring up the VPN tunnel, the app will become unresponsive for a few seconds till it realises there's no network. I mean, no button or menu bar works while the VPN tunnel is
01:56 < skyroveRR> being bought up.
02:53 < b3d0u1n> Is there a place I can get support for / report bugs related specifically to the iOS client?
04:09 < UNIm95> Hi 2 all.
04:14 < UNIm95> I have problem with OpenVPN client config. Under Linux(Ubuntu, CentOS) OpenVPN works great. When I export linux config to Windows i cannot get connection.
04:14 < UNIm95> After some tests i noticed that without option route '192.168.5.0' '255.255.255.0' '0.0.0.0' it works under Windows too.
04:14 < UNIm95> But this option routes traffic only for hosts in 192.168.5.* network.
04:14 < UNIm95> I cannot get connection from Windows host in 192.168.5.* network
04:17 < UNIm95> How should i change config to enable routing to hosts in 192.168.5.* but the whole Internet should be accessed directly without VPN?
04:48 <@ordex> why 0.0.0.0 at the end ?
04:48 <@ordex> shouldn't that be the gateway ?
05:03 < UNIm95> ordex: which gateway? of 192.168.5.* network?
05:04 < cristian> !welcome
05:04 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
05:04 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
05:06 <@ordex> UNIm95: yap
05:07 <@ordex> UNIm95: from the man: --route network/IP [netmask] [gateway] [metric]
05:07 < UNIm95> ordex: but this will route all traffic thought VPN. But i need it only for some hosts
05:09 <@ordex> what do you mean with "this" ?
05:09 <@ordex> you said you are using the option route and I just pasted the usage of that option
05:10 <@ordex> what you are specifying as 0.0.0.0 is what the route option expects to be the gateway
05:10 <@ordex> if you just want to route over the VPN, maybe you should just no specify any specific gateway
05:10 <@ordex> UNIm95: ^^
05:16 < UNIm95> ordex: I have understood option route <network> <mask> as "routing only for hosts in <networt> <mask>
05:16 < UNIm95> here is link for my actual config that works under linux: http://pasteall.org/411755
05:16 < UNIm95> if i change 0.0.0.0 to gateway-ip it stops working under linux but works under windows.
05:17 <@ordex> why don't you just omit the gateway IP if the goal is to routw that subnet over the VPN ?
05:17 <@ordex> *route
05:17 <@ordex> it could be that the linux command is a bit smarter and ignores the 0.0.0.0 while on windows this fails
05:18 <@ordex> you could just specify route 192.168.5.0 255.255.255.0
05:18 < UNIm95> ordex: Ok. I'm trying it now
05:23 < UNIm95> ordex: you are right! but there is still some problems
05:23 < UNIm95>  Now i got connections in Windows with hosts in 192.168.5.* network but all traffic under widows goes through  VPN.
05:23 < UNIm95> In linux google is accessed directly. I checked it with traceroute command
05:23 <@ordex> uhm
05:24 <@ordex> could you paste your windows config please?
05:24 <@ordex> (and also the server config)
05:31 < UNIm95> ordex This config, that i pasted, was exported from NetworManager GUI(ubuntu) and is used with windows too. I only deleted 0.0.0.0 in win config.
05:31 < UNIm95> Server config: http://pasteall.org/411771
05:31 < UNIm95> It all is pretty default
05:32 <@ordex> !config
05:32 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
05:32 <@ordex> !configs
05:32 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
05:32 <@ordex> UNIm95: ^^ please check this - better remove the comments, otherwise it become cumbersome to read it
05:36 < UNIm95> ordex: http://pasteall.org/411774 OS Debian 7
05:36 <@ordex> UNIm95: 	1	push "redirect-gateway def1"
05:37 <@ordex> you configured the server to inject the default route via the VPN
05:37 <@ordex> it is expected that all the traffic goes through the VPN
05:38 < UNIm95> ordex: Damn! I have forgot to remove this option!
05:38 < UNIm95> wait a minute.
05:45 < UNIm95> Under windows works! Under linux too!
05:45 < UNIm95> ordex Thanks! But now i have other question: Why Linux has ignored this option on server side?
05:53 <@ordex> I have no idea
05:53 <@ordex> the log may know why
07:44 <@krzee> UNIm95: whats that question?
07:45 <@krzee> what option did it ignore server-side?
08:14 < UNIm95> krzee: Linux host have ignored option push "redirect-gateway def1" Windows host not
08:20 <@ecrist> lgos?
08:20 <@ecrist> logs even
10:14 <@krzee> UNIm95: you'll need to post logs of it if youd like us to take a look
10:15 <@krzee> !logs
10:15 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
10:15 <@krzee> because we use that feature often with linux, it works fine
10:46 < skyroveRR> Evening.
11:08 < nicola_pav> hi all. I installed openvpn-as for centos on AWS linux AMI that is similar
11:08 < nicola_pav> I am having errors when I start the server
11:09 < nicola_pav> Linux ifconfig failed: could not execute external program
11:09 < nicola_pav> any hint please what could it be?
11:17 < UNIm95> krzee: I noticed the difference. In NM GUI i checked Ignore received routes. This why Linux ignored  VPN server option push "redirect-gateway def1"
11:17 <@krzee> ahh ok, ya nm fail
11:30 < [E]sc> i'm using openvpn with the server and client on the same machine,..when i tried checking if it was working, the IP shows up the same on those dns testers.  is this normal because i routed it through the same computer? or is my openvpn not configured correctly?
11:30 < jayjo> is there anything that openvpn access server can do that openvpn on its own (community edition) is not capable of?
11:32 < rob0> jayjo, it has a GUI and an automatic user configurator, but in terms of network functionality, the GPL version is probably ahead of AS.
11:33 < rob0> [E]sc, "server and client on the same machine" makes my head hurt.  What is the goal of this?
11:35 < [E]sc> rob0, sorry i'm new, i was hoping to create a VPN... but i only have one machine...so i guess this doesn't work then?
11:48 < jiquera> @plaisthos openvpn for android keeps crashing on OnePlus3t when using credential store
11:49 < rob0> Usually a VPN is a means to an end, such as to secure communications from one host/LAN to another.  Communications on one machine are already secure (against network attacks, that is.)
11:49 < jiquera> using the same config file without importing but using the pkcs12 data inline works fine
11:49 < rob0> If an attacker is able to sniff traffic on your loopback interface, you have already lost.
11:50 < jiquera> it asks me to send a crashdump... but im a bit reluctant due to data sensitivity here
12:00 < [E]sc> rob0, so i guess using this method so i could browse the web securely was the wrong way?
12:02 < jiquera> @plaisthos also it remembers the password i set after switching between keystore and inline file.... this might not be desirable as it means that the full credentials are also stored outside of the keystore
12:10 < rob0> Ah, so THAT was your goal, [E]sc ... no, all you can do is replace your IP address with your IP address, so no, that does not secure your web browsing at all.
12:12 < [E]sc> rob0, now i understand,...is there a way to create what i want using the limited resources i have?
12:14 < rob0> I think some VPN services have free trials or free levels of service, but I don't use anything like that.
12:14 < rob0> Another option is to get a VPS and set up your VPN through that.
12:24 <@krzee> i use openvpn for android on oneplus 3t
12:24 <@krzee> but no credentials stored
12:25 <@krzee> if you wanna gimme a temp account or something id be happy to test it from here to see if it happens here too
12:25 <@krzee> im on oxygenOS 4.1.3 android 7.1.1
12:25 <@krzee> jiquera: ^
12:26 <@krzee> if i dont have the same problem we can figure out whats different for you... if i do then i can help plaisthos with his bug report
12:27 < jiquera> ehhhm... wait im having dinner plus i need to think how to do this without exposing data
12:27 < jiquera> is it possible for you to quickly put your certs in a pkcs12 and try it on your own server?
12:27 <@krzee> understood and fair
12:28 <@krzee> oh you just have certs?
12:28 <@krzee> i assumed login/pass
12:28 <@krzee> why dont you just use inline like android wants?
12:28 <@krzee> is that some sort of issue?
12:28 < jiquera> i generated p12 with easyrsa and then b64 with openssl
12:29 <@krzee> nice is there an issue with just tossing the crt ca and key into the config?
12:29 <@krzee> android wont need to keep the files, it'll put them inline
12:29 <@krzee> !inline
12:29 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
12:29 <@krzee> like, is this worth me helping to figure out?
12:30 <@krzee> cause if you just want it to work, i can get you working easy
12:31 <@krzee> or is this something you need to do a lot of and having p12 will help a ton?
12:31 <@ecrist> Anyone on windows in here?
12:31 <@ecrist> Don't try going to file:///c:/$MFT/foo
12:31 <@krzee> i almost hit !ask before i saw who asked it
12:31 <@krzee> hahahah
12:31 < jiquera_> and im back
12:32 <@krzee> ecrist: what happens?
12:32 < jiquera_> i got dropped :p
12:32 <@ecrist> krzee: your system hardlocks
12:32 <@ecrist> only way out is to force a reboot
12:32 < jiquera_> using the webinterface here :)
12:32 <@krzee> jiquera_:
12:32 <@ecrist> no way to patch for it yet
12:32 <@krzee> [10:22] <krzee> nice is there an issue with just tossing the crt ca and key into the config?
12:32 <@krzee> [10:22] <krzee> android wont need to keep the files, it'll put them inline
12:32 <@krzee> [10:22] <krzee> !inline
12:32 <@krzee> [10:22] <vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
12:32 <@krzee> [10:22] <-- pdobrogost (uid195495@gateway/web/irccloud.com/x-zcwqmufkynrnhdrn) has left this server (Quit: Connection closed for inactivity).
12:32 <@krzee> [10:22] <krzee> like, is this worth me helping to figure out?
12:32 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
12:32 <@krzee> [10:23] <-- stefanauss (~stefanaus@95.142.177.153) has left this server (Ping timeout: 268 seconds).
12:32 <@krzee> [10:23] <krzee> cause if you just want it to work, i can get you working easy
12:32 <@krzee> [10:24] <krzee> or is this something you need to do a lot of and having p12 will help a ton?
12:32 <@krzee> ecrist: awesome!
12:33 < jiquera_> well the point is that users need to be able to do this themselves
12:33 < jiquera_> but fair enough
12:33 < jiquera_> i go for a working solution now
12:33 < jiquera_> that'll help
12:34 < [E]sc> rob0, thanks for much. i'll look into that.
12:35 < jiquera_> just so you know where it goes wrong: I have config with inline pkcs12; when i import it in the app it asks to import the certs into android keystore; I say yes + pass and allow the app access; then in the config I can see it can access the credentials; but when i start the connection it crashes
12:36 < jiquera_> well not the app but the process doing the tunnel
12:36 < jiquera_> not sure if I use the correct naming... is it clear?
12:39 <@krzee> cool i will give it a shot too
12:39 <@krzee> but now i dont need to hurry for you ;]
12:39 <@krzee> if you couldnt get working id hurry more for ya
12:39 <@krzee> ya, i get what you mean
12:40 < jiquera_> nah i have connection, just want to up the security
13:02 < anexit> Running a openvpn server, whats the best way to upgrade the cyphers without breaking 300 clients?
13:03 < anexit> WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
13:03 < anexit> Would love to mitigate this ^
13:03 < jayjo> is there any reason open vpn would need to run on its own instance, or can it be on my primary aws instance (currently only one)
13:04 <@krzee> jiquera_: up the security how?
13:04 <@krzee> using a p12 over inline certs should not be more secure
13:04 < jiquera_> by not storing keys and their passwords in the internal storage
13:04 <@krzee> either way once your device has been rooted you're done with
13:04 < jiquera_> no but using android keystore should be
13:04 <@krzee> as an attacker i see no difference
13:05 <@krzee> it's just a matter of taste in my opinion
13:06 < jiquera_> rooting fair enough... but at the moment any app with storage access basically has access to the vpn
13:06 < jiquera_> eg. the galery happ
13:06 < jiquera_> app
13:06 <@krzee> umm no
13:06 <@krzee> you remove the files after you setup the vpn
13:06 <@krzee> they arent needed after you import
13:06 < jiquera_> yeah i do
13:06 <@krzee> so, no
13:06 <@krzee> gallery wouldnt have access
13:06 <@krzee> unless gallery scores root ;]
13:06 < jiquera_> but they're still stored in the app cach right?
13:06 <@krzee> not for all apps to see
13:07 <@krzee> root, sure
13:07 < jiquera_> fair enough
13:07 < jiquera_> well ok maybe it wont make much of a difference... however it shouldnt crash regardless :p
13:09 <@krzee> right, it should not
13:09 <@krzee> that much im sure of!
13:09 <@krzee> haha
13:52 <@krzee> !p12
13:52 <@vpnHelper> "p12" is openssl pkcs12 -export -out filename.p12 -inkey filename.key -in filename.crt -certfile ca.crt
14:29 <@krzee> ok made my p12 inline config jiquera
14:30 <@krzee> tested in linux and it works, going to test on oneplus 3t now
14:33 <@krzee> ya man, works fine here
14:33 <@krzee> no crash, im connected after importing the cert into android keystore
14:34 <@krzee> jiquera: ^
14:34 < jiquera> ok hm
14:34 <@krzee> oh and then i had to choose which cert from keystore and give openvpn permission to it, of course
14:34 <@krzee> but never crashed, connected in just fine
14:34 < jiquera> yeah did the same
14:34 < jiquera> hmmm
14:35 < jiquera> then maybe it's a combination with some weird config settings or something...?
14:35 <@krzee> you also on oxygen 4.1.3?
14:35 < jiquera> i mean it works just fine without the import
14:35 <@krzee> dunno, i can try yours if you want me to
14:35 < jiquera> yup
14:35 <@krzee> but i understand not wanting me to
14:36 <@krzee> you dont know me... i wouldnt expect you to
14:36 < jiquera> well i can setup something but it will take time (which i dont have now)
14:36 < jiquera> do you use tls-crypt?
14:36 <@krzee> not on that config
14:36 < jiquera> shouldn't matter right?
14:36 <@krzee> right
14:37 <@krzee> however, who knows whats doing it
14:38 < jiquera> I'll try a few things tomorrow, and create test account for you guys
14:39 < jiquera> i'm a bit puzzled that it works fine if I'm not using the keystore... sort of indicates it's not the config
14:39 <@krzee> well
14:39 <@krzee> works fine for me when it is
14:39 < jiquera> yeah true that
14:39 < jiquera> hehe
14:39 <@krzee> sort of indicates its your device
14:40 < jiquera> did you root your phone?
14:40 <@krzee> lemme check
14:40 <@krzee> shouldnt matter tho
14:40 <@krzee> unless you're doing other stuff
14:40 <@krzee> like a buggy xposed addon or something
14:40 < jiquera> and you didn't import anything besides what the openvpn app does
14:40 <@krzee> nah this one isnt rooted
14:40 <@krzee> ya i just let it walk me through the process
14:41 < jiquera> yeah same here
14:41 <@krzee> i had to manually select my ta.key cause it wasnt auto found
14:41 < jiquera> maybe i disabled some google thing that it needs...
14:41 <@krzee> but i normally select all my files so thats pretty normal for me
14:41 <@krzee> disabling google services permissions gives ALL SORTS of random fubars
14:41 <@krzee> dunno if that could be one
14:41 < jiquera> yeah but usually i stay away from services
14:42 < jiquera> i only disable apps like music store etc
14:42 <@krzee> i mean like the google playstore, and other google apps
14:42 < jiquera> but ill check
14:42 <@krzee> oh well i disable those apps too
14:42 < jiquera> nah thats all good
14:42 <@krzee> but not permissions from google apps like playstore etc
14:43 < jiquera> google drive?
14:44 < jiquera> oki i'll enable everything again tomorrow and retry
14:48 < jayjo> I'm trying to connect to openvpn from an ubuntu machine, I downloaded the client with apt-get install openvpn, how do I retrieve the client.ovpn file?
14:50 < jiquera> krzee: did you have password on your pkcs12 file?
15:02 < jayjo> I found it - sorry
16:08 < linuxplease> hi. any ideas what's going on here? this works fine on el5 https://pastebin.com/raw/ZQLXS2jB
17:13 < linuxplease>  nevermind my question im an idiot
17:22 <@krzee> i usually ignore the ones that come with 0 explanation and 0 questions
17:42 <@krzee> plaisthos: that guy had something messed up on his phone, i have the same phone as him and inline p12 works fine, even with encrypted privatekey
18:14 < sentriz> hello, i'm trying to only route 192.168.1.x traffic though my ovpn server. `route-nopull; route 192.168.1.0 255.255.255.0` doesn't work - when i connect to the server and google "what is my ip" it shows the server's ip - even though that isnt lan traffic. here is the config: http://termbin.com/mift
18:15 < sentriz> please highlight me if you've got a reply. thank you :)
18:32 < TheSov> having a bit of a routing issue between 2 networks wherein there is a openvpn host on one side and a client router on the other.
18:32 < TheSov> seems the client router can connect fine and a static route has been entered in the local gateway but up attempt to connect i get TTL errors
18:32 < TheSov> little help?
--- Day changed Sat May 27 2017
08:52 <@krzee> TheSov: still having your problem?
08:53 <@krzee> sentriz: you control the server? why would you be using route-nopull? just configure routes how you want them!
08:53 <@krzee> TheSov: see !route if you are trying to route to/from the lans
10:29 < sideonee> hey all. i am running LEDE Reboot 17.01.0 r3205-59508e3 on a Linksys WRT1900ACS. ive noticed that after a while the vpn connection to privateinternetaccess will get stale, the tunnel appears up, but i only see oneway traffic. this seems to happen every day or two. i am also running openvpn-policy-routing with a strict deny if the tunnel is down. i wonder if the tunnel is dropping and not reconnecting properly even through the
10:29 < sideonee> tunnel is formed?  heres my conf ->   https://pastebin.com/ei7H3J8p  Any ideas? tia.
10:29 < sideonee> here is the reconnect log from this morn. https://pastebin.com/vfZMfEsk
10:30 < sideonee> would ping-restart help?
10:34 <@krzee> you need support from your provider
10:34 <@krzee> !provider
10:34 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team., or (#2) Please contact their support team.
10:44 < SviMik> !gigabit
10:44 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
11:29 -!- remirol is now known as lorimer
13:33 -!- rob0 is now known as _smug_
13:33 -!- _smug_ is now known as rob0
21:27 -!- alexandre9099_ is now known as alexandre9099
--- Day changed Sun May 28 2017
01:29 -!- alexandre9099_ is now known as alexandre9099
06:07 < Haxxa> Hi Guys, Before I post my openvpn log would there be anything sensitive I would like to remove first?
06:11 < Haxxa> I changed ISP and my OpenVPN connection now seems to dropout often: http://paste.debian.net/947784/
08:23 < Kaylas> hi, with the latest update i can't use openvpn , it will return "OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned"
08:23 < Kaylas> any suggest?
11:13 < relaz> Hi everybody, somebody who knows how to give the same ip to clients even from two different servers?
11:13 < relaz> I didnt find any command in the manual
15:13 <@krzee> hey SCHAPiE
15:13 < SCHAPiE> so yeah, i delved into OpenSSL, LibreSSL, OpenVPN
15:13 <@krzee> better here, the devs try to pay attention to eachothers scroll in there
15:13 < SCHAPiE> kewl, understood
15:13 <@krzee> SCHAPiE: have you checked out mbedtls?
15:14 < SCHAPiE> yeah i have
15:14 < SCHAPiE> it's PolarSSL right?
15:14 < SCHAPiE> the new name
15:14 <@krzee> right
15:14 <@krzee> iirc after ARM bought it, they named it mbedtls
15:14 < SCHAPiE> Dutch government makes OpenVPN-NL, their own fork
15:14 < SCHAPiE> although, with a deprecated line of PolarSSL
15:14 <@krzee> because it shines in embedded systems
15:15 < SCHAPiE> it makes me suspicious
15:15 <@krzee> actually thats foxconn, they worked direct with the openvpn on it
15:15 < SCHAPiE> yeah indeed, FOX IT
15:15 <@krzee> (the company hired by NL to do it)
15:15 < SCHAPiE> FOXCONN makes macbooks for apple, in CHina :P
15:15 <@krzee> oops, i always do that :D
15:16 <@krzee> but ya, nothing suspicious there
15:16 <@krzee> they had to pass a serious audit for the code to be used, they cant just track a projects code
15:16 < SCHAPiE> https://openvpn.fox-it.com/about.html
15:16 <@vpnHelper> Title: OpenVPN-NL (at openvpn.fox-it.com)
15:16 < SCHAPiE> the info here, is old as well
15:16 < SCHAPiE> BF-CBC is not the default anymore, for a while
15:16 < SCHAPiE> using SHA1 neither
15:17 <@krzee> not for *that* long, but the changes they made are still good
15:17 < SCHAPiE> i think they still use polar 1.3.something
15:17 <@krzee> they were just ahead of the game
15:17 < SCHAPiE> or 1.2.smt even
15:17 <@krzee> ill be slow for a bit, gotta work now =/
15:17 < SCHAPiE> cool
15:17 < SCHAPiE> gonna make food in a moment
15:17 < SCHAPiE> late dinner todayt
15:17 < SCHAPiE> -t\
15:18 < SCHAPiE> bashin' that kb
15:18 < SCHAPiE> Data Channel Decrypt: Cipher 'CAMELLIA-256-CBC' initialized with 256 bit key
15:19 < SCHAPiE> Data Channel Decrypt: Using 512 bit message hash 'streebog512' for HMAC authentication
15:19 < SCHAPiE> Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-CHACHA20-POLY1305, 4096 bit RSA
15:19 < SCHAPiE> i like to use uncommon ciphers
15:19 < SCHAPiE> and hashes
15:19 < SCHAPiE> got nothing to hide rly, but still
15:20 < SCHAPiE> the idea of using the avantgarde of crypto stuff, in a correct manner, feels good
15:20 < SCHAPiE> https://en.wikipedia.org/wiki/Streebog
15:21 <@vpnHelper> Title: Streebog - Wikipedia (at en.wikipedia.org)
15:21 < SCHAPiE> the Руссиан response to SHA3
15:22 < SCHAPiE> that Chacha20 thing is from DJB, it's in 1.1.x as well iirc (OpenSSL)
15:22 < SCHAPiE> i'm not an expert, but i try to understand it all
15:22 <@krzee> im making the switch to ec
15:22 < SCHAPiE> i want a safe curve first
15:22 <@krzee> but instead of uncommon, im going to common
15:22 <@krzee> using the same curve as bitcoin
15:22 < SCHAPiE> until that time, it's my custom DH params, with DHE
15:22 < SCHAPiE> not ECDHE
15:23 <@krzee> i figure if that gets broken, ill probably hear about it before anybody tries to attack me lol
15:23 < SCHAPiE> theoretical safety is important imo
15:23 < SCHAPiE> we have the tools to make it NSA-proof, theoretically
15:23 < SCHAPiE> from what is out there, it should be possible
15:24 <@krzee> the nsa will own the endpoints and laugh at the crypto
15:24 < SCHAPiE> even if nothing to hide
15:24 <@krzee> you can make it fbi proof tho maybe lol
15:24 < SCHAPiE> true
15:24 < SCHAPiE> but still
15:24 <@krzee> i feel you tho, i feel strongly about crypto as well
15:24 < SCHAPiE> everything updated, crypto sophisticated, looking at the traffic, etc
15:25 < SCHAPiE> a lot of secrecy can be obtained
15:25 <@krzee> im guessing theres around 321 people here who do
15:25 <@krzee> im certain vpnHelper is indifferent
15:25 < SCHAPiE> to all the Windows users: use the installer from the OpenVPN page, then inspect the code from my build
15:26 < SCHAPiE> if you like it, use it
15:26 < SCHAPiE> https://woohooyeah.nl/openvpn-built-with-libressl-windows-binaries/
15:26 <@vpnHelper> Title: OpenVPN built with LibreSSL Windows binaries | Woohoo Yeah (at woohooyeah.nl)
15:26 < SCHAPiE> this is not a commercial
15:26 < SCHAPiE> just a fyi
15:27 < SCHAPiE> Git backs it
15:27 < _moep_> why should I build it by myself and run it then under windows?
15:27 < SCHAPiE> in that situation, downloading that premade build seems like a convenient thing, _moep_
15:28 <@krzee> or you could just use the official binaries
15:28 < SCHAPiE> there's no official binaries built with LibreSSL though
15:28 < SCHAPiE> i provide them, just for the windoze
15:29 <@krzee> ya, but thats not a big deal
15:29 < SCHAPiE> i could offer other platforms too
15:29 <@krzee> thats all im saying
15:29 < SCHAPiE> kewl
15:29 <@krzee> the avg person wont care
15:29 < SCHAPiE> i feel ya bro
15:29 < SCHAPiE> absolutely
15:29 <@krzee> the people who do will find ya, first page on google
15:29 < Shaan> Hi guys Im trying to configure openvpn, but for some odd reason i cant for the life of me set the push dns option to use the openvpn server rather then a third party service like google or opendns
15:29 < Shaan> could anyone offer any clarification for this
15:29 < SCHAPiE> like, to use a German word, "Überhaupt"
15:29 < SCHAPiE> not by default
15:30 < SCHAPiE> it depends on the admin
15:30 <@krzee> Shaan: shouldnt matter which you use so long as the vpn client can reach a dns server at the address you put while on the vpn
15:30 <@krzee> !pushdns
15:30 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for
15:30 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
15:30 < SCHAPiE> DNS is a separate story, true
15:31 < SCHAPiE> i made my own 6-to-4 tunnel
15:31 < SCHAPiE> using NDP
15:31 < SCHAPiE> works excellently
15:31 < Shaan> krzee: how do i set it to use the openvpn server i tried.  push "dhcp-option DNS 10.8.0.0"
15:31 < SCHAPiE> some firewalls that recognize the cipher, block the traffic outbound
15:31 <@krzee> thats a network address, you need to use the IP address
15:31 < Shaan> krzee: however that doesn't seem to work, instead i get cannot resolve errors.
15:31 < Shaan> krzee: external public ip?
15:32 <@krzee> im guessing your servers IP will be 10.8.0.0
15:32 <@krzee> err
15:32 <@krzee> im guessing your servers IP will be 10.8.0.1
15:32 < Shaan> krzee: I tried that too however it did not work aswell, only thing that seems to work is when i set a third party dns server like google
15:32 < SCHAPiE> test-ipv6.com gives me a 20/20
15:32 < Shaan> krzee: I tried both of those.
15:32 <@krzee> Shaan: i doubt your dns server is listening on the VPN ip then
15:32 < Shaan> krzee: mind if i paste my config on pastebin for you to take a quick peek?
15:32 < SCHAPiE> or well, 19/20 because of no RDNS on the client
15:32 <@krzee> googles servers work because their servers work
15:33 <@krzee> show me your netstat -ln
15:33 <@krzee> i dont need to see your config
15:34 <@krzee> Shaan: the deal here is that if your dns server doesnt work, your vpn client cant use it :D
15:34 <@krzee> theres nothing special about googles nameserver other than its configured properly... openvpn doesnt care which you set
15:34 < Shaan> krzee: netstat -ln output http://termbin.com/0cie
15:35 < SCHAPiE> http://storage1.static.itmages.com/i/17/0528/h_1496003267_8394030_e9af3ce9b7.png
15:35 < SCHAPiE> ip6 is glorious
15:35 <@krzee> dude you dont even have a nameserver listening
15:35 < SCHAPiE> i did -rn
15:35 < Shaan> krzee: isn't there one automaticlly installed by default on ubuntu?
15:36 < Shaan> I guess not.
15:36 <@krzee> thats almost as ugly as an openwrt firewall SCHAPiE
15:36 < SCHAPiE> it works completely as intended
15:36 <@krzee> Shaan:
15:36 < SCHAPiE> that's erver-side eh
15:36 <@krzee> !notovpn
15:36 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
15:36 < SCHAPiE> *server
15:37 < SCHAPiE> bbl, time to make food
15:39 < Shaan> krzee: thanks!.
15:41 <@krzee> yw =]
15:41 < Shaan> 3
16:37 -!- _FBi is now known as iBF_
16:38 -!- iBF_ is now known as _FBi
17:01 < wmchris> hello. I have an issue with my openvpn system. It connects fine, but I can't ping the openvpn server or the client from within the bridge. Firewall is disabled, comp-lzo is enabled on client and server. I dunno how I could debug this, because my log files all look fine. Server: Debian, Client: OSX
17:02 < wmchris> (Aka I can't ping the openvpn server itself with its internal ip address)
17:25 <@krzee> why bridging?
17:25 <@krzee> if you dont need bridging i can help you with a routed setup
17:25 <@krzee> !tunortap
17:25 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
17:25 <@vpnHelper> rooted/jailbroken) support only tun
17:28 < wmchris> I need the bridge, because in the end I want to forward an public ip address from the host to another machine which doesn't have the possibility to get its own IP address by the ISP :/
17:31 <@krzee> ahh so you'll have the client get the IP direct from the isp over the bridge?
17:33 <@krzee> if so, pretty cool! yep you'll be needing a bridge, sorry i cant really be of much help tho... im sure somebody else will pop in
17:57 < skered> Like wanting to run tcp and udp openvpn you need two instances running (this might change in future releases)  however is the same true for udp and udp6?
17:57 < skered> Do you need two openvpn instances for udp and upd6?
17:58 <@krzee> no
17:58 <@krzee> proto udp6 will force both, proto udp will let the OS decide
18:00 < skered> Ok lets hope pfsense does the right thing here... brb
18:04 < skered> Ok... I think it was right but the client export package needs some work.
18:04 < skered> ipv6 appears to be working
18:07 < wmchris> Seems like I found the problem, but not the solution to my issue: tunnel (TCP, TAP) is currently active - I'm connected and I got an ip from OpenVPN. Client: TAP0 device is fine, Server: TAP0 device is DOWN.
18:08 < wmchris> This is not normal, or?
18:08 < wmchris> (Bridged setup)+
18:12 < wmchris> Ok found the issue. Bridge-up script didn't get $tap var correctly.
18:13 < wmchris> So it was down all the time.
18:13 <@krzee> ahh
18:13 <@krzee> !script
18:13 <@vpnHelper> "script" is (#1) See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR, or (#2) to see all vars available to a script, you can env > /tmp/env, or (#3) if using bash you can put exec 2>&1 in the first line of your script and it will send all error output to
18:13 <@vpnHelper> your openvpn log. set -x as well to show your commands as they are executed
18:13 <@krzee> hopefully the tips in #2 and #3 help a little
18:14 < wmchris> I fixed it already. :-)
18:14 <@krzee> good =]
18:17 < skered> krzee: proto upd6   forcing both udp and udp6 tied to given version?  pfsense when set to UDP6 is using "proto udp6" however attempting to connect via udp doesn't work.
18:17 < skered> Or am I misunderstanding "force both"
18:19 <@krzee> proto udp6 should open both sockets
18:20 < skered> Ok... it's also setting 'local $IPv6-address'
18:21 < skered> In that cause it would only be IPv6?
18:27 <@krzee> !man
18:27 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
18:27 <@krzee> see --proto
18:28 <@krzee> then see --bind [ipv6only]
18:31 < skered> Ok I think I see the problem pfsense is openvpn 2.3
18:34 <@krzee> ahh
18:35 <@krzee> well there we go
18:35 <@krzee> OpenVPN 2.3 cannot auto-determine whether to use IPv4 or IPv6 (or automatically try whatever is available) - full dual-stack functionality is available starting with OpenVPN 2.4.0
18:35 <@krzee> (from 2.3 manual)
18:35 <@krzee> good call
18:36 < skered> Appears 2.4 will include... 2.4
18:36  * skered waits
18:37 <@krzee> well its also just freebsd
18:38 <@krzee> you could always just login to ssh install the newer version and setup the config by hand
18:38 <@krzee> but i never used pfsense i always just ssh in
18:39 < skered> Yeah, that might be the next step for myself.  Stop using GUI firewalls.
20:05 <@ordex> morning !
20:25 < desnudopenguino> after setting up a tunnel with openvpn, is there a way to force network activity through the vpn tunnel vs the established ethernet/wifi device?
20:44 <+hyper_ch> !def1 > desnudopenguino
20:44 <+hyper_ch> !def1
20:44 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
20:44 <+hyper_ch> hmmm
21:04 < Shaan> Hi guys I have a slight problem when i was setting up OpenVN in the config it set my ip as if it was static
21:04 < Shaan> How can i set it to DHCP
21:06 < Shaan> here is my current openvpn config http://termbin.com/11pn
21:08 <@ordex> Shaan: if you check "—server" option in the man page, you'll see that it expands to a set of options that take care for you of allocating a subnet for your clients
21:08 <@ordex> Shaan: therefore the "—ifconfig" statement should not be there
21:09 <@ordex> this way your clients will just get an IP from the pool you selected (similar to DHCP, although it is not real DHCP)
21:09 < Shaan> ordex: can you please rephrase Im sorry i didn't understand what you said.
21:09 <@ordex> Shaan: ops sorry. my suggestion is just to read the man page. Search for the "—server" option
21:09 <@ordex> it will explain you that it is already doing what you want
21:09 < Shaan> ordex: no, i dont think you understand Ive got a vpn server running behind my cable modem, my ISP hands out dynamic IP's but the way the config is generated it thinks that the one i IP i have is static.
21:10 <@ordex> ah
21:10 <@ordex> I thought you were talking about the clients
21:10 <@ordex> sorry
21:10 < Shaan> no problem
21:10 <@ordex> what makes you think the config "assumes" there is a static IP ?
21:10 < Shaan> well
21:10 < Shaan> push "route 99.247.44.0 255.255.254.0"
21:11 <@ordex> what is that ?
21:11 < Shaan> that and when it was doing config generation it thought i had a static ip for some reason
21:11 < Shaan> thats in the config
21:11 < Shaan> that was generated
21:11 < Shaan> I dont know, why.
21:12 <@ordex> well, me neither :P I mean, to me that looks like a random network that you want to route through the VPN
21:12 <@ordex> is that related to your server ?
21:12 <@ordex> and when you say "config generation", what are you talking about exactly ?
21:13 <@ordex> the comment of that route says "your local subnet" - do you have your own subnet behind the server? or you just get 1 IP from the ISP ?
21:13 < Shaan> just one ip
21:13 < Shaan> ordex pivipn installation script generated the config file for me
21:14 < Shaan> I wish i could get a more thorough understanding of the config file so i could just create a new fresh one
21:14 <@ordex> ok, then I think there was some misunderstanding when you generated the config. I don't think that statement is useful at all (
21:14 <@ordex> (
21:14 <@ordex> unless you have a real reason)
21:14 <@ordex> Shaan: you could start from a sample config from openvpn.net
21:15 <@ordex> and remove from it all the unneeded options (it is precisely commented, so understanding that should be easier than reading a generated config)
21:15 <@ordex> and use the man page to understand what the various options do
21:15 < desnudopenguino> +hyper_ch: thanks!
21:16 < Shaan> ordex: I will look for one thats on openvpn.net
21:16 <@ordex> oky
21:38 < Shaan> ordex: do you know what this option is for?
21:38 < Shaan>  bypass-dhcp
21:39 <@ordex> I should read the man. I think it is some windows thing, but I might be wrong
21:40 <@ordex> yeah, seems to be mostly for windows clients
21:41 <@ordex> Shaan: usually in the server config there is nothing regarding its own DHCP
21:41 < Shaan> ya google found the page finally thanks
21:41 <@ordex> because it does not really need to know
22:14 < jasonwc> Is there any timeline for integrating full 2.4 feature support in the OpenVPN Connect Android client.  The last time I tried it, it did not support tls-crypt.
22:15 < jasonwc> It does support tls-auth and most of the features from 2.4 seem to work - I'm using ECDHE and AES256-GCM
22:28 < Shaan> Hi guys I'm back so my issue is now.. once ive changed the openvpn server ip from the default 10.8.0.0 to 10.10.0.0
22:28 < Shaan> I simply cannot visit any website ping any ip or resolve any domain
22:30 < jasonwc> I wasn't here for your prior conversation.  What is the LAN subnet on both sides?
22:31 < Shaan> pardon?
22:31 < Shaan> when i use the default 10.8.0.0 ip everything works fine..
22:32 < jasonwc> Right, which would occur if you are using the same subnet inside the tunnel and outside
22:32 < jasonwc> I'm asking what is your subnet of the host
22:33 < Shaan> umm its a dynamic ip assigned by DHCP from ISP
22:33 < jasonwc> No, the LAN
22:33 < Shaan> jasonwc: there is no LAN
22:33 < Shaan> its a cable modem > raspberry pi running openvpn
22:33 < jasonwc> Say you are connecting two sites and they both use 192.168.1.0.  It's going to clearly break.
22:33 < jasonwc> The network inside the tunnel must be unique
22:34 < jasonwc> If it works with 10.8.0.0 but not 10.10.0.0, you either have a configuration issue, or one of the sides is using 10.10.0.0 as its LAN subnet
22:34 < jasonwc> Can you share your server and client configuration?
22:36 < jasonwc> The WAN IP address isn't the issue.  My question was whether the device you are using to connect to the OpenVPN server and the internal OpenVPN network is on the same subnet.
22:37 < Shaan> jasonwc: what configs you want me to share?
22:38 < jasonwc> the server and client configuration files
22:39 < jasonwc> !welcome
22:39 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
22:39 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
22:40 < Shaan> jasonwc: http://termbin.com/lmg0
22:40 < jasonwc> Is there a reason you are running over TCP?
22:40 < Shaan> just want to blend with openssl traffic on 443.
22:41 < Shaan> and i read tcp is more reliable
22:41 < Shaan> due to ack packets etc
22:41 < jasonwc> It's the opposite.
22:41 < jasonwc> UDP will always be more reliable because tunneling TCP over TCP is likely to cause terrible performance on congested links.
22:42 < jasonwc> "Connectionless protocols such as UDP are always preferable when tunneling traffic. TCP is connection oriented with guaranteed delivery, so any lost packets are retransmitted. This sounds like a good idea on the surface but TCP retransmissions will cause performance to degrade significantly on heavily loaded Internet connections or those with consistent packet loss."
22:42 < jasonwc> If reliability is important, the application will support TCP inside the tunnel.
22:44 < Shaan> well, i guess i'll address that after i get some basic connectivity first
22:44 < jasonwc> Well, you are routing all traffic through the gateway but you aren't pushing DNS
22:44 < Shaan> I am eager to know whats causing this issue givent he fact that only thing i changed was the IP subnet that the tun0 was using and issuing
22:45 < Shaan> push "dhcp-option DNS 10.10.0.1"
22:45 < jasonwc> What is the IP address of the machine you are using to connect to the OpenVPN server
22:45 < Shaan> 10.10.0.1
22:46 < jasonwc> ah, so you're trying to use OpenVPN as the DNS server.  I haven't tried that or seen it in configs.
22:46 < jasonwc> Have you tried with a public DNS?
22:46 < jasonwc> Try 8.8.8.8 or 208.67.222.222
22:46 < jasonwc> If 10.8.0.0 works but 10.10.0.0 doesn't, that suggests your client is on the 10.10.0.0 subnet.
22:47 < jasonwc> I can't see why else one would work and the other wouldn't
22:47 < jasonwc> Is there any reason you included these settings for sndbuf, rcvbuf etc?
22:48 < Shaan> i noticed performance
22:48 < jasonwc> You still haven't said the IP of the client
22:49 < Shaan> 99.247.44.25
22:49 < jasonwc> ah, so you have public IP addresses on both sides?
22:49 < jasonwc> i.e. no NAT on either side
22:52 < jasonwc> !config
22:52 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
22:52 < jasonwc> #config
22:53 < jasonwc> !configs
22:53 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
22:54 < jasonwc> Shaan: Your config seems needlessly complex, which is not what you want when troubleshooting
22:54 < jasonwc> I'm doing the same thing you are, and here's mine
22:54 < jasonwc> https://pastebin.com/9A5wfQY2
22:54 < jasonwc> you can ignore the IPV6 stuff, and encryption settings
22:54 < jasonwc> you don't need it
22:55 < jasonwc> you should not need to set the mtu or use mssfix unless you have a specific reason
22:55 < jasonwc> the sndbuf and recvbuf settings are the same, I suspect
22:56 < jasonwc> you dont' need topology subnet, and you don't need to push the route for the server or client - it's automatic
22:57 < desnudopenguino> Shaan: are you trying to set the client ip(s) using DHCP? or something else?
22:57 < Shaan> desnudopenguino: no, I am not doing anything like that
22:58 < jasonwc> Shaan: Try something like this - https://pastebin.com/EznmKxFV
23:00 < jasonwc> I'm not sure why your configuration is so complex; this is a fairly straightforward setup
23:00 < Shaan> jasonwc: do i not have to update iptables or what not or something to let it know that ip changed from 10.8.0.0 to 10.10.0.0
23:01 < desnudopenguino> Shaan: sorry, saw your post from ~2 hrs ago
23:01 < jasonwc> Shaan: Well, you definitely need to let the traffic through your firewall
23:02 < jasonwc> but that has nothing to do with the internal subnet of the VPN
23:02 < jasonwc> That is the subnet used inside the tunnel
23:03 < Shaan> ya but doesn't iptables need to know how to handle this traffic?
23:03 < jasonwc> your firewall needs to allow the OpenVPN traffic to pass through.  You also need IPv4 forwarding enabled for redirect-gateway to actually work.
23:04 < jasonwc> But presumaby you've done those things as you said it was working with 10.8.0.0
23:04 < jasonwc> When you were using 10.8.0.0, did you check for your IP while connected over the VPN?
23:04 < jasonwc> If redirect-gateway was worning, your public IP should show as the IP of the VPN server, not your client's IP
23:06 < jasonwc> !redirect
23:06 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
23:06 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
23:06 < Shaan> jasonwc: it was working when it was 10.8.0.0
23:06 < Shaan> but i havent updated iptables or anything else after changing it to 10.10.0.0
23:06 < Shaan> !ipforward
23:06 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
23:06 < jasonwc> I think you need to read more about how OpenVPN works.
23:07 < jasonwc> The internal subnet of the VPN server has no bearing on your firewall rules
23:07 < Shaan> !linipforward
23:07 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
23:07 < skyroveRR> !winipforward
23:07 <@vpnHelper> "winipforward" is (#1) reboot after enabling it, or (#2) https://support.microsoft.com/EN-US/kb/230082 to enable ip forwarding on windows
23:07 < skyroveRR> Interesting.
23:07 < skyroveRR> (the windows part.)
23:07 < jasonwc> I suppose it is possible you have firewall rules blocking all outbound traffic unless whitelisted or something
23:08 < Shaan> jasonwc: dont i need to enable forwarding in iptables with the new 10.10.0.0
23:09 < jasonwc> yeah, you would need something like "iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE"
23:09 < jasonwc> that assumes NAT
23:11 < jasonwc> Shaan: Have you tested the server WITHOUT redirect-gateway to see if it works otherwise?
23:11 < jasonwc> If so, then yeah, you're probably is likely with the need to properly configure forwarding
23:13 < jasonwc> It really is best to start simple.  Confirm that the VPN works and you can send traffic through it.  Then get redirect-gateway working.
23:14 < jasonwc> Also, if everything worked - as you say - for 10.8.0.0, why bother changing it?
23:18 < Shaan> I'm missing something clearly
23:18 < Shaan> i just changed it back to 10.8.0.0 and it worked like a charm
23:19 < Shaan> soon as i change it to 10.10.0.0 it wont work
23:19 < jasonwc> then the problem isn't with your OpenVPN configuration
23:19 < Shaan> i tried the above iptables command didn't do crap
23:19 < jasonwc> it's with your forwarding rules
23:19 < jasonwc> so, just leave it at 10.8.0.0
23:19 < jasonwc> I would definitely confirm it's actually working
23:19 < jasonwc> whatismyip.com
23:19 < Shaan> it is working
23:19 < jasonwc> to verify the IP address is that of the VPN server and not the client
23:19 < Shaan> thats what i did first..
23:19 < jasonwc> ok, then just leave it :)
23:20 < Shaan> well i would prefer if i can get it to 10.10
23:20 < jasonwc> also, is your client and server using OpenVPN 2.4?
23:20 < Shaan> i dont suppose you could point me in the right direction?
23:20 < Shaan> no 2.3 i beleive
23:20 < jasonwc> ah, ok
23:20 < jasonwc> Is there a particular reason you want 10.10.0.0?
23:20 < Shaan> well it will work better with my home vpn
23:21 < jasonwc> Why?
23:22 < jasonwc> This might help
23:22 < jasonwc> https://www.linode.com/docs/networking/vpn/tunnel-your-internet-traffic-through-an-openvpn-server
23:22 <@vpnHelper> Title: Tunnel Your Internet Traffic Through an OpenVPN Server (at www.linode.com)
23:23 < jasonwc> It shows firewall rules and forwarding rules
23:24 < jasonwc> -A FORWARD -i tun0 -o eth0 -s 10.10.0.0/24 -j ACCEPT
23:24 < jasonwc> A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
23:25 < jasonwc> iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
23:44 < pizzaops> Google is failing me. Is there a page somewhere that documents all the `.ovpn` file directives?
23:45 <@ordex> you can find some config files well commented on openvpn.net, otherwise the man page explains each directive one by one
23:46 <@ordex> !man
23:46 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
23:46 <@ordex> pizzaops: ^
23:46 < Shaan> .win 4
23:47 < pizzaops> I looked at the example configs.
23:47 <@ordex> if you want more details, then check the man page
23:47 < pizzaops> oh i see the ovpn directives are roughly the same as the --thing commands?
23:48 < pizzaops> (im only a client user not an admin, so im not that familiar)
23:48 <@ordex> they are the same. they can be specified on the command line (with —something) or directly in the config file
23:48 < pizzaops> I ask because `ovpn` is literally not in the man page for 2.4
23:48 < pizzaops> Thanks for your help.
23:48 <@ordex> the man page does not talk about 'ovpn' but only about 'config file'
23:49 <@ordex> still, you can directly read the option description in the man
23:49 <@ordex> np
23:57 <@krzee> !--
23:57 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
23:57 <@krzee> configs are generally .ovpn in windows and .conf in linux, but can be whatever you want when calling openvpn yourself
23:59 < jasonwc> The pfsense book states, "An OpenVPN server instance can currently only bind to either IPv4 or IPv6, but not both at the same time."  I assume this applies to OpenVPN 2.3.x, as that is what exists in the latest stable release of pfsense.  However, I'm using OpenVPN 2.4, and my server definitely listens on both IPV4 and IPV6.  Is this claim accurate for 2.3?
--- Day changed Mon May 29 2017
00:13 <@krzee> yes, see --proto in the manpages for 2.3 and 2.4
00:13 <@krzee> !man
00:13 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
00:16 < jasonwc> Ah, thanks @krzee - "OpenVPN 2.3 cannot auto-determine whether to use IPv4 or IPv6 (or automatically try whatever is available) - full dual-stack functionality is available starting with OpenVPN 2.4.0"
00:16 < jasonwc> That explains it nicely
00:18 <@krzee> =]
01:26 -!- piklu- is now known as pikly
01:26 -!- pikly is now known as piklu
02:29 < relaz> I have like two servers and I need to get the same ip address to the client, it doesnt matter from which server. I read the entire manual but I didnt find a solution, any help? Thanks
02:30 < skyroveRR> relaz: what do you mean "same ip address to the client" ?
02:32 <@ordex> my guess: s/get/assign/
02:32 < relaz> the servers are in failover
02:33 < relaz> so if one server give an ip address to a client and go down I want that the second server give the same ip address to the client, hope this is clear :)
03:04 < relaz> guys I was reading this article: https://dnaeon.github.io/static-ip-addresses-in-openvpn/ but if we use ifconfig in the client we already get a static ip for it. Can somebody clarify the difference? Thanks
03:04 <@vpnHelper> Title: Static IP addresses in OpenVPN – Marin Atanasov Nikolov – A place about Open Source Software, Operating Systems and some random thoughts (at dnaeon.github.io)
03:06 < relaz> I mean if I use ifconfig ip subnet in the client I already use a static ip, what is the difference?
03:18 < relaz> or the difference is just that we handle everything on the server, so we dont have to set every client with a fix ip?
05:55 < Cubox> !welcome
05:55 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
05:55 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
05:55 < Cubox> !paste
05:55 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
05:55 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
05:58 < Cubox> Hello! I am having trouble making Openvpn work with my setup... Server config http://paste.cubox.me/aKi1P Client config : http://paste.cubox.me/qoOsu Error log : https://paste.cubox.me/jefJJ Keys : http://paste.cubox.me/lzopd
05:59 < Cubox> I keep getting no shared ciphers... This exact config worked until I updated my client. I am not sure from which version to 2.4.2, but I was greeted with this since. I have redone all keys since to try to make it work.
05:59 <@dazo> Cubox: first real potential trouble is from your certificate:
05:59 <@dazo>                 Public-Key: (512 bit)
05:59 <@dazo> 512 bit keys are horrendously weak, that should be at least 2048 bits
05:59 < Cubox> it's an EC
06:00 <@dazo> hahah!  indeed! sorry!
06:00 < Cubox> curve is brainpoolP512r1
06:00 <@dazo> yeah .... but is that supported on both server and client side?
06:01 < Cubox> they are supposed to be both same libressl version and openvpn version
06:01 < Cubox> (Am checking to make sure)
06:01 <@dazo> okay ... you don't have --tls-cipher in the server config, only the client
06:01 <@dazo> openvpn --show-tls   should give a hint
06:02 <@dazo> openvpn --show-curves
06:02 < Cubox> I have tls-cipher on the client?
06:02 < Cubox> (Both client and server openvpn --version give the exact same output)
06:03 <@dazo> gee ... I need t fetch lunch soon :/  ... no, you have ecdh-curve
06:03 < Cubox> Oh, true
06:03 <@dazo> in client config only, not server
06:04 <@dazo> openvpn --show-curves should indicate which curves each side supports
06:04 < Cubox> both clients have the same output to openvpn --show-curves | grep brainpoolP512r1
06:04 <@dazo> great
06:04 <@dazo> then it is probably the missing --ecdh-curve on the server side
06:05 <@dazo> I'm wondering if this TLS error message is just a bit misleading in regards to EC ...
06:05 <@dazo> May 29 12:47:44 Lif openvpn[23352]: 78.215.10.44 TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
06:05 < yarddog> i updated my distro that broke airvpn, isnt there an http address to use in lieu of it? most the time that is
06:05 < Cubox> client show tls http://paste.cubox.me/1wbsx server http://paste.cubox.me/Vpjc9
06:06 < Cubox> I don't get why they are different...
06:06 <@dazo> yarddog: this isn't the airvpn support channel ... so hard to say
06:06 < yarddog> yeah i thought i'd ask,sorry man
06:06 < yarddog> since it's openvpn
06:07 <@dazo> yarddog: openvpn is used by 100s of VPN service providers .... we support users configuring their own servers here mostly
06:07 < Cubox> dazo: added edch-curve and nothing different. Still got an error.
06:07 <@dazo> Cubox: --tls-cipher was my decoy ... you're using --ec-curve
06:07 <@dazo> Cubox: can you boost the --verb to 4 on server and client and pastebin both logs?
06:08 < Cubox> server log was verb 4 iirc
06:08 <@dazo> please send the complete log then, just to see if there are other details there too
06:12 < Cubox> Server full verb4 log https://paste.cubox.me/Ttmcl
06:14 <@dazo> Cubox: got the client logs too?
06:18 <@dazo> Cubox: the " OpenSSL: error:140270C1:SSL routines:ACCEPT_SR_CLNT_HELLO_C:no shared cipher" together with the log line I pasted above are related to a mismatch between --ec-curves and/or --tls-cipher ... which is why I pointed you in that direction
06:19 <@dazo> but with the same --ec-curves on boths sides .... there are something odd going on
06:20 < Cubox> dazo: I am trying to find the logs on the client x) For some reason they won't write to disk...
06:20 <@dazo> Cubox: which distro?
06:20 < Cubox> opnsense / FreeBSD
06:20 < Cubox> since the update logs are not written to /var/log/openvpn.log
06:21 < Cubox> (same update that broke openvpn)
06:21 < bitfawkes> hello, I would like to connect 2 server in vpn, can someone show me the way?
06:21 <@dazo> !howto
06:21 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
06:21 <@dazo> bitfawkes: start with #3 ^^^
06:21 < bitfawkes> please I just need a tutorial
06:23 < bitfawkes> I have 2 server and I would like to do RPC call between them over internet
06:23 <@dazo> bitfawkes: #3 is the tutorial
06:23 < bitfawkes> oh I just see now
06:23 < bitfawkes> thanks
06:26 < Cubox> dazo: full openvpn client verb4 log https://paste.cubox.me/QqIdQ
06:29 < bitfawkes> my server are not in lan, they have public ip address
06:36 <@dazo> bitfawkes: that's no issue
06:36 <@dazo> !goal
06:36 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:37 < Cubox> https://github.com/OpenVPN/openvpn/commit/a44eac2bf47416b35609c37b10eb803dd61945ed <- I think I found the origin of my problems
06:37 <@vpnHelper> Title: Further restrict default cipher list · OpenVPN/openvpn@a44eac2 · GitHub (at github.com)
06:40 <@dazo> syzzer: ^^^ do you have a chance to look at the log files from Cubox?   Seems to be some issues with "SSL routines:ACCEPT_SR_CLNT_HELLO_C:no shared cipher" when using EC certificates and --ec-curve
06:40 < bitfawkes> I would like to allow RPC call (bitcoin RPC) between 2 server in the same lan infrastructure
06:40 <@dazo> syzzer: client log: https://paste.cubox.me/QqIdQ ... server log: https://paste.cubox.me/Ttmcl
06:40 < Cubox> dazo: thanks for your help!
06:41 < bitfawkes> them share the same gateway
06:41 <@dazo> Cubox: syzzer is our crypto nerd ... and he have worked with these things, so he might have an idea .... and he is behind plenty of these crypto related patches
06:42 < Cubox> dazo: yeah, he commited the change I linked with changing default ciphers
06:42 < Cubox> I'm trying to see if that is the origin of my problems
06:43 <@dazo> Cubox: unfortunately, he is quite loaded these days :/
06:43 <@dazo> bitfawkes: then you don't need to use any routing ... but your RPC calls need to use the VPN IP addresses directly
06:43 < bitfawkes> I think yes
06:45 < bitfawkes> how to set?
06:48 <@dazo> bitfawkes: when you follow the "getting started" guide, skip the "setting up routes" ... you will have a server with 10.8.0.1, and the client will have another IP in that scope
06:48 <@dazo> bitfawkes: then configure your application to use those IP addresses
06:48 < bitfawkes> I try, thanks
06:49 <@plaisthos> Cubox: you probably restricted client and or servers tls-cipher list so much that no common cipher remains
06:49 <@plaisthos> hence the error
06:50 <@plaisthos> and if that commit you mentions breaks your setup, then other side has a wacky cipher list/tls library
06:50 <@plaisthos> keep in mind ec support requires OpenVPN 2.4+ on both sides
06:54 < usernaem> Hi guys
06:56 <@dazo> plaisthos: both sides run v2.4.2
06:56 <@dazo> (according to log files)
06:57 < usernaem> Do I understand correctly that unless my vpn provider has a valid trusted SSL certificate for domains I visit over https, there is no way they can intercept my plaintext traffic?
06:58 <@dazo> usernaem: hmmm ... that doesn't sound quite correct
06:59 <@dazo> usernaem: A VPN connection between a client and server is encrypted, so on the public Internet it will hard to catch your packets
06:59 <@dazo> usernaem: but the VPN service provider will decrypt the network packets and send them further
07:00 <@dazo> usernaem: but if you pass https packets over the VPN ... the VPN service provider will just see https packets, which are also encrypted
07:00 < Cubox> plaisthos: I have openvpn 2.4.2 on both sides, with the exact same version of libressl. And on top of that I do not change tls-cipher anywhere in my conf...
07:05 < usernaem> dazo: aha, I see how the already-HTTPS data is safe, though I am concerned about my outcoming plaintext traffic: passwords etc. For example, I visit a site that requires authentication, however the VPN provider just re-routes this request to an internal malicious server set up for this site and they feed me a fake login page where I enter my login credentials
07:07 < usernaem> Since the domain name I am trying to connect to is sent in plaintext as a TLS client hello field, they will have no problems detecting which domain I need
07:08 < usernaem> I am just curious whether it is safe enough to enter the login credentials after I verify that the SSL certificate is issued by a trusted CA
07:15  * hyper_ch thinks if you want to be safe, it's best to unplug the computer from power source and network, put it into a really thick metal box and store it in your basement
07:15 < rob0> your basement might not be safe
07:18 <+hyper_ch> don't you trash-talk my basement!
07:18 < havoc> also need fire surpression, and environmental controls
07:19 < usernaem> nah, it's just a really phishy VPN provider
07:19 < havoc> and there is no substitute for human monitoring/oversight
07:19 <+hyper_ch> then why not use a reliable vpn provider?
07:19 < usernaem> I am not familiar enough with VPN to know whether the VPN server will have the same TLS key material as me
07:20 < usernaem> If it doesn't then why pay more when I can get away with a phishy one
07:20 <+hyper_ch> the same TLS key material?
07:21 < usernaem> The symmetric encryption key used to encrypt data sent/received by the content origin server
07:21 < Cubox> usernaem: the question you are asking can apply even outside of a VPN. Anyone that gets your packets (can be your ISP, your employer) can intercept and modify data if it's not in HTTPS
07:21 < Cubox> if it's HTTPS, unless they can generate a certificate valid for the website you want to access, they won't be able to get your password
07:21 <+hyper_ch> (some argue they can intercept and modify even when it's https)
07:22 < Cubox> hyper_ch: even without a valid cert?
07:22 <+hyper_ch> interception is simple
07:22 <+hyper_ch> modify also... however modify it in a way you want might be harder
07:22 < Cubox> but my browser shows a big red warning
07:23 <+hyper_ch> interception - ISP just needs to record all your traffic
07:23 < Cubox> they won't be able to see content if it's in HTTPS, right?
07:23 <+hyper_ch> encryption can be hacked
07:24 <+hyper_ch> it's just a question on how much effort you want to put in
07:24 <@plaisthos> Cubox: did you explcitly disable normal dh?
07:24 < Cubox> plaisthos: yes, with dh none
07:25 <@plaisthos> Cubox: did you test what cipher tls agree on without dh none?
07:25 <+hyper_ch> also, if webserver still uses sha1 for some reason (I think winXP is one of the reasons) you might be at a risk
07:26 <@plaisthos> also we don't really support libressl, so I can only speak for OpenSSL but for openssl 1.0.1 OpenVPN tries to guess the used curve from the certificate
07:26 <@plaisthos> probably libressl is similar
07:27 < Cubox> plaisthos: I tried adding the curve in the config, just in case
07:27 < Cubox> (generating dh 4096, will try with dh back)
07:28 < usernaem> hyper_ch: Sha1 is the certificate signature algorithm, it is a part of the cert and it's not really up to teh server to decide; all modern browsers will freak out when they see a sha-1 cert, even on XP
07:28 <+hyper_ch> still, it's a ssl connection to a server and might not consider it safe
07:29 < Cubox> is my IE 6 considered modern usernaem? /s
07:30 <@plaisthos> ie 6 depens on the platform ssl library
07:30 <@plaisthos> not sure if xp got patched to reject sha1 but iirc it did
07:35 < usernaem> Cubox: why not, it uses win api for crypto, iirc one of the SP3 follow-up patches caused all sha1 certs to be invalid for tls web extended key usage just before microsoft dropped support for xp
07:41 < usernaem> hyper_ch: I'm not paranoid enough to question ssl, I am just curious what part VPN plays in this. If VPN only operates on the transport level below TLS, then it is pretty much the same thing as trusting the ISP
07:41 <+hyper_ch> you need to trust also the vpn provider
07:41 <+hyper_ch> I don't know what your motivation is for using a vpn
07:41 <+hyper_ch> depending on that you might have wrong ideas about it
07:41 < Cubox> with a VPN, the VPN provider becomes your ISP basically usernaem
07:42 < Cubox> since they are in charge of taking your packets and sending them to the internet, as your ISP does at your home
07:45 < usernaem> Well I trust them to send my encrypted packets
07:46 < usernaem> Thanks, I think I get it now: everything's cool unless there is a bad cert
07:49 < relaz> when you want to give static ip address from the server, it is correct to create the certificate file in ccd and put the string ifconfig-push ip client ip seerver? Because when I launch the client it seems that the server is restarting all the time with: SIGTERM[hard,init_instance] received, process exiting Thanks
07:50 <@krzee> "then it is pretty much the same thing as trusting the ISP"    <-- if you use a vpn service then exactly this
07:50 <@krzee> !static
07:50 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder, or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range, or (#5) See also: !addressing
07:50 <@krzee> relaz: depends on topology
07:51 <@krzee> !topology
07:51 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
07:52 < relaz> topology is tun
07:52 < rob0> no
07:52 <@krzee> do you use topology subnet>?
07:53 <@krzee> if so first client probably got .2 as its ip
07:53 <@krzee> if not they got .6
07:53 <@krzee> (assuming normal --server with /24 vpn subnet)
07:53 < rob0> offer void where taxed or prohibited :)
07:53 <@krzee> hah
07:56 < usernaem> Can I use wildcards with allow-pull-fqdn?
07:59 <@krzee> --allow-pull-fqdn
07:59 <@krzee> Allow client to pull DNS names from server (rather than being limited to IP address) for --ifconfig, --route, and --route-gateway.
07:59 <@krzee> doesnt take an option, so where would the wildcard go?
08:01 < usernaem> It kind of enables domains in 'route' directives, so it is possible to route whitelisted domains only
08:02 < usernaem> But I suppose it just resolves those domains from the VPN server end and then uses the resulting IP addresses to substitute the domains, more like config sugar
08:03 < relaz> krz, yes I use subnet, the point is that I created a cert file in ccd with a string ifconfig-push client ip server ip, so the ip it should be static
08:04 < usernaem> I tried routing *.domain, but it routed the zone apex only, a subdomain with a different IP was routed through my default net interface :<
08:05 < usernaem> Probably I done goofed though, but there is close to none info about this switch behavior
08:06 < Cubox> plaisthos: even with a dh file, I still get the same error (The server has no TLS ciphersuites in common with the client.)
08:14 < relaz> ok I try with ccd ifconfig-push ip client and subnet because it is subnet topology but it is still the same
08:22 < relaz> the server goes in connection establieshed connection reset
08:30 < relaz> ccd ifconfig-push is a configuration just to set in the server right?
08:33 <@krzee> relaz: see this again
08:33 <@krzee> !static
08:33 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder, or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range, or (#5) See also: !addressing
08:33 <@krzee> if you use topology subnet then you want to use subnet style, which is not client ip server ip, it is client ip subnet
08:34 <@krzee> !ccd
08:34 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
08:35 < relaz> I wrote up that I changed ip client subnet
08:35 < relaz> but it still doesnt work
08:36 < relaz> it loose the connection with the server
08:36 <@krzee> then theres something else going on
08:36 <@krzee> !configs
08:36 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:36 <@krzee> !logs
08:36 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
08:36 <@krzee> verb 5 please ^
08:38 < relaz> ok but if I paste here the client and the server I will receive a temp ban how can I do that?
08:40 < rob0> !paste
08:40 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
08:40 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
08:49 < relaz> it is enough go to https://gist.github.com/ and paste the conf there right?
08:49 <@vpnHelper> Title: Create a new Gist · GitHub (at gist.github.com)
08:50 <@syzzer> Cubox: O
08:50 <@syzzer> aargh
08:50 <@syzzer> I'm not too familiar with all the LibreSSL pecularities, but a starting point might be to use --tls-cipher DEFAULT, and see what that does
08:51 <@syzzer> that 'reverts' the 'restrict cipher set' commit
08:53 <@krzee> relaz: yes
08:53 <@krzee> which the bot told you
08:53 <@syzzer> and to be clear: we do not support LibreSSL.  We won't break support op purpose, and do accept trivial patches if that makes using LibreSSL possible again.  But people using openvpn+libressl are basically on their woen.
08:54 <@syzzer> *own
08:55 <@krzee> g'day syzzer
08:56 < relaz> krx, https://gist.github.com/anonymous/9f35459b27cbcc88c33263cfac6b1031
08:56 <@vpnHelper> Title: openvpn · GitHub (at gist.github.com)
08:56 <@syzzer> hi krzee :)
08:57 <@krzee> i said verb 5 relaz
08:57 <@krzee> pls try again
08:58 <@krzee> and comment out all your mtu tuning stuff from both sides while trying to get the connection up
08:58 <@krzee> then you can play after
08:58 <@krzee> first you want it working, then you can mess around with mtu frag mssfix etc etc
08:59 <@krzee> your push route needs a subnet
08:59 <@krzee> (i think?)
09:00 <@krzee> nevermind, default it'll make it a host, thats fine
09:00 < skyroveRR> \o krzee
09:01 < relaz> ok with 5 the outpuit is the same
09:01 <@krzee> relaz: is there a reason you dont use --server and instead you rebuild it?
09:02 <@krzee> the config is unnecessarily complicated, would you like to simplify it?
09:05 <@krzee> relaz: how did you end up with this config?
09:05 <@krzee> you make it by hand, given by somebody, or some blog?
09:09 <@krzee> hey skyroveRR
09:10 < relaz> it was edited by a colleague as well
09:10 <@krzee> so by hand by 2 people? or some blog post that another guy edited after?
09:11 < Cubox> syzzer: I will try that, thanks
09:11 < relaz> I dont use server becuase I define already the ip server and ip range with ifconfig ifconfig pool
09:11 <@krzee> yes i see that, but im not so sure you did it all right, so i ask again more clearly... what was your goal in specifying that stuff manually?
09:12 < relaz> yes for me it is fine to simplify it as long as I understand how it work and to make it works
09:12 <@krzee> what did you hope to accomplish differently than --server, so that i may help you do it
09:12 < relaz> as I said a colleage gave me it to work on it with some new machines
09:12 <@krzee> well if thats the case why dont you start with a simple config, get it working, then change things
09:13 <@krzee> so you know when your changes break it, and can go back and try again
09:13 < Cubox> syzzer: Even with tls-cipher set to DEFAULT on both client and server, I still get TLS error: The server has no TLS ciphersuites in common with the client.
09:13 < relaz> I have to give a certain ip to the server and define a ip pool for clients for this I used different parameters
09:13 <@krzee> you're trying to start with overriding a bunch of things, then dont know why it doesnt work... start with a simple more generic config and then change 1 thing at a time
09:13 <+hyper_ch> 15:57:56 krzee  relaz: how did you end up with this config?  --> probably google :)
09:15 <@krzee> to be fair, in almost everything else "google it" is the right answer... but theres a few things like openvpn where its not
09:16 < relaz> ok can you help me to simplyfy it and see if it is working?
09:16 <@krzee> sure, post the client config now too
09:21 <@krzee> you can comment the hostname in --remote
09:22 <@krzee> i dont need to see it as the connection *is* being made
09:22 <@krzee> can hide it i mean, if you want (i see you hid the filenames for cert and key in the server config :D )
09:24 < relaz> I mean I think there is no point to hide here because we are talking about private ip so there are no sensitive data
09:24 <@krzee> i need the client config
09:24 < relaz> I have problem to paste it
09:24 <@krzee> which does have public address in its --remote entry, however you're right that it doesnt matter
09:25 <@krzee> whats the problem?
09:25 <+hyper_ch> krzee: the !google factoid in #bash  greybot  Google is NOT a preferred source for learning bash, because almost all the "tutorials" and scripts out there are JUNK. Instead, ask a good question here or refer to the Guide and FAQ (see topic)   :)
09:25 < relaz> when I gave a name on github I receive: Contents can't be empty
09:25 <@krzee> hyper_ch: bash is another good example
09:25 < relaz> but I wrote a name
09:26 <@krzee> relaz: you'll figure it out
09:26 <@krzee> if you can admin a vpn you can definitely figure out how to get me the config =]
09:26 < Cubox> I am trying to use openvpn-mbedtls to see if my problem was related to libressl or not
09:26 <@krzee> Cubox: i prefer mbedtls myself
09:27 <+hyper_ch> relaz: there's other pastebin services as well in case github has issues :)
09:31 < Cubox> krzee: well, even with mbedtls I have the same exact error message
09:31 <@krzee> Cubox: i didnt see all the scroll, can i see your configs?
09:31 < relaz> krz, this is the client https://paste.fedoraproject.org/paste/ZoC6oZJ6phRFzNJI~OQRkF5M1UNdIGYhyRLivL9gydE=
09:31 < relaz> it is on windows
09:31 <@plaisthos> Cubox: mbedtls on both sides?
09:31 < Cubox> Hello! I am having trouble making Openvpn work with my setup... Server config http://paste.cubox.me/aKi1P Client config : http://paste.cubox.me/qoOsu Error log : https://paste.cubox.me/jefJJ Keys : http://paste.cubox.me/lzopd
09:31 < Cubox> plaisthos: yes
09:32 < Cubox> openvpn --version on both side is the exact same output
09:32 < relaz> krz, is it clear now?
09:33 <@krzee> relaz: now i can help you simplify
09:33 <@plaisthos> Cubox: openvpn --show-tls
09:33 <@plaisthos> is that also similar
09:33 <@krzee> once you get it connecting and pinging you can play
09:33 < Cubox> http://paste.cubox.me/oKHMK on server, http://paste.cubox.me/iAsHx on client
09:34 < Cubox> (they are identical unless I am mistaken)
09:34 <@plaisthos> double checked that no tls-cipher is set on either side?
09:35 <@krzee> relaz: try this:  https://gist.github.com/anonymous/b437a6b49eff6a5edd404480dd14918f
09:35 <@vpnHelper> Title: client.ovpn · GitHub (at gist.github.com)
09:36 < Cubox> plaisthos: alright, it just worked
09:36 < Cubox> so it was libressl
09:36 <@krzee> nice!
09:36 < Cubox> and mbedtls don't like to have tls-cipher DEFAULT in the config
09:36 <@plaisthos> Cubox: with mbedtls on both sides?
09:36 < Cubox> (was a leftover from a previous test)
09:36 < Cubox> plaisthos: yes
09:37 <@krzee> relaz: make sure you are using the proper filename for key and cert
09:37 <@krzee> since your post doesnt have them on client or server
09:39 <@krzee> oh relaz i just noticed your client has --log-append and --status set to the same file, change one of the filenames
09:39 < Cubox> Thank you all for your time with this! I won't tag anyone to not disturb, but thanks :)
09:39 <@krzee> (in the post i gave you to use)
09:40 < Cubox> I guess it should be noted somewhere in the documentation that libressl can make unexcpected behaviour, and to test with mbedtls/openssl (if you already don't mention it!)
09:40 < rob0> Dungeons and Dragons is just a lot of Saxon Violence.\ODOB
09:41 < rob0> opps, keyboard mishap :)
09:41 <+hyper_ch> DnD 3.5 :)
09:43 < relaz> krz, thanks I saw the configurations
09:44 < relaz> the point is that in the server I need to give it an ip and a range for this I put ifconfig and ip pool, with just server I loose that
09:45 <+hyper_ch> need to give an ip?
09:46 < relaz> yes the server has to have a particular ip
09:46 < relaz> if I use just server parameter I wont use it
09:47 < relaz> if the conf is in windows can I comment the parameter like in linux with #?
09:48 <+hyper_ch> what's wrong with server being x.x.x.1 in the subnet?
09:48 < relaz> my manager want a particular ip so I have to do as he said :)
09:48 <+hyper_ch> replace your manager
09:48 <@krzee> Cubox: libressl isnt supported at all
09:48 < rob0> yep
09:49 <@krzee> Cubox: so like, its always use at your own risk, dont you have to patch the configure file to even make it work?
09:49 <+hyper_ch> I think it's strange.. ovpn server acts as router for the subnet.... so it should have .1
09:49 <@krzee> relaz: sure, but FIRST you get a setup that works
09:49 <@krzee> THEN you tinker with settings
09:50 < rob0> also might be able to redirect the desired IP to .1
09:50 <@krzee> that way you know what broke it when you break it
09:50 <@krzee> you were tinkering with too many settings before having a working setup.
09:50 < relaz> I didnt start straight with that setup
09:50 <@krzee> you had mtu settings, mssfix settings, fragment settings, engine settings, rebuilt --server from scratch
09:51 < relaz> with just server was working and even after with a particular server ip it was working
09:51 <@krzee> cool, now since you dont know how you broke it start simple and work back to custom
09:51 < relaz> it stopped when I tried to assign static ips
09:51 <@krzee> that's my advise
09:51 <@krzee> advice*
09:52 <@krzee> if you read the troubleshooting openvpn book you'll get similar advice ;]
09:52 <@krzee> !book
09:52 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
09:52 <@krzee> (shameless plug)
09:54 < relaz> krz, ok in windows if I want to comment something in the conf file it is the same like linux can I use #?
09:54 <+hyper_ch> can one truly master OpenVPN?
09:54 < relaz> so I can just comment what is not in the files you sent me and move it forward
09:55 <@krzee> yes
09:56 < relaz> ok thanks
09:56 <@krzee> ; or # is fine no matter the OS
09:56 < relaz> k
09:56 <+hyper_ch> # is prettier
09:56 <@krzee> i agree :D
09:56 <@krzee> likely cause i do a lot of bash
09:56 <@krzee> making a script in another window right now actually
09:57 <+hyper_ch> :)
09:59 < Cubox> krzee: no patching needed on FreeBSD once you have set LibreSSL as a replacement for OpenSSL. However until someone (probably you) mentionned it, I did not know that it was not supported
09:59 < Cubox> Or at least I was naive thinking that this could not be blamed on libressl :/
10:00 <@plaisthos> The problem with libressl it claims to have OpneSSL compatible API
10:00 <@plaisthos> but does not really have it
10:00 <@plaisthos> so you end up with bizzare errors like this
10:01 <@plaisthos> we are happy to accept patches to make libressl work better but don't spend time on debugging/testing with libressl
10:01 < Cubox> This is the second time I encounter a really crippling issue with libressl...
10:02 < Cubox> for a few months, on my setup, certificates from Google were considered invalid by libressl, because of a cross-signing of a cert that was deprecated
10:03 < Cubox> and since very few people use libressl instead of openssl on major software, little solution is provided on the internet...
10:04 < BlackBishop> so .. I have this config https://paste.fedoraproject.org/paste/HIMq5e9N5bqjYuFcn-FAwl5M1UNdIGYhyRLivL9gydE=
10:05 < BlackBishop> my issue is that for some reason while pinging a name ( dns has split view ) .. 2 things happen:
10:05 < BlackBishop> the dns request goes through my local ns .. and through the dns pushed by the vpn server
10:06 < BlackBishop> if my local ns answers with something .. when pinging a host .. I'll ping the ip resolved by my server
10:06 < BlackBishop> if my ns doesn't answer ( as for an internal only address ) .. I get the internal ip and I ping that one
10:06 < BlackBishop> anyone seen this ?
10:08 < BlackBishop> an example would be .. test.domain.tld - split view, internal 172.16.1.19, external x.x.x.19, something.domain.tld - internal only 172.16.1.20
10:08 < BlackBishop> ping test.domain.tld -> x.x.x.19 ; ping something.domain.tld -> 172.16.1.20
10:08 < BlackBishop> Using a wireshark I see the request to test.domain.tld going through my main lan ns and via the vpn !
10:09 <@syzzer> Cubox: good that the issue is resolved for you!  This quite likely has to do with LibreSSL's funky version reporting.  Iirc, LibreSSL reports as 'openssl 1.0.1', and openssl 1.0.1 had a troublesome ECDH API.
10:09 < BlackBishop> and for some reason the result coming from my local lan ns is primary :| If it yells nxdomain, it uses the result from the vpn provided dns
10:09 <@syzzer> so we might be working around issues in openssl 1.0.1 while libressl has 'fixed' those
10:10 <@syzzer> anyway, we might want to consider printing a warning in configure.ac if we detect LibreSSL
10:11 < Cubox> any kind of clue letting people know that if there is an issue, try with openssl first before looking into anything else :)
10:12 <@plaisthos> syzzer: better on startup
10:12 <@syzzer> plaisthos: yeah, probably
10:12 <@plaisthos> users might otherwise never see the warnings
10:13 <@plaisthos> "Warning: Libressl detected, OpenVPN has only been tested with OpenSSL."
10:13 <@plaisthos> "Warning: Libressl detected, OpenVPN has only been tested with OpenSSL and relies on API compatibility for LibreSSL (which is not perfect)."
10:17 < relaz> krz, how comes that when I rename the client.ovpn I dont see it anymore as openvpn file buit notepad?
10:17 < hays> can someone help me figure out whats going on here? here are client logs; https://bpaste.net/show/39153d8d429e
10:18 < Cubox> <root@Lif>-<~> λ grep LIBRESSL /usr/local/include/openssl/opensslv.h
10:18 < Cubox> #define LIBRESSL_VERSION_NUMBER 0x2050400fL
10:19 < Cubox> plaisthos: for libressl detection, this seems to be the supported way
10:21 < hays> I've got my iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
10:21 <@ordex> hays: server log ?
10:21 <@ordex> and !configs
10:21 <@ordex> !configs
10:21 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
10:25 <@syzzer> "Warning: you are using LibreSSL.  This might work but we don't promise anything and can break at any moment."
10:25 < BlackBishop> hmm, It seems I'm hitting this bug: https://community.openvpn.net/openvpn/ticket/605
10:26 < BlackBishop> and I am running 2.4.2
10:27 <@syzzer> BlackBishop: and you are using --block-outside-dns ?
10:27 < hays> ordex: https://bpaste.net/show/fbdc94bdad03
10:28 < BlackBishop> ow
10:28 < BlackBishop> nice
10:29 < BlackBishop> yeey, thanks.
10:29 <@ordex> hays: I got 404
10:29 < hays> ordex: sorry: https://bpaste.net/show/6dfb742dd515
10:30 < hays> the server is remote, so im able to ssh to it, and the firewall looks right and hasn't changed. at least my part of it..
10:30 < hays> maybe something upstream out of my control could have changed
10:32 <@plaisthos> syzzer: sounds better
10:32 <@ordex> honestly I don't know . maybe by increasing the verb to 4 we might see something more. for sure it is not a network problem because client and server are talking
10:36 < relaz> to make a client file for windows is enought rename the txt file in ovpn? because it doesnt work the system see a txt file
10:36 < relaz> any help?
10:37 < hays> ordex: https://bpaste.net/show/3998d12c0c1b
10:37 < hays> this is with verb=6
10:38 < hays> client is running 2.4.2
10:38 < hays> server is 2.3.4
10:38 < hays> could that be a problem?
10:39 < Cubox> Is Github the main repo for openvpn?
10:42 <@plaisthos> !git
10:42 <@vpnHelper> "git" is (#1) The public git trees are here: a) git://git.code.sf.net/p/openvpn/openvpn, b) https://gitlab.com/openvpn/openvpn.git, c) https://github.com/OpenVPN/openvpn/, or (#2) All of these git locations should always be in sync and identical, if not something bad has happened and you should inform the developers ASAP, or (#3) See !git-doc how to use git, or (#4) git troubles?
10:42 <@vpnHelper> http://justinhileman.info/article/git-pretty/git-pretty.png
10:44 < hays> ordex: hold on.. i found something wrong.
10:44 < hays> the VPS can't get out to the internet. !!
10:48 < hays> i can get in but not out.. that's werid
10:50 < relaz> Krz, are you still there?
10:58 <@krzee> ya kinda
10:58 <@krzee> in and out, have people fumigating and various other workers digging and stuff
10:59 <@krzee> but im here now!
10:59 < relaz> it is still the same, weird thing is that the error is the log is the same even if the confs are different now
10:59 <@krzee> relaz: wanna show me the configs exactly as you're using now and the logs to go with them?
10:59 <@krzee> also be sure you're looking at the new log
10:59 < relaz> oky
10:59 <@krzee> timestamps
10:59 <@krzee> !logfile
11:00 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
11:00 <@krzee> you have log-append so the new log will always be appended to the old
11:00 <@krzee> so if you're looking at the start of the file, it wont change at all, because you configured it that way
11:06 <@krzee> say krzee when you reply so i look, ill be writing a script in the other window
11:13 < relaz> krzee are you talking with me?
11:14 < relaz> did you see the logs?
11:17 <@krzee> no, im waiting for you to post them
11:33 <@krzee> ..do you plan on doing that?
13:05 < wmchris> Hi. Is it possible to push two IP adresses to the same tap interface (like eth0, eth0:0, eth0:1 etc.) by connection to an vpn?
13:05 < wmchris> I have a special setup where I need multiple internal ip adresses over the same openvpn tunnel
13:07 < rob0> first thing, those ifconfig alias names ARE NOT interfaces
13:07 < rob0> second, usually tap is a bad idea, why do you think you want tap?
13:07 < wmchris> Tunneling public ip to another server.
13:08 < wmchris> I need level 2 for my setup.
13:08 < rob0> Linux net-tools (including ifconfig(8) and route(8)) are buggy and unmaintained for nearly 20 years.
13:11 < wmchris> However the tunnel works fine, but I need two client ips - of course I could simply add another virtual interface, but maybe there is a more clean solution?
13:23 < rob0> "virtual interface"?
14:59 -!- davimore_ is now known as davimore
17:24 < PrincessBob> !goal
17:24 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:24 < PrincessBob> !goal using a txt file to auto enter the id/password for windows 10... gives me errors
17:28 < PrincessBob> http://prntscr.com/fdl81w   directory where my config files are        http://prntscr.com/fdl8bb  my config file    http://prntscr.com/fdl8p2   log file of error http://prntscr.com/fdl8p2
17:28 <@vpnHelper> Title: Screenshot by Lightshot (at prntscr.com)
17:28 < PrincessBob> thanks for any help possible...
17:30 < PrincessBob> running windows 10 home 64 bit  openvpn gui 11.6.0.0  in admin...
17:51 < PrincessBob> http://prntscr.com/fdlg4g  is the 'correct'   log-file picture
17:51 <@vpnHelper> Title: Screenshot by Lightshot (at prntscr.com)
21:51 < simple_alex> Hi
21:52 < Uranio-235> simple_alex: hi...
21:53 < simple_alex> I have a problem with OpenVPN connect on android 6, can somebody help me here ?
21:54 < simple_alex> could not find solution in faq and google
22:12 <@ordex> !as
22:12 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
22:14 <@ordex> simple_alex: ^
22:18 < simple_alex> you are saying - OpenVPN Connect for iOS/Android - is commersial products  ?
22:19 < simple_alex> I've got OpenVPN connect for Andriod for free
22:19 <@ordex> simple_alex: that doesn't mean it is not commercial :P
22:20 < simple_alex> agree
22:20 <@ordex> it is provided by openvpn Technologies, inc. which means it is not maintained by the open source community
22:20 < simple_alex> so this is not right place for the questions about ?
22:20 <@ordex> here you only find the open source community working on the open source project
22:21 <@ordex> right
22:21 < simple_alex> ok thanks
22:21 <@ordex> np
22:21 < jayjo> How can I check if openvpn is running and accepting or listening for connections?
22:22 < jayjo> I am running on Ubuntu 16.04 LTS
22:22 < rob0> if you set it up for this, you have it:
22:22 < rob0> !management
22:22 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface, or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN, or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
22:23 < rob0> if you didn't, you have OS tools to check if it's running and if a socket is bound
23:12 < simple_alex> can you advise open source openVPN client for Android ?
23:13 < skyroveRR> "openvpn for android", simple_alex
23:13 < skyroveRR> Written by plaisthos whom you can find here :)
23:14 < simple_alex> thank you very much )
23:18 <@krzee> its actually opensource openvpn
23:18 <@krzee> what is your real question?
23:18 <+hyper_ch> I've been using OpenVPN Connect this far - works also fine
23:19 <+hyper_ch> but maybe I should switch to plaisthos' client so that I can bug him :)
23:20 <@krzee> i love his client
23:20 <+hyper_ch> with the openvpn connect I could just import the .conf (or rather .ovpn) file that contains keys and certs and works
23:21 <+hyper_ch> but while it's running, I can't download stuff from playstore
23:21 <+hyper_ch> been meaning to switch... but just never got around
23:23 <@krzee> his imports too
23:23 <@krzee> i normally need to import the keys and other files by hand, but thats quick and easy
23:23 <@krzee> and 1 time
23:24 <+hyper_ch> even if they are in the config file integrated?
23:24 <@krzee> plaisthos: you should make it scan same dir when given no path and the filename is in same dir if you ever get time :)
23:24 <+hyper_ch> (or make inline certs/keys work if it doesn't already)
23:24 <@krzee> if theyre inline then no problem, his importer puts them inline
23:24 <+hyper_ch> nice
23:25 <@krzee> it can also import pkcs12 into the android cert store
23:25 <@krzee> so its kinda whatever you want
23:26 <+hyper_ch> plaisthos = arne=
23:26 <+hyper_ch> ?
23:28 <+hyper_ch> yeah, I think that's him
23:28 <@krzee> yessir
23:28 <@krzee> look at his ident
23:28 <+hyper_ch> forgot about whois :)
23:51 <+hyper_ch> same issue... when arne's ovpn client runs I can't download from playstore either
23:56 <+hyper_ch> gotta get antoher raspberry today
23:58 < _FBi> good night guys!
--- Day changed Tue May 30 2017
00:11 <@krzee> hyper_ch: maybe they dont allow connections from where you bounce through
00:11 <@krzee> gnite _FBi
02:05 < murkx> Hi, i got a problem, windows 10 won't hold the connection and ends with status code 1 (after creators Update) (net-sh syntax probably has changed)
02:43 < relaz> krzee, are you there?
03:14 < phx> morning
03:15 < phx> using openvpn2.4, is there a way to disable cert verification? I have a peer with an expired cert, and if i could make openvpn to accept it, i could put the renewed certificate in place
04:34 -!- Netsplit *.net <-> *.split quits: @krzee
04:38 < relaz> who can give me an hand with a server configuration that doesnt work?
04:51 <@ordex> !ask
04:51 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
04:51 <@ordex> !configs
04:51 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
04:51 <@ordex> !logs
04:51 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
05:17 < relaz> I notice that to make my server working I have to create a empty dir in ccd, anybody know the reason?
05:20 <@ordex> !configs
05:20 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
05:20 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
05:20 -!- ServerMode/#openvpn [+o krzee] by barjavel.freenode.net
05:25 -!- stefanauss_ is now known as stefanauss
05:44 <@ordex> relaz: ^^ that was for you :)
06:22 < relaz> This is the server and logs, I noticed that I have to put an empty dir in ccd path to make the server work, and from the logs it seems that the server is not working but it works
06:22 < relaz> https://paste.fedoraproject.org/paste/ebGY4Hn5HlBYX72bS5OIfl5M1UNdIGYhyRLivL9gydE=
06:22 < relaz> any opinion? Thnaks
06:27 <+hyper_ch> krzee: well, I don't route everything through the vpn... and the endpoint is at the office... so when I'm connected to the office endpoint I shouldn't be able to access playstore eitehr when openvpn is not running
06:30 < relaz> ordex, I did that in the link :)
06:55 <@dazo> relaz: that log extract you provided indicates that the server closed the VPN tunnel completely for your client ... I strongly doubt that works
06:56 <@dazo> if it works, your client is either connected to a different VPN server instance, or the traffic goes over the LAN
06:56 <@dazo> (considering client IP is 192.168.1.163)
07:10 < relaz> the point is that I can see the tun interface and ping it
07:45 <@dazo> relaz: on the server or client?
07:46 <@dazo> Tue May 30 10:18:01 2017 us=293157 192.168.1.163:53174 Fatal TLS error (check_tls_errors_co), restarting
07:46 <@dazo> Tue May 30 10:18:01 2017 us=293162 192.168.1.163:53174 SIGUSR1[soft,tls-error] received, client-instance restarting
07:46 <@dazo> Tue May 30 10:18:01 2017 us=293195 TCP/UDP: Closing socket
07:46 <@dazo> those three lines indicates that the client was rejected by the server and the server closed the TCP connection
07:47 <@dazo> that is not discussable, that is the absolute and only truth
07:47 <@dazo> so ... run:  ps faxuww | grep openvpn
07:47 <@dazo> on the client
08:11 < relaz> dazo, if I want to set stati ip clients in the server, I read this article:https://dnaeon.github.io/static-ip-addresses-in-openvpn/
08:11 <@vpnHelper> Title: Static IP addresses in OpenVPN – Marin Atanasov Nikolov – A place about Open Source Software, Operating Systems and some random thoughts (at dnaeon.github.io)
08:13 < relaz> so I created the string client-config-dir /etc/openvpn/ccd/static_clients and inside the directory I create a file with ifconfig push ip client subnet mask
08:13 < relaz> but it doesnt work
08:15 < relaz> I set the permission with R openvpn:openvpn on the ccd dir also
08:15 < relaz> what I am doing wrong? I can paste the confs if you want
08:17 <@dazo> relaz: bump --verb in server config to 4 and pastebin the complete log from openvpn starts and until you stop the server process
08:24 < relaz> dazo, https://paste.fedoraproject.org/paste/S2v8wMAVxoiPQEdTukycC15M1UNdIGYhyRLivL9gydE=
08:28 < relaz> I read that the best practice to asssign static ips is with ifconfig-pool-persist
08:28 < relaz> so apparently no need of ccd and client conf, can somebody confirm?
08:29 < rob0> What's best might depend on your needs and other configuration, so no, that can't be confirmed.  But it is another way to do it.
08:32 <@dazo> relaz: that is not a complete log file with --verb 4
08:34 <@dazo> relaz: --ifconfig-pool-persist will not guarantee that an IP address is reserved for one particular client over time .... it is more like a guidance for the IP pool management logic, so if the pool is exhausted, openvpn will re-use an "inactive" IP address regardless if it is listed in the ipp file or not
08:35 < relaz> ok
08:36  * dazo heads out for a while
08:48 < relaz> dazo, this the confs and log https://paste.fedoraproject.org/paste/NmV4akhUKabECWUZhomq5l5M1UNdIGYhyRLivL9gydE=
08:49 < relaz> please have a look, I dont know what else can I change
09:16 <@krzee> actually it can be confirmed that it is NOT the best way
09:16 <@krzee> !ipp
09:16 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
09:18 <@krzee> relaz: about time you posted those, i checked back hours later yesterday and nothing... so what happened when you used --server instead of rebuilding it manually?
09:18 <@krzee> did *that* setup work?
09:20 < relaz> krz, I try the conf but it didnt work out
09:20 <@krzee> so with normal --server it didnt work?
09:20 <@krzee> yet you decided to make it more complicated anyways?
09:20 <@krzee> you didnt get the idea?
09:20 < relaz> yes I started again from just the server and biuld up
09:21 < relaz> and now Iam here again
09:22 <@krzee> but i asked if it worked with --server and you just said no
09:22 < relaz> I tried the conf that you sent me
09:22 < relaz> with the server and client
09:22 <@krzee> and it had problems?
09:22 < relaz> but it didnt work out
09:22 <@krzee> so you decided screw it, instead of fixing my setup ill make it more complicated
09:22 <@krzee> lol
09:22 <@krzee> good luck dude
09:23 < relaz> so this morning I tried to ping you to let you know that
09:23 < relaz> but you were away
09:23  * rob0 glues krzee to his IRC client
09:23 < rob0> that'll make you stick around!
09:23 <@krzee> ya no kidding rob
09:24 <@krzee> how dare i not be there 15 hours later when he gets around to ignoring my advice?
09:24 <@krzee> lol
09:24 <@krzee> if the simple config i gave you had problems you need to go back to the simple config and get help with that
09:25 < relaz> this is what I did
09:25 <@krzee> you dont discard the simpleness and go more complex
09:25 < relaz> I started again
09:25 <@krzee> umm no, you went back to wrong/complex
09:25 < relaz> no
09:25 < relaz> this is the last of 3 conf that I tried today
09:25 <@krzee> you didnt copy --server right, and its more complex than you should be troubleshooting right now
09:25 < relaz> I started from the basic one amd move up
09:26 <@krzee> since thats not even your problem it would be a waste of time to help you with it
09:26 <@krzee> you dont move back up until simple WORKS
09:26 <@krzee> welcome to troubleshooting *everything*
09:26 <@krzee> lol
09:26 < relaz> if you want I can paste the first one and the second one that was working
09:26 <@krzee> nah im going to /ignore instead
09:26 <@krzee> goodluck with the others
09:27 < relaz> thanks very much, this is the right spirit of the chan right
09:28 <@krzee> im a volunteer, if people ignore me i ignore them back
09:29 < relaz> I modified your conf from the basic
09:29 < rob0> I'll also add: krzee does a heck of a lot to help people, and he did try to help you also.
09:30 < relaz> I am saying that I modified the conf you gave me and moved up
09:30 < relaz> if you want I can even show you
09:30 < relaz> but now I am at the same level of yesterday
09:31 < relaz> the basi is working it is when I try to give a static ip to the clients that it stop
09:32 < relaz> the basic*
10:07 <@krzee> !as
10:07 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
10:07 <@krzee> very nice
10:07 <@krzee> hasnt gotten broken yet lol
11:30 < ConflictX> Hello :) How can i route though an over VPN client to act as a router?
11:30 <@krzee> what do you mean?
11:30 <@krzee> !goal
11:30 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:31 < ConflictX> ok, i have to VPC in aws. i need to connect between them. so i made a vpn server on 172.31.0.0/16, then created a machine on 172.20.0.0/16 and established a vpn connect to the public IP of 172.31.0.0/16.
11:32 <@krzee> so you want to access a lan behind the server
11:32 <@krzee> !serverlan
11:32 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
11:33 < ConflictX> krzee i get it but i want the VPN client to act as a route since i cant connect every machine at 172.20 to the vpn
11:34 < rob0> sonds like a !serverlan to me
11:34 <@krzee> right, but the vpn server can reach them over its lan, right?
11:34 < ConflictX> i dont understand what route do i need to add? 172.31 -> VPN CLIENT (router) -> VPN SERVER -> 172.31.
11:34 <@krzee> if so, thats !serverlan
11:34 < ConflictX> ok serverlan
11:35 < ConflictX> is ti iptables?
11:35 < rob0> so read the factoid and follow the flochart
11:35 <@krzee> !serverlan
11:35 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
11:35 <@krzee> ^^
11:35 < ConflictX> ok, let me see
11:35 < ConflictX> !route
11:35 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
12:15 <@plaisthos> krzee: it should already do that (scan in the same path)
12:16 <@krzee> oh weird, it never picks mine up
12:16 <@krzee> but then i click each one and pick manually, works every time
12:16 <@krzee> totally not an inconvenience
12:16 <@plaisthos> on modern android's it might guess the path wrong or does not even have the permission to read from the sdcard
12:17 <@krzee> well when i choose it lets me pick the file
12:17 <@krzee> so its gotta have permissions
12:17 <@plaisthos> but I think it should a text, click here to try or something like that
12:18 <@krzee> ya click here and choose each file, totally works
12:18 <@krzee> thats why its totally not an issue
12:18 <@plaisthos> then you probably have the permission and it did not find them
12:18 <@krzee> ya that ^
12:18 <@krzee> but its always just a subdir on the sd card that contained the imported config
12:19 <@krzee> by sd i mean internal storage
12:20 <@krzee> with no paths in the config file, just filenames that exist in the same subdir
12:20 <@plaisthos> when you import it next time look at the importing from URL if that looks like the app could get the path from that
12:22 <@krzee> it looks hella weird
12:22 <@krzee> importing config file from source content://com.android.externalstorage.documents/document/primary%3Amomvpn%2Fconfig.ovpn
12:23 <@krzee> i guess that explains that :D
12:23 <@plaisthos> that is actually is not that wird
12:23 <@krzee> oh, is to me
12:23 < rad1928> can i use iphone with openvpn
12:23 <@krzee> rad1928: yes
12:23 <@krzee> !iphone
12:23 <@vpnHelper> "iphone" is (#1) OpenVPN Connect is now available for iOS in the App Store (see also: !connect), or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline
12:23 <@plaisthos> my app should try to decode that to /sdcard/momvpn/Fconfig.ovpn
12:24 <@krzee> not the F, that was part of the / i guess
12:24 < rad1928> thanks
12:24 <@krzee> np
12:25 <@plaisthos> >>> urllib2.unquote("primary%3Amomvpn%2Fconfig.ovpn")
12:25 <@plaisthos> 'primary:momvpn/config.ovpn'
12:26 <@krzee> werd
12:26 <@krzee> ya its /sdcard/momvpn/config.ovpn when in adb
12:27 <@plaisthos> ah previous android version did not do urlencode (e.g. no %2F for /
12:27 <@krzee> and /sdcard is aka /storage/self/primary
12:29 <@plaisthos> yeah
12:29 <@krzee> lemme know if theres anything else you want me to do/try, i have it all handy
12:30 <@krzee> both normal and with inline p12 since i tested that other guys problem and determined it was him
12:30 <@plaisthos> nah, it is just a gimmicky feature nowaday, don't put too much effort in it
12:30 <@krzee> ya i dont blame ya, its so easy to just pick the files anyways
12:30 <@plaisthos> most people providing profile for openvpn nowaday have inline files anyways
12:32 <@krzee> i was unaware of that
12:32 <@krzee> its not a very common source of questions in here (inline stuff)
12:32 <@plaisthos> for the larger VPN provider
12:32 <@plaisthos> inline just almost always works
12:32 <@krzee> but you get far more android specific tickets so i def believe you
12:32 <@krzee> oh thats true too
13:01 <+hyper_ch> krzee: https://hardware.slashdot.org/story/17/05/30/171253/us-supreme-court-protects-consumers-right-to-refill-ink-cartridges-in-precedent-setting-lexmark-vs-impression-case
13:01 <@vpnHelper> Title: US Supreme Court Protects Consumers' Right To Refill Ink Cartridges In Precedent-Setting Lexmark vs Impression Case - Slashdot (at hardware.slashdot.org)
13:02 <@krzee> silly they needed the supreme court for that, but at least they got it right
13:02 <+hyper_ch> ink is more worth than gold ;)
13:02 <+hyper_ch> at least with "genuine" products
13:02 <@krzee> umm, i have a few pounds  of ink to trade you for gold of equal weight
13:03 <@krzee> and i can make the trade as often as you like
13:03 <+hyper_ch> ;)
13:03 <+hyper_ch> krzee: https://twitter.com/AaaaCushn/status/869187928085454848/video/1
13:04 <@plaisthos> hyper_ch: the openvpn on Android vs playstore is mainly a weird mtu/dns stuff
13:04 <@krzee> looks a little windy
13:04 <@plaisthos> but it is vpn depened and not app dependent
13:04 <@plaisthos> it works fine on on my devices
13:04 <+hyper_ch> krzee: you only have eyes for the girl it seems ;)
13:04 <@krzee> and the plants
13:05 <+hyper_ch> but the save electricty ;)
13:05 <+hyper_ch> no need to power those doors by electricity
13:07 <@krzee> hah i dare you to use one
13:08 <+hyper_ch> I'm swiss... I'm too slow for that
14:34 <@ecrist> krzee: I think that SCOTUS ruling is going to be far reaching
14:35 <@ecrist> I think it will roll into the "right to repair" stuff floating around, too
14:35 <@ecrist> like John Deere selling tractors but denying "licenses" for replaced parts claiming the software that runs the tractor is only licensed and not sold with the hardware
16:38 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Disconnected.]
16:39 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
16:39 -!- mode/#openvpn [+v s7r] by ChanServ
16:48 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Disconnected.]
16:49 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
16:49 -!- mode/#openvpn [+v s7r] by ChanServ
18:15 < mojtaba> Hello, does anybody know how can I issue timed client certificates?
18:15 < mojtaba> I want it to be revoked, e.g., after a month.
18:53 <@krzee> when you make the certs you should be able to say how long they are valid for
18:53 <@krzee> if not, its in the openssl.cnf
18:53 <@krzee> all PKI has a start and end date for validity
18:54 <@krzee> so they're all "timed certs"
19:01 <@krzee> ecrist: wow i hadnt heard about the john deer thing... im not even sure how i feel about that
19:02 <@krzee> i mean its their license to sell or not, so i support their decision... but on the other hand i dont like it at all and i strongly disagree that anything about the tractor somebody buys is actually licensed
19:03 <@krzee> but just because you own the tractor and the software on it, doesnt mean that they have to change their software to allow aftermarket mods
19:31 <@krzee> but they cant stop people from figuring it out
19:33 < havoc> krzee, ecrist: I think, legally speaking, it's going to be defining "tangible"
19:34 < havoc> think "vs. intellectual property"
19:35 <@krzee> how are they tryikng to stop people?
19:35 < havoc> although they can get around it already by redefining the purchase
19:36 < havoc> you're "leasing" vs. "buying", so it's not really yours, and the owner can dictate how it's used
19:36 < havoc> krzee: they can't necessarily stop someone, yet, but they can sue them
19:37 <@krzee> see, i dont like that
19:37 < havoc> self-bricking ECMs :(
19:37 < havoc> that would stop people
19:37 < havoc> Meraki's on that track now
19:37 <@krzee> if they did something special so only their stuff works, then id say they should be able to
19:38 <@krzee> but others should be able to try and get around that
19:38 <@krzee> much like iphone jailbreaking
19:38 < havoc> all they have to do is have it phone home periodically, or every time it's used
19:38 < havoc> krzee: that will likely be illegal
19:38 < havoc> at least that's the road this Society is on :(
19:38 <@krzee> not in the case of the iphone...
19:39 <@krzee> apple tried to get court to say jailbreaking is illegal
19:39 < havoc> just wait a few years
19:39 <@krzee> court said once the user buys it its theirs and they can jailbreak if they wanna
19:39 < havoc> there can always be another ruling
19:39 <@krzee> so apple tries to stop it through technology, and people bypass it
19:39 <@krzee> and the cat/mouse game continues
19:39 < havoc> yes
19:40 <@krzee> well ya im only talking about current law not conjecture about the future changes
19:40 < havoc> I'm juts commenting on the trends as I see them
19:40 < havoc> I sincerely hope to be mistaken
19:40 <@krzee> i dont disagree, but we're still here now
19:40 < havoc> ..or dead by the time it all happens
19:43 < havoc> legal is a bitch :(
19:44 < havoc> Wifie and I just turned down a ~$1500USD job primarily due to liability
19:44 < havoc> we're not legally/financially equiped for it yet
19:45 < havoc> heh, "Wife"
19:47 <@krzee> hey wifie was valid
19:47 < havoc> good enough :)
20:30 < icasdri_> Has anyone successfully used both chroot and client-config-dir options together. No matter what I do (even chmod 777 on the client config dir) it results in Permission Denied on the read attempt (when a client connects)
20:35 <@krzee> is the ccd dir a full path relative to the chroot?
20:35 <@krzee> maybe its not finding it
20:43 < icasdri> So it was finding the ccd... but I pinned down the problem. The although it had r-x (or rwx in the case of 777) on the ccd, I forgot to give it r-x (only r--) on the chroot directory itself. And so it was tripping up on entering the parent. Thanks!
20:44 <@krzee> ahh
21:57 -!- alexandre9099_ is now known as alexandre9099
--- Day changed Wed May 31 2017
00:13 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Disconnected.]
00:14 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
00:14 -!- mode/#openvpn [+v s7r] by ChanServ
01:24 < yuken_> Hi! Not 100% sure where to look for this issue. Followed DigitalOcean's guide on setting up OpenVPN, getting: https://gist.github.com/YukenK/b7eb64c7c96bbd4599ffe6315455507d
01:24 <@vpnHelper> Title: gist:b7eb64c7c96bbd4599ffe6315455507d · GitHub (at gist.github.com)
01:24 < yuken_> I am using a local SOCKS5 proxy.
01:28 < yuken_> ... Wait, my apologies. My problem, I believe, was using UDP rather than TCP and trying to use a SOCKS5 proxy with that. maybe.
04:08 -!- vader-_ is now known as vader-
04:08 -!- DanQuinney_ is now known as DanQuinney
04:08 -!- guampa_ is now known as guampa
04:09 -!- NightMonkey_ is now known as NightMonkey
04:10 -!- marlinc_ is now known as marlinc
04:10 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
04:13 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
04:13 -!- mode/#openvpn [+o mattock] by ChanServ
05:13 < lg188> Hi, I tried setting up an openvpn with udp and 1194 but the port doesn't seem to be listening
05:18 <@dazo> lg188: As root, run netstat -lntup | grep openvpn  .... that should give a clue
05:18 <@dazo> if you see it there ... then it's a firewall issue most likely
05:18 < lg188> snap
05:19 < lg188> it's there without LISTEN
05:19 < lg188> the tcp one is
05:19 < lg188> has it*
05:19 <+hyper_ch> !configs
05:19 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
05:20 <+hyper_ch> ah, too late :)
05:20 < lg188> the tcp and udp one are identical excpt for the port setting, port and cert files
05:20 < lg188> but I must have messed up the routing
05:21 < BtbN> UDP does not LISTEN
05:21 < BtbN> it's connectionless
05:23 < lg188> Mhm fair point BtbN
05:23 <@dazo> BtbN: It is listed in netstat ... it does not have the "listen()" call TCP sockets need, but it is listed as listening in netstat
05:23 < BtbN> it is, but not as LISTENing
05:23 <@dazo> ahh, right
05:24 <@dazo> I see what you mean now :)
05:24 < BtbN> there just aren't two types of UDP socket, they are all equal.
05:24 < BtbN> While for TCP one can be listening or not
05:25 < lg188> it's the -l thing, right
05:26 < lg188> ah I see the problem
05:26 < lg188> a wrong tls direction, again
05:27 <@dazo> lg188: not quite ... -l lists all sockets which can another (local or remote) socket can connect to
05:27 <@dazo> :)
05:27 <@dazo> lg188: if you're on v2.4 with all your clients ... you could move towards --tls-crypt instead of --tls-auth .... where you also don't need to care about tls direction
05:53 < lg188> dazo: I have no garantuee about that, but I'll write it down
06:18 < BaltecoTroll> dudes, i've got working eth bridge but can't ping anything except the server. and i see the messages Wed May 31 16:07:03 2017 us=987938 ow/10.20.0.109:2104 MULTI: bad source address from client [ff:be:12:58:87:fc], packet dropped
06:18 < BaltecoTroll> looks like i've forgot something?
08:13 -!- DeathShot_ is now known as DeathShot
10:24 -!- ptx0_ is now known as ptx0
12:46 < pinguin5> !welcome
12:46 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
12:46 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
12:47 < skyroveRR> !iporder
12:47 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
12:48 < skyroveRR> !mac
12:48 <@vpnHelper> "mac" is Use Tunnelblick for the Mac. (https://tunnelblick.net/)
12:48 < skyroveRR> !apple
12:48 < skyroveRR> !linux
12:48 < skyroveRR> !windows
12:48 <@vpnHelper> "windows" is (#1) computers are like air conditioners, they work well until you open windows., or (#2) http://secure-computing.net/files/windows.jpg for funny, or (#3) http://secure-computing.net/files/windows_2.jpg for more funny
12:48 < skyroveRR> !microsoft
12:48 < skyroveRR> !tip
12:48 < skyroveRR> !tips
12:48 < skyroveRR> !1925
12:48 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
12:49 < pinguin5> !goal
12:49 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:50 < pinguin5> !ask
12:50 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
12:51 < pinguin5> !paste
12:51 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee
12:52 <@vpnHelper> is also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
12:52 < pinguin5> !configs
12:52 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:07 < pinguin5> Hi, can someone please take a look at this configuration/output and maybe spot some errors, thank you https://gist.github.com/anonymous/1066622cafc174136d297325fb38fbcd
13:07 <@vpnHelper> Title: gist:1066622cafc174136d297325fb38fbcd · GitHub (at gist.github.com)
13:39 < BaltecoTroll> !help
13:39 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
13:51 < BaltecoTroll> dudes? any help with bridge config? i have working server-client link, no iptables/selinux, they _can_ ping each other but client can't ping other hosts. https://pastebin.com/R8Dz19Xu - here some logs and config
13:55 < DArqueBishop> BaltecoTroll: do you have IP forwarding enabled?
13:55 < DArqueBishop> !ipforward
13:55 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
13:55 < rob0> pinguin5, if no "initial packet received from [your client]", then the packet did not get there.
13:56 < rob0> perhaps a firewall issue?
13:57 < pinguin5> thank you for your answer, firewall accepts everything at the moment for testing
13:57 < BaltecoTroll> DArqueBishop https://pastebin.com/BexVS1bY
13:58 < BaltecoTroll> btw. it's vm under ms hyperv. is it important?
13:58 < pinguin5> but isnt there are problem on the server side if the last output is only "UDPv4 link remote: [undef]" shouldnt it be "Initialization Sequence Completed" even if no client connected yet?
14:01 < rob0> no
14:02 < pinguin5> oh ok, good to know that
14:04 < pinguin5> but it seems that the openvpn server does not run properly because netstat -l | grep 1194 returns nothing
14:04 < rob0> it's a UDP socket
14:05 < rob0> and without -n maybe the port name is used?  Lose the grep
14:06 < pinguin5> true with -n "udp        0      0 0.0.0.0:1194            0.0.0.0:* "
14:15 < pinguin5> do I really need the forwarding in iptables if only one client in the subnet needs to connect to the server (in the same subnet)
14:23 < pinguin5> thank you for your help rob8, but I need to leave now, I need to inspect that later, bye
17:22 -!- hanna` is now known as hanna
17:30 < iratedownloader> can OpenVPN be configured to connect only when on a specific WiFi network in windows?
17:33 <@dazo> iratedownloader: not openvpn itself, you'll need to have some other tools activating your VPN tunnel ... I don't know of such tools though, but might be possible to use powershell
17:34  * dazo is not a Windows user ... so not of much help for concrete windows solutions
17:34 < iratedownloader> i want to automate with Private internet access, it itself doesn't have a solution...@dazo are you an android user?
17:35 <@dazo> Yeah, I use CM release currently (haven't had time to upgrade to lineagos yet)
17:36 < iratedownloader> how could I achieve something like this on android? Like I want PIA to turn On everywhere except my home network...is such a setup possible?
17:36 <@dazo> I've not tried that .... plaisthos might have some ideas, though
17:37 < iratedownloader> kk....
18:56 <@krzee> theres an android app that can do a lot named tasker
18:56 <@krzee> no idea if it can start a tunnel or not tho
19:30 <@krzee> i guess it could if it was CLI openvpn compiled for android
19:30 <@krzee> cause then tasker could run scripts that start/stop the tunnel based on which wifi you're on
19:50 < lorimer> i've actually been looking at that some on my own phone. on trusted wifis i dont need the tunnel, but on hotel wifis i'd like to have a hook to autoconnect immediately upon T&C accept or similar
19:51 < lorimer> not sure what events are exposed internally to android for that sort of thing (autoaccept t&c), but i haven't looked closely either so.
19:56 <@krzee> me neither, i think you need to start it manually
20:42 <@ordex> morning
22:18 <@krzee> moin
22:34 <@ordex> :)
--- Day changed Thu Jun 01 2017
01:07 <+hyper_ch> krzee: online?
02:09 < bm371613> !welcome
02:09 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
02:09 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
02:11 < bm371613> !goal lower client CPU usage (100%)
02:12 < bm371613> !goal
02:12 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
02:13 < bm371613> I would like to lower client CPU usage, which is 100%
02:16 <@ordex> bm371613: the openvpn process by itself is taking 100% ?
02:16 <@ordex> are we talking about the server ?
02:17 < bm371613> ordex: client
02:18 <@ordex> oh ok..are you doing a lot of traffic ? or does it happen also when the client is idle ?
02:18 < bm371613> no traffic at all
02:18 < bm371613> right after it's started
02:19 <@ordex> bm371613: maybe the log may help. not sure which verbosity might be the right one…but how about increasing verb to 4, launching the client and then pasting the log ?
02:34 < bm371613> !paste
02:34 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee
02:34 <@vpnHelper> is also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
02:37 < bm371613> ordex: https://pastebin.com/raw/5S7V6pF6
03:03 <@ordex> bm371613: seems like the client isn't doing much
03:04 <@ordex> bm371613: did you verify with top that openvpn is really the process holding the cpu ?
03:04 <@ordex> maybe it is just a trigger something else
03:08 < bm371613> I see in htop that this tmux new -s vpn "openvpn --config /home/bartek/.openvpn/uber.ovpn --verb 4 2>&1 | tee /tmp/vpn.log"
03:08 < bm371613> takes 100% CPU
03:09 < jiquera> what does the following message mean: "WARNING: Failed to stat CRL file, not (re)loading CRL."
03:11 <@ordex> jiquera: something is wrong with your crl file: did you specify a non-existent file? or did you move it after startup?
03:12 <@ordex> bm371613: how about the openvpn process alone? there should be a line with it, no ?
03:13 < jiquera> lemme check the filepaths etc
03:14 < jiquera> i specified crl-verify in the config file with an absolute path
03:14 < jiquera> and at that location is a file which contains b64 text starting with -----BEGIN X509 CRL-----
03:15 < jiquera> thats how it's supposed to be?
03:15 < jiquera> ca.crl is generated by easyrsa
03:15 < bm371613> ordex: ah I think you're right, after switching to process tree view I see openvpn separately and it's not consuming CPU. I did not expect tmux to do that. thanks for help!
03:16 < jiquera> but now you mention it... i do drop root rights
03:16 <@ordex> bm371613: np
03:16 <@ordex> jiquera: maybe the file is not accessible then
03:16 < jiquera> rw-r--r--
03:17 < jiquera> is that accessible by nobody?
03:17 < jiquera> it should be right?
03:17 < jiquera> read all?
03:18 < jiquera> it has a file date in 1970 (due to time initialisation issues)... does that matter?
03:33 < jiquera> touched the file
03:33 < jiquera> didnt help
03:34 < jiquera> ah for statting you probably need read access to the parent folder right
03:34 < jiquera> i think it goes wrong there
03:51 < jiquera> yup confirmed, stat requires execute right on all the folders... which i dont have because i wanted everything in one folder... pffff and we redesign the setup again :)
05:06 < mgcrea> Hey, I've had trouble with corrupted SSL packets on latest Intel NUC CAYS (Apollo Lake), I've opened a ticket (#897) and was aked to join IRC for realtime debug, if anyone wants to help I'm up for some debugging. Thanks!
05:28 < aryan123> Hello, anyone around please ?
05:32 <+hyper_ch> no
05:32 < aryan123> Hello !
05:32 < aryan123> hyper_ch: thanks
05:33 < aryan123> whiile I try to connect to the server, I get error L=:  ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Thu Jun 01 16:10:11 2017 VERIFY EKU O
05:33 < aryan123> whereas I have allowed the udp to go through
05:34 <+hyper_ch> !configs
05:34 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
05:36 < aryan123> hyper_ch: what may be the issue for the stuck on that ?
05:37 <+hyper_ch> see above
05:42 <+hyper_ch> !configs > aryan123
05:42 <+hyper_ch> !configs
05:42 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
05:42 < aryan123> hyper_ch: here it is http://dpaste.com/3G9HBP1
05:43 < aryan123> should I also send you the iptables -S ?
05:44 <+hyper_ch> nah..... looks pretty find though
05:46 < aryan123> hyper_ch: so, what may be the issue ? Firewall ?
05:48 <+hyper_ch> whats in the log?
05:53 < aryan123> hyper_ch: its working in TCP but not in UDP
05:53 < aryan123> may be the UDP is blocked through my VPN server's ISP ?
05:53 <+hyper_ch> maybe... tried another port with udb?
05:53 <+hyper_ch> udp
05:55 < aryan123> no, didn't :P
05:56 < aryan123> shall I try
05:56 < aryan123> ?
05:56 <+hyper_ch> 546/547 could be options
05:56 <+hyper_ch> dhcpv6 client/server
05:56 < aryan123> UDP is faster than TCP ?
05:56 <+hyper_ch> yes
05:56 <+hyper_ch> as it doesn't check if packages comes in right order or something
05:57 <+hyper_ch> but there's smarter people here that can better explain it
05:57 <+hyper_ch> or port 53 (dns) - just for testing
06:04 < wget> Hello everyone. What's the best bet to push dns option using openvpn?
06:04 < wget> I tried with the dns servers fields in the opnsense webui, used the advanced configuration by specifying push "dhcp-option DNS <IP address>", even tried on the client side, but this is not working :-/
06:04 < wget> I'm using OpenVPN 2.4.2 on freebsd (opnsense)
06:04 < aryan123> hyper_ch: 546 worked :D
06:05 < aryan123> thanks
06:05 < wget> I'm aware there is a change with 2.4 "Do not restart dns client service as a part of --register-dns processing"
06:05 < wget> https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
06:05 <@vpnHelper> Title: ChangesInOpenvpn24 – OpenVPN Community (at community.openvpn.net)
06:12 < aryan123> hyper_ch: and now, not working :(
06:14 <+hyper_ch> no idea
06:14 < aryan123> does ISPs block UDP ?
06:20 <@ordex> you should ask your ISP :P
06:20 <@ordex> hehe
06:26 < aryan123> :P ordex
09:42 < mgcrea> Hello, anyone around to help debug https://community.openvpn.net/openvpn/ticket/897?
09:42 <@vpnHelper> Title: #897 (OpenVPN not working (tls-auth) on Apollo Lake?) – OpenVPN Community (at community.openvpn.net)
09:56 <@plaisthos> mgcrea: I replied to your ticket
09:57 < mgcrea> Thanks! By other client do you have sth in mind? I only always used OpenVPN on Ubuntu
09:57 < mgcrea> I'll try the client configs right away!
09:57 <@plaisthos> not on this processor
09:58 <@plaisthos> since you expliclity mentioned Apollo Lake
09:58 <@plaisthos> so it is not clear if Apollo Lake or non Apollo Lake makes a diffrence from the ticket
09:59 < mgcrea> We have almost every model of Intel NUC with the exact same setup and we don't have issues with OpenVPN.
09:59 < mgcrea> So it looks like there is something with this CPU or network card.
09:59 <@plaisthos> might be an openssl bug
10:00 <@plaisthos> if you feel adventerous you can also compile openvpn with mbedtls
10:02 < mgcrea> Tried tls-version/tls-cipher switches but no luck.
10:03 < mgcrea> Regarding mbedtls, would https://launchpad.net/~chris-lea/+archive/ubuntu/openvpn-mbedtls work?
10:03 <@vpnHelper> Title: openvpn-mbedtls : chris lea (at launchpad.net)
10:06 < mgcrea> Hum, no more luck with mbed-tls.
11:50 < zamba> how do i set up routed multicast over an openvpn tunnel?
12:48 < Ariel_> Hello, is it true that apps like Onavo can speed up your internet connection ? (by compressing data)
14:22 < RoyK> any ideas where I can find docs on using let's encrypt certificates with openvpn? All I can find on google is about AS, which I donæ't have
14:23 < anexit> RoyK: Not much to it, just have LE gen the ca and key files
14:23 < anexit> You could probably hack easy-rsa
14:24 < anexit> but if using LE.. then just use certbot to gen the files
14:24 < anexit> The only concern is.. you need a way for users to pull new key files
14:25 < anexit> -> devices
14:27 < DArqueBishop> RoyK: if you care at ALL about security, you don't.
14:27 < DArqueBishop> Anyone with a valid LE certificate would be able to connect.
14:30  * RoyK has learned that availability == security, so that must be a win-win situation
14:31 < DArqueBishop> No.
14:33 < DArqueBishop> I mean, if you WANT to do it, sure, but it's akin to not locking the doors.
14:39 < Tykling> surely he means on the server side
14:41 < DArqueBishop> Tykling: like I said, if you use a public CA for certs then ANYONE with a cert signed by that CA will have access to your VPN.
14:41 < DArqueBishop> The much safer and saner option is to use your own private CA.
14:42 < Tykling> DArqueBishop: that makes no sense but I'm too tired to argue :)
17:41 < SCHAPiE> anyone else using streebog for HMAC?
18:36 <@krzee> Tykling: it makes sense if you understand pki
18:37 <@krzee> !pki
18:37 <@vpnHelper> "pki" is (#1) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed specially as a server (see !servercert), or (#2) !certman for various PKI management tools, or (#3) see !intro-to-pki
18:37 <@krzee> in the context of openvpn you want self-signed PKI
18:37 <@krzee> from your own CA
19:28 -!- alexandre9099_ is now known as alexandre9099
20:33 < iratedownloader> commands to turn OpenVPN On and off via cmd?
21:33 < iratedownloader> When I launch openVPN, i want to automatically connect to a specific server whose config file has been loaded in OpenVPN...how can I do that? And is there an exit openVPN command line?
21:51 < iratedownloader> When I launch openVPN, i want to automatically connect to a specific server whose config file has been loaded in OpenVPN...how can I do that? And is there an exit openVPN command line?
21:52 < vectr0n> no need to repeat, the chan is slow atm,  have to wait
21:53 <@ordex> iratedownloader: on windows?
21:53 < iratedownloader> Yes
22:04 < iratedownloader> And since replies are slow...Here is my next question, How can I configure a kill switch to work with OpenVPN on Windows 10
--- Day changed Fri Jun 02 2017
00:14 <@krzee> iratedownloader: what OS are we talking about for the auto-connect and exit openvpn?
00:14 <@krzee> and wtf do you mean by killswitch? and what would the killswitch do?
00:22  * krzee thinks the killswitch should make the computer explode
00:24 <@krzee> iratedownloader: assuming you want the autostart thing on windows, you probably want to be using the windows service instead of the GUI
00:24 <@krzee> as for stopping openvpn from CLI in windows, i have no idea honestly... im not much of a windows user
01:06 < iratedownloader> @krzee look up what kill switches are in VPN software, they can explain better than me typing here.
01:51 <@krzee> meh
01:52 <@krzee> dont really care enough, if you decide to explain what you want feel free, or dont
02:04 < iratedownloader> God, so much attitude to answer a question... NVM, thanks for your help.. I'm glad people like are in a minority here on freenode. :)
02:05 < iratedownloader> *like you
02:57 <@krzee> lol he came to a help channel and told me to google what he wanted
02:57 <@krzee> i should put more work into helping him than him?
02:58 < vincenet> !welcome
02:58 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
02:58 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
02:58 <@krzee> !goal
02:58 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
02:59 < vincenet> !howto
02:59 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
03:00 < vincenet> !route
03:00 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
03:09 < vincenet> hello, I am looking for keywords to improve my working config. I try to describe the problem:
03:10 <@krzee> ok
03:10 <@krzee> !goal
03:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:15 < vincenet> on a dragino board (openWrt), before setting up the openVpn, I can access the board using ethernet and wifi and also the board can connect to internet using a 3g dongle. But after start the openvpn client, only one of these interface work (not all together) like an exclusive feature. As example, if I let the 3g connect to server using vpn, then connect the ethernet and disconnect usb dongle to stop, it will recover the link only af
03:15 < vincenet> I am not sure bridging feature is a good start to correct this, am I correct ?
03:16 <@krzee> no
03:16 <@krzee> so let me ask a couple things
03:16 <@krzee> the openwrt machine is running openvpn as a client, and redirects its internet over the vpn connection?
03:18 < vincenet> it is not the aim but I think it is indeed the current behaviour. Goal of the vpn is simply to use ssh command from server.
03:19 <@krzee> do you run the server?
03:19 < vincenet> yes
03:19 <@krzee> !configs
03:19 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
03:20 <@krzee> do that and give me the links to them, ill tell you if you're redirecting your internet over the vpn and how to stop it
03:20 <@krzee> im guessing you followed some blog from google
03:21 <@krzee> usually its right to google how to do something, but with openvpn thats not often the case =/
03:21 <@krzee> !blog
03:21 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
03:23 < vincenet> !paste
03:23 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee
03:23 <@vpnHelper> is also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
03:29 < vincenet> @krzee please find my config here https://paste.fedoraproject.org/paste/5zh5Lon3f2VnjCxOLna6s15M1UNdIGYhyRLivL9gydE=/raw
03:33 <@krzee> and server?
03:36 <@krzee> oh sorry its in ther
03:36 <@krzee> ok, so what lan subnet is the client on
03:36 <@krzee> ?
03:37 <@krzee> and what lan subnet is the server on, or is it on one?
03:39 < vincenet> i am copying ifconfig
03:40 <@krzee> are you trying to share lans behind the server or client?
03:42 < vincenet> yes, behind the client : (server output) cat /etc/openvpn/ccd/client15  iroute 192.20.115.0 255.255.255.0
03:43 <@krzee> but your server doesnt have client-config-dir /etc/openvpn/ccd
03:44 <@krzee> so that ccd entry never gets used
03:44 <@krzee> !ccd
03:44 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
03:44 <@krzee> what is 192.168.1.0 ?
03:45 < vincenet> see https://paste.fedoraproject.org/paste/K7qRa7ItRWe9sEeLnPvCR15M1UNdIGYhyRLivL9gydE=/raw and read : yes, behind the client : (server output) cat /etc/openvpn/ccd/client15  iroute 192.20.115.0 255.255.255.0
03:45 < vincenet> 192.168.1.0 lan on server side
03:45 <@krzee> remove that push route
03:45 <@krzee> thats your problem
03:46 <@krzee> your server is pushing a route to your client telling it to route that subnet over the vpn
03:46 <@krzee> but your client has that subnet on eth0
03:46 <@krzee> so funny stuff happens
03:46 <@krzee> and your client lan could not have been working because of the ccd thing above ^
03:47 <@krzee> so fix those 2 things and let me know how it is
03:47 <@krzee> and do you need other clients to be able to access 192.20.115.0?
03:48 < vincenet> yes
03:48 <@krzee> !clientlan
03:48 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
03:48 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
03:48 < vincenet> in fact no
03:48 <@krzee> just the server needs to access it?
03:48 <@krzee> then you dont need the push route, you still need the rest
03:49 < vincenet> but I need to create an other subnet behind the client
03:49 <@krzee> whatever, just treat it the same
03:49 <@krzee> to openvpn its just another lan behind that client
03:49 < vincenet> maybe I should setup a dhcp server on dragino (remote) side.
03:49 <@krzee> why?
03:50 <@krzee> oh for its lan?
03:50 <@krzee> thats outside the scope of here
03:50 < vincenet> yes I will see after
03:50 <@krzee> did you do those 2 things?
03:50 < vincenet> I was confusing because for testing purpose I am in the same lan !
03:51 <@krzee> then you really cant push the lan subnet over the vpn
03:51 <@krzee> lol
03:52 < vincenet> let me try the things, I come back in few minutes
03:52 <@krzee> need more help before i leave?
03:52 <@krzee> read my doc at !route a few times
03:52 <@krzee> and do the 2 things i said to do, and then follow !clientlan
03:52 < vincenet> I think I understand my error, thanks
03:52 <@krzee> np
03:54 <@krzee> oh and you may want to change ciphers
03:54 <@krzee> !sweet32
03:54 < vincenet> I would like to see an other approach
03:54 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
03:54 <@krzee> what other approach? you just need to properly configure your routing
03:55 < vincenet> may be I want only 3g interface use vpn
03:55 <@krzee> then set the route to your vpn server to use that interface
03:55 <@krzee> thats just basic networking ;]
03:56 <@krzee> unrelated to the openvpn stuff
03:59 <@krzee> if you happen to not understand how a routing table works, stop now and learn that first
03:59 <@krzee> it's necessary for your goal
04:01 < vincenet> at that moment, I only comment the push line
04:01 < vincenet> that breaks previous client
04:02 <@krzee> ya that had no purpose in your config
04:02 <@krzee> except to break stuff
04:04 < vincenet> may be you need my use of open vpn and my understanding to correct me.
04:05 <@krzee> you were supposed to have explained that already, if you have been hiding part of your goal thats on you
04:06 <@krzee> but since you cant share the server lan to the client who is on the same lan, i am certain the only purpose it served was breaking stuff
04:07 < vincenet> I need to precise what is other client installation to keep compatibility
04:08 <@krzee> also if it was on the same lan why would you obfuscate the remote line?
04:10 < vincenet> so for previous remote client (one 3g router + one computer board). from server I do ssh root@192.20.114.1 to access the router or ssh root@192.20.114.2 to access the computer behind.
04:10 <@krzee> and once again
04:10 <@krzee> !clientlan
04:10 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
04:10 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
04:11 <@krzee> which means you need:
04:11 <@krzee> !ccd
04:11 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
04:11 <@krzee> which isnt in your server config
04:11 <@krzee> but i told you this already, so im going to sleep
04:11 <@krzee> goodnight =]
04:11 < vincenet> thanks and goodnight
04:15 <@ordex> night? mah
15:43 < ldiamond_> I can't connect to my openvpn server. Server says "TLS: Initial packet from [AF_INET]"
15:44 < ldiamond_> The client says 'Server poll timeout, trying next'
15:44 < ldiamond_> my firewall is supposed to have 1194 open
15:44 < ldiamond_> the server does get the "initial packet"
15:47 < ldiamond_> 4
15:47 <@dazo> ldiamond_: boost --verb to 4 on the server side and see if it says something more useful
15:47 <@dazo> or even --verb 5 ... that gives you lots of RW markers when a packet is received or sent
15:48 < rob0> or maybe verb 5?  to get the WR for each Write and Read?
15:48 < rob0> gmta
15:48 <@dazo> if you only see a single R and several W ... that sounds like a firewall issue, where you only allow NEW packets and not ESTABLISHED packets
15:50 < ldiamond_> dazo: upped to 11: https://gist.github.com/lewisdiamond/bc5c86dde50dacfef41642ab1f47b8b2
15:50 <@vpnHelper> Title: gist:bc5c86dde50dacfef41642ab1f47b8b2 · GitHub (at gist.github.com)
15:56 -!- |Mike| [mike@2001:19f0:5001:21c::3] has quit [Read error: No route to host]
16:00 < ldiamond_> sry if you responded
16:00 < ldiamond_> I didnt get it I was disconnected
16:00 < ldiamond_> trying to fix it
16:01 <@krzee> they did, we want to see verb 5 logs from both sides
16:02 < ldiamond_> can I set the log level on android?
16:05 < ldiamond_> I set verb 5 in my .ovpn and doesn't show anything more
16:06 < ldiamond_> idk if it works on android though
16:14 < ldiamond_> getting a laptop ready to test it
16:14 < ldiamond_> bb in 1hr
16:34 <@krzee> ya i agree with that, test from a computer before a phone
16:35 < Invisius> hi all, having some trouble on my linux boxes using networkmanager. they won't accept MD5-based .ca certs anymore
16:35 < Invisius> is there any way to generate a sha256 ciper cert with the easyrsa?
16:36 <@krzee> thats not the cipher its the hash, but yes
16:36 <@krzee> !easy-rsa
16:36 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
16:37 < Invisius> ok thanks, I'll have a read
17:35 <@krzee> Invisius: hows that going?
17:42 -!- hanna` is now known as hanna
17:49 -!- marcoslater_ is now known as marcoslater
17:53 < jasonwc> Is the OpenVPN for Android app in any way affiliated with the OpenVPN project?  I was previously using the official OpenVPN connect app but it has not been updated since May 2016 and does not support tls-crypt.  The OpenVPN for Android app supports tls-crypt and allows tweaking config settings, which is nice. Can anyone comment as to whether this app is secure?
17:54 < Eugene> !android
17:54 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html, or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android, or (#3) For a difference between the clients see http://ics-openvpn.blinkt.de/FAQ.html#faq_androids_clients_title, or (#4)
17:54 <@vpnHelper> Really old (<4.0) see !android-old
17:55 < Eugene> Presumably you're referring to the same package; this is the recommended open-source client still, yes.
17:56 < jasonwc> Yes, that is the one I am using.
17:57 < jasonwc> I didn't realize that the official OpenVPN Connect app was closed source until I read the FAQ.
17:57 < Eugene> Yup, its part of the Access-Server Suite. Same basic thing inside as the open-source package
17:59 < jasonwc> The code appears to be older on the OpenVPN connect app, given that it hasn't been updated since May 2016. It supports most of the 2.4 features such as AES-GCM, but not all, since tls-crypt doesn't work.  OpenVPN for Android shows the version as 2.5 (May 11, 2017) build
18:00 < Eugene> I honestly don't even use Android any more, sorry
18:01 < jasonwc> np, you've already answered my question.  Thanks.
18:01 < jasonwc> I just wanted to make sure I wasn't using some random app that is infested with malware :)
18:02 < Eugene> Presumably not, but there is a reason that we link directly to the Play store listing: android packaging is shit
18:02 < Eugene> Google's review process for malware basically doesn't exist, and never really has. So much garbage in their store
18:03 < jasonwc> Yup, hence my concern
18:03 < jasonwc> I'll be moving to iOS when the iPhone 8 releases.  I started using Android for the Nexus program and they killed that.
18:03 < jasonwc> They want a closed garden too; they just have a shittier one.
18:05 < Eugene> I started way back with the G1 because it was a linux phone. And indeed, they are not commited to open hardware. They honestly never were - the Nexus program was an internal device-acquisitions program for their developers that they opened for "developers" - it was never seriously intended or capable of being a useful device for normal people.
18:06 < Eugene> I gave up and bought an iPhone SE. Much cheaper than the flagship model
18:06 < Eugene> Once upon a time there was an actual Android Open Source Project that cared. All of those people have been promoted or quit etc
18:25 < jasonwc> Yeah, it's too bad.  The security is awful as well.
18:26 < jasonwc> And the user experience is just poor.  Despite the faster hardware, iOS has always felt smoother/more responsive.
18:43 < Eugene> That is directly attributable to iOS' "native code" vs Android's JVM stack
18:43 < Eugene> Turn out that UX responsiveness of Java sucks ass. Who knew?
19:32 <@krzee> Eugene: connect is actually opensource too, but its a totally different code source, it is "openvpn 3" which is a c++ rewrite that is wire compatible
19:32 <@krzee> !connect
19:32 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide, or (#2) the source is here: https://github.com/OpenVPN/openvpn3 except for the portion that may not be released
19:32 <@vpnHelper> because of NDA with apple (for its vpn API), or (#3) It is impossible to retrieve your configuration from Connect itself. This is by design. Keep a copy of your config (and any certs/keys/etc that go with it) someplace safe, and where you can find it later
19:32 <@krzee> source there ^
21:10 < Classsic> hi everybody newbie here :)
21:11 < Classsic> somebody know if I allow client-to-client the traffic go through server?
21:12 <@ordex> the traffic always goes through the server
21:12 <@ordex> although it doesn'
21:12 <@ordex> t get spitted out
21:12 < Classsic> i'm not sure about that
21:14 <@ordex> then try :P
21:15 <@ordex> clients establish connections with the server only, therefore the traffic must pass from there
21:15 <@ordex> they do not establish direct connections between themselves
21:17 < Classsic> ok, because sometime when clients are on same lan, I think go p2p connection
21:22 < ldiamond1> Alright I didnt change anything to my server and now I can connect to it
21:22 < ldiamond1> anyways... I connect to the VPN but I can't reach the router
21:23 < ldiamond1> i.e. 10.1.1.1 doesnt respond
21:25 < ldiamond1> there's a route saying 10.1.1.1 via 10.1.1.5 dev tun0 on the client
22:28 < Classsic> how I can set dhcp range?
23:06 <@krzee> Classsic:
23:06 <@krzee> !goal
23:06 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:06  * skyroveRR throws a large cookie at krzee 
23:06 < skyroveRR> o.o
23:06 <@krzee> !botsnack
23:06 <@vpnHelper> "botsnack" is Om nom nom!
23:07  * krzee gave it to vpnHelper
23:07 < skyroveRR> o.o
23:16 < Classsic> ok, I need cluster vpn for more than 1000 clients, like mesh network.
23:19 < Classsic> not, really mesh, but something like that.
23:34 < classsic_> ?
23:34 < Eugene> krzee - is that related to the iOS code too?
23:42 <@krzee> Eugene: yes, only the parts that are specific to the NDA signed with apple are not included
23:42 <@krzee> classsic_: ok so you will want to run a few vpn servers and link them to eachother
23:43 <@krzee> classsic_: depending on your servers you may be able to handle that on a single server with multiple server processes
23:43 <@krzee> openvpn is single threaded, so you can only handle so many clients per core
23:43 <@krzee> but you may run multiple instances on different ip:port
23:44 <@krzee> each one will need a different --server subnet, and then you'll need proper routing
23:44 <@krzee> if you're talking some sort of mesh you'll need to master routing protocols that are outside the scope of this channel
23:45 < classsic_> ok, maybe openvpn is not intended for my porpose
23:49 <@krzee> many people and companies have achieved your goal with it
23:49 <@krzee> and with any solution you use, know that layer2 is a bad idea
23:49 <@krzee> it doesnt scale to the level you want
--- Day changed Sat Jun 03 2017
01:19 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 255 seconds]
01:23 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
01:23 -!- mode/#openvpn [+o dazo] by ChanServ
02:29 < multi_io> does anyone use the https://hub.docker.com/r/kylemanna/openvpn/ image and can tell me whether it REQUIRES you to generate a client certificate?
02:30 < multi_io> my client will have chaging IPs and no hostname or anything, and I'm afraid it'll want to validate those against something in the client cert.
04:11 < pagz> !goal
04:11 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:12 -!- whoa2 is now known as whoa
05:24 < labelette> hi, is there a simple way to identify the root of a saturating process in a openvpn server? how to correlate the PID with a specific client connection?
05:50 <@ordex> labelette: I think you have one single PID (matching the openvpn server) for all the connected clients
05:51 < labelette> @ordex: yep I think you are right I was doing some investigation after sending my message here and I went to the same conclusion..
05:51 < labelette> @ordex: so you think there is no way to know better about which instance/user is using the cpu
05:52 <@ordex> I Don't think it is that easy
05:52 <@ordex> it might well be all of them combined
05:53 <@ordex> not just one
05:53 <@ordex> you may check the traffic per client and see who's doing more than others
05:57 < labelette> ordex: yep that's weird as for the same level of global trafic on the server another server has only 10% cpu usage
05:57 < labelette> so perhaps it is something else
06:00 <@ordex> how about increasing a bit the log level and see if you get something ?
06:00 <@ordex> are the settings exactly the same ?
06:00 <@ordex> maybe there is a higher numnber of reconnection/renegotiations
06:01 < labelette> ordex: yep settings are the same, perhaps increasing log is a good idea
08:30 <@krzee> labelette:
08:30 <@krzee> try the management interface
08:30 <@krzee> maybe in status you can see counters going up
08:30 <@krzee> !management
08:30 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface, or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN, or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
08:52 -!- Vampire0_ is now known as Vampire0
08:55 < labelette> krzee: thanks interesting will take a look as we already monitor the server
08:56 <@krzee> if its cpu odds are its mostly going to packet switching between userland and kernel
08:56 <@krzee> more and more traffic should make that go up
08:57 <@krzee> so id assume scanning the Bytes Received,Bytes Sent for each user every 5min or so should make it very oibvious
08:57 <@krzee> obvious*
08:58 <@krzee> then depending on what your server is an your TOS you could even sniff the VPN ip on the tun device and see what the traffic is
08:59 <@krzee> like if its an office server and you suspect the user is torrenting on it or something
10:27 < labelette> krzee: yep that's weird as a restart of openvpn didnt solve the issue only during the restart
10:28 <@krzee> well im sure everything reconnected and started going back at it
10:28 < labelette> exactly
10:28 <@krzee> how much throughput do you have going through tun device?
10:28 <@krzee> iftop may help
10:28 < labelette> so there is a way to have a table like with the top talker client ?
10:29 <@krzee> did you see what i told you about the management interface?
10:29 < labelette> yes I did , I am unfamiliar to this but I am taking a look
10:31 <@krzee> !factoids mana
10:31 < labelette> it is very unlikely an issue on this as I am comparing both server together and I see a total of 20mbit/s
10:31 <@krzee> !factoids search mana
10:31 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface, or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN, or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
10:31 <@krzee> whats the cpu?
10:31 <@krzee> remember, openvpn only uses 1 core
10:32 < labelette> krzee: yep it is not too strong it is a vm I need to see with the guy who build it
10:33 < labelette> but I have about 4 times the trafic on the other server and cpu is sleeping
10:33 <@krzee> heh
10:34 <@krzee> so its virtual inside virtual
10:34 < labelette> :)
15:48 < pagz> is the web gui only apart of the AS package ?
15:51 < rob0> not sure about Windows, but for Unix/Linux, yes.
16:04 < pagz> yeah linux package is what im running.... thanks
16:45 < h22turbo> Can somebody tell me the "common" cause of slow OpenVPN performance? I setup OpenVPN on my server (dedi @ ovh in canada). It's 100 mbit/s unmetered... speedtested and verified speeds are good. My home cable internet is also 100 mbit down and 10 mbit up... speedtested and everything is good. Now, when i connect to my VPN, i can only get 6-8 mbit/s doing anything. speedtest, downloading a torrent or anything etc etc. Does anyone know the common causes
16:45 < h22turbo> for slow VPN performance or tell me where i should start troubleshooting?
16:56 <@krzee> !speed
16:56 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help., or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded), or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu), or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links, or (#5) less likely are issues with bad
16:56 <@vpnHelper> TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs), or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp), or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better., or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no), or
16:56 <@vpnHelper> (#9) a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
19:25 < h22turbo> htop shows 0% CPU usage... and uptime shows load average: 0.00, 0.00, 0.00
19:25 < h22turbo> so it isn't CPU
19:25 < h22turbo> !mtu
19:25 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting, or (#3) useful info here: https://forum.pfsense.org/index.php?topic=67080.0
19:28 < mete> you're using tcp or udp h22turbo?
19:28 < h22turbo> udp
19:28 < mete> how are you measuring the speed?
19:28 < mete> what mtu size are you using for the tunnel?
19:29 < h22turbo> trying to find that out now...
19:30 < mete> syslog should have an entry ;)(
19:30 < h22turbo> ive tried speedtest, downloading stuff (like debian and ubuntu iso and torrents)
19:30 < mete> so no real speedtest
19:30 < mete> try to test with iperf
19:31 < mete> !speedtest
19:31 < mete> !iperf
19:33 < h22turbo> sbin/ifconfig tun0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
19:33 < h22turbo> 1500 MTU
19:39 < mete> ok, I wouls first check if you can use 1500 MTU
19:40 < mete> are you on win or nix at home?
19:42 < h22turbo> actually i have openvpn on my dd-wrt router (netgear r8000)
19:42 < h22turbo> but, ive tried it on my windows 10 box too
19:42 < h22turbo> and my debian box
19:43 < mete> so we go with your windows pc
19:43 < mete> ping -l 1472 your-server-ip
19:43 < mete> as your-server-ip you use the external ip of yor ovh server, so that no vpn is involved
19:44 < h22turbo> just ran iperf
19:44 < mete> of course - ping can't be blocked on the ovh server for this test
19:44 < h22turbo> my debian box to my server....
19:44 < h22turbo> [ ID] Interval        Transfer    Bandwidth       Write/Err  Rtry    Cwnd/RTT
19:44 < h22turbo> [  4] 0.00-113.23 sec   109 MBytes  8.09 Mbits/sec  1/0         85      238K/235991 us
19:44 < h22turbo> [  4] MSS size 1448 bytes (MTU 1500 bytes, ethernet)
19:44 < h22turbo> 8 mbit/s
19:45 < h22turbo> thats what i usually get! server is 100 mbit and my home cable is 100 mbit
19:46 < mete> I'm waiting for the ping test :p
19:47 -!- mode/#openvpn [+v mete] by krzee
19:47 <+mete> oh thanks krzee
19:48 <@krzee> o/
19:48 < h22turbo> umm, since everything goes through my dd-wrt router, should i ping test from the router?
19:49 <+mete> from your windows box is fine h22turbo
19:49 < h22turbo> ugh, i'll have to restart
19:49 <+mete> as LAN is normally ehternet, there is an MTU of 1500, so this is no problem
19:49 < h22turbo> im dual booting lol
19:49 <+mete> you can also do from your debian
19:49 < h22turbo> yea, ill do from deb
19:49 <+mete> doesn't matter, but command will be slightli different
19:50 <+mete> ping -s 1472
19:50 < h22turbo> yea, ive done this before long time ago... and my max was 1500 before it fragmented. actually 14xx something, then you added the additional stuff
19:50 < h22turbo> and it equaled 1500
19:50 < h22turbo> but, let me try again
19:56 <+mete> now his router died :o
19:57 <@krzee> those bastards!
19:57 <@krzee> :D
19:58 < h22turbo> oops
19:58 < h22turbo> iptables -F with INPUT policy to DROP is not cool....
19:58 < h22turbo> :)
19:58 < h22turbo> ok, back to ping test with no iptables
19:59 <+mete> xD
20:01 < h22turbo> 10 packets transmitted, 10 received, 0% packet loss, time 9012ms
20:01 < h22turbo> rtt min/avg/max/mdev = 48.654/49.613/51.008/0.704 ms
20:06 <+mete> hm, should then be OK in my eyes
20:07 <@krzee> your openwrt router is the vpn endpoint or not?
20:08 <@krzee> like, is openvpn running on the router?
20:11 <+mete> so guys, I wish you a great evening, I'm going to bed, it's 3 AM here
20:11 <@krzee> gnite
20:14 < h22turbo> my dd-wrt router is the client
20:14 < h22turbo> my OVH dedicated server is the OpenVPN server
20:16 <@krzee> ok so run iperf to the VPN ip and watch the cpu on the client
20:16 <@krzee> on dd-wrt
20:16 <@krzee> you said 0%, but i doubt the router is at 0% when maxing your vpn connection
20:17 < h22turbo> ok. and i cant figure out how i did the MTU fragment test a long time ago. I've tried 1482 1492 1500 1520 and they all say 10 transmitted, 10 received, 0% packet loss etc
20:18 <@krzee> it'll also tell us the difference, as we know you get 8MB/s without the vpn
20:18 < h22turbo> i cant get it to say it fragmented like i did last time
20:18 <@krzee> i dunno, maybe try direct from the router
20:18 < h22turbo> i did...
20:18 < h22turbo> same thing...
20:18 <@krzee> he was right it should be fine from either, but i usually test from the endpoints
20:18 <@krzee> weird
20:19 < h22turbo> ok... iperf on dd-wrt router to my dedi (no iptables)
20:20 <@krzee> to vpn ip, while watching cpu on dd-wrt
20:24 < h22turbo> CPU went to 4%
20:24 <@krzee> heh so thats not it
20:24 <@krzee> what did iperf report?
20:25 < h22turbo> [ ID] Interval       Transfer     Bandwidth
20:25 < h22turbo> [  4]  0.0-10.3 sec  9.13 MBytes  7.44 Mbits/sec
20:25 < h22turbo> 10 sec....
20:25 <@krzee> umm
20:25 < h22turbo> [  5]  0.0-30.6 sec  28.6 MBytes  7.86 Mbits/sec
20:25 < h22turbo> 30 sec... and CPU went to 3-4% on dd-wrt
20:26 <@krzee> thats quite close to what you said you got for iperf without the vpn
20:26 <@krzee> 8.09 v 7.86
20:26 <@krzee> !whatis speed 7
20:26 <@vpnHelper> if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better.
20:32 <@krzee>  h22turbo, you saw my reply?
20:33 < h22turbo> yea...
20:33 < h22turbo> dont know why im only getting 7-8 mbit/s to my server
20:33 <@krzee> so you seem to have a very similar connection to the server with and without the vpn
20:33 < h22turbo> no iptables on either end.... no VPN connection....
20:34 <@krzee> could it be the direction of the test? you have 10mbit upload...
20:34 < h22turbo> im trying it the other way now...
20:35 < h22turbo> from dedi to me....
20:35 < h22turbo> [  3]  0.0-30.0 sec   192 MBytes  53.7 Mbits/sec
20:35 < h22turbo> CPU on dd-wrt was 15-18%
20:36 <@krzee> with or without vpn?
20:38 < h22turbo> without VPN
20:38 < h22turbo> and CPU on dedi is 1% during iperf test
20:38 < h22turbo> [  3]  0.0-60.1 sec   396 MBytes  55.2 Mbits/sec
20:41 <@krzee> sure, id expect your router to be the weakpoint if it were cpu
20:41 <@krzee> now try on vpn that direction while watching iperf
20:42 <@krzee> btw thank you for following directions, makes it much easier trying to help =]
20:42 <@krzee> youd be surprised how many people seem to have issues with that :-p
20:58 <@krzee> so hows the results with vpn?
21:11 < h22turbo> sry... got testing some stuff myself haha
21:12 < h22turbo> back to 7-8 mbit/s on VPN
21:19 <@krzee> but what were you testing on your own...? you changed things?
21:19 <@krzee> tests are only very valid when nothing changes between them
21:20 <@krzee> if you do 3 of 4 tests and then change things, and complete test 4, pretty invalid
21:20 <@krzee> please test iperf with and without vpn again\\\\\\\\\\\\\\\\
21:21 < h22turbo> i was just doing traceroutes and pings
21:22 < h22turbo> and tried iperf with UDP instead of TCP proto
21:22 <@krzee> oh i see
21:22 <@krzee> anything to report?
21:23 <@krzee> (with iperf)
21:24 < h22turbo> VPN is on now...
21:25 < h22turbo> Dedi (VPN Server) to me (dd-wrt router):
21:25 < h22turbo> [  3]  0.0-30.0 sec   185 MBytes  51.7 Mbits/sec
21:25 < h22turbo> so, im confused? lol
21:25 <@krzee> using vpn IPs?
21:25 < h22turbo> i've been getting 7-8 mbit/s for 3-4 days now
21:25 < h22turbo> yep
21:26 <@krzee> but are you sure you werent getting 7-8 mbit upload, or possibly to internet IPs?
21:27 <@krzee> like, i bet the comparison is apples to oranges
21:28 < h22turbo> i was getting 7-8 mbit/s both ways...
21:28 < h22turbo> from server to me, or me to server
21:28 < h22turbo> and my dedi (vpn server) only has 1 IP
21:29 < h22turbo> from me to dedi i get 7-8 mbit/s but that is expected since i only have 10 mbit/s up cable connection
21:29 <@krzee> ya thats pretty good speed vs what you pay
21:29 <@krzee> like you got what you were promised
21:29 <@krzee> and it was the same with and without vpn
21:30 < h22turbo> but, if i tried to download a torrent or anything while connected to my VPN, i was only downloading at 7-8 mbit/s too
21:30 <@krzee> dude a torrent doesnt come from your vpn server
21:30 < h22turbo> and it should be waaaay faster than that
21:30 <@krzee> you understand thats NOT a valid test, right?
21:30 < h22turbo> anything... just using that as one example
21:30 <@krzee> but it comes from the internet THROUGH the vpn server
21:31 < h22turbo> right
21:46 <@krzee> so to vpn ip and public ip you are getting similar results?
22:16 < MeXIst3nZ> Please, please, please let there be some way to provide a list of which applications should NOT get routed through the VPN...
22:16 < MeXIst3nZ> Having major issues as a result of everything going through the VPN.
22:17 < MeXIst3nZ> For example, Thunderbird fetches through the VPN (no settings in Thunderbird to turn it off) and causes security notifications.
22:17 < MeXIst3nZ> "Somebody got your password" nonsense.
22:17 < MeXIst3nZ> And I don't want PuTTY to connect via SSH through the VPN either.
22:18 < MeXIst3nZ> And specific sites in Firefox also shouldn't use the VPN, but that seems impossible...
22:18 < rob0> no, there's no easy way to route by app
22:18 < rob0> !routebyapp
22:18 < MeXIst3nZ> rob0: You're kidding, I take it? :/
22:18 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination., or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
22:18 <@vpnHelper> policies you set. For Linux, read about !lartc
22:18 < MeXIst3nZ> Okay, so that's not gonna happen...
22:18 < MeXIst3nZ> (Windows)
22:19 < rob0> kidding?
22:19 < MeXIst3nZ> rob0: Well, one would assume that this would be a basic feature, thought of in the v1.0 or earlier?
22:20 < rob0> it's really not even possible without kernel extensions, and then the configuration would be in the kernel, not openvpn
22:20 < MeXIst3nZ> Doesn't it seem like a very reasonable requirement to be able to exclude certain applications and domains from going through the VPN?
22:21 < MeXIst3nZ> Not sure why it would have to go through the kernel, but I'm definitely no expert on this.
22:21 < MeXIst3nZ> I mean, maybe I'm missing something here. Maybe it "doesn't really matter" if something goes over the VPN if it's encrypted anyway, but it certainly has a psychological feeling to it...
22:21 < MeXIst3nZ> Especially if some things *aren't* encrypted.
22:22 < MeXIst3nZ> Or if you, for example, need to "auth by location/ISP" for some things.
22:22 < MeXIst3nZ> Or if you need to play some real-time game where it's too slow to go over the VPN.
22:23 < MeXIst3nZ> Few applications seem to have the concept of being able to "connect directly" without using the system proxy.
22:25 < MeXIst3nZ> I wonder why the first issue I run into when doing anything is always unheard of...
22:29 < MeXIst3nZ> Or, for example, if I need to download a torrent. It says "P2P allowed? No." on most of my VPN's servers. Not sure if that means it would be blocked entirely, or I'd be sent angry letters or something. No way in my BitTorrent client to "bypass VPN".
22:29 < MeXIst3nZ> rob0: Still around?
22:30 < rob0> not really, going afk in a few
22:31 < MeXIst3nZ> Sigh. :/
22:31 < rob0> well, I can't help with Windows anyway
22:31 < MeXIst3nZ> Seems to me it would be something entirely within OpenVPN...
22:32 < rob0> policy routing is probably doable in Windows also, but I don't know if anyone outside of Redmond knows how
22:33 < MeXIst3nZ> This has got to be a joke.
22:34 < MeXIst3nZ> If you are really serious about this, any VPN is basically worthless?
22:36 < rob0> openvpn has use for me, but perhaps my use case is not the same as yours?
22:36 < MeXIst3nZ> rob0: How do you deal with what I explained above?
22:36 < MeXIst3nZ> rob0: Why is it "all or nothing" with OpenVPN
22:36 < MeXIst3nZ> *?
22:38 < rob0> I use the vpn for secured connections to remote sites.  I don't redirect all traffic through the vpn.  Routing is done by IP address, and VPN addresses go through openvpn.
22:38 < MeXIst3nZ> ?
22:38 < rob0> Again,  perhaps my use case is not the same as yours?
22:38 < MeXIst3nZ> "I don't redirect all traffic through the vpn."
22:38 < MeXIst3nZ> How?
22:39 < rob0> how?
22:39 < MeXIst3nZ> Where is the option in OpenVPN to do that?
22:39 < rob0> the default is NOT to do that
22:39 < rob0> !redirect-gateway
22:39 < rob0> !redirect
22:39 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
22:39 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
22:40 < MeXIst3nZ> How can the default not be to send it all through the VPN? That makes no sense.
22:40 < rob0> okay
22:40 < MeXIst3nZ> Then what does it send by default?
22:40 < rob0> !route
22:40 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
22:41 < rob0> at minimum, it's point-to-point
22:41 < MeXIst3nZ> All I want is a little config file with a list of .exes to exclude.
22:41 < MeXIst3nZ> And another config (or the same) for domains.
22:41 < rob0> we don't have that here
22:41 < MeXIst3nZ> Okay, so then OpenVPN is actually a security risk?
22:42 < rob0> have you looked at other vpn software?
22:42 < rob0> don't troll
22:42 < Eugene> What do you think openvpn is?
22:51 < fnljk> depends who could be a risk to you.. sure it may be an extra security risk, by itself for appearing as what it is possibly attracting attention or attackers,for example.
22:52 < fnljk> ..as such,best only use tactically, with care..  besides the normal casual stuff ofc..assuming u'd be k exposing yaself as familiar with such n all then =]
22:52 < MeXIst3nZ> ?!
22:53 < fnljk> sorry, i's be an outlander..poor english, not native tonguee
22:53 < MeXIst3nZ> This feels unreal.
22:54 < MeXIst3nZ> You cannot possibly be understanding what I'm asking.
22:54 < fnljk> sry, I proly didn't. barely read some lines up tbh.
22:54 < MeXIst3nZ> All I want is a little config file with a list of .exes to exclude.
22:54 < MeXIst3nZ> Why is this not a 5-second problem?
22:56 < fnljk> exes to exclude.. sry if still far off.. you have openvpn srv on ..win/nix/unknown,  but a openvpn client on a windows box where you run it as administrator and force all connections thru the vpn .. but want to exclude a few specific .exe files traffic from being included by it..?
22:57 < MeXIst3nZ> I have a Windows PC. I run OpenVPN and am connected to a VPN. I want to EXCLUDE (not use the VPN) for specific programs, such as Deluge, Thunderbird, PuTTY.
22:57 < MeXIst3nZ> fnljk: Clear?
22:57 < MeXIst3nZ> (None of those provide their own way to bypass the VPN.)
22:58 < fnljk> i think u may simplt be able to use the standard windows tool  route.exe.. have u tried playing with that, or similar (?) .. ?
22:59 < MeXIst3nZ> Never used. No idea how to use.
22:59 < fnljk> some combination perhaps even if need be..  not sure how openvpn enforces itself to encapsulate all traffic before encrypting and shipping it off and away, but would have to get out of that somehow..either avoid, or send traffic out elsewhere to be processed into plaintext again and then wherever
22:59 < fnljk> oh, yeah cool, so good thats possibly one opportunity the
22:59 < fnljk> then'.
23:00 < fnljk> ..be goodif you did succeed, if you'd say here, possibly also even what command(s) you used.
23:00 < fnljk> Id presume Openvpn doing little if any more than playing with Windows' routing table as such anyway.. hmh
23:01 < fnljk> i mean for forcing .. whatever wherever.. hm. if not, that it may be overriden or avoided somehow with that at least
23:01 < fnljk> or... did you try firewall too maybe... or some kinda traffic shaper of sorts..
23:02 <@krzee> MeXIst3nZ: if you run the server you can run a socks server on the vpn ip
23:02 <@krzee> then use an app such as proxifier (not free, does work for windows)
23:02 < MeXIst3nZ> I don't run the server... What? It's a VPN company's server.
23:02 < fnljk> how about using things like pluggable transports by default anyway,...shadowsocks, stunnel or such too mayb, for additional possibilities ..potentially?
23:02 <@krzee> it will give you the option to use specific apps with the socks server
23:03 <@krzee> and if the socks server runs on the vpn ip, then it means you're choosing what to route over the vpn
23:03 <@krzee> MeXIst3nZ: if you dont run the server then there is nothing you can do for your goal in windows that i know of
23:03 < MeXIst3nZ> Am I dreaming? Is this reality? It seems impossible for me to make myself understood.
23:03 < MeXIst3nZ> Why would the server have anything whatsoever to do with this?
23:04 < MeXIst3nZ> This is all about my local PC and whether or not it should be using the VPN for specific applications.
23:04 < fnljk> except maybe create a virtual interface to tunnel other specific traffic thru rather, somehow not have it include what openvpn does..somehow, maybe?
23:05 < fnljk> i still think u should try check out "route.exe" more too.. believe its quite powerful,more than initial looks may indicate
23:06 < fnljk> dno what kinda traffic, protocol ,ports etc. the otehr stuff would be running on, how often/much etc. either but ..
23:07 < fnljk> ..also , which widows verison.. and eventually opportunities to install/run other things to accomplish this too.
23:07 <@krzee> MeXIst3nZ: because windows doesnt give you the ability to change routing based on app, but if you controlled the server you could setup a socks server on it and then install and pay for an app like proxifier to selectively route over it
23:07 <@krzee> since you dont control the server, and you run windows, you can not do what you asked about
23:08 <@krzee> if you ran linux or freebsd you could setup a second routing table and setup specific apps to go over whichever routing table you want
23:08 < MeXIst3nZ> So then OpenVPN is broken by design.
23:08 < fnljk> how about you Before telling Openvpn to force all traffic thru it, already occupy some as being busy,preventing openvpn from tampering further with it (despite then running as admin)..?
23:08 < MeXIst3nZ> That's the only conclusion I can come to.
23:09 < MeXIst3nZ> Or "VPNs" in general.
23:09 < fnljk> i mean, kinda like runnign chained openvpn clients, with a plain-text/non-ecnrypted in the middle /first of it all
23:10 < fnljk> well, lol, you cant even have checked out route.exe much at all..
23:10 <@krzee> whatever MeXIst3nZ, you can believe its broken if you want, or maybe you can learn about networking... either way you wont achieve your goal
23:10 < fnljk> it has alotof  functionality, for alot of things...
23:10 <@krzee> !vpn
23:10 <@vpnHelper> "vpn" is http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is
23:11 < MeXIst3nZ> If the only option is to route ALL traffic across the world, or none at all, without doing bizarre low-level networking hacking, then yes, I consider it broken by design.
23:11 < MeXIst3nZ> And not user-friendly in the least bit.
23:11 < MeXIst3nZ> And a straight-up danger to novice computer users.
23:11 <@krzee> you can also route based on subnet, but if you understood how your routing table works youd know that
23:12 -!- MeXIst3nZ was kicked from #openvpn by krzee [doesnt sound like this is going anywhere]
23:12 < MeXIst3nZ> Fuck off.
23:12 <@krzee> funny he says it and then does it
23:13 < fnljk> bizarre low level network hacking.. i think its kindof a pretty basic tool actually.. best check it out (google).. i dont really know it either, besides rememebring having used it for many things thru the years, and also used by other programs often aswell
23:13 < fnljk> ...the route.exe thing in windows i meant ^ :d
23:13 <@krzee> route command is bizzare and low level?
23:14 < fnljk> owell, having a bad day i guess..   wanted just ppl to give him the recipe in 1-2-3 ..cant always have that, heh.. may be better for some to learn more on themselves anyway on the way to succeeding with such complicated/unusual things:o)
23:14 <@krzee> id say it should be fully understood before you even try running openvpn :D
23:14 <@krzee> but his solution didnt exist in windows
23:14 <@krzee> he just didnt understand networking is all
23:15 < fnljk> hmh. owell.  aggression never helps much anyway:|
23:15 <@krzee> ;]
23:15 < fnljk> ...im sure he'll learn , that too.. eventually=]
23:15 <@krzee> if he tries he will
23:15 <@krzee> complainers usually dont get too far tho
23:15 < fnljk> mm
--- Day changed Sun Jun 04 2017
00:13 < pagz> hi reading the wiki on ipv6 connectivity, i want to provide ipv6 inside the tunnel, my isp provides me a static ipv4 address and a dynamic ::/64 block anyone able to point me in the right direction
00:30 < rob0> krzee, I have absolutely no idea about networking basics, but I have some advanced networking wants that openvpn should have provided me by means of a few simple commands.  Since you say it can't do that I'm going to throw a fit, and you'd better fix your broken software!
00:31 < rob0> (I will say, I saw it coming.)
00:56 -!- MuffinMedic is now known as Evan
00:58 -!- Evan is now known as StudMuffin
00:59 -!- StudMuffin is now known as MuffinMedic
04:17 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 255 seconds]
04:19 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
04:19 -!- mode/#openvpn [+o dazo] by ChanServ
08:58 <+mete> h22turbo: have you got the tunnel working with good speeds?
09:31 < h22turbo> last night i tested it and it would go up to 50-55 mbit/s
09:32 < h22turbo> from dedi to me, which should be a little faster since we are both 100 mbit
09:32 <+mete> 50-55 with iperf?
09:32 < h22turbo> yea
09:32 <+mete> 1 thread?
09:33 < h22turbo> yea? i guess... isn't openvpn single thread anyways?
09:33 <+mete> what speeds are you getting when using iperf "directly", without vpn?
09:33 <+mete>        -P, --parallel n
09:33 <+mete>               number of parallel client threads to run
09:34 < h22turbo> without VPN, i was 60-65 mbit/s last night
09:34 <+mete> so you can't get over these 60-65mbit anyway with vpn, so this is a good result I think
09:34 <+mete> try it with multiple threads
09:34 <+mete> 3 or 4 I would suggest in this scenario
09:34 < h22turbo> ok. i was wanting to test it this morning a little anyways
09:35 <+mete> what have you changed to get these better speeds?
09:35 < h22turbo> nothing... other than disable iptables on both ends and turned of the lzo whatever it is compression
09:36 < h22turbo> i read somewhere to turn that off while troubleshooting
09:39 < h22turbo> VPN ON, Me to VPN = 30.5 sec  28.6 MBytes  7.86 Mbits/sec
11:41 < Expression93> !welcome
11:41 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
11:41 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
11:41 <@vpnHelper> you
11:42 < Expression93> !goal
11:42 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:42 < Expression93> I would like to access the internet over my vpn
11:43 < Expression93> Well I don't get specifically how I should use that bot... anyway I've been following guides from DigitalOcean on how to configure an OpenVPN server on Debian. I think I got the server part working okay, but I am having trouble connecting with the OpenVPN Client on my Windows PC.
11:44 < Expression93> !paste
11:44 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2)
11:44 <@vpnHelper> paste.ee is also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
11:46 < Expression93> Here's the output of client.log from my PC: https://gist.github.com/Express93/570d2e80e73f20474d4e2eb2c1f320f8
11:46 <@vpnHelper> Title: client.log · GitHub (at gist.github.com)
12:25 <@ordex> Expression93: I think the error is clear, no ? Sun Jun 04 17:32:45 2017 RESOLVE: Cannot resolve host address: my-server-1:MYSERVERIP (The specified class was not found.
12:27 < Expression93> Well what does "The specified class was not found." mean? I don't get that part. To my knowledge, it should be working. @ordex
12:30 <@ordex> !configs
12:30 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
12:30 <@ordex> Expression93: ^^ just the one from the client should be enough at the moment
12:38 < Expression93> ordex: Sorry had to step away from my computer for a few minutes, will paste it now.
12:41 < Expression93> ordex: https://gist.github.com/Express93/1c7361e584539bddd30ee52c2e4cdabc
12:41 <@vpnHelper> Title: client.ovpn · GitHub (at gist.github.com)
12:43 <@ordex> Expression93: I guess you did not read the entire message pasted by the bot ..
12:44 < Expression93> Uhmm?
12:44 <@ordex> Expression93: btw, let's assume you did read it :) now the log points you to what seems wrong in the config
12:44 <@ordex> remote my-server-1 MYSERVERIP
12:44 <@ordex> what is my-server-1 ? is it a hostname you have in your hosts ?
12:47 < Expression93> Oh... yeah I dun fucked up didn't I... hahaha learn to read guide properly in future... but I'm not sure what I missed with the output of !configs? Anyway I now get this error:
12:47 < Expression93> Sun Jun 04 18:39:17 2017 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
12:48 < Expression93> Except for doing that grep thing... which I can't do as I am on Windows.
12:48 <@ordex> actually that is what I was referring to :P, because reading through the comments is quite difficult
12:48 <@ordex> anyway
12:49 <@ordex> I haven't understood if you ficed it or not
12:49 <@ordex> *fixed
12:50 < Expression93> Yeah sorry... I'm doing all this on my desktop pc now which is windows... so I couldn't grep the comments out... anyway... I fixed the remote line... to the following: remote MYSERVERIP 1194
12:50 < Expression93> But when trying to connect I now get the error that I pasted above (connection reset by peer).
12:54 < Expression93> ordex ^
12:55 <@ordex> sorry I got disconnected what did you write?
12:56 < Expression93> <Expression93> Yeah sorry... I'm doing all this on my desktop pc now which is windows... so I couldn't grep the comments out... anyway... I fixed the remote line... to the following: remote MYSERVERIP 1194
12:56 < Expression93> <Expression93> But when trying to connect I now get the error that I pasted above (connection reset by peer).
12:58 <@ordex> that sounds like a firewall issue
13:00 < Expression93> Well... last I checked I had no firewall running on my server, other than IPTables, which I'm pretty sure I've configured to accept anything and everything.
15:22 < Expression93> Still unable to resolve my issue with connecting. Getting Connection reset by peer (WSAECONNRESET) (code=10054)
15:22 < Expression93>  - No firewall on server, iptables allows everything, my pc has a firewall but it's configured to allow openvpn to connect.
15:39 < fa0> A server I connect to I found out added in an option for Windows users, 'block-outside-dns', but I run Linux so at the command line I get this message;
15:39 < fa0> Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.3.14)
15:39 < fa0> Is there anyway I can silence this?
15:54 -!- n-st- is now known as n-st
16:31 < BrainError404> Someone knows good free openvpn server who give a stable connection?
16:31 < BrainError404> *servers
17:52 < AIRG-> !welcome
17:52 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
17:52 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
--- Day changed Mon Jun 05 2017
04:50 < CodingFree> hi, may I ask technical questiosn here or is there a channel for that?
04:55 < CodingFree> Well, I'll ask this there, I am using Windows and openvpn.exe file.config works fine, however the client doesn't seem to be able to be able to open a connection, It has some problems with the interfaces
04:56 < CodingFree> I don't know how to debug it beyong the log files
04:56 < CodingFree> beyond*
04:56 < CodingFree> I am not looking for a magical solution, I am looking for any clue about any additional way to debug it
05:05 < WhizzWr> CodingFree: increase the debug verbose level, and put it in pastebin maybe
06:46 -!- |Mike| [mike@2001:19f0:5001:21c::3] has joined #openvpn
06:46 < |Mike|> re!
11:40 < physkets> Hello! I was wondering if someone could help me fiqure out what benefits there ae to compiling with '--enable-systemd'
11:40 < physkets> From looking into things I see tha tit means that query_user_exec() is used instead of query_user_exec_builtin()
11:40 < physkets> But could someone tell me what that actually means?
11:43 < rob0> There is a developer channel which might be better for that question.  As an enduser myself, I don't know.  But I'd suggest that if your distro uses systemd AND if you plan to run openvpn from the system startup scripts, you probably need that enabled.
11:55 < physkets> rob0: Oh, okay, I'll ask there; And my distro (Manjaro) offers both systemd as well as openrc, but the openrc version has lots of systemd deps because its parent distro (Arch) only packages for systemd
11:55 < physkets> An no, I don't plan on starting it using startup scripts; I always start manually
12:13 < rob0> I suspect you could get by without it, then.  Easy enough to test.
12:14 < physkets> rob0: Yep, I hope so... will try to test soon...
12:15 < physkets> I'm in the process of calculating possible changes necessary to remove all systemd dependencies
16:45 < r3muxd> Hello! After upgrading to Windows 10, I can no longer connect through OpenVPN. I have tried reinstalling OpenVPN and turning off firewall. Logs: https://pastebin.com/viUAHy0N
16:45 < r3muxd> !welcome
16:45 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
16:45 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
16:45 < r3muxd> !goal 'After upgrading to Windows 10, I can no longer connect through OpenVPN. I have tried reinstalling OpenVPN and turning off firewall. Logs: https://pastebin.com/viUAHy0N'
16:48 < DArqueBishop> r3muxd: two questions. 1) Are you running OpenVPN with admin privileges? 2) Have you tried reinstalling OpenVPN?
16:48 < DArqueBishop> Wait.
16:48 < DArqueBishop> You answered #2.
16:48 < DArqueBishop> Sorry.
16:48 < Eugene> You need to "Delete all TAP virtual adapters" and then "Add new"
16:48 < Eugene> There should be two shortcuts in the Start Menu folder for openvpn to do this
16:49 < r3muxd> I am running it with admin.
16:49 < Eugene> Updating to windows 10 broke something with the network stack; you need to completely nuke it. Uninstalling isn't enough ;-)
16:49 < r3muxd> ROOT\NET\0001                                               : Remove failed
16:49 < Eugene> Cool, I have absolutely no idea.
16:50 < r3muxd> Also, by uninstalled I mean "uninstalled, ran "dir /a /s /b *openvpn*" and then deleted everything in the results, and then searched in the registry for 30 minutes to find something openvpn related."
16:50 < Eugene>  That's..... not an uninstall
16:50 < Eugene> And you wonder why the system is broken?
16:55 < temuccio> !welcome
16:55 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
16:55 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
16:56 < temuccio> Hello all. I have one router fritz.box with vpn server enable....I can connect at it with openvpn? Now I use vpnc and works fine, but doesn't have a script to recovery automatically the connection
17:00 < r3muxd> oh, i mean after uninstalling.
17:01 < r3muxd> also, all I really found was the uninstall entry and a few tools leftover in program files\openvpn.
17:02 < r3muxd> and also, i have vbox installed, in ndis5 mode.
17:08 < r3muxd> So I removed and added a(ll) TAP adapters, but it still doesn't work.
17:09 < r3muxd> rebooting now..
17:09 < Eugene> wtf is a fritz box
17:10 < Eugene> Oh they're cute https://en.avm.de/products/fritzbox/
17:10 <@vpnHelper> Title: FRITZ!Box | AVM International (at en.avm.de)
17:15 < r3muxd> OK, so I made OVPN run as admin. Now it fails as follows:
17:15 < r3muxd> NETSH: C:\Windows\system32\netsh.exe interface ipv6 set address interface=2 fdda:d0d0:cafe:1197::100c store=active
17:15 < r3muxd> ERROR: netsh command failed: returned error code 1
17:15 < r3muxd> What should I do?
17:20 < Eugene> I would take the Windows installation out back and format it. I've never had an upgrade to 10 work right with anything "funky" like openvpn being installed
17:20 < Eugene> Dealing with upgrade woes are beyond the scope of this channel
17:20 < RedMercury> I have openvpn setup between two hosts (lan to lan), with appropriate routing.  The first machine (lan.static-cast.net) has the subnet 10.0.1.0/24, the second machine (linode.static-cast.net) I've assigned 10.9.0.1 in the openvpn client config dir
17:21 < r3muxd> Should I go to #openvpn-windows?
17:21 < Eugene> Sure
17:21 < RedMercury> Everything connects, and I can ssh from the first network into 10.9.0.1, however any traffic back complains in no route to host
17:21 < RedMercury> my routing table is here:https://pastebin.com/6h9aBbEV
17:21 < Eugene> You're trying to route the Linode 192.168.128.0/17 network over openvpn? Won't work
17:21 < RedMercury> linoe.static-cast.net has a route that covers 10.0.1.0/255.255.255.0
17:22 < RedMercury> *linode
17:22 < Eugene> Or are you trying to set up an overlay network?
17:22 < RedMercury> no Eugene, I've removed that
17:22 < RedMercury> this is an overlay
17:22 < Eugene> Overlay networks are a pain in the ass; openvpn is not a good choice for one
17:23 < RedMercury> I just want to route between two private subnets using openvpn
17:23 < Eugene> I recommend spending your time making your application(s) work over IPv6, and with security on-the-wire. SSH and TLS are usually involved.
17:23 < RedMercury> between the gateways
17:23 < RedMercury> I want to host my freeipa replicate in linode, but away from the internet..
17:23 < RedMercury> *replica
17:23 < Eugene> So set up TLS ;-)
17:24 < RedMercury> thats a lot of effort to go through when I've essentially done most of the work
17:24 < RedMercury> all I'm missing is a route
17:25 < Eugene> I'll put this another way: Linodes are not networks that you control. They have restrictions that make routing things difficult, and, as somebody who does exactly what you are trying to do, I'm telling you that it doesn't work
17:25 < RedMercury> its a vps hosting provider with a static ip, not sure what's so hard
17:26 < RedMercury> it seems to have a pretty simple set of routes
17:26 < Eugene> They have hypervsiro-level restrictions
17:26 < RedMercury> and the routes on the instance itself are simple
17:26 < Eugene> That's why it doesn't work right
17:26 < Eugene> If you want it to work you need to have all your traffic cross the VPN, and deal entirely with internal IP addresses
17:27 < RedMercury> that's what I'm doing
17:27 < RedMercury> 10.*
17:27 < Eugene> !configs
17:27 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
17:28 < Eugene> That routing table doesn't look like what you're describing, but that's probably what the problem is, heh
17:29 < RedMercury> https://pastebin.com/WwaJnFHV
17:30 < Eugene> Why are you pushing an ifconfig from the wrong subnet
17:30 < Eugene> Why is 10.9 involved at all
17:30 < RedMercury> I want to push a new ip to the client
17:30 < RedMercury> From the sample config: # Then add this line to ccd/Thelonious:
17:30 < RedMercury> #   ifconfig-push 10.9.0.1 10.9.0.2
17:31 < Eugene> You generally use an IP that matches the --server block ;-)
17:31 < RedMercury> it's literally in the sample.
17:31 < RedMercury> "
17:31 < RedMercury> # EXAMPLE: Suppose you want to give
17:31 < RedMercury> # Thelonious a fixed VPN IP address of 10.9.0.1."
17:31 < Eugene> Quoting man pages ain't gonna work - I dont actually care about your problem, buddy
17:32 < Eugene> I'm telling you the issue I see, go try and fix it
17:32 < RedMercury> I want to give the client the ip 10.9.0.1, like in the instructions
17:33 < Eugene> Well, you can't
17:33 < RedMercury> my reference to the man page was more of a question along the lines of "well, whats the delta here":
17:33 < Eugene> Your server block says 10.8.0.0/24
17:33 < Eugene> If you read the man page entry for --server, you would know that the server thus gets 10.8.0.1 for itself
17:33 < Eugene> Since you're not using --topology, it will default to net30, and the first address available to hand to a client would be 10.8.0.5
17:33 < RedMercury> I can see that, and it seems you can give other subnets out as well
17:34 < Eugene> You can give any subnet you like, but if the server ain't using that subnet it doesn't matter a diddly
17:34 < RedMercury> ok, let me read on topology
17:34 < RedMercury> fyi my server can easily ping 10.9.0.1, even ssh to the client on it
17:35 < Eugene> Yes, but there's no way for 10.9.0.1 to reach the server on 10.8.0.1
17:35 < Eugene> Because the client hasn't been told about 10.8.0.0/24 ;-)
17:35 < RedMercury> https://pastebin.com/6h9aBbEV isn't that on line 6?
17:36 < Eugene> Actually, that route is in the table.... which must mean that its just the tun device being wacky
17:36 < Eugene> In any case: don't do it that way. Give the client a proper IP, in the 10.8.0 block
17:36 < Eugene> !topology
17:36 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
17:37 < Eugene> And use subnet - its way saner. You get 10.8.0.1, .2, .3, .4, etc
17:37 < Eugene> Instead of weird /30 P2p tunnels that give those confusing routes
17:37 < RedMercury> ok, sounds like subnet is the way to go anyway
17:37 < RedMercury> thanks!
17:37 < RedMercury> so you can still push an ip into a client with ccd?
17:38 < Eugene> Sure, just has to be a valid IP
17:46 < RedMercury> so the server in my client has an ip of 10.8.0.1, that's great and all
17:46 < RedMercury> but I also want to be able to access it from 10.0.1.1 from my client too
17:47 < RedMercury> I can actually ping 10.0.1.1 and it goes over the vpn
17:47 < RedMercury> and returns, yet ssh'ing has no route to host (?)
17:53 < RedMercury> hmm
17:53 < RedMercury> actually its working
17:53 < RedMercury> interestingly I can't ssh to the server machine itself on the private network, but I can ssh to another box on the private network (from the client)
17:53 < r3muxd> So I'm 99% sure I figured this out. It tries to make a route to interface 5. Only that's supposed to be a name like Local Area Network, not 5.
17:54 < r3muxd> Maybe if I edit the config?
17:54 < r3muxd> I seriously cannot figure out how it's getting "5" as an interface.
17:57 < r3muxd> Also, "TAP-Windows Adapter V9" has its cable disconnected, despite being a virtual interface.
17:59 < Eugene> r3muxd - in powershell; `get-netadapter`
17:59 < r3muxd> OK, so I've figured it out (I think?) The 5 is a index number. Running "netsh interface ipv6 show interfaces" shows that there is no 5 in the indexes. What should I do to change that though?
17:59 < Eugene> Ah yup, there it is
18:00 < Eugene> No idea - windows networking is a shitshow.
18:00 < r3muxd> https://pastebin.com/7Qac8y6p
18:00 < r3muxd> that's get-netadapter
18:00 < Eugene> The TAP adapter is "disconnected" because there is not an openvpn.exe process attached to it ;-)
18:00 < Eugene> Aha, there it is
18:00 < Eugene> You have the wrong TAP adapter installed!
18:00 < Eugene> Did you at some point install the commercial Private Tunnel application?
18:01 < r3muxd> No, but I did install the Mullvad client (and then remove it and TAP)
18:01 < Eugene> Never heard of it
18:01 < Eugene> What you need to do is clear ALL of the TAP adapters, and ALL of the drivers that they installed. This is left as an exercise to the viewer.
18:01 < Eugene> Good luck doing that now that you've "cleaned" the registry of the openvpn entries
18:02 < r3muxd> (I was just exaggerating with the registry one, sorry)
18:02 < Eugene> Well that's even more of a disservice - you're giving us bad info
18:02 < r3muxd> So I uninstalled TAP, but there's still "TAP Adapter V9 for Private Tunnel"
18:02 < Eugene> Yup, that's a different thing
18:03 < r3muxd> Remove it through Device Manager, I'm guessing?
18:04 < RedMercury> seems that it is "administratively blocked" Eugene
18:04 < RedMercury> I see this in my linode's dmesg -  CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
18:04 < RedMercury> I bet that's related..
18:05 < Eugene> RedMercury - told you they do weird things ;-)
18:05 < r3muxd> Nope, still stuck on Interface 5.
18:05 < Eugene> Its actually /not/ weird is the funny thing: they compile the kernel with a pretty minimal setup
18:05 < RedMercury> they also disable selinux
18:05 < RedMercury> grr
18:05 < Eugene> But they have ebtables rules going on the host
18:05 < Eugene> Nope; they don't build it WITH selinux
18:05 < Eugene> It is a non-default feature for linux
18:05 < RedMercury> so is userland..
18:06 < RedMercury> linux is just a kernel after all
18:06 < RedMercury> ;)
18:06 < Eugene> It makes sense if you think like a hosting company. Kernel upgrades are hard
18:06 < Eugene> They make it easier to run distro kernels nowadays
18:37 < cnrsygn> Hello
18:38 < cnrsygn> I am a new comer
18:38 < cnrsygn> Have a good day/evening/night
18:39 < cnrsygn> What should i do to ask a question? I need help with OpenVPN
18:40 < cnrsygn> By the way i am from Türkiye
21:45 < r3muxd> OpenVPN is issuing the wrong commands to netsh. It's passing an incorrect interface= parameter, which keeps on being somehow completely wrong each boot.
22:01 < RedMercury> moved the whole thing over to google cloud platform and the routing problems disappeared
--- Day changed Tue Jun 06 2017
02:33 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 255 seconds]
02:35 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
02:35 -!- mode/#openvpn [+o dazo] by ChanServ
05:42 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 258 seconds]
05:44 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
05:44 -!- mode/#openvpn [+o dazo] by ChanServ
07:14 <+hyper_ch> krzee: https://www.schneier.com/blog/archives/2017/06/spear_phishing_.html
07:14 <@vpnHelper> Title: Spear Phishing Attacks - Schneier on Security (at www.schneier.com)
08:43 < r3muxd> OK, so this is going to drive me mad. OpenVPN passes a completely wrong interface parameter to netsh no matter what I do.
08:43 < r3muxd> What I've tried:
08:44 < r3muxd> Uninstalling TAP, any VPN related software, OpenVPN and reinstalling OpenVPN (multiple times)
08:44 < r3muxd> Replacing the config for OpenVPN (once)
08:44 < r3muxd> What I have not tried:
08:44 < r3muxd> Reinstalling Windows
08:44 < r3muxd> Chanting to the tech god Cthulu
08:44 < r3muxd> Setting my PC on fire
09:18 <@krzee> r3muxd: send the config (no comments) and log at verb 4 please
09:19 < r3muxd> here's the .ovpn file: https://pastebin.com/yetBMDRH
09:19 < r3muxd> Here's the logs: https://pastebin.com/T08ULtDM
09:20 <@krzee> full of comments
09:20 < r3muxd> sorry
09:20 <@krzee> i dont want a 75 line file when theres 12 lines of information
09:20 < r3muxd> here's the one without comments:
09:20 < r3muxd> https://pastebin.com/iuGPZ5HE
09:21 <@krzee> with like 30 blank lines
09:21 <@krzee> lol
09:21 < r3muxd> https://pastebin.com/RJfw9J3b
09:21 < r3muxd> sorry
09:21 <@krzee> thank you, so much easier to read
09:22 <@krzee> whyd you add --service ?
09:24 < r3muxd> I don't think I did
09:24 < r3muxd> should I try to fix that?
09:24 < r3muxd> also here's a cmd log:
09:24 < r3muxd> https://pastebin.com/RJfw9J3b
09:24 < r3muxd> oh wait no, i'm incompetent
09:24 < r3muxd> https://pastebin.com/t3uuZanJ
09:24 <@krzee> oh do you not run the server, and were given this config by a provider?
09:24 < r3muxd> yup
09:24 < r3muxd> this issue only appeared recently
09:25 < r3muxd> (i'm not even sure if it's related to the win10 upgrade)
09:25 <@krzee> i see
09:25 < r3muxd> it tries to run netsh with interface=3
09:25 < r3muxd> and if you look at the cmd log there is no interface 3
09:26 <@krzee> usually we send people to their providers tech support, but i dont think your issue is related to the provider so no reason for that now
09:26 < r3muxd> for some reason, that "interface=3" stays even after redownloading the config, removing openvpn and tap and reinstalling them
09:27 <@krzee> this isnt a problem im familiar with, let me look into it
09:27 < r3muxd> sorry for the logs with 30 blank lines
09:27 <@krzee> no problem man
09:28 <@krzee> try openvpn --show-adapters
09:28 <@krzee> then maybe you can select the adapter manually with --dev-node
09:28 <@krzee> !man
09:28 < r3muxd> https://pastebin.com/f0mWUTbQ
09:28 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
09:28 <@krzee> oh umm did you rename your tap device?
09:29 < r3muxd> maybe?
09:29 < r3muxd> oh yeah, i did
09:29 < r3muxd> sorry
09:29 <@krzee> ahh there we goes
09:29 < r3muxd> i renamed it from "Ethernet 2" to "tap0"
09:29 < r3muxd> or not?
09:29 <@krzee> ahh well there we go
09:29 <@krzee> now you need --dev-node
09:30 < r3muxd> it's not appearing as that
09:30 <@krzee> reinstall tap device and dont rename
09:30 <@krzee> see how that goes
09:30 < r3muxd> oh, sorry. i reinstalled tap since renaming it
09:30 < r3muxd> let me try again...
09:31 <@krzee> (im not well versed in windows, but trying for ya ;] )
09:31 < r3muxd> just reinstalled tap again, trying now
09:31 < r3muxd> nope, still trying "interface=3"
09:31 <@krzee> shows up in --show-adapters ?
09:31 < r3muxd> the guid changed when I reinstalled it and ran --show-adapters
09:31 < r3muxd> other than that, nothing
09:32 <@krzee> so its still showing as "ethernet" ?
09:32 < r3muxd> yup
09:32 <@krzee> but a new GUID ?
09:32 < r3muxd> if I run "netsh int ipv6 show interfaces" it shows up as isatap.home
09:32 < r3muxd> yup
09:32 <@krzee> i dunno whats up with windows, but you better try --dev-node
09:32 < r3muxd> can i use command-line arguments from the gui?
09:32 <@krzee> !--
09:32 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
09:33 <@krzee> you can, but you dont need to
09:33 <@krzee> if you wanted to, youd use openvpn --<options> --config config.ovpn
09:34 <@krzee> you will also need --dev-type
09:34 <@krzee> --dev-type tun and --dev-node GUID
09:35 <@krzee> toss them into the config without --
09:35 < r3muxd> ok, trying now
09:35 < r3muxd> at the end?
09:35 <@krzee> sure
09:35 <@krzee> i think you want the GUID in its braces, but if that explodes on you then try without
09:36 < r3muxd> so I put "dev-type tun" and "dev-node {9D4DD336-6554-42AF-949D-A3D464B9C366}" into the config, and still nothing
09:37 < r3muxd> is there a way to make the config not use netsh?
09:37 <@krzee> show me config, log, and new --show-adapters
09:37 <@krzee> (new ones)
09:38 < r3muxd> config: https://pastebin.com/F2GRGFPP
09:39 < r3muxd> log: https://pastebin.com/unadb0Kt
09:39 < r3muxd> openvpn --show-adapters: https://pastebin.com/uMXy0480
09:40 <@krzee> you're using normal unmodified openvpn?
09:40 <@krzee> or something custom from the provider?
09:41 < r3muxd> normal, unmodded ovpn
09:41 < r3muxd> i followed the guide here: https://www.mullvad.net/guides/windows-openvpn-installation/
09:41 <@vpnHelper> Title: Mullvad | Guides (at www.mullvad.net)
09:41 <@krzee> have you disabled ipv6 on your windows?
09:41 < r3muxd> nope
09:41 < r3muxd> should i?
09:41 <@krzee> nah im just stuck
09:41 < r3muxd> what if I tried the offical client?
09:41 <@krzee> grasping ;]
09:41 <@krzee> umm, arent you?
09:42 <@krzee> you said normal unmodified openvpn
09:42 < r3muxd> i mean the client from the vpn company
09:42 <@krzee> im confused
09:42 <@krzee> are you saying that they provide an app but you're using ours instead?
09:42 < r3muxd> yup
09:42 < r3muxd> it says they support it
09:43 <@krzee> i see, i cant see that being the issue
09:43 <@krzee> i just wanted to be sure one of their mods wasnt messing you up
09:43 <@krzee> oh this is verb 3
09:43 <@krzee> lets get me a verb 4 log please
09:44 <@krzee> not sure it'll help, but never debug under verb 4
09:44 <@krzee> !verb
09:44 <@vpnHelper> "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info, or (#2) verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage., or (#3) Anything more than 5 is for developer debugging only (special debug build needed)
09:44 < r3muxd> should i add "verb 4" to the end of the config.ovpn?
09:44 <@krzee> you already have verb 3 in it
09:44 <@krzee> change the 3 to a 4
09:45 < r3muxd> ok
09:45 <@krzee> when everything is happy, feel free to go back to 3
09:45 <@krzee> while you do that, im going to step away and squeeze some rosin
09:45 <@krzee> brb
09:46 < r3muxd> here's the log: g
09:46 < r3muxd> what
09:46 < r3muxd> https://pastebin.com/0hMH4mr7
09:47 < r3muxd> so i searched a line from the log that was giving me trouble before but now works
09:47 < r3muxd> and i found this: http://www.tek-tips.com/viewthread.cfm?qid=1653032
09:47 <@vpnHelper> Title: openVPN client on Win 7 - Virtual Private Networks (VPN) - Tek-Tips (at www.tek-tips.com)
09:55 < r3muxd> so i installed their fancy wrapper around ovpn
09:55 < r3muxd> it's running into the same issues
09:55 < r3muxd> i'm just gonna reinstall windows now
09:56 <@krzee> hes probably right to reinstall windows
09:57 <@krzee> but hes wrong to think that link applied to him
09:59 < devonrevenge> Hi thar I have a vpn not starting, the startup keeps restarting even, the error I get is "No server certificate verification method has been enabled. "
09:59 <@krzee> !logs
09:59 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
09:59 <@krzee> thats a warning not an error, gimme logs from both sides with verb 5
09:59 <@krzee> and ill take a look for ya
10:00 <@krzee> devonrevenge: you run both sides of the vpn, right?
10:01 < devonrevenge> wait im supposed to put the client cert somewhere arent I
10:01 < devonrevenge> sbeen a while
10:01 < devonrevenge> gettin logs
10:02 < devonrevenge> https://hastebin.com/inibexazaz.sql
10:02 <@vpnHelper> Title: hastebin (at hastebin.com)
10:03 <@krzee> i asked for verb 5
10:03 <@krzee> and both sides
10:03 < devonrevenge> what is that again, I knew this last year
10:03 <@krzee> and starting from the start
10:03 <@krzee> !verb
10:03 <@vpnHelper> "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info, or (#2) verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage., or (#3) Anything more than 5 is for developer debugging only (special debug build needed)
10:03 <@krzee> so kill openvpn on the server and client
10:03 <@krzee> change theior configs to verb 5
10:03 < devonrevenge> the server isnt mine
10:03 <@krzee> start both sides and send me both new logfiles
10:03 < devonrevenge> only haff the client
10:03 <@krzee> oh dude you need help from your provider
10:04 <@krzee> !provider
10:04 < devonrevenge> ahh
10:04 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team., or (#2) Please contact their support team.
10:04 <@krzee> =]
10:04 < devonrevenge> thanks tho
10:04 <@krzee> their side of the logs will probably help you
10:04 < cnrsygn> Hello again
10:05 <@krzee> hello darkness my old friend
10:05 < devonrevenge> so just basic how it works, you usually whack a config cert in client folder in openvpn and then type openvpn connect
10:05 <@krzee> type openvpn connect?
10:05 < devonrevenge> and everything simply works and nothing is complicated and everyone is happy and we all eat ice cream because no one
10:05 < devonrevenge> is lactose intollerant
10:06 <@krzee> actually devon, get me that verb 5 log
10:06 <@krzee> MAYBE i can see an issue from your side
10:06 < devonrevenge> so the cert goes into the client
10:06 < devonrevenge> yeah the provider is rock solid
10:06 <@krzee> ill try, but you probably need your provider
10:06 <@krzee> sure, but theyd need to support you
10:06 <@krzee> you see, you're using their service
10:06 <@krzee> you're their paying customer
10:07 <@krzee> AND they see the other side of the logs
10:07 <@krzee> i doubt they're trying to send me their logfiles to help you
10:07 < cnrsygn> Dear friends, i need help for openvpn. Is anybody available?
10:07 < cnrsygn> I want to ask a question.
10:07 <@krzee> !ask
10:07 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
10:08 < cnrsygn> Thank you :)
10:09 < cnrsygn> Okay, i am ready to ask :)
10:09 < cnrsygn> I am having a problem about server poll timeout
10:10 < cnrsygn> And i am a newbie
10:11 <@krzee> !timeouty
10:11 <@krzee> !timeout
10:11 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or one of the ISPs blocks it
10:11 < cnrsygn> On mobile, i can connect to my vpn server but at school i can not connect because i am receiving this
10:12 < cnrsygn> I am using 80 tcp port
10:12 < cnrsygn> İ have tried 443 tcp/udp ports
10:12 < cnrsygn> My schoolnis behind a firewall
10:12 <@krzee> sounds like your school blocks it
10:13 < cnrsygn> But how can it block tcp 80
10:13 < cnrsygn> I can open usual websites
10:13 <@krzee> by using a firewall that does deep packet inspection (DPI)
10:13 < cnrsygn> I can open a website on my ip too
10:13 <@krzee> it recognizes and blocks openvpn
10:13 <@krzee> do you run your server by chance?
10:14 < cnrsygn> No, i have put a website on it and requested to unblock my server
10:14 <@krzee> or do you use a vpn provider?
10:14 < cnrsygn> They unblocked
10:14 < cnrsygn> I used a vps
10:14 <@krzee> so web to your ip works, but vpn to port 80 tcp on same server does not work?
10:15 < cnrsygn> Yes that is right
10:15 <@krzee> ya they do DPI on their firewall, they are not just blindly blocking by port
10:15 < cnrsygn> I am stopping httpd
10:15 <@krzee> they block the openvpn protocol
10:15 <@krzee> soooo
10:15 < cnrsygn> Opening openvpn
10:15 <@krzee> you can probably defeat that
10:15 <@krzee> !obfs
10:15 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols, or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation, or (#3) in client/server mode an admin can know that openvpn is being used.
10:15 <@vpnHelper> in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
10:16 < cnrsygn> Hahha really? :)
10:16 <@krzee> so the easiest would be to try a statickey connection on port 443 tcp
10:16 <@krzee> !statickey
10:16 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret </path/to/key>, or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time., or (#3) see !forwardsecurity for more info
10:16 < cnrsygn> I will try this thank you for your help i hope i can achieve this
10:16 <@krzee> that might get past them as there is no openvpn handshake
10:16 <@krzee> if not, try obfsproxy
10:16 < devonrevenge> wait its been a while right? so I was trying to set up an openvpn connection with a .conf file and not a .ovpn file
10:17 < cnrsygn> Okay first i will try static key and than obfs
10:17 <@krzee> devonrevenge: in windows?
10:17 < cnrsygn> Thank you very much krzee.
10:17 <@krzee> cnrsygn: no problem, hope it helps!
10:19 < devonrevenge> nah linux
10:22 < devonrevenge> nah that is what you do isnt it
10:27 <@krzee> devonrevenge: .conf is fine in linux
10:27 <@krzee> in fact linux startup scripts will start any .conf in the /etc/openvpn directory
10:28 <@krzee> at least last i knew, theres been a switch to systemd which i dont understand yet
10:28 < devonrevenge> theres no way the server side will support me
10:28 < devonrevenge> im using arch
10:28 < devonrevenge> how do I get the --verb to work then? openvpn --verb 5 rah rah rah
10:28 <@krzee> devonrevenge: i did tell you to get me a verb 5 log
10:28 <@krzee> [07:58] <krzee> actually devon, get me that verb 5 log
10:28 <@krzee> [07:58] <krzee> MAYBE i can see an issue from your side
10:28 <@krzee> [07:58] <devonrevenge> so the cert goes into the client
10:29 <@krzee> [07:58] <krzee> ill try, but you probably need your provider
10:29 <@krzee> you change verb to 5 in the config
10:29 <@krzee> !man
10:29 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
10:29 < devonrevenge> ahh
10:29 < devonrevenge> might have to reset su command cant remember it
10:29 < devonrevenge> :/
10:30 < devonrevenge> not going to be taking the oscp course anytime soon at this rate
10:34 < devonrevenge> here https://hastebin.com/eyidetijap.pas
10:34 <@vpnHelper> Title: hastebin (at hastebin.com)
10:35 <@krzee> your firewall is blocking your tun device
10:35 <@krzee> allow INPUT and OUTPUT on tun+
10:35 < devonrevenge> ohhhh
10:35 < devonrevenge> krzee you are rly cool I want to be like you
10:35 <@krzee> and thats why we use verb 5 =]
10:35 < devonrevenge> where in the thing does it say that
10:35 <@krzee> you see the WW
10:36 < devonrevenge> oh yeah
10:36 <@krzee> WWTue Jun  6 16:26:20 2017 us=439857 Connection reset, restarting [0]
10:36 <@krzee> you're writing out packets
10:36 <@krzee> no reading them tho
10:36 < devonrevenge> what does that mean and where do I read about this stuff so I can be a person who knows what it is
10:36 < devonrevenge> is there a book on linux firewalls?
10:36 <@krzee> !man
10:36 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
10:36 <@krzee> but also
10:36 <@krzee> !book
10:36 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
10:36 < devonrevenge> ooh
10:36 <@krzee> the verb 5 part is definitely covered in the new troubleshooting book
10:37 <@krzee> id know, since i did the tech review on it :D
10:37 < devonrevenge> yeah and it was easy in the end
10:37 < devonrevenge> :D
10:38 < devonrevenge> theres quite a lot on linux firewalls
10:38 <@krzee> yep and theres a help channel for it too
10:38 <@krzee> ##netfilter
10:38 <@krzee> oops i mean
10:38 <@krzee> #netfilter
10:39 <@krzee> i didnt realize they were official!
10:39 < MeXIst3nZ> Where is the option (which should be default, even) to connect on startup? What's the point of starting OpenVPN on boot if it doesn't actually connect?
10:40 <@krzee> MeXIst3nZ: that has nothing to do with openvpn, its up to your OS... what os do you use?
10:40 < MeXIst3nZ> Also, every so often when I've been surfing around for hours, I look down in the corner and the OpenVPN icon is not green. It's empty. It's silently disconnected. This is just... bad.
10:40 < MeXIst3nZ> krzee: Huh? How can that have to do with my OS?
10:40 < MeXIst3nZ> Windows.
10:40 <@krzee> because your OS starts apps
10:40 < MeXIst3nZ> krzee: Did you read what I asked? Clearly not.
10:41 <@krzee> you need to start openvpn as a service
10:41 <@krzee> the windows service
10:41 <@krzee> but if you keep being combative ill just kick you from the channel
10:41 <@krzee> your choice, be a normal person or talk down to me and get kicked
10:41 < MeXIst3nZ> NOT start on boot. CONNECT on startup (of OpenVPN).
10:42 < devonrevenge> ahh kk
10:42 -!- MeXIst3nZ was kicked from #openvpn by krzee [use the windows openvpn service]
10:42 <@krzee> guess he chose the wrong one
10:42 < MeXIst3nZ> You are the most hostile pieces of shit I've ever encountered. Your software fucking sucks, and you suck even more.
10:42 <@krzee> lol noobs
10:42 < DArqueBishop> No, a troll.
10:42 < megadorus> Haha he left so fast you couldn't even kick him again. I bet he's feeling awesome now :D
10:43 < DArqueBishop> He appeared on #centos yesterday asking if it was related to some "one cent" software.
10:44 <@krzee> oh lol i see
10:44 <@krzee> so i caught on quickly this time!
10:45 <@krzee> hey my kick msg still did answer his question too :D
10:46 < rob0> I would suggest a +b for that one.  He was trolling the first time here also.
10:47 < DArqueBishop> Pardon my language, but I recognized him purely due to how shitty his nick was.
10:49 < megadorus> Is it allowed to ask questions in here if you're not using the regular OpenVPN client? (I'm using AirVPN's open source client Eddie)
10:51 <@krzee> anybody familiar with the syntax for banning based on registered name?
10:51 < rob0> yes but he has no account
10:52 < rob0> it's $a:accountname
10:52 <@krzee> oh i thought we were +r
10:52 < rob0> oh, are we?
10:52 <@krzee> megadorus: kinda depends on the question, just be ready for us to tell you to get support from them
10:53 <@krzee> ;]
10:53 <@krzee> cause its probably likely... but depends on the question
10:55 < skyroveRR> o/ krzee
10:56 <@krzee> hey skyroveRR
10:59 < megadorus> Yeah I already got support for them, they're fixing the issue with the next release of their software, I was just curious if you had any ideas that I could try in the meantime. Okay, so AirVPN's client offers an easy setup to route certain IPs outside of the VPN tunnel. This feature used to work flawlessly when I had Windows 8.1 installed, but since I switched to Win 7 it only works with the "Network Lock" feature disabled. Now what's weird is that
10:59 < megadorus> when I set routes for certain "What's my IP" sites to see if it actually works, for one site it seems to work (even with "Network Lock" enabled) but most sites I can't visit because they get blocked by the "Network Lock" feature.
11:00 <@krzee> so, you want to bypass redirect-gateway, but only for certain IPs/subnets?
11:00 < rob0> When Eddie said he didn't like his teddy, you knew he was a no-good kid.  But when he threatened your life with a switchblade knife ...
11:01 < skyroveRR> ????
11:01 < megadorus> I'm not entirely sure what you mean by redirect-gateway, but I want to use the VPN connection for everything except for visiting a small amount of certain websites (They should be accessed outside of the VPN tunnel through my real IP).
11:01 <@krzee> redirect-gateway is the option config option that sends your internet stuff over the vpn
11:01 < rob0> skyroveRR, haha, an obsucre reference to a cult film from the 1970s :)
11:02 <@krzee> (changes your default route)
11:02 < rob0> !redirect
11:02 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
11:02 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
11:02 <@krzee> !redirect-bypass
11:02 < rob0> *obscure
11:02 <@krzee> !factoids search bypass
11:02 <@vpnHelper> No keys matched that query.
11:02 <@krzee> !factoids search redirect
11:02 <@vpnHelper> 'redirect', 'redirect-policy', 'redirect_ignore', and 'redirect_ips'
11:02 <@krzee> wtf somebody got rid of it!?
11:03 <@krzee> !splitroute
11:03 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/viewtopic.php?t=7175#p8056 to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet, or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
11:03 <@krzee> ohhhhh here it is
11:03 <@krzee> !route_override
11:03 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet, or (#2) you can read about the net_gateway variable in --route in the manual (!man), or (#3) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
11:03 <@krzee> !learn redirect_bypass as [route_override]
11:03 <@vpnHelper> Joo got it.
11:04 <@krzee> so 'route <ip> <netmask> net_gateway
11:06 < megadorus> Thank you, krzee :) I'll go ahead and try it right now and see if it works.
11:06 < megadorus> Brb :)
11:09 <@krzee> !forget redirect_bypass
11:09 <@vpnHelper> Joo got it.
11:09 <@krzee> !redirect_bypass
11:10 <@krzee> !learn redirect_bypass as route <ip> <netmask> net_gateway  to to override --redirect-gateway for a certain subnet. note that net_gateway is internal to openvpn and should not be changed
11:10 <@vpnHelper> Joo got it.
11:11 <@krzee> !learn redirect_bypass as to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
11:11 <@vpnHelper> Joo got it.
11:11 <@krzee> !forget route_override
11:11 <@vpnHelper> Error: 3 factoids have that key.  Please specify which one to remove, or use * to designate all of them.
11:11 <@krzee> !forget route_override *
11:11 <@vpnHelper> Joo got it.
11:11 <@krzee> !learn route_override as [redirect_bypass]
11:11 <@vpnHelper> Joo got it.
11:11 <@krzee> !route_override
11:11 <@vpnHelper> "route_override" is "redirect_bypass" is (#1) route <ip> <netmask> net_gateway to to override --redirect-gateway for a certain subnet. note that net_gateway is internal to openvpn and should not be changed, or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
11:13 < devonrevenge> how does one allow openvpn through ones firewalls? one is still not succeeding
11:13 < devonrevenge> I need to know what i have to let through I guess
11:17 < devonrevenge> So what ports devices addresses does openvpn use and how do I find out what they are so I can get iptables to leave this alone
11:18 < Renich> good day, OpenVPN community! I hope everything is fine; encrypted and secure overall! ;)
11:18 < devonrevenge> xD
11:18 < megadorus> krzee, unfortunately it didn't work.
11:18 < Renich> I ran into this HowTo: https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux but I can't get more than 20 Mbps off my virtual machines. I am trying to connect two of them. One in Washington and the other in Miami.
11:18 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
11:19 < Renich> I was wondering. Over the internet, should we use MTU higher than 1500?
11:19 < devonrevenge> how do I find which port openvpn is using
11:19 < Renich> Also, if anyone could help with some tips and stuff, it would be cool
11:20 <@krzee> !speed
11:20 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help., or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded), or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu), or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links, or (#5) less likely are issues with bad
11:20 <@vpnHelper> TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs), or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp), or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better., or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no), or
11:20 <@vpnHelper> (#9) a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
11:21 < megadorus> Tried it with multiple netmasks. I tried the one the VPN client listed as VPN gateway (255.255.0.0), the one from my Ethernet connection (255.255.255.0) and the one the VPN client used itself for writing these routes inside the ovpn file (255.255.255.255).
11:22 < Renich> wow!
11:22 < Renich> cool
11:23 < Renich> !mtu
11:23 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting, or (#3) useful info here: https://forum.pfsense.org/index.php?topic=67080.0
11:27 < rob0> devonrevenge, again, when verb 5 has both Ws and Rs, your tunnel is getting through.  Perhaps you need to permit the tun device, as krzee already mentioned?
11:27 < devonrevenge> yeah thats totally it, how do I do that
11:28 < rob0> !factoids search -values iptables
11:28 <@vpnHelper> (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
11:28 < rob0> !factoids search --values iptables
11:28 <@vpnHelper> 'lintrafaccnt', 'linportforward', 'linportforward', 'ldap_iptables', 'linipforward', 'shaping', 'fail2ban', 'iptables-rules', 'linnat', 'linnat', 'firewall', 'iptables', 'netfilter', 'frozentux', and 'service_behind_client'
11:28 < rob0> !iptables-rules
11:28 <@vpnHelper> "iptables-rules" is When posting iptables rules, please use the `iptables-save` syntax as it is easiest to read. While we try to be helpful, #netfilter may be more appropriate for complex netfilter issues
11:28 < rob0> !iptables
11:28 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this., or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG, or (#3) These are just the basics to get you started
11:29 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
11:29 < rob0> hmm, well
11:29 < rob0> it's iptables -vI INPUT -i tun+ -j ACCEPT
11:30 < devonrevenge> its justrestarting :/
11:30 < rob0> and perhaps also (esp. on a server) iptables -vI FORWARD -i tun+ -j ACCEPT
11:30 < megadorus> krzee, would it maybe help if I posted a link to the ovpn commands that my client uses?
11:30 < rob0> what does "restarting" mean?
11:30 < Renich> It doesn't work when I /msg vpnHelper...
11:30 < devonrevenge> I think the devil is in my desktop, giong to have to burn it
11:31 < devonrevenge> after outputing whatever its outputing it likes to say Restart pause, 5 seconds
11:33 < rob0> oh, openvpn is restarting?
11:34 < devonrevenge> https://hastebin.com/noqenuhepu.pas
11:34 <@vpnHelper> Title: hastebin (at hastebin.com)
11:34 < devonrevenge> yeah
11:37 < rob0> Tue Jun  6 17:23:42 2017 us=488368 SIGUSR1[soft,connection-reset] received, process restarting
11:37 < rob0> search the man page for "SIGUSR1"
11:37 < devonrevenge> tk, man linux or openvpn?
11:38 < megadorus> !netmask
11:38 < rob0> openvpn of course
11:39 < rob0> is there a "man linux"?
11:39 < skyroveRR> Or "man woman" rather
11:39 < devonrevenge> I mean man pages
11:40 < devonrevenge> I got the openvpn site up
11:40 < devonrevenge> so it says something about not needing the old firewall stuffs on 443
11:40 < rob0> search the openvpn man page for "SIGUSR1"
11:40 < devonrevenge> cos is the ssl port
11:41 < rob0> Don't confuse https with openvpn
11:42 < devonrevenge> you know why people like me dont learn to use man pages and debuggers, because they will "get round to learning properly later"
11:42 < devonrevenge> doing things properly is alian and difficult
11:42 < devonrevenge> Im lucky im not still working the kitchens
11:43 < devonrevenge> one day people with my span will rule the world
11:43 < r3muxd> OK, so just incase anyone had the same issue as me, try reinstalling Windows.
11:43 < skyroveRR> lol
11:44 < skyroveRR> Anything happens with a windows machine, "reinstall windows" is the solution.
11:44 < skyroveRR> Which is what I love about windows.
11:44 < skyroveRR> Get rid of a virus? Reinstall windows. Get back a missing .dll? Reinstall windows. Deleted a critical system file? Reinstall windows.
11:45 < devonrevenge> So I found why ISGUSR1 pops up, something to do with dhcpcd
11:46 < devonrevenge> skyroveRR: I had an hp stream 7 tablet, it had some kind of wierd architecture which meant that an "true" signal had to be sent to the wifi firmware every few seconds or it would shut down
11:46 < devonrevenge> so you couldnt reinstall windows because you needed this binary
11:46 < megadorus> I hope you're wrong, skyroveRR, because I only finished setting up my Windows a few days ago :(
11:47 < skyroveRR> Yeah
11:48 <@krzee> rob0: his log shows he has a firewalls problem
11:49 <@krzee> WWTue Jun  6 16:26:20 2017 us=439857 Connection reset, restarting [0]
11:50 < rob0> oh, no R?
11:50 <@krzee> right
11:51 <@krzee> told him to allow input and output for tun+
11:51 <@krzee> not sure if he did
11:51 < devonrevenge> I did that if its me
11:51 <@krzee> yep you
11:51 <@krzee> ok so post new log
11:51 < devonrevenge> I got W and R I just got the old restart
11:51 < devonrevenge> no change
11:52 <@krzee> new log verb 5
11:52 < rob0> oh, it's on TCP (why?)
11:52 < devonrevenge> k
11:53 < devonrevenge> https://hastebin.com/zovujijoke.sql
11:53 <@vpnHelper> Title: hastebin (at hastebin.com)
11:53 <@krzee> yep now you need support from your provider
11:53 <@krzee> !provider
11:53 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team., or (#2) Please contact their support team.
11:53 <@krzee> we fixed your firewall problem, now we cant help you further
11:54 < devonrevenge> ahh, okay
11:54 < devonrevenge> the provider is a pentesting lab lol
11:54 < devonrevenge> https://lab.pentestit.ru/how-to-connect
11:54 <@vpnHelper> Title: Penetration test lab "Test lab" | Pentestit (at lab.pentestit.ru)
11:55 <@krzee> well their logs should have a better idea of whats up
11:55 <@krzee> rob0: you agree?
11:55 < devonrevenge> though they could have done a bit more explaining - heres a thing though, I learned a wee lesson; I wanted to practice these ctfs so I could do OSCP, your supposed to have basic networking knowledge however theres a big hole in networking
11:56 < devonrevenge> what are your backgrounds? I should just read the man pages you say?
11:57 <@krzee> im self-taught, lots of manpages and experimenting
11:57 <@krzee> ##networking is another good help channel
11:57 < devonrevenge> tk thanks
11:57 <@krzee> they have less of a defined focus than we do here
11:57 <@krzee> here we only do openvpn, they do it all
11:57 <@krzee> (and have like 900 more people)
12:00 < rob0> krzee, yep
12:00 < devonrevenge> ah tk, I dont know where to start with networking I know about packets and frames and udp tcp etc, its the layer above
12:00 < devonrevenge> nats and firewalls
12:00 < Renich> topic
12:01 < Renich> hehehe... missed the /
12:05  * Renich is depressed: https://0bin.net/paste/hkdMYmnpwzw3fhBw#wXs5u4Hv37R3js8CZN-NrgMiqLl/pf3nzhuGNOT8Vcb
12:05 < Renich> oh, well, done with txqueuelen and mtu; let's move on on the recommendations
12:05 < megadorus> Anyone care to look at these ovpn settings to see if they can spot a reason why the "route" feature won't work?
12:05 < megadorus> https://paste.debian.net/hidden/e5780dde/
12:06 <@krzee> Renich: wow thats a biiiiiig difference
12:06 <@krzee> i hope you find your fix!
12:06 < Renich> krzee: yeah, me too.
12:07 < Renich> !speed
12:07 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help., or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded), or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu), or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links, or (#5) less likely are issues with bad
12:07 <@vpnHelper> TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs), or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp), or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better., or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no),
12:07 <@vpnHelper> or (#9) a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
12:07 <@krzee> megadorus: the route command looks fine, maybe its because its a modified openvpn (we may be at that point i mentioned where we have to point at the people who made the app you're using)
12:09 < megadorus> Got it. I will try one more thing, I'll create a ovpn file inside the client area and use it with the regular OpenVPN client.
12:21 < megadorus> krzee, now with the regular OpenVPN client it's working... kind of. With one route it works, but with another two I added later it doesn't work.
12:22 < megadorus> https://paste.debian.net/hidden/c45f5599/
12:22 <@krzee> did you restart openvpn after?
12:22 < megadorus> No, just disconnected and reconnected.
12:23 <@krzee> that should be fine
12:23 < megadorus> But that's exactly what I did when adding the first route, and it worked without restarting the client.
12:24 <@krzee> what happens when openvpn tries to add the route?
12:24 <@krzee> you should see it get added in your logs and then it should be in your routing table
12:24 <@krzee> look at those things
12:26 < megadorus> Aw man, I screwed up :( I used the wrong netmask for the two routes that didn't work.
12:26 < megadorus> Brb ^^
12:28 < megadorus> Okay, great, now all three routes are working.
12:30 < megadorus> Thanks for your help so far, krzee, really appreciate it :)
12:32 <@krzee> yw
12:32 < megadorus> Will this command help me to lock down all connections outside the tunnel (except for the set routes, of course)?
12:32 < megadorus> redirect-gateway def1
12:33 <@krzee> you probably already have that being pushed at you from the server
12:33 <@krzee> since you dont control the server, i cant tell you
12:33 < megadorus> Aah, okay.
12:35 < megadorus> But that wouldn't help me if the connection to the VPN dropped, right?
12:35 < megadorus> Then Windows would just fall back to the regular internet connection I imagine.
12:37 <@krzee> without def1 youd have no default route when openvpn dies
12:37 <@krzee> def1 allows you to still have one
12:37 <@krzee> !def1
12:37 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
12:38 <@krzee> but really, what you're talking about is the job of your firewall
12:38 <@krzee> i dont use windows, so i dont know if it can do this without an extra outbound firewall app
12:39 <@krzee> but what you are saying is that you only want traffic to the vpn provider and specific other subnets to go out the internet adapter, and everything else should go out the vpn tunnel
12:39 <@krzee> so you should be makeing firewall rules to enfore that if you care
12:39 <@krzee> !notovpn
12:39 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
12:39 <@krzee> ;]
12:41 < megadorus> Huh. Now that you mentioned it so clearly I feel like a complete idiot for trying to mess around with OpenVPN configurations for that very problem ^^
12:41 < megadorus> But yeah, you hit the nail right on the head, that's exactly what I want to achieve :)
12:42 < megadorus> Again, thank you so much for your help! Will read up on Windows and firewalls then :)
12:42 <@krzee> you're welcome
12:42 <@krzee> if you cant find how to easily do it in windows, there ARE definitely apps that will help
12:42 <@krzee> outbound firewall apps
12:42 <@krzee> but hey, maybe the windows firewall is good enough by now, im not sure
12:43 < megadorus> Yeah, I do have one as part of Bitdefender Internet Security.
12:43 <@krzee> ahh there ya go!
13:44 < |Mike|> unf unf unf
16:41 < |Mike|> ohai xx00__
16:47 < xx00__> hi
17:47 < arlion[w]> Hi, having some problems with openvpn 2.4 server. I enabled comp lz4 for 2.4 clients. Howevor my 2.3 client is not able to connect. To remedy that, I enabled comp-lzo and elft lz4 enabled in the server configuration. Now my client isn't able to get on but my 2.3 client is able to
17:48 < arlion[w]> Any advice to either make the server accept both compression algorithms or have my 2.4 client accept standard comp-lzo?
17:50 < |Mike|> update the 2.3 clients asap? :-)
17:51 < arlion[w]> i just asked him to check if he has updates.
17:51 < arlion[w]> one moment
17:51 < arlion[w]> nope, not avail on ubuntu 16.04
17:52 < |Mike|> then update the system os?
17:53 < arlion[w]> ubuntu 16.04 is a long term support OS
17:53 < |Mike|> Is the pkg available in backports?
17:53 < arlion[w]> it is a current and standard os
17:53 < |Mike|> (fyi; not running ubuntu atm)
17:53 < arlion[w]> I noticed
17:53 < arlion[w]> Got any advice on the openvpn front?
17:54 < |Mike|> Raspbian, Debian, OpenBSD and many other.
17:55 < arlion[w]> changing OS is not neccessary as ubuntu 16.04 is a standard and long term supported OS
17:56 < |Mike|> Zesty is having 2.4.0 tho.
17:56 < arlion[w]> Thanks for wasting my time.
17:56 < |Mike|> You've wasted your own time Sir. Don't blame me.
17:58 < |Mike|> arlion[w]: Long term supported OS has it's pros and cons as you've noticed.
18:00 < |Mike|> Deal with it, make your people use backports or a latest version of the Ubuntu operating system for desktop PCs and laptops
18:01 < |Mike|> arlion[w]: ^
18:02 < |Mike|> No comunnication is fine with me as well.
18:03 < |Mike|> - The end
18:04 < arlion[w]> back
18:04 < arlion[w]> that was me jumping back on my vpn
18:04 <@dazo> arlion[w]: look at the community wiki .. there's some pointers to our repositories with more bleeding edge openvpn ... but as |Mike| says, LTS distros doesn't move fast forward on package rebases
18:04 < arlion[w]> When I added comp-lzo support I didn't have the full syntax there. Figuered it out by reading the man page.
18:06 <@dazo> yeah, 2.4 is much more grumpy on the config syntax .... where 2.3 and older would silently ignore faulty configurations - or only partially apply it
18:06 < arlion[w]> |Mike|: there are many people different people that come across these channels. Especially in support channels I think a modest amount of respect comes with a support channel.
18:07 < arlion[w]> Myself, I was going nuts trying a bunch of different things trying to get openvpn server to get working
18:07 < arlion[w]> I ask that you consider to sympathize with some of the people that come across here and try to support in a way they find useful.
18:07 <@dazo> arlion[w]: |Mike| has been around here for a very long time ... and he is quite respected here too ... you might not agree with that today, which is fine, but he does help out here quite a lot
18:08 < rob0> <cough> entitlement </cough>
18:08 < arlion[w]> I understand that he may be well respected amoung this community, but I do not know him. So my only experience with him was this short conversation.
18:09 < rob0> and you judged his input useless, without really knowing if it was or not.  Yes, respect is a good idea.  Show some.
18:10 <@dazo> rob0++
18:10 < arlion[w]> upgrading or changing OS is not a feasible option for everyone.
18:11 <@dazo> lets drop this discussion ... it leads nowhere, really
18:11 < arlion[w]> I acknowledged that it was not possible so I was seeking alternative troubleshooting points that I hoped to gain from the application.
18:12 < Eugene> ur a title
18:16 <@dazo> hmm ... just looked at the irc stats .... wonder where (and why!) pekster is hiding ....
18:18  * dazo calls it a day
18:18 < |Mike|> Thanks dazo and rob0
18:19 < |Mike|> I was about to hit enter on reply to arlion[w] but he decided to walk away. Fine by me :-)
18:19 < |Mike|> s/on/an
18:21 < |Mike|> LTS has pros and cons as I mentioned. Pros are stability and the cons are outdated - but stable- software jmo.
18:23 < rob0> dazo, yes, we haven't seen pekster in ages, in other channels also.
18:24 < |Mike|> rob0: a random grep on pekster only shows urls from vpnHelper
18:24 < rob0> |Mike|, I am hypersensitive to hyperentitled people who beg for help and don't appreciate what they get.
18:28 < |Mike|> rob0: same here and exactly the reason why I didn't respond after his "back" message
18:29 < rob0> !sweet
18:29 <@vpnHelper> "sweet" is http://sweet.nodns4.us/ =(
18:30 < rob0> ^^ my web page for them :)
18:30 < |Mike|> Sounds as the kiwi "sweet as!"
18:33 < |Mike|> Loving the page. Bookmarked!
18:36 < rob0> yw :)
23:17 <@krzee> nice i need to remember !sweet
--- Day changed Wed Jun 07 2017
00:41 -!- DeathShot_ is now known as DeathShot
02:56 < poorandunlucky> can i connect to an OpenVPN server using Windows 10's built-in VPN libraries or do I absolutely need to install the OpenVPN connect client?
03:00 <@ordex> poorandunlucky: you need to install openvpn. but it does not need to be Connect. You can also install the 100% open source community version
03:02 < poorandunlucky> well that's not possible, because there's no OpenVPN application for Windows 10 Mobile.
03:03 < poorandunlucky> I need to connect my phone to OpenVPN... so unless someone has a better idea, it looks like I configured a daemon for no reason, because I'm going to have to configure SoftEther.
03:10 < tx> are there any applications for windows 10 mobile?
03:13 < poorandunlucky> tx the necessary, and there's Windows App Studio that lets you release Windows 10 store apps under 5 minutes from a website... it converts XML-compliant HTML to XAML, and JS to VC I think...  they even had a Windows Insider release that could run Android apps natively.
03:15 < poorandunlucky> tx: I don't need all the crap in Android stores... a lot of it has spyware, bloatware, it's made by people who can't code for shit and it eats up the battery, makes the device a radiator...  i'm happy with my Windows phone...  I can also use it under the glaring noon sun!
03:15 < tx> You're saying windows devs are better?
03:15 < rob0> but you'll be using it without openvpn :)
03:15 < tx> According to what you've just said most are just conversions, or indeed android apps anyway!
03:15 < tx> :P
03:15 < tx> (well, maybe soon)
03:16 < poorandunlucky> tx: they pulled out the feature from the main branch, though...
03:16 < poorandunlucky> maybe they're still working on it, idk... it was called project iris, I think...
03:18 < poorandunlucky> tx: most Android apps Are websites... honestly, there's no real reason you'd want to build anything more complex than a web application these days, anyway... for most purposes...
03:18 < poorandunlucky> wow, great... a dog's tongue on my face.  groundbreaking.
03:19 < poorandunlucky> oh, look, another instant messaging thing nobody's going to use...  "what IM do you use?  i have what's app, WeChat, kik, SnapChat ....."  "dude, just send me an e-mail.  i get push notifications and they're all threaded in conversations."
03:20 < tx> Sorry, I may have stuck a nerve.
03:21 < tx> If you want you can PM, otherwise I think I've taken the topic of openvpn a bit astray. :P
03:22 < poorandunlucky> naw, it's ok... it's just been a topic that's been itching me these past few days...
03:23 < poorandunlucky> now i'm just unhappy with OpenVPN because i was led to believe that it was a standards-compliant software, but it's just like MySQL... it's a proprietary thing that has a free "community edition".
03:24 < poorandunlucky> part, but in the end, it's not compliant with anything that resembles it, and if you start building with it, you're stuck to it.
03:25 < poorandunlucky> Anyway, OpenVPN's not going to start speaking L2TP or even PPTP because of me, so I best get started with SoftEther....
03:25 < poorandunlucky> at least I have all my certificates ready..
03:25 < poorandunlucky> peace!
03:26 < poorandunlucky> see ya 'round, tx, and you should try a Windows phone  : P  they're fun  : )
03:27 <+hyper_ch> that was weird
03:28 < tx> PPTP...
03:28 < tx> jesus.
04:21 < rkzzy> anyone have a link for a working internet kill switch for windows?
04:28 <@dazo> I've probably never seen a better matching nick name to the contents of a discussion .... poorandunlucky ..... yeah, when really considering PPTP support, you are poor and unlucky
04:31 <+hyper_ch> tx: you didn't rush to the next mobile store and get a Windows Phone?
04:35 <@ordex> dazo: LOL
04:36 < tx> iirc windows mobile has some weird special permissions you need to ask for
04:37 < tx> to get the VPN permission, anyway.
04:47 <@dazo> !pptp
04:47 <@vpnHelper> "pptp" is (#1) PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
04:47 <@vpnHelper> read about why to not use pptp, or (#2) Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security, or (#3) https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
04:48 <@dazo> hmmm .... perhaps we can shape that one up a bit further .... "If you consider PPTP, you can just as well consider plain text protocols instead. Less overhead and probably easier to setup to"
04:55 <@ordex> we could also suggest these people to switch off the laptop and do something else :P
04:56 <@dazo> so in essence .... "Please return your laptop to the shop you bought it" ..... ?
04:58 <@ordex> :D
04:58 <@ordex> yes!
04:58 <@dazo> ;-)
05:11 < tx> Argument for PPTP: People will be expecting you to be using encryption
05:11 < tx> not bother to even check / monitor the network
05:11 < tx> stupidity is the future, next step is telnet and ftp. :P
05:15 <+hyper_ch> I like telnet
05:15 <+hyper_ch> it's greta to check resonse for mailsever when troubleshooting
06:11 < p1kachu_> Hi Guys,
06:12 < p1kachu_> I am trying to add my user to to use preconfigured openVPN setup by my team and facing this error while connecting through tunnelblick
06:13 < p1kachu_> 2017-06-07 16:26:15 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=IN, ST=Maharashtra, L=Mumbai, O=XXX India Pvt. Ltd., OU=MyOrganizationalUnit, CN=server, name=EasyRSA, emailAddress=xxx@xxx.com 2017-06-07 16:26:15 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed 2017-06-07 16:26:15 TLS_ERROR: BIO read tls_read_plaintext error 2017-06-07 16:26:15 TLS Error: TLS obje
06:13 < p1kachu_> Can some tell me what is wrong ?? My peers didn't do anything different than me for VPN access.
06:16 < p1kachu_> !goal
06:16 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:17 < p1kachu_> I would like to connect to VPN but it's giving me error 2017-06-07 16:26:15 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=IN, ST=Maharashtra, L=Mumbai, O=XXX India Pvt. Ltd., OU=MyOrganizationalUnit, CN=server, name=EasyRSA, emailAddress=xxx@xxx.com 2017-06-07 16:26:15 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed 2017-06-07 16:26:15 TLS_ERROR: BIO read tls_read
06:25 <@dazo> p1kachu_: looks like you're using a certificate not signed by a CA your VPN server or client expects (don't know where the OpenSSL error comes from ... so hard to be more concrete)
06:25 < adoua> hi guys, is it possible to restrict openvpn server to accept connection only from user, who present certificate with specific CN? We have sitation where same CA is used for all our servers and users. Currently there is a need to allow access to server only for one user. Quick way is to make new CA and issue certificate only for that server/user. But I wander if it is possible to restrict access in our
06:25 < adoua> seitiation. I've tried to search for this, but apparently, my google-fu is weak. Appreciate if you can point me to some direction
06:27 <@dazo> adoua: yes, that is possible .... the easiest approach is to use --client-config-dir (aka ccd) and have a file in that directory named DEFAULT which contains 'disable' on a single line
06:27 <@dazo> adoua: then you add a single file for each CN you want to allow .... but there are some details you need to checkout, as if CN=Test User ... the filename will need to be Test_User
06:27 <@dazo> (the man page describes that quite well)
06:29 < p1kachu_> dazo: I am using self signed certificate, may be I am required to add root cert to my local machine?
06:29 <@dazo> p1kachu_: self-signed certificates does not work ... the remote side cannot validate the authenticity of self-signed certs
06:29 <@dazo> hence you need a proper CA
06:30 <@dazo> CA certificate, I mean
06:30 < adoua> dazo: thanks, got it. Used ccd for static ips before, will check it for access restriction. Thanks
06:31 <@dazo> adoua: --disable should be described in the man page ... and it is truly primarily useful for CCDs only :)
06:32 < p1kachu_> dazo: but I may have read that If I add a own root cerificate to my root certificates of my machine then the self signed certificates should work the same way as other CA verified certs, Anything here I might be missing?
06:49 < p1kachu_> Now the error changed to 2017-06-07 17:10:45 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=IN, ST=xxx, L=xxx, O=xxx India Pvt. Ltd., OU=MyOrganizationalUnit, CN=Grofers India Pvt. Ltd. CA, name=EasyRSA, emailAddress=xxx@xxx.com 2017-06-07 17:10:45 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed 2017-06-07 17:10:45 TLS_ERROR: BIO read tls_read_plaintext error
06:49 < p1kachu_> <b>error=self signed certificate in certificate chain:</b>
06:51 <@dazo> p1kachu_: the CA root certificate are usually self-signed ... but the server/client certificates must be signed by the  CA root certificate key
07:04 <+hyper_ch> p1kachu_: do you generate all the certs or do users submit a request for signing?
07:56 < murkx> hey, does someone have an idea why i can use my smb-shares (windows server) but if i wanna open a document, it's loading indefinitely?
08:10 <+hyper_ch> "windows"
08:10 <+hyper_ch> :)
08:13 < murkx> can't change that... not my choice...
08:15 <+hyper_ch> no idea, samba works fine here through the vpn
08:17 < DArqueBishop> !notovpn
08:17 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
08:17 < DArqueBishop> As in, you might want to check your SMB logs first.
08:17 <+hyper_ch> no to vpn
08:17 <+hyper_ch> no to vpn?
08:18 <+hyper_ch> :)
08:20 < murkx> yea, thought someone might experienced something similar and had to set the mss or similar... anyway..
08:56 <+hyper_ch> murkx: as said, my samba server runs fine through the vpn..: I could give you my config but not sure if that's any helpful
08:59 <+hyper_ch> you could fire up samba in a vm and test that then
09:06 < murkx> good idea, thx hyper_ch
09:10 <+hyper_ch> murkx: samba.conf  https://paste.simplylinux.ch/view/raw/d06f6f66
09:10 <+hyper_ch> jus have a few more shares that I removed there
09:11 <+hyper_ch> and that's what I use to connect to it  https://github.com/sjau/nixos/blob/master/configuration.nix#L135
09:11 <@vpnHelper> Title: nixos/configuration.nix at master · sjau/nixos · GitHub (at github.com)
09:29 < murkx> hyper_ch: i just figured out, it really is an mtu problem on the client side...
09:29 <+hyper_ch> !mtu
09:29 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting, or (#3) useful info here: https://forum.pfsense.org/index.php?topic=67080.0
09:35 < murkx> now i didn't set the mss, i put a "tun-mtu 1300" into the server.conf... i know i should use the mss... so the syntax for the conf-file is: fragment 1300 ?
09:38 < murkx> got it.. now figuring out the exact size... thanks hyper_ch
09:38 <+hyper_ch> 1 < x < 10000
09:39 < murkx> good advice...
09:39 < murkx> ;)
09:41 <+hyper_ch> your welcome
09:41 <+hyper_ch> you're
12:10 < elektromacumba> hello, i've installed openvpn in a single device connected to the router, i can surf in internet through the vpn but i'munable to access at local resources . what's wrong?
12:13 < elektromacumba> !heartbleed
12:13 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl, or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised., or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected., or (#4)
12:13 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed, or (#5) http://xkcd.com/1354/
12:34 < PsynoKhi0> hello, I'm considering a hub-and-spoke topology for remote access of networks behind existing routers/gateways (the spoke nodes being mikrotik routers), the gist being giving our field technicians the ability to remotely support e.g. CCTV equipment sitting on LANs separated from our customers' infrastructure, to limit the changes needed on their topology. AFAIK mikrotik as of now only supports TCP
12:34 < PsynoKhi0> mode, no LZO nor TLS... I actually think TCP's a plus for our use case, though, beyond logical topology considerations, do you see any aspect we should be especially careful about?
12:39 < elektromacumba> i'm unable to reach lan client  but only  access through internet
13:30 -!- Vampire0_ is now known as Vampire0
13:30 < sparxy_> Hi all! I'm trying to get my Windows client to use the dns server over the VPN link, but I do not want all traffic routed . I have the "PUSH DNS" option in my server config but it never seems to apply to the computer. Any ideas?
14:13 -!- bezaban is now known as process
14:44 -!- process is now known as bezaban
16:31 -!- danhunsaker_ [sid145261@openvpn/corp/danhunsaker] has joined #openvpn
16:31 -!- mode/#openvpn [+o danhunsaker_] by ChanServ
16:37 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has quit [Ping timeout: 240 seconds]
16:37 -!- danhunsaker_ is now known as danhunsaker
16:45 < a1exus> hello
16:45 < a1exus> I used https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html in order to get tunnel between 2 points, how do I introduce 3rd point in this scenario?
16:45 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
16:50 < a1exus> anyone?
17:00 < bezaban> a1exus: one if the disadvantages listed on that page is: Limited scalability -- one client, one server
17:01 < bezaban> while I haven't tried it I would assume that means you can have one client and one server.
17:01 < a1exus> ok
17:01 < a1exus> maybe that's not working for me then
17:02 < a1exus> can I use openvpn to establish vpn between 3 nodes somehow? maybe another setup?
17:02 < bezaban> yeah sure, other setups cater to this fine
17:02 < bezaban> 2 or more clients connecting to server sharing a virtual private network
17:04 < a1exus> can you recommend howto or something that can help me? i'm new to openvpn
17:04 < a1exus> that page worked fine for me, i was able to do 2 nodes, but now i need 3rd
17:10 < bezaban> a1exus: hmm. https://openvpn.net/index.php/open-source/documentation/howto.html#quick should work, just don't to the static key route, but use easy-rsa to generate certs
17:10 <@vpnHelper> Title: HOWTO (at openvpn.net)
17:10 < a1exus> ok
17:10 < a1exus> i'll do some reading
17:10 < a1exus> thank you
17:14 < bezaban> a1exus: also if you only have linux clients (possibly mac) I would recommend 'topology subnet'
17:14 < bezaban> but that is a personal preference I guess
17:16 < bezaban> someone else might know better quickstart guides, I'm not well oriented in the docs, but since noone else was replying I figured I'd try
17:16 < bezaban> but past midnight, so nn!
17:18 < fnljk_> here may be guide on use of 3 vpns , with a twist even.. (the outer ones potentially not knowing of each other, if separated well...it sounds.. i dunno), if any info neway..orrelated at all (unsure)..~> https://github.com/cryptostorm/voodoo.network
17:18 <@vpnHelper> Title: GitHub - cryptostorm/voodoo.network: voodoo networking: post-VPN session obfuscation for a post-Snowden world (at github.com)
17:19 < fnljk_> also if anyone would find useful, there are some auto-install scripts "road warrior" for openvpn on pages like  github.com/Angristan , /Nyr   etc..some with various other functionality n such...
17:20 < fnljk_> also, note how u may get vps-server for just a coupel dollars pear YEAR with soem good deals as seen on webhostingtalk, lowendbox etc... kvm and fde, paying with bitcoin and using fake id all easily doable, enabling much more control and fguncitonality too.. or at least some additional possibility for using tactically..for whatever...   besides, much cheaper than most VPN providers, even renting s
17:20 < fnljk_> ..several of them at once and it'd still be
17:22 < fnljk_> another fairly easy auto-  setu pmight be one such as this.. also with some optional ones, extras etc. ontop of it all too.. ~> https://github.com/jlund/streisand  , much similar as well if searching around , Github has much good!
17:22 <@vpnHelper> Title: GitHub - jlund/streisand: Streisand sets up a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, a Tor bridge, and WireGuard. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists. (at github.com)
18:12 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 255 seconds]
18:18 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
18:18 -!- mode/#openvpn [+o dazo] by ChanServ
18:47 < |Mike|> Ahoy skippers!
22:08 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:17 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:17 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Thu Jun 08 2017
01:35 -!- def_jam is now known as eb0t
01:35 -!- eb0t is now known as eblip
01:51 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
01:51 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
01:51 -!- mode/#openvpn [+v s7r] by ChanServ
03:36 <+hyper_ch> krzee: lawful interception ->  There was at least one security incident in Driebergen: De Volkskrant describes that during a meeting with FBI and FSB, a Russian official came to a member of the Dutch police team, pointed at someone from the FBI and said "he is copying your data". An investigator went looking and saw that indeed the American had a thumb drive in a police laptop and was copying Dutch information.  https://electrospaces.blogspot.ch/
03:36 <@vpnHelper> Title: Electrospaces.net (at electrospaces.blogspot.ch)
03:36 <+hyper_ch> 2017/06/dutch-russian-cyber-crime-case-reveals.html
06:17 < jeeger> Hey! I'm a bit confused about the "kernel" routes that OpenVPN creates. Why is tun0 a "point-to-point" link to 10.8.0.2? Where does that address come from? My tun0 IP has the address 10.8.0.1 ("server 10.8.0.0 255.255.255.0" in config file).
06:20 < jeeger> !welcome
06:20 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
06:20 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
06:21 < skyroveRR> !1925
06:21 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
06:22 < jeeger> !route
06:22 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
06:23 < jeeger> !/30
06:23 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
06:23 < jeeger> !topology
06:23 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
06:30 < rob0> jeeger, ^^ those last two have your anwser
06:31 < jeeger> rob0: Yeah, that was surprisingly helpful for a bot :)
06:32 < rob0> vpnHelper++
06:32 < jeeger> I've activated the subnet topology, and the point-to-point link/routes disappeared
06:32 < rob0> the net30 stuff is the ancient default, which nobody should still be using
06:33 < rob0> eventually (after a proper mourning period) the default will change to subnet
06:34 < jeeger> ah, cool, and now my pings work as well.
06:34 < jeeger> This was very instructive.
06:37 < jeeger> Now if works with my windows client as well, I'm impressed :)
06:39 < jeeger> Yep, works. Cool, that was a fruitful visit. Thanks for your help, vpnHelper!
06:39 < jeeger> See ya!
09:33 < ghormoon> hi, what's current best replacement for update-resolv-conf script for centos 7? I've found some rewritten one using nmcli, but that doesn't work out of the box, so if I should dig into it or I'm just bad at googling up the correct scripts/packages?
11:47 < gehidore> !welcome
11:47 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
11:47 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
12:36 < gehidore> moin, I've got an issue where my linux clients can connect with no issue and access resources in the servers network yet this single windows client throws mostly silent errors (only visible server side with verbosity of 7) and on the client doesn't seem to get a default gateway server config:
12:36 < gehidore> https://gist.githubusercontent.com/gehidore/3057e7657a46abd80495c3a7e118fd4a/raw/e220a901fdd23e97ced78c9b8b8eb945f35edc7b/lcww.conf client config: https://gist.githubusercontent.com/gehidore/d3e67b60c440b573db584902edf9a4c2/raw/d2b6c5ab9b0c8ea7496ab61067192b3b86a2c8c9/lcww.ovpn client log:
12:36 < gehidore> https://gist.githubusercontent.com/gehidore/28866d0bf508d283f624fc2db88baa0b/raw/bc3e8acfba988d43026a67f45d678dfbad09e38b/client.log
12:38 < gehidore> course now I see that windows seems to /want/ to use tap when I thought I was telling it to use tun instead
12:39 < gehidore> but I've banged my head on the wall for a couple days so I'm sure it's something puny that is obvious and I'm just not seeing it
14:33 < krav> Hey, does anyone know why openvpn would only start up one tunnel when run as a daemon, but runs the profile fine when run on it's own?
14:55 < Eugene> krav - how are you starting it "as a daemon" ? What OS?
15:15 < krav> Eugene: debian linux, using systemd.
15:15 < krav> When i start a profile by hand, it starts without a hitch
15:16 < krav> when i start multiple profiles by systemd, it only starts 1 of the 2
15:22 < krav> I'm trying to create a triangle of openvpn systems talking to each other so i can stand up a HA instance of openvpn-as
15:35 <@dazo> krav: how do you use systemctl to start the tunnels?
15:36 < krav> systemctl start openvpn
15:36 < krav> after stopping it.
15:37 <@dazo> which openvpn version are you using?
15:38 < krav> dazo: 1.0.1t
15:38 < krav> for the library
15:38 < krav> 2.3.4 x86_64-pc-linux-gnu for the version
15:39 <@dazo> ehh ... okay ... I have no idea how the openvpn-as service files works .... the upstream community version (which we primarily support here) have brand new unit files, which is a vast improvement over those generic ones which tries to simulate the old rc.d scripts
15:40 < krav> well. here's the weird thing
15:40 < krav> it works on the other 2 hosts. which are also debian.
15:40 <@dazo> running openvpn-as?
15:40 < krav> yeah
15:40 < krav> and openvpn
15:40 < krav> well. one is just a gluster host
15:40 < Eugene> krav - you want the openvpn@connection-name units
15:40 < Eugene> Eg, for /etc/openvpn/foo.conf: `systemctl start openvpn@foo`
15:40 < krav> but same build of openvpn.
15:40 < Eugene> Also
15:40 < Eugene> !as
15:40  * Eugene pokes vpnHelper 
15:40 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
15:40 <@dazo> well, that's the oddity with this horrendously bad unit files .... works somewhere, but not alwasy
15:40 < Eugene> You want #openvpn-as
15:41 < krav> Eugene: for as yeah, but this is working with openvpn
15:41 < krav> as i'm using that to create a VPN between the hosts.
15:41 <@dazo> krav: if you are using openvpn-as .... #openvpn-as is the place to go
15:41 < Eugene> You mentioned AS. Is this AS or not?
15:41 < Eugene> We do not support AS
15:42 < krav> Eugene: i am building an openvpn AS cluster, which means i have to build openvpn (non-as) connections between hosts to encrypt glusterFS traffic (it's unencrypted by default)
15:42 <@dazo> if you use upstream openvpn, upgrade to v2.4.0 ... get the new unit files, and most of your struggles will be improved ... and if not, then grab me, as I've spent quite some time fixing those unit files upstream
15:42 < krav> my problem is getting the openvpn (non as) profiles with static keys working :)
15:42 < Eugene> I can't even begin to imagine what could go wrong by having AS and vanilla openvpn on the same box. Good luck
15:43 < Eugene> Doesn't mean that it will, just that it could and we're not in the business of troubleshooting weirdness like this. The AS people are - its their product
15:44 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
15:45 < krav> makes sense.
15:46 < krav> the problem is purely that in order to have a hot failover, you have to run glusterFS in that product.
15:46 < krav> and glusterFS isnt encrypted.
15:52 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
15:52 -!- mode/#openvpn [+o krzee] by ChanServ
15:54 < krav> but yeah. thank you for the help anyways.
16:07 < krav> alright. a bit more info, the profile won't actually work with systemctl start openvpn at all.
16:07 < krav> the one that wasn't starting.
16:07 < krav> hmmmm. will keep looking
16:09 <@dazo> krav: okay, so this is a client, using upstream openvpn against an openvpn-as server?
16:09 < krav> nope
16:09 < krav> it's a simple openvpn p-t-p connection
16:09 < krav> with a static key on both ends
16:10 <@dazo> ahh, okay ... is one of the sides running -as at all?
16:10  * dazo got a need to sort out the confusion
16:12 < krav> not in this connection whatsoever.
16:13 <@dazo> okay, good .... it will anyhow help tremendously if you manage to move up to openvpn v2.4 though ... Here's a file describing the new unit files (I'm trying to get that one into the upstream releases too) http://pkgs.fedoraproject.org/cgit/rpms/openvpn.git/tree/README.systemd?h=epel7
16:13 < krav> one is running -as, but it's running seperately on different ports.
16:13 <@vpnHelper> Title: README.systemd - rpms/openvpn.git - openvpn (at pkgs.fedoraproject.org)
16:13 <@dazo> okay, now things begins to make sense again
16:13 < krav> as a different service, it's not included in this connection at all
16:13 <@dazo> good
16:13 < krav> got it. I'm not sure debian will let me without custom compiling the package
16:15 <@dazo> the thing is that on Debian, they've added a "try to simulate rc.d/init.d script" approach for openvpn in systemd .... which depends on a lot of moving parts
16:15 < krav> and one of those is probably broken
16:15 <@dazo> so I've managed to get Debian, Fedora (and RHEL via EPEL), Arch and hopefully a few more have come along too ... to use the more fine grained approach as described in the URL above
16:16 <@dazo> now ... with 2.3 ... those unit files does not work as well as with v2.4 .... as 2.4 have been instrumented better for systemd integration
16:16 < krav> so 2.4 is a LOT better in terms of integration
16:16 <@dazo> yes
16:18 <@dazo> with 2.4, we use Type=notify .... where the openvpn binary calls sd_notify() which speaks "directly" with systemd about its current status ... and systemd is capable of tracking each tunnel independently
16:18 < krav> oh nice!
16:19 < krav> so you can get the 2.4 stuff in backports it looks like
16:19 <@dazo> and with a little extra systemd trick (systemctl edit openvpn-{client,server}@CONFIG ... you can even add possibility for systemd to automatically restart the openvpn tunnel if it dies unexpectedly
16:19 < krav> but nowhere else.
16:19  * dazo checks our own upstream Debian repos
16:20 < krav> at least for stable
16:20 <@dazo> http://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
16:20 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
16:21 < gehidore> problem resolved... lots of user error
16:21 < gehidore> failed to NAT the network bridge inside the server to the tun... and some other wildcards
16:21 < gehidore> cheers, thanks for the input!
16:40 < krav> dazo: upgraded to 2.4. fixed my problem
16:40 < krav> as a heads up, debian jessie is stuck on 2.3, so you may see people with similar issues again.
16:41 <@dazo> krav: yeah, most probably :/
16:42 <@dazo> but good to hear 2.4 worked :)
16:42 <@dazo> I can still claim it works better! ;-)
16:42 < krav> you can :)
16:43 < krav> now to make sure puppet gets updated properly
22:08 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:18 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:18 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Fri Jun 09 2017
02:29 < MeXIst3nZ> The authors of OpenVPN have a mental illness. They've got to, because there just is no way to make this worthless piece of shit connect automatically. I've wasted so much time on this now, following all sorts of shitty guides, searching, asking, trying, doing everything in my power to accomplish the most basic imaginable task. No. It's not possible. They have consciously made this impossible just to waste everyone's time and piss everyone off all
02:29 < MeXIst3nZ> day. This is how they get paid. Since it's free software, and nobody donates money, they get paid through sadism. Nobody on this planet could ever convince me otherwise. No other explanation adds up. It's just such an ULTRA-BASIC, crucial feature. It's not some "obscure edge case". It's truly the most fundamental feature that anyone could imagine. And it's not possible. Don't bother linking me to some guide -- I've tried them all. (Except the truly
02:29 < MeXIst3nZ> insane ones which involve numerous steps and scheduled tasks and shit like that -- I refuse to go through that out of principle.)
03:30 < Kyoshiro> hi !
03:31 < Kyoshiro> I'm having a routing problem with my openvpn setup (I think)
03:31 < Kyoshiro> I changed hosting and I decided to setup a KVM virtual machine in order to ease future change of hardware, and now my OpenVPN is a KVM guest behind a NAT
03:32 < Kyoshiro> my host has the public IP and masquerades 192.168.122.0/24 network for the VM
03:33 < Kyoshiro> my OpenVPN setup uses tun with 10.1.0.0/24 network, so I added masquerade rules for 10.1.0.0/24 too
03:33 < Kyoshiro> my client is able to connect to the VPN without trouble, but it can't access the internet, and when I use tcpdump on the host I can see the incoming packets but not the returning ones
03:33 < Kyoshiro> can anyone help me ?
03:41 < Kyoshiro> here is an extract of my KVM host's firewall and routes configuration http://paste.debian.net/hidden/046f5f61/
03:41 < Kyoshiro> there is no firewall on the guest
03:45 < Kyoshiro> I'm pretty sure I'm missing a route or something like that, I tried (shown in the pastebin) to add a route for 10.1.0.0/24 via 192.168.122.1 but well, doesn't seem to work
03:46 < Kyoshiro> (sorry if that's not the right channel to ask)
03:49 < Kyoshiro> also, if it's not recommended to run openvpn behind a NAT on a VM please tell me, I'll move it to the host instead
05:19 < MeXIst3nZ> Kyoshiro: Yeah... good luck getting help by these sadists. :/
05:19 < MeXIst3nZ> *from
05:21 <@ordex> Kyoshiro: it does not make any difference where you run the *client* as soon as it can reach the server
05:21 <@ordex> of course, NAT might affect performance, but this is a general statement with NAT that has nothing to do with openvpn
05:22 <@ordex> Kyoshiro: I haven't seen the problem statement - I was disconnected I think
05:22 < Kyoshiro> hi ordex
05:23 < Kyoshiro> I changed hosting and I decided to setup a KVM virtual machine in order to ease future change of hardware, and now my OpenVPN is a KVM guest behind a NAT, my host has the public IP and masquerades 192.168.122.0/24 network for the VM, my OpenVPN setup uses tun with 10.1.0.0/24 network, so I added masquerade rules for 10.1.0.0/24 too
05:23 < Kyoshiro> problem is : my client is able to connect to the VPN without trouble, but it can't access the internet, and when I use tcpdump on the host I can see the incoming packets but not the returning ones
05:24 < Kyoshiro> I know this is not really an OpenVPN issue, but most certainly a routing one, although if someone can help me it'd be great
05:24 <@ordex> Kyoshiro: is the server running on KVM ?
05:24 < Kyoshiro> yeah the openvpn server is on a KVM virtual machine
05:25 < Kyoshiro> I can connect with no trouble and get an IP etc, ping the VPN server IP but no internet access
05:25 <@ordex> can you paste the output of "ip route" "iptables -t nat -nL" "iptables -nL" and "ifconfig -a" when ran on the KVM ?
05:27 <@ordex> Kyoshiro: ^^
05:28 < Kyoshiro> http://paste.debian.net/hidden/fc757bee/ for ip routes and addresses
05:28 < Kyoshiro> there is strictly no firewall configured /iptables rules on the VM
05:29 < Kyoshiro> policy is accept for all and I echoed 1 in net.ipv4.ip_forward
05:41 <@ordex> Kyoshiro: the nat table should have something
05:41 <@ordex> no ?
05:41 <@ordex> otherwise where are you doing the masquerading ?
05:42 < Kyoshiro> it's empty, I'm doing it on the KVM host
05:42 < MeXIst3nZ> Why isn't there a simple checkbox in the GUI settings (which is ticked by default) which says something like "Autoconnect to last used VPN on start"?
05:42 < Kyoshiro> as for the filtering of allowed services, in the FORWARD table
05:42 <@ordex> Kyoshiro: is the output you gave me from the KVM or from the host system ?
05:42 < Kyoshiro> the routes and rules on the hosts are available here http://paste.debian.net/hidden/046f5f61/
05:43 < Kyoshiro> http://paste.debian.net/hidden/fc757bee/ is on the KVM guest, running OpenVPN
05:43 <@ordex> Kyoshiro: the masquerading must be done by the gateway, which in your case are *both* the KVM and the host
05:43 <@ordex> basically you have two layers of NAT right now that you have to configure
05:44 < Kyoshiro> so I should add masquerading for 10.1.0.0/24 using 192.168.122.10 on the KVM guest ?
05:44 <@ordex> one on the KVM (to allow vpn clients to get to the host) and one on the host (to allow everybody to get onto internet)
05:44 < Kyoshiro> I see, I'll try that
05:45 <@ordex> I don't know what "using 192.168.122.10" means, but yes, you have t add masquerading for 10.1.0.0/24 on the KVM
05:45 <@ordex> and make sure ip_forward is enabled on both
05:45 < Kyoshiro> for now other services like web server and email work fine
05:45 < Kyoshiro> yeah it is :)
05:45 < Kyoshiro> I'll try thanks
05:45 <@ordex> np
05:45 <@ordex> another thing might be to have NAt only on the host
05:45 <@ordex> and do plain routing (no NAT) between host and KVM
05:46 <@ordex> (maybe this is what you were tyring to do ?
05:46 <@ordex> it might be easier[tm]
05:46 < Kyoshiro> I think I have no choice as I have only one public IP in fact
05:47 <@ordex> that's fine
05:47 <@ordex> that's where you *must* do NAT
05:47 < Kyoshiro> I tried using bridged config but that was not possible iirc
05:48 <@ordex> routing, not bridging
05:48 <@ordex> you could tell the host where the 10.1.0.0/24 network is with a route
05:48 <@ordex> and the KVM should be able to forward those without NAT
05:50 < Kyoshiro> I see
05:51 < Kyoshiro> yeah that's what I tried to do adding a route on the host
05:53 < Kyoshiro> well, it works with masquerading on the VPN network on the KVM guest too
05:53 < Kyoshiro> thank you very much ordex
05:53 < Kyoshiro> I'll try later to use routing instead of NAT though, you're right could be better
05:55 < skyroveRR> Kyoshiro: substituting routing for firewalling will almost always leave behind a mess.
05:55 < Kyoshiro> why is that ?
05:56 < Kyoshiro> ah you mean it's better to use routing right ?
05:56 < skyroveRR> Yeah
05:57 < Kyoshiro> yeah of course, I just didn't know how to do that when using a KVM guest on another network, I'll have to read proper doc before ^^
05:57 < Kyoshiro> I'm not very well versed on routing
05:58 <@ordex> Kyoshiro: should be pretty easy as soon as you understand where are the networks and who is the gw to them
06:01 < Kyoshiro> yeah ok
06:01 < Kyoshiro> thanks for your help :)
06:17 <@ordex> np
06:34 < MeXIst3nZ> Why isn't there a simple checkbox in the GUI settings (which is ticked by default) which says something like "Autoconnect to last used VPN on start"?
06:49 <@ordex> MeXIst3nZ: which gui ?
06:50  * ordex does not use any gui
06:51 < MeXIst3nZ> ordex: ?
06:51 < MeXIst3nZ> The OpenVPN GUI.
06:51 < MeXIst3nZ> What else?
06:51 < MeXIst3nZ> Surely even non-Windows OpenVPN has a GUI?
06:51 < MeXIst3nZ> If not, that's even worse.
06:52 < MeXIst3nZ> Anyway... this is on Windows 10.
06:52 <@ordex> oh ok
06:52 < MeXIst3nZ> Why am I not getting through to anyone?
06:52 < MeXIst3nZ> Is this a parallell universe?
06:52 <@ordex> probably other people are busy doing other stuff :P
06:52 < MeXIst3nZ> Where automatic connect isn't a requirement for 100% of the users?
06:53 < MeXIst3nZ> But why do I even have to waste my time asking about this? Why is it even a problem?
06:53 < MeXIst3nZ> Why isn't that simple checkbox just available?
06:53 <@ordex> apparently nobody cared, I don't know
06:53 < MeXIst3nZ> How is it possible that nobody has thought to add this?
06:53 < MeXIst3nZ> So every single time when you start your computer, you want to click manually multiple times just to connect to the VPN?
06:53 <@ordex> you can open a feature wish on trac if you want
06:53 < MeXIst3nZ> ...
06:54 <@ordex> I don't use windows, so I don't know
06:54 < MeXIst3nZ> Has nothing to do with Windows.
06:54 < MeXIst3nZ> Has everything to do with OpenVPN.
06:54 <@ordex> openvpn is just a daemon, it depends on how the surrounding environment is configured
06:54 <@ordex> in my linux workstation openvpn starts just automatically
06:54 <@ordex> because of the linux init scripts
06:54 <@ordex> maybe windows has something similar ? I have no clue to be honest
06:55 < MeXIst3nZ> OpenVPN itself starts automatically, but it *doesn't connect to the VPN*.
06:55 < MeXIst3nZ> Again, it has zero to do with Windows.
06:55 < MeXIst3nZ> It has 100% to do with OpenVPN.
06:55 <@ordex> the openvpn client tries to connect when it is started
06:55 <@ordex> it is not a standalone software
06:55 < MeXIst3nZ> Clearly false.
06:55 <@ordex> you are mixing the gui with the client
06:55 < MeXIst3nZ> I'm not an insider developer. I'm a computer user who wants to use my VPN.
06:56 < MeXIst3nZ> And OpenVPN is somehow the industry standard.
06:56 < MeXIst3nZ> I don't really care about if the GUI window is internally thought of as a separate project.
06:56 <@ordex> sure, you can do whatever you want
06:56 < MeXIst3nZ> So... why doesn't it have a way to make it CONNECT when it starts?
06:56 < MeXIst3nZ> Why require me to manually do this every single time?
06:58 < skyroveRR> ... did you check services.msc, MeXIst3nZ ?
07:01 < skyroveRR> and msconfig also? did you try googling on how to autostart stuff on windows? you've been bitching around for the last 8 hours because you didn't have time to use a brain and google.
07:02 < skyroveRR> ordex: he's become renowned on ##networking for his behaviour.
07:03 <@ordex> mah
07:03 <@ordex> I wanted to help, but he does not want
07:04 < MeXIst3nZ> If you want to help so much, how come you don't type anything?
07:04 < MeXIst3nZ> I ask a simple question, but nobody is able to even understand what I mean.
07:04 < MeXIst3nZ> This has wasted so much of my time already. I don't expect this to be resolved.
07:08 <@ordex> MeXIst3nZ: your question is "why" - and I said I don't know why :)
07:08 <@ordex> what else can I do? and even if you understand why, how is that going to help ?
07:09 < MeXIst3nZ> ordex: To me, this is like walking into a store where the doors have to be opened manually by each customer, with a crank thing, to enter the store.
07:09 <@ordex> MeXIst3nZ: maybe this is the prblem. this is not a store, this is an open source project, run by volounteers
07:09 <@ordex> *ran
07:10 < MeXIst3nZ> ordex: It just doesn't add up.
07:11 <@ordex> uhm
07:11 <@ordex> ok
07:11 <@ordex> feel free to do something to improve it
07:12 < MeXIst3nZ> ordex: I'm trying to imagine millions of people who wake up each day, turn on their computers and then manually remember to click several times and wait for the OpenVPN GUI to connect to the VPN, because it doesn't do it automatically.
07:12 < MeXIst3nZ> I cannot imagine this being the case, so I must be missing something.
07:12 < MeXIst3nZ> (I don't trust the custom clients made by VPN companies.)
07:13 < skyroveRR> ... did you open services.msc utility, MeXIst3nZ ?
07:13 < havoc> krzee has told him to use services many times, and has kicked him many times
07:14 < havoc> you both are wasting your time
07:14 < skyroveRR> Hmm.
07:14 < MeXIst3nZ> "use services"?
07:14 < MeXIst3nZ> When hovering the concisely named options in the OpenVPN GUI settings, there is no information as to what they mean.
07:14 < MeXIst3nZ> Same goes for searching on their site and on the web.
07:15 < MeXIst3nZ> Where is the "[ ] Auto connect" checkbox? What "services" are you talking about?
07:15 < skyroveRR> *sigh*
07:16 < skyroveRR> havoc: want some beer? :)
07:16 < havoc> skyroveRR: a bit too early for me (07:00 here)
07:16 < skyroveRR> :)
07:17 < MeXIst3nZ> Still waiting for a single reply to this.
07:17 <@ordex> MeXIst3nZ: keep on waiting :P
07:17 < havoc> ^^^^ a reply
07:17 < MeXIst3nZ> ordex!*@* added to ignore list.
07:17 < MeXIst3nZ> Asshole.
07:17 <@ordex> :D
07:17  * ordex is safe now
07:17 < MeXIst3nZ> OpenVPN = broken piece of shit.
07:18 -!- ordex is now known as ordex2
07:18 <@ordex2> MeXIst3nZ: just don't use it
07:18 -!- ordex2 is now known as ordex
07:19 < MeXIst3nZ> As if there's an alternative, you dumb idiot.
07:19 < MeXIst3nZ> And even if there were, I would still want to know why this is.
07:19 < MeXIst3nZ> Because it's bizarre.
07:24 < rob0> MeXIst3nZ, enough.  Nobody is interested in your trolling.  The door is over there --> do you need help getting to it?
07:25 -!- mode/#openvpn [+o rob0] by ChanServ
07:25 -!- mode/#openvpn [+q MeXIst3nZ!*@*] by rob0
07:25 < skyroveRR> :)
07:25 <@rob0> I thought we were +r here or something
07:26 <@rob0> oh, he has an account
07:26 < skyroveRR> How hard is it to run "services.msc" in the run window...
07:26 -!- mode/#openvpn [+b $a:MeXIst3nZ] by rob0
07:27 < skyroveRR> rob0: :D
07:27 <@rob0> MeXIst3nZ, by now, don't bother coming back.
07:27 -!- MeXIst3nZ was kicked from #openvpn by rob0 [gone]
07:27 -!- mode/#openvpn [-o rob0] by ChanServ
07:28 < rob0> ordex, sorry, I just have had enough of that worthless troll.
07:28 < rob0> You deserved the fun of kicking him.
07:30 < rob0> skyroveRR, :)
07:31 <@ordex> np :)
07:53 < |Mike|> yay, no more trolls <3
07:56 < skyroveRR> rob0: hopefully the whining in your pm hasn't started...
08:11 < rob0> He whined.  He was ignored. :)
08:14 < Aviv> Hello all - I have setup OpenVPN with the following setup: OpenVPN server: 172.2.8.2 with DG 172.2.8.1. Once I connect from WAN everything fine. Now, when I change the DG to 172.2.8.100 (man-in-th-middle machine, one of our product features) - I can the following error: Connection reset, restarting [-1]' SIGUSR1[soft,connection-reset] received, client-instance restarting'
08:15 < Aviv> any ideas what am I doing wrong?
08:16 < Aviv> I can telnet port 9443, but no reply
08:17 < DArqueBishop> Aviv: it would help if we could see your configs/logs.
08:17 < DArqueBishop> !configs
08:17 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:17 < DArqueBishop> !logs
08:17 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
08:17 < DArqueBishop> Aside from that, I'm not sure I understand what you're saying. Are you trying to change the default gateway on the clients to 172.2.8.100, or the server?
08:18 < DArqueBishop> In other news, I see I missed the troll.
08:18 < rob0> :D
08:19 < rob0> yeah, likewise, not sure what you're doing with this DG change
08:20 < Aviv> Well, what I am trying to do is when a user connect to OpenVPN will surf thru 172.2.8.100 and not thru 172.2.8.1 which is the default gateway of our network
08:22 < DArqueBishop> Aviv: in that case, you'll need to do some firewall magic to direct such traffic from the VPN network to 100.
08:22 < Aviv> What I am trying to establish is Company B will connect to our OpenVPN and will surf thru our MITM machine... tried many method, failed everytime
08:33 < czart__> Hey guys, could I provide access for clients through their public keys? (similarly as it is done in SSH) Currently, I generate certificate/keys for each client on a server and copy this data to a client. For increased security, I protect the keys with a password.
08:35 < rob0> ideally the user would generate her OWN key, send the CA a CSR, and the CSR is signed by the CA to produce a certificate
08:35 < mrtnt> I used an OpenVPN client in corporate environment and received bunch of routes which were installed in my PC. I was able to access hosts in those networks. Now I added an additional route to 8.8.8.8/32 via the same gateway and tun0 interface, but looks like traffic to 8.8.8.8 got blackholed. Is there an OpenVPN server configuration option which allows through only traffic destioned to networks/routes which
08:35 < mrtnt> were initially defined in OpenVPN server?
08:35 < rob0> (then there is no secure transfer needed)
08:36 < rob0> czart__, anyway, you are more or less describing the default mode of operation of openvpn
08:36 < Aviv> how can I do source-route override in OpenVPN?
08:36 < |Mike|> ehh mrtnt.... 8.8.8.8 == Google's public DNS.
08:37 < |Mike|> Use an RFC1918 address, might be easier ;-)
08:37 < |Mike|> Using*
08:37 < Aviv> ignore the subnet
08:37 < Aviv> will be changed
08:40 < mrtnt> |Mike|: it shouldn't matter which destination network I use. Without "ip route add 8.8.8.8/32 via 10.10.10.1 dev tun0" I was able to ping 8.8.8.8. Once I added this host route, I was no longer able to ping 8.8.8.8.
08:42 < mrtnt> |Mike|: this made me wonder, am I allowed to manually add network to OpenVPN tunnel. Looks like I'm not. Is is possible to configure this in OpenVPN server, i.e one could do "ip route add <any_ip> via 10.10.10.1 dev tun0" and it would simply go through the tunnel.
08:43 < Aviv> I am using OpenVPN OVF - where can I find server.conf? can't find it anywhere :)
08:43 < czart__> rob0: many thanks, I will attempt follow the way you indicated. In fact, I am a CA so I will be able to sign CSR and produce the final certificate.
08:44 <@ordex> mrtnt: maybe the problem is that o nthe server side, such traffic is not allowed?
08:45 <@ordex> maybe on the server side the admin has enabled only some networks to be forwarded
08:46 < |Mike|> Might be a better solution to contact the network admin imho
09:03 < DArqueBishop> OVF?
09:03 < DArqueBishop> Is this an Access Server thing?
09:04 <@dazo> DArqueBishop: doesn't ring a bell here
09:05 < DArqueBishop> dazo: I didn't think standard OpenVPN provided appliances.
09:05 <@dazo> it might be some appliance providers have licensed OpenVPN AS
09:06 < mrtnt> ordex: I'm pretty sure that the problem is on the server side. I was simply wondering is there an "forward-only-installed-routes" option or something similar in OpenVPN server which prohibits OpenVPN server to forward traffic to manually added routes.
09:06 < DArqueBishop> I should say, VM appliances.
09:06 <@ordex> mrtnt: ah ok
09:07 <@dazo> DArqueBishop: in that case .... https://openvpn.net/index.php/access-server/overview.html
09:07 <@ordex> no there is nothing in this case (where the server is the GW)
09:07 <@vpnHelper> Title: Access Server Overview (at openvpn.net)
09:07 < DArqueBishop> mrtnt: it sounds less like "problem on the server side" and "deliberate behavior configured by the network administrator".
09:07 < DArqueBishop> s/and/and more/
09:14 < mrtnt> DArqueBishop, ordex: in short, there are OpenVPN servers which might allow clients to install manually additional routes besides the ones received from the server?
09:14 <@dazo> yes
09:17 < DArqueBishop> mrtnt: yes, but on the other hand if the routing on the server side doesn't support your routes, then your manually added routes would not work.
09:20 < DArqueBishop> I should also point out a non-technical consideration: if I was your corporate network admin and found out that you were trying to bypass the company DNS servers without permission, I'd be more than a little peeved and would have a few words with your supervisor.
09:54 < mrtnt> dazo, DArqueBishop: thanks!
10:11 -!- mode/#openvpn [+vvv |Mike| DArqueBishop Eugene] by krzee
10:11 -!- mode/#openvpn [+v _FBi] by krzee
17:04 <+Eugene> I have an interesting OpenVPN(I think?) issue. I have two pfsense machines, one server and one client. I can dump the configs if it matters, but this is a more conceptual problem
17:05 <+Eugene> Both ends have a LAN behind them. On the server's end there is a RADIUS server. The client's end has a WiFI Access Point(Unifi, but again, not important) that is attempting to do auth to the backend server, over the tunnel
17:06 <+Eugene> TCP and ICMP taffic works great. RADIUS(UDP) traffic does not
17:07 <+Eugene> In tcpdump, I can see the UDP packet leave the WAP, enter the client-pfsense, goes out the ovpnc1 interface. It comes in the ovpns1 interface, out em1, all that is happy
17:08 <+Eugene> The RADIUS Response packet follows the reverse path: into the server-pfsense, out the ovpns1 interface. But here's where it gets weird. The packet going out the door has a size of 1470. The packet coming in the door on the client either is truncated down to ~90 bytes, or doesn't appear at all
17:08 <+Eugene> I /suspect/ that this is a MTU problem, but I have a dozen other pfsense clients running the same config for different sites, no problemo
17:09 <+Eugene> Another possibility is the Internet in between(this site is out in the woods; DSL uplink), but I would expect to see more randomness in the packet loss
17:09 <+Eugene> The truncation is particularly odd, and I honestly don't know where to go from here. Ideas?
17:10 <+Eugene> I can give tcpdump output, but I may need to cleanse crypto keys from it(stupid radius)
17:29 < sielicki> !welcome
17:29 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
17:29 < sielicki> !goal
17:29 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
17:29 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:33 < sielicki> On a desktop linux system acting as an openvpn client, I'd like to have the openvpn client run in the default network namespace, and have the tun interface be moved into another network namespace. This way I can run other applications inside that namespace and contrain them to different routes than my default namespace.
17:33 < sielicki> I've naively tried moving the tunnel interface into another namespace, but this breaks openvpn as it loses track of the interface and panics.
17:36 < sielicki> If this isn't currently possible in openvpn, I wonder if it would be possible to have two executables, basically just break-off the portion of openvpn that is tracking the tunnel interface. You could have them communicate over a unix socket. Then you could place one in the default namespace, one in the isolated namespace, and get this done without any kind of nat, etc.
17:37 < sielicki> constrain*
17:51 <@krzee> sielicki: sorry i dont understand your goal, what do you mean by namespace?
18:03 < sielicki> krzee: namespaces are a new-ish kernel feature (since 3.0 or so) that abstracts away a portion of the kernel and makes it look like an isolated instance, hidden away from the global resource. (paraphrasing from man page)
18:03 < sielicki> Better explanation here: http://man7.org/linux/man-pages/man7/namespaces.7.html
18:03 <@vpnHelper> Title: namespaces(7) - Linux manual page (at man7.org)
18:04 < sielicki> So if you create a network namespace, every process operating inside that namespace doesn't see anything else outside of it (from a network perspective).
18:04  * krzee tags in rob0 and Eugene
18:04 <@krzee> unfortunately since i dunno namespaces i wont be of much help
18:04 <@krzee> i assume one of those 2 i just pinged know more than me about it
18:04 < sielicki> You do not need to isolate everything at once, though. So docker, LXC, systemd-nspawn, etc... These tend to isolate everything at once. The filesystem, the network, pids, /etc/passwd, etc.
18:05 <@krzee> sounds like a network jail
18:05 <@krzee> never heard of it tho
18:05 < sielicki> But you could choose to just isolate the network. So among two process, they might see the same filesystem as the other, but would see different network interfaces and routes.
18:05 <@krzee> interesting
18:06 < sielicki> It's kind of like a freebsd jail, though I'm not sure that freebsd jails allow you to selectively choose mix and match namespaces like that?
18:07 < sielicki> "selectively-choose/mix-and-match"*
18:08 < sielicki> I'm about to make a 2 hour drive, so I won't be here for a bit. But my bouncer will make sure I see any response. Thanks krzee.
18:31 <+Eugene> sielicki - honestly I don't even fuck around with namespaces or cgroups or any of this new linux shit. Sorry krzee overestimates my competence
18:31 <+Eugene> I really do not think that the implemetnation is any good from a security perspective. I don't trust linux that fr
18:31 <+Eugene> far
19:08 < nicokil> hello
19:09 < nicokil> Can someone help me setup vpn server / vpn client ?
19:09 < nicokil> I did the whole setup but its not working but it is connected without errors
19:16 <@dazo> !welcome
19:16 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
19:16 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
19:16 <@dazo> meh
23:18 < tiny> I'd like to ignore DNS from server. Look like i need to use this option but where do I put it into a client file? Using network manager ... pull-filter ignore "dhcp-option DNS"
23:24 < sielicki> Eugene: hey no worries. It's a question that is probably better suited for a mailing list anyway.
23:24 < sielicki> It's been seen that user namespaces are definitely a big problem from a security standpoint. So your worries are justified.
23:25 < sielicki> I think that network namespaces are a bit less complicated though, fwiw I trust the implementation.
23:27 < sielicki> Just to elaborate on it, the reason I'd be interested in such an ability is that any program ran with `ip netns exec openvpn-namespace <program>` would abstract away the routing table from that program.
23:28 < sielicki> so the only route they would see is the routes on the tun interface.
23:29 < sielicki> Whereas in a normal openvpn setup, you're going to still have a route in your table for a few things, maybe your lan, definitely the server you're connecting to, etc. Using namespaces would ensure that programs would not be able to use those routes.
23:30 < sielicki> Have you guys heard of the wireguard project? One cool thing about their in-kernel setup is that you can move the wireguard interface to another namespace, and because it's in-kernel nothing breaks. So you essentially can create the wireguard tunnel in the default namespace, move it to its own network namespace, and get the results described above
23:31 < sielicki> I just wonder how openvpn could accomplish the same results. One approach is to use a separate executables like I described earlier. There's probably a more elegant way to do it though.
23:31 < sielicki> sorry for the wall of text.
23:35 < tiny> Can i ignore DNS servers pushed from openvpn server on a linux client?
23:42 < sielicki> tiny: by default I don't think openvpn touches resolv.conf. What distribution are you using?
23:42 < tiny> mint
23:42 < tiny> sielicki: I think network-manager is doing it.
23:43 < sielicki> tiny: I was just about to ask you if you were using network-manager. :)
23:43 < sielicki> are you configuring openvpn connections via the networkmanager openvpn addon?
23:43 < tiny> well unfortunately yes ... one day i'm going back to good'ol shell scripts
23:43 < tiny> sielicki: yes, i imported them
23:44 < sielicki> I believe theres an option somewhere in there about DNS. I don't personally use networkmanager so I can't check for you.
23:44 <+Eugene> Meh, not like anybody else is saying anything. Wall o' text away! I do on occasion
23:44 < tiny> sielicki: what do you use?
23:45 < sielicki> I just use plain dhcpcd
--- Day changed Sat Jun 10 2017
00:07 <+Eugene> !ubuntu
00:07 <@vpnHelper> "ubuntu" is dont use network manager to configure your vpns! get it working via commandline and then import to network manager if you want to use it.
00:16 < tiny> i did import it!
00:16 < tiny> i just can't figure out what option to use to disable DNS push from server.
00:28 <+Eugene> Good, good.
00:28 <+Eugene> I don't know that you can with Network Manager. Its kinda like that.
00:37 < skyroveRR> Now Mexinist3nz is terrorising ##networking :(
07:06 < zx2c4> hey sielicki glad you like the namespace stuff
07:06 < zx2c4> in wireguard i mean
07:06 < zx2c4> btw if you or anyone else wants some wireguard stickers -- https://lists.zx2c4.com/pipermail/wireguard/2017-May/001338.html -- im mailing them for free
07:06 <@vpnHelper> Title: I will mail you WireGuard stickers (at lists.zx2c4.com)
07:08 < zx2c4> heres the whole writeup on the network namespace stuff -- www.wireguard.io/netns/
07:08 < zx2c4> various useful topologies with it
07:23 < ert67> Hello servere config:  https://pastebin.com/aCn5wMPe  client config: https://pastebin.com/gEvbuEd6
07:24 < ert67> Trying to setup a very basic OPENVPN tunnel to my server, tired many config changes, this is latest based off of docs.
07:29 < rob0> does either of those include "verb 4" logs?
07:32 < ert67> They do not, i imagine theuy should?
07:36 < ert67> rob0, from client using --verb 4 flag
07:36 < ert67> https://pastebin.com/GWUnCqKR
07:37 < ert67> Now from that last line it seems like it should be working, i beleive, but again I'm not usre
07:37 < ert67> real sure
07:38 < ert67> Except this glaringly obvious issue my eyes never seemed to see before: Sat Jun 10 06:27:04 2017 us=890313 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
14:34 < skrp> is there a difference between tunnel encrypted traffic vs file encryption via openssl?
14:36 < skrp> certain ppl say that over X number of gb vpn traffic can been decrypted as the tunnel is more obfuscation, but I can't manage to find the code and/or resource to research it
15:25 < sielicki> zx2c4: didn't realize you were idle here, haha. Wireguard is really shaping up to be something awesome.
15:26 < sielicki> big fan of password store as well. Cool that your post was a headline on this weeks lwn as well.
15:36 < zx2c4> sielicki: glad you like them!
15:36 < zx2c4> indeed i idle in here
15:36 < zx2c4> ive actually read everyline of openvpn
21:32 -!- krzie [ba06014b@openvpn/community/support/krzee] has joined #openvpn
21:32 -!- mode/#openvpn [+o krzie] by ChanServ
22:31 < hubot> recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=115)
22:31 < hubot> I can't connect to OpenVPN through socks proxy
22:32 <@krzie> can other apps connect through it?
22:32 < hubot> Yes
22:33 <@krzie> whats your socks server software say about it?
22:33 <@krzie> like, logs
22:35 < hubot> tor
22:36 < hubot> openvpn --config xxx.ovpn
22:39 <@krzie> oh ive never tried running openvpn over tor
23:13 < hubot> Makefile:674: recipe for target 'crypto.o' failed
23:13 < hubot> I can't compile OpenVPN from source
--- Day changed Sun Jun 11 2017
05:14 < hubot> Sun Jun 11 12:06:04 2017 [*.opengw.net] Inactivity timeout (--ping-restart), restarting
07:12 < skyroveRR> hubot: ?
07:56 <@ordex> hubot: maybe you should provide the full log
07:56 <@ordex> hubot: you are running openvpn over tcp, aren't you ?
09:13 <@krzee> ordex: you just made me realize just how bad that should be... openvpn over tcp over horribly lagged tcp (tor)
10:34 < gtt> I launched an openvpn server like this: sudo openvpn --dev tun1 --ifconfig 10.9.8.1 10.9.8.2
10:35 < gtt> and then did this on the client: sudo openvpn --remote foo.com --dev tun1 --ifconfig 10.9.8.2 10.9.8.1
10:35 < gtt> the connection worked, but what kind of configuration is this? I know it is not recommended as it is both without tls and authentication
10:36 < gtt> but for my purposes today, it works. Now I'm wondering how can I actually route my traffic through it
10:37 < BtbN> probably an unencrypted unauthenticated one
10:44 < gtt> nss
12:40 < hubot> ordex: https://paste.debian.net/971041/
12:40 < hubot> config file: https://paste.debian.net/971042/
12:56 <@krzee> hubot: can you set the config to verb 5, and then repost the config without the comments and blank lines, and the log with verb 5
12:57 <@krzee> omg and NEVER post the <key> info
12:57 <@krzee> i recommend changing that now
12:57 <@krzee> you just gave out access to your vpn man
12:58 <@krzee> (i have a feeling that i'll see your problem with verb 5)
13:02 < hubot> https://paste.debian.net/971047/
13:08 <@krzee> hmm weird, you're reading from tun but dont seem to be writing to it
13:08 <@krzee> almost like some sort of routing issue or something?
13:09 <@krzee> can i see your routing table before and after starting openvpn?
13:09 <@krzee> like before starting, and after connection is successful (before it disconnects)
14:02 < nalecz> !welcome
14:02 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
14:02 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
14:50 < hubot> I haven't internet connection in OpenVPN
18:21 <@krzie> hubot: right, read above where i asked you to show your routing table before and after connecting with openvpn
22:33 < CRCinAU> so with 2.4.2, is auth token still broken?
23:24 < CRCinAU> it seems that I still get the original password back to my auth-user-pass-verify script instead of the token that was sent via 'push "auth-token blah"'
--- Day changed Mon Jun 12 2017
03:59 <@dazo> CRCinAU: did you send a question regarding this to the user-ML?
04:03 < CRCinAU> ah.
04:03 < CRCinAU> dazo: yes, yes I did.
04:03 <@dazo> okay, then I don't need to explain once again :)
04:03 < CRCinAU> I replied back... but SF mailing lists are soooooo sloooooowwwww
04:04 <@dazo> yeah ... we're pondering to replace it with something else, but such things takes time
04:04 < CRCinAU> So the client config is generated by the NetworkManager plugin for openvpn...
04:04 <@dazo> hmmmmm
04:04 <@dazo> which distro are you on?  which version of NM?
04:04 < CRCinAU> I'm using Fedora 26
04:04 < CRCinAU> ummm lemme grab a version
04:04 <@dazo> okay, that's fairly recent NM version
04:05 < CRCinAU> NetworkManager-1.8.0-4.fc26.x86_64
04:05  * dazo is also doing openvpn package maintenance for Fedora + Fedora EPEL
04:05 < CRCinAU> plasma-nm-openvpn-5.9.5-1.fc26.x86_64
04:05 < CRCinAU> ^^ for KDE
04:05 <@dazo> right
04:05 < CRCinAU> so my question was - is there a way to verify if its using the auth-nocache?
04:05 < CRCinAU> and can it be told not to?
04:06 <@dazo> ps faxuww | grep openvpn :)  NM-openvpn actually imports the openvpn config and puts it into some storage of its own ... and re-generates the config on the command line, with the additional tweaks needed for NM integration
04:07 < CRCinAU> hrrmm
04:07 < CRCinAU> lemme see
04:07 <@dazo> and ... NM adds --auth-nocache
04:08 < CRCinAU> hah
04:08 < CRCinAU> yum
04:08 < CRCinAU> err yup
04:08 < CRCinAU> --auth-nocache
04:08 <@dazo> I'll send an e-mail to the NM-openvpn developer and see how this can be fixed
04:08 < CRCinAU> I spent ages wondering what the hell I was doing wrong when I was setting a token, but getting the OTP back on a reneg
04:09 < CRCinAU> but I wonder.....
04:09 < CRCinAU> doesn't --auth-nocache imply it forgets the password too?
04:09 < CRCinAU> or am I misunderstanding?
04:10 <@dazo> yes, it does ... because NM does the password caching/storing (using keyring daemon)
04:10 < CRCinAU> ahhhhhh... S.O.A.B ;)
04:10 < CRCinAU> so now I properly understand the problem.
04:11 <@dazo> NM have improved vastly over the last few years .... but it often steps too much on the toes of OpenVPN, which hits so many various VPN configurations in odd ways
04:11 < CRCinAU> so its not that openvpn is remembering it and discarding the token.
04:11 < CRCinAU> its that it discards both token and password.
04:12 <@dazo> yes
04:12 < CRCinAU> but when openvpn does a reneg, it goes "HEY FOO, GIMME YOUR PW!" - which is fed by NM to openvpn and away we go on the reneg...
04:12 <@dazo> correct
04:13 < CRCinAU> frigging light-bulb moment.
04:13 <@dazo> --auth-nocache is currently quite ugly ... I can apply the fix we have in a scratch build, so you can test that .... but I'd like to have this fixed independently in NM too
04:14 < CRCinAU> yeah - so the logic fix is along the lines of.... if client has a auth-token provided, and auth-nocache is specified, forget the password but keep the token... or simply replace password with token and tell the auth-noconfig part to piss off ;)
04:15 <@dazo> the latter one is the one which we've chosen :)
04:15 < CRCinAU> makes sense....
04:15 < CRCinAU> so the other part is that this is purely a client side issue...
04:15 < CRCinAU> I'm more than happy to test the fix if you have a client build for F26 I can try.
04:16 <@dazo> correct, which is why I'm thinking this should be fixed in NM too ... as this hits everyone running anything older than a future v2.4 release with this fix
04:16 < CRCinAU> I've spent the best part of a day cursing at the boogeyman ;)
04:16 <@dazo> thx!  I need 30-40 minutes or so, and I'll have something ready for you
04:17 < CRCinAU> I've been set for months with reneg disabled - but finally had the motivation to try and fix that....
04:18 < CRCinAU> plus, somewhat happy to contribute my yubikey script to contrib if it all works as well
04:18 <@dazo> that'd be cool! .... I've been wanting to write a proper yubikey plug-in for openvpn ... just haven't had time for it
04:18 < CRCinAU> honestly, it was the easy part ;)
04:19 < CRCinAU> but its a auth-user-verify whatever it is script
04:19 < CRCinAU> just looking for a smart way to generate the token that makes it really hard to figure out
04:19 < CRCinAU> am I right in assuming you can't push a new token to the client as part of the reneg?
04:21 <@dazo> That is something I have never really tested, in theory there shouldn't be anything holding back that ... but the hard thing is to figure out how to make openvpn re-issue another round of PUSH_REQUEST/PUSH_REPLY
04:22 < CRCinAU> cos that would be uber-nice ;)
04:22 < CRCinAU> just sayin' ;)
04:22 <@dazo> yeah, I know :)
04:22 < CRCinAU> then you could also roll over the token on a reneg
04:23 < CRCinAU> Sorry - I'm the type of guy that gives people awesome ideas that then ends up taking months of their lives as things get implemented ;) LOL
04:23 <@dazo> I was thinking about that for the --auth-gen-token feature too ... but the initial attempts failed badly, so it was put on the "later release" list :)
04:24 < CRCinAU> well, tbh... I'm not sure how the auth-gen-token part works.... but that not working is what started me down this path
04:24 <@dazo> and I wanted to enable this possibility also for scripts and plug-ins too
04:24 < CRCinAU> but its probably mostly redundant if auth-gen-token works.
04:25 <@dazo> auth-gen-token is a band-aid for auth-scripts/plugins not implementing pushing auth-tokens .... so when --auth-gen-token is enabled, the server itself will push the auth-token ... and never call the auth script/plugin again until it fails or the token have expired
04:25 < CRCinAU> *nods*
04:25 < CRCinAU> I like the idea... but 1) it needs to be a somewhat unique token - as token mishandling = pwned VPN :P
04:26 <@dazo> the proper place to have auth-token is in auth plugins/script ... as then you can do the session/account accounting (restrict how long users can be connected, how much data to push, connect hours, etc)
04:26 < CRCinAU> See, I'd also like a way to know if I'm handling an initial connection or a renegotiation....
04:26 < CRCinAU> it seems the environment is the same between both
04:27 <@dazo> that's a good idea actually
04:27 < CRCinAU> such as: 'script_context' => 'init'
04:27 < CRCinAU> ^^ but that's on a reneg
04:27 <@dazo> well, actually you can already do that
04:27 <@dazo> or ....
04:27 <@dazo> I think you can do some tweaks with --setenv in the auth plugin/script .... when you prepare the auth-token
04:28 < CRCinAU> I didn't find anything in the environment that was different between the initial and reneg stages....
04:28 <@dazo> But I need to dive in the env code paths to be fully sure if it or if it won't work
04:28 <@dazo> with --setenv ... you can set env variables yourself
04:29 < CRCinAU> but I think I'm going to do some special handling to try and make the same script handle both client-connect (to generate the token) and auth-user-pass-verify (for authentication)
04:29 <@dazo> that makes sense
04:33 < CRCinAU> also... is there a list of exit codes for scripts to do stuff?
04:33 < CRCinAU> or is it purely 0 / 1 ?
04:33 <@dazo> it's currently only 0/1
04:33 < CRCinAU> ie 0 = success, 1 = failed?
04:33 < CRCinAU> ok
04:33 <@dazo> correct
04:34 < CRCinAU> it would be nice to be able to do a "2 = terminate connection" which cleanly closes the link etc etc
04:34 < CRCinAU> andh maybe others
04:34 < CRCinAU> otherwise with UDP etc, you end up with half open links for a while
04:35 <@dazo> well, yeah ... that's kinda hard with SSL/TLS ... if the failure is in the TLS layers ....as then there exist no link between client and server where such a "trusted" message could be communicated
04:35 < CRCinAU> hrrrrm
04:36 <@dazo> until the TLS layer have been established, the client is completely untrusted by the server ... as there have not been any kind of authentication or session key exchange
04:38 < CRCinAU> dammit
04:38 < CRCinAU> now I'm re-writing my yubikey script
04:40 <@dazo> :-P
04:41 <@dazo> I've been working on a brand new Linux client using the new OpenVPN 3 code base .... I'm at the fourth attempt now, and finally it seems to take a good shape :)
04:41 < CRCinAU> see, when I know what the problem was, I can write code properly instead of having shit together.
04:41 <@dazo> :)
04:45 < CRCinAU> ok - complete rewrite of the YubiKey code.... lets see how bad I screwed up
04:48 < CRCinAU> LOL
04:48 < CRCinAU> openvpn[29791]: Yubikey Authentication failed with OK
04:48 < CRCinAU> ummmmm... ok? ;)
04:49 <@dazo> hahaha ... that's .... interesting! :)
04:50 <@dazo> sounds like something the Japanese could answer to "Can you trust me?"  .... "Yes, I cannot trust you"
04:50 < CRCinAU> regex fuckup ;)
04:51 < CRCinAU> ok - that works.....
04:51 < CRCinAU> I was checking m/status=(.*)/ - but I think that included at least \n on the end...
04:52 < CRCinAU> changing to m/status=(/w+)/ is happier
04:53 <@dazo> :)
04:53 < CRCinAU> So that's the yubikey part written......
04:53 < CRCinAU> now for the client-connect parts....
04:53 <@dazo> Almost done with the local F26 builds ... if it passes local mock build, I'll send it to the Fedora builders as a scratch build
04:56 < CRCinAU> so for the token......
04:56 < CRCinAU> it doesn't really matter what it is, as long as its reproducable?
04:57 <@dazo> yes, correct ... and preferably unique across sessions
04:57 < CRCinAU> I guess that kind of rules out using crypt for it
04:57 <@dazo> hashes will work
04:57 < CRCinAU> so as this is kind of a new area for me.....
04:57 <@dazo> auth-gen-token actually takes 256 bits of randomness and encodes that as base64
04:58 < CRCinAU> what's the difference between a hash an a hmac whatever?
04:59 < CRCinAU> ie salt + data vs hmac data + secret
04:59 <@dazo> okay, simply said ... a hash is basically just a one-way "encoding" of various data into a fixed length output ... the length and how to come to that result is defined by the algorithm
04:59 <@dazo> hashes are always identical when the input is the same
05:00 < CRCinAU> cos what I'm thinking... so make it somewhat less likely to get insecure tokens......
05:00 <@dazo> HMAC adds a "signature" on a hash ... so when both sender and receiver have a shared key, they can authenticate the hash as "I can trust this hash"
05:00 < CRCinAU> hmmm - so hmac preferred over hash...
05:02 <@dazo> and then there is the salt .... that is to make the hashes different, even if the input is identical ... so what's commonly happening here is that you do generate a salt, appends data and hashes it.  Then you take the salt + the hash and preservers that as the output to be used
05:02 < CRCinAU> dazo: are you a perl guy by chance? :P
05:02 <@dazo> the receiving side receives the salt+hash, extracts the salt ... and does a new hash with the data in question together with the salt ... appends the salt, and the output should be identical
05:03 <@dazo> CRCinAU: I still have deep scars after I had to implement some recurring invoicing 13-14 years ago .... still trying to recover
05:03 < CRCinAU> hhahahaha
05:03 < CRCinAU> but I can run code by you for comment? :)
05:03 <@dazo> yeah, I can at least give it a shot :)
05:04 < CRCinAU> https://paste.fedoraproject.org/paste/ZA2ML0dmJJkd644InmNnGA
05:05 < CRCinAU> trying to figure out a way to gather at least some unique factors without having to set manual 'secrets' in the code
05:07 <@dazo> right ... you will need to do some caching somewhere .... perhaps using some of the IP address/port variables + $username ... put the data into a file in /var/cache with a strict umask
05:08 < CRCinAU> but won't those values be the same every time?
05:08 < CRCinAU> unless the users IP changes or the server restarts?
05:09 <@dazo> the IP/port will be identical for each client ... there's also tls_digest env variables carrying the certificate fingerprint values which are unique
05:10 < CRCinAU> ah - I don't use certs - so I probably don't get that
05:10 <@dazo> ahh
05:10 <@dazo> you need some unique identity of each client ... and save the auth-token (or to be able reproduce to generate the token value)
05:11 < CRCinAU> or use values that don't change unless an abnormal event happens - which in that case the connection breaks anyway
05:12 < CRCinAU> this is a good sign too:
05:12 < CRCinAU> openvpn[29791]: Validating YubiKey input for username
05:12 < CRCinAU> openvpn[29791]: Yubikey Authentication failed with status: REPLAYED_OTP
05:12 <@dazo> you could extract some static values from ifconfig on the tun/tap interface(based dev env variables) ... openvpn pid ... grab a few more of those, and you have a somewhat weak key which in this case should be reasonably okay
05:12 <@dazo> yeah
05:13 <@dazo> https://koji.fedoraproject.org/koji/taskinfo?taskID=19992472 ... here's an openvpn build with the auth-nocache+auth-token fix
05:13 <@vpnHelper> Title: buildArch (openvpn-2.4.2-2_ovpn1.fc26.src.rpm, x86_64) | Task Info | koji (at koji.fedoraproject.org)
05:13 < CRCinAU> awesome.
05:13 < CRCinAU> let me finish the token part here - then I'll grab it
05:13 <@dazo> :)
05:13 < CRCinAU> then at least if the auth fails - but I see a token.... job done...
05:14 <@dazo> :)
05:15 < CRCinAU> hahahah
05:16 < CRCinAU> encode_base64 is putting in a new line at 80 chars.....
05:16 < CRCinAU> that'll screw everything.
05:17 < CRCinAU> yay
05:17 < CRCinAU> that works perfectly :D :D
05:22 < CRCinAU> ok - so installing that package on my laptop
05:24 < CRCinAU> ok - token sent......
05:25 < CRCinAU> hrrrm
05:25 < CRCinAU> I still get the OTP back....
05:26 < CRCinAU> dazo: can I PM you for a minute?
05:48 < CRCinAU> ok
05:48 < CRCinAU> dazo: even with that update, I still get the OTP back....
05:56 <@dazo> CRCinAU: hmmmm .... that's odd ... can you see anything in the client log?
06:00 < CRCinAU> client log shows: auth-token received, disabling auth-nocache for the autnetication token
06:00 < CRCinAU> excuse the typos :)
06:16 < alexandre9099> hi, i'm trying to configure ovpn on arch linux (server and client), but when connecting to server i get " write to TUN/TAP : Invalid argument (code=22)"
06:17 < alexandre9099> the connection is completed ( Initialization Sequence Completed) but then i get that error
06:18 < alexandre9099> this on client
08:05 < BtbN> does your kernel have tun support?
08:11 <+hyper_ch> alexandre9099: is it a vps?
10:05 < Elvanor> Hello. I am trying to setup a VPN between a client in a 192.168.0.x LAN (behind a router) and a server that has a direct connection to the internet
10:05 < Elvanor> I made progress, but now the client cannot ping anything outside of the server, and in the server log I have: Mon Jun 12 10:17:50 2017 us=149340 client1/95.165.131.184:49091 MULTI: bad source address from client [192.168.0.3], packet dropped
10:05 < Elvanor> lots of line like this
10:06 < Elvanor> 192.168.0.3 is the IP of the client, on its LAN
10:35 <@dazo> Elvanor: the LAN you try to reach ("behind a router") ... is that router the VPN client?
10:43 < Elvanor> dazo: yes
10:44 < Elvanor> well, to be precise, I have a PC behind a router. That's the PC the VPN client
10:44 < Elvanor> Not the Router.
10:45 <@dazo> okay .... so you need to do a few things here
10:45 <@dazo> first, you need to add iroute in a CCD file on your server
10:45 <@dazo> !clientlan
10:45 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
10:45 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
10:45 <@dazo> that describes most of that
10:47 < Elvanor> Looks complex :-)
10:47 <@dazo> then ... in addition, as your VPN Client is on the router itself .... on the _router_  you must add a new routing entry .... which ensures packets from your LAN (192.168.0.0/2, I presume) _to_ your server LAN gets routed _via_  your VPN client
10:47 < Elvanor> What's strange is that I cannot even ping the server
10:47 <@dazo> Elvanor: well, VPNs are complex
10:47 < Elvanor> dazo: no, the VPN client is NOT on the router itself
10:48 <@dazo> right, I was missing the "NOT" in my statement
10:48 <@dazo> you still need that route on your router
10:48 < Elvanor> why?
10:48 < Elvanor> it seems to me that from the point of view of the router, all it sees is traffic to 10.100.0.5
10:49 < Elvanor> which is translated to the remote IP of server
10:50 <@dazo> so a packet comes from your VPN server's LAN ... say IP 172.16.2.2 .... tries to ping 192.168.0.40 .... the VPN server picks up that packet,sends it to your VPN client, and that client sends that packet on the client LAN and hits 192.168.0.40 just fine.   Then .40 responds, but don't know where that one should go, so it sends it to the default gateway.  Your default gateway (router) doesn't know this IP address either, so it sends it out on the
10:50 <@dazo> Internet
10:50 <@dazo> so you need what is called a return route on the default gateway, which says that packets going to 172.16.2.0/24 needs to go via your VPN client
10:51 <+DArqueBishop> I might be wrong, but I think Elvanor was saying the client couldn't connect to anything other than his server and that was his issue. He didn't say anything about needing to access the client LAN from other clients.
10:51 < Elvanor> DArqueBishop: indeed, I dont need that
10:51  * dazo re-reads everything once again
10:52 < Elvanor> (my bad: I can currently ping the server from the client0
10:52 < Elvanor> it's pinging everything else (like ping www.apple.com) that fails
10:52 <+DArqueBishop> Elvanor:
10:52 <+DArqueBishop> !redirect
10:52 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
10:52 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
10:52 < Elvanor> I've added that to the server file: push "redirect-gateway def1 bypass-dhcp"
10:52 <@dazo> yes, that sounds more plausible
10:53 <@dazo> why adding bypass-dhcp?
10:53 < Elvanor> if I understood correctly, that creates the necessary routes on the client
10:53 < Elvanor> dazo: no idea, I copied and pasted that
10:53 <@dazo> !blog
10:53 < Elvanor> I guess this is not necessary
10:53 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
10:53 <@dazo> correct ... bypass-dhcp is seldom needed
10:53 <@dazo> it's written by fools
10:53 <@dazo> !howto
10:53 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
10:54 <@dazo> #3 covers what you need to know about setting up a VPN, and it tries to explain why you need the various options and how they work
10:54 < Elvanor> ok I removed it
10:54 < Elvanor> iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp1s0 -j MASQUERADE
10:54 < Elvanor> this is what I ran on the server
10:55 <+DArqueBishop> Is 10.100.0.0/24 your VPN subnet?
10:55 <+DArqueBishop> Also, did you enable IP forwarding in the kernel?
10:55 <+DArqueBishop> !linipforward
10:55 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
10:56 < Elvanor> brithombar openvpn # cat /proc/sys/net/ipv4/ip_forward
10:56 < Elvanor> 0
10:56 < Elvanor> damn
10:56 < Elvanor> looks like I found the problem
10:56 < Elvanor> I think iptables should have complained on that command then...
10:56 < Elvanor> instead of silently accepting it
10:56 < Elvanor> let me enable it
10:57 < skyroveRR> lol
10:57 <@dazo> ip_forward have nothing to do with iptables
10:57 < skyroveRR> Openvpn will not babysit for everything, Elvanor
10:57 <@dazo> both are needed, but have different responsibilities
11:17 < systest> I have multiple VPN endpoints and I don't want to maintain separate CA/Certs for each.  Is there a mechanism to decide WHICH certs are allowed to access a VPN (other than "revoking" those that shouldn't be there?)
11:53 < Elvanor> I am now trying to setup OpenVPN on another client (a NAS, not my own computer). OpenVPN is unfortunately started with --route-noexec, is there a way I can override that in the config file?
12:50  * systest answers their own question
12:50 < systest> looks like tls-verify opiton will allow me to do what I want
12:53 < systest> or possibly `verify-x509-name <name> <type>`
13:30 < PipeItToDevNull> how do I begin troubleshooting network issues. I can connect to my VPN just fine, and local resources such as the ZNC (which functions fine) but I cannot leave that network (ping 8.8.8.8 goes nowhere)
13:31 < bezaban> your default gateway would be your 'exit'
13:31 < bezaban> it's route related
13:36 < PipeItToDevNull> My client is using 10.8.0.5 as its gateway
13:38 < PipeItToDevNull> If the server is .1 should that not be the gateway for the clients?
14:21 -!- skyroveRR_ is now known as skyroveRR
14:52 < PipeItToDevNull> Ok. Neither the client nor the server can ping this mystery .5, but they can ping eachother. Can I force the gateway to be .1 or is that not how it is supposed to work?
14:57 < datarecal> !welcome
14:57 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
14:57 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
14:58 < datarecal> !goal need to fix our openvpn setup
14:59 < datarecal> anyone have any idea on where I can start to diagnose this : https://paste2.org/4sd1GKzW it was working perfectly yesterday now this is what i am getting in the client
16:11  * tga_ reads the topic and wonders whether his problem is really the firewall
20:41 <@krzee> anybody here looking for help?
20:41  * krzee just popped in
21:47 < justinitguru> Hello, anyone up for a question?
21:52 <@krzee> !ask
21:52 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
21:59 < justinitguru> Im using OpenVPN as a client and server on the same machine. I need the clients that connect to the server to see the routes on the eth0 interface on the machine
22:00 < justinitguru> so that i can see the remote client network. I have tried pushing the routes,
22:38 <@krzie> justinitguru: what do you mean by client and server on same machine, you mean that the client connects to some other machine, right?
22:38 <@krzie> and if so, then does that client redirect its internet over that vpn?
22:39 <@krzie> no matter what the answer to those, im sure you will want to read this:
22:39 <@krzie> !route
22:39 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
22:41 < justinitguru> correct
22:42 < justinitguru> no, the client does not redirect
22:42 < justinitguru> i setup the client to connect to another Openvpn server to provide network to network
22:42 <@krzie> ok cool then as long as it doesnt use a conflicting subnet it wont be a problem
22:42 < justinitguru> then on each of those networks, i set manual routes to see the other network
22:42 < justinitguru> that it working for me
22:43 < justinitguru> but now i need the server to show the routes to the mobile clients for that distant network
22:43 <@krzie> where is "the distant network" ?
22:44 <@krzie> is it behind a client?
22:45 <@krzie> i may need some sort of diagram to understand your goal
22:45 <@krzie> !diag
22:45 <@krzie> !diagram
22:45 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
22:45 < justinitguru> Network1 (Home-Openvpn-server1) - 172.16.0.0/24  is client that connect to Network2 (Datacenter-Openvpn-server1) - 10.20.35.0
22:45 <@krzie> oh you are trying to do vpnchains
22:46 <@krzie> you need to master an understanding of this writeup:
22:46 <@krzie> !route
22:46 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
22:46 <@krzie> when you understand that well enough, you can do your vpnchains
22:46 < justinitguru> on Home-OpenVpn-server1 i also have a sever setup
22:46 < justinitguru> ok, ill read it now
22:46 < justinitguru> thanks
22:46 <@krzie> np
22:47 <@krzie> !vpnchains
22:48 <@krzie> https://secure-computing.net/wiki/index.php/OpenVPN/VpnChains
22:48 <@vpnHelper> Title: OpenVPN/VpnChains - Secure Computing Wiki (at secure-computing.net)
22:48 <@krzie> i made that writeup, it wont show you how to do it, cause that is simply a strong understanding of !route, but you may find it interesting
22:51 < justinitguru> ok this is great
22:51 < justinitguru> my router is 172.16.0.1, i assumed it would use the routes from the router
22:52 < justinitguru> the openvpn server on 172.16.0.4 is using the default route .01
22:52 < justinitguru> push "redirect-gateway def1 bypass-dhcp" doesnt pass the routes?
22:55 <@krzie> that sets the default gateway
22:55 <@krzie> i thought you werent doing that?
22:58 < justinitguru> i am for the Server side of Home-Openvpn-server1
22:59 <@krzie> as long as you're setting your routes right i think it should be fine, but maybe you'd be smart to disable that while getting the more complex stuff working
22:59 <@krzie> you shouldnt really be relying on default route for the vpnchain stuff anyways
23:00 <@krzie> but id still say not to make it more complex than it needs to be while trying something new
23:02 < justinitguru> im making a quick map
23:17 < justinitguru> i sent you a pm
23:23 <@krzie> you still need a mastery of !route
23:23 <@krzie> if you beat that page into your head you can do your vpnchains
23:23 < skyroveRR> !route
23:23 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
23:36 < justinitguru> thanks, with that guide i understand now. I was able to get it working
23:36 < justinitguru> and learned alot in the process
23:39 <@krzie> good job =]
23:39 <@krzie> may i ask what the issue ended up being?
23:39 <@krzie> curious what my doc helped you with ;]
23:40 < justinitguru> Did you see the network map?
23:40 <@krzie> i did
23:42 < justinitguru> on the datacenter openvpn server, i added - route 10.9.0.0 255.255.255.0
23:43 < justinitguru> for the mobile vpn LAN on the Home openvpn server
23:43 < justinitguru> then under the cdd file i added iroute 10.9.0.0 ""
23:43 <@krzie> ahh yes the iroute got ya
23:44 <@krzie> you got it fast, well done
23:44 <@krzie> i had to snoop in source to figure that out :D
23:45 < justinitguru> on the home Openvpn
23:45 < justinitguru> im not pushing any routes
23:46 < justinitguru> no cdd configs
23:47 < justinitguru> its just using the routes i have set in the network router
23:47 < jmanfatty> !welcome
23:47 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
23:47 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
23:48 < jmanfatty> !1925
23:48 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
23:48 < jmanfatty> !ovpnuke
23:48 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
23:49 < jmanfatty> !poodle
23:49 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has, or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
23:49 < jmanfatty> !heartbleed
23:49 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl, or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised., or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected., or (#4)
23:49 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed, or (#5) http://xkcd.com/1354/
23:49 < jmanfatty> !sweet32
23:49 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
--- Day changed Tue Jun 13 2017
00:02 <@krzie> !security
00:02 <@vpnHelper> "security" is (#1) "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview, or (#2) see !wrench, or (#3) https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements for security announcements
06:33 <+hyper_ch> krzee: https://blog.torproject.org/blog/tor-browser-70-released
06:33 <@vpnHelper> Title: Tor Browser 7.0 is released | The Tor Blog (at blog.torproject.org)
06:51 < aditsu_> hi, how can I solve "CRL has expired"? I use easy-rsa
06:57 <@dazo> aditsu_: you need to regenerate the CA .... in your easy-rsa $KEY_DIR directory, run: openssl ca -gencrl -out crl.pem -config "$KEY_CONFIG"
06:57 <@dazo> you might want to tweak the default_crl_days= settings in your openssl-*.cnf file though
06:57 <@dazo> (default is 30 days)
06:58 <@dazo> $KEY_CONFIG should point at your proper openssl-*.cnf .... you'll get that by sourcing ./vars
06:59 <@dazo> ecrist: as I'm poking at easy-rsa-2 stuff in the Fedora/EPEL packages .... is easy-rsa 3 production ready?  Should I update the Fedora packages to use this new version?
07:00 < aditsu_> dazo: thanks.. this stuff should be better documented/announced and made easier to fix
07:00 <@ecrist> dazo: for Linux it should be fine.
07:00 < aditsu_> so by default it will barf again in 30 days? pfft
07:00 <@ecrist> I need to repackage the windows release as it's missing some binaries.
07:00 <@dazo> aditsu_: well, easy-rsa 2 is fairly horrendous ... hence we have a newer version 3 out there
07:01 <@dazo> aditsu_: but .... easy-rsa is just one of many alternatives .... I personally prefer xca for doing certificate management ....
07:02 < aditsu_> hmm, looks like I have an easy-rsa that used to come with openvpn.. now it's a separate package, but I don't have that installed
07:03 < aditsu_> anyway, let me fix openvpn first using your instructions
07:05 < aditsu_> dazo: you said "regenerate the CA", I guess you meant CRL?
07:05 <@dazo> yeah
07:05 <@dazo> sorry!
07:06 < aditsu_> no worries :)
07:08 < aditsu_> wow, I just realized I have a newer crl in the key dir, that openvpn probably doesn't know about >_<
07:09 < aditsu_> 140471560263320:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:584:line 150
07:10 <@dazo> aditsu_: that's why we've moved away from openvpn's former built in CRL parser/checker and rather use the CRL code base inside the SSL/TLS libraries ... too little error checking
07:11 < aditsu_> the error refers to a line from the config file: organizationalUnitName_default = $ENV::KEY_OU
07:12 <@dazo> did you remember to source ./vars?
07:12 < aditsu_> yes
07:12 < aditsu_> I don't have a KEY_OU though
07:13 < aditsu_> is that the problem?
07:13 <@dazo> checking the openssl configs now
07:15 < aditsu_> same problem with KEY_CN
07:15 <@dazo> sounds like vars have not been sourced to me
07:15 <@dazo> . ./vars
07:15 < aditsu_> they're not defined in vars
07:16 < aditsu_> what should KEY_CN be? the server name?
07:16 <@dazo> yeah
07:17 <@dazo> have a look at revoke-full .... that's where I extract the CRL generation
07:17 <@dazo> and it explicitly sets:
07:17 <@dazo>     export KEY_CN=""
07:17 <@dazo>     export KEY_OU=""
07:17 <@dazo>     export KEY_NAME=""
07:19 < aditsu_> oh! so it was not about vars then
07:19 < aditsu_> and I can make them all empty, great
07:20 <@dazo> yeah, seems so .... you need ./vars though to get $KEY_CONFIG
07:20 <@dazo> (but you can extract that too from ./vars)
08:25 <+hyper_ch> krzee: https://www.schneier.com/blog/archives/2017/06/security_flaws_1.html
08:25 <@vpnHelper> Title: Security Flaws in 4G VoLTE - Schneier on Security (at www.schneier.com)
09:09 < coreyo> !welcom
09:09 < coreyo> !welcome
09:09 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
09:09 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
09:12 < coreyo> !route
09:12 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
09:15 < alexandre9099> !goal 'have internet access trough openvpn'
09:16 < alexandre9099> !goal
09:16 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:16 < alexandre9099> hmm, ok
09:16 < alexandre9099> !interface
09:16 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6), or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn', or (#4)
09:16 <@vpnHelper> For Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
09:20 < coreyo> I have a little mini PC that I'm using as a router.  I have an openvpn set up at the router-level over my entire lan.  However, I'd like to exclude my media boxes from using the VPN so that netflix, hulu, etc. will still work.  Is there a way to specify that a range of IP addresses should be routed to the default gateway instead of the VPN tunnel?  Ideally, having an automatic way to configure this client/router side would be best.
09:28 < coreyo> It was suggested in a forum post that I could add something like this to the server side: push "route 10.10.3.224 255.255.255.224 net_gateway".  Is that correct, and could that be instead implemented on the client config?
10:10 < _Maik_> hello thery, Im searching for a solution to get a failover ip on top of multiple openvpn connections to work
10:19 < SipriusPT> Hello guys
10:21 < SipriusPT> I have a OpenVPN server where I am trying to force all client generated traffic through the tunnel
10:21 < SipriusPT> but when they are connected
10:21 < SipriusPT> they are only able to comunicate with the remote lan where the server is
10:21 < SipriusPT> DNS is working weel
10:21 < SipriusPT> well
10:22 < SipriusPT> but cannot reach the destination
10:22 < SipriusPT> and I siriusly dont know why
10:23 < SipriusPT> have already search for identical simptoms but till now no success with those solutions
10:23 < SipriusPT> anyone knows what can cause this sort of problem?
10:43 < coreyo>  SipriusPT I'm here for help as well, but you might try looking at your routing table on both the client and the server as well as double check that ip forwarding is enabled and that masquerading is set up properly if you're connecting at the router level.
10:48 <@ordex> coreyo: is openvpn client running on the mini-PC ?
10:48 <@ordex> is the mini-PC the lan GW for all your devices?
10:54 < coreyo> ordex, yessir to both
10:55 <@ordex> coreyo: then the clients will just send all the packets to the miniPC/GW - there is not much else they can do
10:55 <@ordex> it's the GW/miniPC that should set up some exception
10:55 < coreyo> ordex, I think that I may have found a working solution, although I'm not sure if it's the best.  In my iptables script I have the following (enp3so is my WAN interface):
10:55 <@ordex> like some policy routing (just an example)
10:56 < coreyo> -A POSTROUTING -s 10.10.3.224/27 -o enp3s0 -j MASQUERADE
10:56 < coreyo> -A POSTROUTING -s 10.0.0.0/8 -o tun0 -j MASQUERADE
10:56 < Eugene> !redirect
10:56 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
10:56 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
10:56 <@ordex> uhm
10:56 < coreyo> then in my router's client opvn configuration, I have inserted the following line: route 10.10.3.224 255.255.255.224 net_gateway
10:56 < Eugene> SipriusPT - flowchart ^
10:57 < coreyo> that SEEMS to be working for now, although I haven't thoroughly tested it
10:57 <@ordex> coreyo: does it really work ?
10:57 < coreyo> netflix is working on my roku, and ipleak is showing my other devices as having the vpn IP
10:57 <@ordex> do you see packets from 10.10.3.224/27 going out enp3s0 (instead of tun0)?
10:57 < Eugene> coreyo - you need policy routing to do what you're asking
10:58 <@ordex> yeah I agree with Eugene
10:58 < coreyo> sure, any links that might have an example?
10:58 < Eugene> !lartc
10:58 <@ordex> !policyrouting
10:58 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
10:58 <@ordex> tjhere you go :P
11:00 <@ordex> I wonder how old is this article..I remember reading on lartc when I was really young :D
11:00 < coreyo> ordex, Eugene, thanks, I need to run, but I'll take a look when I get back from the gym.  Thanks for your help.
11:04 < SipriusPT> thanks coreyo, from server I am able to ping from it to internet
11:04 < SipriusPT> I have openvpn installed in pfsense
11:04 < SipriusPT> there is an option to ping from each interface
11:05 < SipriusPT> at windows
11:05 < SipriusPT> give me a min to paste it here
11:06 < SipriusPT> at windows is where is the user
11:06 < SipriusPT> pfsense is in one router
11:06 < SipriusPT> just to clarify
11:11 < SipriusPT> here is the table but I need some help to interpret/debug: https://prnt.sc/fjbcfo
11:12 <@vpnHelper> Title: Screenshot by Lightshot (at prnt.sc)
11:13 < SipriusPT> what you mean with masquerading coreyo?
11:13 < SipriusPT> I have access to all the intranet where the server is
11:14 < SipriusPT> this is being done from windows 10 user to pfsense router openvpn server
12:00 < ponky> hello, is it possible to route traffic between multiple server instances (two separate servers running on a single machine)
12:01 < ponky> with one server i can use client-to-client and route traffic with iroute, but is that possible if i run multiple servers ?
12:03 < ponky> well, i can do that with linux routing tables, but i'd prefer to do it with openvpn config
13:47 < coreyo> Eugene, ordex, what would be the difference between my original solution: "route 10.10.3.224 255.255.255.224 net_gateway"  and the proposed solution in the lartc link?
13:47 < coreyo> ip rule add from 10.10.3.224/27 table novpn
13:47 < coreyo> ip route add default via 10.10.3.1 dev enp3s0 table novpn
13:47 < coreyo> ip route flush cache:
13:47 < coreyo> novpn being the routing table that I created
15:34 < ExoUNX> what's the best way to route "all" internet traffic over openvpn
15:35 < ExoUNX> but keep some ports accessible on the original IP?
15:36 < Eugene> ponky - sure, you just need to have different VPN subnets for each server. Thats common for balancing setups
15:36 < ponky> Eugene: i do
15:37 < Eugene> openvpn doesn't care if you use openvpn to talk between the servers or a vanilla LAN with routes
15:38 < Eugene> coreyo - I don't know what you're doing in that route line offhand?
15:38 < ponky> i have 10.0.0.0/24 for routers (.1 is the openvpn) and 10.0.1.0/24 for clients, if i add iroute 10.20.0.0/24 for router1 in ccd, the route does not get added
15:39 < ponky> but if i do ip rou a 10.20.0.0/24 via 10.0.0.2  then it works
15:39 < ponky> i thought iroute should do that automatically?
15:39 < Eugene> You need route for the whole-server config, and then an iroute to identify the client that route belongs to
15:40 < ponky> ye i have added route 10.20.0.0 255.255.255.0 in server.conf
15:40 < ponky> but still nothing
15:40 < coreyo> Eugene, the idea is to take all machines assigned  IP 10.0.3.224 - 10.0.3.255 and route their traffic through the WAN gateway rather than the VPN tunnel (tun0 with gateway 10.8.0.1)
15:40 < ponky> 10.0.1.0 and 10.0.0.0 are different openvpn instances
15:40 < ponky> one is udp one tcp
15:40 < Eugene> coreyo - yeah, thats a textbook application of policy routing
15:42 < coreyo> Eugene, what's the difference between the the two routing policies that I pasted?  At first glance, they seem to do the same thing to me, however I can't seem to get the one on the example page that you linked to work
15:42 < Eugene> Well, "route" isn't a routing policy.... and ip rule is?
15:43 < Eugene> The two things you are talking about are completely different, so I don't understand the question
15:45 < ExoUNX> or is it possible to redirect just ethernet adapter?
15:45 < ExoUNX> just one ethernet adapter*
15:46 < Eugene> !routebyapp
15:46 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination., or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
15:46 <@vpnHelper> policies you set. For Linux, read about !lartc
15:46 < ExoUNX> I have 1 IPv4 address that's being redirect by the VPN, but I still want SSH accessible over the original IP...
15:46 < Eugene> Do your redirect-gateway through a SOCKS proxy over the VPN, or do policy routing
15:47 < coreyo> ExoUNX, if you're looking for specific browser-based services like netflix or hulu, you can use a browser-based proxy setup
15:50 < ExoUNX> SOCKS should be adequate
15:52 < coreyo> Eugene, ahh, I see my mistake in the routing rule.  I've got a little subnet behind my local lan that I'm using as a test pocket.  I had the wrong subnet in the configuration.  If I want this to be automatic when the vpn client connects on the router, would all of this go into a script called with the 'up' parameter in the client opvn config?
15:52 < Eugene> That's a good place for it
15:53 < coreyo> Eugene, do you know offhand if a configuration can have multiple up statements, or do they all have to be placed into a bash script and called together?
15:53 < Eugene> I believe just one
15:53 < Eugene> But that is something I haven't tested
15:54 < coreyo> Eugene, okay, thanks for your help.  I've already spent a couple of days on this.  Good to have it figured out.
15:55 < ExoUNX> is there documentation or a guide on the SOCKS -> OpenVPN Client
15:56 < coreyo> ExoUNX, the SOCKS would bypass the VPN altogether as a separate entity
15:56 < Eugene> !socks
15:56 < Eugene> Guess not
15:56 < ExoUNX> !underwear
15:56 < ExoUNX> darn
15:56 < coreyo> you could set one up locally at the router level, or you could set on up on the same node running your VPN server, however the latter requires special software like dante, iiuc
16:00 < ExoUNX> can'
16:00 < ExoUNX> can't seem to find any relevant info over google
16:01 < coreyo> something like this: https://www.google.com/search?q=setting+up+a+socks+server+on+linux&oq=setting+up+a+socks+server+on+linux&aqs=chrome..69i57j69i65l2j69i60l3.3751j0j7&sourceid=chrome&ie=UTF-8
16:01 <@vpnHelper> Title: setting up a socks server on linux - Google Search (at www.google.com)
16:02 < coreyo> likewise, you could set up a tinyproxy server on your router to do basic VPN bypassing
16:07 < ExoUNX> ty
16:08 < ExoUNX> talk to you tomorrow
16:17 < ponky> Eugene: route 10.20.0.0 255.255.255.0   in server.conf and     iroute 10.20.0.0 255.255.255.0     in ccd/router1
16:17 < ponky> that should work?
16:18 < ponky> there's also ifconfig-push 10.20.0.2 255.255.255.0  before iroute in ccd file
16:19 < ponky> ifconfig-push 10.0.0.2 255.255.255.0 *
16:19 < ponky> packets get forwarded out via def gw unless i set ip rou a 10.20.0.0/24 via 10.0.0.2
16:27 < ponky> i guess it's not working because the clients are under different openvpn process
16:27 < ponky> and iroute does some in-process routing because i dont see any rules added to routing tables
16:34 < ponky> ah, route needs gateway as well, so iroute is not enough :)
17:03 < coreyo> Eugene, one last question, do you happen to know if there's a way to get linux network manager to reconnect if the vpn server goes down and comes back up?  I'm not sure if it's not connecting, or if it's just taking a long time to do so.
17:03 < Eugene> Yeah, don't use network manager ;-)
17:04 < coreyo> Eugene, how about the openvpn client itself?
17:05 < Eugene> See --keepalive in the man page
17:09 < coreyo> Eugene, this can be specified in the server and client configs as an alternative to commandline params?
17:10 < Eugene> !--
17:10 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
17:10 < coreyo> Eugene, that's handy.  Thanks.
17:28 < elricsfate> Hello all
17:28 < elricsfate> Having some real difficulties here
17:28 < elricsfate> Spinning up an OpenVPN instance within AWS. Ubuntu Client, Ubuntu based Server.
17:28 < elricsfate> When connected to the VPN I am able to access the local network on AWS. On my client I am not able to access the internet AT ALL even when using IP addresses
17:29 < elricsfate> Is there anything in particular I can look at here?
17:31 < Eugene> !redirect
17:31 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
17:31 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
17:31 < Eugene> elricsfate - flowchart ^
17:31 < rob0> and see also /topic
17:32 < Eugene> Random uninformed best guess: AWS VPC has funny NAT stuff.
17:32 < elricsfate> I believe I have already configured many of the things you're referring to
17:32 < elricsfate> push DNS for example has been configured and Iptables rules for masquerading have been configured
17:33 < elricsfate> https://paste.fedoraproject.org/paste/ZbShM5A5ACPZwFD3Yg0jUg
17:33 < elricsfate> that's my server.conf
17:33 < rob0> "push DNS"? --dhcp-option is Windows-only, unless you're using some kludge
17:35 < elricsfate> https://paste.fedoraproject.org/paste/1E0No-xrQU1xZQT9Zv7~fA
17:35 < elricsfate> Forwarding and masquerading setup there
17:35 < elricsfate> along with my IPv4 rules
17:35 < elricsfate> it's not just DNS that is the issue rob0
17:35 < elricsfate> I'm unable to access the internet at all from the client
17:36 < datarecal> hey everyone, having issues i switched openvpn to listen on 1194 and greped a netstat is it supposed to show 0.0.0.0:1194 i tried to telnet in as well and that didnt work
17:36 < elricsfate> Let me double check on NAT but I think I have that too
17:37 < datarecal> i keep getting tls handshake fail but nothing on the server side of the logs or anything. been trying to fix this for 2 days. Everythign was working until we rebooted the server
17:37 < elricsfate> https://paste.fedoraproject.org/paste/RPyFbxNw4LrPAVcJd-iJyQ
17:37 < elricsfate> This is the client
17:37 < elricsfate> !NAT
17:37 <@vpnHelper> "NAT" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
17:40 < elricsfate> !linat
17:41 < elricsfate> !linnat
17:41 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
17:41 < elricsfate> Is there something worth checking on the VPC/Subnet that might be wrong rob0 Eugene ?
17:42 < elricsfate> Because I ran the above command
17:42 < Eugene> `iptables-save` & https://vomitb.in
17:42 < rob0> toss a -c on that
17:43 < elricsfate> on what rob0 ?
17:43 < rob0> vomit bin?
17:43 < rob0> iptables-save -c
17:43 < Eugene> I enjoy purchasing silly domains
17:43 < rob0> haha
17:45 < elricsfate> mmm
17:45 < elricsfate> One second
17:48 < elricsfate> Well I found one issue
17:48 < elricsfate> Probably with my cloudformation script
17:48 < elricsfate> Causing some rules to not be loaded
17:48 < elricsfate> I'll be back
17:48 < datarecal> should netstat -ltnup show 0.0.0.0:1194 or should it be the public facing ip address
17:56 < elricsfate> Alright guys I checked and made sure all my rules were imported and ran my masquerade rule again, it's still not working
17:56 < elricsfate> Either DNS or IP access
17:56 < elricsfate> https://paste.fedoraproject.org/paste/6E24L0vwIZNvKVc1HytWZg
17:58 < elricsfate> I've gone through the flow chart and I'm stuck. I have amde sure that everything up to "is nat enabled" is actually enabled
17:58 < datarecal> I do get this in my logs is this something : UDPv4 link local (bound): [undef]
17:59 < datarecal> here is the full bootup from the log : https://paste2.org/Ma0sHUjd
18:03 < elricsfate> It says I might have a firewall issue if I have everything enabled but even flushing the Iptables rule.
18:03 < elricsfate> I'm looking at my network ACLs on AWS and they allow everything
18:04 < elricsfate> In the security group assigned tot he VPN, all outbound traffic is allowed
18:04 < elricsfate> There is nothing else I know to look at, is there any further guidance you guys can give? I'd really appreciate it.
18:07 < Eugene> `iptables -L -t nat`
18:07 < rob0> that wasn't iptables-save -c
18:08 < Eugene> Eh I take what I can get
18:08 < elricsfate> I can do that but it didn't output anything rob
18:09 < elricsfate> https://paste.fedoraproject.org/paste/m8AuwFKo3BNBDCrMwPw6Nw Eugene
18:10 < Eugene> It doesn't, unless you use sudo ;-)
18:10 < rob0> if it didn't output anything, then you wouldn't see anything for iptables -L
18:10 < Eugene> Which you did there
18:11 < Eugene> Yeah, need the full iptables-save output
18:11 < elricsfate> https://paste.fedoraproject.org/paste/GzN0eeGI1Cz1sIfYfrLimQ Eugene
18:11 < Eugene> Oh yay
18:11 < Eugene> Annnnd whats `ip addr show say
18:12 < Eugene> `ip addr show`
18:12 < Eugene> I have a guess, but I want to wait to know for sure
18:12 < rob0> forwarding not enabled
18:12 < Eugene> My money is on your default device not being eth0
18:13 < rob0> see the filter/FORWARD chain counters
18:13 < elricsfate> rob0: How can I check if it's currently active?
18:13 < Eugene> What does `ip addr show` say
18:13 < rob0> !ipforward
18:13 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
18:13 < elricsfate> Because catting out the file that it's in shows it's enabled net.ipv4.ip_forward=1
18:13 < Eugene> And no, I don't think its that. See how he has a counter in POSTROUTING's table, but not the rules that would match
18:13 < elricsfate> Nope. It's eth0 Eugene
18:13 < rob0> !linipforward
18:13 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
18:14 < Eugene> It wouldn't get to POSTROUTING if ipforward was off? I think
18:14 < rob0> even if forwarding is enabled, it's not happening
18:14 < Eugene> cat the /proc it talks about
18:14 < Eugene> sysctl only applies at boot
18:14 < Eugene> sysctl.conf*
18:14  * elricsfate face palms intensely
18:14 < elricsfate> You're right
18:14 < elricsfate> I enabled it after reboot but NOT before rebooting
18:14 < Eugene> rob0++
18:15 < elricsfate> Good call rob0
18:15 < elricsfate> Let me test now
18:15 < rob0> Hmmm.  I thought the !redirect flowchart mentioned IP forwarding.
18:15 < Eugene> It does, but his checking was based on a bad assumption
18:16 < Eugene> And now I need to go re-read a man page, because apparently the counters in itpables-save dont' work how I thought
18:16 < Eugene> Heh
18:16 < rob0> packet:byte
18:16 < Eugene> Yes, but /where/ ;-)
18:17  * elricsfate sighs heavily
18:17 < elricsfate> Good call rob0
18:17 < elricsfate> Works great rob0
18:17 < rob0> with -c they are dumped per rule; without -c, only per built-in chain
18:17 < elricsfate> As Eugene mentioned it was a misunderstanding on my part
18:17 < rob0> good, yw
18:17 < elricsfate> I actually know that's how proc and permenance works but forgot in my frustration
18:18 < Eugene> !beer
18:18 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
18:21 < elricsfate> Thanks again gents
18:32 <+_FBi> I'm having a water.  these coors light are garbage
19:05 < datarecal> rob0 any chance you could help me out
19:45 <@krzee> datarecal: i dont see your problem in the scroll
19:45 <@krzee> !goal
19:45 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:58 < datarecal> hey krzee i did the goal yesterday ill do it again
20:58 < datarecal> !goal find out why openvpn is complaining about a tls handshake error, openvpn was working had to reboot the server and it stopped working
20:58 < datarecal> https://paste2.org/4sd1GKzW
21:00 < datarecal> https://paste2.org/dX7cZvw3 full server startup
21:00 <@krzee> thats not much info, how about both sides logs with verb 4
21:01 < datarecal> ok one second this is an ipfire/openvpn need to figure out how to increase verbosity
21:02 <@krzee> its in the config
21:02 <@krzee> !verb
21:02 <@vpnHelper> "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info, or (#2) verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage., or (#3) Anything more than 5 is for developer debugging only (special debug build needed)
21:04 <@krzee> also possibly useful:
21:04 <@krzee> !logfile
21:04 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
21:13 < datarecal> https://paste2.org/OEPN1488
21:15 < datarecal> client : https://paste2.org/f85P4WLg
21:19 < datarecal> krzee could it be : UDPv4 link local (bound): [undef] through my google search's most people have the ip there
21:20 <@krzee> your server log didnt include the client trying to connect
21:22 < datarecal> its not showing anything in the log for the connection
21:22 < datarecal> everything is routed in ipfire to /var/log/messages its not showing anything for roadwarrior
21:24 <@krzee> !logfile
21:24 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
21:24 <@krzee> if you're sure the server shows nothing, you're trying to connect to the wrong server
21:25 <@krzee> and also i recommend upgrading the server openvpn if possiblwe
21:25 < datarecal> its showing the connection on the interface : https://paste2.org/cWeHjFcp
21:26 <@krzee> specify a logfile in the config and get me the full log
21:51 <@krzee> !factoids search --values tun+
21:51 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
22:01 <@krzee> !install
22:01 <@krzee> !download
22:01 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn, or (#2) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
22:34 <@krzee> got datarecal sorted as a sidejob =]
22:35 <@krzee> (not all msgs get ignored!)
23:07 <+_FBi> vpnHelper might not like !install haha
23:13 <@krzee> lol
--- Day changed Wed Jun 14 2017
05:16 -!- krzie [ba06014b@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
06:46 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 268 seconds]
06:59 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
06:59 -!- mode/#openvpn [+v s7r] by ChanServ
07:25 < relaz> Hi guys, when I set the openvpnclient.conf and openvpnserver.conf the parameter port has to be set on the same number right? thanks
07:29 < rob0> The client has to connect to the same address/protocol+port as the server is listening on.  A basic networking fact.
07:31 <+hyper_ch> (and don't forget firewall rules on the server side to let that port pass)
08:49 < dionysus69> hello all
08:49 < dionysus69> I need some guidance, can anyone help me understand some basics?
08:51 < dionysus69> thing is that I have to stick with windows environment unfortunately so here's my setup. I have windows server with openvpn server with tap bridged adapter, and let's say I have 10 other windows clients with also tap adapters
08:51 < dionysus69> the reason I have this setup is because probably it was the easiest
08:52 < dionysus69> can anyone explain to me how would I switch to tun setup? what I would need to do? what tun is exactly and what routes if any would I have to setup?
09:04 <+DArqueBishop> dionysus69: the "TAP" adapter in Windows does both tap and tun.
09:05 < dionysus69> ok that's something already, so I need tap no matter what
09:05 <+DArqueBishop> No, the device in Windows is called "TAP-Windows Adapter", but in the config file you'd put "dev tun".
09:05 <+DArqueBishop> !howto
09:05 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
09:06 < dionysus69> so lets say 192.168.0.0 is the network behind server and 192.168.100.0 is the network behind clients, how would the tun setup look like for this kind of env?
09:06  * DArqueBishop points to the HOWTO linked above.
09:06 <+DArqueBishop> Believe me when I say that the HOWTO will probably answer 99% of your questions.
09:06 < dionysus69> I have read that more or less :D
09:07 < dionysus69> it's hard to navigate when you have specific questions :S
09:07 <+DArqueBishop> You're best reading the whole thing.
09:07 <+DArqueBishop> Also:
09:07 <+DArqueBishop> !clientlan
09:07 < dionysus69> ok one question then
09:07 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see
09:07 <@vpnHelper> !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
09:07 < dionysus69> if I restart server service, are the connections dropped or it restarts fast enough that it just lags for a sec or two and then resumes
09:07 <+DArqueBishop> The connections are dropped.
09:08 <+DArqueBishop> However, the clients should be able to reconnect on their own.
09:08 < dionysus69> yep
09:08 < dionysus69> one more thing :D
09:09 < dionysus69> the new service version that came with ovpn 2.4+, I had problem with it. clients were disconnected very often and stuff so I had to go back to 2.3.x
09:10 <+DArqueBishop> Also, bridging/TAP is never an easier solution, and is almost never recommended unless you have an actual use case for it.
09:10 < dionysus69> was that common with maybe windows or I just had something misconfigured?
09:10 < dionysus69> so whats the use case for bridging? I bridged because clients automatically get access to server lan
09:12 <+DArqueBishop> Generally, the most common use case is if you need support for broadcasting.
09:14 < dionysus69> nvm
09:14 < dionysus69> I dont get it thus I dont need it :D
09:14 < dionysus69> never met use for broadcast address except for when I used wake on lan
09:15 < simpledat> Im using OpenVPN via command line to connect to my VPN on my current Linux distro. My problem is, I can't find any way to add a killswitch or prevent fallback to my default connection when the VPN goes out. Basically, I want to find a simple method to prevent my VPN to fallback to default connection if it goes out. I just want my connection to be dead until the VPN connection is restored?
09:22 < dionysus69> DArqueBishop: also, if my clients have different lans behind them, do I need to set route for it in server config for each of them separately ?
09:24 <+DArqueBishop> dionysus69: do you want the client LANs to be accessible to the server LAN?
09:28 < dionysus69> hmm not really
09:28 < dionysus69> didnt think about that
09:28 < dionysus69> I thought it had to be in any case
09:28 < dionysus69> i didnt think in terms of that
09:29 < dionysus69> so the clients are in domain and atm I have vpn server ip as the primary dns so clients resolve Vpn domain
09:30 <+DArqueBishop> Again, I highly recommend you read the links in the !howto factoid above.
09:30 < dionysus69> will anything change in terms of domain connection if I remove bridge and setup to tun
09:30 < dionysus69> ok ok :D will do :D
09:30 < dionysus69> thanks :) i ll be back though probbaly with more questions sometime later :D
09:59 -!- xx00___ is now known as xx00__
10:12 < Romeyo> !welcome
10:12 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
10:12 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
10:12 < Romeyo> !goal I wouldl ike to access the internet over my vpn
10:13 < Romeyo> !goal I would like to access the internet over my vpn
10:14 < Romeyo> I have openvon 2.4.2 compiled using rpm and installed on the server which runs on cent os 6.9, and have 2.4.2 client installed. I am unable to access internet after connecting to openvpn
10:16 < icasdri> Do you have ip_forwarding enabled and some firewall rule to route traffic?
10:17 < rob0> BTW the "welcome" factoid explicitly said "!goal <whatever" is not understood by the bot.
10:17 < rob0> !redirect
10:17 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
10:17 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
10:17 < rob0> ^^ go through the flowchart
10:19 < Romeyo> nvmd, found the issue, thanks :)
10:19 < Romeyo> i didn't allow tunnel traffic in iptables
10:21 < Romeyo> thank you
10:35 <+|Mike|> df
10:35 < rob0> 0kb
12:26 < jasondockers> I can't get any socks proxies to work
12:27 < jasondockers> I select "socks proxy", and enter the address and port
12:27 < jasondockers> they're all valid
12:27 < jasondockers> but I receive recv() errors
12:30 <@ordex> !logs
12:30 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
12:30 <@ordex> !configs
12:30 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
12:34 <@ordex> jasondockers: ^^^
13:04 < zoredache> Can key-based authentication be used in a point-to-point setup?  Almost all the guides and so on only show using a static key for that type of setup.
13:05 < BtbN> only hand out one cert, and it's essentially point to point
13:11 < zoredache> I actually want to be in --mode p2p, I want to test using an external tool for routing (OSPF), from what I have been reading that doesn't work in --mode server, which does its own internal routing.  But it isn't clear from the manual, if --tls-server works in --mode p2p
13:19 < BtbN> just disable client-to-client and there is no internal routing?
13:19 < BtbN> and with just one client, there is none anyway
13:22 < zoredache> But I need routing.  I need to route a subnet, from the 'server' to the client, which in --mode server requires an iroute statement.  But that isn't required in --mode p2p
13:22 < zoredache> Anyway, I went and tried it.  It seems to be working.
13:27 < BtbN> why would routing not work in normal mode?
13:28 < zoredache> The problem is that I cannot use an external tool to manage routing in server mode.
13:31 < zoredache> If you want to go back to the start.  Right now I am using OpenVPN for site-to-site routing.  I have ~12 sites going through connected to one server.  That is has become a problem, because OpenVPN is single threaded.  The server, is sitting at 100% usage of a single core during peak hours lately.  But the openvpn server has multiple CPUs, and lots of cores.  So to solve that I guess I need to run more server instances on the
13:31 < zoredache> main box.
13:31 < zoredache> One solution seemed like it would be to just run lots of point-to-point instances, one for each site.  Then to setup quagga to manage the routing.
13:32 < zoredache> I have even been considering adding some links between the sites, so I can get more of a mesh.  Again, that would require a dynamic routing protocol.  Everything I read says Quagga won't work with openvpn unless in --mode p2p
13:33 < BtbN> I don't see what would possible prevent you from setting up routes in whatever way you like.
13:35 < zoredache> The point is, that I don't want to have to define routes at all.  I want that to be dynamic.
13:36 < BtbN> That doesn't make any sense
13:36 < zoredache> It does
13:37 < zoredache> BGP, OSPF, RIP, EIGRP, are all protocls that allow routers to negotiate routes automatically.
13:38 < zoredache> On large networks, you don't go around statically defining for complex connections on each individual router.
13:38 < BtbN> I have never heard of anyone doing BGP or OSPF over a VPN
13:39 < BtbN> I still don't see any reason why the mode openvpn is in would have any effect on any of those protocols though.
13:40 < zoredache> When in mode-server the OpenVPN server handles some of the routing between clients.  Hence the iroute directive.  You can't just add routes in the kernel, and have OpenVPN know how to direct traffic through a particular client
13:40 < BtbN> it only handles routing between multiple clients of client-to-client is set
13:41 < BtbN> otherwise it hands all routing to the linux ip stack
13:41 < BtbN> And if you only have exactly one client per OpenVPN server, there is no other client to send stuff to.
13:48 < coreyo> Is there a preferred way to have the 'down' script run with root privileges after running openvpn as the default nobody/nogroup?  In addition to the down script being run without root priviliges, I noticed that it causes a few errors on shutdown in the logs.
13:49 < coreyo> I saw an openvpn plugin that causes a fork, keeping a root process alive.  I also came up with a solution involving a line in /etc/sudoers
13:58 < bezaban> coreyo: all I can say is that I would like a good solution to that too
13:58 < bezaban> routes seem to go away with interface iirc, but would like to be able to cleanup explicitly
14:00 < bezaban> especially with regards to changing dns resolvers. I'm currently doing a python bit to solve that and restore old resolvers. Might have to wrap the whole thing
14:00 < bezaban> if I'm missing something I'd love input too :)
14:04 < bezaban> coreyo: whats the plugin?
14:04 < bezaban> oh and a sudoers nopasswd entry i presume?
14:29 < coreyo> bezaban, precisely, I am running openvpn at the router level, so magic has to happen via masquerading and policy routing when the tun0 interface goes up and down
14:29 < coreyo> let me see if I can find the plugin again
14:29 < coreyo> https://github.com/OpenVPN/openvpn/tree/master/src/plugins/down-root
14:29 <@vpnHelper> Title: openvpn/src/plugins/down-root at master · OpenVPN/openvpn · GitHub (at github.com)
14:29 < bezaban> coreyo: cheers
14:30 < coreyo> it seems like both of those solutions could potentially cause theoretical security risks, but probably not likely enough to worry about
14:31 < bezaban> coreyo: oh, and to be explicit: you're calling a sudoer entry using /etc/sudoers with 'sudo command' in openvpn config?
14:31 < coreyo> yeah, you have to quote it "/usr/bin/sudo /path/to/my/down/script.sh"
14:31 < coreyo> alternatively, you could have a sudo wrapper script that called another script, but I didn't see any good reason to overcomplicate things
14:32 < bezaban> coreyo: in that case I would likely prefer not dropping to 'nobody:nobody', but a completely different user tailored for that task, as nobody:nobody is used by other programs
14:32 < coreyo> yeah, I created openvpn:openvpn just for that reason
14:32 < bezaban> coreyo: good thinking
14:32 < coreyo> and then probably a good idea to chmod 700 on that script to keep anyone from seeing it at all
14:33 < bezaban> coreyo: PLOL
14:33 < bezaban> er. PLOP
14:33 < bezaban> POLP* even
14:33  * bezaban sighs
14:33 < coreyo> I have never encountered that acronym before, so I just learned something useful today
14:34 < bezaban>  principle of least privilege
14:34 < bezaban> yeah :)
14:34 < coreyo> yeah, I googled it :)
14:34 < bezaban> sounds like you are security oriented. :)
14:34 < coreyo> that pretty much sums up the majority of linux server security
14:35 < bezaban> it does indeed. Do you do it professionally?
14:35 < coreyo> No, I'm a programmer, but I prefer to focus on opensource technologies and tend toward python
14:38 < bezaban> oh, thats a great combination. I have CS background, but no real experience with dev other than has been mandated by working in ops.
14:39 < coreyo> I was introduced to debian in college about 18 years ago and have been screwing with it ever since
14:40 < bezaban> I find security people can be either mostly ops with programming background, like myself, or devs with an interest in ops. Ultimately I think the mindset and ability to get an overview is key though
14:41 < coreyo> I'm only getting into openvpn now because of congress' complete FCC reversal on ISPs
14:42 < coreyo> It's been a while since I've messed with iptables and ip route
14:42 < bezaban> coreyo: do you develop on linux?
14:43 < bezaban> 18 years of debian may mean a lot, but debian was young then so you've probably learnt a lot. A college utilizing it at that point sounds a bit crazy though
14:44 < bezaban> I started with redhat 21 years ago and my hobby has payed off a lot more than my education :)
14:45 < coreyo> yeah, I moved on to ubuntu and then linux mint, but I knew very early on that debian would beat out redhat and then gentoo
14:45 < coreyo> I haven't contributed much to the linux community in years, but I do all of my developmnet on linux platforms.  I still can't get away from gvim as my everyday text editor
14:47 < bezaban> I use vim myself, some common ground there. Not that editor wars have anything going for them
14:47 < coreyo> I got my degrees at IU.  There was a lot going on there, good and bad, but we had a lot of big names come over from Rice University and they were all functional programmers.  CS101 and several other classes were taught in Scheme, and the professors all had unix ports for all of the tools that we used, so a lot of us didn't have to use windows.
14:48 < coreyo> well, I never saw the appeal of emacs and I believe that it definitively lost ... although I may get flamed here in a moment
14:48 < bezaban> coreyo: neat! I attended uni a bit later.
14:48 < bezaban> no scheme :P
14:49 < bezaban> simula
14:50 < bezaban> but was transitioned into java, so hardly did any simula
14:51 < coreyo> Kent Dybvig taught our compilers class.  He's the author of the Chez Scheme compiler.  At the end of the semester, he showed us how far the other schools' curriculums and none of even made it 30% as far as our class, so that was a once in a lifetime experience
14:51 < coreyo> yeah, we were heavy into java too ... I liked it the first semester and then pretty much have hated it since
14:52 < bezaban> I ended up running the student networks and hardly got anything done, had a crisis and did a degree in criminology, but got dragged back into linux ops by an old neighbour
14:52 < coreyo> yeah, there's a debate about whether or not computer science is a science or a skill
14:53 < coreyo> I'd have to say that, unless you are on the theory side, it's probably more of a skill, although it probably requires more brainpower than most skills that one would acquire
14:53 < bezaban> but I will say, I learned more of what I do today doing non-curricular activities
14:53 < coreyo> of course, I learned to program my first summer by writing a php-based mp3 server
14:53 < coreyo> when I came back for my next semester, I was already ahead of my classmates by several semesters
14:54 < bezaban> my first 'real' pre-uni programming was probably delphi or basic (if that counts)
14:54 < bezaban> coreyo: yeah, aced the first year
14:54 < coreyo> oooh, basic, I never understood the reasoning for its syntax
14:55 < bezaban> there's a reasoning?
14:55 < coreyo> lol
14:55 < coreyo> just seemed hideously inefficient and overcomplicated
14:55 < bezaban> never did much with it, but has an irc client that was scripted with delphi
14:55 < coreyo> non intuitive
14:55 < coreyo> I never messed with delphi
14:55 < bezaban> good for you
14:55 < bezaban> :P
14:56 < bezaban> trying to remember the name of the client
14:56 < coreyo> The most awesome language I think I've used is Haskell
14:56 < bezaban> NO!
14:56 < bezaban> you can run xmonad then
14:56 < bezaban> xmonad is a tiling window manager, it only requires a deep understanding of internals and haskell to configure it :P
14:57 < coreyo> I do enjoy ruby, but I think that language gets a bit carried away with elegance to the point that it becomes counter productive
14:57 < coreyo> honestly, I'm not sure that I ever acquired a deep understanding of haskell
14:57 < coreyo> I'd love to pick it up again and work with it seriously
14:58 < bezaban> I did like ruby at a point
14:58 < coreyo> There were a lot of things that were a mystery to me then that seem so obvious to me now
14:58 < bezaban> but then python fixed everything that I would ever need
14:58 < coreyo> ruby and python are so similar in terms of programming philosophy
14:58 < coreyo> yeah ... except multithreading ...
14:58 < bezaban> exactly, that's what drew me to ruby in the first place
14:59 < bezaban> well. what I need is rarely multithreaded, there are devs for that
14:59 < coreyo> at the end of the day, you can write the same program that you would in python, in ruby and save 1 - 2 characters per line
14:59 < coreyo> and they've spent SOOO much time making that possible
15:00 < coreyo> and generally speaking, python is still faster for single-threaded functions, although the difference is probably splitting hairs
15:00 < bezaban> while automation is not supposed to be overly resource-intensive, most tasks I need to do should complete in reasonable time and hasn't really got much to gain from automation
15:00 < bezaban> much to gain from optimization*
15:01 < coreyo> generally speaking, I think that optimization has more to do with experience
15:01 < coreyo> instead of optimizing existing tasks, you learn from previous tasks and make your next project better
15:01 < bezaban> bottlenecks are usually in database or other places
15:01 < coreyo> right, I/O and not cpu driven
15:01 < bezaban> yeah. resilience is more important often
15:02 < coreyo> however, working with MySQL and SQLAlchemy, you find that how you query and update can be the difference between days and seconds
15:02 < coreyo> quite literally
15:02 < bezaban> SQLAlchemy?
15:02 < bezaban> googled it ;)
15:02 < coreyo> yeah, that's the model-driven relational database library for python
15:03 < coreyo> it's quite brilliantly designed and the standard today, but it takes years to really learn the ins and outs of what's going on behind the black box functionality
15:03 < bezaban> could that help me with some really silly joins (due to bad db design)?
15:04 < bezaban> hm. no, it doesn't map the db into memory. Trying to figure ut what it does
15:05 < coreyo> that depends heavily on what you're doing.  It does some craziness with transactions and local caching that can make optimization a lot simpler, but by the same token you can really make things worse in terms of optimization if you are unaware of some of its nuances.
15:05 < coreyo> it helps map DB entries into memory on the client side
15:06 < coreyo> depending on the database backend that you use, you can even have pull in batches from the same single query to reduce memory footprint
15:06 < coreyo> *have it pull in
15:08 < bezaban> might work for a problem I have at work, using 'standard' py libs. However I have 2 days left, so wont worry about that :P
15:10 < bezaban> $oldjob has a terrible legacy DB developed by some russians that a colleague 'knew from the internet' in early startup days
15:10 < bezaban> many - many seemed like a good idea at the time
15:11 < coreyo> so there is another approach that I haven't tried wrt openvpn up and openvpn down
15:11 < bezaban> yes, let's focus on that
15:11 < coreyo> you can stop the system daemon from running and have everything handled in /etc/network/interfaces with its up/down parameters
15:12 < coreyo> so you'd have an interface entry for tun0
15:13 < coreyo> more simply, have up and down start and stop the openvpn daemon with something like "systemctl start openvpn@myconfig"
15:13 < coreyo> then tag on whatever else needs to be done
15:13 < bezaban> oh, my setup is slightly different - you're running from a router non-interactively. This setup uses smartcard authentication, so needs to be run interactively (but had to recompile without systemd support due to a systemd-ask-pass bug (or openvpn not predicting that behaviour))
15:14 < coreyo> I'm not sure if that would cause any timing/dependency issues with script execution or trying to bring up the interface tun0 before the wan/lan interfaces
15:14 < bezaban> coreyo: don't think it should
15:15 < bezaban> coreyo: and you would pair that with the sudoers entry?
15:15 < coreyo> my routing scripts would require the WAN interface to be up so that I could determine its gateway
15:15 < bezaban> how would it work if you run openvpn binary suid openvpn
15:15 < bezaban> how would that work with permission drops
15:16 < bezaban> likely same result. hmm
15:16 < coreyo> well, presumably you'd be calling sudo ifup tun0
15:16 < coreyo> sudo ifdown tun0
15:16 < coreyo> all of which would be executed at the root command, as would the preup, predown scripts
15:16 < bezaban> would only really move the 'problem'
15:17 < coreyo> however, if the openvpn connection failed in the backend and couldn't reconnect, that might cause a different sort of problem
15:17 < coreyo> I haven't tried implementing it yet, so I don't yet know all of the pitfalls
15:17 < bezaban> you either need some main process running as root, like apache model forking lower privileged children. or you have to allow some escalation
15:19 < bezaban> or alternatively something external monitoring state, which will help on separation, but pitfalls
15:19 < bezaban> I guess it's time to draw up a threat model
15:20 < bezaban> what are you defending against, where are you anchoring your trust
15:55 < coreyo> all that I really care about is having my ISP collect my traffic information and sell it to the highest bidder
17:00 <@krzee>  [11:40] <coreyo> Is there a preferred way to have the 'down' script run with root privileges after running openvpn as the default nobody/nogroup?  In addition to the down script being run without root priviliges, I noticed that it causes a few errors on shutdown in the logs.
17:00 <@krzee> sudo!
17:01 <@krzee> make a wrapper script that calls the down script but uses sudo, boom script runs as root
17:01 <@krzee> then configure that user in sudo to be able to run that script without a password
17:17 < bezaban> krzee: yeah, coreyo had a solution that worked like that. Also logically that is the only thing that really works for re-escalation
17:18 < bezaban> or never drop privs, but former is much preferred
17:19 < bezaban> krzee: wait. why would down script run as root if openvpn is configured to drop privs?
17:19 <@krzee> it wouldnt, it runs as the user openvpn dropped to
17:19 < bezaban> krzee: then I understand you
17:19 <@krzee> that was his issue, sudo would need to be configured for that user to run a script
17:19 < bezaban> krzee: aye
17:19 <@krzee> then youd make the script openvpn runs just call sudo otherscript.sh
17:21 < bezaban> krzee: absolutely. I don't really see a problem with that, but isolate the NOPASSWD entry from any other users
17:21 <@krzee> and only allow the openvpn user to call that script
17:21 <@krzee> which should be only writable by root
17:22 <@krzee> dont wanna let that user run just anything, otherwise why drop in the first place ;]
17:22 < bezaban> krzee: what threats do you avoiding by dropping privileges in the first place?
17:23 <@krzee> sandboxxing apps into their own low privileged users is a common practice
17:23 < bezaban> arbituary traffic over the tunnel that might do something unexpected
17:23 < bezaban> yeah
17:23 <@krzee> that way if a remote exploit becomes available for that app, it only gives low level access
17:23  * bezaban nods
17:23 <@krzee> then they need to break root still
17:24 < bezaban> it's just the balance of things that need to switch security context that can be hard
17:24 <@krzee> meh, sudo
17:24 <@krzee> its made for that
17:25 < bezaban> meh I guess, but nice to initiate and drop.
17:25 <@krzee> right, you dont often *need* root on a down script
17:25 < bezaban> it's the escalations that need some extra attention
17:25 <@krzee> but if you do, sudo is there
17:25 < bezaban> aye, and can filter
17:26 < bezaban> but those can be hard to get right. In this case it's trivial, I agree :)
17:27 < bezaban> one approach could be just allowing group write for the dropped privilege account to adjust resolv.conf (if that was the problem), rather than granting root access
17:28 <@krzee> ahh true i didnt think about dns
17:28 <@krzee> ya thats another solution
17:28 <@krzee> might break after a system upgrade i dunno if that gets checked
17:28 < bezaban> seems a bit overkill
17:28 <@krzee> but i assume it would stay as is
17:29 <@krzee> nah nevermind that wouldnt get clobbered
17:29 < bezaban> yeah. I've had to do a home made approach for systems that don't have the resolvconf package (which I also assume is a third party solution?)
17:30 <@krzee> i just choose to do it manually where needed
17:30 <@krzee> i have an easy time with bash tho
17:30 < bezaban> but sort of special cased I guess. I want DNS from within the tunnel - reverted on tunnel drop. Guess I can work around it with design, but not quite the result I want
17:34 <@krzee> ya that makes sense, so sudo again
17:34 <@krzee> youd just need to copy the old, and put it back on --down
17:35 < rob0> what specifically are you wanting?  Tunnel-only names, or general recursive queries?
17:35 <@krzee> oh strong point, i see a dnsmasq tutorial coming
17:35 <@krzee> :D
17:35 < rob0> :)
17:36 <@krzee> the dns ninja is in the house!
17:39 <@krzee> bezaban: you should answer rob0's question, he is well suited to give you advice
17:39 < bezaban> rob0: general recursive queries
17:40 < bezaban> I to TSIG signed dns via the tunnel as well as some internal zones
17:40 < bezaban> mostly to be comfortable though
17:43 < bezaban> but I have a good solution now I think, I've been working on writing something to replace resolvconf for redhat based distros, which keeps state of old network, so I can restore those settings without doing a dhcp renew (assuming it's a dhcp configured network)
17:45 < bezaban> network manager wont work with smart card auth
17:54 -!- skipyyty is now known as caliculk
17:59 < rob0> My dnsmasq tutorial probably isn't exactly what you need, but if you had dnsmasq pointed at an upstream server like Google (or, what I do, my own named on 127.0.0.1:1053), the reversion occurs with the change of default route.
18:00 < rob0> same thing if you simply have "nameserver 8.8.8.8" in your resolv.conf
18:01 < bezaban> yeah, it's more about handling the re-escalation on shutdown, which I think has been covered
18:02 < bezaban> oh wait. how would a localhost route be dropped?
18:02 < bezaban> well, not route, but resolver
18:03 < bezaban> I run a localhost bind9 resolver on a lot of my clients to do the tsig signing, but this is what I want to avoid and use the one available via the tunnel
18:03 < rob0> named doing recursion uses the system default route when sending iterative queries
18:03 < bezaban> dnscrypt might have a wider feature set and tsig signing might be old fashioned
18:04 < bezaban> rob0: ah right, well I don't really want a default route, only access to internal resources with internal dns
18:04 < rob0> dnscrypt is a different protocol, which most resolver libraries probably do not support
18:04 < bezaban> I run my own resolvers, so that should be solvable
18:05 < rob0> oh, now you say internal DNS, but I thought we were talking about [outside] recursive queries
18:05 < rob0> anyway,
18:05 < rob0> !dnsmasq
18:05 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
18:09 < bezaban> yeah. 'internal' as such as run bind9 on the inside of a vpn, inside I have a caching resolver that does TSIG to authorative dns servers that allow recursive lookups with that key
18:10 < bezaban> end goal is to vpn into this network, use the internal caching bind9 resolver, which in turn does TSIG signed queries to my public authorative DNS
18:11 < rob0> why not just do the recursion directly?  What is the advantage of using TSIG to the other recursive server?
18:12 < bezaban> rob0: split dns inside the tunnel
18:12 < bezaban> and to do TSIG from a client is hard, it's easy from bind9 to bind9, but not from a client to bind9
18:13 < rob0> yes
18:13 < bezaban> if I can do regular dns within the tunnel, then the tunnel internal DNS can handle TSIG
18:14 < bezaban> I've ended up having to do local bind9 installs on my clients and point DNS at 127.0.0.1
18:14 < bezaban> which breaks on public networks or captive portals
18:15 < rob0> yes, I do that on my own laptop, and I do encounter that problem
18:15 < bezaban> mm
18:15 < bezaban> tried to do it with dnsmasq too
18:16 < bezaban> happy you follow me :)
19:11 < gtt> should there be any weird issues if I try to connect to a company's vpn through another self hosted ptp openvpn vpn set up by myself?
19:12 < gtt> I mean, could there be any detectable traces that might trigger funny things like authentication errors (from the company's vpn) or any other weirdness
19:13 < fnljk> hopefully ur company approve of the setup and security of it all, then... why would there be any issues
19:13 < fnljk> besides the host/ip  from that other box.. and possible other bits of data.. I dunno..hm.
19:14 < gtt> the other box is a digital ocean server, and the only reason I'm using it to connect to the company vpn is because I can't via my isp's router (for some reason), and I've been able to nail it down to my isp's router
19:15 < gtt> I can connect fine from everywhere else
19:16 < gtt> the thing is I haven't connected in a while, and it's first time I'm trying to do it from my apartment anyway, as it's annoying to have to go out
19:16 < gtt> and I don't know if my credentials are wrong (will get an answer but in a few hours), or if it's the entire setup faulty to befgin with
19:18 < gtt> I thought of coming here because I was thinking about the issue in a more abstract way that it's related to the design of vpn's in the first place
19:18 < MacGyver> gtt: You mean tunnel one VPN connection through another?
19:19 < MacGyver> gtt: Or VPN to the digital ocean server, and then run another VPN client on that?
19:19 < gtt> ideally, a vpn should just capture your packets, apply a layer on top of them (leave them unchanged), and then spit them out at the other end unnencapsuled, so could in theory this be traceable? the fact that my packets traversed a vpn?
19:19 < MacGyver> gtt: The second is suspect from a policy-perspective (I imagine your company wants your eyes on the machine connecting to its network), the first might have issues depending on what the company VPN uses.
19:21 < gtt> MacGyver: I mean connecting to the company vpn via my digital ocean server. The goal is to vpn to my company, but for the reasons I just explained I ahve to go through another host with another ip
19:21 < MacGyver> gtt: That doesn't answer my question.
19:21 < MacGyver> gtt: Where will the company's VPN client be running?
19:22 < MacGyver> gtt: I understand what you want to do, the question is how you want to do it in terms of layering / routing / switching.
19:22 < gtt> in my laptop, inside a windows virtual machine. Because the company's vpn client is a forticlient
19:23 < MacGyver> Okay, then that's basically as though you were physically sitting, with the laptop, in the digital ocean data centre, and connecting to the company VPN from there.
19:23 < gtt> I mean it's a proprietary vpn server they have called fortigate, and I'm running the forticlient in my windows vm (arch host)
19:23 < MacGyver> So policy-wise that shouldn't be an issue.
19:24 < MacGyver> Then the only question remaining is: *can* openvpn carry fortigate traffic?
19:24 < MacGyver> If it's simply a UDP or TCP connection, the answer is trivially yes.
19:27 < MacGyver> Think of it this way:
19:28 < MacGyver> What you're doing is no different than going to an airport wifi, or a starbucks.
19:28 < MacGyver> The only thing that matters is whether the network actually accepts the traffic your fortigate client is generating.
19:29 < MacGyver> The one thing I can think of is weird MTU issues for fortigate because of the layering.
19:29 < MacGyver> As in, since OpenVPN has some overhead, the MTU is slightly reduced; fortigate might not take that into account and run with degraded performance because it tries to send slightly more bytes per packet than can fit in the openvpn encapsulation.
19:58 < gtt> MacGyver: exactly that's why I ws thinking about it abstractly, there shouldn't be any problem as it's like I'm actually sitting at that digital ocean server. About the traffic that forticlient generates I very much doubt it being anything other than udp.
19:59 < gtt> In fact the xml configuration file I was given, has several mentions of udp settings and none for tcp
20:00 < gtt> it would be very odd and unlikely for it to be generating anything other udp/tcp traffic
20:01 < gtt> also the error I get is very specific, "Invalid credentials". Through my own isp router I can't even get that, it just timeouts trying to establish communication with the fortigate server, even though the server itself is reachable (I can get icmp replies from it)
20:03 < gtt> so it's probably some weird firewalling that my isp's router is doing, but how could I know, the thing barely lets me change the ssid for the wireless, let alone show/change settings for firewalling
20:14 < MacGyver> gtt: Invalid credentials probably really does mean invalid credentials. The only way to check would be to go to a normal connection that can carry the company VPN.
20:42 < gtt> MacGyver: it was indeed just that, they had changed password
20:43 < gtt> what made me paranoid was the fact that this was coincidentally the first time trying to connect like this
20:47 < MacGyver> Makes sense.
20:47 < MacGyver> Glad it works now.
--- Day changed Thu Jun 15 2017
05:45 < _Maik_> hey, i have a strange question. Is this Setup in any way possible? https://postimg.org/image/83qvz7277/
05:45 <@vpnHelper> Title: 3site-vpn — Postimage.io (at postimg.org)
06:39 <+|Mike|> _Maik_: why would you like to run 2 servers? :-)
07:08 < _Maik_> |Mike|: failover, and so on
07:12 < gebbione> hi guys
07:12 < gebbione> I have just installed openvpn on a remote machine
07:12 < gebbione> and for some addresses i want the VPN public address to be used
07:12 < gebbione> only for those addresses
07:12 < gebbione> my local machine is a Mac
07:13 < gebbione> is there a specific way on my local machine to tell it to use the VPN address instead of my local?
07:13 < gebbione> my local client on the Mac has notified me that my ip is still the same and it is not picking the VPN address
08:05 -!- gthank is now known as gthank_away
08:05 -!- gthank_away is now known as gthank
08:05 -!- gthank is now known as gthank_away
08:05 -!- gthank_away is now known as gthank
08:13 <@krzee> gebbione: sure, instead of using --redirect-gateway just add --route entries for the networks you want to reach over the vpn
08:13 <@krzee> lol missed him by seconds
08:27 < TheSin> I see in the subject TAP/Bridge is a bad idea, and I assume it's why I can only get a max of 700k/s currently.  What's the alternative when I need mdns accross the VPN?
09:05 < pity> Hi, guys. Is is possible to build an OpenVPN client for iOS, just for internal use.
09:07 < rob0> TheSin, mdns and VPN are a strange mix.
09:08 < TheSin> it's inter office connect, and we use a lot of mdns, I have it working 100% and super reliable but I can't get it over 700k/s which sucks
09:09 < rob0> pity, I think the biggest part of that question would be specific to your iOS, such as: how to have a complete build environment.
09:10 < TheSin> orignially I with tcp I could only hit about 300k, switching to udp and upping the send/recv buffers to max I can not hit 700k, but it seems no matter what i try I can't get more, been playing with mtu but I doubt that is the issue
09:10 < rob0> TheSin, here's what I did for DNS in VPN:
09:10 < rob0> !dnsmasq
09:10 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
09:10 < TheSin> I didnt' think dnsmasq was mdns or avahi friendly
09:11 < pity> rob0: That's not a problem. The problem is I can't find any docs for build iOS app by now.
09:12 < pity> rob0: I use openvpn in a team in China, there's no official app in App Store in China, so I wonder if I could build it by myself.
09:13 < rob0> TheSin, I don't suppose it is, but I am suggesting that as your network grows, you might need to reduce your reliance on mdns and autoconfig.
09:14 < rob0> pity, I don't have iOS, so I can't suggest anything about how to build software for it.
09:14 < gtt> I have set up a ptp openvpn server, and I've already set the routes for it, except for the default route. I don't want to route everything through the vpn, I just want to route the traffic from a windows vm with an interface bridged to my ethernet card and ip 192.168.0.150. So in a sense, I'd like to setup routes so that only the traffic incoming from that ip gets routed through the vpn
09:17 < TheSin> rob0, but it's sooo convient :D
09:19 < gtt> btw I'm using a routed vpn (tun1 interface)
09:20 < rob0> gtt, policy routing with an alternate route table (different default route) and rules to select the traffic to route that way.
09:21 < gtt> rob0: that sounds involved, I was looking for something simpler are you sure that is the only way?
09:22 < rob0> maybe put the client on the vm and use --redirect_gateway?
09:22 <@krzee> pity: you may be able to build the opensource openvpn, but definitely not the ios connect app that is in the normal istore... the vpn API part is not opensource
09:22 <@krzee> !connect
09:22 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide, or (#2) the source is here: https://github.com/OpenVPN/openvpn3 except for the portion that may not be released
09:22 <@vpnHelper> because of NDA with apple (for its vpn API), or (#3) It is impossible to retrieve your configuration from Connect itself. This is by design. Keep a copy of your config (and any certs/keys/etc that go with it) someplace safe, and where you can find it later
09:23 <@krzee> once upon a time people made an ios version of the opensource app, but since the vpn API and ios connect i havent heard anything about that
09:28 < gtt> rob0: right, that is easier
09:30 < gtt> rob0: well, I'll see how that works, because coincidentally, I'll be using this vpn in order to connect to a different vpn
09:31 < gtt> I'll try it up and see if that works
09:31 < gtt> (I've already tried it succesfully by connecting to the openvpn on the linux host, and then connecting to the company vpn on the windows guest, however I was routing all the traffic in the linux host to the openvpn)
09:36 < pity> krzee: So is't impossible to use openvpn client for iOS in China....
09:38 <+hyper_ch> I wonder who tortures themselves with iOS...
09:39 < pity> hyper_ch: not use it much on iOS
10:29 < Angs> I have this server.con and client.conf https://pastebin.com/UGdzzkaW I can ping the clients from the server, but clients can't ping each others. What do I need to do for server to route openvpn traffic among the clients?
10:34 < Angs> ok I found, I needed
10:34 < Angs> client-to-client
10:41 < rob0> --client-to-client bypasses your firewall, so if that fixes it, your firewall was blocking inter-client traffic.
14:08 < gebbione> hi folks, I have set up my VPN, I can connect to it but my machine does not gain the VPN public address
14:09 < gebbione> i.e. it is still visible with its public ip instead of the VPN ip
14:09 < gebbione> how can i force traffic through the vpn for specific resources i.e., sites its
14:26 < Eugene> !redirect
14:26 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
14:26 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
14:26 < Eugene> !routebyapp
14:26 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination., or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
14:26 <@vpnHelper> policies you set. For Linux, read about !lartc
14:27 < Eugene> Redirect is used to send all traffic. If you only want some sites then you need to do a SOCKS proxy or policy routing magick
14:37 < gebbione> !welcome
14:37 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
14:37 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
16:26 -!- fractal_ is now known as _fractal_
16:38 < Grobo> Hi. Is it possible to put redirect-gateway in a ccd file instead of the server's config? Or will that not do what I want? I only want certain clients to redirect all their traffic
16:50 < mojtaba> Hello, does anybody know how log download and upload bandwidth?
16:50 < mojtaba> I know how to use client-connect, disconnect scripts.
17:21 < jasondockers> trying to use a socks5 proxy: recv_socks_reply: TCP port read failed on recv()
17:34 < jasondockers> I'm trying to use the socks proxy "nl-proxy.privateinternetaccess.com" on port 1080 with credentials
17:35 < jasondockers> https://gist.github.com/anonymous/1daecd3be2a7734171a04829ea87aebf
17:35 <@vpnHelper> Title: log.txt · GitHub (at gist.github.com)
17:37 < MacGyver> 109.201.154.212:0 is not a valid IP/port combination for TCP.
17:37 < MacGyver> That's what that error is telling you.
17:37 < MacGyver> It's trying to connect to port 0.
17:38 < jasondockers> MacGyver, I specified port 1080
17:38 < MacGyver> Well it doesn't seem to be listening to you.
17:38 < jasondockers> I agree
17:39 < jasondockers> I'm using the "settings" gui dialog to set the server and port
17:40 < MacGyver> I'd expect to see port 0 only for the selection of the outgoing port for "random port above 1024".
17:42 < jasondockers> I can't figure this out :(
17:42 < jasondockers> I've been at it for a day
17:44 < rob0> "'settings' gui dialog"?  What is that?  Could it be:
17:44 < rob0> !as
17:44 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
17:44 < jasondockers> it's from github
17:45 < jasondockers> maybe I can set the socks proxy in the config
17:45 < jasondockers> is the line socks-proxy server port authfile?
17:49 < rob0> --socks-proxy server [port] [authfile]
17:51 < jasondockers> well, I'm now getting "Thu Jun 15 18:42:57 2017 Attempting to establish TCP connection with [AF_INET]198.105.254.130:1080 [nonblock]
17:51 < jasondockers> "
17:52 < jasondockers> and it's taking a minute+
17:53 <@krzee> from github? got a link?
17:54 < jasondockers> github.com/openvpn/openvpn-gui
17:55 < jasondockers> I wish this would work :(. It's for the most wholesome use ever. I just don't want an old friend to know where I live before connecting to his VPN
17:56 < MacGyver> Wait what.
17:56 < MacGyver> How are those things related?
17:56 < jasondockers> I thought a socks proxy will mask my actual IP?
17:57 < MacGyver> Oh, right, there's a socks proxy involved.
17:57 < MacGyver> Nvm.
17:57 < jasondockers> yeah, I can't get it to work
17:57 < jasondockers> I bought a socks proxy and it doesn't work :[
17:57 <@krzee> oh windows
17:57 <@krzee> !download
17:57 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn, or (#2) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
17:57 < MacGyver> (How granular do you want them to not know where you live?
17:57 <@krzee> openvpn for windows has a gui
17:57 < MacGyver> It's not as though geoip is accurate to a household level.)
17:58 < jasondockers> I don't mind the same country
17:58 < jasondockers> the proxy I'm trying to use is based out of the netherlands
17:59 < jasondockers> also, can I even use a socks proxy with udp?
17:59 <@krzee> depends on the socks proxy
17:59 <@krzee> dante can proxy udp over it, but cannot listen on UDP
17:59 < jasondockers> well, at the moment I just want to get connected to the socks proxy
17:59 < jasondockers> then I'll worry about the rest
17:59 <@krzee> maybe some other socks proxy can listen on UDP, i dont know of one though
18:01 < jasondockers> I'm alright with using any proxy
18:01 < jasondockers> after all the vpn traffic will be encrypted
18:02 < MacGyver> VPN-over-tor?
18:03 < jasondockers> oh
18:03 < jasondockers> fuck it
18:03 < jasondockers> I'll do that
18:03 <@krzee> oh that github you gave IS the official openvpn gui for windows, it's been bundled with the windows installer at !download for a long long time, there shouldnt be much reason to use that github
18:03 <@krzee> vpn over tor will be more difficult than a normal socks
18:03 < jasondockers> whoops, language. sorry
18:03 <@krzee> and will still need to be TCP to work
18:03 < jasondockers> oh, that's true.
18:04 < jasondockers> I don't get why it doesn't work
18:04 < jasondockers> I've tried like 15 socks proxies
18:04 <@krzee> you using tcp for the server and client?
18:04 <@krzee> and have you tested the socks with something like a web browser?
18:08 < rob0> With some ISPs, your IP address tells very little about where you are.
18:09 < rob0> With others, it might pinpoint you to a metro area.
18:09 < jasondockers> it's forcing me to provide credentials
18:09 < jasondockers> Thu Jun 15 19:00:30 2017 socks_handshake: Socks proxy returned unexpected auth
18:09 < jasondockers> but this new proxy doesn't take any
18:09 < jasondockers> :S
18:10 < rob0> go to a nearby hotspot and connect [to the friend's VPN] from there
18:10 < jasondockers> rob0, I'd rather use a socks proxy :p
18:11 <@krzee> can you use the socks with your web browser?
18:12 < rob0> also, there's a nonzero chance that your friend already knows your IP address; perhaps from email headers or other means.
18:12 <@krzee> oh and for the record, if performance sucks when doing this,  its because you're going to be tunneling tcp in tcp in tcp
18:12 <@krzee> !tcp
18:12 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
18:12 <@krzee> so like the tcp in tcp above, except you then put THAT in tcp too lol
18:13 < jasondockers> I don't think gmail will expose my ip
18:13 < jasondockers> anyway I doubt they'll check the headers
18:15 < jasondockers> krzee, thanks
18:15 <@krzee> <krzee> can you use the socks with your web browser?
18:15 < jasondockers> no
18:16 <@krzee> til youve got that fixed, dont even bother with openvpn
18:16 <@krzee> you need your socks server working before you can hope openvpn will connect to it, and openvpn wont help you debug it any
18:16 < jasondockers> krzee, it's not my socks server
18:17 <@krzee> if its not working with a web browser maybe you need to run your own so you can configure it properly
18:17 <@krzee> what you just googled for some open ones?
18:18 < jasondockers> my vpn service comes with a socks proxy
18:18 < rob0> IIRC gmail hides your IP if you use the webmail interface, but if you use a regular MUA of your own, they do not.
18:18 < jasondockers> private internet access
18:18 <@krzee> oh dude
18:18 <@krzee> you should be talking to them
18:18 <@krzee> !provider
18:18 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team., or (#2) Please contact their support team.
18:18 < jasondockers> like they'll help
18:18 < jasondockers> I also tried random free ones
18:18 < jasondockers> though since they don't take authentication my client fails to connect
18:18 < jasondockers> the client *always* provides authentication
18:19 <@krzee> they may or may not support their customers
18:19 <@krzee> we wont
18:19 < jasondockers> so I think that qualifies as a openvpn problem
18:19 <@krzee> so there you go :D
18:19 <@krzee> we'd need server side access to have a chance
18:19 <@krzee> cant help debug your nonworking socks when you dont run it
18:20 <@krzee> !provider
18:20 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team., or (#2) Please contact their support team.
18:20 < jasondockers> it's the client's fault that it provides auth when it's not required
18:20 < jasondockers> not the provider's fault
18:22 < jasondockers> I'm just trying to figure out how to configure openvpn so it doesn't try to use authentication with a socks proxy
18:25 < jasondockers> wait a second, the client should automatically figure out the auth method: switch (buf[1]) { case 0: /* no authentication */ break;
18:28 < jasondockers> IT WORKS
18:28 < jasondockers> hallelujah
18:29 <@ordex> time to pop champagne!
18:29 <@ordex> :)
18:47 <@krzee> nice!
18:47 <@krzee> good job dude
19:59 < gtt> that's some legendary quit message
19:59 <@krzee> lol ya thats pretty good
20:00 <@krzee> i wouldnt have seen it if you didnt mention
20:00 < Eugene> "what's a quit message"
--- Day changed Fri Jun 16 2017
05:51 < obinoob> Hi
06:14 < obinoob> I'm using openvp server ubuntu, I can connect and ping server ip from client and also open some (not all) intranet websites. I can't surf the web when connected to VPN however all firewall rules are correct, ipv4 forward and all ca, crt or keys are well generated! Something is wrong definitely
06:15 < obinoob> anyone available to help me please?
06:16 < obinoob> seems like routing or dns issues i can provide conf files...
06:21 <@dazo> !redirect
06:21 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
06:21 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
06:28 < obinoob> vpnHelper: thank you :) that graphic helped a lot, I'm stuck at "is NAT enabled on the VPN subnet"? I guess yes I've added: DEFAULT_FORWARD_POLICY="ACCEPT"
06:29 < obinoob> and *nat :POSTROUTING ACCEPT [0:0]  -A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE COMMIT
06:31 <@dazo> !vpnhelper
06:31 <@vpnHelper> "vpnhelper" is "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
06:32 < obinoob> dazo: sorry :)
06:33 < obinoob> dazo: i've checked the ufw and ports are opened without any exception
06:35 < obinoob> server network is 192.168.10.0/24 my local network is 192.168.1.0/24 this makes two different networks so no need to use "redirect gateway local" option...
06:48 < obinoob> this is all my configurations it takes two seconds to read https://gist.github.com/fccpt/d344c05d4d625da69f562ac5b4d0ac65
06:48 <@vpnHelper> Title: openvpn.txt · GitHub (at gist.github.com)
06:52 < obinoob> what am I missing here?
06:55 < obinoob> do I have to pay some kind of fee to join the club or...
06:56 < obinoob> not sure whats the #openvpn doing here but hey thank you very much for all of your help
07:15 <@ecrist> good morning folks
07:15 <@ecrist> good evening ordex 
07:15 <@ordex> good afternoon ecrist
08:20 <@krzee> g'morning
08:33 -!- You're now known as ecrist-away
08:34 -!- You're now known as ecrist-away-to-a
08:34 -!- You're now known as ecrist
08:39 <+|Mike|> morning krzee
09:00 <@krzee> how ya been man
09:01 < Brumbazz> Hi guys. I upgraded my debian from wheezy to stretch yesterday with (almost) success. I had an openvpn client running which where connected to my openvpn server. After I did the reboot, my openvpn client is not able to establish and keep a connection to my openvpn server. I'm getting the following error "Key [AF_INET]<server ip>:443 [0] not initialized (yet), dropping packet.". After the upgrade, the
09:01 < Brumbazz> log was spammed with that message. I noted from the example configs, that they all had "cipher ...", so I tried to put that into my client as well as servers config. It significantly reduced the number of errors (the one I just mentioned) to three, but the openvpn client then times out and restarts the connection. The openvpn server doesn't give any information about why the client complains and then
09:01 < Brumbazz> disconnects.
09:02 <@krzee> !logs
09:02 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
09:02 <@krzee> verb 4
09:02 <@krzee> !logfile
09:02 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
09:02 <@krzee> make sure its verb 4 or 5, not higher or lower
09:03 <+|Mike|> 6 my love, 6 ;)
09:04 <@krzee> or 6 if you want help from mike instead of me :D
09:05 < Brumbazz> server: https://pastebin.com/FwUbgyyU
09:06 < Brumbazz> client: https://pastebin.com/jGuQBaVK
09:07 < Brumbazz> server with 6: https://pastebin.com/arnvA2iF
09:08 <@krzee> lol |Mike|
09:08 < Brumbazz> client with 6: https://pastebin.com/2zRjczRK
09:08 < Brumbazz> Thanks :)
09:09 < rob0> krzee, what do the lowercase "rrrrrr" mean?
09:10 <@krzee> 5 -- Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
09:10 < rob0> oh
09:10 < rob0> so it looks like the tunnel is established
09:11 < rob0> but no "w"
09:11 <@krzee> nah but its worse
09:12 <@krzee> Fri Jun 16 16:38:11 2017 us=271975 newcastle.mmmi-lab/10.80.12.13:40684 MULTI: no dynamic or static remote --ifconfig address is available for newcastle.mmmi-lab/10.80.12.13:40684
09:12 <@krzee> hey Brumbazz
09:12 <@krzee> !configs
09:12 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
09:12 < Brumbazz> Hey krzee, just a sec :>
09:12 < rob0> ah, yes
09:12 <@krzee> we also wanna see /etc/openvpn/clients/newcastle.mmmi-lab
09:13 < Brumbazz> server: https://pastebin.com/92tBNhqY
09:13 < Brumbazz> sure!
09:14 < Brumbazz> newcastle.mmmi-lab is empty :)
09:14 <@krzee> ok, and client
09:15 < Brumbazz> https://pastebin.com/pM1bQPEq
09:15 < Brumbazz> and client :>
09:15 <@krzee> !goal
09:15 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:16 < Brumbazz> hm, my goal is make the client part of the openvpn-network so that people can work from home :>  The client which can't connect is running the DHCP server, however the server got a static IP on the openvpn interface.
09:17 <@krzee> ok so you want to share the lan which is behind the openvpn server?
09:17 < Brumbazz> more like the other way around - I want to make the openvpn server a part of the lan :>
09:18 < Brumbazz> Was that confusing  ?
09:18 <@krzee> well, let me make some suggestions
09:18 <@krzee> but first
09:18 <@krzee> is there some layer2 protocol you need to work over the vpn?
09:19 < Brumbazz> I use VLAN tagged packets over the VPN
09:22 <@krzee> let me tell you how i do it
09:22 <@krzee> i set the vpn as its own subnet, using dev tun, then i setup proper routing like i documented here:
09:23 <@krzee> !route
09:23 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
09:23 <@krzee> with whatever firewall rules i want set on the server for access control
09:23 < Brumbazz> I'm not really inrerested in changing my network infrastructure as it worked flawless before the upgrade :/
09:24 <@krzee> im guessing you could probably mark packets tagged from there as well, but i dont do vlan tagging so im not sure
09:24 <@krzee> oh sorry i missed that part
09:24 < Brumbazz> interested *
09:24 <@krzee> dazo: ^
09:25 < Brumbazz> No worries krzee  - it's just that annoying error I'm getting that makes my tunnel restart :>
09:26 <@krzee> i assumed that ip addressing warning was the problem, but i remember learning about the setup you have from jjk's cookbook actually
09:26 <@krzee> and if it worked before upgrading, i agree it should now too
09:28 < Brumbazz> ahh ye okay but yeah I think so too :>
09:28 <@krzee> is it possible your firewall changed?
09:28  * dazo looks up
09:29  * rob0 looks away
09:30  * krzee looks down
09:30 < Brumbazz> krzee:  I haven't changed anything, only done the upgrade :> Do you know what can cause that error I'm seeing ?
09:31 <@krzee> very much no, but dazo is now reading our scroll which includes your logs and configs (except client config is impossible to read) so hopefully he'll have a clue, we'll see ;]
09:31 <@dazo> Brumbazz: you're running a modified openvpn 2.4 server?
09:33 <@dazo> *client* I mean
09:34 < Brumbazz> dazo:  no, just from debian stretch repo :)
09:34 <@dazo> hmmm ... odd .... OpenVPN 2.4.0 [git:master/d73f7253d939e293+]
09:34 < Brumbazz> krzee:  sounds great !  Why is client config impossible to read ? Anythig I've done ?
09:34 < Brumbazz> anything  *
09:34 < CentiZen> Hi all, hope this isn't a stupid question but I've been banging my head against this for about 24 hours
09:35 < Brumbazz>   Installed: 2.4.0-6
09:35 <@dazo> the "git:" stuff is added when compiling from a git tree .... the + means there are modified files which have not been committed
09:35 < CentiZen> I'm using the built in OpenVPN server on a Cisco LPT214 - and I'm pretty sure I have at least the first part working. I can get a client to connect.
09:35 < CentiZen> But once I do, pretty much all internet traffic stops working on the device
09:37 < CentiZen> I'd love to troubleshoot further but I'm pretty new to this and don't want to mess things up more
09:37 < Brumbazz> dazo:  I'm not lying, I just did an apt-get install and yesterday an upgrade :/
09:38 <@dazo> Brumbazz: might be some short-cuts the package maintainer have done :/ .... still trying to understand what happens
09:38 < Brumbazz> https://raspberrypi.stackexchange.com/questions/68554/pivpn-doesnt-cover-my-public-ip-address-but-the-connection-happen <- that guy  has that in his package too :/
09:38 <@vpnHelper> Title: pi 2 - PIVPN doesnt cover my public IP address but the connection happen - Raspberry Pi Stack Exchange (at raspberrypi.stackexchange.com)
09:39 < Brumbazz> dazo:  I see
09:41 <@dazo> Brumbazz: hmmm ... is it possible for you to try to run a test using openvpn 2.3 on the client .... --verb 5
09:41 <@dazo> I'm a bit puzzled by this line:
09:41 <@dazo> [server] WRRFri Jun 16 15:55:45 2017 us=550756 PUSH: Received control message: 'PUSH_REPLY'
09:42 <@dazo> s/server/client/
09:42 <@dazo> and this one from the server:
09:42 <@dazo> Fri Jun 16 16:38:12 2017 us=447749 newcastle.mmmi-lab/10.80.12.13:40684 SENT CONTROL [newcastle.mmmi-lab]: 'PUSH_REPLY' (status=1)
09:42 <@dazo> that's an empty push message ... I wouldn't expect that
09:43 < Brumbazz> dazo: you want me to downgrade my server to 2.3 ? (just to be sure)
09:43 <@dazo> server is fine, server is already at 2.3, according to your logs ... the client runs 2.4
09:44 < Brumbazz> yes, sorry
09:44 < Brumbazz> hm, do you want me to compile it then or ?
09:46 < Brumbazz> ah I found the package in repo, just a sec
09:47 < Brumbazz> It seems to be working :O
09:47 < Brumbazz> haven't received that error in a min now - before it showed up after a few seconds
09:48 < Brumbazz> I'll just send you the log
09:48 < Brumbazz> https://pastebin.com/iT8hC4Md
09:48 < Brumbazz> client verb 5
09:50 < Brumbazz> it's still up, so great success I would say. However it doesn't explain why it's not working with 2.4 :/
09:53 <@dazo> Brumbazz: that's actually what I wanted to see ... if this was a regression ... and it seems to be
09:54  * dazo glares at the new logs
09:54 < Brumbazz> What do you mean by regression ?
09:54 <@dazo> that a configuration which worked with 2.3 doesn't work in 2.4
09:54 < Brumbazz> ahhh, thanks
09:57 <@dazo> Brumbazz: it would be great if you can file a new bug ticket on this issue .... please provide these logs, versions of what works and what breaks and configs .... http://community.openvpn.net/openvpn/newticket
09:57 <@dazo> I have a hunch what's happening ... but I want to point the right guys at this issue
09:58 <@dazo> hmmmmmmm
09:58 <@dazo> Can you try the 2.4 client again, and add 'ncp-disable' to your config?
09:58 < Brumbazz> yeah, ofc. 2 sec :>
09:59 < Brumbazz> same error
09:59 < Brumbazz> RFri Jun 16 16:51:22 2017 us=203048 Key [AF_INET]10.141.50.11:443 [0] not initialized (yet), dropping packet.
10:00 < Brumbazz> Do you want log ?
10:00 <@dazo> hrmpf .... okay, then it's a bit harder to pin-point potential issues
10:00 <@dazo> no, that's okay ... we need a new ticket on this one
10:01 < Brumbazz> Alright :> I haven't tried to file a bug report, however I'm up for trying. Would it be ok if I post it here before posting it on your webpage ?
10:02 <@dazo> Brumbazz: nah, that's okay ... do your best and we'll fix what's needed
10:02 <@dazo> Brumbazz: mention that --ncp-disable on the client does not help
10:03 < Brumbazz> I will do that :) thanks for your help ! It's fine by me that it's only working with 2.3 :> I'll start writing the bug report right away
10:04 <@dazo> Brumbazz: what I believe is part of the issue is that you have an tunnel without IP addresses configured by OpenVPN .... I'll dig up some extra info to attach to the ticket too
10:04 < Brumbazz> ohhhh, yes okay :> Cool !
10:09 < Brumbazz> dazo:  is it ok to link the pastebins ?
10:12 <@dazo> Brumbazz: I'd prefer if we can have them as file attachments ... pastebins might disappear
10:12 < Brumbazz> Roger that
10:12 <@dazo> Brumbazz: just hold a sec .... I'll find the proper debug level .... we might need --verb 7 or more, checking what we need
10:12 <@dazo> I've noticed a few key differences
10:13 < Brumbazz> Alright :>
10:14 <@dazo> yes, --verb 7 from the 2.3 and 2.4 client logs will help
10:14 < Brumbazz> Alright, 2 sec
10:14 <@dazo> The v2.4 log is completely lacking "Data Channel Encrypt" log lines
10:15 <@dazo> plus "Data Channel Decrypt"
10:15 <@dazo> hence the "not initialized (yet)" log line
10:16  * dazo need to run for dinner with family
10:16 < Brumbazz> oh interesting,
10:16 < Brumbazz> https://pastebin.com/EiRZn5vq <- 2.4
10:16 < Brumbazz> oh fair dazo
10:16 < Brumbazz> do you know when you will be back ?
10:16 <@dazo> in a couple of hours or so
10:17 < Brumbazz> oh yes okay
10:17 < rob0> unless they slip him a Mickey
10:17 < rob0> (it IS family, after all)
10:17 <@dazo> but attach these --verb 7 logs together with server logs + configs ... and we'll have a good starting point
10:17 <@dazo> hehehe
10:18  * dazo runs
10:18 < Brumbazz> https://pastebin.com/idMHAQA1 2.3
10:18 < Brumbazz> you mean client right ?
10:18 < Brumbazz> but yeah sure, I'll do that :>
10:18 < Brumbazz> ah ye, server logs + configs + client with 2.3 and 2.4 rihgt ?
10:18 < Brumbazz> right *
10:20 < Brumbazz> I assume yes :>
10:36 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Disconnected.]
10:37 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:37 -!- mode/#openvpn [+v s7r] by ChanServ
11:01 < Brumbazz> maan, now I uploaded the logs + configs in a .tar.gz - maybe I shouldn't have done that :s
11:17 < joze_> hi i have an openvpn server running on local network with push "dhcp-option DNS 192.168.20.1" set to local DNS server in order to access intranet websites what should i do in order to have internet access when connected to VPN?
12:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 246 seconds]
12:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
12:10 -!- mode/#openvpn [+o syzzer] by ChanServ
13:06 < simpledat> ERROR: Linux route add command failed: external program exited with error status: 2
13:06 < simpledat> RTNETLINK answers: File exists
13:06 < simpledat> what does this mean?
13:07 < simpledat> what should I do? I use this https://github.com/wknapik/vpnfailsafe with openvpn
13:07 <@vpnHelper> Title: GitHub - wknapik/vpnfailsafe: IP leak prevention for OpenVPN (at github.com)
13:07 <@ordex> simpledat: it simply means that openvpn is trying to add a route that it already exists
13:07 <@ordex> probably you have already set a route that is being pushed ? or you configured it twice ?
13:08 <@ordex> generally, that could be ignored, but you may want to clean it up
13:08 <@ordex> simpledat: ^^
13:09 < simpledat> ordex: what do you mean by configured it twice?
13:09 < simpledat> I just Save vpnfailsafe.sh in /etc/openvpn, make it executable and add the following lines to /etc/openvpn/<your_provider>.conf:
13:10 < skyroveRR> Hi ordex
13:10 <@ordex> simpledat: if you provide the full log, this issue might get easier to understand
13:10 <@ordex> !logs
13:10 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
13:10 <@ordex> hi skyroveRR :)
13:11 < simpledat> ordex: verb 4 is enough?
13:11 <@ordex> should be
13:11 <@ordex> dazo is the one who knows all the verb levels by heart :D
13:11 < simpledat> ordex: may I ask you, what did you mean by configured it twice?
13:12 <@ordex> simpledat: one possibility for this error is that openvpn is trying to add the same route twice
13:12 < simpledat> ordex: did you ask if I run vpnfailsafe twice?
13:12 <@ordex> and this might happen if, for example, a route is configured on both the client and also on the server as 'push
13:12 <@ordex> option
13:12 <@ordex> nono
13:12 < simpledat> ok
13:12 < simpledat> ah
13:12 < simpledat> :)
13:12 <@ordex> I don't think that error is related to the script
13:12 <@ordex> that's printed bythe openvpn core
13:13 < simpledat> ordex: brb
13:13 <@ordex> if you also have both configs, it might be easier to understand what's going on
13:13 <@ordex> sure
13:13 <@ordex> !configs
13:13 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:14 < simpledat> ordex: I got the client.conf but no server conf. Cause Im not the VPN provider.
13:14 < simpledat> I just got the client.conf from my VPN provider :)
13:15 < Gill> Hey!
13:15 < doverZ> hello, going to expose my situation if someone could help. Have a working VPN network on windows server 2012, and for some reasons i need to deploy a second vpn network, have created another network adapter using the TAP v9 driver (already installed and used by the first network). Also have the certificates, config files, etc for the server and one test client. The thing is that i cannot find how to register another service
13:15 < doverZ> referencing the new config files using the new TAP adapter. Anyone know which parameters should i use or any other method? (using now command line openvpnserv2.exe .... , installasservice)
13:16 < Gill> I was wondering if its possible to add subnets from the command line. I googled around and havent found a solution. TIA
13:16 < joze_> why am I receiving opendns ips from openvpn server when server.conf is set to: push "dhcp-option DNS 192.168.10.1"?
13:21 <@ordex> Gill: what do you exactly mean ?
13:21 < Gill> ordex: hi thanks!
13:21 < Gill> under routing i have this box Specify the private subnets to which all clients should be given access (as 'network/netmask_bits', one per line):
13:22 < Gill> id like to set those private subnets from the command line
13:22 <@ordex> joze_: what does the log says ?
13:22 <@ordex> Gill: under routing? box? what are you exactly talking about? openvpn is a command line tool ...
13:23 < Gill> i am in the OpenVPN gui
13:23 <@ordex> oh, the windows one ?
13:23 < Gill> nope linux
13:23 < Gill> AWS AMI for it
13:23 <@ordex> oh, never used it - I don't think it is part of the community project
13:23 <@ordex> I am not sure what that boxes are about
13:23 < Gill> oh
13:24 <@ordex> one thing I can tell you
13:24 <@ordex> is that you may want to read the man at the section describing --route
13:24 <@ordex> that might be what you are looking for, the description should clarify
13:25 < simpledat> ok im back
13:25 <@ordex> if that's what you need, then you can push this option to all the clients by using the 'push' statement
13:25 < simpledat> logs: http://paste.debian.net/971759/
13:25 < Gill> thanks!
13:26 <@ordex> Gill: np
13:26 < simpledat> openvpn client conf: http://paste.debian.net/971760/
13:26 <@ordex> Gill: in the worst case you can ask the AWS/AMI support about how to translate those boxes into actual openvpn options
13:26 < Gill> true
13:27 <@ordex> simpledat: it looks like those routes simply already exists before openvpn tries to add them
13:27 < simpledat> ordex: do you need more logs?
13:27 < joze_> ordex: not much https://pastebin.com/dUjei4D1
13:27 < simpledat> ordex: what does it really mean?
13:29 <@ordex> simpledat: is it possible that the vpnfailsafe script is adding those routes already ?
13:29 <@ordex> because the script is executed *before* openvpn would try to add its own routes
13:30 <@ordex> therefore it might be that the script is already adding them and when openvpn tries to do the same it hits this issue
13:30 < simpledat> ordex: I dont really know
13:30 < simpledat> ordex: here is the script btw https://raw.githubusercontent.com/wknapik/vpnfailsafe/master/vpnfailsafe.sh
13:30 <@ordex> what happens if you comment out the script from the config ?
13:31 < simpledat> ordex: Should I try it? Then I have to disconnect again.
13:32 <@ordex> simpledat: yeah
13:32 <@ordex> simpledat: easy way to check that :)
13:32 <@ordex> joze_: what is that ? does not look like an openvpn log
13:32 <@ordex> !logs
13:32 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
13:33 <@ordex> joze_: and please make sure verb is set to 4 as described above
13:33 < joze_> ordex: what you mean from client or server?
13:33 < joze_> yes it is
13:33 <@ordex> client
13:33 <@ordex> anyway: bbl
13:37 < simpledat> ordex: So what should I do then?
13:38 < joze_> ordex: https://pastebin.com/zLT76tj7
13:39 < joze_> ordex: that is the log from viscosity
13:39 < simpledat> It says
13:39 < simpledat> "RTNETLINK answers: File exists" errors can be ignored safely. They appear when OpenVPN tries to set up a route, that's already been created by vpnfailsafe. Adding the "route-noexec" option will tell OpenVPN to leave routing to vpnfailsafe and prevent those errors from appearing.
13:40 <@krzee> doverZ: did you find your answer?
13:41 <@krzee> https://openvpn.net/index.php/open-source/documentation/install.html?start=1
13:41 <@vpnHelper> Title: Installation Notes (at openvpn.net)
13:41 <@krzee> skip to Running OpenVPN as a Windows Service
13:42 < simpledat> ordex: so should I ignore it?
13:48 < joze_> ordex: please take a look at syslog and you will find some answer https://pastebin.com/A69Nw2YE
13:57 < joze_> ordex: can you spot SENT CONTROL [remoteuser]: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
14:04 < doverZ> krzee: nope, havent found a solution, also checked the documentation part u linked... im just stuck in the final step need to tell windows when adding a new service that i want it to use another folder of config files (the tap adapter can be referenced inside the server.ovpn file)
14:04 < joze_> any ideia why am I receiving opendns ips from openvpn server when I don't have it on my server config?
14:32 < simpledat> hi
14:32 < simpledat> yes the RTNETLINK answers: File exists dissapear after I remove the script from openvpn client conf
14:33 < simpledat> so what does it mean?
14:34 <@ordex> simpledat: so as I guessed, the routes are installed by the script and then openvpn tries to reconfigure the same
14:34 <@ordex> simpledat: apparently the author of the script is also suggesting to ignore them or use route-noexec
14:35 <@ordex> simpledat: right ?
14:35 < simpledat> ordex: I think so
14:35 < simpledat> https://github.com/wknapik/vpnfailsafe
14:35 <@vpnHelper> Title: GitHub - wknapik/vpnfailsafe: IP leak prevention for OpenVPN (at github.com)
14:35 < simpledat> "RTNETLINK answers: File exists" errors can be ignored safely. They appear when OpenVPN tries to set up a route, that's already been created by vpnfailsafe. Adding the "route-noexec" option will tell OpenVPN to leave routing to vpnfailsafe and prevent those errors from appearing.
14:35 <@ordex> simpledat: yeah. than this was already predicted by the script creator
14:35 < simpledat> ordex: Should I really ignore them then?
14:36 <@ordex> yeah
14:36 < simpledat> ok :)
14:36 <@ordex> or use route-noexec to avoid openvpn from trying to install them at all
14:36 < simpledat> Dependencies are minimal (listed in the PKGBUILD file). One assumption is that the VPN server will push at least one DNS to the client.
14:36 < simpledat> what does this mean?
14:37 <@ordex> joze_: it's the server pushing the openDNS IPs - can you share the server config ?
14:37 <@ordex> simpledat: why don't you contact the script author directly? :P might be easier hehe
14:38 <@ordex> it want the server to push a DNS
14:38 <@ordex> an openvpn server can push several options and that is saying that is expected to have at least one DNS pushed
14:38 < joze_> ordex: yes I've also noticed something strange https://pastebin.com/2rUbg6vC
14:39 < joze_> ordex: I've one DNS being pushed... anyway I thought this could be some miss configuration so I've purged, removed etc and came across this at install moment https://postimg.org/image/l0ln09wu5/227e685a/
14:39 <@vpnHelper> Title: openvpn-install — Postimage.io (at postimg.org)
14:39 <@ordex> joze_: how about pasting the server log too while the client connects? this way we can see the push options from the server side..although … the client is pretty clear
14:41 < joze_> ordex: I couldn't find anything besides the first file I submitted and syslog output traced by tail -f while clients connected
14:41 < joze_> ordex: this is it https://pastebin.com/A69Nw2YE
14:42 <@ordex> joze_: the dns comment was for simpledat
14:43 <@ordex> joze_: well the server log is consistent. it is pushing the open dns ips
14:43 <@ordex> hm
14:44 < joze_> ordex: but the server conf has none...
14:44 <@ordex> joze_: any chance you arerunning some customized/rebranded code ?
14:44 < joze_> nope coming from apt-get repo
14:44 <@ordex> what openvpn version are you running on the server ?
14:45 < joze_> however I found something very strange look at the bottom https://postimg.org/image/l0ln09wu5/227e685a/
14:45 <@vpnHelper> Title: openvpn-install — Postimage.io (at postimg.org)
14:46 < simpledat> ordex: I dont know the author. :P So the openvpn server has one DNS pushed atleast? How do I know this?
14:46 <@ordex> simpledat: you should check the client log to see if you are receiving a DNS
14:47 <@ordex> joze_: well, but the server is running, right? so the config file is there I think ?
14:47 <@ordex> joze_: maybe you are running another config from the one you have pasted ?
14:47 < simpledat> ordex: May you check the log file I paste to you and tell me please? :)
14:47 <@ordex> joze_: how about sending the log to a file so that you can restart the server and collect the *whole* log in the file ?
14:49 <@ordex> simpledat: this part of the "pushed options" is what you are looking for: dhcp-option DNS 46.227....
14:49 <@ordex> so it seems some DNS is being pushed
14:50 < joze_> ordex: strange but after sudo apt-get purge --auto-remove I can only spor one openvpn service so I need to reinstall and maker sure that everything is ok I will take five minutes and I get back to you
14:50 < simpledat> order: ok thank you
14:50 <@ordex> joze_: well, before reinstalling
14:51 <@ordex> joze_: what's the content of /etc/openvpn/
14:52 < joze_> ordex: none directory does not exist
14:52 <@ordex> oh ok, then where do you put your config ? how do you run your server ?
14:59 <@krzee> doverZ: it will start openvpn on all the .ovpn files in the config dir, if you want a second config to start just toss it in there with .ovpn file extension
14:59 <@krzee> it reads the config file directory and starts up a separate OpenVPN process for each config file.
15:05 <@ordex> joze_: ^^
15:06 < joze_> ordex: lost connection with server now ... :(
15:06 < joze_> ordex: a problem never comes alone I guess
15:06 < joze_> but hey thank you very much I guess I'll come back latter
15:07 <@ordex> joze_: np :)
15:32 < doverZ> krzee yea tried now but im testing it on a separate folder, the error i get now is that openvpn.exe doesnt recognize the tap adapter ive created for the second vpn
15:32 < doverZ> krzee i created it through the windows wizard from devices manager
15:43 < doverZ> going to retry again after a while, now have something else to do, will write the solution or the error :p
16:27 < CentiZen> Hi all, hope this isn't a stupid question but I've been banging my head against this for about 24 hours
16:27 < CentiZen> I'm using the built in OpenVPN server on a Cisco LPT214 - and I'm pretty sure I have at least the first part working. I can get a client to connect.
16:27 < CentiZen> But once I do, pretty much all internet traffic stops working on the device
16:27 < CentiZen> I'd love to troubleshoot further but I'm pretty new to this and don't want to mess things up more
16:27 < CentiZen> any ideas?
17:52 < doverZ> krzee, found the problem
17:52 < doverZ> openvpn doesnt like windows wizard adapters xd, had to go to "C:\Program Files\TAP-Windows"
17:52 < doverZ> then inside the bin folder
17:52 < doverZ> tapinstall.exe install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
17:53 < doverZ> this creates a new adapter, to check that it works fine, can check using this command: openvpn --show-adapters
17:54 < doverZ> for the second and next VPNs on windows, is a must to reference them inside the ovpn server file
17:55 < doverZ> linux is easier, but in my case had to do with a windows server instance
17:55 < doverZ> and the thing im going to try now is to register my own service, so both vpns have independent service instances too
17:56 < doverZ> this is the best for maintenance
18:34 < joze_> ordex: I'm starting to think I'm having some serious trouble with openvpn server check this out https://postimg.org/image/rhwn001rt/
18:34 <@vpnHelper> Title: openvpn — Postimage.io (at postimg.org)
18:34 -!- deetwelv- is now known as deetwelve
18:35 < joze_> not sure what openvpn@server is doing there as a second option for openvp service anyone with similiar situation?
18:38 < doverZ> not sure if i can clear ur doubts
18:38 < doverZ> u wondering why u see openvpn@THIS?
18:38 < doverZ> on linux u can use that syntax to create as many VPNs as u want
18:39 < doverZ> systemctl start openvpn@server1 ... then do again systemctl start openvpn@server2
18:39 < doverZ> but before this u will need to create new adapters, 1 per extra vpn u add
18:40 < doverZ> is that what u wanted to know?
18:40 < joze_> doverZ: yes and also because I'm having some trouble trying to understand why i'm getting two opendns ip addresses if my server config has only one address from my remote DNS server :(
18:41 < joze_> doverZ: hold on, I only want to know if it is normal to have those two service options there if I only installed on openvpn server and configured only on server.conf file
18:42 < doverZ> yea its ok
18:42 < doverZ> but i guess that if u want to use only one vpn without diving into extra steps
18:42 < doverZ> just systemctl start openvpn should work
18:43 < doverZ> that is the same than systemctl start openvpn@server
18:43 < doverZ> about the dns idk if i can help
18:44 < joze_> doverZ: my vpn server is working the problem is that the clients are receiving two opendns ips when there is only one being pushed by server and that DNS ip is from local network machine
18:45 < joze_> so i thought that those two instances of openvpn server could being messing up
18:46 < joze_> but I'm not sure of nothing of that the only thing I'm sure is that there is not a single DNS server serving openDNS ips in remote network
18:46 < joze_> so can only be caused by opendns
18:46 < joze_> but as i said earlier server.conf is pushing only local DNS ip address
18:47 < joze_> *caused by openvpn
18:48 < joze_> doverZ: do you understand what I mean? Sorry for my terrible english
18:48 < doverZ> never used those settings, just the basic ones, yes i understood
18:49 < doverZ> are u using the latest version of openvpn?
18:49 < joze_> apt-get install openvpn
18:50 < joze_> that is what i did
18:50 < doverZ> are u using the vpn to get internet access through it?
18:50 < joze_> I need remote LAN DNS resolution and internet
18:51 < joze_> everything must pass through VPN
18:51 < doverZ> yea
18:52 < doverZ> if u get 2 opendns is ok
18:52 < doverZ> as its specified
18:52 < doverZ> but
18:52 < doverZ> i think u need 1 opendns and 1 of ur local network dns
18:52 < doverZ> for ur custom services
18:52 < doverZ> right?
18:52 < doverZ> try to modify the second value
18:52 < doverZ> of server.ovpn
18:52 < doverZ> the second push at dns settings
18:53 < doverZ> and put there the ip u want
18:53 < doverZ> of ur remote local dns
18:53 < joze_> I should be fine the thing is I didn't specified a single opendns ip in server conf
18:53 < joze_> *it
18:53 < doverZ> ;push "dhcp-option DNS 208.67.222.222"
18:53 < doverZ> ;push "dhcp-option DNS 208.67.220.220"
18:53 < doverZ> they come by default commented for me
18:53 < doverZ> but maybe not in the version u installed
18:53 < doverZ> if u dont want them
18:53 < joze_> yes I've removed both from my config
18:54 < doverZ> yea
18:54 < doverZ> then restart the service
18:54 < doverZ> to apply changes
18:54 < doverZ> its obvious but i use to forget this sometimes xd
18:54 < joze_> I have
18:54 < joze_> take a look at my server config
18:55 < joze_> https://pastebin.com/P56tnVxs
18:56 < joze_> I've tried a few thing by now I don't get where opendns come from do you get it now?
18:56 < doverZ> yea lol
18:56 < doverZ> btw
18:57 < doverZ> this version isnt the latest, withc distro are u using?
18:59 < joze_> doverZ: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
19:01 < doverZ> im using 2.4.2-l601
19:01 < doverZ> recently had issues with that
19:01 < doverZ> connecting to an old server
19:01 < doverZ> like yours
19:01 < doverZ> with the new client
19:01 < doverZ> because of ciphers stuff
19:02 < doverZ> so updated the server
19:02 < doverZ> to the latest version
19:02 < joze_> ubuntu 16.04 has this version in repository
19:03 < doverZ> https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
19:03 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
19:03 < doverZ> i guess u can use the repos from this link
19:03 < doverZ> to get more updated versions
19:04 < doverZ> maybe u can uninstall that version u have
19:04 < doverZ> then install this new
19:04 < doverZ> and retry the config
19:05 < doverZ> im fighting too with something about this but on windows xd
19:05 < doverZ> now trying to create a new service from an exe with parameters
19:06 < doverZ> life on linux is much easier :p
19:07 < joze_> doverZ: I agree
19:08 < joze_> I removed purged deleted burned the installed release and I'm installing stable for xentai
19:09 < doverZ> good
19:09 < doverZ> oh
19:09 < doverZ> today is the release day of debian 9
19:14 < doverZ> btw
19:14 < doverZ> would recommend u to use the google dns
19:14 < doverZ> instead of opendns
19:14 < doverZ> i realised sometimes
19:14 < doverZ> that they blocked sometimes
19:14 < doverZ> russian websites
19:14 < doverZ> and others
19:14 < doverZ> also porn!
19:14 < doverZ> lol
19:14 < doverZ> they r dead for me since then :p
19:15 < joze_> doverZ: ;)
19:15 < joze_> OpenVPN 2.4.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 11 2017
19:15 < doverZ> nice
19:15 < doverZ> now retry the config
19:15 < doverZ> and test it
19:16 < doverZ> but dont paste ur old
19:16 < doverZ> parameters
19:16 < doverZ> just modify the example server.ovpn
19:16 < doverZ> from .../openvpnfolder/sample-config
19:22 < doverZ> how is it going
19:29 < joze_> doverZ: can't connect I've set client verbose to 4
19:29 < joze_> a huge output
19:32 < doverZ> make sure u have every shared parameter between server and client the same
19:32 < doverZ> which client version u have?
19:32 < doverZ> make sure its 2.4.2 too
19:33 < doverZ> can check the config files for server and client if u paste them
19:33 < joze_> I'm running viscosity client
19:33 < joze_> https://pastebin.com/1H99KR0i
19:33 < joze_> this is client log
19:35 < doverZ> i bet that what happened
19:35 < doverZ> is that u dont have a tls key
19:35 < doverZ> on the client cfg file
19:36 < doverZ> find smth like this
19:36 < doverZ> tls-auth ta.key 1
19:36 < doverZ> and comment it
19:36 < doverZ> and on server.ovpn too
19:36 < doverZ> tls-auth ta.key 0 # This file is secret
19:36 < joze_> doverZ: I don't have it and in the earlier connection didn't to
19:36 < doverZ> comment this other line
19:36 < doverZ> then comment only the server file
19:36 < doverZ> that line
19:36 < doverZ> tls-auth ta.key 0 # This file is secret
19:37 < joze_> ok ok let me recheck
19:37 < doverZ> stop the service
19:37 < doverZ> comment
19:37 < doverZ> and restart service
19:37 < doverZ> today checking internet for my issues found a guy using this other client
19:37 < doverZ> for mac
19:37 < doverZ> https://tunnelblick.net/
19:37 <@vpnHelper> Title: Tunnelblick | Free open source OpenVPN VPN client server software for Mac OS X and macOS (at tunnelblick.net)
19:37 < doverZ> i dont have mac so cant tell
19:38 < doverZ> but for first try the commenting of that line
19:38 < doverZ> by default is on
19:38 < doverZ> so it requires each client
19:38 < doverZ> to have that ta.key file
19:38 < doverZ> if not u wont connect
19:38 < doverZ> so commenting it makes it work
19:38 < doverZ> although that file gives extra security to the vpn, so is good to have
19:39 < joze_> doverZ: how can I generate that file
19:39 < joze_> with easyrsa?
19:39 < doverZ> yea
19:39 < doverZ> wait
19:40 < doverZ> no
19:40 < doverZ> with openvpn command
19:40 < doverZ> openvpn --genkey --secret ta.key
19:40 < joze_> but probably i need to restart and go through out the process of generating all server keys crt etc?
19:40 < doverZ> yes of course
19:40 < doverZ> but the ta key is just that
19:41 < doverZ> generate and place it at server where u have the ovpn
19:41 < doverZ> and also on the client folder
19:41 < doverZ> on ur pc
19:41 < joze_> ok so i've removed the ta key from config
19:41 < doverZ> but
19:41 < joze_> and restarted the service
19:41 < doverZ> first
19:41 < doverZ> avoid the ta.key
19:41 < joze_> but still can't connect
19:41 < doverZ> do it simple
19:41 < doverZ> then add stuff
19:41 < doverZ> u need certs
19:41 < doverZ> if u havent created
19:42 < joze_> I have certs I'm using the old certs i had
19:42 < joze_> server.crt server.key ca.crt
19:42 < doverZ> and u have client crts too?
19:42 < joze_> from old server configuration and clients as well
19:43 < doverZ> u got the same error?
19:43 < joze_> yes
19:43 < joze_> Jun 17 01:33:28: us=18116 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
19:43 < doverZ> u commented the TLS line?
19:43 < joze_> I am on the remote server via ssh
19:43 < joze_> yes I have
19:43 < doverZ> check the client config
19:44 < doverZ> for that lines too if there s smth similar
19:44 < doverZ> comment
19:47 < joze_> doverZ: I will copy a new conf file and pass cert keys ca etc
19:49 < doverZ> yep
20:04 < joze_> dover going to sleep thank you man for all of your help but it didnt worked I will be back on monday ;)
20:04 < doverZ> ok
20:04 < doverZ> gn
20:05 < joze_> thank you have a great day if it's the case ;)
20:49 < PrincessBob> windows 10.. openvpn 2.4.2      does it matter where i place --block-outside-dns?
20:51 < Eugene> !--
20:51 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
20:51 < Eugene> PrincessBob ^
20:54 < PrincessBob> well    im just trying t ofix dns leak
20:54 < PrincessBob> and the method i used for vista.. doesnt work on windows 10 :)
20:54 < PrincessBob> ok.. so i can do without the --
20:55 < PrincessBob> ty Eugene :)... but does it matter where in the config file that line is?
20:56 < Eugene> The config file is not ordered
20:56 < PrincessBob> ohh.. so its not like step 1.. step 2.. step 3?
20:56 < Eugene> Nope
20:57 < PrincessBob> what other neat things are worthy to put in a config file?
20:57 < PrincessBob> im a noob at this
20:57 < Eugene> I believe <connection> blocks are the only thing that matters order-wise? I'm sure you can find an edge case if you try hard enough, but generally no, anywhere is fine
20:57 < Eugene> "Everything you need to make the VPN work" ;-)
20:58 < Eugene> Here is my server.conf, for reference https://vomitb.in/1UYbSE0nKZ
20:58 < PrincessBob> then why didnt my vpns downloaded config files have it in it??
20:58 < PrincessBob> thats what i dont get...
20:58 < PrincessBob> grumbles
20:58 < PrincessBob> ty
20:58 < Eugene> Noooormally you put as much of the config into the server side as possible, and then push options to the client
20:59 < Eugene> Backing up.... what are you "downloading" a config file from? A pfsense router or similar/
21:00 < Eugene> And please note that my server.conf is littered with garbage
21:03 < PrincessBob> my vpn
21:03 < PrincessBob> im a simple user
21:03 < PrincessBob> :)
21:04 < PrincessBob> my experience has been.. vpn downloaded config files...  are 'lacking'
21:04 < PrincessBob> for all i know.. there is a config to turn my laptop into a shiny disco ball!
21:04 < PrincessBob> and durnit.. i don't wanna miss out
21:05 < Eugene> What is your server?
21:05 < PrincessBob> I use torguard
21:08 < Eugene> Ah. We can't support provider-sourced VPN configs
21:09 < PrincessBob> you just helped me :)
21:09 < PrincessBob> ppppttthh
21:09 < PrincessBob> how else is openvpn used?
21:09 < PrincessBob> to log into user ran servers?
21:16 < Eugene> !both
21:16 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
21:17 < Eugene> We generally support server admins; end-user help is their problem
21:17 < Eugene> Mostly because the client can't do a damn thing if the server isn't set up for it
21:18 < PrincessBob> ohhh
21:18 < PrincessBob> so you help the server people
21:18 < PrincessBob> gotcha!
21:18  * PrincessBob nods
21:19 < Eugene> Nothing personal, just that we can't actually /do/ anything for you
21:19 < PrincessBob> you helped me a lot :)
21:19 < Eugene> Great!
21:19 < Eugene> !beer
21:19 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
21:22 < PrincessBob> well thank you for your help Eugene :)
23:29 < rad1928_> is there a way to route all my home traffic out openvpn hosted on aws ?
--- Day changed Sat Jun 17 2017
00:29 <@krzee> rad1928_: sure
00:29 <@krzee> !redirect
00:29 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
00:29 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
02:13 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 260 seconds]
02:14 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
02:14 -!- mode/#openvpn [+v RBecker] by ChanServ
04:37 < joze_> hi I'm getting "Exiting due to fatal error" what is killing this process https://pastebin.com/KNLxtZx5
04:38 < joze_> I've upgraded to the latest stable version
07:34 < Protected> Good afternoon. I'm having trouble getting openvpn to play nice with the CSF firewall. Does anyone here happen to have past experience with this setup, or does anyone know where I can ask for help with this setup?
07:35 < Protected> Just to be clear, the exact same openvpn setup works flawlessly if the firewall is off.
07:36 < obinood> is there any chance of passing all trafic throught vpn and access remote LAN DNS? When I connect via vpn and query remote DNS machine I get this:
07:37 < obinood> nslookup 8.8.8.8 Server:		192.168.20.1 Address:	192.168.20.1#53  ** server can't find 8.8.8.8.in-addr.arpa: REFUSED
07:38 < Protected> Is that address in the vpn range or in the remote LAN range?
07:38 < obinood> Protected: that address you mean google's DNS?
07:39 < Protected> Your objective is to use 8.8.8.8 as your DNS server, but route traffic to it through the vpn?
07:39 < obinood> Protected: this ip 192.168.20.1 is the remote DNS server that is being pushed to clients
07:39 < Protected> Ok...
07:40 < Protected> And you don't want that?
07:40 < obinood> Protected: no my objective it to have access to remote DNS which I have but also resolve web
07:41 < obinood> Protected: so now I can browse remote LAN but still need browse the web
07:41 < Hink> Has anyone else here on Windows 10 been experiencing a really slow connection with the OpenVPN GUI client after the Windows 10 Creator update?
07:41 < Protected> obinood, I think I understand, but that is probably a dns configuration issue
07:42 < obinood> Protected: yes but remote DNS is well configured and everything on remote works flawlessly so probably not remote DNS server trouble I've spent a few hours troubleshooting this and I still with no answer at all
07:45 < obinood> If I push DNS 8.8.8.8 and/or DNS 8.8.4.4 I loose remote DNS server resolution but I can surf the web
07:46 < obinood> I need a solution where I can make both things
07:51 < Protected> obinood: But do you want to surf the web through the vpn, or outside the vpn?
07:52 < obinood> Protected: preferable through vpn
07:53 < obinood> Protected: is it possible to achieve this by bridging clients connection?
08:11 < obinood> anyone with a great ideia? lol
08:12 < obinood> \JOIN #linux
08:12 < obinood> sorry
08:17 < obinood> is it possible for openvpn server if server DNS can't resolve forward to gateway or any other ip
08:17 < obinood> ?
08:17 < skyroveRR> obinood: yes.
08:18 < skyroveRR> Using iptables.
08:18 < skyroveRR> Use the DNAT rule.
08:18 < obinood> skyroveRR: so I need that first it must query my DNS server and only then forward
08:19 < skyroveRR> iptables -t nat -A PREROUTING -s <VPN_client> --dport 53 -j DNAT --to <DNS_server>
08:19 < skyroveRR> No, it can query your VPN server itself, and it will DNAT to whatever DNS server you like.
08:20 < obinood> skyroveRR: this is my ufw rules
08:20 < skyroveRR> eek, don't use UFW :(
08:20 < skyroveRR> And use pastebin.
08:20 < skyroveRR> For pasting rules.
08:20 < skyroveRR> iptables-save
08:21 < obinood> ok
08:22 < obinood> but can I simply let the ufw enabled or I need to disable it?
08:22 < skyroveRR> Keep UFW enabled.
08:22 < skyroveRR> Hopefully it won't fuck around.
08:22 < skyroveRR> But I don't use that shit, so I can't tell.
08:22 < obinood> ok but I have rules there that might change behaviour I would say...
08:26 < obinood> skyroveRR: anyway this is my ufw before.rules that affect NAT https://pastebin.com/tvk96AhM
08:27 < skyroveRR> Shouldn't affect that DNAT rule :)
08:30 < obinood> skyroveRR: I can use it like this in order to affect the whole VPN network:  iptables -t nat -A PREROUTING -s 10.8.0.0/8 --dport 53 -j DNAT --to 192.168.20.1
08:30 < skyroveRR> obinood: sure, as long as you have route to 192.168.20.1, I hope :)
08:31 < skyroveRR> You can append :53 to the end of your destination IP. This way: 192.168.20.1:53
08:32 < obinood> skyroveRR: I need to fuss in iptables I can only do the basics, but that shouldn't I suppress --dport ?
08:32 < skyroveRR> obinood: and of course, that DNS server needs to know the route to your VPN network.
08:33 < skyroveRR> Well you do need the --dport.
08:33 < obinood> skyroveRR: both servers live in same machine openvpn and dns services
08:33 < skyroveRR> Ok
08:34 < obinood> are running in same server so probably i don't need any extra routing rule
09:31 <@krzee> skyroveRR: odds are he just solved the wrong goal completely, i bet he only wanted his vpn server to forward dns because he copied a config from google that used the vpn server as dns resolver while on vpn
09:31 <@krzee> lol
09:32 <@krzee> thats my bet at lest
09:33 < skyroveRR> ordex: that's what most people do, sadly :(
09:35 <@krzee> yep, and him being a webchat user increases the odds
11:32 < Protected> A second and final attempt, anyone here uses the CSF firewall with openvpn? :) Can't get them to run at the same time; vpn works perfectly if unchanged and if I just run the custom rules script I wrote for the firewall independently from it. Yes, this is 100% a firewall issue. Will also be thankful for pointers to where I can find a solution instead, if you have any.
11:35 < skyroveRR> Protected: you'll probably have luck in the ##networking channel.
11:37 < Protected> Thank you skyroveRR
13:34 < Protected> Well, painstakingly traced the packets and it ended up being something stupid, a chain whose policy was set to drop which I was used to having as accept
13:36 < skyroveRR> Protected: :D
14:09 < Sagan> !welcome
14:09 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
14:09 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
14:11 < Sagan> huh. so much text. is there an FOSS ubuntu-package for openvpn? I'm confused by reading "Purchase License" on the webpage
14:12 < Kolas> how are you trying to install it?
14:13 < Kolas> maybe i am entirely missing your point. what does
14:13 < Kolas> apt-get install openvpn
14:13 < Kolas>  do for you?
14:13 < Sagan> Kolas: I'm looking for a package, but it looks like I find a guide on another site
14:14 < Sagan> Kolas: I was not sure, if there is one, I did not tried yet, but thanks :)
14:15 < Kolas> for me on ubuntu apt-get install openvpn is working perfectly
14:17 < Sagan> Kolas: yeah, it does. but before, I looked up openvpn.net, and was confused by reading "Purchase License" on that page
14:21 < Kolas> thats openvpn access server
14:22 < Sagan> Kolas: what's the difference? Can I image that like a community maintained and an enterprise version?
14:23 < Kolas> ya
14:23 < Kolas> it has more featuers when you look at the overview
14:30 <+|Mike|> See #openvpn-as if you're looking for more info on OpenVPN-AS ;-)
14:30 < Sagan> I'm first looking for some basic start, but thanks :)
15:31 < Sagan> can somebody help me with setting up openvpn? I used this guide: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04 and got stuck at step 9: systemctl start openvpn shows "active (exited)"
15:31 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
15:33 <+|Mike|> Sagan: see topic
15:38 < Sagan> |Mike|: which part to you mean? !goal?
15:51 < Sagan> nvm, looks like I got the error
16:01 -!- dionysus70 is now known as dionysus69
16:17 < Sagan> Is there a way to see at the server who is connected? I'm not sure if my config works, since the tunnel on windows says I'm connected, but for example I'm still connected through the old IP to IRC
16:18 -!- almostworking is now known as almstwrking
16:38 < doverZ> sagan, u can use openvpn dedicated repositories
16:38 < doverZ> for debian/ubuntu
16:38 < doverZ> https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
16:38 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
16:38 < doverZ> the versions there are more up to date
16:40 < Sagan> doverZ: I actually managed it to install the whole thing, but I now got the problem: My (windows) PC says, I'm connect, but anyway I'm connect through my real IP, not the IP of the server
16:42 < doverZ> ah u want to use it as a proxy, use internet through the vpn
16:42 < doverZ> u have to configure it
16:43 < doverZ> its not enabled that feature by default
16:44 < Sagan> doverZ: what do I have to add to the config that?
16:47 < doverZ> check the server.ovpn
16:47 < doverZ> all options in it are documented
16:49 < doverZ> https://www.digitalocean.com/community/tutorials/3-ways-to-securely-browse-the-internet-with-openvpn-on-debian-8
16:49 <@vpnHelper> Title: 3 Ways to Securely Browse the Internet with OpenVPN on Debian 8 | DigitalOcean (at www.digitalocean.com)
16:51 < doverZ> think that u have to add dns on the server file
16:51 < doverZ> uncomment the push lines and the gateway ones removing the ;
16:51 < doverZ> push "redirect-gateway def1"
16:51 < doverZ> #set the dns servers
16:51 < doverZ> push "dhcp-option DNS 8.8.8.8"
16:51 < doverZ> push "dhcp-option DNS 8.8.4.4"
16:51 < doverZ> smth like that
16:52 < doverZ> but where they say def1, write ur network device
16:52 < doverZ> echo 1 > /proc/sys/net/ipv4/ip_forward
16:52 < doverZ> and finally
16:52 < doverZ> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
16:54 < Sagan> will try, thx
17:01 < Sagan> doverZ: do you know if I have to adjust the client config too?
17:04 < doverZ> dont think so
17:04 < doverZ> have u tried it?
17:04 < doverZ> do systemctl restart openvpn
17:04 < doverZ> to refresh changes
17:05 < Sagan> I started and stopped it, and reconnect the client
17:05 < doverZ> u can connect to the server?
17:06 < doverZ> after u did that
17:06 < doverZ> if u are on windows
17:06 < doverZ> as the client machine
17:06 < doverZ> have to give priority to the vpn adapter
17:07 < doverZ> so its used in first place if enabled
17:07 < doverZ> meaning that u will use ur server ip
17:07 < Sagan> ah, ok
17:07 < doverZ> instead of ur home ip
17:07 < doverZ> go to the network devices window
17:07 < doverZ> at control panel
17:08 < doverZ> then press ALT to show the window menu
17:08 < doverZ> advanced - advanced settings
17:08 < doverZ> u will see a list of the connections
17:08 < doverZ> networks adapters
17:08 < doverZ> move up the vpn one
17:08 < doverZ> apply
17:08 < doverZ> and reconnect to the vpn
17:08 < doverZ> then check ur public ip after that
17:08 < doverZ> it should be the server one
17:11 < doverZ> to avoid issues
17:11 < Sagan> doverZ: the connection using the vpn worked, but windows said the "network adapter2 (VPN) has no connection to the internet
17:12 < doverZ> u applied all commands i said?
17:12 < doverZ> <doverZ> echo 1 > /proc/sys/net/ipv4/ip_forward
17:12 < doverZ> <doverZ> and finally
17:12 < doverZ> <doverZ> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
17:12 < Sagan> yeah, I did
17:12 < Sagan> succeeded without errors
17:13 < doverZ> btw to avoid issues
17:13 < doverZ> better edit this file
17:13 < doverZ> "/etc/sysctl.conf"
17:13 < doverZ> and ucomment "net.ipv4.ip_forward=1"
17:13 < Sagan> that's already uncommended
17:14 < Sagan> when I'm trying to establish connections via the tunnel currently, I get timeouts
17:14 < doverZ> it should work
17:14 < doverZ> can u check the log of the server?
17:14 < Sagan> doverZ: which log?
17:14 < doverZ> to find out whats happeneing
17:15 < Sagan> (it's xenial)
17:15 < doverZ> cat /var/log/openvpn
17:16 < Sagan> cat: /var/log/openvpn: No such file or directory
17:16 < Sagan> huh
17:17 < doverZ> add this to ur server.ovpn
17:17 < doverZ> log-append /var/log/openvpn
17:17 < doverZ> and restart the service
17:19 < Sagan> doverZ: which kind of line do you need? Send control, or somehing like that?
17:34 < doverZ> paste the whole thing
17:34 < doverZ> on pastebin
17:34 < doverZ> and share the link here
17:36 < gartral> hey all, I am having massive issues getting openvpn 15.05 Chaos Calmer to connect to my openVPN server, i really want it to cennect and route all traffic through that but it's being finicky
17:36 < gartral> i've installed openvpn-openssl and the luci-openvpn-app packages and I've configured them, I added a tun/tun0 device and bridged them but the vpn isn't starting
19:28 -!- almstwrking is now known as almostworking
19:32 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 246 seconds]
19:35 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
19:35 -!- mode/#openvpn [+v RBecker] by ChanServ
--- Day changed Sun Jun 18 2017
02:26 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 258 seconds]
02:27 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
02:27 -!- mode/#openvpn [+o syzzer] by ChanServ
04:01 < COOurb> hi, I have question about crating certificate
04:01 < COOurb> creating*
04:01 < COOurb> I should create public and private key and also certificate request for senting it to provider?
04:02 < COOurb> should I use built-in tools for it, or something else?
04:06 < COOurb> also, where I can test my settings for free?
04:12 < fnljk> exploit-db.com > remote exploits > ..whichever gets u root asap, use some proxy which u'd ofc. know are monitored anyway but wouldnt care much about as you relay thru enough to complicatea any tracking... ta...daaaa!   free servers ahoy, servers for everyone!  (no, don't .. not really. keep them to urself.).  Just a joke, of course. Not as straight-forward nor even wanting to encourage to any nefa
04:12 < fnljk> ..nefarious doings.  Just reminder.. wanna any bit of anonymity... may consider tactically relaying thru a long chain of..... uh, "unusual" relays not as easily in compliance with foreign govts requests and subpoenas n such.
04:14 < fnljk> just some loud thinking.. nonense, ofc.  personally would suggest use a neighbors wifi, open their tcp 80 and use https://letsencrypt.org/ to get a cert for it , for an easy not-so-shady testing.    also,  consider the easy-rsa toolz... ? hmmm.   intent and purposes unclear.   but, i need to walk my cat.. its been meowing long already it needs its walk..brb/bbl.
04:14 <@vpnHelper> Title: Let's Encrypt - Free SSL/TLS Certificates (at letsencrypt.org)
04:30 < COOurb> hey, guys, anyone can help me?
04:30 < COOurb> I'm kinda new to it
04:30 < COOurb> vpnHelper: hey, bot
04:39 < fnljk> what beyond the documentation found in the manual and thru google-search  are you seeking.. spill the beans, let's hear it.. Best not ask to ask, just spit out!  .. some1 knows, maybe they'd add their  input, then..     what've u got to lose anyway1
04:39 < fnljk> ..no well.. be that way then.. do it ur way, however. good luck
04:41 < COOurb> ok, I'm lamer, but wanna know what means all these configuration entries
04:41 < COOurb> because I've downloaded .ovpn config file with cert/keys in it
04:42 < COOurb> And wanna know what they means
04:42 < COOurb> what tls-auth means?
04:42 < COOurb> is it server's open-key?
04:42 < COOurb> you know, to encrypt server you sending to server
04:42 < COOurb> or something else?
04:44 < COOurb> how it's usually works? Usually in my organisation I create "key"+"request fot sert" and manually send it (with all corresponging documents and signs) to "cert center"
04:44 < COOurb> So, same methods here?
04:46 < Kolas> i think the easiest for you would be to start from what you are trying to do.
04:47 < Kolas> and go through the process and it will all be much clearer
04:47 < COOurb> I wanna secure my connection
04:47 < Kolas> so you have a client and a server?
04:48 < COOurb> I've download openvpn and install it
04:48 < Kolas> so you have a client and a server?
04:48 < COOurb> I have only client now
04:48 < Kolas> where is your server?
04:49 < COOurb> nowhere, just thinking what to do next
04:49 < Kolas> options
04:49 < Kolas> you could go with a paid vpn
04:49 < Kolas> and then just configure your client to connect to it
04:49 < Kolas> or you could go with a paid VPS
04:49 < Kolas> and set up an openvpn server there. and then connect your client to that
04:49 < COOurb> yep, but is there any free "promo" time?
04:50 < Kolas> that depends on the paid vpn company i guess
04:50 < COOurb> also I wanna know what all these parameters mean
04:50 < Kolas> i think most of them you can just google very easily
04:51 < COOurb> what should I get from vpn-server to start
04:51 < Kolas> https://technet.microsoft.com/en-us/library/cc779919(v=ws.10).aspx
04:51 < COOurb> nope, I can't. Perhaps third page of google
04:51 < Kolas> here from your friends at microsoft some stuff about vpn
04:51 < Kolas> you are in luck there is the link for you :D
04:52 < Kolas> first you have to decide if you want to pay for a VPN service somebody provides.. i have no preference there...
04:52 < Kolas> depends a bit what you want to use the vpn for
04:52 < Kolas> or if you want to pay for your own server (vps) to set up an openvpn server yourself
04:52 < COOurb> web-browsing, mostly
04:53 < COOurb> no, I don't need own server
04:53 < Kolas> ok.
04:53 < Kolas> that should make the whole process simpler
04:54 < COOurb> just don't wanna be a monky and wanna understand how it works, to be able to fix it if it will break
04:54 < COOurb> monley*
04:54 < COOurb> monkey*
04:54 < COOurb> damn
04:54 < COOurb> thanks for the link
04:55 < Kolas> i am no expert by any stretch of the imagination
04:55 < Kolas> but it either works or doesnt. if you buy the service from someone else they should provide you with all the configuration files and info you need
04:55 < Kolas> and if its broken its most likely on there end
04:56 < Kolas> maybe spend some time here and see what other people like to use https://www.reddit.com/r/VPN/
04:56 <@vpnHelper> Title: Virtual Private Networks (at www.reddit.com)
04:56 < COOurb> yes, so to find out what broken and where I should get knowledge
04:57 < Kolas> did you study the link i sent to you in all detail
04:57 < Kolas> and have committed it to memory?
04:57 < Kolas> ;D
04:57 < COOurb> in process
04:57 < COOurb> dude, there a lot of text, not too fast
04:58 < COOurb> also englis not my native, so it's kinda hard
04:58 < Kolas> what is your native language?
04:58 < COOurb> russian
05:00 < Kolas> https://blog.kaspersky.ru/vpn-explained/10635/
05:00 < Kolas> https://habrahabr.ru/post/67209/
05:00 <@vpnHelper> Title: OpenVPN: создание полноценного openVPN gateway / Хабрахабр (at habrahabr.ru)
05:01 < Kolas> https://openmaniak.com/ru/openvpn.php
05:01 < Kolas> third link looks nice..
05:01 < Kolas> judging by the pictures ;D
05:02 < COOurb> danke, but I start from MS
05:02 < Kolas> good luck!
05:03 < COOurb> thx
05:44 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
05:47 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
05:47 -!- mode/#openvpn [+v RBecker] by ChanServ
07:42 < jkliemann> why can I use aes-180-gcm in server mode but not in p2p mode?
07:42 < jkliemann> *aes-128-gcm
08:01 <@krzee> see if using tls-client and tls-server fix that
08:15 < Sagan> I don't know much about subnets, but I get the error that the local and the remote endpints are not within the same 255.255.255.252 subnet. The remote has 255.255.255.0, but how can I see what my client is using, and adjust this?
09:05 < jkliemann> krzee that is normal server client mode and working (incompatible with --secret), but i require p2p mode
09:06 < jkliemann> also i cant ping ipv6 through the tunnel, ipv4 is working fine
09:07 < jkliemann> but when i ping ipv6, i cann see the pings with tcpdump only on one side
09:24 < jkliemann> it seems that openvpn doesnt recognize its own ipv6 address, it also doesnt appear in the status log. does anyone know how to fix that?
09:25 < BtbN> gcm ciphers don't work in p2p mode.
09:25 < BtbN> they require a pki
09:26 < jkliemann> BtbN ah thanks
09:27 < BtbN> p2p mode in general is not exactly secure, and pfs is impossible
09:27 < jkliemann> Well I had the problem that ipv6 forwarding did only work in p2p mode
09:27 < BtbN> I don't see any reason why that would care about the mode openvpn is in.
09:28 < BtbN> If you setup a tls-server with a single client, it's equivalent, but a bit more compley due to the certificate management
09:29 < jkliemann> I dont see any reason either but with non p2p openvpn would not route any addresses from my LAN but in p2p it works
09:29 < BtbN> you misconfigured it then.
09:30 < BtbN> openvpn is also uninvolved with routing. Your kernel does that.
09:30 < jkliemann> are there any changes from openvpn 2.3 to 2.4 regarding ipv6?
09:32 < BtbN> bunch of bugfixes I'd assume.
09:33 < jkliemann> i have two similar configs ( I diffed them, only changes are the address prefixed due to different servers), with openvpn 2.4 the ipv6 address does not appear in the status log anymore
09:33 < BtbN> Is your openvpn 2.4 even built with IPV6 support?
09:33 < jkliemann> its from debian, I'd wonder if not
09:34 < jkliemann> how can I check that?
09:34 < BtbN> I'd assume the distro version to support it
09:34 < BtbN> Just a configuration issue then
09:35 < jkliemann> as I said, the config is identical, also the adresses and routes get pushed correctly
09:41 < jkliemann> if i tcpdump the tun device i can see pings only on pinging sidebut not on the other side
13:33 <@ordex> skyroveRR: what do most people do ?
15:28 -!- arunpyasi_ is now known as arunpyasi
17:21 < jkliemann> does openvpn allow "foreign" addresses through its tunnel?
17:25 < BtbN> that's up to the kernel
17:26 < jkliemann> i read a bit through the config and I think ethernet bridging is what i want
17:27 < BtbN> openvpn is at layer 3, there is no ethernet involved. Unless you use tap, which you most likely don't want.
17:28 < jkliemann> well, what I want to do is, I have a ipv4 and a ipv6 net in my lan, I want to route both through the openvpn, and ipv4 without nat
17:28 < BtbN> ok
17:29 < jkliemann> when I disable masquerading, ipv4 seems not to be let through the tunnel, only packets with source addresses given by the openvpn seem to be able to pass the tunnel
17:30 < BtbN> You most likely misconfigured the routing/firewall on the client and/or server
17:31 < jkliemann> well iptables masquerading is the switch, when I check with tcpdump, the packets leave the tun interface on the client but dont appear on the server
17:32 < jkliemann> when I enable masquerading, it works fine
17:33 < jkliemann> iptables policies are on ACCEPT and even if the routes were wrong on the server, it should at least reach the server
17:36 < BtbN> openvpn does not limit anything there
17:36 < BtbN> unless you configure it to do so, which I'm not even sure is possible
17:42 < Sauvin> I have very slow connexion, and no firewall.
17:43 < Sauvin> Ping times to Google usually 27-28ms, right now very often well over a second. Download speeds 10-15% of what I usually get without VPN.
19:36 < ExoUNX_> good even
19:36 < ExoUNX_> ing
19:37 < ExoUNX_> I want to route a subnet through an OpenVPN client
19:37 < ExoUNX_> but "route 192.168.5.0/24" through the client doesn't appear to work
20:08 < Sauvin> And I can't submit a ticket because the goddamn page doesn't render properly.
20:08 < Sauvin> I can't submit the CAPTCHA!
20:43 < Bock> Dinked with some ports and suchlike and it seems to have produced some dramatic results. I think I'm at a bit over 50% pre-openvpn speeds now.
21:27 < Haxxa> Anyway to remotely check openvpn server version?
21:57 -!- Bock is now known as Sauvin
22:39 < skyroveRR> ordex: hmm?
22:58 -!- ReimuHakurei_ is now known as ReimuHakurei
23:03 < fnljk> Haxxa: ..try see if  "os tcp/ip browser fingerprinting"  on  browserleaks.com/ip   has any info u could use to guesstimate such
23:04 < fnljk> atleast i remember it finding things like ... sha1... whatever else bit of info on that i was using openvpn,  on a  private host, likely default config, not running locally (in some router in-between) too
--- Day changed Mon Jun 19 2017
00:23 -!- SKYWARN is now known as ilken
01:33 <@ordex> skyroveRR: you wrote me something yesterday :P maybe it was not forme
01:57 < skyroveRR> ordex: uh... what was it? :D :D
03:03 <@ordex> skyroveRR: dunno :P I should scroll back a couple of days
03:03 < skyroveRR> :)
03:04 < skyroveRR> ordex: isn't batman some kind of a protocol (in the host you're connecting from?) :)
03:07 <@ordex> skyroveRR: yes, batman-adv is a wireless mesh routing protocol on layer 2
03:07 < skyroveRR> What device and which OS do you run batman from?
03:08 <@ordex> batman-adv a linux kernel module, so in theory it runs wherever you can run linux. but usually I run it on wireless routers
03:08 <@ordex> still, people run them on servers interconnecting other routers
03:08 < skyroveRR> Oh.
03:09 <@ordex> pretty easy to run as it comes with almost no config settings and pretty safe defaults for what is tunable
03:10 < skyroveRR> Does it come with most kernels or do you need to recompile the kernel?
03:10 < skyroveRR> I mean, does it come enabled by default?
03:10 <@ordex> it is part of the upstream kernel
03:10 <@ordex> so it depends on your distro
03:10 <@ordex> if it's already compiled or not
03:10 < skyroveRR> Oh, I have batman :D
03:11 <@ordex> most of the distro have a package for it, i.e. debian has something called kmod-batman-adv I believe
03:11 <@ordex> :D
03:11 < skyroveRR> CONFIG_BATMAN_ADV it is.
03:11 < skyroveRR> Set to modular.
03:11 <@ordex> right!
03:11 < skyroveRR> And rest is built-in.
03:12 <@ordex> yeah, the rest are just options that can be compiled-out to save space if you don't need them (on an embedded device)
03:12 <@ordex> then you can install a tool called batctl which is a userspace thing that helps running/configuring it
03:13 < skyroveRR> Right..
03:13 <@ordex> open-mesh.org and #batman on freenode can be useful if you want to deepen some more :)
03:13 < skyroveRR> Thanks
03:13 <@ordex> I am there too
03:13 <@ordex> np!
03:49 < arunpyasi> hi everyone, what may be the reason for windows client able to ping the ubuntu server but ubuntu server not able top ping the windows client ?
05:43 < operhiem1> !welcome
05:43 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
05:43 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
05:43 < operhiem1> !1925
05:43 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
05:45 < operhiem1> !goal
05:45 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:49 < operhiem1> I have a VPN provider that pushes a 0.0.0.0 route, which I'd like to apply only for traffic from a specific user. From what I've found so far I can mark packets with the user's UID and mangle them to use a different routing table, then set rp_filter to loose mode so responses make it back. (?) Is there a way I'm missing to configure routes to be added to a non-default routing table, or do I have to hard-code
05:49 < operhiem1> the route?
05:54 <@ordex> operhiem1: I don't think you can tell openvpn to use a specific routing table (although this might be an interesting feature) - you can use a a script on the client side to configure that, instead of hardcoding everything
05:54 <@ordex> operhiem1: not sure why you'd need rp_filter?
05:55 <@ordex> anyway bbl
05:57 < operhiem1> ordex: I've seen things about using a script clientside but have nothing else to go on for how to do it more specifically. Do you have pointers?
05:59 < operhiem1> I'm not sure either on rp_filter - something about IP spoofing protection dropping desirable packets in such a configuration. That's what things like https://jamielinux.com/blog/bypass-openvpn-for-a-specific-unix-user/ and https://arstechnica.com/civis/viewtopic.php?p=23954245#p23954245 suggest anyway.
05:59 <@vpnHelper> Title: Bypass OpenVPN for a specific Unix user — Jamie Nguyen (at jamielinux.com)
08:57 < ExoUNX> for the openvpn client, what's the best way to route a subnet through it. I tried "route 192.168.5.0/24" and it didn't seem to work
10:06 < Protected> Where did you write that?
10:27 <@dazo> ExoUNX: routing a subnet behind the VPN server ... or behind the client?
10:48 < ExoUNX> well I have access to a client
10:48 < ExoUNX> so I'd assume the client
10:49 < ExoUNX> Protected, I wrote that in the client config
13:28 -!- KCinJP_ is now known as KCinJP
13:28 -!- ctracey_ is now known as ctracey
13:28 -!- BuildTheRobots_ is now known as BuildTheRobots
16:18 -!- krzie [40207a28@openvpn/community/support/krzee] has joined #openvpn
16:18 -!- mode/#openvpn [+o krzie] by ChanServ
16:18 <@krzie> bored at the office, anybody looking for help? :D
16:19 <+DArqueBishop> Do what I've been doing. Spend your downtime at work watching Doctor Who. ;-)
16:26 <@krzie> never watched it
17:47 -!- scan` is now known as scan
18:09 < vectr0n> any plans to add stretch builds to the apt repo?
18:36 < LunixA380> Hello, I have a problem with a server VPN. OpenVPN 2.4.2 x86_64-redhat-linux-gnu. Basically I copied a working config file and used it on a server with a new openvpn version. I was n Openvpn 2.3 on the other server. The VPN is a P2P VPN mode.
18:37 < LunixA380> The problem is that I get this error message: Error: inet prefix is expected rather than "10.XXX.XXX.1/-1"
18:37 < LunixA380> Config file is on its way
18:43 < LunixA380> Config: https://paste.fedoraproject.org/paste/z-BTO~VkCZc-vULd7EX~7Q
19:00 <@krzie> LunixA380: if the config works for sure on 2.3 but not 2.4 its a bug
19:00 <@krzie> !trac
19:00 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker., or (#2) if you have a forum login, use that for trac, its the same database.
19:01 <@krzie> please file a bug report there with your config and logs (verb 7) of it connecting in both 2.3 and 2.4
19:03 < LunixA380> I'll test that precisely
19:03 < LunixA380> I have still the other version in a VM with the config file
19:11 < LunixA380> I just confirmed that. OpenVPN 2.3.13 vs. OpenVPN 2.4.2. A guy on the OpenVPN forum has the same bug but did not provided the config file.
19:11 < LunixA380> krzie: Will I expose my key by mistake via --verb 7?
19:12 < LunixA380> Should I create a false OpenVPN key I will throw away for the matters of the test?
19:12 < LunixA380> (And of the bub report)
19:12 < LunixA380> bug***
19:12 <@krzie> im not sure if it will, a temp key would be a good idea
19:12 <@krzie> rotating your static key is always a good idea as well
19:12 <@krzie> as there is no forward security with it
19:12 <@krzie> !forwardsecurity
19:12 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can not decrypt past traffic, or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
19:15 < LunixA380> The Perfect Forward Secrecy, like the thing provides DH in TLS. I did not thought about that in OpenVPN, bout you're right
19:15 <@krzie> be back in a bit from krzee
19:15 -!- krzie [40207a28@openvpn/community/support/krzee] has quit [Quit: Page closed]
19:21 -!- |Mike| [mike@2001:19f0:5001:21c::3] has quit [Write error: Broken pipe]
19:23 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Write error: Broken pipe]
19:23 -!- madduck_ is now known as madduck
19:23 -!- nbastin_ is now known as nbastin
19:24 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
19:24 -!- mode/#openvpn [+o vpnHelper] by ChanServ
19:31 < LunixA380> I forgot to tell, thanks for the reply
20:12 < Abbott> I can connect to my vpn with opnvpn gui, but I can't get the windows service to work. Why would this be? Is there somewhere I can view the error output of the service?
23:08 < johnnyfive> Yo yo! I'm not really sure where to go with this, as googling is failing me, so hopefully someone here can point me in the right direction. I have an openvpn connection utilizing google auth 2FA. It works when I connect via CLI, but trying any applets or systray/gui tools, it fails. Linux Mint/Ubuntu based. Any thoughts?
23:35 <+_FBi> you lost me at yo
--- Day changed Tue Jun 20 2017
00:30 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
00:30 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
00:30 -!- mode/#openvpn [+v s7r] by ChanServ
00:31 <+hyper_ch> krzee: https://www.upguard.com/breaches/the-rnc-files
00:31 <@vpnHelper> Title: The RNC Files: Inside the Largest US Voter Data Leak (at www.upguard.com)
00:37 < skyroveRR> _FBi: lol
00:38 <+hyper_ch> _FBi: https://en.wikipedia.org/wiki/Yo-Yo_(rapper)
00:39 <+hyper_ch> just to clear up your confusion :)
01:18 -!- SWAT_ is now known as SWAT
02:46 < steveeJ> Hey, does the 2.4.2 release still include the management functionality? I've been using it with an unofficial GUI that can talk to the management service but it's defunct now
03:24 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
03:26 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
03:26 -!- mode/#openvpn [+v RBecker] by ChanServ
04:19 < swensson> Hey! Trying to install openvpn, what's the Challange password for?
05:05 -!- ikonia_ is now known as ikonia
05:17 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has left #openvpn ["Konversation terminated!"]
05:43 < swensson> unknown openvpn event occurred transport eror on MYIPADDRHERE network_eof_error
07:10 <@ecrist> steveeJ: yes, OpenVPN still includes the management interface.
07:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
07:10 < steveeJ> ecrist: does it work with the new interactive service, or does it require the legacy service?
07:10 < steveeJ> (windows)
07:11 <@ecrist> I though work with both, iirc
07:13 <@ecrist> wow, I can't english today.
07:13 <@ecrist> It should*
07:14 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
07:14 -!- mode/#openvpn [+o syzzer] by ChanServ
09:32 < SQUelcher> Hi
09:35 < SQUelcher> I'm running a openvpn setup with 2.3.4 as server and 2.3.9 as client. On a crappy router at my parents' home, ipv6 isn't working properly, so Tue Jun 20 16:19:49 2017 /sbin/ifconfig tun0 add 2001:470:7025:ff00::1016/64 fails with ifconfig: SIOCSIFADDR: Permission denied. Is there a way to disable ipv6 for this certain client?
09:38 <@ordex> SQUelcher: that is quite ancient … however, is that message creating any trouble? I think you can ignore it, no ?
09:39 < SQUelcher> ordex: Linux ifconfig inet6 failed: external program exited with error status: 1 - Exiting due to fatal error isn't looking that promising )
09:39 < SQUelcher> ;)
09:39 < SQUelcher> ordex: Debian jessie on server side, ancient, of course...
09:42 < SQUelcher> ordex: I've just upgraded on server side so push-remove ifconfig-ipv6 became available, considering at as solved :)
09:47 <@ordex> cool :)
09:50 -!- badpixel_ is now known as badpixel
09:54 < joze_> hi I need to serve android users windows and linux what should i go with tun or tap?
09:57 < joze__> hi I need to serve android users windows and linux what should i go with tun or tap?
10:05 <+DArqueBishop> joze__: unless you have a specific use case that requires tap, you should always go with tun.
10:06 < joze__> DArqueBishop: nice
10:06 < joze__> DArqueBishop: I am able to connect from OSX, Linux, Android but from windows I can't! It makes no sense
10:07 < joze__> DArqueBishop: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
10:07 <+DArqueBishop> In fact, if Android is anything like iOS, tap isn't even supported.
10:08 < joze__> can I push --script-security 2 ?
10:24 <@ordex> joze__: I Don't think you can
11:40 < masterkorp> hello
11:41 < masterkorp> is it possible to set one client to not get the default route option?
11:41 < masterkorp> I want the other routes, but not the default one
11:51 <@dazo> masterkorp: on openvpn 2.4, you can use --pull-filter
12:01 <@ecrist> masterkorp: yes
12:01 <@ecrist> setup a --client-config-dir option in your server config
12:01 <@ecrist> in that directory, create a file called DEFAULT
12:02 <@ecrist> put your push "route def1 a/a/a/a" line in that file
12:02 <@ecrist> for the client you do NOT want to get that route, create an empty file
12:02 <@ecrist> this is discussed and an example shown in the Mastering OpenVPN book
12:02 <@ecrist> !books
12:03 <@ecrist> !book
12:03 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
12:04 < havoc> I'm gonna remember that, for when I'm asked for "documentation" on my design ;)
12:04 < havoc> I'll also suggest Tanenbaum's Networking
12:06 < havoc> s/Networking/Computer Networks/
12:16 < masterkorp> dazo: yeah, i actually used that
12:44 < johnnyfive> !welcome
12:44 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
12:44 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
12:46 < johnnyfive> !goal I would like for the nm-applet, when connecting, to query for the google 2FA code instead of failing.
12:46 < johnnyfive> !goal
12:46 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:47 < johnnyfive> I would like for the nm-applet, when connecting, to query for the Google 2FA code instead of failing
13:32 < pwrcycle> on CentOS 7, how do I specifiy multiple config files for multiple daemons when running: sudo systemctl start openvpn@server.service
13:33 < SQUelcher> bye
13:33 < pwrcycle> i have it working labeled server.conf  I'm looking to do server.udp.conf and server.tcp.conf  Suggestions?
13:49 < operhiem1> pwrcycle: That looks like it would work? What problem are you having with it?
13:50 < operhiem1> johnnyfive: Your VPN uses 2FA? That prompting sounds like a NetworkManager problem if I understand correctly.
13:51 < johnnyfive> operhiem1: Possibly? There's not much on the net about it, some conflicting information. Haven't spent a *ton* of time on it yet, just hoping someone has seen this before. If not i'll have to investigate deeper on my own
13:52 < pwrcycle> operhiem1: from my /var/log/messages:  "openvpn: Options error: In [CMD-LINE]:1: Error opening configuration file: server.conf
13:53 < pwrcycle> so when i set my conf to be named server.conf  it worked.  but I want to tun 2 openvpn daesmons. one for tcp and one for udp.  question is how do i specify a conf file name?
13:53 < pwrcycle> and how do i set it so it starts both of these services on reboot?
14:30 -!- ghoti_ is now known as ghoti
14:40 -!- dionysus70 is now known as dionysus69
17:02 < operhiem1> pwrcycle: run "systemctl enable" for them
17:23 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Write error: Broken pipe]
17:23 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
17:23 -!- mode/#openvpn [+o vpnHelper] by ChanServ
18:02 -!- Vampire0_ is now known as Vampire0
20:26 -!- r00t^2_ is now known as r00t^2
22:08 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in]
22:18 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:18 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Wed Jun 21 2017
00:28 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
00:28 -!- mode/#openvpn [+v hyper_ch] by ChanServ
03:04 < jkliemann> does anyone know how I can troubleshoot mtu issues? with some tcp connections, it connects but cant send data through the tunnel
06:29 -!- dazo changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire /topic || Current Release: 2.4.3 (21 June 2017) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || Your problem is probably firewall. Really || TAP/bridging is almost always a bad idea || Vulninfo: !heartbleed !poodle !ovpnuke !sweet32 || Patience is a virtue
08:00 <+hyper_ch> krzee:   http://spritesmods.com/?art=hddhack
08:00 <@vpnHelper> Title: Sprites mods - Hard disk hacking - Intro (at spritesmods.com)
08:39 < catphish> i'm looking at https://packages.ubuntu.com/xenial/openvpn and i'm a little concerned that this hasn't had an update since 02 Feb 2016
08:39 <@vpnHelper> Title: Ubuntu – Details of package openvpn in xenial (at packages.ubuntu.com)
08:39 < catphish> am i missing something, or is this potentially rather insecure?
08:43 <@ecrist> catphish: we don't maintain distribution packages, only our official packages
08:44 <@ecrist> there have been a lot of updates, including security updates, since the release of that package.
08:44 < catphish> ecrist: that was my concern? who is we?
08:45 < catphish> not sure where that first question mark came from :)
08:45 < catphish> so does the debian maintainer need a nudge here?
08:46 <@ecrist> yes, but you can always download the source and build/install it: https://openvpn.net/index.php/open-source/downloads.html
08:46 <@vpnHelper> Title: Downloads (at openvpn.net)
08:46 <@ecrist> there was a release today, btw, that includes some important security updates.
08:47 < catphish> that's what prompted my question
08:48 < catphish> i have a policy of using ubuntu packages, they tend to get updated better than trying to keep on top of building everything myself
08:48 < catphish> unusually that doesn't seem to be working out so well here
08:49 < catphish> thanks anyway, i will see if i can poke the maintainer
08:50 < agustafson> Hey all having some trouble here. I am trying to connect as a user I killed/recreated and getting TLS errors.
08:50 < agustafson>  Authenticate/Decrypt packet error: packet HMAC authentication failed
08:50 < agustafson> TLS Error: incoming packet authentication failed from [AF_INET]123.123.123.123:14026
08:51 < agustafson> From my reading this is usually a key mismatch but if I diff the key in easy-rsa/keys with the key I am using they match
08:55 < agustafson> First certificate in index.txt looks like: R       270225164734Z   170620175309Z   4A      unknown /C=US/ST=IL/L=Indianapolis/O=company LLC/CN=agustafson/name=Company LLC/emailAddress=agustafson@company.com
08:56 < agustafson> second valid one looks like V       270618175408Z           5E      unknown /C=US/ST=IL/L=Indianapolis/O=company LLC/CN=agustafson/name=Company LLC/emailAddress=agustafson@company.com
08:56 <@ecrist> HMAC is separate from the certificate.
08:59 < agustafson> ta.key matches and client has tls-auth ta.key 1 and the server has tls-auth ta.key 0
09:02 <@dazo> agustafson: if you have HMAC auth failure ... that indicates that something is wrong with either the --tls-auth key file (must be identical on both sides), the key direction (0/1) must be different from server and client ... or that --auth is not identical on both sides
09:03 <@dazo> I don't recall I've ever experienced HMAC failures in other scenarios ... unless there's been connectivity issues and packets have been mangled on the way (where the HMAC failure indeed is correct)
09:05 < agustafson> dazo: What do you mean by --auth? The user password?
09:10 <@dazo> agustafson: --auth defines the authentication algorithm.  If not provided, it is SHA1 unless the data channel cipher is AES-GCM, then --auth is ignored (and GCM is used)
10:13 <@krzee> nice link hyper_ch
10:14 <+hyper_ch> I only understood a fraction of what he actually did... :) but interesting to know that you can run a linux kernel on a hard disk
10:14 <@ordex> lol
10:15 <@ordex> linux can run everywhere !
10:15 <+hyper_ch> also interesting that you can make non-clonable hdds
10:15 <@krzee> http://bofh.nikhef.nl/events/OHM/video/d2-t1-13-20130801-2300-hard_disks_more_than_just_block_devices-sprite_tm.m4v
10:19 <+hyper_ch> krzee's gears are now turning to figure how what he can do now with hdds
10:30 < agustafson> dazo: Thanks for the help it looks like there was a mismatch for the auth. I thought I broke something earlier but it turns out this has been broken for a year or so
10:56 <@krzee> omg hyper_ch
10:56 <@krzee> this can change everything
10:56 <@krzee> dude, imagine your HD has malware that attacks an app you run
10:56 <@krzee> when you analyze it the HD gives you the uninfected file
10:57 <@krzee> same when you copy it
10:57 <@krzee> but when it executes, it injects the payload
10:58 <@krzee> screw a kernel backdoor when you have better access to the stored data than the kernel itseld
10:58 <@krzee> itself*
11:28 < rkzzy> can someone confirm that the 2.4.3 release is signed by a different key than 2.4.2?
11:34 <@krzee> https://openvpn.net/index.php/open-source/documentation/sig.html
11:34 <@vpnHelper> Title: File Signatures (at openvpn.net)
11:35 <@krzee> so ya, confirmed
11:37 < Eugene> Relevant: https://xkcd.com/1181/
11:37 <@vpnHelper> Title: xkcd: PGP (at xkcd.com)
11:49 < rkzzy> anyone know what could cause "Error: pushed cipher not allowed - aes-128-cbc not in AES-128-CBC or AES-256-GCM:AES-128-GCM"?
11:56 <@krzee> looks like case sensitivity
12:55 <@ecrist> what krzee said
12:55 <@ecrist> aes-128-cbc != AES-128-CBC
12:57 < rkzzy> thank you
13:16 < Eugene> Well this looks boring https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/
13:16 <@vpnHelper> Title: The OpenVPN post-audit bug bonanza Guido Vranken (at guidovranken.wordpress.com)
13:16 < Eugene> Good fuzzing, but I don't see anything very exciting(decrypt)
14:10 < mefistofeles> https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1699551 any news/comments on this?
14:10 <@vpnHelper> Title: Bug #1699551 “nm-openvpn connection fails with error: invalid ci...” : Bugs : network-manager-openvpn package : Ubuntu (at bugs.launchpad.net)
14:27 <@dazo> mefistofeles: that looks more like a NetworkManager-openvpn plug-in bug than something related to the core OpenVPN
14:28 < mefistofeles> Oh yes, it is
14:28 < mefistofeles> dazo: I don't really know why I asked here tbh haha sorry
14:28 < mefistofeles> I knew that from the start xD
14:29 <@dazo> but it also smells like a misconfiguration too .... kinda like a 2.4 client tries to negotiate cipher with a 2.3 server
14:29 <@dazo> which will not work
14:30 < mefistofeles> dazo: that may also be the case
14:30 <@dazo> or that it is a 2.4 server with --ncp-disable
14:30 <@dazo> (which effectively behaves more like a 2.3 server)
14:31 <@dazo> but this error does confuse me somewhat:
14:31 <@dazo> juin 21 18:26:24 hostname nm-openvpn[6585]: Error: pushed cipher not allowed - aes-128-cbc not in AES-128-CBC or AES-256-GCM:AES-128-GCM
14:31 < mefistofeles> dazo: ok, I'm going to look into that, thanks for the feedback
14:31 <@dazo> try running openvpn from the command line with the same config, and see how that works
14:32 < MacGyver> dazo: It's probably case-sensitive.
14:33 <@dazo> hmmmm .... that is plausible
14:33 < Eugene> On what insane platform is that case sensitive
14:35 < MacGyver> Whether it *should* be case-sensitive is not the issue.
14:35 < MacGyver> But that's the most likely explanation for that particular error.
14:38 < Eugene> No, what I'm saying is that doesn't make any sense: I just tested, and it works fine with aes-128-cbc, AES-128-CBC, and AeS-128-cBc
14:39 < Eugene> Oh, nm-openvpn! You're using NetworkManager
14:39 < Eugene> Don't do that
14:39 < Eugene> `openvpn` does not care about the case. NetworkManager is pants-on-head stupid about parsing openvpn config files, and is notoriously difficult to get its knobss working correctly
14:39 < Eugene> mefistofeles ^
14:41 < mefistofeles> let me read
14:41 < mefistofeles> yeah, I thought so
14:42 < mefistofeles> thanks for the advice
14:46 <@krzee> ahh yes
14:46 <@krzee> always get openvpn working without NM
14:46 <@krzee> then import to nm if you want
14:47 <@krzee> then if something doesnt work,you know its nm's fault =]
14:47 < mefistofeles> yeah, I'll do that
14:47 <@krzee> pants-on-head stupid, i like that Eugene
14:56 < _FBi> that's the difference between runtime virus (Packed) verse not packed that can be scanned normally
15:17 -!- yang is now known as yang2
17:17 -!- nb_ is now known as nb
18:19 -!- almostworking is now known as deluge
18:24 < nesoi> hello, is there any good set of openVPN benchmarks for lower-cost routers?
18:26 -!- deluge is now known as almostworking
18:35 < nesoi> or alternatively: what routers can do openVPN at over 50Mbps?
18:54 <@krzee> nesoi: no
18:54 <@krzee> unfortunately nobody has done all that
18:55 < nesoi> odd, it seems easy to do
18:56 < nesoi> krzee:  another question: does openVPN take advantage of multi-cores or is it single threaded?
18:56 <@krzee> single threaded
18:56 <@krzee> and if it seems easy to do, please do
18:56 < nesoi> it seems easy to do if you are into it :)
18:57 <@krzee> be the change you wish to see ;]
18:58 < Eugene> nesoi - no. Benchmarking across different devices with different settings, unknown internet connnections, and trying to compare different VPN solutions vs hardware? That is a recipe for crying into a baggie
18:59 < Eugene> Generally speaking, any x86 CPU that was manufactured in the past 3-5 years should not have a problem with 50Mbps. Embedded(ARM) chips are a different beast entirely.
18:59 <@krzee> youd have to do it in a single location
18:59 <@krzee> with same configs
18:59 < Eugene> Ideally you would do it on a dedicated RFC2544 lab ;-)
18:59 < Eugene> But who owns one of those?
18:59 < nesoi> Eugene:  how about ARM chips? I don't know what routers have x86
18:59 <@krzee> preferably with the same version of lede
19:00 < Eugene> nesoi - "who knows". ARM is such a big umbrella term that its a crapshoot.
19:00 <@krzee> there'd be a financial investment in buying all the equipment
19:00 <@krzee> which is the #1 reason i'll never bother
19:00 < Eugene> I can recommend, from personal experience, the pfsense-branded routers from Netgate available on pfsense.org. Even the SG-1000 is fine, but don't try to push gigabit through it
19:01 < Eugene> We did and it overheated and broke. Oops.
19:01 <@krzee> lol
19:01 < nesoi> what thruput did you get with it Eugene?
19:01 < Eugene> We got full gigabit out of it.... until it crashed and wouldn't power back on
19:02 < Eugene> It was too hot to touch
19:02 < nesoi> Eugene:  was it running openVPN? or just as a firewall?
19:02 < Eugene> This was a pure packet-forwarding burn-in test, and not indicative of real-world performance with a typical DSL/Coax line
19:02 < Eugene> We decided not to deploy that model in production, heh
19:02 <@krzee> lol
19:02 <@krzee> ya i guess not
19:03 < nesoi> so not actually germane to the question of what to use as a router with openVPS :)
19:03 < nesoi> VPN
19:03 <@krzee> you already got that answered
19:04 <@krzee> answer was nope
19:04 <@krzee> then he told you some info he hoped youd find useful
19:04 < nesoi> could have been his personal experence
19:04 < nesoi> and appeared to be
19:04 < nesoi> since it followed the question
19:04 < nesoi> "what to use for open VPN? I can recommend, from personal experience, the pfsense-branded routers from Netgate available on http://pfsense.org/."
19:04 <@vpnHelper> Title: pfsense 404 Page Not Found (at pfsense.org)
19:05 < nesoi> seems like a sequitur
19:05 <@krzee> nobody is getting gigabit with openvpn on a home router, that much i can guarantee
19:05 < nesoi> looking for 50Mbps +
19:05 <@krzee> maybe somebody else will see this and have a suggestion for you
19:09 < Eugene> My personal and professional recommendation is above. Buy from them, or don't. /shrug
19:10 < Eugene> If you would like a more in-depth recommendation, my rates start at $100/hour
19:10 < nesoi> Eugene:  thanks. did you happen to do any openVPN thruput tests?
19:10 < Eugene> I do not know of any proper RFC2544 throughput tests of openvpn by anybody. These are very difficult to do in a meaningful way - there are too many variables and the numbers won't match your environment at all
19:11 < Eugene> !tryit
19:11 < Eugene> !tias
19:11  * Eugene smacks vpnHelper 
19:11 < nesoi> I found one, but it was from a long time ago
19:11 < nesoi> seemed to be getting about 8Mbps with a 200MHz ARM
19:12 < Eugene> Which means absolutely nothing. Extrapolation is useless with ARM instructions
19:12 < Eugene> Its like asking "what speed can a car made of aluminum go"
19:20 < nesoi> hence my asking here if anyone has any recommendations ! :)
19:23 < nesoi> so let me see if I've got this straight. What you all are saying is: a) it's hard to do perfect tests, so there's no point in doing any tests b) no one has done any tests c) there's no way to know how well anything will perform d) therefore you should not even try to find out if anything is likely to work in any ballpark speed and should instead just…. e) ??
19:34 < Grobo> is there a .conf option to disable IPv6?
20:13 < Grobo> I want to disable ipv6 on the tun adapter
21:32 <@krzee> !man
21:32 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
21:37 <@krzee> Grobo: you control your server?
21:39 <@krzee> it shouldnt be doing ipv6 over the vpn unless your server is configured to do it
21:39 <@krzee> if thats the case, we can set your client to ignore the ipv6 stuff
21:40 <@krzee> you would look at the options pushed to you in verb 4 logfile, then youd ignore the ipv6 options with --pull-filter
22:28 < Grobo> krzee: yes, I control it. It's on FreeBSD.
22:28 < Grobo> rc.conf has "none" for ipv6 interfaces but the tun adapter created by openVPN doesn
22:28 < Grobo> doesn't seem to honor/recognise that
--- Day changed Thu Jun 22 2017
00:11 <+hyper_ch> krzee: https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/
00:11 <@vpnHelper> Title: The OpenVPN post-audit bug bonanza Guido Vranken (at guidovranken.wordpress.com)
00:12 <+hyper_ch> krzee: question is, how does that go with SSD drives? I tend to think, SSDs require even more cpu etc. to manage the data
02:19 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 246 seconds]
02:20 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
02:20 -!- mode/#openvpn [+v RBecker] by ChanServ
06:28 < _FBi> old news, but: http://feedproxy.google.com/~r/TheHackersNews/~3/ZUIbCLB_oNc/openvpn-security-flaw_21.html
06:28 <@vpnHelper> Title: Critical RCE Flaw Found in OpenVPN that Escaped Two Recent Security Audits (at feedproxy.google.com)
07:03 <@ecrist> _FBi: note teh release yesterday.  I believe that researcher contacted us prior to public disclosure and all of those are fixed in yesterday's release.
07:04 <+hyper_ch> there was a release yesterday?
07:04 <@ecrist> actually, i *know* the fixes were in yesterday's release.
07:04 <@ecrist>  Current Release: 2.4.3 (21 June 2017)
07:04 <@ecrist> from /topic
07:04 <+hyper_ch> _FBi: old news because I posted it a few hours earlier?
07:04 <+hyper_ch> ecrist: you're not supposed to read /topic... that's been an iron clad irc rule for 20+ years
07:05 -!- mode/#openvpn [-v hyper_ch] by ecrist
07:05 <@ecrist> :)
07:05 < hyper_ch> ABUSE OF POWER!!!
07:05 <@ecrist> absolutely
07:06 < hyper_ch> HE DOESN'T EVEN DENY IT
07:06 <@ecrist> not at all
07:06 <@ordex> lol
07:06 < hyper_ch> I'll have syzzer hack your microwave!!!
07:06 < hyper_ch> and your coffee machine!!
07:06 <@ecrist> iron clad irc rule #2: +o > *
07:06 < hyper_ch> see who's laughing then
07:08 <@ecrist> note, too, that 3 of the four vulnerabilities are only exploitable *after* authentication
07:13 < umoot> is 15e15fc97f189b52aee7c90ec8355aa77469c773125110b4c2f089abecde36fb correct sha256 for 2.4.3?
07:13 < umoot> tar.xz
07:15 <@krzee> check it with pgp instead of a file hash
07:15 <@krzee> if it was wrong, and i went and downloaded it to check for you. we'd both be wrong
07:16 <@krzee> now i verified a backdoored file for you because you didnt use the proper method to check its signature
07:16 <@krzee> !download
07:16 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn, or (#2) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
07:16 <@krzee> https://openvpn.net/index.php/open-source/documentation/sig.html
07:16 <@vpnHelper> Title: File Signatures (at openvpn.net)
07:17 <@krzee> !factoids search signatures
07:17 <@vpnHelper> No keys matched that query.
07:17 <@krzee> !factoids search --values signatures
07:17 <@vpnHelper> No keys matched that query.
07:17 <@krzee> !learn sigs as https://openvpn.net/index.php/open-source/documentation/sig.html for how to check pgp signatures to verify download of OpenVPN releases
07:17 <@vpnHelper> Joo got it.
07:18 < umoot> I'm not asking for help with signatures. I want to confirm hashes because some distros are using now incorrect ones
07:18 <@krzee> many distros dont use our exact release tarball
07:19 <@krzee> in fact none come to mind of the top of my head
07:19 < umoot> but they build packages from it
07:22 <@krzee> i could download it just to hash it for ya, but i cant figure out how different that would be from you doing that
07:23 -!- mode/#openvpn [+v hyper_ch] by ChanServ
07:23 < umoot> I did, but I can reproduce two different hashes
07:24 < umoot> I read mailing list discussion but it was confusing
07:24 <@ecrist> krzee: freebsd does
07:24 <@ecrist> although, it's not a "distro" either
07:25 <@ecrist> umoot: you're best off downloading and verifying the signature.  If that's correct, calculate the hash yourself.
07:27 < umoot> ecrist: I'm not really asking for myself, I'm going to report bug for the distro and wanted confirm current situation
07:28 <@ecrist> my suggestion stands.
07:28 <@dazo> umoot:  https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14911.html ... this should have the proper sha values for the tar.xz files
07:28 <@vpnHelper> Title: Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes) (at www.mail-archive.com)
07:30 <@dazo> krzee: cloudflare have played tricks on us again .... so mattock uploaded some wrong files yesterday and fixed it ... and despite us purging the cloudflare cache ... we have a nasty challenge
07:30 < umoot> dazo: well, those sha values are exactly ones which didn't verify with gpg :D
07:31 <@dazo> also ... the key ID on the sig.html page is also somewhat confusing (but not wrong).  The key ID listed there is the main/master key.  While the packages are signed by a sub-key which have the key id 0xD72AF3448CC2B034
07:31 <@dazo> umoot: then it sounds "right" :)
07:32 < umoot> https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14918.html this one are proper I think
07:32 <@vpnHelper> Title: Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes) (at www.mail-archive.com)
07:34 <@dazo> $ sha256sum openvpn-2.4.3.tar.xz openvpn-2.3.17.tar.xz
07:34 <@dazo> 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571  openvpn-2.4.3.tar.xz
07:34 <@dazo> d300029416b045666f2dc957bdde407ba97894428b5ad8433df789e793ccc1d3  openvpn-2.3.17.tar.xz
07:35 <@dazo> that should be the proper ones (at least, that's what I've pushed to Fedora builders)
07:35 <@dazo> and part of the Fedora pkg build is to verify the signature, otherwise the build fails
07:36 < umoot> but that was publishes few days ago and was changed yesterday
07:37 <@dazo> not a few days ago ... it all happened yesterday
07:38  * umoot sent a long message: umoot_2017-06-22_12:29:29.txt <https://matrix.org/_matrix/media/v1/download/matrix.org/bknCsbAiQDClwknJQqDReLlG>
07:38 <@dazo> what's the sha value of your openvpn-2.4.3.tar.xz.asc?
07:39 < umoot> sha256
07:39 < umoot> 168da89835c763919bce35728df9ac427f2124ce8696deb8f599a021b23e7348
07:39 <@dazo> $ sha256sum openvpn-2.4.3.tar.xz.asc
07:39 <@dazo> 9f5f089f4a4b3e270ddb53cb0b689f4c0bad89d7e2ee08a1d4666e7ab869f210  openvpn-2.4.3.tar.xz.asc
07:40 <@dazo> try the signature in the mail I posted in the URL above (msg14911.html)
07:42  * umoot sent a long message: umoot_2017-06-22_12:33:25.txt <https://matrix.org/_matrix/media/v1/download/matrix.org/aNNqvNozzVPuBxOBjqfqnKCN>
07:42 < umoot> so there are 2 different tar.xz and tar.xz.asc files with correct signatures
07:43 <@dazo> *sigh* probably .....
07:43  * dazo gives cloudflare some really nasty looks
07:44 < umoot> I can get both tar.xz files both only one asc key
07:44 <@dazo> eeek
07:44  * dazo runs some tests too
07:45 <@dazo> *sigh* ... that is the wrong signature :/
07:46 < umoot> which one?
07:46 <@dazo> 9f5f089f4a4b3e270ddb53cb0b689f4c0bad89d7e2ee08a1d4666e7ab869f210 that is the correct one
07:48 < umoot> hmm, but how it can successfully verify file?
07:50 <@krzee> dazo: have i mentioned how much i love cloudfare? :D
07:51 < umoot> and from where does it come from?
07:52 <@dazo> umoot: just a second ... I'm uploading sources, signature and proper hashes to a wiki page now.  I'm just fed up of this mess.
07:52 <@krzee> dazo: this specific person isnt checking a file from cloudfare, he's checking one that came from his unmentioned distro's package manager
07:52 <@dazo> which distro?
07:53 < umoot> krzee: no no, I always get it from openvpn sources
07:53 <@krzee> oh, i must have misunderstood this:
07:53 <@krzee> <umoot> I'm not asking for help with signatures. I want to confirm hashes because some distros are using now incorrect ones
07:54 <@krzee> sorry ill let dazo handle it =]
07:55 <@dazo> oh bloody h**** .... f**kn' wiki upload restrictions
07:56 < umoot> krzee: I was pointing to their build process, not binary package. I thought that sha256 sum posted by dazo is wrong and they were using it.
08:17 <@dazo> umoot: http://community.openvpn.net/openvpn/wiki/release-packages-2.4.3-2.3.17
08:17 <@vpnHelper> Title: release-packages-2.4.3-2.3.17 – OpenVPN Community (at community.openvpn.net)
08:32 < umoot> dazo: thanks, now both sha sums and gpg keys matches as you wrote before
08:34 < umoot> but no the wiki page it says hash is sha512 but presented hashes are sha256
08:36 <@dazo> duh ... that's a typo!  thx umoot, I'll fix it!
08:39 < umoot> dazo: do you know from were the other tar.xz and tar.xz.asc files come from? I looked inside archive and files are owned by user "gert" and group "wheel". Those ownerships are stripped in proper archive
08:39 <@dazo> umoot: ahh, no that is actually correct ... the SHA256 values listed there uses a SHA512 hashing as part of the signature
08:40 <@dazo> umoot: gert is the one who created the initial tarballs .... which got unpacked and re-packaged .... he is cron2 on IRC, and a trusted member of the core developers
08:42 < umoot> ok, thanks :)
08:44 <@dazo> umoot: but now I see  that the v2.3.17 still carries the gert/wheel stuff ... but the signature there have always matched, afaik .... regardless, it is all correct in regards to that wiki page (SHA256 + signatures matches the tar.xz files)
08:48 < umoot> dazo: yeah, this situation will confuse people for some time, I heard that some conspiracy theories already started :)
08:50 <@dazo> oh dear
09:27 < iateadonut> i need to connect to a windows server from linux over a VPN.  no problem there, but all my other traffic fails.
09:27 < iateadonut> i'm wondering how i can route only rdesktop through the VPN.
09:28 < iateadonut> i'm on ubuntu and have a working config file at /etc/NetworkManager/system-connections/ovpn-config
09:28 <@ordex> !configs
09:28 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
09:28 <@ordex> iateadonut: ^^
09:31 < iateadonut> do i post the *.ovpn file?
09:31 < iateadonut> !paste
09:31 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2)
09:31 <@vpnHelper> paste.ee is also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
09:34 < iateadonut> here is the .ovpn file, for what it's worth: https://paste.ee/p/2WdCG
09:34 < iateadonut> d'oh!
09:34 < iateadonut> well, it says 'block-outside-dns', but i can't even ping an outside ip address anyway
09:36 < iateadonut> anyway, just hoping i can set up ovpn to only work with rdesktop
09:38 < DArqueBishop> iateadonut: we need the server config as well.
09:39 < DArqueBishop> If routing isn't working, then it's more likely than not that the problem is on the server side.
09:39 < iateadonut> i have no idea how to route.
09:39 < iateadonut> and i don't have access to the server.
09:39 < DArqueBishop> !both
09:39 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
09:39 < iateadonut> is there some instructions on how to route only certain traffic?
09:40 < iateadonut> i see.  i guess my question is not for this room
09:40 < DArqueBishop> No, it's for the person who actually runs the server.
09:40 < iateadonut> i'm wondering how to use my VPN connection only for a single program.  i think that's a client issue.
09:41 < DArqueBishop> It doesn't work like that.
09:42 < DArqueBishop> It's likely what's happening is that new routes are being forced down by the VPN server.
09:42 < DArqueBishop> !routebyapp
09:42 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination., or (#2) Alternatively, read up about Policy Routing to make routing decisions based on
09:42 <@vpnHelper> defined policies you set. For Linux, read about !lartc
09:43 < DArqueBishop> !lartc
09:43 < iateadonut> i see.  thank you.
09:43 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
10:05 < signo-> Hey, is anyone here familiar with cipher negotiation, the --ncp-ciphers flag? I'm seeing some weirdness when it's enabled on both the client and server, it seems to always negotiate the first cipher in the servers list. Even if that cipher is not listed on the client side
10:07 <+hyper_ch> bruce schneier is :)
10:07 <+hyper_ch> I tghink
10:10 < signo-> Ahh great, I'll hang around and hopefully they show up. It seems like negotiation doesn't actually negotiate or I have no clue what it's doing. It's a 50/50 shot haha
10:40 <@dazo> signo-: can you provide configs?
10:40 <@dazo> !configs
10:40 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
10:41 < deftjack> Im looking at setting firewall rules based on CN and ip address but Im curious (have not tried) but what prevents an end user from simply changing the IP given by the OpenVPN server to one that would allow them other access?  ie: Does OpenVPN know what IP it gave a client and out right refuse to route anything else?
10:42 < signo-> Question was more conceptual, not config specific. An example would be server v2.4 specifies --ncp-ciphers AES-128-CBC:AES-192-CBC:AES256-CBC and client v2.4 specifies --cipher AES-192-CBC --ncp-ciphers AES-192-CBC then what should the cipher used by the tunnel be?
10:42 < signo-> dazo ^^
10:43 < signo-> I'm getting AES-128-CBC which seems odd unless I'm misundersanding what cipher negotiation actually does
10:46 < signo-> The docs make it sound like in v2.4 that is correct and there is no actual negotiation at the moment
11:35 < Eugene> deftjack - yes, in the normal(non-bridging) mode the server knows what client connection has what address. The client can have whatever IP it wants to have on its tun device, but the server will just ignore it
11:39 < deftjack> Eugene: ok. So if I were to have a fw rule saying 10.1.10.10 can get to 10.2.1.1 and nowhere else and another fw rule saying 10.1.10.11 can get anywhere.  Then if a client were to connect and change their ip from 10.1.10.10 to 10.1.10.11  They would just stop having any access?
11:39 < Eugene> the openvpn server process will drop packets that are not from the client's assigned ip address or a matching iroute entry
11:40 < Eugene> Before it comes out of the server's tun interface to go through the firewall
11:40 < Eugene> So yes, that client would just be broken
11:42 < deftjack> Thanks for the information. I was concerned that firewalling could just be subverted by "savvy" end users in that regard.
11:43 < deftjack> What Im thinking about doing is just blocking all traffic and adding rules as clients connect specific to them to allow access.
11:46 < Eugene> That is a choice between paranoia and convenience. I like to deal with my access layers at the actual application level :-p
11:46 < deftjack> My issue is our network is quite large and flat and I have no control from that end of things. But I know certain groups etc should simply not have any access to other areas.
11:48 < deftjack> Basically looking at creating zones(firewalld - chains iptables) and users would just be added to them based off CN. Anyhow, should prove interesting to tinker with. Again, thanks for the feedback.
11:51 <@dazo> signo-: I'm back again .... so ... --cipher AES-192-CBC defines the default, which is used if the remote side does not support NCP (either --ncp-disable or if the remote is v2.3 or older) ... when the server defines  --ncp-ciphers AES-128-CBC:AES-192-CBC:AES256-CBC, that means the server dictates to the client what it must use - in that preferred list
11:52 <@dazo> signo-: since you list AES-128-CBC first, that is the first it will check if the client supports it
11:53 <@dazo> signo-: now, there's also a twist with --ncp-ciphers and v2.3 clients .... if a recent v2.3 client connects, it can actually use AES-{128,192,256}-CBC in --cipher and it will get a connection (in this case the client dictates what it wants)
11:54 <@dazo> signo-: likewise, with a v2.4 client ... you could then add --ncp-disable --cipher AES-192-CBC ... and it will behave like the v2.3 client
11:55 <@dazo> signo-: as a side note .... why do you not list GCM ciphers?  They usually perform better, as the authentication is included in the AES-GCM cipher ... while with AES-CBC, you need the authentication in addition (--auth, which defaults to SHA1)
11:57  * dazo needs to run for a train now
12:11 < signo-> @dazo: That makes sense. My issue is why, with the settings specified in v2.4, do they come to an agreement of AES-128-CBC. The client does not list it as an allowed cipher so there shouldn't be a successful connection between the two clients, correct?
12:12 < signo-> @dazo: and we are using GCM in prod, i just happened to type the CBC ones first and didn't feel like changing it/adding the GCM ones. Thanks for the heads up though
12:48 <+hyper_ch> geez, nothing but troubles with btrfs... why do I keep trying to use it....
12:51 < DArqueBishop> hyper_ch: masochism?
12:52 <+hyper_ch> only crazy people try the same thing over and over and expecting a different result ;)
12:58 < Eugene> Or scientists
13:04 < [twisti]> hey, i set up an openvpn docker container, and successfully connected my desktop to it, and it shows up like a lan, i guess. so far so good. now id like to connect my android phone to it. i saw the app, so i expect no problem there, but i am worried that the phone will think the vpn 'lan' is a non-limited network, and start downloading app updates and stuff through it, while it in reality is
13:04 < [twisti]> routed via the mobile net
13:41 < _FBi> lol sorry hyper_ch, didn't see it.  my window is filled with JOIN/PART
13:44 < [twisti]> _FBi: right click the channel in the channel list, click events, and then set join, part, quit and nick changes to 'in status'
13:45 < _FBi> I am aware
13:48 < [twisti]> alright then
13:50 <@dazo> signo-: the server is the one who have the final word on what will be preferred.  So when the server lists AES-128-CBC first in --ncp-ciphers, if the client is capable of that cipher - that's what it chooses
13:56 <@dazo> signo-: now, there is an important detail.  This negotiation is more like a "negotiation", not comparable to the traditional TLS/SSL negotiation where client/server exchange what they support.  The server "guesses" what the client supports, based on a peer-info message (IV_NCP) the client says it supports.  IV_NCP is just an unsigned integer value
13:56 <@dazo> So the server decides which cipher to use, and pushes that value to the client.
13:57 <@dazo> what it pushes is based upon the IV_NCP of the client and --ncp-ciphers on the server side.
13:58 <@dazo> It is only if you disable NCP on the client side the client can decide a bit more ... but it has to be one of the values listed in --cipher or --ncp-cipher on the server side.
14:02 < signo-> @dazo and by capable you mean supports it, not capable as in has listed in in openvpn startup as a supported cipher?
14:02 < signo-> That explains my confusion as to why it was restarting and using a cipher it did not specify, I was expecting a more traditional negotiation
14:04 < umoot> so from client perspective it's better to disable ncp-cipher to get more leverage in negotiations :)
14:04 < signo-> @dazo: Thanks for the help by the way. Clears up a lot! Was a pain figuring it out from the short description in the Man page and testing
14:06 <@dazo> signo-: that's correct ... capable as in "expected to support that cipher"
14:08 <@dazo> umoot: no, if you use --ncp-disable on the client side ... there are no negotiation.  If you leave NCP enabled, the server will decide what is the best cipher to use ... so, if the --ncp-ciphers lists strongest ciphers first, the client will by default use what the server prefers first
14:09 <@dazo> signo-: if you have an idea how to improve the man page to make it clearer ... feel free to shoot a mail to the -devel mailing list ... it's not our intention to have a cryptic man page :)
14:13 < umoot> dazo: but if I disable ncp and set cipher  AES-256-GCM in client, server cant't override this, no?
14:28 < signo-> @dazo: While I'm here asking questions. What's the point of the clients --ncp-ciphers if the server pushes the cipher to the client and the client can accept a cipher not on that list
14:28 < signo-> client can accept a cipher not on the clients list*
14:30 <@dazo> signo-: good question.  I don't have an equally good answer on that :)
14:42 < signo-> @dazo: So this is expected?
14:42 < signo-> Whoops, that didn't do a multi line thing
14:51 < signo-> @dazo: Let me try sending this again. So this would be expected if the client had no ciphers that match the servers ciphers? The restart is what seems odd to me. Maybe it's expected but it seems like it is overwriting the local cipher
14:51 < signo-> Thu Jun 22 19:24:58 2017 us=211396 [server] Peer Connection Initiated with [AF_INET]192.168.4.1:1194
14:51 < signo-> Thu Jun 22 19:24:59 2017 us=228563 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
14:51 < signo-> Thu Jun 22 19:24:59 2017 us=231924 PUSH: Received control message: 'PUSH_REPLY,topology p2p,ping 30,ping-restart 150,ifconfig 10.8.0.4 10.8.0.1,peer-id 0,cipher AES-128-GCM'
14:51 < signo-> ........
14:51 < signo-> Thu Jun 22 19:24:59 2017 us=232144 Error: pushed cipher not allowed - AES-128-GCM not in AES-128-CBC or AES-128-CBC
14:51 < signo-> Thu Jun 22 19:24:59 2017 us=232165 OPTIONS ERROR: failed to import crypto options
14:51 < signo-> Thu Jun 22 19:24:59 2017 us=232179 ERROR: Failed to apply push options
14:51 < signo-> ......
14:51 < signo-> Thu Jun 22 19:24:59 2017 us=232394 SIGUSR1[soft,process-push-msg-failed] received, process restarting
14:51 < signo-> Thu Jun 22 19:24:59 2017 us=232445 Restart pause, 5 second(s)
14:51 < signo-> .........
14:51 < signo-> Thu Jun 22 19:25:04 2017 us=856167 [server] Peer Connection Initiated with [AF_INET]192.168.4.1:1194
14:51 < signo-> Thu Jun 22 19:25:05 2017 us=936530 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
14:51 < signo-> Thu Jun 22 19:25:11 2017 us=19102 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
14:51 < signo-> Thu Jun 22 19:25:16 2017 us=105044 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
14:54 <@dazo> signo-: is this client log?
14:54  * dazo believes so
14:54 < signo-> Yes
14:54 < signo-> Should have specified that
14:55 <@dazo> yeah, I thought so  ..... so, here the client rejects the server ... as the server does not present a cipher you have in your --ncp-ciphers list on the client side
14:56 < signo-> but then after a restart it establishes a connection with the AES-128-GCM (cipher not specified by the client)
14:56 < signo-> So the server fails then just blatantly pushes after a restart?
14:56 <@dazo> that smells like a bug though
14:56 < signo-> Seems odd
14:57 < signo-> That's what we were thinking
14:57 <@dazo> syzzer: ^^^^
14:57 < signo-> Man glad we only found 2 bugs so far. Can't have you guys kicking us out of the IRC for causing trouble haha
14:58 <@dazo> signo-: would be great if you could pastbin complete logs (server + client) plus configs (server + config) .... then we'll have something we can try to reproduce and see if it matches expectations or not
14:59 <@dazo> hehe :)
14:59 < signo-> Yeah, was making sure that was unexpected before I went and opened a bug up
14:59 < signo-> I'll open up a bug tonight with the logs + config + reproduction steps
14:59 <@dazo> we only kick out people who came with false claims .... like "--verb 5 is filling my log files"
14:59 <@dazo> signo-: cool, thx!
15:00 < signo-> Nah verb 9 is where it's at
15:00 <@dazo> :)
16:11 < signo-> @dazo: Here is the ticket https://community.openvpn.net/openvpn/ticket/906
16:11 <@vpnHelper> Title: #906 (Cipher negotiation succeeds when it should fail) – OpenVPN Community (at community.openvpn.net)
16:11 < signo-> If you need any other information in the ticket just let me know!
16:19 <@dazo> signo-: thx! this looks good!
20:36 < epon> hello, i see an option "--writepid" but when i try to use it i get this error
20:36 < epon> Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: writepid (2.4.2)
20:47 < epon> anyone know what up with that?
--- Day changed Fri Jun 23 2017
00:41 < aaa8> Hello! So Im having trouble with my VPN server. Im able to connect from my phone but I cannot load any webpage. Firewall works fine but I noticed im given no user and client ID
00:41 < aaa8> https://i.imgur.com/UWmPYOQ.jpg
00:42 < aaa8> Probably asking late anyway
00:43 <+hyper_ch> what client is that?
00:43 < aaa8> OpenVPN on iPhone
00:44 <+hyper_ch> no idea what those fields are supposed to contain
00:44 < aaa8> connecting to the server is fine (hence no firewall issues), when it comes to loading webpages, it fails
00:44 <+hyper_ch> can you open a terminal and ping?
00:44 < aaa8> Well, any hint on where I can diagnose the problem? I used this guide here: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
00:44 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
00:45 < aaa8> Im not running it on their servers though but it doesnt seem server specific guide
00:45 <+hyper_ch> connect to the openvpn server with a real computer and using the actual openvpn software downloadable
00:45 <+hyper_ch> once you get that working, you can try it on your phone
00:47 < aaa8> i dont think the phone is the problem tho
00:47 < aaa8> I think its because its trying to assign an ip like 10.0.8 and such
00:47 <+hyper_ch> can you debug the connection on your phone properly?
00:47 < aaa8> logs?
00:47 <+hyper_ch> if not, then use something where you can do that
00:47 < aaa8> sec
00:51 < aaa8> Here is the logs: https://pastebin.com/raw/1VHknPvQ
00:51 < aaa8> from my iPhone
00:52 < aaa8> any info? @hyper_ch
00:53 <+hyper_ch> 2017-06-23 01:39:04 SetStatus Connected
00:53 <+hyper_ch> looks fine
00:54 < aaa8> Yea i can connect to it just fine
00:54 < aaa8> but I cant load anything
00:55 <+hyper_ch> !configs
00:55 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
00:55 < aaa8> result from this command: grep VPN /var/log/syslog
00:56 < aaa8> https://pastebin.com/raw/CUkaBWk9
00:57 < aaa8> anything? @hyper_ch
00:58 <+hyper_ch> !configs
00:58 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
00:58 < aaa8> !paste
00:58 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
00:58 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
00:59 < aaa8> whats the directory?
00:59 < aaa8> or location
00:59 < aaa8> using Ubuntu server 16.04 LTS
00:59 < aaa8> @hyper_ch
01:00 <+hyper_ch> still waiting for configs
01:00 < aaa8> Where are they located....
01:01 < aaa8> Where are they located @hyper_ch
01:02 <+hyper_ch> no idea how it is on iphone
01:02 <+hyper_ch> no idea what server you use
01:02 < aaa8> wait, from my server or client?
01:02 < aaa8> okay, one sec, ill get client
01:03 < aaa8> Client config: https://pastebin.com/raw/HrAzuHdz @hyper_ch
01:04 <+hyper_ch> server and client
01:04 <+hyper_ch> !configs
01:04 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
01:05 < aaa8> Sorry, heres the server config: https://pastebin.com/raw/gMwPi5VF @hyper_ch
01:06 <+hyper_ch> is that all in one?
01:06 <+hyper_ch> server and client config?
01:06 < aaa8> first link is client config, second link is server config
01:07 <+hyper_ch> why should I click on two links if you can post it in one?
01:08 <+hyper_ch> for 15 min i have no asked you for configs.....
01:08 <+hyper_ch> It's not that hard
01:09 <+hyper_ch> please do as the vpnHelper entry says for "configs"
01:10 < aaa8> https://pastebin.com/raw/jGwiWdVe @hyper_ch
01:10 <+hyper_ch> still full of comments
01:10 <+hyper_ch> geez, I give up
01:11 < aaa8> what do you want? theres the server and theres the client
01:11 < aaa8> @hyper_ch
01:12 <+hyper_ch> read again the vpnHelper configs factoid entry
01:12 < aaa8> !paste https://pastebin.com/raw/jGwiWdVe
01:13 <+hyper_ch> vpnHelper  "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
01:15 < aaa8> Here u go: https://pastebin.com/raw/Vk6SGwJZ @hyper_ch
01:16 < aaa8> comments are gone
01:18 < aaa8> Hello? @hyper_ch
01:21 <+hyper_ch> server should have     push "route 10.8.0.0 255.255.255.0"
01:22 < aaa8> okay let me try
01:22 < aaa8> i realized its commented out
01:24 < aaa8> wait do i uncomment both of them?
01:24 < aaa8> and replace it with both?
01:24 < aaa8> or only 1
01:24 < aaa8> @hyper_ch
01:26 <+hyper_ch> I have no idea idea what you have uncommented
01:26 <+hyper_ch> I told you what is missing IMHO
01:26 < aaa8> yes, this was commented out: push "route 10.8.0.0 255.255.255.0"
01:26 < aaa8> I uncommented it
01:28 < aaa8> Can we just look at the server config WITH the comments?
01:29 < aaa8> just to see everything clearly?
01:29 <+hyper_ch> not really
01:29 <+hyper_ch> if it's commented out, it's not being parsed... hence not useful to check
01:29 < aaa8> well you said its missing, i noticed its commented out so I uncommented it
01:31 <+hyper_ch> I fail to see the point  there
01:31 <+hyper_ch> only uncommented lines are parsed by openvpn
01:31 <+hyper_ch> so what is commented out, is of no interest
01:31 < aaa8> so why did u tell me they are missing?
01:34 <+hyper_ch> 08:12:49 hyper_ch  server should have     push "route 10.8.0.0 255.255.255.0"
01:35 < aaa8> like this? https://pastebin.com/raw/20xhkQNF
01:36 < temuccio> Hello all
01:36 < temuccio> it is possible to use bonjour protocol over vpn? On internet I found discordant opinions
01:43 <+hyper_ch> aaa8: when is something commented out?
01:43 <+hyper_ch> temuccio: I see no reason why it's not possible... alas I don't really know bonjour...
01:47 <@ordex> temuccio: it is a linklocal protocol, so it would work if you use tap
01:48 <+hyper_ch> as said, I don't know bonjour :)
02:08 < temuccio> it is sufficient substitute dev tun with dev tab in configuration?
02:11 <@ordex> temuccio: this must be done on both client and server and keep in mind that this may have other implications based on your current setup
02:11 <@ordex> because you are basically switching from a layer3 to a layer2 tunnel
02:12 < temuccio> ok
02:13 < temuccio> ordex, I try to change it on client and server
02:14 <@ordex> let us know :)
02:14 <@ordex> temuccio: before testing bonjour, make sure everything is still working as before :p
02:15 < temuccio> yes, if I access to remote client I suppose that works the vpn
02:15 < temuccio> Then I testing bonjour
02:16 <@ordex> ok
02:23 < SteamedFish> I have a openvpn server with lots of users. I use pam plugin to authenticate. the server works fine at most of the time.
02:24 < SteamedFish> but when lots of users are connecting and auth at the same time(after a network outage for example) they are unable to connect.
02:26 < SteamedFish> i guess, is this because openvpn will auth users one by one instead of do it in parallel? is there any way to make it parallel?
02:31 < SteamedFish> I use openvpn-plugin-auth-pam.so for openvpn and pam_krb5.so for pam to do kerberos authenticate
03:09 < sedo> Hello! Who is up this night?
03:16 < sedo> any1 here
03:23 < sedo> !config
03:23 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
03:23 < sedo> !configs
03:23 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
03:23 <+hyper_ch> no
03:24 < sedo> I followed a guide on DigitalOcean, I can connect to the server but cant visit any website, no idea why. Here is client + server config: https://pastebin.com/raw/pb5JeXtM
03:25 < sedo> @hyper_ch
03:25 < sedo> Any idea? Anything that comes up?
03:25 <+hyper_ch> what ip does the client have?
03:26 < sedo> it says "VPN IPv4: 10.8.0.6"
03:26 <+hyper_ch> and what do your routing table on the client look like?
03:27 <+hyper_ch> beause you don't push the rout for 10.8.0.x
03:27 < sedo> where can i find this?
03:27 < sedo> doesnt show on OpenVPN
03:27 <+hyper_ch> and why do you push 10.8.1 and 10.8.2?
03:27 <+hyper_ch> distro?
03:27 < sedo> I can comment that out if that makes a problem, i was testing
03:27 < sedo> Ubuntu Server 16.04 LTS
03:28 <+hyper_ch> sudo route -n
03:29 < sedo> routing: https://pastebin.com/raw/cBijeLMu
03:30 < sedo> One thing, I dont want the VPN to see all the other computers on my network. I just need it to forward traffic
03:30 < sedo> @hyper_ch
03:32 <+hyper_ch> sedo: that's client routing table?
03:32 < sedo> i typed the command and thats what happened @hyper_ch
03:32 <+hyper_ch> sedo: that's client routing table?
03:32 <+hyper_ch> CLIENT?
03:32 < sedo> no, im sorry. My client is using windows
03:33 <+hyper_ch> 10:18:12 hyper_ch  and what do your routing table on the client look like?
03:34 <+hyper_ch> no idea about windows... windows is too complicated for me to handle
03:34 < sedo> Okay, give me a second
03:35 < temuccio> Hello all
03:36 < temuccio> hello ordex ....I have switch from tun to tap and the linux system works fine
03:36 < temuccio> But the device android/apple does't support this configuration
03:37 < temuccio> I need to dial mobile devices with bonjour protocol over VPN
03:39 < sedo> @hyper_ch routing table on client: https://pastebin.com/raw/MwwZqfD8 & OpenVPN log on client: https://pastebin.com/raw/8GcwMFdT
03:39 <+hyper_ch> that's no routing table
03:40 < sedo> then i am unable to find it - the problem is in my server
03:40 <+hyper_ch> but this looks good
03:40 <+hyper_ch> Fri Jun 23 04:24:57 2017 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5 Fri Jun 23 04:24:57 2017 Route addition via service succeeded
03:40 <+hyper_ch> is ipforwarding enabled on the server?
03:40 < sedo> the problem is that my VM is bridged to the rest of my network. My network has the ip addresses of 192.168.x.x.
03:40 < sedo> yes
03:40 < sedo> ill double check but i know i did
03:40 <+hyper_ch> cat /proc/sys/net/ipv4/ip_forward 0
03:40 <+hyper_ch> cat /proc/sys/net/ipv4/ip_forward
03:42 < adac> Over night my openvpn connections to some of my servers dropped
03:42 < sedo> I just went into "/etc/sysctl.conf" and uncommented this line: net.ipv4.ip_forward=1
03:42 < sedo> @hyper_ch
03:42 <+hyper_ch> cat /proc/sys/net/ipv4/ip_forward
03:42 <+hyper_ch> what's the output?
03:42 < sedo> 1
03:42 < adac> I investigated a bit and then, after a restart of the openvpn server did not work I restarted the clients. That made it work again
03:43 <+hyper_ch> seems all fine .... no idea
03:43 <+hyper_ch> you can ping the vpn server from the client?
03:43 <+hyper_ch> ping 10.8.0.1
03:43 < adac> now in the morning yet another server stopped working. not tun interface anymore. This now is strange. I checked the binary on the server and is oddly says:
03:44 < adac> ls -lah /usr/sbin/openvpn
03:44 < adac> -rwxr-xr-x 1 root root 675K Jun 22 17:23 /usr/sbin/openvpn
03:44 < temuccio> I need to dial mobile devices with bonjour protocol over VPN
03:44 < sedo> Yup, i can ping it. No problems @hyper_ch
03:44 <+hyper_ch> ping 8.8.8.8
03:44 < adac> on the servers where this did not happen I still have  the following output:
03:44 < adac> ls -lah /usr/sbin/openvpn
03:44 < adac> -rwxr-xr-x 1 root root 671K Feb  2  2016 /usr/sbin/openvpn
03:45 < adac> which would be correct according to the openvpn version that is installed
03:45 < sedo> @hyper_ch nope, it keeps saying the request is timing out
03:46 < adac> why did this binary  (date) suddenly changed? There was no update on these servers and all have ubuntu 16.04 installed
03:47 < adac> OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
03:47 < adac> OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
03:47 < adac> but it is both the maintainers version and there was no update at all
03:48 < sedo> @hyper_ch nope, it keeps saying the request is timing out
03:51 <+hyper_ch> sedo: here's a configuration I currently have in use:  client dev jus-law dev-type tun resolv-retry infinite nobind persist-key persist-tun  key-direction 1  ca              /etc/openvpn/jus-law/ca.crt cert            /etc/openvpn/jus-law/SJLaptop.crt key             /etc/openvpn/jus-law/SJLaptop.key tls-auth        /etc/openvpn/jus-law/ta.key 1   cipher AES-256-CBC  ns-cert-type server verb 5 mute 50  comp-lzo  remote vpn.jus-law.ch 1194 udp  sn
03:51 <+hyper_ch> paste fail :)
03:51 <+hyper_ch> https://paste.simplylinux.ch/view/82343961
03:53 < adac> looks like the auto update function is aenabled for critical packages
07:16 -!- janjust [~janjust@openvpn/community/support/janjust] has joined #openvpn
09:22 < Murda> I can include certs in client's config by using markup like: <cert>...</cert>, but how I include ta.key key there?
09:24 < DArqueBishop> Murda: Use <tls-auth></tls-auth>, and the key-direction parameter to specify if it's 0 or 1.
09:25 < DArqueBishop> As in, "key-direction 1".
09:28 <@ordex> !ios
09:28 <@vpnHelper> "ios" is (#1) See the iOS FAQ here - https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline might be useful
09:28 <@ordex> Murda: in #2 you should find also an example
09:32 < Murda> DArqueBishop, <tls-auth key-direction=1> you mean like this?
09:32 < DArqueBishop> No.
09:32 < DArqueBishop> <tls-auth>INSERT KEY HERE</tls-auth>
09:32 < DArqueBishop> key-direction 1
09:34 <@ordex> Murda: you can also check the doc I provided :P
09:44 < havoc> Murda: also look at the "INLINE FILE SUPPORT" section near the bottom of: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
09:44 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
10:21 -!- janjust [~janjust@openvpn/community/support/janjust] has quit [Quit: Leaving]
11:41 < gloin> !welcome
11:41 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
11:41 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
11:44 < gloin> Is sacli an -as only thing or is it in community? #openvpn-as is nothing but crickets so I ask here.
11:46 <@krzee> never heard of it, must be -as thing
11:46 < gloin> Thanks.
12:09 <@krzee> googled it, definitely -as only
13:57 < gthank> If I've got a VPN setup that seems to be working for most people, but I have one guy who is getting booted after like 120s
13:58 < gthank> Can anybody point me to a troubleshooting guide to help figure out what's weird for him?
14:09 <@ordex> gthank: at least the logs are really required
14:09 <@ordex> !logs
14:09 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
14:10 < gthank> ordex https://gist.github.com/gthank/5a0d8fde3d853e72519b146a60fcc627
14:10 <@vpnHelper> Title: viscosity.log · GitHub (at gist.github.com)
14:11 <@ordex> gthank: this is just a restart, no?
14:11 < gthank> the config file is coming from the OpenVPN helper in pfSense
14:11 <@ordex> can you paste it from the beginning and config it with verb 4 ?
14:11 < gthank> He gets that disconnect like every 1m45s
14:11 <@ordex> ah
14:11 <@ordex> so it works but gets disconnected every 1m45s ?
14:11 < gthank> Yes
14:11 <@ordex> seems like the ping is not working (?)
14:11 <@ordex> not sure why
14:12 < gthank> hmm… he says he's not got anything weird going on with his network
14:12 < gthank> But I'm not sure I entirely beleive that
14:12 < gthank> Since it works for me from like 5 different locations I've tested, including crappy coffee shop WiFi, and 4 or 5 other people too
14:15 < gthank> Hmm… apparently he had two clients (different machines, but the exact same config) connect from the same subnet on his side
14:15 < gthank> Perhaps that was messing with the routing
14:18 < xx00__> hi
14:18 < xx00__> I am setting up a mini router to put OpenVPN and eventually use AirVPN
14:19 < xx00__> do i set OpenVPN up as a server or a client on my router
14:19 <+hyper_ch> airvpn?
14:19 < xx00__> its a service
14:19 < Eugene> At the very least you'll get problems without --duplicate-cn
14:19 < xx00__> right now i have a router with OpenWRT
14:19 < xx00__> and I need to add OpenVPN on it
14:19 <+hyper_ch> so the router shall connect to that airvpn service
14:19 < xx00__> yes
14:19 < Eugene> I would not be at all surprised if the client's NATbox/"router" was munging the UDP connections
14:19 <+hyper_ch> and everything from the lan should go through that vpn tunnel?
14:19 < xx00__> yes
14:20 < xx00__> so what configuration to i set up OpenVPN with?  Server or client?
14:20 <+hyper_ch> client
14:20 < xx00__> ok amazing thank you
14:26 < xx00__> I am getting this error
14:26 < xx00__> Collected errors:
14:26 < xx00__>  * opkg_install_cmd: Cannot install package openvpn-openssl.
14:27 < xx00__> when i try to run: root@OpenWrt:/# opkg install openvpn-openssl
14:27 < xx00__> My OpenWRT version is: OpenWrt Attitude Adjustment 12.09-rc1
14:28 < DArqueBishop> ...
14:29 < DArqueBishop> You do realize that version of OpenWRT is nearly five years old?
14:30 < DArqueBishop> The most recent version of OpenWRT is technically the LEDE project's 17.01.2.
14:30 < xx00__> oh shit
14:30 < xx00__> i didn’t put it on the router
14:30 < xx00__> it came this way
14:31 < xx00__> can i update it from the terminal
14:32 < DArqueBishop> That's a question better suited for #openwrt or #lede-dev, or by browsing lede-project.org.
14:34 < xx00__> thank you
14:51 < gthank> Thanks for the tips about debugging, everybody
16:57 -!- xx00___ is now known as xx00__
20:14 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
20:16 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
20:16 -!- mode/#openvpn [+v RBecker] by ChanServ
22:11 < madprops> hi
22:12 < madprops> can someone tell me why do i have to do the POSTROUTING -s 10.8.0.0
22:12 < madprops> can i trust that ip?
--- Day changed Sat Jun 24 2017
00:35 <@ordex> madprops: that command is not complete
01:12 < skyroveRR> heya ordex
01:27 <@ordex> heya
01:41 <+hyper_ch> krzee: https://www.theregister.co.uk/2017/06/23/aes_256_cracked_50_seconds_200_kit/  --  ARE WE ALL GOING TO DIE NOW?
01:41 <@vpnHelper> Title: AES-256 crypto cracked in 50 secs using €200 of kit one metre away • The Register (at www.theregister.co.uk)
01:44 <@ordex> lol I am sure syzzer knows something about it :P
01:45 <+hyper_ch> about us all going to die? :(
01:47 <@ordex> nope, about the cracking tool
02:04 < Mr-Protocol> !welcome
02:04 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
02:04 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
02:04 <@vpnHelper> you
02:05 < Mr-Protocol> !goal Tunnel all traffic through the openvpn.
02:06 < Mr-Protocol> Anyone around that could help me figure out why I can no longer connect to my openVPN tunnel after updating to the 2.4.3 release?
02:09 < skyroveRR> !goal
02:09 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
02:09 < skyroveRR> "clearly"
02:11 < Mr-Protocol> I had a working setup and figured I would update to the release due to recent security audits. Now the connection times out after verifying EKU.
02:34 < Mr-Protocol> openvpn should show up as listening on 1194 if i do a netstat -l right?
02:53 < Mr-Protocol> syslog says my CRL has expired. No idea how to update it
03:36 <+hyper_ch> krzee: https://arstechnica.com/tech-policy/2017/06/supreme-court-asked-to-decide-if-us-has-right-to-data-on-foreign-servers/?comments=1
03:36 <@vpnHelper> Title: Does US have right to data on overseas servers? We’re about to find out | Ars Technica (at arstechnica.com)
03:52 < monkwitdafunk> !welcome
03:52 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
03:52 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
03:52 <@vpnHelper> you
09:09 <@krzee> hyper_ch: thats nothing new
09:09 <@krzee> sidechannel attacks of all sorts exist, and are powerfull as hell
09:10 <+hyper_ch> krzee: well, seems with $200 hardware with 1m distance it's something new :)
09:10 <@krzee> ands you can bet ordex was right about syzzer knowing about it
09:10 <+hyper_ch> at least that's the main point of that article /me thinks
09:10 <@krzee> id put a hefty sum on that
09:10 <@krzee> seeing as i also bet he likely knows every researcher involved
09:10 <+hyper_ch>  /msg syzzer can you deny any konwledge of side channel attacks.... so I can make a bet with krzee and get a lot of money? :)
09:11 <+hyper_ch> ;)
09:11 <@krzee> you see where the researchers are from?
09:11 <+hyper_ch> usually from a lab
09:11 <+hyper_ch> Fox-IT
09:11 <@krzee> that lab and syzzer's email match
09:11 <@krzee> hah
09:12 <+hyper_ch> is that like the IT departement of Fox?
09:12 <+hyper_ch> Fox Entertainment or whatever it's called
09:12 <+hyper_ch> I don't have syzzer's email
09:12 <@krzee> its the people who make openvpn-nl
09:12 <@krzee> https://openvpn.fox-it.com/
09:12 <@vpnHelper> Title: OpenVPN-NL (at openvpn.fox-it.com)
09:12 <+hyper_ch> ah
09:13 <@krzee> ordex is on the dev mail list, thats why he caught it so quick i bet ;]
09:13 <+hyper_ch> the document was written by Craig Ramsay and Jasper Lohuis.... and some others... I don't see any Syzzer in there
09:13 <@krzee> didnt say he worked on it
09:13 <+hyper_ch> :)
09:13 <@krzee> said he likely knows those who did
09:13 <+hyper_ch> despite having highlighted him so often, he remains silent
09:14 <+hyper_ch> but seen about MS, DOJ, SCOTUS?
09:15 <@krzee> huh?
09:15 <@krzee> guess not
09:15 <@krzee> i try to ignore usa as best i can
09:15 <+hyper_ch> you remember the DOJ wanting to access data host opn Azure by MS in Iureland?
09:16 <+hyper_ch> geez, can't type
09:16 <@krzee> nope but im sure european privacy laws would come into play
09:16 <@krzee> arent they stronger?
09:16 <+hyper_ch> well, the request was denied, so the DOJ asks now SCOTUS....
09:17 <+hyper_ch> https://arstechnica.com/tech-policy/2017/06/supreme-court-asked-to-decide-if-us-has-right-to-data-on-foreign-servers
09:17 <@vpnHelper> Title: Does US have right to data on overseas servers? We’re about to find out | Ars Technica (at arstechnica.com)
09:17 <+hyper_ch> if SCOTUS will side with the DOJ, I think this will have a very negative impact for MS, Google, Amazon, Facebook in Europe
09:21 <+hyper_ch> that wouldn't be too horrible though IMHO
09:21 < fnljk> lol, "have right to"... its a matter of cooperation in criminal justice just like extradition of criinals id think..?   they can't claim right to anything  just anywhere ,  or would be bad violation of sovereignty and make apparent they claim superiority and right above all others,
09:21 <+hyper_ch> fnljk: you know the US's moral superiority over everyone else due to their (military) moral highgrounds :)
09:22 < fnljk> pretty sure if some "possibly sensitive" box in china were used for something hostile.. they would not easily be able to just claim it..  and not (m)any country would go along with such international treaties allowing one to overrule others like tha
09:22 < jone2404> hi everyone, first time on here, i'm looking for some advice on an issue I have with windows client not processing server conf. push "route 192.168.1.0 255.255.255.0"
09:22 <+hyper_ch> !configs
09:22 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
09:22 <+hyper_ch> !configs > jone2404
09:22 < jone2404> thanks, will get it now
09:22 <+hyper_ch> that's still not working I guess
09:23 < jone2404> server conf:
09:23 < fnljk> hyper_ch: mm.. dangerous.. hope and think that proposal gets voted down..   otherwise..... will be hard to argue why other countries, likely far more often requesting data as such, would not be able to claim thigns from the US similarly..  aka. why the law of one or the other is more "correct"
09:23 < jone2404> https://thepasteb.in/p/66hVwnxXRA6CW
09:24 < fnljk> wouldnt b surprisd if they werent shy about hackling their way to such tho, or trying even :d
09:24 <+hyper_ch> fnljk: just think, if SCOTUS would allow the DOJ to pressure MS to hand out data stored in their Ireland DC, then it would mean governments and companies in Europe cannot use MS services anymore
09:24 < NginUS> Could someone help me, can't connect- TLS Error: TLS object -> incoming plaintext read error
09:25 <+hyper_ch> that on the other hand could (finally) break the MS monopoly on desktop computing and give rise to... well, other systems
09:25 < NginUS> !welcome
09:25 < jone2404> https://thepasteb.in/p/lOhO4BDq211UB
09:25 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
09:25 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
09:26 < NginUS> !1925
09:26 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
09:26 < NginUS> !goal
09:26 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:26 < jone2404> traffic flows ok if I set a persistent static route using netsh, just curious why windows fails to take the push
09:26 < jone2404> android works fine
09:27 < NginUS> !howto
09:27 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
09:27 < fnljk> aka  ms would no longer have customers in europe.. :]   ...but close cooperation and similar laws  in many ways...id be afraid theyd simply comply in many cases at least..
09:28 <+hyper_ch> what MS could do is split up... not just in a subsidary but a total seperate legal entity (with same stock holders)
09:28 <+hyper_ch> and soley based in europe
09:28 < fnljk> but, giving out something in own country as such if otherwise against local law.....  nah, i don't think ppl would accept such a violation of sovereignty frmo a foreign nation, and rather take the loss of MS (id doubt MS would do tho,lol) instead.  if to accept woudl mean would be hard to argue when china come demand the same
09:28 < fnljk> yeah , i guess.. :o
09:29 < jone2404> server logs show android gives: SENT CONTROL [jon]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet
09:29 <@krzee> jone2404: you should not push such a common subnet over the vpn
09:29 <+hyper_ch> well, in china they have a cooperation with some chinese datacenter
09:29 <@krzee> you WILL run in to problems
09:29 < jone2404> windows gives: TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
09:29 <+hyper_ch> it seems situation was the same... that you can't run a DC on your own as foreigner or something
09:29 <@krzee> thats 1 of 2 of the most common subnets
09:29 <+hyper_ch> fnljk: http://www.datacenterknowledge.com/archives/2013/05/22/microsoft-launches-azure-in-china-via-21vianet-group/
09:29 < jone2404> I only access it at work and that subnet will not be used on that site
09:29 <@vpnHelper> Title: Microsoft Launches Azure in China Via 21Vianet Group | Data Center Knowledge (at www.datacenterknowledge.com)
09:30 <@krzee> jone2404: show me your routing table before and after starting openvpn, along with a verb 4 logfile
09:30 < jone2404> ok...
09:30 <+hyper_ch> jone2404: any reason why you don't use 10.8.0.x as subnet for vpn?
09:30 <@krzee> hyper_ch: hes pushing a route, his vpn DOES use that subnet
09:31 < jone2404> sorry, I do, the 192.168 is my home net
09:31 < fnljk> yeah prolly ms only chanse to sell their services there would be to agree with somethingl ike that..
09:31 <+hyper_ch> krzee: ah, didn't see it all
09:31 <@krzee> see route-gateway var in his push_reply
09:31 <@krzee> oh and hyper_ch
09:31 <@krzee> http://eprint.iacr.org/2012/296.pdf
09:31 < fnljk> china prety crazy with their control and monitoring tho..pff =s   doesnt seem too much better here for the future heh
09:32 <@krzee> theres a <1sec sidechannel attack of AES from military grade chip in 2012
09:32 <+hyper_ch> I also like that russia demands that data on their citizens are stored on servers in russia
09:32 <+hyper_ch> krzee: can laymen like me even comprehend that?
09:32 <+hyper_ch> I'd love to see my gvt. demanding the same... but we're just too small and unimportant
09:34 < fnljk> yeah..monitoring all over, no escaping..
09:35 < fnljk> i dont think coincidental we're let aware of it all either... ~ https://en.wikipedia.org/wiki/Panopticism
09:35 <@vpnHelper> Title: Panopticism - Wikipedia (at en.wikipedia.org)
09:39 < jone2404> https://thepasteb.in/p/2RhKyNAm9AQF4
09:39 <+hyper_ch> there's a lot of routes
09:40 < jone2404> yup, at work
09:40 < jone2404> get same issue when at home over cell/data connection
09:41 <@krzee> work is client, home is server?
09:41 < jone2404> have to set static route manually to 'fix' it
09:41 < jone2404> yes, work is client
09:42 <@krzee> show me the server config pls
09:43 < jone2404> https://thepasteb.in/p/DRhjGRQLXn2Ty
09:43 < jone2404> except verb 4 now
09:43 <@krzee> comment out the ifconfig in your client config
09:43 <@krzee> for 1 thing
09:43 < jone2404> windows wont connect at all then
09:43 <@krzee> add --client
09:43 < jone2404> says it is required for dev tun
09:43 <@krzee> err just put client on its own line
09:44 <@krzee> that expands to have --pull which will allow you to process the things pushed at you, like your IP
09:44 <@krzee> and your route =]
09:45 < jone2404> so i should remove ifconfig and add a new line in client conf with just client on its own line?
09:45 <@krzee> yep
09:45 <@krzee> feel free to read up on --client and --server as well:
09:45 <@krzee> !man
09:45 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
09:46 <@krzee> !--
09:46 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
09:47 <@krzee> dude whyd you add reneg-sec 0???
09:48 <@krzee> you disabled your key renegotiation and effectively disabled forward security
09:49 <@krzee> !forwardsecurity
09:50 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can not decrypt past traffic, or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
09:50 < jone2404> prob something I copy pasted from a blog/forum - will remove
09:50 < jone2404> or should it have a diff value?
09:50 <@krzee> in that case i suggest you go through BOTH configs
09:50 <@krzee> and the manual
09:50 <@krzee> read every option you used
09:50 < jone2404> will do, ta
09:50 <@krzee> learn how your setup works
09:50 < jone2404> TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
09:50 <@krzee> for now, doing what i said will fix
09:50 < jone2404> thanks very much
09:51 <@krzee> but doesnt mean you have a good setup
09:51 <@krzee> definitely read up
09:51 <@krzee> you're welcome =]
09:51 < jone2404> yup :)
09:51 <@krzee> oh and 1 more thing
09:51 <@krzee> i see your dh key is 3072
09:52 < jone2404> too much?
09:52 <@krzee> first, do you use RSA?
09:52 < jone2404> yes
09:52 <@krzee> is your RSA 3072?
09:53 < jone2404> cant rememeber, will check
09:53 <@krzee> not too much, personally i use 4096
09:54 <@krzee> but your dh and your rsa should be the same bitsize
09:54 <@krzee> so whatever you did for your RSA, your dh should match
09:54 < jone2404> ok, thanks for the tip
09:54 < jone2404> will check/amend as needed
09:54 <@krzee> np
09:56 < jone2404> anyway, work is piling up now, so thanks again for the help, see ya
10:31 <+hyper_ch> krzee: hmmm, you're not in the US? I always placed you there
13:56 < PrincessBob> Hello world.. it is me.. bob.. and I got another question :)
13:57 < PrincessBob> is there a way, for me to tell my vpn, in my ovpn file.. to only use port 443/https for connections?
13:58 <+hyper_ch> openvpn config files do have a port setting
13:58 <+hyper_ch> alter it for server and client and set firewall rules and you're set
13:59 < PrincessBob> ok... lemme email my vpn then..
13:59 < PrincessBob> i just wanted to make sure what i read to do.. can actually be done..
14:01 <+hyper_ch> and https uses tcp IIRC..... so you'd also need to switch to tcp
14:01 <+hyper_ch> !tcp
14:01 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
14:02 < PrincessBob> yea...
14:02 < PrincessBob> im just learning sooooo much :)
15:09 < ohnx> is there a reason why OpenVPN would say it can't resolve an ip address?
15:10 < ohnx> I'm trying to connect to my server (running linux + OpenVPN) from my computer (running windows + OpenVPN + OpenVPN gui), but i keep getting an error that the IP couldn't be resolved
15:10 <+hyper_ch> which ip?
15:10 < ohnx> i put my server IP
15:10 <+hyper_ch> which server ip?
15:11 < ohnx> where OpenVPN is running?
15:11 <+hyper_ch> if you run openvpn on the server, how many ips does it have then?=
15:11 < ohnx> just 1
15:11 <+hyper_ch> then something is wrong with your server
15:12 < ohnx> here's the error i'm getting: http://paste.ubuntu.com/24942957/
15:12 < ohnx> hyper_ch: what could be wrong with my server? is it not listening?
15:13 <+hyper_ch> I haven't mastered the art of mindreading-over-the-internet yet
15:15 < ohnx> all i know is that the error says that resolution of the host address failed, despite the fact that i used an IP
15:15 < ohnx> and when i used a hostname, same issue
19:19 < Protected> Hey guys. I have a device with multiple local IP addresses and want to use it as a vpn "client". Only traffic originating from one of the addresses should be routed through the vpn; The rest should have nothing to do with it. How can I make this happen? (If there's an existing tutorial please just point me towards it, thanks.)
--- Day changed Sun Jun 25 2017
01:25 < wmchris> hello. Maybe someone can help me with this: I want to forward an public ip from a server to my client, which doesn't get its own public ip. At the moment I'm working with a internal bridge, then ip forward to an private ip, through openvpn to the client. This works... somehow... but It breaks all routing tables, needs masq and is ... pretty damn ugly. Is there a way to forward one IP completely through openvpn?
01:26 < wmchris> my wish would be that the tap interface on the client would get the public ip directly
02:13 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 255 seconds]
02:16 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
02:16 -!- mode/#openvpn [+v RBecker] by ChanServ
03:56 <@syzzer> hyper_ch, krzee: yeah, I definitely know the side-channels-from-distance project.  Wasn't really involved myself, just had a few chats with the interns who were.  That might even be one of the important feats - this was done by a couple of interns in about a year.
03:58 <@syzzer> They got help from some of our and some of Riscure's experts, but other than that they achieved this on their own
03:58 <@syzzer> so go figure what long-term professionals with nation-state budgets can do...
03:58 <@ordex> :S
04:42 <+hyper_ch> syzzer: so what can long-term pros with nation-state budgets do? :)
04:43 < [twisti]> i want to use openvpn on android, but i am concerned that my android device will think the openvpn simulated lan is an unmetered network and download updates and other big files through it, even though it as actually routed via my mobile connection. can anyone tell me if that is a valid concern, and if there are things i can do to prevent it ?
04:51 < y_morin> Hello! When I download openvpn-2.4.3.tar.xz from two different machines on different networks, I get two different tarballs.
04:52 <+hyper_ch> sha512sum
04:52 < y_morin> 26d25bb71c5ecfa398924b3ee3dec16b2776b3d67cf0b532c2b8a4368f1307bbd04b80ed38f0344c313aab38ec6e4e4f9bf2b3bc90bc197b2f257288e72eb5d8  autobuild/openvpn-2.4.3.tar.xz
04:52 < y_morin> b92ec769f672fa7c7a70985535754c566891f94774e4bc3aeb2141b3c168783aebeb82341635d3708978dd3254708221e2ddaae9919d4cf398318fff7d01c926  home/openvpn-2.4.3.tar.xz
04:52 < y_morin> autobuild is the incorrect one, home is the correct one (matches the sig)
04:52 <+hyper_ch> so there are difference
04:53 <+hyper_ch> no idea what the autobuild one is
04:53 < y_morin> hyper_ch: Yes, there are (I'll pasytebin a diffstat in a second)
04:53 <+hyper_ch> no need, can't help anyway
04:54 < y_morin> hyper_ch: OK.
04:57 <@ordex> y_morin: we had a wrong tarball uploaded by accident and cloudfare has been caching it for a while. so it may very well be still the cached version
04:58 < y_morin> ordex: OK, thanks the diffstat is about the build scripts: http://code.bulix.org/z6krn2-153974 , is that what the wrong tarball was about?
04:58 <@vpnHelper> Title: bulix.org / pastebin (at code.bulix.org)
04:59 <@ordex> y_morin: don't know much details as I am not involved in the packaging process, sorry
04:59 < y_morin> OK, thanks for the heads up. :-)
05:00 <@ordex> np!
05:50 <@syzzer> hyper_ch: I can only guess too - but I
05:50 <@syzzer> argh.  I
05:50 <@syzzer> I'd expect them to be able to do at least that
05:53 < COOurb> Hi. What is meaning of --tls-auth in TLS "handshaking"? I didn't read full RFC of TLS, only wikipedia. Can you tell me in few words or it's something difficult?
05:59 <@ordex> COOurb: tls-auth is something openvpn specific, I'd suggest you read the openvpn manpage first
06:00 < COOurb> ordex: yep, it says 'drop everything with incorrect signature'
06:00 <@ordex> sure, that's one of the things it says
06:00 <@ordex> but it also explains what it is
06:00 <@ordex> the paragraph is quite long actually:P
06:01 < COOurb> I'm kinda new to all that crypto-stuff and english isn't my native, so it's hard to get what it all mean
06:05 < COOurb> "where TLS control channel packets bearing an incorrect HMAC signature"
06:05 < COOurb> So it's about TLS connection management?
06:06 <@syzzer> COOurb: it's a wrapper *around* TLS
06:07 <@syzzer> to forget everything you know about TLS - and consider it just 'some insecure protocol'
06:08 <@syzzer> now each packet sent is authenticated with an HMAC, using the pre-shared tls-auth key
06:08 < COOurb> aha
06:09 < COOurb> so it's tls-auth key is used for symmetric encoding?
06:09 < COOurb> no
06:09 < COOurb> it can't be
06:10 < COOurb> when you said "authenticated with an HMAC" what did you mean?
06:10 < COOurb> signed with that tls-auth key?
06:11 <@syzzer> 'signed' is usually a term that is used for asymmetric crypto, but basically, yes
06:11 < COOurb> hm
06:21 < COOurb> is there any "diagram" how openvpn works? I mean, reading code is difficult
06:22 < COOurb> because if tls-auth is public it's will be easy to send it to all bots in botnet for ddos
06:26 <@ordex> COOurb: the key used for tls-auth(entication) is supposed to be secret
06:27 < COOurb> yes, I know it
06:28 < COOurb> so I still didn't get what for tls-auth for. For encrypting some message from client to server for... what?
06:28 < COOurb> what message
06:28 < COOurb> how it can protect from ddos?
06:28 < COOurb> it's public
06:29 <@ordex> clients send the HMAC along with control packets (used at the beginning to perform the TLS handshake - roughly) so that the server can verify they are coming from a known client (aka: a client that knows the tls-auth key)
06:30 <@ordex> if the HMAC can't be verified, then the server won't proceed with the resource allocation and the TLS handshake
06:30 <@ordex> will just 'drop everything with incorrect signature' - as you said before
06:31 <@ordex> this is what is does (a bit simplified)
06:31 < COOurb> and what about "protecting from dos"?
06:32 <@ordex> as I said, this is a mitigation because the server won't process anything having a wrong HMAC, so the daemon won't allocate any resource for it
06:34 <@ordex> COOurb: makes sense ?
06:35 < COOurb> ordex: trying to get info about HMAC constructing
06:35 < COOurb> as I said, I'm noob
06:36 <@ordex> sure, however the dos mitigation is unrelated to HMAC, meaning that, form a higher level perspective, any other cryptogaphic hash could have been used
06:36 <@ordex> (of course, with other consequences)
07:01 <@syzzer> COOurb: what ordex says.  what maybe helps to know is that computing an HMAC is much easier (and faster) than doing the TLS handshake.  So tls-auth reduces the cost of denying a malicious user from doing the entire handshake, to only doing the HMAC check.  And, "less work to deny a user" results in "better (D)DoS protection".
07:02 < COOurb> still reading about TLS (huge RFC) and searching for HMAC part in it
07:04 < COOurb> I heard about ddos on secure connection, when https requests consumed all resources
07:04 < COOurb> it's about that?
07:06 <+hyper_ch> ha, finally I can tell systemd to umount a mounted dir before shutting down the vpn :)
07:14 <@syzzer> COOurb: similar to that, yes
07:15 <+hyper_ch> dazo: https://github.com/sjau/nixos/blob/master/configuration.nix#L130
07:15 <@vpnHelper> Title: nixos/configuration.nix at master · sjau/nixos · GitHub (at github.com)
07:15 <+hyper_ch> hey syzzer, you're rather active today
07:16 <@syzzer> hyper_ch: heh, somewhat.  hanging around on the couch recovering from parties of the last two nights :')
07:16 <+hyper_ch> ah
07:16 <+hyper_ch> just fiddling with my system here
07:16 <+hyper_ch> I really like nixos meanwhile
07:18 <+hyper_ch> especially that you have one config file where you can setup the whole system
07:18 <+hyper_ch> but then, it also has its fair share of issues and challenges :)
07:18 <@syzzer> hadn't heard of it before, but this sounds interesting
07:18 <@syzzer> ah, lunch has arrived.  have to move away from the couch :p
07:19 <+hyper_ch> what distro are you using?
07:19 <+hyper_ch> good delivery service will bring it to your couch ;)
07:19 <@syzzer> mostly debian/ubuntu, "because I got used to it at some point"
07:19 <+hyper_ch> I love debian on servers
07:20 <+hyper_ch> and I use k/x/ubuntu until I changed to nixos
08:30 <+hyper_ch> hmmm, is this windows source code leak actually something good?
10:50 -!- marlinc_ is now known as marlinc
10:56 -!- dionysus70 is now known as dionysus69
12:29 < Eugene> Not really. Its mostly internal/debug binary builds. The source code has come out before(and will again). It will be of some interest to CVE hunters but thats really it
12:31 < Eugene> Qualifying Customers(Government, ENTERPRISE, development Partners) can already get access to the source repo https://www.microsoft.com/en-us/sharedsource/
12:31 < Eugene> So its not like this is even THAT sensitive
12:31 <@vpnHelper> Title: Microsoft | Shared Source Initiative (at www.microsoft.com)
12:37 < monkwitdafunk> Hi. What are you guys talking about? I never used a VPN.
12:43 < monkwitdafunk> Brb
12:50 < [twisti]> i want to use openvpn on android, but i am concerned that my android device will think the openvpn simulated lan is an unmetered network and download updates and other big files through it, even though it as actually routed via my mobile connection. can anyone tell me if that is a valid concern, and if there are things i can do to prevent it ?
13:24 < BtbN> Ask the android people how it determines a connection to be metered
14:43 <@plaisthos> [twisti]: VPN should not change metered/unmetered stat
14:43 <@plaisthos> [twisti]: unless the app develoeprs knew it better and use some bizzare self implemented logic
15:28 < epon> hey all, why do i get this error when trying to use --writepid option?
15:28 < epon> Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: write-pid (2.4.2)
16:02 < BtbN> because the option is called writepid
16:03 < epon> i have spelled it both ways and it doesn't work
16:06 < epon> sudo openvpn --writepid "/var/run/openvpn.pid" example.ovpn
16:06 < epon> Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: writepid (2.4.3)
16:30 <@plaisthos> epon: --config example.ovpn
16:30 <@plaisthos> otherwise it is interpret as seoncd parameter to writepid
18:07 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
18:18 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:18 -!- mode/#openvpn [+v s7r] by ChanServ
23:20 -!- DeathShot_ is now known as DeathShot
--- Day changed Mon Jun 26 2017
02:50 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
02:50 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
02:50 -!- mode/#openvpn [+v s7r] by ChanServ
02:53 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
02:55 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
02:55 -!- mode/#openvpn [+v s7r] by ChanServ
03:29 < Haxxa> I have an ipv4 only vpn (PIA) and my traffic is leaking via IPv6, I can't disable IPv6 due to been in a lxc container instead I was intending on using ipv6tables to disable traffic external to the vpn - will this work what is the best way to resolve this?
03:30 <+hyper_ch> leaking ipv6?
03:36 < Haxxa> hyper_ch, my traffic is going over ipv6 instead of the vpn
03:36 <+hyper_ch> and you want everything through the vpn?
03:36 < Haxxa> hyper_ch, correct
03:36 <+hyper_ch> !def1
03:36 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
03:38 < Haxxa> vpnHelper, thanks researching now
03:38 <+hyper_ch> vpnhelper is a bot
03:39 < Haxxa> hyper_ch, I meant to type your nick sorry
03:39 < Haxxa> I have been up since 5am this morning
03:40 <+hyper_ch> same here
03:40 < Haxxa> hyper_ch, If my vpn provider doesn't support IPv6 there is not hope of using it right, I assume it need support on both ends?
03:40 < Haxxa> *no
03:40 <+hyper_ch> you only need the routing on the client side
03:41 <+hyper_ch> but it would probably be easierst do disable ipv6
03:42 < Haxxa> hyper_ch, I am in a situation where I can't disable IPv6 due to the environment I am in  (disabling it isn't persistent) - would rejecting all ipv6 traffic using iptables(v6) andthe redirect gateway option be suitable
03:43 <+hyper_ch> no idea, sorry
03:49 < Haxxa> hyper_ch, I am getting this message: 'write UDPv4: Operation not permitted (code=1)
03:49 < Haxxa> '
03:50 <+hyper_ch> usually the def1 flag is set by the server and pushed to clients I think
03:50 <+hyper_ch> but I know too little about that
03:58 < Haxxa> hyper_ch, I added redirect but traffic is still going over ipv6
03:59 <+hyper_ch> yeah, you'll need according ruting rules for ipv6 as well I think... but I don't really know much about ipv6, sorry
05:38 < ChristianS> hi, anyone knows whether the down-root plugin can still be found somewhere in the latest debian testing (buster)?
05:38 < ChristianS> it used to be in the openvpn package (/usr/lib/openvpn/openvpn-plugin-down-root.so), but that's no longer the case
05:40 < ChristianS> ah! looks like it has been moved to /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-down-root.so
06:06 <+hyper_ch> ChristianS: what systemd version?
06:07 <+hyper_ch> if you have v233 there's a much nicer solution
06:10 < ChristianS> hyper_ch: i have systemd 233, yes
06:11 <+hyper_ch> ChristianS: sorry.... I was thinking too much ahead... I used down root to umount shares that are mounted over the vpn
06:11 <+hyper_ch> with systemd 233 you can now have extended mount attributes that make sure such shares get umounted before tunnel close
06:12 <+hyper_ch> but not sure if you need the same :)
06:12 < ChristianS> no, but thanks anyway :)
06:12 <+hyper_ch> so what do you need down-root then for?
06:18 < ChristianS> updating /etc/resolv.conf
06:35 <+hyper_ch> ChristianS: can't help you there, sorry
06:41 <@plaisthos> !learn weakmd as Your certificate is probably using MD5 and OpenSSL 1.1 does not allow that anymore. You should update your certifaces. For OpenVPN 2.4.4+ you can Use tls-cipher "DEFAULT:@SECLEVEL=0" to allow md5 signatures.
06:41 <@vpnHelper> Joo got it.
06:48 <+hyper_ch> krzee: https://lists.debian.org/debian-devel/2017/06/msg00308.html
06:48 <@vpnHelper> Title: [WARNING] Intel Skylake/Kaby Lake processors: broken hyper-threading (at lists.debian.org)
10:36 -!- ptx0 is now known as kash
10:54 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
10:56 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
10:56 -!- mode/#openvpn [+v RBecker] by ChanServ
11:52 -!- ratliff_ is now known as ratliff
12:31 <+hyper_ch> so, my Dripo has arrived... now I'll have my first attempt at cold brew coffee
12:42 < _FBi> neat
12:49 <+hyper_ch> _FBi: it sounds cool... but wiating like 3h for a coffee and drinking ice cold coffee... I'll have to see how it goes
12:50 < _FBi> I hoper its worth it lol
12:53 <+hyper_ch> it's hot outside
12:53 <+hyper_ch> so cool coffee could be nice
12:53 < _FBi> or water xD
12:54 <+hyper_ch> guess what the main ingredient is for coffee ;)
12:56 < _FBi> 99% water, 1% diuretic?
12:56 <+hyper_ch> no idea what diuretic is :)
12:56 <+hyper_ch> but sounds about right
12:57 <+hyper_ch> actually not... main ingredient - singular ;) 99%, 1% diuretic --> more than 1 ;)
13:03 < rob0> !ca
13:04 <+hyper_ch> factoid fail
13:05 < rob0> I'm going to start a new CA which will be used in part for openvpn.  Wondering, are there any suggestions for Linux other than openssl's minimal ca(1) app?
13:06 <+hyper_ch> easyrsa
13:06 <+hyper_ch> rob0: https://community.openvpn.net/openvpn/wiki/EasyRSA3-Insecure-PKI
13:06 <@vpnHelper> Title: EasyRSA3-Insecure-PKI – OpenVPN Community (at community.openvpn.net)
13:06 <+hyper_ch> if you want to generate all certs and keys
13:07 <+hyper_ch> https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto  - if you just want to cross sign or whatever it's called
13:07 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net)
13:07 <+hyper_ch> I go for the first variant myself :)
13:09 < rob0> oh I'm familiar with easyrsa, but not real happy with it :)
13:09 <+hyper_ch> and what makes you unhappy about it?
13:11 < rob0> always seemed over done to me; I'd just make my own openssl.cnf and run the ca/req/x509 commands directly
13:11 < rob0> it doesn't seem to add any features over that
13:11 <+hyper_ch> but easyrsa is so much nicer IMHO
13:12 <+hyper_ch> well, you're free to create your own certs manually :)
13:13 <+hyper_ch> hmmm, why aren't you in other channles.. I'm pretty sure I know your nick from one of my regular channels
13:15 <@ecrist> rob0: ssl-admin, or easy-rsa
13:15 <+hyper_ch> ecrist: he doesn't like easyrsa for some reason
13:16 < rob0> :)
13:16 <@ecrist> I don' either
13:16 <@ecrist> which is why I wrote ssl-admin
13:16 <@ecrist> they both have positives/negatives
13:16 <@ecrist> ironically, I'm the easyrsa maintainer
13:16 < rob0> specifically I was wanting to explore things which do not build on openssl/ca
13:16 <+hyper_ch> what's not to like about easyrsa?
13:17 <+hyper_ch> actually, I don't like that key and cert aren't in the same folder anymore
13:17 <+hyper_ch> in v3
13:17 <@ecrist> rob0: why not? 
13:18 < rob0> why not ca?  I just supposed there were more complete CA tools available.  I can't imagine folks like Thawte & Verisign (yuck) using a ca frontend :)
13:19 <+hyper_ch> they hired like 1000 indians to do that all manually
13:19 < rob0> just curious really, I will probably end up going with what I already have
13:19 <+hyper_ch> easyrsa can be totally automated/scripted....
13:19 <+hyper_ch> ss-admin probably as well
13:19 < rob0> hyper_ch, you might also know me from here.  I always getting booted out in netsplits.
13:19 <@ecrist> rob0: I suspect they're not using open-source libraries, and are using something developed in-house.
13:20 < rob0> ecrist, probably so.
13:20 <+hyper_ch> rob0: pretty sure I've seen you in other channels
13:20 <@ecrist> notably, rob0 is a chief troll^H^H^H^H^Hoper in #postfix
13:20 <+hyper_ch> ah, here, postfix and wireguard
13:21 <@ecrist> and maybe #freeswitch
13:21 <+hyper_ch> and FS of cours
13:21 <+hyper_ch> btw, ecrist, about freeswitch...can I run an idea by you?
13:21 <@ecrist> sure
13:21  * ecrist used to maintain FreeBSD freeswitch port
13:21 < rob0> actually I'm the lowest ranking op in #postfix (but I'm the only one who's there regularly :) )
13:21 <+hyper_ch> ok, lately I get a lot of annoying calls.... there's one really nice caller id tool here in switzerland - website - with a nice api
13:22 <+hyper_ch> this far, I just checked up incoming caller ids there if it's not in the database already
13:22 <@ecrist> hyper_ch: it's really easy to automate everything in FS
13:22 <+hyper_ch> ecrist: I know that....
13:22 <+hyper_ch> I have that already
13:22 <@ecrist> glad I could help
13:22 <@ecrist> :)
13:23 <+hyper_ch> so, the problem with the call center is that the caller id is not directly searchable in that website
13:23 <+hyper_ch> usually it's a 100 number block
13:23 <+hyper_ch> so if callerid is  012 345 67 89 (no result)
13:23 <+hyper_ch> then the block would be 012 345 67 00
13:23 <+hyper_ch> if I look up the block number, I do get "Call Center" return
13:23 <@ecrist> and your upstream doesn't provide CID?
13:24 < rob0> are you going to the Digium * webinar tomorrow?
13:24 <+hyper_ch> so I've been pondering, is it wise to just drop all call from numbers that do not have an entry and where the 100 block return call center?
13:25 <@ecrist> hyper_ch: that's up to you.  You could dump them into an IVR and make the potential "call center" validate the human-ness, before being routed.
13:25 <@ecrist> rob0: I am not.
13:25 <@ecrist> something silly like, "press 8 3 to continue" and disconnect the caller after 5 seconds or something
13:26 <+hyper_ch> ecrist: that's probably better
13:26 <+hyper_ch> "press 1 to continue, by pressing 1 you are confirming you're not a call center and want to sell me something... if you press 1 and you are a call center, I'm going to sue your ass off"
13:27 <@ecrist> meh, that will get ignored and nobody ever sues.  83 is not an automatic "1" that some call systems might try.
13:27 <+hyper_ch> ecrist: https://tel.search.ch  -->   044 504 23 54
13:27 <@vpnHelper> Title: Offizielles Telefonbuch der Schweiz - search.ch (at tel.search.ch)
13:27 <+hyper_ch> no result,  but 044 504 23 00 call center
13:29 <+hyper_ch> geez, my entry on mod_cidlookup in the wiki is still there for tel.search.ch :)
13:29 <+hyper_ch> I added that years ago
13:29 <+hyper_ch> and it got even moved over to confluence
13:30 <+hyper_ch> ecrist: but good input about using IVR
13:30 <+hyper_ch> I knew you were the right guy to ask
13:31 <+hyper_ch> also, you said you do freebsd things... do you use zfs?
14:07 <@ecrist> yes, I use ZFS
14:08 <+hyper_ch> took you a long time to anser that question ;)
14:09 <+hyper_ch> can normal people like me handle zfs?
14:24 < xboner> can anyone tell me where to download my .ovpn file from my access server ?
14:24 < xboner> i can download openvpn connect, but i really just want the ovpn file for a router
14:25 < xboner> jesus, im dumb nevermind the file was at the bottom
14:25 < xboner> ty guys
14:49 < kerio> xboner: no problem!
14:51 <@ecrist> xboner: see #openvpn-as for access server support
14:51 <@ecrist> hyper_ch: yes, you can handle ZFS, it's not that scary.
14:52 < xboner> ty guys
14:53 < kerio> why would zfs be hard to use
14:53 < kerio> if anything, it's much easier to use
14:54 < sudormrf> hey guys, I am trying to track something down and figure out why a thing is occurring. iOS OpenVPN app. was working fine until recently when I switched my mobile provider. now when I try to connect to my house it looks like it is doing an ipv6 DNS resolution (no IPv6 address), it then times out and never connects. what I am trying to determine is: is there a setting I can modify in the openvpn config for it to not do this (or wait longer)
14:54 < sudormrf> until it falls back to ipv4? or am I stuck with calling my mobile provider and trying to shake that tree?
14:55 < sudormrf> if I do dns lookups to my house there is no quad A record, there is an A record that points to the correct place.
14:55 < Eugene> The problem with ZFS, much like all other good software, is the annoying evangelists spouting lies. Yes, ZFS is a powerful filesystem. Its also a lot more than that, has very little in common with every other filesystem(totally different toolset and nouns), and thus violates the Rule of No Surprises for most people. So no, it is not simple or easy.
14:56 < kerio> i said easier to *use*
14:56 < sudormrf> just trying to narrow the scope here
14:56 < kerio> you can just take snapshots and then fuck things up
14:57 < kerio> knowing that you can rollback without any issue
14:57 < kerio> and boot in single user mode from an old snapshot, for instance
16:07 < rob0> Eugene, IIRC you had written something about security best practices in an x509 PKI for openvpn?  Or am I hallucinating?  Why am I seeing purple elephants in the sky? :)
16:07 < Eugene> !unpriv
16:07 <@vpnHelper> "unpriv" is see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions.
16:08 < Eugene> PKI best practices no. I can give you some advice if you like
16:08 < Eugene> !xca
16:08 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa., or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
16:08 < Eugene> I did make an example XCA database. I'm not doing the writeup; I've stopped using it myself. Let's Encrypt works just fine.
16:09 < Eugene> (somebody should change the bot factoid)
16:10 < rob0> LE?  You're using LE for openvpn?!? /o\
16:11 < Eugene> Yup, sure am. Works fine for the server side. Clients validate the CN is correct and additionally I'm using HMAC, then user/pass auth
16:12 < rob0> oh, so I'd still have to brute force a user/pass to connect to your VPN :)
16:12 < Eugene> After brute-forcing my HMAC key
16:14 < rob0> So, I am going to do a root CA and a secondary CA, and the secondary will sign certs that will be used for openvpn and [eventually] also for email submission & IMAP once I figure out how to manage that.
16:15 < Eugene> Who is the user base? Do you have an existing LDAP or anything like that?
16:15 < rob0> hmm, I have some in sqlite and others in passwd/shadow
16:16 < Eugene> For the most paranoid security, you want to have your Root CA live on an airgapped machine or flash drive. The intermediate CA should have a 2-year validity, and create 1 year certs. Rotate it every year, so that the end certificates always expire before the intermediate does.
16:16 < Eugene> Use your intermediates by Purpose. Eg, have one that creates Server certs, another for User certs.
16:16 < rob0> ah, good idea
16:16 < Eugene> This is not technical, but rather to prevent leaks: you won't use the ServerCA as often as the UserCA, so why expose it to risk?
16:18 < Eugene> Set up calendar reminders or Nagios alarms to warn of upcoming expirations. You WILL forget them. This is 100% of the reason why I use LE now
16:18 < rob0> haha yes, btdt, gtts
16:19 < Eugene> None of this is really openvpn-specific, just some wisdom from running internal CAs for so long
16:19 < Eugene> If you had said LDAP I would have pointed you towards auto-enrollment. You can actually use an external CA to create your LDAP "root" cert, etc
16:20 < Eugene> Windows AD has some good tooling around it, but with non-technical users there really isn't any point..... I don't use client certificates for humans because of these. User+pass works great
16:20 < rob0> fortunately I *do* have techie users
16:20 < Eugene> Server-to-server links I use either static-key mode or a 10-year-expiry one-off certificate pair
16:21 < Eugene> If you're feeling really fancy: you can use a ssh private key as an openvpn private key(they're both RSA, typically). Make a shell script that vomits out the CSR, have them copy-paste that to your enrollment admin or server, and then receive back a completed CRT
16:22 < Eugene> A friend of mine made a thing that used Github for this; extremely slick.
16:40 < kerio> that would involve using RSA ssh keys tho
16:41 < kerio> like, ew
16:45 < sudormrf> my suspicion is my issue is DNS related with my mobile provider, but am hoping someone here can clarify if there are settings I can add to an openvpn profile
19:05 <@krzee> sudormrf: try pushing 8.8.8.8 as the dns server using:
19:05 <@krzee> !pushdns
19:05 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for
19:05 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
19:06 <@krzee> its possible that you're using your mobile providers dns server and when you redirect over the vpn you try to reach that dns server with the vpn server public IP as your source, so they properly drop it because that's not an IP they serve dns to
20:40 < sudormrf> krzee: will give it a shot
20:42 < sudormrf> I may already be doing that
20:42 < sudormrf> krzee: that should only apply after someone connects, right? or does the app look at the config and use whatever DNS servers are listed in that config to perform it's initial host name lookup?
20:43 < sudormrf> I would think it wouldn't override whatever the phone is looking at, at least not until you connected
21:03 < altker128> Hey guys, question here -- what's the highest throughput you've achieved when using OpenVPN?  What tends to be the the bottle neck, AES/SSL computation?
22:06 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 255 seconds]
22:06 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
22:06 -!- mode/#openvpn [+v RBecker] by ChanServ
23:46 <+hyper_ch> kerio: zfs is so powerful - which means it's usually also very complicated - so non-tech-people like me can be overwhelmed by it
23:46 <+hyper_ch> s/can/could/
23:51 <+hyper_ch> ecrist: ok, my setup currently is as followed. My SSD has two partitions. One for /boot and one for data. Both partitions are setup as software raid1. The /boot is then using ext4 and the data partition is then encrypted with luks...
23:52 <+hyper_ch> the reason for raid1 is that I can expand it to two drives at will... meaning I can attach external usb (3.0) drive, expand the raid to two drives, have it synced and then remove the external usb again, so if the ssd dies or gets lots, I have quickly re-setup another notebook/ssd
--- Day changed Tue Jun 27 2017
00:22 -!- s7r [~s7r@openvpn/user/s7r] has quit [Read error: Connection reset by peer]
00:22 -!- hyamamoto is now known as hiroki
00:22 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 260 seconds]
00:22 -!- s7r_ [~s7r@openvpn/user/s7r] has joined #openvpn
00:22 -!- mode/#openvpn [+v s7r_] by ChanServ
00:23 -!- s7r_ is now known as s7r
00:25 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
00:25 -!- mode/#openvpn [+v RBecker] by ChanServ
00:42 <+hyper_ch> ecrist: if you have time, I'd like to learn more about zfs :)
00:48 -!- MogDog66 is now known as MogDog
00:48 <+hyper_ch> so, I'd use the following: first create two partitions and make them each raid1 with 1 device.... 1 partition would be /boot which will remain ext4;   the other partition will use luks/dm-crypt to create encrypted partition....  once that encrypted partition is created, I'd formate it with zfs
00:50 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
00:50 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
00:50 -!- mode/#openvpn [+v s7r] by ChanServ
04:43 -!- nitdega_ is now known as nitdega
04:43 -!- bandroidx_ is now known as bandroidx
04:43 -!- madduck_ is now known as madduck
04:44 -!- BuildTheRobots_ is now known as BuildTheRobots
04:45 -!- Exagone314 is now known as Exagone313
06:50 < kaushal> Hi
06:50 < kaushal> I am seeing this issue
06:51 < kaushal> http://pastebin.centos.org/115561/
06:51 < kaushal> you can disable the options consistency check with --disable-occ.
06:51 < kaushal> I have setup point to point vpn tunnel and unable to ping to each other
06:51 < kaushal> very weird issue
06:52 < kaushal> On both sides i am running openvpn-2.4.1-3.el6.x86_64
06:52 < kaushal> CentOS release 6.8 (Final)
06:53 < kaushal> I can share the configs for your reference
06:55 < turlando> Hello everyone
06:57 < turlando> Maybe it's a noob question: my server is a remote server, and my client is a router for some LANs. I want to be able to reach clients on the openvpn client's LANs from within my server. I am not sure if I just need to manually add the routes to the client's LANs to my server network configuration or if I need to specify something on my client.conf
06:57 < turlando> I mean, it would be nice that the route to the router would be added when the client connects and removed when the client disconnects or so
10:09 < redrabbit> hi
10:10 < redrabbit> how can i make sure dns requests go through my openvpn link ?
10:11 <@plaisthos> !dns
10:11 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
10:11 <@plaisthos> !pushdns
10:11 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN
10:11 <@vpnHelper> for Android and OpenVPN Connect will happily accept push dhcp-option
10:23 < redrabbit> !dns
10:23 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
10:23 < redrabbit> #2
10:25 < redrabbit> i guess i have to use pull-resolv-conf
10:35 < reelin> !welcome
10:35 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
10:35 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
10:35 < reelin> !1925
10:35 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
10:38 < reelin> I run an ubuntu server with openVPN. When I run openvpn, it works - sudo openvpn configfile.ovpn creates the routes I need, whilst the SSH session is open. However if that session dies, when I attempt to rerun this, it produces the following error: "ERROR: Linux route add command failed: external program exited with error status: 2" which isn't resolved until reboot.
10:39 < reelin> How can I rectify this without reboot? Thanks
10:43 < sudormrf> krzee: sorry if you responded yesterday and I missed it. The setting in question wouldn't supercede the DNS of the phone, right? is there a way to adjust the time out so that it has time to fall back to ipv4?
10:43 < sudormrf> still trying to figure out where the issue is. I am more on the side of it being an issue with my mobile provider...which means it will never get solved xD
10:43 < sudormrf> but I need to eliminate all other possibilities
10:45 < redrabbit> pull-resolv-conf didnt worked
10:46 < redrabbit> i tried to add dhcp-option DNS 80.80.80.80 to the client.conf / pushing it from the server it didnt affected used dns serv
10:47 < redrabbit> still use dns from main interface
10:47 < redrabbit> and it must try to query it though the tunnel, and its not working
10:53 < sudormrf> 80.80.80.80?
10:56 < redrabbit> that part doesnt matter i guess
10:56 < redrabbit> its just a free dns service
10:58 < redrabbit> basically dns resolution dont work after i start openvpn
10:58 < redrabbit> it may be because i'm using a restritive free hotspot though
10:58 < redrabbit> pings to all ips work
10:58 < redrabbit> tunnel work
10:59 < redrabbit> it connects fine
10:59 < redrabbit> breaks dns resolution
11:00 < redrabbit> if i stop the service dns resolution works again
11:02 < PMunch> Hi, I'm having some trouble setting up my VPN. Tried following this guide: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04 but I'm using Arno iptables instead of UFW, however I tried to disable it and my problem persists. I am able to connect to the VPN (networkmanager says it's okay) but I'm unable to reach anything.
11:02 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
11:05 < PMunch> Any ideas on what I might've done wrong?
11:06 < PMunch> I can see my connection in /etc/openvpn/openvpn-status.log
11:26 < reelin> !goal ' run an ubuntu server with openVPN. When I run openvpn, it works - sudo openvpn configfile.ovpn creates the routes I need, whilst the SSH session is open. However if that session dies, when I attempt to rerun this, it produces the following error: "ERROR: Linux route add command failed: external program exited with error status: 2" which isn't resolved until reboot. How can I rectify this without reboot? Thanks'
11:26 < PMunch> !welcome
11:26 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
11:26 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
11:27 < PMunch> !goal
11:27 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:27 < PMunch> Hi, I'm having some trouble setting up my VPN. Tried following this guide: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04 but I'm using Arno iptables instead of UFW, however I tried to disable it and my problem persists. I am able to connect to the VPN (networkmanager says it's okay) but I'm unable to reach anything.
11:28 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
11:35 <@plaisthos> !flowchart
11:35 <@plaisthos> !flow-chart
11:35 <@plaisthos> dammit
11:35 <@plaisthos> !debug
11:35 <@plaisthos> !factoids
11:35 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
11:36 <@plaisthos> !redirect
11:36 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
11:36 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
11:36 <@plaisthos> !ipforwarding
11:36 <@plaisthos> !ipforward
11:36 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
11:36 <@krzee> !flowcharts
11:36 <@vpnHelper> "flowcharts" is (#1) from !serverlan http://www.ircpimps.org/serverlan.png, or (#2) from !clientlan http://www.ircpimps.org/clientlan.png, or (#3) from !redirect http://www.ircpimps.org/redirect.png
11:36 <@krzee> (theres multiple :D)
11:38 < webuser5-> Is it normal that I don't see 'openvpn'-type connections in wireshark although I'm connected to the OpenVPN server?
11:38 <@krzee> are you sniffing tun or eth device?
11:41 < PMunch> Tried some more and I'm able to SSH into my machine using it's virtual sub-net IP. So I definitely have a connection to the server
11:43 <@krzee> PMunch: whats your goal?
11:44 -!- webuser5- is now known as webuser5224
11:44 <@krzee> all i saw was a link to a blog, which i wont be looking at
11:44 <@krzee> because:
11:44 <@krzee> !blog
11:44 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
11:44 < PMunch> I'm trying to set up a OpenVPN on a server that I have full control over
11:44 < PMunch> And connect to it from my machine
11:44 <@krzee> !goal
11:44 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:44 <@krzee> so you just want to access the server over the vpn?
11:45 <@krzee> like so you can ssh to it and access its services over vpn?
11:45 < rob0> I need to write a brog in engrish
11:45 < PMunch> No, the server is on my university campus. I want to use the VPN so that I can access sites typically restricted to the eduroam network
11:46 <@krzee> ok so you want to route only a certain subnet that is on the internet over the vpn to show up as the vpn server's public ip to only that certain subnet?
11:47 <@krzee> !crystal
11:47 <@vpnHelper> "crystal" is (#1) Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome., or (#2) unless reiffert is here, his crystal ball is functional again
11:47 <@krzee> heheh
11:47 < PMunch> Haha, sorry. Clearly stating your goal is always hard
11:47 <@krzee> =]
11:48 < rob0> so, do you go to eduroam via a proxy, or via a special/private network?
11:49 < webuser5224> I'm probably going to describe this wrong
11:49 < PMunch> Okay, from our university network we have access to scientific papers since our university subscribes to them. What I want is to be able to appear as if I'm on the university network so that I can get access to these articles.
11:50 <@krzee> so you know the IPs or subnets of the servers that you want to proxy to, right?
11:50 < rob0> oh.  So these are sites that are basically open to the Internet, but give you special treatment from your .edu network
11:50 < webuser5224> krzee, I have a router that is connected to the internet, acts as an OpenVPN client and also provides a lan interface and a dhcp server so computers in the network can connect to the internet over it.
11:50 <@krzee> webuser5224: you asked about a wireshark question, to answer it all i need to know if what device you are sniffing
11:50 <@krzee> is*
11:51 < webuser5224> On the computer connected to the router it is eth
11:51 <@krzee> oh, no it cant see the vpn that is in front of it
11:52 < rob0> PMunch, you could set up a proxy on the .edu side of the tunnel, and point your browser at it.  Otherwise, you could:
11:52 < rob0> !redirect
11:52 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
11:52 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
11:52 < webuser5224> krzee, how exactly does that work?
11:53 <@krzee> webuser5224: the vpn is in its route, its not flowing over the computer you're sniffing
11:53 <@krzee> you can only sniff packets that pass over your interface
11:53 <@krzee> !101
11:53 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
11:53 <@krzee> i suggest #networking
11:53 <@krzee> oops i mean ##networking
11:53 < webuser5224> Why do some channels use a double '#'?
11:54 < rob0> if you could sniff VPN from a machine which is not on the VPN, the VN is not very P
11:54 <@krzee> a good question for #freenode
11:54 <@krzee> # channels are official
11:54 <@krzee> so ##openvpn was here until openvpn technologies came to irc and we became #openvpn
11:54 < rob0> s/official/associated with an on-topic project/
11:54 < webuser5224> ok, thanks
11:56 <@krzee> rob0: isnt that what makes it official?
11:57 < rob0> well, it's a minor distinction, yes
11:57 < rob0> In theory a # channel is under direct control of people who are part of the project.  But that's not always the case.
11:58 < rob0> What IS always the case, is that the people running the project could take over control of a #channel
11:59 <@krzee> ahh
11:59 <@krzee> i didnt know you could register a # without showing some sort of evidence
11:59 < rob0> I got tired of hanging out in #freenode, too much silly trolling goes on :)
12:00 <@krzee> (i wasnt part of the technical process of moving from ## to # here)
12:00 < rob0> oh yes, you can start a #channel without evidence, but you cannot set a successor owner
12:00 < PMunch> Well I tried to redirect. When I connect to the VPN I can the routes (found through netstat -nr) updating to something which looks right
12:01 <@krzee> !configs
12:01 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
12:01 < PMunch> http://ix.io/y3K
12:01 < PMunch> First block is without the VPN, second is with
12:01 < rob0> PMunch, I think you'd be better off with the proxy choice
12:02 < PMunch> 10.8.0.1 is the virtual address of the VPN
12:02 <@krzee> and i think you should only route the subnets you need to reach over the vpn
12:02 <@krzee> why the entire internet?
12:03 < PMunch> Mostly for convenience. This way I can log on to the VPN access what I need through eduroam, and disconnect
12:03 <@krzee> the way i said would be more convenient, if you didnt disconnect it wouldnt slow down your internet connection
12:04 <@krzee> and you wouldnt start reading your email over the uni network, etc
12:04 <@krzee> but hey... its your setup, do whatever you like
12:04 <@krzee> still waiting to see configs
12:04 < PMunch> Did you ask me for configs?
12:04 < PMunch> If so which ones
12:05 <@krzee> !configs
12:05 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
12:06 < PMunch> http://ix.io/y3M
12:07 < PMunch> server.conf
12:07 < PMunch> http://ix.io/y3N
12:07 < PMunch> client.ovpn
12:09 < PMunch> server OS: Ubuntu 16.04, client OS: Manjaro i3
12:09 < PMunch> Better?
12:13 < PMunch> Ey, I got it to work :)
12:14 < PMunch> It was the NET_INTERNAT_NET option in the Arno iptables config
12:14 < PMunch> When I set that to reflect the actual virtual network it works fine
12:18 < rob0> so /topic wins again :)
12:18 <@krzee> oh nice
12:18 <@krzee> i just sat to read the configs
12:18 <@krzee> glad you caught it
12:19 < PMunch> Haha, I guess. Tried to disable my firewall to ensure that it wasn't doing anything wrong, not realising that I actually needed that part of the config for the VPN to work..
12:19 <@krzee> now if you decide to only route certain subnets, all youd do is replace --redirect-gateway with --route
12:19 < PMunch> krzee, you didn't spot any horrible glaring holes in my config?
12:20 <@krzee> not a hole, but you use key-direction without tls-auth
12:21 <@krzee> oh weird, you do have tls-auth
12:21 <@krzee> but in client config its not there, i take it you removed the inline and didnt keep the tags?
12:21 <@krzee> ahh ya i see it doesnt have any of the files, so ya thats what that must be
12:22 < PMunch> I removed the inline keys yes
12:22 <@krzee> ya thats good
12:23 <@krzee> so nah it looks fine
12:23 <@krzee> just so you know, dont depend on ipp.txt for static ips
12:23 < PMunch> It has <ca>, <cert>, <key>, and <tls-auth> tags ):
12:23 <@krzee> !ipp
12:23 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
12:23 < PMunch> s/):/:)
12:44 -!- zedde is now known as Varazir
13:27 < webuser5224> I now asked for help in another channel, like suggested
13:28 < webuser5224> One question that remained: if my router is the openvpn client my computer is connected in the same lan, is the traffic unencrypted after it leaves the openvpn tunnel?
13:30 < webuser5224> If my computer was the openvpn client, it would only leave the tunnel once it reached my computer and I was wondering whether there is a difference if the tunnel only reaches the router.
13:31 < rob0> Tunnel means "encrypt/encapsulate, send to remote endpoint, remote decrypts, sends on to final destination" (the final destination could be the other endpoint or forwarded on elsewhere.)
13:32 < rob0> So it is encrypted in transit over Internet, but not after that.
16:05 < tcpdump> hey everyone - I have an openvpn server, and a client - they're both operating in tun mode, it's a pretty basic config: https://2048-bit.com/bin/?ce5e7e4aba3f2259#JdsOk8pmxzKsi2VamdNxM/mB7Vk+E2z7N9qw/dTq8Gw=
16:05 <@vpnHelper> Title: 2048-Bit.com (at 2048-bit.com)
16:05 < tcpdump> Is there any way to speed up the tunnel? Im using iperf to test and am getting about 10 Mbit/sec on the vpn link, 250 on the Wireless (LAN) and 450Mbit on the Internet.
17:48 < solstis> I have some debian boxes with syncthing setup to do off site backups for some of my clients.  I was thinking of having the debian box auto vpn into a digitalocean server I have.  From there I can VPN in and manage the remote connect VPN device and load the syncthing gui and all that good stuff.  I've tested having 3 computers connected to the VPN server, but it's hard to figure out who is who.
17:48 < solstis> I check the /etc/openvpn/openvpn.log, but only shows me lan IP it assigned and the public address.
17:48 < solstis> Is there a way to have it show the hostname of the connected computer so I can tell who is who?
17:49 < solstis> Just found about about management port and I've telnet into that and do a status but it shows me same info as openvpn.log
17:50 < solstis> Is using something like openvpn-monitor (https://github.com/furlongm/openvpn-monitor) the only way for me to track it?  I haven't tried it yet, but from the screen shots it shows the hostname.
17:50 <@vpnHelper> Title: GitHub - furlongm/openvpn-monitor: openvpn-monitor is a web based OpenVPN monitor, that shows current connection information, such as users, location and data transferred. (at github.com)
17:50 < solstis> So thinking there's gotta be a way to see the hostname so I know what IP like 10.8.0.2 is what?
17:50 < solstis> kk....so I guess openvpn-monitor it is
17:51 < solstis> is there a way to just pull it from the management port or something?  like how is openvpn-monitor able to grab that information?
17:54 < solstis> hoping so.  hate to install a web server just to find a hostname of a remote client.
17:59 < solstis> So there is no other way to get the hostname of the remote connecting client other than using openvpn-monitor?
18:02 <@dazo> solstis: ehm .... you can do exactly the same openvpn-monitor does, but you'll need to write the proper tool if you don't find anything else
18:02 <@dazo> solstis: btw ... have you looked into --status? probably use --status-version 3 (or 2)
18:05 < solstis> I've tried status 3, 4 and 5.  I'll try 2 and see what happens.
18:05 <@dazo> well ... 4 and 5 does not exist
18:05 <@dazo> !man
18:05 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
18:06 < solstis> sry was thinking log level at first
18:07 <@dazo> --status-version 3 with --status /var/lib/openvpn/status 10 .... that will update that file every 10 seconds, with a fair amount of details
18:07 <@dazo> if you require less details, try --status-version 2 instead
18:08 < solstis> thanks a lot.  trying all this now.
18:13 < solstis> status-level 2 and 3 gave more info, but no hostname or anything of the client to help me figure out who is who.
18:13 <@dazo> can you pastebin an example?
18:16 < solstis> https://pastebin.com/B4uJskWj     I put 999.999.999.999 for the IP to mask it.
18:17 < solstis> this is from status-level 2
18:18 <@dazo> solstis: the CLIENT_LIST records are a unique record per connected client ... debcloud1 is the common name of the client.  And the Virtual Address column keeps the VPN IP address of the client
18:19 < solstis> I am using the same cert for 3 clients.
18:19 <@dazo> duh
18:19 < solstis> so i guess that's my main issue
18:19 <@dazo> well, that's just stupid
18:19 < solstis> true
18:19 < solstis> but it's 3 computers for clients and no more so figured can use same one
18:20 < solstis> but learning is a must.  lol
18:20 < solstis> i'll create more certs.   next is learning how to manage all of them.
18:20 < solstis> appreciate the help.  at least it got me to next step.
18:21 <@dazo> curl -q https://pastebin.com/raw/B4uJskWj 2>/dev/null | awk -F, '/^CLIENT_LIST,/{ print $2, $4 }'
18:21 <@dazo> that's a very simple way to extract client name and VPN IP address
18:22 <@dazo> solstis: look at XCA for a nice GUI tool for CA management
18:24 < solstis> xca seems nice.  i'll read up on that.
18:24 < solstis> was thinking vpn certs where like ssh key, but way different.  that was my issue.
18:28 <@dazo> well, far down under the hood ... they are somewhat similar .... but it CAs are far more advanced
18:29 <@dazo> A certificate is a public key bundled with some meta data (Common Name, date fields, issues references, usage restrictions, etc) and a cryptographic signature created by a CA
18:30 <@dazo> In SSH context, the authorized_key is the public key.  The known_host is kind of a manually managed CA, which the servers public key is tested against
18:30 <@dazo> but with CA's ... the verification happens automatically, as you need a copy of the CA certificate on the clients and servers ... that is used to validate the signature in the client and server certificates
18:31 <@dazo> and openvpn checks that the certificates is signed by the same CA which is provided in the --ca file
18:36 < solstis> I can rename *.ovpn files and it doesn't mess with authentication does it?
18:36 < solstis> made 3 new certs but want to rename ovpn more descriptive
18:36 <@dazo> that's right ... .ovpn/.conf files are just configuration files
18:37 <@dazo> OpenVPN doesn't report the file name anywhere .... the identity of clients and servers is extracted from the certificate
18:37 < solstis> working great now.  I make the cert names the name of the hostname and now can find it.  :)
18:37 < solstis> thanks again.  saved me 10 hours of more googling
18:38 <@dazo> just one word of caution ... do *not* save the CA files on your server or clients available on the internet
18:38 <@dazo> the server only needs: ca.crt, server.key, server.crt and dh*.pem
18:38 <@dazo> the client only needs: ca.crt, client.key and client.crt
18:38 < solstis> kk i'll send to local PC and put on a thumb drive.  I've read about that somewhere and looking for it again.
18:39 <@dazo> great!
18:44 < solstis> well next part is trying to access the web gui of syncthing.  So I have 2 computers connected to digitalocean VPN.  I have a debian box and windows box.  I can putty into 10.8.0.2 but can't https://10.8.0.2:8384   I can get to GUI using https://192.168.2.11:8384 so I know GUI is working.
18:45 < solstis> write this better:  I can putty from my Windows box connected to VPN into debian box, but can't get to web GUI via VPN.  But can locally.
18:48 <@dazo> that's probably firewalling or routing
18:49 < solstis> ya..nevermind.  just found the route.  :)
--- Day changed Wed Jun 28 2017
02:47 < Ast001> Hi I have problem with openvpn, when my raspberry pi lose link for 2-4 seconds (link down in /var/log/messages) openvpn stop to work. When link up it is not connecting unless I reboot rpi. Is there any way to tell openvpn client to restart itself after link down after 4-5 seconds ?
03:50 <+hyper_ch> Ast001 already left... wanted to suggest something like monit
04:01 <@dazo> sounds more like a borken config ... my openvpn clients reconnects automatically
05:09 <+hyper_ch> dazo: that as well :)
06:29 < htafdresgi> my clients can't form connections with anything on the openvpn network
06:30 < htafdresgi> I can nmap them okay, and even telnet, but can't for instance visit a website hosted on a local machine, nor ssh
07:40 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 255 seconds]
07:41 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
07:41 -!- mode/#openvpn [+v RBecker] by ChanServ
07:52 <@dazo> htafdresgi: can you telnet to port 80 or run 'openssl s_client -connect $IP:443' to the web server over the VPN?
07:52 < htafdresgi> yes I can telnet to port 80
07:54 <@dazo> htafdresgi: do you telnet using hostname or iP?
07:55 < htafdresgi> ip
07:55 <@dazo> and when you use the webbrowser ... do you use IP or hostname?
07:55 < htafdresgi> ip
07:56 <@dazo> okay, then you need to check if you have some proxy settings ... if you can from the same host telnet but not use the webbrowser, it is a webbrowser issue
07:57 < htafdresgi> what about ssh?
07:57 < htafdresgi> I tried multiple browsers, including lynx
07:57 < htafdresgi> no proxy settings
07:57 <@dazo> then your telnet test is flawed
07:59 <@dazo> so then it is the typical issues ... a) no IP forward enabled,  b) incorrect routing,   c) firewalling
07:59 < Murda> Should I always generate new CA when i create client's certificate?
08:00 <@dazo> Murda: No, that would remove the connectivity for the existing clients
08:00 <@dazo> Murda: just create a new client certificate, copy the client.key, client.crt and ca.crt securely (over an encrypted channel if using network!) to the client ... and connect
08:01 < htafdresgi> so I think it might be incorrect routing, not sure though
08:01 < Murda> dazo, So I should use same ca.crt and ca.key for both server and Every client that I create?
08:01 < htafdresgi> yep
08:02 < temuccio> hello, I have a 3 pc connected with openvpn at one server
08:02 < daemon> hey all is anyone aware of a VPN service that offers RoutedLan
08:02 <@dazo> Murda: Yes, that is how PKI is designed to work.  The CA key should never ever be stored on host accessible over Internet (like the VPN server).  That is the most sacred file you'll probably ever going to touch
08:02 < daemon> for if I wanted to push my lan through them from a gateway
08:02 < temuccio> I have used the interface TAP for share bonjour protocol
08:03 < temuccio> but how I can add at this network a Iphone? Openvpn on this phone doesn't support TAP interface
08:03 < Murda> dazo: I only had ca.crt, but easy-rsa required me to have a .key for this.
08:03 <@dazo> Murda: The CA key is used to sign the client and server certificates.  And the CA certificate (which is distributed to servers and clients) is used to validate the signature of the certificate on the remote end
08:03 < temuccio> I need that the Iphone dialog with bojour with tic PC
08:03 < temuccio> *this
08:03 < temuccio> do you can help me?
08:03 <@dazo> Murda: if you have lost the CA key ... then you need to start all over again, and issue new certificate to all servers and clients
08:04 <@dazo> temuccio: TAP is not possible on iOS and Android.  That's how those OSes are designed to work with VPNs
08:04 <@dazo> daemon: have a look at PrivateTunnel, I believe there might be something there
08:04 < daemon> dazo, cheers
08:06 < temuccio> dazo, and it is not possible for my ios to see remote pc via bonjour?
08:07 <@dazo> temuccio: probably need to look at mdns proxying ... bonjour is Apples name for the mDNS discovery protocol
08:08 < temuccio> dazo, in this case I can use TUN with iphone?
08:08 <@dazo> yes ... and you have no other option than TUN on iOS/Android
08:08 <@dazo> it is TUN or nothing
08:09 < temuccio> ok dazo, thanks
08:20 < asdfasdf> Hi, is there any GUI to openvpn client?
08:13 <@ecrist> for Windows, yes
08:14 <@dazo> asdfasdf: which OS?
08:14 < asdfasdf> ubuntu
08:14 <@dazo> ecrist: I'd claim there is a GUI for all OSes :)
08:14 < asdfasdf> I'm using OAST, but didn't like it much
08:14 <@dazo> asdfasdf: NetworkManager have an openvpn plugin which usually works reasonably well these days
08:15 < asdfasdf> @dazo, thanks, I'm going lookup for it
08:16 <@dazo> I've actually never heard of OAST until today
08:17 < asdfasdf> @dazo, well, here it is, https://sourceforge.net/projects/oast/
08:18 <@dazo> yeah, I found it ... I see the last public SVN commit was 3-4 years ago ... and is still on jre-1.7 ... so that might be an indication
08:20 -!- asdfasdf is now known as Barones
08:27 < Barones> @dazo, thanks, the network manager worked like a charm, all I had to do was import the vpn file
08:46 < andre144k> hi all - i created an openvpn server/client...  when i started the server i get my tun0 - device, but wen i start the client it dont create the tun device...
08:46 < andre144k> here my configs on debian9 (server/client) : https://nopaste.xyz/?8993ebc71e9499bb#tcOvbv4IUHAEvk/vTalOhr6pOYIR0Dys8tuNiZYIN8g=
08:47 <+hyper_ch> you created an openvpn server/client? oO
08:48 < andre144k> one pc as server
08:48 < andre144k> another as client
08:49 <+hyper_ch> you mean you installed on server and client?
08:49 <+hyper_ch> !configs
08:49 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:55 < andre144k> when im starting on client:  "openvpn --config /etc/openvpn/client.conf" it seems to work well - i get at last "Initialization Sequence Completed" - i dnt see errors. on servverside it seems to be client will get a correct ip-adress (eg 10.8.0.6):  client001/192.168.10.81:1194 MULTI: primary virtual IP for client001/192.168.10.81:1194: 10.8.0.6
08:58 < andre144k> but cant ping this address from server-side, and on client-side no tun device
08:59 < andre144k> on client-side i got this msg:  [server] Inactivity timeout (--ping-restart), restarting  - so the connection must be already there...
09:38 -!- indy_ is now known as indy
09:57 -!- dionysus70 is now known as dionysus69
09:58 < andre144k> founded the problem - need option "client" inside client-config...
10:07 < TotallyNotKim> ayy. I failed to replace an certificate in time, which now is expired. I'm looking into the simplest way to solve this. Is it possible to temporary accept expired certificates, so I can use the vpn to swap the cert out?
10:32 < blackpenguin> TotallyNotKim: happened after you updated openvpn? as I found a similar problem with my network but was pretty sure it's not expired, so I downgraded the server again and it worked. (your case might be different, just thought I mention as that happened today)
13:21 <@dazo> TotallyNotKim: the easiest way out of that mess ... is to issue a new certificate
13:22 <@dazo> blackpenguin: sounds like you have an expired CRL file
13:23 <@dazo> blackpenguin: OpenVPN v2.4 is using the CRL parser inside the SSL/TLS libraries .... in v2.3 and earlier, the CRL parsing was done by OpenVPN's internal and more sloppy parser which accepted anything which looked like a CRL file - regardless if it was valid or even issued by the proper CA
13:58 -!- dionysus70 is now known as dionysus69
14:01 < cyberanger> dazo: Nice to know about the CRL parser change.
14:03 <@dazo> well, if you read up on the Changes.rst we provide, it shouldn't come as such a big surprise ... https://github.com/OpenVPN/openvpn/blob/v2.4.3/Changes.rst
14:03 <@vpnHelper> Title: openvpn/Changes.rst at v2.4.3 · OpenVPN/openvpn · GitHub (at github.com)
14:05 <@dazo> hmmm ... I see the CRL note have been misplaced under "Deprecated features" .... CRLs are _*not*_ deprecated
14:15 < Eugene> I would argue that is the correct place for it: the internal implementation IS deprecated
14:16 <@dazo> well, technically that is correct.  But from a user perspective, which implementation being used is less important.  The behavioural change this implies is much more important
14:43 < rudi_s> Hi. I'm having an issue with the duplicate-cn option. When my client changes its public IP it also gets a new VPN-IP on reconnect from the server and it seems this new IP isn't pushed to the client because after that no data is sent over the VPN. Only a restart fixes it. Any ideas?
14:44 < rudi_s> (Client 2.4.0-6+deb9u1, Server 2.3.4-5+deb8u2)
14:46 <@dazo> rudi_s: upgrade server to v2.4 ... that will give you the peer-id support which is aimed at solving exactly that issue
14:46 < rudi_s> dazo: Ah, all right. So that's unfixable with that openvpn version?
14:47 <@dazo> yeah, the change is quite intrusive on the server side.  I believe we've added the client-side support for peer-id in 2.3, but not server-side
14:47 <@dazo> http://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
14:47 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
14:47 <@dazo> (since I spotted you use Deb pkgs)
14:48 <@dazo> List of changes ... https://github.com/OpenVPN/openvpn/blob/v2.4.3/Changes.rst
14:48 <@vpnHelper> Title: openvpn/Changes.rst at v2.4.3 · OpenVPN/openvpn · GitHub (at github.com)
14:48 < rudi_s> dazo: Thanks. Do I need a specific 2.4 version or is 2.4.0 enough?
14:50 <@dazo> I'd go for 2.4.3, as it contains 5 CVE fixes .... unless those fixes have been ported to the package you can grab
14:50 < cyberanger> dazo: I do have a habit of skimming, also since my CRL still works despite being depreciated I didn't look into it more at the time. (figured it was old vs new, relying on the libs however is more awesome than I expected)
14:51 <@dazo> cyberanger: well, CRL itself isn't deprecated .... just the horrid old CRL parser in OpenVPN
14:51 < rudi_s> dazo: Good idea, thanks. Will do.
14:52 < rudi_s> Btw. awesome help, thank you!
14:52 <@dazo> yw!
14:55 < cyberanger> dazo: Right, which is why skimming is a bad idea (note to self) and why we sped up our multi factor auth deployment too (win-win)
14:59 < cyberanger> And thank you to the community for your efforts, really glad to see the debian package wasn't abandoned.
15:00 <@dazo> well, that package is not the official Debian packages .... if you want the LTS stable openvpn package, you need to use the Debian package
15:01 <@dazo> the ones we provide are a bit more "bleeding edge" ... but, they are used in production by many though too
15:01 <@dazo> but it is a different build environment than official Deb packages
15:18 -!- r00t^2_ is now known as r00t^2
16:29 < blackpenguin> dazo: thanks, going to check about the CRL then.
17:02 < alphor> !wecp,e
17:02 < alphor> !welcome
17:02 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
17:02 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
17:04 < alphor> !tap
17:04 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the
17:04 <@vpnHelper> protocol uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
17:04 < alphor> !tunortap
17:04 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
17:04 <@vpnHelper> rooted/jailbroken) support only tun
17:43 < SpaceBass> Hey folks - I'm looking to update my DNS server with the hostnames/IPs of remote access OpenVPN clients - anyone know what I should be searching for? I can't find any guides or tips
17:52 < backnforth> Can someone help me get openvpn installed on ubuntu.. I currently get an error when I try to add a vpn on the dropdown menu
18:45 < Eugene> SpaceBass - what? That question doesn't even make any sense.
18:45 < SpaceBass> Eugene, I want OpenVPN clients to get registered with my DNS server
18:47 < Eugene> You want a client's VPN IP address in DNS?
18:47 < Eugene> Easy way: use CCD and set static IPs for your clients based upon their certificate/username/whatever. Put these entries into your DNS zonefile.
18:47 < Eugene> Hard way: Look at --client-connect scripting in the man page
22:00 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:10 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Thu Jun 29 2017
03:43 < TotallyNotKim> dazo: sure, I'll replace it. However stupid wanna be admin on the remote site blocked our "backdoor" incase the vpn fails
03:44 < TotallyNotKim> so I hoped I could get the server to accept the certificate regardless of the expiration date, so I can swap that one out using the vpn
03:44 < TotallyNotKim> looks like it isn't possible, so I'll have to find another way in :d
03:55 < vahe> hi all , help pls https://bpaste.net/show/adac90231ec6
04:01 < TotallyNotKim> you're missing your tun/tap block device
04:02 < TotallyNotKim> mknod /dev/net/tun c 10 200
04:03 < vahe> TotallyNotKim: thanks , what is it and how not to miss?
04:04 < TotallyNotKim> eh
04:04 < TotallyNotKim> RTFM
04:04 < TotallyNotKim> ^
04:04 < TotallyNotKim> https://openvpn.net/tuntap
04:04 <@vpnHelper> Title: TUN/TAP Driver Info (at openvpn.net)
04:08 < TotallyNotKim> well, if tou're just "user" im sorry for you, 'cause the documentation of the Finchvpn thing sucks
04:08 <@ordex> before creating the device manually, make sure you have the tun mode loaded
04:09 < vahe> Thanks, how to test it ?
04:09 < vahe> tun mode loaded or not
04:10 <@ordex> like any other module
04:10 <@ordex> lsmod
04:10 <@ordex> and look for it
04:10 < vahe> aha ok
04:11 < vahe> TotallyNotKim:  thanks,   with Finchvpn  I learn and test :)
04:13 < vahe> ordex: https://bpaste.net/show/6a12b649a674 I think no (
04:13 <@ordex> try loading it
04:14 <@ordex> or maybe you have to compile/install it first
04:14 < vahe> yes i try (
04:49 < jaroslav> !welcome
04:49 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
04:49 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
04:51 < jaroslav> !howto
04:51 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
04:55 < jaroslav> !goal I would like to write my own openvpn client
04:56 < jaroslav> mmmm ;)
04:59 < jaroslav> Hi, so basically, I would like to talk to OpenVPN server programatically. My search-foo is apparently not so great, as I can't find any reference how to do this. Any tips highly appreciated. Thanks!
05:01 < BtbN> I don't think there is "openvpn as a library", you'll have to use the official client
05:03 <@ordex> I agree with BtbN
05:03 < vahe> ordex: https://bpaste.net/show/d1a753cc460d
05:03 <@ordex> jaroslav: you may want to learn how the management interface works and control the client from there (maybe this helps)
05:03 <@ordex> vahe: do you have an openvpn log produced while it was trying to start ?
05:04 <@ordex> if you have added the "log" statement in your config, you should have one
05:04 < jaroslav> ordex: basically, the thing I want to achieve is to connect to server and check if it supports a given cipher (either by trying to use different ciphers one by one, or somehow using the recently introduced cipher negotiation feature)
05:05 < jaroslav> (yes, the purpose is vulnerability scanning)
05:05 < vahe> ordex: https://bpaste.net/show/5ffb744c55b9
05:06 < jaroslav> I'm fine with low level network communication, I can open sockets and read / write binary data; that's fine. I just can't find the reference (of course if everything else fails, I'll just read the source code ;))
05:07 <@ordex> vahe: pretty clear I guess?
05:08 <@ordex> jaroslav: the openvpn protocol on the wire is not formalized in a unique document
05:08 <@ordex> that's why you can't find it
05:08 <@ordex> :P
05:08 < jaroslav> ;)
05:08 <@ordex> I'd suggest to try using the negotiation introduced recently
05:08 <@ordex> why isn't that enough ?
05:09 <@ordex> consider that implementing a full client is not just the initial handshake, but it's handling all the session and the payload data
05:09 < vahe> ordex: this  ca.crt error?
05:09 < vahe> all the problem?
05:09 <@ordex> vahe: the entire log
05:10 <@ordex> you have configured certificates that do not exist on your disk
05:12 < vahe> hand nothing was set up
05:12 < vahe> thanks ordex)  I think it is a bug
05:14 <@ordex> vahe: probably you have not configured your vpn properly ?
05:14 < jaroslav> ordex: yeah, so I think I don't need a full client, just an initial handshake. Basically: anything that allows me to say: "Yes, this server supports cipher X-Y-Z". Negotiation is awesome however: 1) I want to test also older versions, which do not support it, 2) Initially I could start with negotiation; yes, but again, I don't know how to do this without a real openvpn client.
05:16 < vahe> ordex: I did not set up, thought everything is done by the program itself for example in my Debian server it is all configured
05:17 < vahe> I have 2 OS and gentoo and Debian, in Debian it works without problems, gentoo think you will need to calibrate by hand
05:17 <@ordex> vahe: you need to configure your client, otherwise how can it connect to the right server with the right certificates?
05:18 <@ordex> jaroslav: right. you could use openvpn with the management interface to understand when the connection is succesful
05:20 < vahe> ordex: https://bpaste.net/show/fcf868e1f9b6
05:20 <@ordex> vahe: you have an openvpn.conf
05:21 <@ordex> vahe: before launching it with the init script
05:21 <@ordex> I'd suggest to make sure it starts manually, so you can work on your config
05:21 <@ordex> once you have a working config, then you can move to the init script
05:25 < vahe> ordex: I wanted to show you that in Debian it works, but there is no config file
05:25 < vahe> and in gentoo is useful, but not because of the certificates
05:26 <@ordex> vahe: no config on debian? there must be one, otherwise it starts nothing
05:26 < vahe> see
05:26 < vahe> https://bpaste.net/show/fcf868e1f9b6
05:26 < vahe> only update-resolv-conf
05:27 < vahe> but when I tried this openvpn server and has worked without problems
05:28 < vahe> and now, in turn , try to start in gentoo which has the configs but will not start due to certificate
05:28 < vahe> lol
05:28 < vahe> I can add certificates but I think this is a bug, gentoo
05:28 <@ordex> vahe: what does it mean that on debian "worked without problems" ?
05:29 <@ordex> did you manage to connect to the debian server using another client ?
05:30 <@ordex> openvpn cannot start without a proper configuration, regardless of the distribution
05:31 < vahe> ordex: https://bpaste.net/show/0d66ce0a8810 debian
05:31 < vahe> I launched without problems
05:31 <@ordex> vahe: are you kidding me ? :D
05:31 <@ordex> # openvpn FinchVPN_FREE_03_Canada_udp_8484_linux.ovpn  <<< first line
05:31 <@ordex> FinchVPN_FREE_03_Canada_udp_8484_linux.ovpn <<< configuration file
05:31 <@ordex> you are specifying one
05:32 <@ordex> you can do the same with gentoo if you have a proper config file
05:33 < vahe> ordex: https://bpaste.net/show/adac90231ec6
05:33 < vahe> gentoo
05:33 < vahe> I really don't know what's going on
05:34 <@ordex> vahe: it is written there
05:34 <@ordex> Thu Jun 29 12:56:53 2017 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
05:34 <@ordex> did you load the tun module as we discussed before ?
05:34 < vahe> ordex: I couldn't
05:35 <@ordex> why not ?
05:35 <@ordex> if that's missing, openvpn can't work
05:35 <@ordex> vahe: ^
05:36 < vahe> I don't know how)
05:36 <@ordex> tried to google on how to load a module in linux ?
05:37 < vahe> ordex: I'm talking with the admin
05:38 < vahe> now I will try to include
05:38 <@ordex> ok
05:44 < vahe> ordex: still have not answered me, can you tell me how can I generate certificates for openvpn ?
05:44 < vahe> and thank you for your help)
05:46 <@ordex> vahe: I'd suggest to read on the wiki. I can't remember by heart. but if you already have a server running, the server admin should provide the certificates
05:46 <@ordex> actually they may also be embedded in the configuration file he gave you (likely)
05:47 < vahe> ah ok thanks ordex
05:48 <@ordex> vahe: search for asyrsa
05:48 <@ordex> *easyrsa
05:48 <@ordex> if you want to create your own certificates, but really this is done by the server admin, not the client user
05:48 < vahe> aha ok thanks again
05:49 <@ordex> np
07:08 -!- dionysus70 is now known as dionysus69
07:43 < temuccio> Hello all...I try to connect my android phone at my server box via openvpn...The connection works and the device ping
07:44 < temuccio> now I can go on internet with my android (client) via VPN, and I have this error on chrome:
07:44 < temuccio> ERR_NETWORK_CHANGED
07:44 < temuccio> how I can solve it?
07:44 < temuccio> I have enable ipv4 forwarding
07:44 < temuccio> and the row in iptables
07:46 < temuccio> in the client I need to push a route?
07:51 < temuccio> I have try via opera mini browser and the problem it's the same
08:03 < temuccio> ok I have connected another remote client to my server
08:03 < temuccio> the comunication between vpn works
08:03 < temuccio> but remote client doesn't go on internet
08:59 < zx2c4> I just got a shipment of 2000 more WireGuard stickers if anybody wants me to mail them some (for free!)
08:59 <@ordex> zx2c4: would you ship everywhere ? :P
09:00 < zx2c4> ordex: i think so?
09:00 < zx2c4> maybe not out of planet earth
09:01 < temuccio> hello ordex, do you can help me with my expirience with openvpn???
09:01 <@ordex> temuccio: I don't know what ERR_NETWORK_CHANGED means, sorry
09:02 < temuccio> ordex, but on linux client why I can't navigate?
09:02 < temuccio> Suppose that have one client and one server
09:02 < temuccio> the dialog between client/server works
09:02 < temuccio> but client doesn't connection in internet
09:03 <@ordex> do you use redirect-gateway on the client ?
09:03 <@ordex> you can check the man
09:03 <@ordex> !redirect
09:03 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
09:03 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
09:03 <@ordex> temuccio: ^^^ read this above too
09:03 < temuccio> ok thanks
09:03 < temuccio> i verify
09:04 <@ordex> np
09:15 < oxagast> anyone know what a PID_ERR large diff SSL-6 READ decrypt error: bad packet ID is in openvpn server logs?
09:19 < oxagast> note: the VPN works fine it seems, but i just get a whole slew of errors filling up logs on the server
09:20 < temuccio> ordex, I have verify and I have redirect-gateway on server, i have enable ipforward and I have iptables nat rule, but doesn't works
09:21 <@ordex> "redirect-gateway on server" << it should be configured on the client
09:21 <@ordex> or pushed by the server
09:21 < temuccio> on server, with tcpdump -i tun0 I how the request from client
09:22 < temuccio> Tes I have push on the server
09:23 <@ordex> have you checked if the routing table on the linux client gets configured properly ?
09:23 <@ordex> btw
09:23 <@ordex> just to be sure, please fllow this:
09:23 <@ordex> !configs
09:23 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
09:24 < temuccio> !paste
09:24 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee
09:24 <@vpnHelper> is also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
09:27 < temuccio> this is for the server: https://paste.fedoraproject.org/paste/YQmqkZiMMVENvcj7jS3W1g
09:29 < temuccio> this is for the client: https://paste.fedoraproject.org/paste/xlOqpjQEiJ09~DCZI~j4TQ
09:30 <@ordex> temuccio: it seems correct
09:31 <@ordex> temuccio: could you please paste the output of "ip route" on the client after starting the VPN, please?
09:31 < temuccio> ok
09:31 <@ordex> temuccio: btw you should use GCM instead of CBC
09:31 <@ordex> :)
09:32 < temuccio> this is ip route on client
09:32 < temuccio> https://paste.fedoraproject.org/paste/1cSenavrFdsG7q60A21NOA
09:33 <@ordex> temuccio: the client seems well configured. then the problem must be on the server :P
09:34 <@ordex> sysctl net.ipv4.ip_forward
09:34 <@ordex> on the server gives you 1 ?
09:35 < temuccio> no, it is 0 but I have set it to 1
09:35 < temuccio> grrrr
09:35 <@ordex> where did you set it ?
09:35 <@ordex> in the sysctl.conf file ?
09:35 <@ordex> you can do: sysctl -w net.ipv4.ip_forward=1
09:35 <@ordex> to set it to 1 NOW
09:35 < temuccio> yes edit sysctl.conf
09:35 <@ordex> if you have changed it in sysctl.conf, it will be persistent across reboots
09:36 <@ordex> yeah that is read upon boot or when you restart some service (can't rmember which one)
09:36 < temuccio> ok, now it's 1
09:36 <@ordex> ok
09:36 <@ordex> can you ping something random like 8.8.8.8 fromthe client now ?
09:36 < temuccio> now works
09:37 < temuccio> :/
09:37 <@ordex> does it ?
09:37 <@ordex> cool :)
09:37 <@ordex> !ipforward
09:38 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
09:38 <@ordex> !linipforward
09:38 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
09:38 <@ordex> you should have asked vpnHelper :P
09:38 < temuccio> and works also fron android
09:38 <@ordex> he knew the answer!
09:38 < temuccio> thanks
09:39 <@ordex> np
09:39 < temuccio> the next step for me is create a server dns on server openvpn can make a domain exploring with bonjours
09:40 < temuccio> thanks ordex, I try to reboot the server to verify it's works :D
09:40 < temuccio> the store of ipfoward
09:40 <@ordex> yup
09:40 <@ordex> np
09:41 < temuccio> If you are agree, I deactive the paste on fedora
09:41 <@ordex> sure please do
10:58 < roasted> hi friends
10:59 < roasted> my openvpn suddenly stopped working. I was on 443 UDP. Switched to 443 TCP, now it works. Has anybody else seen this? Despite comcast claiming 'no' I've heard some reports of them blocking inbound UDP traffic recently.
11:04 < libertas> hi, trying to setup a OpenVPN server in a LXC container.  # openvpn --config /etc/openvpn/openvpn.conf --verb 11
11:04 < libertas> returns nothing
11:08 < libertas> from /var/log/openvpn.log
11:08 < libertas> ERROR: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (e
11:08 < libertas> rrno=13)
11:08 < libertas> the LXC container is Alpine and the host is Ubuntu server 16.04
11:09 < libertas> As there was no /dev/net/tun, I created using mknod /dev/net/tun c 10 200
11:09 < libertas> chmod 600 /dev/net/tun
11:09 < libertas> and then mounted it to LXC container with rbind option
11:10 < libertas> In container # ls -l /dev/net/
11:10 < libertas> crw-------    1 nobody   nobody     10, 200 Jun 29 14:27 tun
11:10 < libertas> so, what should I do?
11:20 < libertas> did a chmod 0666 in the host /dev/net/tun and it's working on the guest now, but don't know how secure is this option
11:21 < skyroveRR> tun is owned by root..
11:53 < DArqueBishop> roasted: my best suggestion would be to check your firewall. I'm on Comcast right now, using UDP, and can connect fine.
11:58 < BtbN> Don't use 443 udp, that might confuse some firewalls
12:16 < roasted> DArqueBishop: thanks, I got it to work on 443/UDP
12:17 < roasted> BtbN: I keep the thought of 443/TCP in my back pocket, though 443/UDP was significantly faster than 443/TCP when I was testing.
12:17 < BtbN> tcp is bad, yes
14:20 < kalipso> i have trouble setting up openvpn. i get "TLS Error: cannot locate HMAC in incoming packet from [AF_INET]xxx.xxx.xxx.xxx" on serverside when starting the client
14:20 < kalipso> on both server and client side i have an ta.key (same file) inside the openvpn folder
14:24 < kalipso> i have a statefull firewall on both ends. on serverside i accept udp on port 1194, on client side i changed nothing, do i have to add a rule here?
14:38 < rek> hello guyi'm running OpenVPN 2.3.2 x86_64-pc-linux-gnu i get the message:  TLS key negotiation failed to occur within 60 seconds (check your network connectivity) what do you think? The remote directive in the client config is the name of the server,i opened the udp port of the router i specified in the server.conf, i think i should manage iptables
14:42 < rek> i used cipher BF-CBC , if i issue openvpn --show-ciphers i don't see that kind of cipher, did they remove it? i'll use AES then
15:01 < Protected> Hello. Have a weird? issue here with ipv6 someone here might be able to help me with (my setup might be fundamentally flawed)
15:02 < Protected> I have a server running openvpn. ipv4 is fine. eth0 has an ipv6 address and tun0 has another one. My problem is that the server seems to be trying to send all traffic as the IP assigned to tun0 and I can't figure out why.
15:02 < Protected> Both addresses are in the server's public ipv6 block
15:02 < Protected> If I remove the ipv6 address from the tun0 interface, ipv6 will work normally
15:02 < kalipso> guys is openvpn checking the timezone the certs where created in? cause my error is caused by having the certs created in another timezone, now error is "certs not yet valid"
15:03 < Protected> Sorry, if this wasn't clear, even traffic originating from the server itself, having nothing to do with the vpn, is sent to eth0 under the ipv6 address assigned to tun0.
15:03 < Protected> No client connection is necessary for reproducing this issue
15:05 < rudi_s> Protected: What does ip r g $sometargetip say?
15:06 < rudi_s> Does it use the "wrong" IP?
15:06 < Protected> I'm using a google dns server as a remote targetfor testing
15:07 < Protected> 2001:4860:4860::8888 from :: via 2001:1af8:4700:a018::1 dev eth0  src 2001:1af8:4700:a018:1111::a01  metric 0\n    cache
15:07 < Protected> Where a01 is the tun0 address
15:08 < Protected> I understand the problem in theory, but I have no idea why it exists (or how to solve it)
15:08 < Protected> The address is being assigned to the interface by openvpn from the config file
15:10 < rudi_s> Protected: I'm a little confused because the IP source address selection should prefer the address of the interface.
15:11 < Protected> Right...
15:11 < rudi_s> http://www.davidc.net/networking/ipv6-source-address-selection-linux
15:11 <@vpnHelper> Title: IPv6 Source Address Selection on Linux | davidc.net (at www.davidc.net)
15:12 < Protected> What is a deprecated address, rudi_s?
15:12 < rudi_s> It would be interesting what happens if you mark the VPN IP as deprecated - but I'm not sure how that affects the VPN interface.
15:12 < Protected> The thing is
15:12 < rudi_s> An address with prefered_lft (lifetime) 0.
15:12 < Protected> eth0's address *is* marked as deprecated. It has always been. I have no idea why
15:13 < rudi_s> Oh. Then that's the issue.
15:13 < Protected> Right, sounds like it!
15:13 < Protected> Can I... undeprecate it?
15:13 < Protected> Oh, bottom of the article
15:14 < Protected> Fixed it!
15:15 < Protected> Thanks a lot, rudi_s
15:15 < rudi_s> np
15:16 < rek> i found out...it's due to iptables and the bridge script
15:19 -!- Poster|y is now known as Poster
16:17 < _ADN_> Hi Guys
16:17 < _ADN_> the crl.pem file gets expired normally quiet soon 3 month
16:17 < _ADN_> and if the server is restarted then there is a problem
16:17 < _ADN_> is there a way to extended that period?
16:18 <@dazo> _ADN_: yes, you set the CRL expiry in your CA configuration
16:19 <@dazo> _ADN_: if using easy-rsa, that's more commonly in the openssl.cnf file
16:20 < _ADN_> default_crl_days= 30
16:20 < _ADN_> yes foound it
16:20 < _ADN_> just change that to the desire days
16:20 < _ADN_> thx dazo
16:21 <@dazo> yw!
16:27 < Snoww> hi here
16:27 <@dazo> !welcome
16:27 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
16:27 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
16:30 < Snoww> Just a question guys,
16:30 < Snoww> if someone could help me :P
16:30 <@dazo> !ask
16:30 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
16:31 < Snoww> i have the same issue as mentionned here : https://forums.openvpn.net/viewtopic.php?f=33&t=24051
16:31 <@vpnHelper> Title: Android client connecting to my personal OpenVPN server, but not updating IP. - OpenVPN Support Forum (at forums.openvpn.net)
16:32 <@dazo> Snoww: have you tried "OpenVPN for Android"?
16:32 < Snoww> yes
16:32 <@dazo> Which Android version?
16:33 < Snoww> 7.1.1
16:33 <@dazo> plaisthos: known issue? ^^^^
16:34 <@dazo> krzee: ^^^^
16:34 < Snoww> (i use the same config on windows, and it works fine)
16:35 <@dazo> Snoww: plaisthos is the "OpenVPN for Android" developer ... his answer is trustworthy, but might be too late for him now (it's soon midnight in his time zone)
16:36 < Snoww> i see :)
16:36 <@dazo> and krzee just often seems to catch up and remember all these various issues :-P
16:36 < Snoww> I'll try to come back later on tomorrow
16:36 < Snoww> ho,
16:36 < Snoww> is it a known issue ?
16:37 <@dazo> I wonder if it is related to Nougat though .... since both OpenVPN Connect and OpenVPN for Android have the same issue .... their code base is very different, so it might be an indication of something ... but need to hear from plaisthos to be 100% sure
16:38 < Snoww> ok
16:39 < Snoww> i could try on a SGS6 with an older version of Andriod, just to try...
16:39 < Snoww> just to see if it could be related to such a latest version of Android...
16:41 <@dazo> that would make sense, yes
16:53 < rek> https://help.ubuntu.com/community/OpenVPN  what is /etc/openvpn/up.sh script doing for me? I created it... but i didn't see this in the official documentation of openvpn
16:53 <@vpnHelper> Title: OpenVPN - Community Help Wiki (at help.ubuntu.com)
17:16 < Snoww> re
17:16 < Snoww> I tried with an Android 6.0.1 but it leads to the same problem
21:02 < Hink> I'm having extremely slow DNS resolution after having updated Windows to the creators update. I've read through the forums and others are complaining about the same issue but I'm not really understanding if there's currently any definitive solution to fix the problem.
21:44 < Abbott> I upgraded from debian jessie to debian stretch and now I can no longer connect to local services on the openvpn server from vpn clients
21:45 < Abbott> I noticed that sysctl net.ipv4.ip_forward was set to 0, so I've changed that back, but I don't know what else I would have to check, as the configs for openvpn shouldn't have changed
21:55 -!- Abbott` is now known as Abbott
22:00 < neoweb> Does the openvpn access server allow for connecting to another server?  IE iroutes and such?
22:00 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:00 < neoweb> I want to build an access server that connects to a bunch of other VPNs and clients can access all networks.
22:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:10 -!- mode/#openvpn [+o syzzer] by ChanServ
22:18 <@ordex> !as
22:18 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
22:18 <@ordex> neoweb: ^^
--- Day changed Fri Jun 30 2017
04:58 < Snoww> Hi
04:58 < Snoww> plaisthos, are you there ?
09:13 < Snoww> plaisthos ?
11:30 <@ecrist> o.O
11:30 <@ecrist> we've hit 300+ users
11:31 -!- Irssi: #openvpn: Total of 309 nicks [9 ops, 0 halfops, 4 voices, 296 normal]
11:43 < kerio> :o
11:43  * kerio golf claps
11:48 -!- Renich_ is now known as Renich
11:58 <@ecrist> kerio: it's just a silly milestone.  when I created this channel, there were only ~20 users.  when I founded ##openvpn, there was only 4 of us.
11:58 < kerio> it's not silly
11:58 < kerio> 300 is a lot of people
11:58 <@ecrist> 295 non-ops
12:11 < theorem> :)
12:12 <+mete> ecrist: do you have any channel stats? many channels had the peak aroung ~2006 or so... nowadays unfortunately not many even knows what irc is ;)
12:12 <+mete> but congrats
12:13 <@ecrist> I have channel logs going back to 2007
12:13 <@ecrist> !ircstats
12:13 <@vpnHelper> "ircstats" is (#1) See http://secure-computing.net/logs/openvpn.html for all-time IRC stats., or (#2) See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats.
12:13 <@ecrist> 2007 is when ##openvpn was founded.
12:13 <@ecrist> 2008 is when we became "official" and dropped one of the #
12:30 <@plaisthos> Snoww: Blame Samsung
12:31 <@plaisthos> When Snoww comes back online:
12:33 <@plaisthos> Snoww: Blame Samsung. If you do not install a 0.0.0.0/0 route on a Samsung Android 6 devices it sometimes ignores VPN routes. I don't have Samsung 7.1 device so no idea if the bug is still there
12:46 <@ecrist> heh, dazo is listed in the stats and being known as 150 different nick names
12:47 <@ecrist> Eugene is in 2nd with 74 nicks
12:47 < Eugene> pisg? It always counts dumb
12:47 -!- mode/#openvpn [+o Eugene] by ChanServ
12:48 <@ecrist> systemd--
12:48 <@ecrist> karma++
12:48 -!- Eugene changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire /topic || Current Release: 2.4.3 (21 June 2017) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || Your problem is probably firewall. Really || TAP/bridging is almost always a bad idea || Vulninfo: !heartbleed !poodle !ovpnuke !sweet32 || 300 user party!
12:48 <@ecrist> yeah, pisg
12:48 -!- mode/#openvpn [+vvvv _0x5eb_ _FBi _fractal_ aasirc] by Eugene
12:48 -!- mode/#openvpn [+vvvv Abbott abra0 aguestuser agustafson] by Eugene
12:48 -!- mode/#openvpn [+vvvv akkad Alesk13 almostworking alphor] by Eugene
12:48 -!- mode/#openvpn [+vvvv Amplificator AndrewAlexMac andy09usa anexit] by Eugene
12:48 -!- mode/#openvpn [+vvvv AnnaRooks APTX arlen arunpyasi] by Eugene
12:48 -!- mode/#openvpn [+vvvv axsuul badpixel baetheus bandroidx] by Eugene
12:48 -!- mode/#openvpn [+vvvv batrick berglh bjoe2k4 blackpenguin] by Eugene
12:48 <@ecrist> heh
12:48 -!- mode/#openvpn [+vv Bock boxmein] by Eugene
12:48 -!- mode/#openvpn [+vvvv bsf BtbN BuildTheRobots caliculk] by Eugene
12:48 -!- mode/#openvpn [+vvvv Captain_Beezay catalase CGML chamunks] by Eugene
12:48 -!- mode/#openvpn [+vvvv chantra CheckYourSix chutzpah clorophormo] by Eugene
12:48 -!- mode/#openvpn [+vvvv Colti computerquip cornfeedhobo cpt-oblivious] by Eugene
12:48 -!- mode/#openvpn [+v crane] by Eugene
12:48 -!- mode/#openvpn [+vvvv ctracey Cubox cyberanger cylon512] by Eugene
12:48 -!- mode/#openvpn [+vvvv czart__ d10n D4rk D5] by Eugene
12:48 -!- mode/#openvpn [+vvvv dakar dan- dan_j DanQuinney] by Eugene
12:49 -!- mode/#openvpn [+vvvv DArqueBishop dave0x6d davimore DeathShot] by Eugene
12:49 -!- mode/#openvpn [+vvvv deetwelve Denial Dev0n direkt] by Eugene
12:49 -!- mode/#openvpn [+vvvv drcode DrMacinyasha DrNo dvl] by Eugene
12:49 -!- mode/#openvpn [+vvvv DzAirmaX e_xistense early Ekho] by Eugene
12:49 -!- mode/#openvpn [+vvvv elricsfate ender| evilgohan2 evilroots] by Eugene
12:49 -!- mode/#openvpn [+vvvv Exagone313 ExoUNX F2Knight Farshid] by Eugene
12:49 <@ecrist> I coulda just added a quick line in the access list and let chanserv do that
12:49 -!- mode/#openvpn [+vvvv freekevin fs0ciety funnel fury_] by Eugene
12:49 -!- mode/#openvpn [+vvvv fyrril gardar gffa gh0st] by Eugene
12:49 -!- mode/#openvpn [+vvvv ghormoon ghoti Gizmokid2005 gthank] by Eugene
12:49 -!- mode/#openvpn [+vvvv gtt guampa HalfEatenPie havoc] by Eugene
12:49 -!- mode/#openvpn [+vvvv Haxxa Hink hiroki hive-mind] by Eugene
12:49 -!- mode/#openvpn [+vvvv Hobbyboy htafdresgi icasdri ikonia] by Eugene
12:49 -!- mode/#openvpn [+vvvv indy infernix iNs iokill] by Eugene
12:49 -!- mode/#openvpn [+vvvv irco jacekowski JackWinter james41382] by Eugene
12:49 -!- mode/#openvpn [+vvvv jaroslav JasonO jesopo jmanfatty] by Eugene
12:49 <@ecrist> Oprah style, you get op, YOU get ap, EVERYONE gets op
12:49 -!- mode/#openvpn [+vvvv jnagro john51 johnny56_ jpwhiting] by Eugene
12:49 -!- mode/#openvpn [+vvvv k-man K1rk kash KCinJP] by Eugene
12:49 <@Eugene> Yeah but this pads the stats
12:49 -!- mode/#openvpn [+vvvv Kelsar kerio ketas Klawfinger] by Eugene
12:49 -!- mode/#openvpn [+vvvv kloeri KNERD krphop lauri] by Eugene
12:49 -!- mode/#openvpn [+vvvv lbft ld50 linear_ lorimer] by Eugene
12:49 -!- mode/#openvpn [+vvvv luckman212 MacGyver madduck madmattco] by Eugene
12:49 -!- mode/#openvpn [+vvvv marcoslater marlinc Matir mcp] by Eugene
12:49 -!- mode/#openvpn [+vvvv meepmeep mefistofeles Meow-J Merixer] by Eugene
12:49 -!- mode/#openvpn [+vvvv mgorbach Mike-- millerti MogDog] by Eugene
12:49 -!- mode/#openvpn [+vvvv Moriarty- moviuro mparisi Mr-Protocol] by Eugene
12:49 -!- mode/#openvpn [+vvvv MrAlexandr0 MrGeneral MrNice mrpops2ko] by Eugene
12:49 -!- mode/#openvpn [+vvv MrR0b07 mrtnt MuffinMedic] by Eugene
12:50 -!- mode/#openvpn [+vvvv n-st navidr nb nbastin] by Eugene
12:50 -!- mode/#openvpn [+vvvv NightMonkey Nik05 nitdega Noldorin] by Eugene
12:50 -!- mode/#openvpn [+vvvv nomad_fr noodle norkle Nothing4You] by Eugene
12:50 -!- mode/#openvpn [+vvvv NP-Hardass obscurehero ohnx olivetree_] by Eugene
12:50 -!- mode/#openvpn [+vvvv Olufunmilayo omnidan OS-16517 oxagast] by Eugene
12:50 -!- mode/#openvpn [+vvvv P4k3 parity patcable Patch] by Eugene
12:50 -!- mode/#openvpn [+vvvv pdobrogost peder peterandre Petfrogg] by Eugene
12:50 -!- mode/#openvpn [+vvvv phreakocious_ piklu Pilfers pitastrudl] by Eugene
12:50 -!- mode/#openvpn [+vvvv pizzaops Poster Poster|z pppingme] by Eugene
12:50 -!- mode/#openvpn [+vvv pwrcycle pythonsnake r00tobo] by Eugene
12:50 -!- mode/#openvpn [+vvvv r00t^2 rany_ ratliff rax-] by Eugene
12:50 -!- mode/#openvpn [+vvvv redrabbit ReimuHakurei Renich ribasushi] by Eugene
12:50 -!- mode/#openvpn [+vvvv RickyB98 riddle roasted rtjure] by Eugene
12:50 -!- mode/#openvpn [+vvvv rudi_s Ryushin sbehrens sbraz] by Eugene
12:50 <@ecrist> ecrist is either insane or just a fair op, kicking a total of 90 people!
12:50 <@ecrist> ecrist's faithful follower, EugeneKay, kicked about 66 people.
12:50 -!- mode/#openvpn [+vvvv SCHAPiE seanBE semitones_ sethkush] by Eugene
12:50 -!- mode/#openvpn [+vvvv shabius ShadniX shio shootbird] by Eugene
12:50 -!- mode/#openvpn [+vvvv sielicki SkinnyMelon skot skyroveRR] by Eugene
12:50 -!- mode/#openvpn [+vvvv Someguy123 someone SoreGums sparx] by Eugene
12:50 -!- mode/#openvpn [+vvvv Spydar007 str4nd stux subo_] by Eugene
12:50 -!- ecrist was kicked from #openvpn by Eugene [Padding stats]
--- Log closed Fri Jun 30 12:50:42 2017
--- Log opened Fri Jun 30 12:50:53 2017
12:50 -!- Irssi: #openvpn: Total of 310 nicks [9 ops, 0 halfops, 268 voices, 33 normal]
12:50 -!- mode/#openvpn [+o ecrist] by ChanServ
12:50 -!- Irssi: Join to #openvpn was synced in 1 secs
12:51 -!- mode/#openvpn [+vvvv u0m3 unholycrab vader- valkyr1e] by Eugene
12:51 -!- mode/#openvpn [+vvvv vamiry Vampire0 varazir varesa] by Eugene
12:51 -!- mode/#openvpn [+vvvv varnent vectr0n Vercas veyper] by Eugene
12:51 -!- mode/#openvpn [+vvvv Virtual war9407 weaksauce WebDawg] by Eugene
12:51 -!- mode/#openvpn [+v webuser5224] by Eugene
12:51 -!- mode/#openvpn [+vvvv whfsdude WhizzWr Willis WinstonSmith] by Eugene
12:51 -!- mode/#openvpn [+vvvv xalice xamindar_ xboner XJR-9] by Eugene
12:51 -!- mode/#openvpn [+vvvv xMopxShell yoavz zamba Zilon] by Eugene
12:51 -!- mode/#openvpn [+vvv zimboboyd zoredache zx2c4] by Eugene
12:51 <@ecrist> [310 nicks (@10 %0 +300 0)]
12:51 -!- mode/#openvpn [+v skizye] by Eugene
12:55 <@ecrist> so, you bumped your status from ~220 to ~521 now
12:55 <@ecrist> nice work.
12:55 <+hyper_ch> so many people have permission to talk... nobody talks
12:56 <+hyper_ch> so, I'll fix the last few things in my script tomorrow :)
12:56 <+hyper_ch> time to enjoy the evening
13:00 <+vectr0n> o0
13:12 -ChanServ:#openvpn- ecrist set flags +V on *!*@*
13:13 <@ecrist> gonne keep chanserv ahead of Eugene 
13:32 -!- mode/#openvpn [+v Altiare] by ChanServ
13:34 <+vectr0n> lol
13:38 -!- mode/#openvpn [+v _ADN_] by ChanServ
13:49 -!- mode/#openvpn [+v whoa] by ChanServ
14:01 -!- mode/#openvpn [+v sz0] by ChanServ
14:05 -!- mode/#openvpn [+v davimore] by ChanServ
14:18 <+theorem> is there a way to get OpenVPN running with SSL VPN without the user-based licensing restrictions ?
14:23 -!- mode/#openvpn [+v Altiare] by ChanServ
14:27 -!- mode/#openvpn [+v ShadniX] by ChanServ
14:28 -!- mode/#openvpn [+v mgorbach] by ChanServ
14:32 -!- mode/#openvpn [+v fractal_] by ChanServ
14:36 -!- mode/#openvpn [+v DArqueBishop] by ChanServ
14:40 <@dazo> I remember joining ##openvpn early in my Red Hat days .... and the transition to #openvpn
14:47 -!- mode/#openvpn [+v rek] by ChanServ
14:48 <+rek> helo everyone is anyone able to assist me to check my server.conf .... bridge and stuff? i'm having a bad time
14:53 <+rudi_s> rek: As always, just ask the precise question and if somebody knows how to help they will answer.
14:57 <+rek> i tried to create a bridged vpn on my server but there must be something wrong i followed: https://help.ubuntu.com/community/OpenVPN this documentation but then i continued with the official documentation on opnvpn site and there's something different for example in the script up and down...
14:57 <@vpnHelper> Title: OpenVPN - Community Help Wiki (at help.ubuntu.com)
15:10 <@dazo> rek: why bridging?
15:11 <@dazo> !blog
15:11 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
15:13 <@dazo> *sigh* ... that Ubuntu post is why I don't consider Ubuntu serious Linux distro ... they jump into one of the most complex openvpn configurations which requires quite some networking skills to debug ... and make it look so easy noobs eat it raw without thinking much about it ... it's a f***ing brain dead attitude by the Ubuntu community  </rant>
15:15 <+rek> dazo well initially i found this guide and i followed it
15:15 <@dazo> exactly .... and hence our !blog
15:15 <@dazo> !blog
15:15 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
15:15 <+rek> then it's cool to have the ip on the server's subnet it's cool... and it's like i'm there in my server's network
15:15 <@dazo> rek: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
15:16 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
15:16 <+rek> you know
15:16 <@dazo> rek: it's not cool ... it's actually a massive degrade of the VPN tunnel performance ... especially when you have more clients on VPN and LAN starting to broadcast ... like mDNS/Bonjour/zeroconf
15:17 <@dazo> tap mode has its use cases ... bridged tap mode too ... but I've been here since 2008 .... IIRC, I have experience 2-3 times where a bridge setup was the proper solution
15:18 <@dazo> for the rest, routed LAN is absolutely the right solution
15:18 <@dazo> http://community.openvpn.net/openvpn/wiki/BridgingAndRouting
15:19 <+rek> uhm so you want me to ...use a routed vpn
15:20 <+DArqueBishop> rek: do you need a bridged VPN?
15:20 <+rek> but i will not have the ip address in the same network=
15:20 <@dazo> routed tun mode over UDP is the best performing VPN setup you can get, as long as UDP traffic isn't blocked/stopped through ugly NAT firewalls
15:20 <@dazo> rek: why do you need that?
15:23 <@dazo> people insisting on bridged setup without a proper reason ... is comparable to buying this Fiat to drive on the Autobahn with no speed limits in Germany: http://3.bp.blogspot.com/-fhokMFzHpHs/UcHEBBXh4GI/AAAAAAAABVA/NnjoyebTa7Q/s1600/fiat+tractor+640+cond.jpg
15:24 <+rek> i read in a bridged vpn i can have the ip adresses in the same network on the server this is noticable isn't it?
15:25 <@dazo> nope, that's completely unnecessary ... that have actually never been a real reason for bridged network
15:25 <@dazo> (being on the same broadcast domain is, if you depend on software requiring that)
15:25 <+rek> ok so let's do a routed vpn ..the first step is to delete the br0 interface i guess
15:25 <@dazo> yupp
15:26 <@dazo> and read the "Getting started with OpenVPN" guide .... it's comprehensive, but tries to describe each option used and why you need it
15:26 <+mefistofeles> dazo: nice Fiat btw
15:27 <@dazo> hehe, I thought some of you guys here would appreciate that one :)
15:28 <+rek> ah...first of all... i didn't put a second NIC on my server in my office... i think the best should be.... eth0---internet and eth1 for internal lan or something like that however can we go on also with one nic?
15:28 <@dazo> nope ... not needed
15:28 <+rek> i'd like a fiatcoupe 20v turbo
15:28 <@dazo> the tun/tap adapters behaves like virtual network cards
15:32 <+rek> https://pastebin.com/j4TZfiMe my /etc/network/interfaces
15:33 <@dazo> rek: I dunno the details of that config format ... you should revert the bridge setup .... and I have no idea where you started
15:33 <@dazo> I can do some guessing .... but that might explode as well.
15:33 <+rek> tell me i'm listening on dazo1194 port lol
15:34 <@dazo> My guess would be to change br0 to eth0 ... and remove line 11 and 14-16
15:35 <+rek> yes now i modify my interfaces files then we need to remove the tap device
15:36 <@dazo> how did you create that tap device?
15:49 <+rek> https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html#linuxscript with this code now i managed to delete it...putting it down
15:49 <@vpnHelper> Title: Ethernet Bridging (at openvpn.net)
15:50 <@dazo> okay ... openvpn --rmtun tap0  (or whatever your tap device is named)
15:54 <+rek> i removed with brctl or something
15:55 <+rek> ok i'm pretty ready now
16:00 -!- mode/#openvpn [+v DArqueBishop] by ChanServ
16:03 -!- mode/#openvpn [+v DArqueBishop] by ChanServ
16:18 -!- mode/#openvpn [+v whoa] by ChanServ
16:26 -!- mode/#openvpn [+v NightMonkey] by ChanServ
16:37 -!- mode/#openvpn [+v _ADN_] by ChanServ
16:53 -!- mode/#openvpn [+v Ryushin] by ChanServ
17:00 <+rek> in ubuntu 14.04 i don't have systemctl how can i run $sudo systemctl start openvpn@server ?
17:03 <+rek> sudo /etc/init.d/openvpn restart
17:03 <+rek> i did this but i didn't specify my config file i have one tough
17:24 -!- mode/#openvpn [+v Ryushin] by ChanServ
17:29 -!- mode/#openvpn [+v bed7] by ChanServ
18:04 -!- mode/#openvpn [+v webuser5224] by ChanServ
18:09 -!- mode/#openvpn [+v skizye] by ChanServ
18:28 -!- mode/#openvpn [+v Bock] by ChanServ
18:35 -!- mode/#openvpn [+v Ryushin] by ChanServ
19:10 -!- mode/#openvpn [+v davimore] by ChanServ
19:19 -!- ServerMode/#openvpn [+v aguestuser] by barjavel.freenode.net
19:50 -!- mode/#openvpn [+v bed1] by ChanServ
20:02 -!- mode/#openvpn [+v aguestuser] by ChanServ
20:04 -!- mode/#openvpn [+v bed7] by ChanServ
20:19 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
20:40 -!- mode/#openvpn [+v webuser5224] by ChanServ
20:48 -!- mode/#openvpn [+v aguestuser] by ChanServ
21:12 -!- mode/#openvpn [+v subo] by ChanServ
21:45 -!- mode/#openvpn [+v ReimuHakurei] by ChanServ
22:02 -!- mode/#openvpn [+v ReimuHakurei] by ChanServ
23:39 -!- mode/#openvpn [+v shootbird] by ChanServ
23:48 -!- mode/#openvpn [+v ShadniX] by ChanServ
23:54 -!- mode/#openvpn [+v Kolas] by ChanServ
--- Day changed Sat Jul 01 2017
00:06 -!- mode/#openvpn [+v fnlkj] by ChanServ
00:27 -!- mode/#openvpn [+v shootbird] by ChanServ
00:51 -!- mode/#openvpn [+v Ryushin] by ChanServ
01:21 <+skyroveRR> Morning
01:22 <+skyroveRR> !ovpnuke
01:22 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
01:31 -!- mode/#openvpn [+v navidr] by ChanServ
01:42 -!- mode/#openvpn [+v tunekey] by ChanServ
02:12 -!- mode/#openvpn [+v gffa] by ChanServ
02:43 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
03:05 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
03:37 -!- mode/#openvpn [+v dionysus69] by ChanServ
03:54 -!- mode/#openvpn [+v axsuul] by ChanServ
04:09 -!- mode/#openvpn [+v lg188] by ChanServ
04:09 <+lg188> Good morning
04:11 <+lg188> I was wondering if there's anything like the Access Server that's free?
04:25 -!- mode/#openvpn [+v F14W3D] by ChanServ
04:28 <+F14W3D> Hello! is there any plan to release openvpn 2.4.3 raspbian package?
04:29 <@ordex> F14W3D: that's not something the openvpn community does directly, but more the raspbian maintainer/package maintainer
04:32 <+F14W3D> ordex: hmmm ok ... will ask in raspbian channel then ... I am actually supporting pivpn project, and there are a significant number of users willing to have v 2.4.3 ... and having the script to compile from source is not a good ideia since pivpn is used for a  lot of linux newbies ..
04:35 -!- mode/#openvpn [+v dionysus69] by ChanServ
04:46 <@ordex> F14W3D: yeah I do understand, and I am all for pushing 2.4.3 to the rpi
04:49 <+F14W3D> ordex: well I will try to get to the package maintainer whatsoever to see what can be done to speed this up
05:00 -!- mode/#openvpn [+v czart_] by ChanServ
05:20 -!- mode/#openvpn [+v davimore] by ChanServ
05:34 -!- mode/#openvpn [+v gh0st] by ChanServ
05:57 -!- mode/#openvpn [+v Szadek] by ChanServ
06:21 -!- mode/#openvpn [+v mrpops2ko] by ChanServ
07:12 -!- mode/#openvpn [+v _ADN_] by ChanServ
07:15 -!- mode/#openvpn [+v dave0x6d] by ChanServ
07:53 -!- mode/#openvpn [+v JackWinter] by ChanServ
07:56 -!- mode/#openvpn [+v navidr] by ChanServ
08:05 -!- mode/#openvpn [+v luckman212] by ChanServ
08:10 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
08:12 -!- mode/#openvpn [+v rtjure] by ChanServ
08:15 -!- mode/#openvpn [+v Ryushin] by ChanServ
08:28 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
08:28 -!- mode/#openvpn [+v rizonz] by ChanServ
08:28 <+rizonz> hi guys
08:29 <+rizonz> I upgraded my pfsense box to the latest openvpn version, downloaded the latest client from the openvpn website and I have auth issues... openvpn doesn't seem to log anything
08:40 -!- mode/#openvpn [+v tunekey] by ChanServ
08:40 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
09:12 -!- mode/#openvpn [+v chamar] by ChanServ
09:13 <+chamar> Hi guy, I just got a router (Ubiquiti EdgrRouter) that include OpenVPN.  I was curious if there's pros / cons to use it instead of installing OpenVPN on a linux VM?
09:13 -!- mode/#openvpn [+v tunekey] by ChanServ
09:16 -!- mode/#openvpn [+v dionysus69] by ChanServ
09:18 -!- mode/#openvpn [+v Ryushin] by ChanServ
09:18 <+DArqueBishop> chamar: as long as it's kept updated, I don't see it being a problem. I use OpenVPN on my own router, as does another friend of mine.
09:20 <+chamar> Thanks DArqueBishop.. good point.  I'll check what's the update mechanism of that router
09:21 <@ordex> sometimes the router might not be able to perform well if the cpu is not powerfull enough. but most modern routers do
09:22 <+chamar> Ok.  I think I'll setup both and see what works best.
09:23 <+chamar> but what DArqueBishop mentions about update makes me think I would be better served by a VM.
09:23 <@ordex> chamar: don't you have the sdk from ubt to install a more recent version ?
09:23  * DArqueBishop shrugs.
09:23 <@ordex> ah I think the sdk was closed some years ago
09:24 <+chamar> no idea yet... I'm about to dig the whole thing.  I was planning how I was about to set everything up
09:24 <+DArqueBishop> Routers need to be regularly updated anyway. As long as they keep updating OpenVPN as part of it...
09:25 <@ordex> I strongly doubt a stock firmware will ship any 2.4.X openvpn anytime soon :P
09:25 <+chamar> https://community.ubnt.com/t5/EdgeMAX-Feature-Requests/Update-to-OpenVPN-2-4-0-on-Edgerouter/idi-p/1754076
09:25 <@vpnHelper> Title: Update to OpenVPN 2.4.0 on Edgerouter - Ubiquiti Networks Community (at community.ubnt.com)
09:25 <+chamar> Got your answer, I guess.
09:26 <+DArqueBishop> True. My
09:26 <+DArqueBishop> Oops.
09:26 <+DArqueBishop> I'm running LEDe
09:26 <+DArqueBishop> ... damn iPad keyboard.
09:26 <@ordex> well, then it's another story ;P
09:26 <@ordex> a better one :D
09:26 <+DArqueBishop> I'm running LEDE 17.01.2 on my own router.
09:27 <@ordex> good one ;)
09:27 <@ordex> did they upgrade to 2.4.3 ?
09:27 <+chamar> that's the second steps... flash my current router with something else.  Thanks for LEDe, I'll have a look.
09:27 <+DArqueBishop> Yeah.
09:33 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
09:38 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
09:53 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
10:07 -!- mode/#openvpn [+v rtjure] by ChanServ
10:27 -!- mode/#openvpn [+v pdobrogost_] by ChanServ
10:38 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
10:44 -!- mode/#openvpn [+v skyroveRR] by ChanServ
10:45 -!- mode/#openvpn [+v rek] by ChanServ
10:51 -!- mode/#openvpn [+v pdobrogost_] by ChanServ
10:55 -!- mode/#openvpn [+v libertas] by ChanServ
11:00 <+rek> what does create the interface tun0 ? i don't even have it
11:01 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
11:13 -!- mode/#openvpn [+v jareth_] by ChanServ
11:16 <+rek> why didn't openvpn create a tun device?
11:19 <+rek> /dev/net/tun is present
11:22 -!- mode/#openvpn [+v kaipee] by ChanServ
11:28 -!- mode/#openvpn [+v kaipee] by ChanServ
11:30 -!- mode/#openvpn [+v skyroveRR] by ChanServ
11:45 -!- mode/#openvpn [+v troulouliou_div2] by ChanServ
11:55 -!- mode/#openvpn [+v evilgohan2] by ChanServ
12:07 -!- mode/#openvpn [+v shootbird] by ChanServ
12:13 -!- mode/#openvpn [+v ReimuHakurei] by ChanServ
12:14 -!- mode/#openvpn [+v WhizzWr] by ChanServ
12:14 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
12:14 -!- mode/#openvpn [+v andy09usa] by ChanServ
12:18 -!- mode/#openvpn [+v swebb] by ChanServ
12:41 -!- mode/#openvpn [+v james41382] by ChanServ
12:43 -!- mode/#openvpn [+v ShapeShifter499] by ChanServ
12:44 -!- mode/#openvpn [+v skizye] by ChanServ
13:11 -!- mode/#openvpn [+v skizye] by ChanServ
13:33 -!- mode/#openvpn [+v dionysus69] by ChanServ
14:03 -!- mode/#openvpn [+v esters] by ChanServ
14:08 <+esters> Hi, I have been stuck with the following error message appearing in my log file - Recursive routing detected, drop tun packet to [Host] . Client is running Windows 7 SP1 with OpenVPN 2.4.3, server is running LEDE 17.01, OpenVPN 2.4.2. Log file of client - https://pastebin.com/raw/iwajWZV9
14:10 -!- mode/#openvpn [+v pdobrogost] by ChanServ
14:15 -!- mode/#openvpn [+v tunekey] by ChanServ
14:16 -!- mode/#openvpn [+v tunekey] by ChanServ
14:17 -!- mode/#openvpn [+v zorbs0ne] by ChanServ
14:17 -!- mode/#openvpn [+v tunekey] by ChanServ
14:25 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
14:29 -!- mode/#openvpn [+v tunekey] by ChanServ
14:29 -!- mode/#openvpn [+v davimore] by ChanServ
14:34 -!- mode/#openvpn [+v tunekey] by ChanServ
14:35 -!- mode/#openvpn [+v tunekey] by ChanServ
14:35 -!- mode/#openvpn [+v shootbird] by ChanServ
15:11 -!- mode/#openvpn [+v kaipee] by ChanServ
15:22 -!- mode/#openvpn [+v nitdega] by ChanServ
16:17 -!- mode/#openvpn [+v Geom] by ChanServ
16:20 -!- mode/#openvpn [+v almostworking] by ChanServ
16:22 -!- mode/#openvpn [+v Typhon] by ChanServ
16:26 -!- mode/#openvpn [+v skyroveRR] by ChanServ
16:29 -!- mode/#openvpn [+v gh0st] by ChanServ
16:58 -!- mode/#openvpn [+v navidr] by ChanServ
17:19 -!- mode/#openvpn [+v almostworking] by ChanServ
17:26 -!- mode/#openvpn [+v luckman212] by ChanServ
17:35 -!- mode/#openvpn [+v tunekey] by ChanServ
17:41 -!- mode/#openvpn [+v mundus2018] by ChanServ
18:33 -!- mode/#openvpn [+v veyper] by ChanServ
18:38 -!- mode/#openvpn [+v zulutango] by ChanServ
18:42 -!- mode/#openvpn [+v Noldorin] by ChanServ
20:33 -!- mode/#openvpn [+v fyrril] by ChanServ
21:11 -!- mode/#openvpn [+v subo_] by ChanServ
22:01 -!- mode/#openvpn [+v u0m3] by ChanServ
22:10 -!- mode/#openvpn [+v sethkush] by ChanServ
23:14 -!- mode/#openvpn [+v skizye] by ChanServ
23:28 -!- mode/#openvpn [+v Poster] by ChanServ
23:39 -!- mode/#openvpn [+v Kolas] by ChanServ
23:48 -!- mode/#openvpn [+v ShadniX] by ChanServ
23:53 -!- mode/#openvpn [+v ShapeShifter499] by ChanServ
--- Day changed Sun Jul 02 2017
00:01 -!- mode/#openvpn [+v tuxy] by ChanServ
00:01 <+tuxy> !welcome
00:01 <+tuxy> !goal
00:01 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
00:01 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
00:01 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
00:02 <+tuxy> !howto
00:02 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
00:12 <+tuxy> !goal I would like to access the internet over my vpn
00:13 <+tuxy> whoops
00:13 <+tuxy> I would like to access the internet over my vpn
00:13 <+tuxy> !I would like to access the internet over my vpn
00:14 <+tuxy> hmm
00:15 <+tuxy> am I doing this right?
00:16 -!- mode/#openvpn [+v tunekey] by ChanServ
00:27 <+xboner> tuxy what system are you trying to put openvpn server on ?
00:27 <+xboner> or are you just trying to connect to your vpn ?
00:28 <+tuxy> I'm trying to setup openvpn on a VPS and a dedicated server in two different locations
00:31 <+tuxy> on ubuntu 16.04
00:32 <+xboner> if you have 64bit
00:32 <+xboner> wget http://swupdate.openvpn.org/as/openvpn-as-2.1.9-Ubuntu16.amd_64.deb
00:33 <+tuxy> why 2.1.9?
00:33 <+xboner> then do a sudo dpkg -i
00:33 <+xboner> should be latest
00:33 <+xboner> it is
00:33 <+xboner> as = access server
00:33 <+tuxy> ahh I see
00:33 <+xboner> they also have the #openvpn-as channel
00:33 <+xboner> as well
00:34 <+tuxy> what is the difference between openvpn and openvpn-as?
00:34 <+xboner> you need to install the access server. then you can go to http://ip.ip.ip.ip:943/admin/
00:35 <+xboner> openvpn is just the client
00:35 <+tuxy> I see
00:35 <+xboner> finish the setup of the server, then you can go to ; http://ip.ip.ip.ip:943
00:35 <+xboner> login as the standard user
00:35 <+xboner> and download the client, or just the .ovpn file
00:36 <+tuxy> I used a tutorial to generate that .ovpn file from openvpn itself
00:36 <+xboner> i perfer the openvpn gui over the openvpn connect software personally
00:37 <+tuxy> I see
00:37 <+xboner> the gui will work with the .ovpn file
00:37 <+xboner> but running the server gives you download options for each os
00:37 <+xboner> the openvpn access server will generate it for you
00:37 <+tuxy> oh. so windows cant handle .ovpn?
00:37 <+xboner> it can, you will want to install the openvpn gui installer
00:38 <+xboner> or use the optional connect software in its place
00:38 <@ordex> xboner: why did you suggest to install openvpn-as commercial product when tuxy clearly did not mention that ?
00:38 <+xboner> the gui is better imo
00:38 <@ordex> openvpn-as is not needed to setup your own private VPN
00:38 -!- mode/#openvpn [+v OS-16517] by ChanServ
00:39 <+xboner> ah my fault, totally misunderstood myself then
00:39 <+tuxy> yea. i figured that already.
00:39 <@ordex> tuxy can use the opensource openvpn software both on the client and on the server
00:39 <@ordex> without the need to install the commercial AS
00:39 <+hyper_ch> what ordex said
00:39 <+tuxy> yea. when he mentioned it was a GUI, I figured it wasn't required.
00:39 <@ordex> well, openvpn-as is not just a GUI but a big bundle of software for an Enterprise solution. not sure it is what you need here :P
00:39 <@ordex> hyper_ch: aye aye!
00:40 <+tuxy> ahh I see
00:40 <+xboner> sorry tuxy for the bad advise
00:40 <@ordex> :)
00:40 <@ordex> xboner: 20 push ups! :D
00:40 <+tuxy> can I use a popular script to configure my openvpn?
00:40 <+hyper_ch> !confgen
00:40 <@vpnHelper> "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/, or (#3) you must run this in bash
00:41 <+tuxy> second link is 404
00:41 <+hyper_ch> krzee: fix your repo ;)
00:41 <@ordex> on openvpn.net there are some howtos as well I think
00:41 <@ordex> !howto
00:41 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
00:42 <@ordex> these are quite good if it is your very first time configuring openvpn
00:42 <@ordex> tuxy: ^^
00:42 <+tuxy> what about this script? https://github.com/Angristan/OpenVPN-install/blob/master/openvpn-install.sh
00:42 <@vpnHelper> Title: OpenVPN-install/openvpn-install.sh at master · Angristan/OpenVPN-install · GitHub (at github.com)
00:42 <@ordex> tuxy: third party scripts are not really recommended, unless you know exactly what the script is doing
00:43 <@ordex> you can start by reading thw howto :-p
00:43 <+hyper_ch> ordex: usually script do some automagic :)
00:43 <@ordex> :D
00:44 <+tuxy> from what I can read, that script I linked simply gets the required details from the system, generates the primes for cert file, and outputs everything to the config file
00:48 <+tuxy> ordex, I am sure you have heard of that script though
00:48 <+tuxy> would you recommend it?
00:49 <+hyper_ch> tuxy: what makes you sure ordex has heard of it?
00:51 <+tuxy> It's a popular install script for openvpn and the first result on google when searching for "openvpn install script"
00:52 <+tuxy> if he/she is a part of the community maintaining the standards of openvpn how-to guides, etc., they would be aware of what's out there, generally speaking
00:54 <+hyper_ch> and that makes us having heard of it before becasue ...?
00:56 <+tuxy> why are you arguing with me? It's a popular openvpn install script. if you dont know of it, you can jsut say so
00:56 <+tuxy> I assume you would know because of its popularity
00:57 <+tuxy> not much else to it
01:01 <+tuxy> hyper_ch, I mentioned the script because it's easier for me to use that script
01:01 <+tuxy> because I am bad at configuring things
01:03 <@ordex> tuxy: I don't know that script. usually i follow the howtos/guides on openvpn.net
01:03 <@ordex> but what do you need the script for ?
01:03 <@ordex> usually installing the openvpn package on your distro and then using easyrsa (set of scripts) is enough
01:03 <@ordex> the openvpn confguration is something you have to write yourself anyway
01:08 <+tuxy> I find that when I configure something by hand, it doesn't work
01:09 <+tuxy> it's just easier for me to install it via the script. I can read what the script is doing and I trust it.
01:09 <+tuxy> I was wondering if you had any opinions on it
01:10 <+tuxy> however, I am reading the how-to guide
01:10 -!- mode/#openvpn [+v dionysus69] by ChanServ
01:10 <+tuxy> and in the DH section, it doesnt mention how to generate 4096 prime
01:15 <@ordex> tuxy: check the man page at the --dh section
01:15 <+tuxy> but I'm using the easyrsa 3 bundle of scripts as mentioned in the guide: https://openvpn.net/index.php/open-source/documentation/howto.html#quick
01:15 <@vpnHelper> Title: HOWTO (at openvpn.net)
01:25 -!- xMopxShell is now known as xmopxshell
01:26 -!- xmopxshell is now known as xMopxShell
01:26 <@ordex> tuxy: sure, but the dh parameter is just a standalone thing, the man explains how to generate it
02:16 -!- mode/#openvpn [+v C3NT4URO] by ChanServ
02:16 <+C3NT4URO> hi all :)
02:18 <+C3NT4URO> I have a little question... I'm searching aroung Saint Google but i can't find my issue out. Is there document about how to do VPN cliente MSI installer? I've a lot of VPN and I want to make a installer up (with user, pass, and logo if it is possible)
02:19 <+C3NT4URO> I think i should download the tarball and make the changes there
02:19 <+C3NT4URO> but I'm not sure
03:01 -!- mode/#openvpn [+v czart__] by ChanServ
03:13 -!- mode/#openvpn [+v Geom] by ChanServ
03:35 -!- mode/#openvpn [+v subzero79] by ChanServ
03:36 -!- mode/#openvpn [+v luckman212] by ChanServ
03:41 -!- mode/#openvpn [+v subzero79] by ChanServ
03:43 -!- mode/#openvpn [+v subzero79] by ChanServ
04:13 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
04:40 -!- mode/#openvpn [+v gffa] by ChanServ
04:51 -!- mode/#openvpn [+v navidr] by ChanServ
05:00 -!- mode/#openvpn [+v mrpops2ko] by ChanServ
05:03 -!- mode/#openvpn [+v troulouliou_div2] by ChanServ
05:26 -!- mode/#openvpn [+v zulutango] by ChanServ
05:55 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
06:11 -!- kerio is now known as iKerio
06:11 -!- iKerio is now known as kerio
06:16 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
06:20 -!- mode/#openvpn [+v norkle] by ChanServ
06:22 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
06:32 -!- mode/#openvpn [+v dionysus69] by ChanServ
07:26 -!- mode/#openvpn [+v MrAlexandr0] by ChanServ
07:45 -!- mode/#openvpn [+v iKerio] by ChanServ
08:01 -!- mode/#openvpn [+v Ryushin] by ChanServ
08:05 <+esters> Hi, quick update on my question, turns out if I add the following line in my clients ovpn config file - pull-filter ignore "redirect-gateway local def1" the VPN connection succeeds and I am able to browse the internet and see my SMB shares.
08:06 -!- mode/#openvpn [+v dionysus69] by ChanServ
08:14 -!- iKerio is now known as kerio
08:15 -!- mode/#openvpn [+v dave0x6d] by ChanServ
08:35 -!- mode/#openvpn [+v tunekey] by ChanServ
09:38 -!- mode/#openvpn [+v Ryushin] by ChanServ
09:39 -!- mode/#openvpn [+v davimore] by ChanServ
09:40 -!- mode/#openvpn [+v dionysus69] by ChanServ
10:11 -!- mode/#openvpn [+v dionysus69] by ChanServ
11:27 -!- mode/#openvpn [+v mete-] by ChanServ
11:28 -!- mete- is now known as mete
11:47 -!- mode/#openvpn [+v early] by ChanServ
11:51 -!- mete is now known as Guest7025
11:51 -!- mode/#openvpn [+v mete-] by ChanServ
11:57 -!- mode/#openvpn [+v rtjure] by ChanServ
12:32 -!- mode/#openvpn [+v chachasmooth] by ChanServ
12:32 -!- mode/#openvpn [+v Noldorin] by ChanServ
12:34 -!- mode/#openvpn [+v skizye] by ChanServ
12:36 -!- mode/#openvpn [+v rtjure] by ChanServ
12:42 -!- mode/#openvpn [+v mete] by ChanServ
13:23 -!- mode/#openvpn [+v shio] by ChanServ
13:26 -!- mode/#openvpn [+v Renich] by ChanServ
13:34 -!- mode/#openvpn [+v Renich] by ChanServ
13:51 -!- mode/#openvpn [+v n-st] by ChanServ
13:54 -!- mode/#openvpn [+v n-st] by ChanServ
14:01 -!- mode/#openvpn [+v n-st] by ChanServ
14:03 -!- mode/#openvpn [+v johnny56_] by ChanServ
14:05 -!- mode/#openvpn [+v u0m3_] by ChanServ
14:44 -!- mode/#openvpn [+v davimore] by ChanServ
15:07 -!- mode/#openvpn [+v chachasmooth] by ChanServ
15:11 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
15:18 -!- mode/#openvpn [+v Nehemiah] by ChanServ
15:19 <+Nehemiah> What IP address is relative safe to use for my network so there the change of conflicts is reduced?
15:30 <+rudi_s> Nehemiah: Do you plan to join your VPN with other VPNs? If no, it doesn't matter, just make sure it's a RFC1918 (IPv4) or ULA (IPv6) address.
15:31 <+rudi_s> If yes, it doesn't matter for IPv4 because you will get conflicts and neither for IPv6 because ULA is unique enough so conflicts won't happen (if you properly create your ULA-range, which means random).
15:31 <+rudi_s> *you will get conflicts anyway
16:01 -!- mode/#openvpn [+v WhizzWr] by ChanServ
16:04 -!- mete is now known as Guest10909
16:04 -!- mode/#openvpn [+v mete-] by ChanServ
16:06 -!- mode/#openvpn [+v MrAlexandr0] by ChanServ
16:23 -!- mode/#openvpn [+v mete] by ChanServ
16:23 -!- mode/#openvpn [+v Snow] by ChanServ
16:33 -!- mode/#openvpn [+v WhizzWr] by ChanServ
16:38 -!- mode/#openvpn [+v troulouliou_div2] by ChanServ
16:39 -!- mode/#openvpn [+v almostworking] by ChanServ
17:17 -!- mode/#openvpn [+v stns4] by ChanServ
17:24 -!- mode/#openvpn [+v pppingme] by ChanServ
17:46 -!- mode/#openvpn [+v Ryushin] by ChanServ
19:13 -!- mode/#openvpn [+v Sweet-P] by ChanServ
20:19 -!- mode/#openvpn [+v jareth_] by ChanServ
20:48 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
20:51 -!- mode/#openvpn [+v tunekey] by ChanServ
20:56 -!- mode/#openvpn [+v tunekey] by ChanServ
21:07 -!- mode/#openvpn [+v tunekey] by ChanServ
21:10 -!- mode/#openvpn [+v subo] by ChanServ
21:12 -!- mode/#openvpn [+v tunekey] by ChanServ
21:21 -!- mode/#openvpn [+v Emperor_Earth] by ChanServ
21:44 -!- mode/#openvpn [+v chachasmooth] by ChanServ
21:50 -!- mode/#openvpn [+v Tykling] by ChanServ
22:54 -!- mode/#openvpn [+v _ADN_] by ChanServ
22:57 -!- mode/#openvpn [+v sz0] by ChanServ
23:34 -!- mode/#openvpn [+v navidr] by ChanServ
23:40 -!- mode/#openvpn [+v aguestuser] by ChanServ
23:49 -!- mode/#openvpn [+v ShadniX] by ChanServ
--- Day changed Mon Jul 03 2017
00:04 -!- mode/#openvpn [+v whoa] by ChanServ
00:20 -!- mode/#openvpn [+v _ADN_] by ChanServ
00:52 -!- mode/#openvpn [+v Kolas] by ChanServ
01:01 -!- mode/#openvpn [+v czart_] by ChanServ
01:52 -!- mode/#openvpn [+v eworm] by ChanServ
02:44 -!- mode/#openvpn [+v Kolas] by ChanServ
02:46 -!- mode/#openvpn [+v allizom] by ChanServ
02:47 -!- mode/#openvpn [+v allizom] by ChanServ
02:47 -!- mode/#openvpn [+v dionysus69] by ChanServ
03:15 -!- mode/#openvpn [+v qwerkus] by ChanServ
03:16 <+qwerkus> Hello: how can I share port 443 connection between openVPN and apache2, knowing that openVPN is installed on the router, and apache2 on a server behind the router ?
03:20 <@ordex> not sure you can do that, unless you have a way to distinguish the two connections by looking at the first packet...but this seems unfeasible to me (I might be wrong)
03:27 <+hyper_ch> qwerkus: udp vs tcp
03:27 <+hyper_ch> apache uses tcp and openvpn can use udp
03:27 <+qwerkus> yes
03:27 <+qwerkus> but my clients have only 433 and 80 available
03:28 <+hyper_ch> HTTP/S uses TCP... so let port 443 TCP go to the apache server
03:28 <+hyper_ch> and port 443 UDP to the vpn server
03:28 <+hyper_ch> only problem is if clients only have 443 TCP available
03:29 <+qwerkus> hmmm, not sure about the latter one, but wouldn't be a surprise
03:29 <@ordex> hyper_ch: I think this is his use case
03:29 <+qwerkus> is it possible to use the port-share config option ?
03:30 <+hyper_ch> ordex: I don't know...
03:30 <@ordex> qwerkus: just reading the manpage. it may work actually
03:30 <+hyper_ch> from what I've seen is that port 80, 443 are available in companies but they don't differentiate between udp/tcp and let both pass
03:30 <@ordex> qwerkus: have you tried using it ?
03:30 <@ordex> hyper_ch: oh really? usually UDP is just all killed here
03:31 <+hyper_ch> ordex: my experience is different in that regard :)
03:31 <@ordex> hehe
03:31 <@ordex> I see :)
03:31 <+qwerkus> ordex: yes, but it seems to work only with both openvpn and apache2 on the same machine - which is not my case
03:31 <+hyper_ch> qwerkus: can't you use another IP?
03:32 -!- mode/#openvpn [+v Snoww] by ChanServ
03:32 <+Snoww> Hi
03:32 <@ordex> qwerkus: "it will proxy the connection to  the  server  at  host:port" << host:port does not need to be localhost
03:32 <+Snoww> plaisthos ? Are you there ?
03:33 <+qwerkus> ordex: ok, sounds good. Yet is suspect it is conflicting with the port forwarding of the router
03:33 -!- mode/#openvpn [+v _ADN_] by ChanServ
03:33 <@ordex> qwerkus: should not, because once openvpn receives the packet it already went through the routing port forwarding
03:34 <@ordex> qwerkus: but let the experiment begin ;)
03:35 <+qwerkus> well, that would explain why it is currently not working: all 443 packets are forwarde to the webserver
03:36 <@ordex> ah
03:36 <@ordex> sorry, I didn't et that part
03:36 <@ordex> yeah, openvpn will do the "forwarding"
03:36 <@ordex> so no port forwarding on the router (where openvpn is running) is needed
03:50 -!- mode/#openvpn [+v _ADN_] by ChanServ
04:01 -!- mode/#openvpn [+v mrpops2ko] by ChanServ
04:05 -!- mode/#openvpn [+v zulutango] by ChanServ
05:07 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
05:14 -!- mode/#openvpn [+v tunekey] by ChanServ
05:38 -!- mode/#openvpn [+v chachasmooth] by ChanServ
05:46 -!- mode/#openvpn [+v aguestuser] by ChanServ
05:52 -!- mode/#openvpn [+v davimore] by ChanServ
06:06 -!- mode/#openvpn [+v WebDawg] by ChanServ
06:07 -!- mode/#openvpn [+v RAX] by ChanServ
06:07 -!- RAX is now known as rax-
06:07 <+hyper_ch> krzee: ecrist : so, got a Yealink T48 and now I have to see how I can set it up with OpenVPN
06:08 <@ordex> hyper_ch: router?
06:08 <+hyper_ch> sip phone
06:08 <+hyper_ch> http://yealink.com/product_info.aspx?ProductsCateID=1206
06:08 <@vpnHelper> Title: Yealink | UC＆C terminal, video collaboration, conference phone, IP phone (at yealink.com)
06:08 <+hyper_ch> looks a bit nicer than my current Snom 320s :)
06:10 <@ordex> hehe
06:11 <+hyper_ch> I was happy with the snom 320 or wait, I think it is 360.... but now a customer of mine forced that T48G on me ;)
06:11 <+hyper_ch> color display does indeed look nicer
06:16 <+hyper_ch> I'll free it from the shipping box tomorrow (forgot it at home)
06:56 -!- mode/#openvpn [+v davimore] by ChanServ
07:29 -!- mode/#openvpn [+v dave0x6d] by ChanServ
07:47 -!- mode/#openvpn [+v Nik05] by ChanServ
07:47 -!- mode/#openvpn [+v NonSecwitter] by ChanServ
07:58 -!- mode/#openvpn [+v chachasmooth] by ChanServ
08:23 -!- mode/#openvpn [+v ExoUNX] by ChanServ
08:24 -!- mode/#openvpn [+v Very_slow] by ChanServ
08:49 -!- mode/#openvpn [+v navidr] by ChanServ
08:54 -!- mode/#openvpn [+v xMopxShell] by ChanServ
09:02 -!- mode/#openvpn [+v jamesl] by ChanServ
09:04 <+jamesl> After upgrading openVPN on my server and restarting the service, my client is unable to connect. Nothing appears in the log, it just shows "connecting...." forever. It worked perfectly before, what happened? I can't downgrade as I can't remember what version I was on before. Currently at 2.4.0 on the server
09:05 <+jamesl> https://i.imgur.com/TDRmBLl.png this is what my client window looks like
09:08 <+hyper_ch> looks like the client isn't even loading a config
09:11 -!- mode/#openvpn [+v APTX] by ChanServ
09:22 <+jamesl> no idea why. I re-copied the .ovpn file and it's still not working. I'll try reinstalling the client
09:33 <+jamesl> hyper_ch: turns out I needed to update the client. It works now
09:41 -!- mode/#openvpn [+v [SURFnet]Rogier] by ChanServ
09:54 -!- mode/#openvpn [+v nitdega] by ChanServ
09:56 -!- mode/#openvpn [+v wolflarson] by ChanServ
09:57 <+wolflarson> Hello, one connected to my VPN my search domain and my DNS is not getting set on linux computers. If I edit my /etc/resolve.conf and add it directly everything starts routing just fine. Can anyone assist with this?
09:58 <+wolflarson> Works fine on Mac OS computers just linux that is seeing this
09:58 <+wolflarson> testing with KDE Neon (ubuntu 16.04 based)
10:14 -!- mode/#openvpn [+v Noldorin] by ChanServ
10:23 <@Eugene> !pushdns
10:23 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for
10:23 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
10:25 <@Eugene> wolflarson - depending upon how you're invoking openvpn(eg, through a GUI wrapper like NetworkManager, TunnelBlick or Openvpn for Windows vs as a "service"), you need to have a --up script process some options, particularly pushed DNS servers. This is because there is not a good cross-platform way to do this, so `openvpn` doesn't
10:26 <@Eugene> Wow, that was a terrible explanation and I'm sorry. Brain not awake yet this morning
10:27 <@dazo> TL;DR: In Linux, use NetworkManager-openvpn ... and it all works out of the box :)
10:34 <+stns4> !windns
10:34 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
11:00 -!- mode/#openvpn [+v dionysus69] by ChanServ
11:20 -!- mode/#openvpn [+v gffa] by ChanServ
11:25 -!- mode/#openvpn [+v mete] by ChanServ
11:25 -!- mode/#openvpn [+v axsuul] by ChanServ
11:25 -!- mode/#openvpn [+v ShadniX] by ChanServ
11:28 -!- mode/#openvpn [+v rtjure] by ChanServ
11:37 -!- mode/#openvpn [+v Snow] by ChanServ
11:37 <+Snow> hi
11:37 <+Snow> plaisthos ? are you there ?
12:08 -!- mode/#openvpn [+v JackWinter] by ChanServ
12:15 <+wolflarson> Eugene, dazo thank you I think I see what you mean however durring the connection I do have this message "PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DOMAIN domain.local, dhcp-options internalDNS ect "
12:15 <+wolflarson> would that not be the pushdns settings?
12:16 <@Eugene> wolflarson - yup, that's them. `openvpn` does not process the dhcp-option settings itself; they are left to an external script(or wrapper)
12:16 <+wolflarson> guess I should have ended the quotes before the ect lol
12:16 <@ecrist> suuuup biches.
12:16 <@ecrist> heh, forgot about that
12:16 <@Eugene> urmom
12:16  * ecrist leaves chanserv +v in honor of Brexit 2017
12:16 <@ecrist> 241st annum of Brexit 1776
12:16 <@Eugene> Oh god that
12:17  * ecrist chants USA! USA! USA!
12:18 <@ecrist> goo.gl/UUn6Gucontent_copyCopy short URL
12:18 <@ecrist> stupid copy/paste
12:18 <@ecrist> https://goo.gl/UUn6Gu
12:18 <@ecrist> there you go
12:19 <+wolflarson> ok got you I'll go back to exploring the networkmanager method thanks to you both!
12:19 <@ecrist> I know it's a day early, but I celebrate freedom every day
12:19 <+kerio> wait why am i voiced
12:24 <@Eugene> Every day I'm hustlin'
12:24 <@ecrist> kerio: /msg chanserv access #openvpn list
12:24 <@ecrist> also, see /topic (the last bit)
12:25 <+kerio> oic
12:55  * ecrist should change +V to +O for tomorrow. >:-)
12:56 <@Eugene> Chaos
12:56 <@ecrist> freedom
12:56 <@ecrist> and we always have chanserv. :)
12:58 -!- mode/#openvpn [+v tormoz] by ChanServ
13:01 -!- mode/#openvpn [+v dionysus70] by ChanServ
13:01 -!- dionysus70 is now known as dionysus69
13:07 -!- mode/#openvpn [+v chachasmooth] by ChanServ
13:07 -!- mode/#openvpn [+v Pro9x] by ChanServ
13:12 -!- mode/#openvpn [+v qwerkus] by ChanServ
13:14 <+qwerkus> hello, I've set up an openvpn server on a erx-sfp router. Clients seem to be alble to connect
13:15 <+qwerkus> but they cannot access the LAN (which is the point of this vpn)
13:15 <+qwerkus> what I am doing wrong ?
13:18 <+qwerkus> here is a link to the (very simple) server config: https://paste.ee/p/yjys6
13:19 <@Eugene> !serverlan
13:19 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
13:19 <@Eugene> qwerkus - flowchart ^
13:21 <+qwerkus> simple setup: LAN <---> erx-sfp router with openvpn <------ internet------> clients
13:22 -!- mode/#openvpn [+v Snow] by ChanServ
13:22 <+Snow> re
13:22 <+Snow> plaisthos ? Still not there ?
13:25 <+qwerkus> !ipforward
13:25 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
13:25 <+qwerkus> that is indeed one nice flowchart eugene
13:26 <@ecrist> qwerkus: credit goes to krzee.  Eugene is just an asshole.
13:26 <@ecrist> ;)
13:26 <@Eugene> Hey now, I'm a dick. I fuck assholes.
13:26 <@ecrist> Eugene++ for the Team America reference
13:26 <+qwerkus> i think I just learned more in a sec than in a week
13:27 <+qwerkus> !linipforward
13:27 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
13:28 <@Eugene> Your router's GUI probably has a button to do these things ^
13:28 <@Eugene> But we, of course, cannot help with that because I've never even heard of an erx
13:29 <+qwerkus> https://www.ubnt.com/edgemax/edgerouter-x-sfp/
13:29 <@Eugene> Oh, those things. I didn't know they had openvpn in them heh
13:29 <+str4nd> maybe paste "show configuration" to a pastebin?
13:29 <@Eugene> Ya, the whole router config woudl be a good start
13:31 <+qwerkus> that's a lot
13:35 <+qwerkus> here you go: https://paste.ee/p/TsQEc
13:35 <+qwerkus> I guess what I need is a DNAT rule to somehow bind switch0 and vtun0
13:53 <+qwerkus> so, any thoughts on the config ?
13:55 -!- mode/#openvpn [+v drcode] by ChanServ
13:57 <+str4nd> can you ping 192.168.1.1 and 10.71.25.1 from your notebook?
13:58 -!- mode/#openvpn [+v Kolas] by ChanServ
14:07 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has left #openvpn ["Konversation terminated!"]
14:11 -!- mode/#openvpn [+v NonSecwitter] by ChanServ
14:26 -!- mode/#openvpn [+v DrNo] by ChanServ
14:33 -!- mode/#openvpn [+v _ADN_] by ChanServ
14:40 -!- mode/#openvpn [+v johnny56_] by ChanServ
14:50 -!- mode/#openvpn [+v F14W3D] by ChanServ
14:56 <+qwerkus> str4nd: the client has quit
14:56 <+qwerkus> can't test it on local
14:56 <+qwerkus> so I have to wait until tomorrow
14:57 -!- mode/#openvpn [+v e_xistense] by ChanServ
15:17 -!- mode/#openvpn [+v stns4] by ChanServ
15:36 -!- mode/#openvpn [+v gffa] by ChanServ
16:04 -!- mode/#openvpn [+v xMopxShell] by ChanServ
16:41 -!- mode/#openvpn [+v chachasmooth] by ChanServ
16:49 -!- mode/#openvpn [+v chachasmooth] by ChanServ
17:26 -!- mode/#openvpn [+v krs93] by ChanServ
17:36 -!- mode/#openvpn [+v chachasmooth] by ChanServ
17:39 -!- phreakocious_ is now known as phreakocious
17:45 -!- mode/#openvpn [+v chachasmooth] by ChanServ
18:10 -!- mode/#openvpn [+v johnny56_] by ChanServ
18:49 -!- mode/#openvpn [+v johnny56] by ChanServ
19:02 -!- mode/#openvpn [+v xMopxShell] by ChanServ
20:32 -!- mode/#openvpn [+v Petfrogg] by ChanServ
21:04 -!- mode/#openvpn [+v davimore] by ChanServ
21:09 -!- mode/#openvpn [+v subo_] by ChanServ
21:22 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
21:33 -!- mode/#openvpn [+v chachasmooth] by ChanServ
22:25 -!- mode/#openvpn [+v krs93_] by ChanServ
22:46 -!- mode/#openvpn [+v Kolas] by ChanServ
23:01 -!- mode/#openvpn [+v czart__] by ChanServ
23:16 -!- mode/#openvpn [+v davimore] by ChanServ
23:46 -!- mode/#openvpn [+v ShadniX] by ChanServ
--- Day changed Tue Jul 04 2017
00:11 -!- mode/#openvpn [+v singer22] by ChanServ
01:35 -!- mode/#openvpn [+v eworm] by ChanServ
01:36 -!- mode/#openvpn [+v dionysus69] by ChanServ
02:04 -!- mode/#openvpn [+v [SURFnet]Rogier] by ChanServ
02:10 -!- mode/#openvpn [+v dionysus69] by ChanServ
02:14 -!- mode/#openvpn [+v davimore] by ChanServ
02:31 -!- mode/#openvpn [+v [SURFnet]Rogier] by ChanServ
02:38 -!- mode/#openvpn [+v chachasmooth] by ChanServ
03:28 -!- mode/#openvpn [+v zulutango] by ChanServ
03:31 -!- mode/#openvpn [+v surtin] by ChanServ
03:32 -!- mode/#openvpn [+v _ADN_] by ChanServ
03:40 -!- mode/#openvpn [+v xMopxShell] by ChanServ
03:41 -!- mode/#openvpn [+v [SURFnet]Rogier] by ChanServ
03:42 -!- mode/#openvpn [+v chachasmooth] by ChanServ
03:43 -!- mode/#openvpn [+v norkle] by ChanServ
03:48 -!- mode/#openvpn [+v chachasmooth] by ChanServ
03:50 -!- mode/#openvpn [+v _ADN_] by ChanServ
03:50 -!- mode/#openvpn [+v Paraxial] by ChanServ
03:50 -!- mode/#openvpn [+v chachasmooth_] by ChanServ
03:54 -!- mode/#openvpn [+v chachasmooth] by ChanServ
04:03 -!- mode/#openvpn [+v chachasmooth] by ChanServ
04:09 -!- mode/#openvpn [+v chachasmooth] by ChanServ
04:26 -!- mode/#openvpn [+v chachasmooth] by ChanServ
04:28 -!- mode/#openvpn [+v SteamedFish] by ChanServ
04:28 -!- mode/#openvpn [+v e1z0] by ChanServ
04:34 -!- mode/#openvpn [+v tunekey] by ChanServ
04:35 -!- mode/#openvpn [+v navidr] by ChanServ
04:55 -!- mode/#openvpn [+v chachasmooth] by ChanServ
05:04 -!- mode/#openvpn [+v chachasmooth] by ChanServ
05:18 -!- mode/#openvpn [+v davimore] by ChanServ
05:46 -!- mode/#openvpn [+v mrpops2ko] by ChanServ
06:03 -!- mode/#openvpn [+v [SURFnet]Rogier] by ChanServ
06:42 -!- mode/#openvpn [+v [SURFnet]Rogier] by ChanServ
06:55 -!- mode/#openvpn [+v dave0x6d] by ChanServ
06:58 -!- mode/#openvpn [+v sz0] by ChanServ
08:21 -!- mode/#openvpn [+v Denial-] by ChanServ
08:22 -!- mode/#openvpn [+v MrMojit0] by ChanServ
08:23 -!- mode/#openvpn [+v Typhon] by ChanServ
08:25 -!- mode/#openvpn [+v Denial] by ChanServ
09:01 -!- mode/#openvpn [+v OS-16517] by ChanServ
09:04 -!- mode/#openvpn [+v Petfrogg] by ChanServ
09:04 -!- mode/#openvpn [+v ShadniX] by ChanServ
09:06 -!- mode/#openvpn [+v RAX] by ChanServ
09:06 -!- RAX is now known as rax-
09:21 -!- mode/#openvpn [+v gics] by ChanServ
09:22 -!- mode/#openvpn [+v ShadniX] by ChanServ
09:25 <+gics> hello, i get "permission denied" on temporary directory, using chroot and a specific user just to run openvpn, which have the proper permissions (i can touch file in tmp dir)
09:25 <+gics> openvpn 2.4.0-6+deb9u1
09:26 -!- mode/#openvpn [+v vctrex] by ChanServ
09:26 -!- mode/#openvpn [+v davimore] by ChanServ
09:26 <+vctrex> Hi, canI beg for help here, for the moment I am hopeless
09:30 <+vctrex> I'm trying to connect to NordVpn which certs are self-signed. Everytime I am unable to make a connection because of it. I had tried updating CA certs which i had downloaded from their site, but nothing changed. May my libressl be the problem?
09:33 <@ordex> vctrex: have you asked them? I guess you are not the first one with this problem ?
09:33 <@ordex> gics: how about posting the log?
09:33 <@ordex> !logs
09:33 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
09:38 <+vctrex> https://pastebin.com/4jPweuFB
09:39 <+gics> ordex, https://paste.debian.net/hidden/4c86af79/
09:39 <@ordex> vctrex: yeah the verification fails - but i am no expert. have you tried increasing the verb to see if it prints sommething more?
09:40 <@ordex> gics: what folder did you specify to --tmp-dir ? /home/openvpn5555/jail/tmp ?
09:40 <+vctrex> ordex it looks like I am. I hear whole time one message "Did you use our tutorials?
09:41 <@ordex> :S
09:41 <+vctrex> ordex "verb?" I'm afriad I don't understand
09:41 -!- mode/#openvpn [+v Noldorin] by ChanServ
09:41 <@ordex> vctrex: check the manpage for --verb
09:41 <+gics> ordex, no, just "tmp" otherwise i got a double // at the end of /home/openvpn5555/jail
09:41 <@ordex> it's an openvpn option to set the verbosity of the log
09:42 <@ordex> gics: can you paste the config ?
09:42 <@ordex> !configs
09:42 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
09:42 -!- mode/#openvpn [+v Spydar007] by ChanServ
09:42 <@ordex> gics: client only is enough
09:44 <+gics> ordex, https://paste.debian.net/hidden/6dfa5e7e/
09:44 <+gics> just the relevant part
09:44 <+gics> if you need more i can paste it, but server side not client here
09:45 <@ordex> gics: can you double check "ls -la /home/openvpn5555/jail/tmp" ?
09:46 <+gics> ordex, -rw-r--r-- 1 openvpn5555 openvpn5555    0 lug  4 16:45 hello.txt
09:46 <@ordex> gics: this is not the entire output
09:46 <+vctrex> funny part is, that my debian maschine do not have any of these problems
09:46 <@ordex> vctrex: same libressl version ?
09:47 <+gics> ordex, just . and .. lines plus the hello.txt test file i just created, no more infos
09:47 <@ordex> right I was looking exactly for those :P
09:48 <+gics> i created hello.txt as user openvpn5555, like in the server config
09:48 <@ordex> I understand, but I wanted to see the line with .
09:48 <+gics> just to test that openvpn5555 user has the right permissions to do that
09:48 <+vctrex> openssl on /leave thx anyway
09:48 <+gics> ok, i try to paste the full output
09:49 <+gics> ordex, https://paste.debian.net/hidden/55c8a512/
09:50 <@ordex> thanks!
09:50 <@ordex> mh you clearly have wrx, weird
09:50 <+gics> everything seems right to me, speaking ok permissions, that's why i can't understand what's wrong with openvpn
09:51 <+gics> full config too?
09:51 <@ordex> gics: have you tried to touch the file after chrooting ?
09:51 <@ordex> maybe the chroot is messing up something with the user ? (just guessing)
09:51 <+gics> ordex, mmmmh no, that's an idea, i can try it
09:51 <@ordex> ok
09:52 <+gics> as root all should i do is to give chroot "path"?
09:53 <@ordex> and the shell
09:53 <@ordex> although it should take bash as default i think
09:54 <+gics> chroot: failed to run command ‘/bin/bash’: No such file or directory
09:54 <+gics> i don't remember where is configured default shell for users in linux..
09:55 <@ordex> it should be there
09:55 <@ordex> but probably it does not exist in the chroot
09:55 <@ordex> thus it can't use it when normally chroot'ing
09:56 <+gics> not founding the bash is surely the error, but now i don't know how to tell it to chroot. i don't use chroot like since 2000 :P
09:57 <@ordex> well, if you want to chroot from the terminal you'd need to create a chroot environment
09:57 <@ordex> not what you want to do now i think :D
09:59 <@ordex> gics: I am checking the code
09:59 <@ordex> hold on
10:00 <+gics> ordex, thank you! i'm looking where to specify default shell in chroot too
10:00 <@ordex> gics: btw openvpn does not enters the chroot at that time where you see the failure
10:00 <@ordex> so i don't think the chroot has nothing to do
10:00 <@ordex> openvpn is still doing bacis checks
10:01 -!- mode/#openvpn [+v iJens] by ChanServ
10:02 <+gics> ordex, oh oh, so now i know i have 2 problems instead of 1 :D
10:02 <@ordex> gics: why 2 ? :D
10:02 <@ordex> don't make it worse :D:D
10:03 <+gics> openvpn on it's own and chroot not founding bash
10:03 <@ordex> ah
10:03 <@ordex> gics: if you create /bin/bash in the chroot it will work
10:04 <@ordex> but then you also need the libraries
10:04 <@ordex> and other things ..
10:04 <@ordex> but this is not required for chrooting openvpn only
10:05 <+gics> ordex, and so best solution what would be in your opinion? Avoiding chrooting?
10:05 <@ordex> gics: I am trying to understand why you get permission error first
10:05 <@ordex> hold on
10:05 <+gics> ok, thank you again
10:08 <@ordex> gics: can you please check if /home/openvpn5555/jail/ and /home/openvpn5555/ and /home have +x for all ?I was wondering if openvpn5555 user has no search permission on the path
10:08 <@ordex> although I am not sure you would be able to cd in .....
10:09 <+gics> ordex, sure
10:09 -!- mode/#openvpn [+v OS-16517] by ChanServ
10:10 <+gics> just to say, i changed to user root group root and i got the same error: permission denied
10:10 <@ordex> are you launching openvpn as root ?
10:10 <+gics> ordex, no no, just for testing now
10:11 <+gics> permission denied doesn't exist usually for root...only for that
10:13 <+gics> ordex, x everywhere --> https://paste.debian.net/hidden/87961a3a/
10:14 <@ordex> gics: which user do you use to run openvpn ?
10:14 <@ordex> to launch it
10:14 <@ordex> is it the root user launching the process?
10:14 <+gics> ordex, from systemd
10:14 <@ordex> mh I guess it is root then
10:14 <+gics> user openvpn5555 and group openvpn5555 in the server config
10:14 <@ordex> what happens if you remove the chroot option
10:14 <@ordex> and specify --tmp-dir full path
10:14 <@ordex> ?
10:14 <+gics> i try now
10:16 <@ordex> ok
10:16 <+gics> new error: --client-config-dir fails with 'clients5555': No such file or directory
10:17 <+gics> plus the same old error about permissions
10:17 <+norkle> kid i don't know.
10:17 <@ordex> gics: the new error is due to the missing chroot
10:18 <@ordex> that folder does not exist if you do not specify the full path
10:18 <@ordex> by the way
10:18 <@ordex> same error on --tmp-dir ?
10:18 <+gics> ordex, Options error: Temporary directory (--tmp-dir) fails with '/home/openvpn5555/jail/tmp': Permission denied
10:19 <@ordex> ok
10:19 <@ordex> weird
10:19 <+gics> this works (as root) --> openvpn --config /etc/openvpn/server5555.conf --verb 4
10:20 <@ordex> ok
10:20 <@ordex> I wonder if systemd is the problem then
10:20 <+gics> i think so
10:21 <@ordex> gics: does it work also with user openvpn5555 ?
10:21 <@ordex> I mean with user/group in the config ?
10:21 <@ordex> and chroot ?
10:22 -!- mode/#openvpn [+v shio] by ChanServ
10:22 <+gics> yes, with basic config i posted to you some times ago. user/group openvpn5555 and chroot ON
10:22 <@ordex> ok
10:22 <@ordex> so openvpn is working fine..it's systemd that is not able to do the full thing
10:22 <@ordex> I wonder if systemd uses another user to start openvpn
10:23 <+gics> ordex, i'm just wondering how to check what systemd is doing :)
10:23 <@ordex> dazo is the systemd expert here :)
10:24 -!- mode/#openvpn [+v shio] by ChanServ
10:25 -!- mode/#openvpn [+v shio] by ChanServ
10:25  * dazo looks up
10:26 <@dazo> gics: can you give an executive summary of your issue?
10:27 <+gics> dazo, using jail with chroot, i get permissions denied on tmp-dir
10:27 <@dazo> okay ... the openvpn user have +x access to all directories leading to the chdir?
10:28 <@ordex> dazo: to give more context: same config works when openvpn is started by root, but does not when started via systemd
10:28 <@dazo> chroot dir
10:28 <@dazo> hmmmmm
10:29 <+gics> now i'm looking openvpn-server@.servive and i can see this line to start
10:29 <@dazo> gics: which distro?
10:29 <+gics> debian
10:29 <@dazo> okay, so no SELinux playing tricks
10:29 <+gics> just updated yesterday to new stable
10:29 <+gics> i can't paste the systemd starting line... grgrgr
10:30 <+gics> ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
10:30 <@dazo> systemctl status openvpn-server@CONFIG .... can you extract the unit file from that output and pastebin that unit file?
10:31 <+gics> i try
10:32 -!- mode/#openvpn [+v shio] by ChanServ
10:32 <+gics> dazo, https://paste.debian.net/hidden/88ed8a3c/
10:32 <+gics> i think is what you are asking me, but not 100% sure :P
10:33 <@dazo> yes, that is exactly what I needed to see :)
10:34 <@dazo> so ... first, I want to know what is producing the "Permission Denied" ... so we'll go a bit bruteforce .... can you comment out the CapabilityBoundingSet= line in the unit file?  Then do: systemctl daemon-reload .... and try to start the tunnel again
10:34 <+gics> ok
10:35 <+gics> bruteforce FTW
10:35 <@dazo> :)
10:36 <+gics> Options error: Temporary directory (--tmp-dir) fails with '/home/openvpn5555/jail/tmp': Permission denied
10:36 <+gics> same error as usually
10:36 <@dazo> okay, that's kinda good
10:37 <@dazo> hmmm
10:37 <@dazo> just a double check
10:38 <@dazo> systemctl show openvpn-server@CONFIG.service | grep CapabilityBoundingSet
10:38 <+gics> CapabilityBoundingSet=18446744073709551615
10:38 -!- mode/#openvpn [+v davimore] by ChanServ
10:38 <@dazo> wow ...
10:39 <@dazo> (that might be 64bits -1 represented as int)
10:39  * dazo double checks locally too
10:40 <+gics> in my local system is --> CapabilityBoundingSet=292034
10:40 <@dazo> yupp ... 18446744073709551615 == all capabilities enabled
10:40 -!- mode/#openvpn [+v e_xistense] by ChanServ
10:41 <@dazo> When that line is enabled, CapabilityBoundingSet=292034
10:41 <@dazo> that is good
10:41 <@dazo> so capabilities are not causing this issue
10:41 <+gics> dazo, no no wait smaller nnumber is on my laptop, not on the server
10:41 <@dazo> that's fine
10:41 <@dazo> the biggest number == no capability restriction
10:42 <@dazo> smaller number == capabilities are restricted
10:42 <+gics> dazo, ehm... i don't know what capabilities are LOL
10:42 <@ordex> gics: just to double check: are you sure the config file was exactly the same *now* and when you launched manually as root ?
10:43 <@dazo> okay, so capabilities are a way to control what kind of operations a process can do to a system ... this is more admin type of operations ... with systemd, we actually lock down what openvpn can do on a lot of areas
10:43 <@dazo> and those capabilities also restricts the root user
10:43 <+gics> ordex, yes i'm pretty sure but i can double check if needed
10:44 <@ordex> ok
10:44 <+gics> ordex, now i just need to take some time to think on dazo statement :D
10:44 <@dazo> by default all processes runs with all capabilities, so then uid/gid checks and other mechanisms (SELinux, AppArmour, SMACKS, etc)  will come after ... but if capapbilities check says no, then it's stopped very early
10:44 <@ordex> gics: sure, focus on that
10:45 <+gics> ordex, i was joking, just to say that i have a lot to learning from him about systemd
10:45 <@ordex> sure :) np
10:46  * dazo dives into what the Strech contains of security modules
10:47 <+gics> dazo, ok, following your explanation capabilities (and so systemd) are not blocking my openvpn instance from running, because of that very big number
10:47 <@dazo> correct
10:47 <@dazo> so next ... try to set PrivateTmp=false in the unit file
10:48 <@dazo> daemon-reload and re-test
10:48 <+gics> leaving capablities line commented?
10:48 <@dazo> ahh!
10:48 <@dazo> I think I see what's happening
10:48 <@dazo> ProtectHome=true
10:48 <@dazo> and you use --chroot /home....
10:49 <@dazo> I would actually recommend you to use /var/lib/openvpn/chroot-something for the chroots
10:49 <+gics> dazo, where is ProtectHome true?
10:49 <@dazo> in the unit file
10:49 <+gics> can't see that
10:49 <@dazo> hmm
10:49  * dazo double checks
10:49 <+gics> https://paste.debian.net/hidden/88ed8a3c/
10:50 <@dazo> you're right
10:50 <@ordex> dazo: btw I don't think openvpn has chroot'd already when doing the check_file routine
10:50 <+gics> i can see PrivateTmp=true
10:50 <@ordex> because it composes the filename by concatenating chroot_dir + file_name (therefore it must still be out - I think)
10:51 <@dazo> ordex: true, but those restrictions are put in place by systemd _before_ openvpn is started ... so that error would then appear before the chroot
10:51 <@ordex> ah ok
10:51 <@ordex> so that was not a chroot specific restriction from systemd. okok
10:51 <@dazo> gics: can you try the 'show | grep' trick again ... and grep for Protect?
10:51 <@ordex> sorry
10:52 <@dazo> ordex: no worries ... the security stuff in systemd can be surprising :)
10:52 <@ordex> hehe
10:52  * ordex goes to bed
10:52 <@ordex> cya
10:52 <@dazo> c'ya!
10:53 <+gics> https://paste.debian.net/hidden/922bbebd/
10:53 <+gics> ordex, bye! and thank you for your help!
10:54 <@dazo> gics: hmmm .... then trying to disable PrivateTmp= is a good shot ... but I'd also try to put the chroot inside a subdir under /var/lib/openvpn
10:54 <+gics> ok, first the privateTmp stuff then
10:54 <@dazo> yeah
10:55 <+gics> PrivateTmp=false give me the same permission error
10:56 <@dazo> okay ... if you remove --chroot from your config ... what happens then?
10:57 <+gics> 2 errors, --client-config-dir fails with 'clients5555': No such file or directory
10:57 <+gics> and the same old permissions err
10:57 <+gics> ops sorry
10:57 <+gics> Temporary directory (--tmp-dir) fails with 'tmp': No such file or directory
10:58 <@dazo> can you pastebin the complete server config?
10:58 <+gics> no permissions error this time
10:58 <+gics> yep
10:59 <@dazo> do you have SELinux on your system?
11:00 <+gics> https://paste.debian.net/hidden/749e3371/
11:00 <+gics> i don't think SElinux installed, how can i check to be sure?
11:01 <@dazo> running 'getenforced' or 'sestatus' might give some clues
11:01 <+gics> no selinux
11:01 <@dazo> (those programs should be mandatory on systems with SELinux packages installed ... without them you most likely do not have SELinux)
11:02 <+gics> both commands are not found, so no Selinux here
11:02 <+gics> 1 variable less :)
11:02 <@dazo> okay, that's "fine" :)  (I like SELinux too :-P)
11:02 <@dazo> okay ... with your config ... also comment out tmp-dir
11:02 <@dazo> as well as the client-config-dir
11:02 <@dazo> just trying to get the minimum covered
11:03 <+gics> this time i get only 1 error
11:03 <+gics> Options error: --client-config-dir fails with 'clients5555': No such file or directory
11:04 <@dazo> right ... can you take that one out too?
11:05 <+gics> Active: active (running) since Tue 2017-07-04 18:04:17 CEST; 28s ago
11:05 <+gics> yeahh!!
11:05 <@dazo> okay ... good
11:05 <+gics> systemd doesn't like chroot
11:06 <@dazo> oh, that usually works ... but need to figure out what is causing these restrictions
11:06 <@dazo> set PrivateTmp=true and re-enable the Capabilities again  (remember daemon-reload)
11:06 -!- mode/#openvpn [+v [SURFnet]Rogier] by ChanServ
11:07 -!- mode/#openvpn [+v gffa] by ChanServ
11:07 <+gics> active (running) since Tue 2017-07-04 18:06:54 CEST; 6s ago
11:07 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
11:10 <@dazo> gics: great ... so now the unit file should be the original one ... so now lets try to enable --chroot first
11:11 <+gics> no tmp-dir, no client-config dir ? only chroot?
11:11 <@dazo> only chroot
11:12 <+gics> Temporary directory (--tmp-dir) fails with '/home/openvpn5555/jail//tmp': Permission denied
11:12 <+gics> double slash
11:13 <@dazo> okay ... does '/home/openvpn5555/jail//tmp' exist?
11:13 <@dazo> okay ... does '/home/openvpn5555/jail//tmp' exist?
11:13 <@dazo> or rather '/home/openvpn5555/jail/tmp'
11:13 <+gics> not for sure, it have a double // in the path
11:13 <+gics> the latter instead exist
11:13 <@dazo> the // is usually interpreted as /
11:14 <+gics> drwxr-xr-x 2 openvpn5555 openvpn5555 4,0K lug  4 16:45 tmp
11:14 <@dazo> okay ... ls -d /home /home/openvpn5555 /home/openvpn5555/jail
11:14  * dazo need to run off for a few minutes
11:14 <+gics> ok
11:16 <+gics> https://paste.debian.net/hidden/6d509e1b/
11:32 -!- mode/#openvpn [+v aguestuser] by ChanServ
11:38 <@dazo> gics: sorry it took a while, back now
11:39 <@dazo> gics: can you try to move the chroot into /var/lib/openvpn/5555-jail ... or something like that?
11:40 <+gics> dazo, np, i just need to check the steps to do that
11:41 <@dazo> actually, it would be enough to do:  mkdir -p -m 755 /var/lib/openvpn/5555-jail/tmp; chown -R openvpn5555:  /var/lib/openvpn/5555-jail
11:42 <+gics> wow, you don't give me the time to check my notes :)
11:42 <+gics> done
11:42 <@dazo> hehe :-P
11:43 <@dazo> okay, so then change --chroot to that directory ... and see how it explodes :)
11:44 <+gics> Options error: Temporary directory (--tmp-dir) fails with '/var/lib/openvpn/5555-jail//tmp': Permission denied
11:44 <+gics> i want to crash my head. now
11:45 <@dazo> this is absolutely odd ... and there gotta be some external security layers I'm not aware of ... your config is quite bare
11:46 <@dazo> I think I'm going to install a VM with Strech and run some tests ... because this is absolutely odd
11:46 <+gics> i'm lost too
11:47 <+gics> except from reading more tuts and asking here help i don't know what to do more
11:47 <+gics> there is something that prevent starting as user openvpn5555
11:48 <@dazo> I presume you have a user created with that username ... run: id openvpn5555
11:49 <+gics> yes, for sure
11:49 <+gics> (2 users to be honest)
11:49 <+gics> uid=5002(openvpn5555) gid=5002(openvpn5555) gruppi=5002(openvpn5555)
11:49 <@dazo> okay, that's good
11:50 <@dazo> with "2 users", I presume they have different uid
11:50 <+gics> i usually run 2 openvpn instances on this vps
11:50 <+gics> uid=5001(openvpn) gid=5001(openvpn) gruppi=5001(openvpn)
11:50 <+gics> plus my regular user
11:50 <@dazo> right, okay ...
11:50 <+gics> mmmh let's try yo start as my regular user
11:51 <@dazo> hmmm ... does this also happen if you use the openvpn account?
11:54 <+gics> yes, basically what change between 2 users is only the port where openvpn listen
11:55 <@dazo> okay
11:55 <@dazo> hmmm .... grasping a straw .... can you pastebin the output of 'mount' ?
11:55 <+gics> and with my regular user is just the same permission err
11:55 <+gics> yes i copy it
11:56 <+gics> https://paste.debian.net/hidden/996bc878/
12:02 <@dazo> okay ... I have no choice than to get a stretch install .... not even any restrictions on the fs mounts
12:02 <+gics> dazo, i'm sorry for that
12:02 <@dazo> no, that's very fine!  We need to figure this out!
12:03 <+gics> dazo, ahahha, i like your attitude!
12:03 <+gics> :)
12:03 <@dazo> cat /sys/kernel/security/ima/violations ... what does that say?
12:04 <+gics> 0
12:04 <@dazo> and /sys/kernel/security/securelevel is 0 too?
12:05 <+gics> yes 0
12:06 <@dazo> wtf!?!?!   Just searched for "/sys/kernel/security"  (including the ") on DuckDuckGo ... and got an amazingly long list of hosts with the root file system exposed to the internet ... including /etc/passwd
12:07 <@dazo> http://www.navmansupport.com.au/media/sym/root/etc/passwd
12:08 <+cyberanger> dazo: never underestimate the value of a search engine to a pentester
12:08 <+cyberanger> >:-)
12:08 <@dazo> hehehe ... exactly!
12:08 <+gics> dazo, shadow is forbidden at least
12:09 <+cyberanger> gics: on every system with that flaw?
12:09 <@dazo> I'm just .... these guys deserves to be hacked, smacked and put on fire after being publicly humiliated on the town sqaure
12:09 <+gics> cyberanger, i don't know :P
12:10 <+cyberanger> dazo: Not disagreeing per say, but your wanting to add injury to insult?
12:10 <+cyberanger> ;-)
12:11 <@dazo> cyberanger: well, we need to stop the misery and demand a minimum set of standards for those not caught
12:11 <@dazo> if they fix it before getting caught, it has served its purpose :)
12:13 <+cyberanger> If they fix it before it gets worse, sadly so few do any real system hardening in my exp.
12:13 <@dazo> yeah :/
12:13 <+cyberanger> I had hoped this DevOps push might change that, and in some respects it has.
12:14 <+cyberanger> Problem is sometimes it's for the better, sometimes worse & never enough.
12:15 -!- mode/#openvpn [+v shabius] by ChanServ
12:15 <+gics> i don't understand how this is possible, why a portion of filesystem is exposed to the net??
12:16 <+gics> however google doesn't work so good in listing all website :D
12:16 <@dazo> well, one major challenge with DevOps is that you just make more web developers make ops decisions without the proper knowledge ... and the ops people gets a "container" with "I need this to run" from the devs ... and both are happy
12:18 <+cyberanger> Yeah, I was hoping for more of a hybrid process of creating programs & maintaining systems, and that's not what we got.
12:18 <+cyberanger> I guess that's why us InfoSec types have a predisposition for Liquor
12:18 <@dazo> lol ... yeah
12:20  * cyberanger is only speaking for himself, but I have noticed the trend too
12:21  * cyberanger refills the glass
12:22 <+cyberanger> Unsure if I can help with the issue, but I just woke up and started reading the backlog. curious problem gics
12:24 <+gics> 2nd glass in the morning?? o.O
12:24 <+gics> just kidding :)
12:25 <+gics> yes, very curious problem
12:25 <+cyberanger> It's not morning here, I'm just on some weird hours atm. and it's more like 4th now.
12:25 <+gics> and the worst is i don't have the ability to solve it
12:25 <+cyberanger> The coffee needs more kick however
12:28 <+gics> oh, ok, i assumed it was morning there, i read "just woke up"
12:29 <@dazo> some days it feels like I've just woke up the whole day
12:29 <+gics> dazo, you are not alone...me too
12:30 <+gics> i have to take a break, will come back for sure banging my head against that permission issue
12:31 <+gics> thank you for your help dazo
12:31 -!- mode/#openvpn [+v czart] by ChanServ
12:32 -!- mode/#openvpn [+v gics] by ChanServ
12:36 <@dazo> gics: I'm just getting ready for installing my VM ... had to make some space for it first :)
12:37 <+cyberanger> gics: all good, it is "my morning" anyway you look at it I guess (Up since the crack of noon)
12:38 <+cyberanger> I'm firing up a VM too
12:40 <+cyberanger> Or not, my strech image is broken. That's not good.
12:48 -!- mode/#openvpn [+v dionysus69] by ChanServ
12:49 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
13:03 -!- mode/#openvpn [+v shabius] by ChanServ
13:09 -!- mode/#openvpn [+v james41382] by ChanServ
13:13 <+gics> dazo, ok i'm back, if you have problem with VM and want to check some outuput i'm here :)
13:14 -!- kerio is now known as kerio_
13:14 <@dazo> gics: it's installed now ... just need to wrap my head around the typical debian ways of doing things .... I'm a Fedora/RHEL person, so I need to adjust my brain somewhat :)
13:16 <+gics> dazo, ahah ok ok, if you need just ask me (for the debian part)
13:18 -!- mode/#openvpn [+v kerio] by ChanServ
13:19 -!- mode/#openvpn [+v [SURFnet]Rogier] by ChanServ
13:45 -!- mode/#openvpn [+v Pro9x] by ChanServ
13:49 -!- mode/#openvpn [+v xMopxShell] by ChanServ
14:13 -!- mode/#openvpn [+v [SURFnet]Rogier] by ChanServ
14:16 -!- mode/#openvpn [+v wolflarson] by ChanServ
14:20 -!- mode/#openvpn [+v OS-16517] by ChanServ
15:08 -!- mode/#openvpn [+v Very_slow] by ChanServ
15:10 -!- mode/#openvpn [+v SCHAPiE] by ChanServ
15:25 <@dazo> gics: I think your host is hosed somehow .... I'll knot down exactly what I did ... but I could make the openvpn service start with --chroot
15:26 <+zorbs0ne> I setup an openvpn with that road warrior script, set the dns to 8.8.8.8 but it won't resolve now when I connect, any ideas?
15:26 <@dazo> !pushdns
15:26 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for
15:26 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
15:26 <@dazo> oh ...
15:26 <@dazo> zorbs0ne: can you ping 8.8.8.8?
15:26 <@dazo> from the VPN client when the VPN connection is established
15:27 <+zorbs0ne> dazo: give me a second.
15:27 <@dazo> 1
15:27 <@dazo> :-P
15:29 <+zorbs0ne> yes, I can ping.
15:29 <+zorbs0ne> www.google.ca’s server DNS address could not be found.
15:29 <+zorbs0ne> I may have set it up to use 8.8.4.4
15:29 <@dazo> zorbs0ne: well, can you ping that IP?
15:30 <+zorbs0ne> yes
15:30 <+gics> dazo, thanks for taking your time and installing a VM just for helping me
15:30 <@dazo> okay ... on the client, run: host google.com 8.8.8.8
15:31 <@dazo> zorbs0ne: ^^
15:31 <@dazo> zorbs0ne: does that work?
15:31 <+gics> dazo, i just want to ask you one last thing, i found this link --> https://gist.github.com/filcab/736c105c8be417e39ab2dd93c39961eb#systemd-dealings
15:31 <@vpnHelper> Title: Small OpenVPN setup tutorial · GitHub (at gist.github.com)
15:32 -!- mode/#openvpn [+v _ADN_] by ChanServ
15:32 <+zorbs0ne> dazo: run it how?
15:32 <+zorbs0ne> in the .conf ?
15:32 <@dazo> zorbs0ne: from the command line
15:32 <+gics> for your knowledge is true that there should be a service files in /etc/systemd/system/multi-user.target.wants/ for every instance of openvpn that i run?
15:33 <@dazo> gics: haven't read it yet .... but see it uses openvpn@ ... which is not recommended by us
15:33 <@dazo> !blog
15:33 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
15:33 <+gics> lol ok
15:34 <+gics> because i haven't those files the github link speak of
15:34 <@dazo> gics: you have no idea how many insecure VPN howtos which exists .... if you have a vague idea .... multiply by 100
15:34 <+gics> dazo, i can imagine
15:34 <+zorbs0ne> dazo: how do I get to the cmd line for the client openvpn ? I'm on windows.
15:36 <+gics> dazo, have you set up 2 concurrent instance on your VM ? Because i'm starting to think the error live there
15:36 <@dazo> meh ... I'm no Windows person ... but that detail makes me recall there are some DNS caching issues in some windows versions ... just a sec
15:36 <@dazo> gics: https://paste.fedoraproject.org/paste/Y7LoXT06Y4oJnYQNMdZS2Q/raw
15:37 <+zorbs0ne> dazo: :) I saw when I connect is says Tue Jul 04 13:36:41 2017 Blocking outside dns using service succeeded.
15:37 <+zorbs0ne> see/saw.
15:37 <@dazo> zorbs0ne: right, that's one new feature in v2.4 which can be enabled
15:37 <@dazo> !windns
15:37 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
15:38 <@dazo> hmmm ....
15:38 <+gics> dazo, sounds easy peasy...like it should be
15:38 <@dazo> gics: this is on a fresh deb 9 install
15:39 <@dazo> I'll try to run step 4-8 with a test2.conf on a different port too
15:39 <+gics> the pastebin have an expiration time? i want to start from there tomorrow
15:39 <@dazo> it should not expire ... if it disappears, let me know and I'll repost
15:41 <+gics>  dazo, perfect! thank you again! tomorrow i will win the battle! :))
15:41 <@dazo> gics: works fine even with an extra user (openvpn2) and a separate chroot
15:42 <+gics> dazo, good news for you bad news for me
15:43 <@dazo> gics: as I'm not capable of reproducing it ... I can't really help much more from this side, I'd have to have access to your box then ... but it is most likely not an OpenVPN issue
15:43 -!- mode/#openvpn [+v xMopxShell] by ChanServ
15:45 <+gics> dazo, yes yes i understand you perfectly, i have excluded openvpn too with last test
15:45 <+gics> *with last test, i have excluded openvpn too
15:45 <+gics> enough
15:46 <+gics> bye to all
15:53 -!- mode/#openvpn [+v MrAlexandr0] by ChanServ
16:35 -!- mode/#openvpn [+v xMopxShell] by ChanServ
16:43 -!- mode/#openvpn [+v nitdega] by ChanServ
16:52 -!- mode/#openvpn [+v peterandre] by ChanServ
17:03 -!- mode/#openvpn [+v peterandre] by ChanServ
17:08 -!- mode/#openvpn [+v megadorus] by ChanServ
17:35 -!- mode/#openvpn [+v hive-mind] by ChanServ
17:57 -!- mode/#openvpn [+v war9407] by ChanServ
18:17 -!- mode/#openvpn [+v optimus] by ChanServ
19:03 -!- mode/#openvpn [+v frank-] by ChanServ
19:18 -!- frank- is now known as thumbs
19:30 -!- mode/#openvpn [+v mrpops2ko] by ChanServ
20:01 -!- mode/#openvpn [+v rany_] by ChanServ
20:46 -!- mode/#openvpn [+v Noldorin] by ChanServ
21:08 -!- mode/#openvpn [+v subo] by ChanServ
21:21 -!- mode/#openvpn [+v Emperor_Earth] by ChanServ
21:25 -!- mode/#openvpn [+v eper3z] by ChanServ
21:51 -!- mode/#openvpn [+v chachasmooth] by ChanServ
21:58 -!- mode/#openvpn [+v davimore] by ChanServ
22:16 -!- mode/#openvpn [+v Kolas] by ChanServ
23:08 -!- mode/#openvpn [+v fyrril2] by ChanServ
23:13 -!- mode/#openvpn [+v marcoslater] by ChanServ
23:14 -!- mode/#openvpn [+v pdobrogost] by ChanServ
23:26 -!- mode/#openvpn [+v shootbird] by ChanServ
23:28 -!- mode/#openvpn [+v bandroidx] by ChanServ
23:30 -!- mode/#openvpn [+v [SURFnet]Rogier] by ChanServ
23:46 -!- mode/#openvpn [+v ShadniX] by ChanServ
--- Day changed Wed Jul 05 2017
00:04 -!- mode/#openvpn [+v luckman212] by ChanServ
00:06 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
00:22 -!- mode/#openvpn [+v chachasmooth] by ChanServ
00:28 -!- mode/#openvpn [+v bandroidx] by ChanServ
00:31 -!- mode/#openvpn [+v [SURFnet]Rogier] by ChanServ
00:54 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
00:54 -!- mode/#openvpn [+v hyper_ch] by ChanServ
01:01 -!- mode/#openvpn [+v iJens] by ChanServ
01:23 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
01:46 -!- mode/#openvpn [+v eworm] by ChanServ
01:50 -!- mode/#openvpn [+v DrNo] by ChanServ
01:50 -!- mode/#openvpn [+v dionysus69] by ChanServ
02:16 -!- mode/#openvpn [+v luckman212] by ChanServ
02:16 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
02:37 -!- mode/#openvpn [+v [SURFnet]Rogier] by ChanServ
02:44 -!- mode/#openvpn [+v Olufunmilayo] by ChanServ
03:21 -!- mode/#openvpn [+v onitlikesonic] by ChanServ
03:21 <+onitlikesonic> Hi all, for a ccd, is it possible to use another field other than the common name ?
03:21 <+onitlikesonic> for the naming of the files
03:25 -!- mode/#openvpn [+v gics] by ChanServ
03:31 -!- mode/#openvpn [+v _ADN_] by ChanServ
03:33 <@ordex> onitlikesonic: it is hardcoded. it can't be configured
03:33 <+onitlikesonic> :(
03:33 <@ordex> onitlikesonic: what field would you like to use ?
03:33 <+onitlikesonic> ok
03:35 <@ordex> onitlikesonic: ^^
03:35 <+onitlikesonic> for push "route 20.20.20.0 255.255.0.0" do i need to do anything else? i have "pull" on client configs but still dont see the route with "route" command
03:36 <@ordex> dazo: I am trying to replicate the auth-token bug following the instructions you gave me..but i think I am missing something because after typing those commands in the console the connection suceeds but nothing else happens (i.e. everything works). do i need a --reneg-something?
03:36 <@ordex> onitlikesonic: can you paste the client log ?
03:36 <@ordex> !logs
03:36 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
03:36 <@ordex> but yes, that should be enough i think
03:38 <+onitlikesonic> @ordex https://pastebin.com/dh3ALndC
03:39 <@ordex> onitlikesonic: it seems the route is properly pulled
03:39 <@ordex> but fails to be applied
03:39 <+onitlikesonic> yeah looks like it
03:39 <+onitlikesonic> any clue as to why ?
03:39 <@ordex> mh invalid argument .. weird
03:39 <@ordex> if you comment that "push" line in the server
03:40 <@ordex> and let the client start
03:40 <@ordex> can you then run that command manually to see what happens ?
03:42 <+onitlikesonic> hm
03:42 <+onitlikesonic> same invalid arg
03:43 <+onitlikesonic> well seems to be an ip problem
03:43 <+onitlikesonic> with another subnet it works
03:44 <@ordex> is the nexthop IP correct ?
03:44 <@ordex> ah
03:44 <@ordex> yes
03:44 <@ordex> 20.20.20.0 is not a valid class b network i think
03:44 <@ordex> it should be 20.20.0.0
03:44 <+onitlikesonic> yeah
03:44 <+onitlikesonic> -.-
03:44 <@ordex> :P
03:44 <+onitlikesonic> early morning
03:45 <@ordex> well, I don't have the same excuse
03:45 <@ordex> :D
03:45 <+onitlikesonic> cheers tho @ordex
03:45 <@ordex> np
03:45 -!- mode/#openvpn [+v [SURFnet]Rogier] by ChanServ
03:50 <+hyper_ch> krzee: they yealink is giving me troubles :(
03:50 -!- mode/#openvpn [+v _ADN_] by ChanServ
03:51 <@ordex> dazo: without auth-nocache it behaves as expected (no user/pass ever asked after the firts time), with it enabled it asks for them every time - am I missing something?
03:51 <@ordex> dazo: ops this discussion should be for #openvpn-devel
03:53 -!- mode/#openvpn [+v SkinnyMelon] by ChanServ
03:56 <+gics> hello and good morning
03:57 <+gics> maybe i have found the solution to yesterday problem about permissions
04:03 -!- mode/#openvpn [+v TomasCZ] by ChanServ
04:05 -!- mode/#openvpn [+v davimore] by ChanServ
04:10 <@ordex> gics: what was that ?
04:46 -!- mode/#openvpn [+v [SURFnet]Rogier] by ChanServ
04:56 <+gics> ordex, my /etc/openvpn/server/ was empty and the 2 configs server.conf and server5555.conf was in the upper directory
04:56 <@ordex> hm
04:56 <@ordex> and this was upsetting systemd ?
04:56 <+gics> moved them inside server dir and now openvon *works*
04:57 <+gics> i don't really know but i think yes
04:57 <+gics> not touched anything in systemd, so it was for that reason i think
04:57 <@ordex> ok :)
04:57 <@ordex> I wonder if this rings a bell for dazo
04:58 <+onitlikesonic> another issue: is it possible to allow ONLY ONE machine to access all others on the VPN  without having to subnet ?
04:59 <+gics> now i have another small problem with "iproute /usr/local/sbin/unpriv-ip" inside one config, when enabled the vpn doesn't start
04:59 <@ordex> onitlikesonic: you could use the pf extension
05:00 <@ordex> although not really easy to make it work right now..but that would work
05:00 <@ordex> gics: a full log would be nice again :P
05:01 <+gics> it always worked and i can find mention in an old wiki page of openvpn, but now it give me problem, PAM audit_log_acct_message() failed: Operation not permitted
05:01 <+gics> ordex, ahah ok i paste it somewhere :P
05:02 <+onitlikesonic> pf extension.. will look when back
05:02 <+onitlikesonic> lunch time :D
05:02 <+onitlikesonic> thanks
05:02 -!- mode/#openvpn [+v cbauer] by ChanServ
05:02 <@ordex> onitlikesonic: enjoy :P
05:03 <+cbauer> I'm getting errors when trying to connect to a vpn server via a given config file: https://ptpb.pw/dJXE
05:03 <+gics> ordex, https://paste.debian.net/hidden/f6f53b49/
05:03 <@ordex> gics: and if you just comment that one line "iproute" it works ?
05:03 <+cbauer> usingpen vpn --config service.ovpn --ca ca.crt
05:04 <+gics> ordex, yes, it works when commented
05:04 <+gics> tbh i don't really know what that line does
05:04 <+gics> but i can see is still here --> https://community.openvpn.net/openvpn/wiki/UnprivilegedUser
05:04 <@vpnHelper> Title: UnprivilegedUser – OpenVPN Community (at community.openvpn.net)
05:04 <@ordex> ah
05:04 <@ordex> I see
05:05 <@ordex> it's again a permission problem then
05:05 <@ordex> probably your user is not allowed to use sudo with that wrapper
05:05 <+cbauer> that's the config file: https://ptpb.pw/IY7f
05:05 <@ordex> because you are basically wrapping the ip command in a script using sudo
05:05 <@ordex> instead of calling "ip" directly
05:05 <@ordex> but some permission check if not allowing you to do so
05:06 <@ordex> it's again some distribution configuration thing
05:06 <+gics> mmmh ok
05:06 <+gics> but what's the meaning of that iproute command?
05:07 <+gics> i mean, is really needed to my vpn? because it works even without it
05:07 <@ordex> gics: iproute is used to add ip address and routes  to your interface
05:07 <@ordex> gics: not sure when it would be needed
05:08 <@ordex> gics: I think your thing will break upon reconnection
05:08 <@ordex> because you have switched to your unprivileged user and therefore upon reconnection the 'ip' command will fail because you are not root anymore
05:08 <@ordex> but if this is the server ..... then I am not sure you need that
05:08 <@ordex> because the server should[tm] use iproute only upon startup
05:09 <@ordex> cbauer: maybe the CA is expired or self-signed?
05:09 <@ordex> cbauer: not sure what would cause that, but if it worked on previous versions, usually it is because the strictier checks of the ssl library do not like your CA
05:09 <+gics> ordex, ok more clear now! i just need to do some more checking and see if so
05:09 <+gics> ordex, thank you today too :P
05:09 <@ordex> np :P
05:10 <+gics> ordex, following your thinking, adjusting sudo conf would be a solution?
05:11 -!- mode/#openvpn [+v gffa] by ChanServ
05:11 <@ordex> gics: the PAM* message makes think this is something more than just sudo
05:11 <@ordex> but for sure sudo has to be adapted following what's written in the wiki
05:11 <+cbauer> ordex: could be that openssl got updated but openvpn did not, I did try updating packages openvpn and openssl explicitly now which broke things even more
05:12 <@ordex> cbauer: if you upgraded openssl, this is likely to be the reason. but simply means that something is weird with your CA
05:12 <@ordex> (I believe)
05:14 <+cbauer> https://pastebin.com/iXCgPi9R
05:14 <+cbauer> looks like surdo is borked now because I upgraded openssl
05:14 <+cbauer> sudo*
05:15 <@ordex> yes, seems like something is borked
05:15 <@ordex> did you force the upgrade of openssl ?
05:15 <+cbauer> didn't force anything
05:15 <@ordex> openssl 1.1 has changed the api since 1.0 so all the users have to be upgraded
05:15 <+cbauer> gotta love those updates
05:15 <@ordex> allot
05:15 <@ordex> :D
05:16 <+cbauer> at least pkexec works still
05:16 <+cbauer> otherwise I wouldn't be able to use commands that require root anymore
05:16 <+cbauer> always lovely
05:18 <+cbauer> even my DE breaks now
05:19 -!- mode/#openvpn [+v fnlkj] by ChanServ
05:35 -!- mode/#openvpn [+v fyrril] by ChanServ
05:53 <+hyper_ch> krzee: https://eprint.iacr.org/2017/627.pdf
06:04 -!- mode/#openvpn [+v mrpops2ko] by ChanServ
06:06 -!- mode/#openvpn [+v optimus] by ChanServ
06:19 -!- mode/#openvpn [+v [SURFnet]Rogier] by ChanServ
06:21 <+onitlikesonic> ordex: any reason why on routing table would show things like: AC850005.ipt.ao
06:33 -!- mode/#openvpn [+v tunekey] by ChanServ
06:46 <+cbauer> looks like something router (manufacturer) specific
06:46 <+onitlikesonic> another wrong subnet... jesus, not a good day today hahaa
07:12 -!- mode/#openvpn [+v davimore] by ChanServ
07:14 -!- mode/#openvpn [+v luckman212] by ChanServ
07:17 -!- mode/#openvpn [+v [SURFnet]Rogier] by ChanServ
07:57 -!- mode/#openvpn [+v dave0x6d] by ChanServ
08:08 -!- mode/#openvpn [+v NonSecwitter] by ChanServ
08:23 -!- mode/#openvpn [+v _ADN_] by ChanServ
08:28 -!- mode/#openvpn [+v DArqueBishop] by ChanServ
08:29 -!- mode/#openvpn [+v [SURFnet]Rogier] by ChanServ
08:42 -!- mode/#openvpn [+v sz0] by ChanServ
08:44 -!- mode/#openvpn [+v navidr] by ChanServ
08:46 -!- mode/#openvpn [+v marlinc] by ChanServ
08:50 -!- mode/#openvpn [+v ExoUNX] by ChanServ
09:02 <@ordex> onitlikesonic: lol
09:05 -!- mode/#openvpn [+v Noldorin] by ChanServ
09:14 -!- mode/#openvpn [-vvvv xboner BtbN tx seanBE] by ChanServ
09:14 -!- mode/#openvpn [-vvvv DeathShot ender| themayor baetheus] by ChanServ
09:14 -!- mode/#openvpn [-vvvv bjoe2k4 jesopo ohnx Mr-Protocol] by ChanServ
09:14 -!- mode/#openvpn [-vvvv direkt cpt-oblivious ratliff NP-Hardass] by ChanServ
09:14 -!- mode/#openvpn [-vvvv dan- yoavz nb agustafson] by ChanServ
09:14 -!- mode/#openvpn [-vvvv olivetree_ mcp sbraz sbehrens] by ChanServ
09:14 -!- mode/#openvpn [-vvvv str4nd iokill kash sunrunner20] by ChanServ
09:14 -!- mode/#openvpn [-vvvv pwrcycle havoc badpixel _0x5eb_] by ChanServ
09:14 -!- mode/#openvpn [-vvvv KCinJP jnagro ctracey boxmein] by ChanServ
09:14 -!- mode/#openvpn [-vvvv madmattco cornfeedhobo MrGeneral computerquip] by ChanServ
09:14 -!- mode/#openvpn [-vvvv moviuro xalice Patch pitastrudl] by ChanServ
09:14 -!- mode/#openvpn [-vvvv ketas icasdri chamunks riddle] by ChanServ
09:14 -!- mode/#openvpn [-vvvv ikonia ghoti nbastin gardar] by ChanServ
09:14 -!- mode/#openvpn [-vvvv Alesk13 vader- gthank ld50] by ChanServ
09:14 -!- mode/#openvpn [-vvvv guampa infernix vectr0n Willis] by ChanServ
09:14 -!- mode/#openvpn [-vvvv abra0 stux chutzpah sparx] by ChanServ
09:14 -!- mode/#openvpn [-vvvv dan_j Vercas CheckYourSix Gizmokid2005] by ChanServ
09:14 -!- mode/#openvpn [-vvvv troyt deetwelve obscurehero sielicki] by ChanServ
09:14 -!- mode/#openvpn [-vvvv Captain_Beezay aasirc elricsfate zx2c4] by ChanServ
09:14 -!- mode/#openvpn [-vvvv P4k3 clorophormo MrNice skot] by ChanServ
09:14 -!- mode/#openvpn [-vvvv Zilon Amplificator F2Knight mrtnt] by ChanServ
09:14 -!- mode/#openvpn [-vvvv AnnaRooks Farshid lbft Klawfinger] by ChanServ
09:14 -!- mode/#openvpn [-vvvv Syntaxerror Talltree_ catalase Cubox] by ChanServ
09:14 -!- mode/#openvpn [-vvvv berglh patcable unholycrab pizzaops] by ChanServ
09:14 -!- mode/#openvpn [-vvvv Meow-J Matir dakar Pilfers] by ChanServ
09:14 -!- mode/#openvpn [-vvvv anexit DanQuinney CGML jpwhiting] by ChanServ
09:14 -!- mode/#openvpn [-vvvv Mike-- piklu cyberanger Poster|z] by ChanServ
09:14 -!- mode/#openvpn [-vvvv Ekho valkyr1e someone Virtual] by ChanServ
09:14 -!- mode/#openvpn [-vvvv Someguy123 MuffinMedic dvl zoredache] by ChanServ
09:14 -!- mode/#openvpn [-vvvv r00tobo fury_ DrMacinyasha krphop] by ChanServ
09:14 -!- mode/#openvpn [-vvvv Dev0n parity XJR-9 D5] by ChanServ
09:14 -!- mode/#openvpn [-vvvv varnent SoreGums varesa funnel] by ChanServ
09:14 -!- mode/#openvpn [-vvvv sur3 HalfEatenPie cylon512 omnidan] by ChanServ
09:14 -!- mode/#openvpn [-vvvv JasonO KNERD evilroots kloeri] by ChanServ
09:14 -!- mode/#openvpn [-vvvv indy hiroki peder pythonsnake] by ChanServ
09:14 -!- mode/#openvpn [-vvvv zamba meepmeep K1rk iNs] by ChanServ
09:14 -!- mode/#openvpn [-vvvv bsf mparisi zimboboyd BuildTheRobots] by ChanServ
09:14 -!- mode/#openvpn [-vvvv linear_ madduck xamindar_ semitones_] by ChanServ
09:14 -!- mode/#openvpn [-vvvv phreakocious Exagone313 noodle chantra] by ChanServ
09:14 -!- mode/#openvpn [-vvvv d10n MacGyver ribasushi tapout] by ChanServ
09:14 -!- mode/#openvpn [-vvvv nomad_fr gtt Nothing4You redrabbit] by ChanServ
09:14 -!- mode/#openvpn [-vvvv varazir tcpdump _FBi MogDog] by ChanServ
09:14 -!- mode/#openvpn [-vvvv thefinn93 D4rk rudi_s jacekowski] by ChanServ
09:14 -!- mode/#openvpn [-vvvv blackpenguin htafdresgi whfsdude r00t^2] by ChanServ
09:14 -!- mode/#openvpn [-vvvv alphor john51 k-man freekevin] by ChanServ
09:14 -!- mode/#openvpn [-vvvv jmanfatty fs0ciety jaroslav oxagast] by ChanServ
09:14 -!- mode/#openvpn [-vvvv lorimer TotallyNotKim WinstonSmith RickyB98] by ChanServ
09:14 -!- mode/#openvpn [-vvvv batrick ghormoon Colti arlen] by ChanServ
09:14 -!- mode/#openvpn [-vvvv Abbott vamiry Hobbyboy crane] by ChanServ
09:14 -!- mode/#openvpn [-vvvv caliculk Kelsar DzAirmaX irco] by ChanServ
09:14 -!- mode/#openvpn [-vvvv Merixer theorem mgorbach fractal_] by ChanServ
09:14 -!- mode/#openvpn [-vvvv NightMonkey Bock webuser5224 rizonz] by ChanServ
09:14 -!- mode/#openvpn [-vvvv evilgohan2 ReimuHakurei andy09usa swebb] by ChanServ
09:14 -!- mode/#openvpn [-vvvv esters zorbs0ne skyroveRR mundus2018] by ChanServ
09:14 -!- mode/#openvpn [-vvvv sethkush Poster Geom subzero79] by ChanServ
09:14 -!- mode/#openvpn [-vvvv early n-st u0m3_ WhizzWr] by ChanServ
09:14 -!- mode/#openvpn [-vvvv almostworking pppingme Ryushin Sweet-P] by ChanServ
09:14 -!- mode/#openvpn [-vvvv jareth_ Tykling WebDawg Nik05] by ChanServ
09:14 -!- mode/#openvpn [-vvvv APTX mete axsuul rtjure] by ChanServ
09:14 -!- mode/#openvpn [-vvvv JackWinter tormoz drcode F14W3D] by ChanServ
09:14 -!- mode/#openvpn [-vvvv stns4 johnny56 surtin norkle] by ChanServ
09:14 -!- mode/#openvpn [-vvvv Paraxial e1z0 MrMojit0 Typhon] by ChanServ
09:14 -!- mode/#openvpn [-vvvv Denial Petfrogg rax- Spydar007] by ChanServ
09:14 -!- mode/#openvpn [-vvvv shio e_xistense czart shabius] by ChanServ
09:14 -!- mode/#openvpn [-vvvv james41382 kerio OS-16517 Very_slow] by ChanServ
09:14 -!- mode/#openvpn [-vvvv SCHAPiE MrAlexandr0 xMopxShell nitdega] by ChanServ
09:14 -!- mode/#openvpn [-vvvv peterandre hive-mind war9407 thumbs] by ChanServ
09:14 -!- mode/#openvpn [-vvvv rany_ subo Emperor_Earth eper3z] by ChanServ
09:14 -!- mode/#openvpn [-vvvv Kolas marcoslater pdobrogost shootbird] by ChanServ
09:14 -!- mode/#openvpn [-vvvv ShadniX chachasmooth bandroidx iJens] by ChanServ
09:14 -!- mode/#openvpn [-vvvv eworm DrNo dionysus69 Olufunmilayo] by ChanServ
09:14 -!- mode/#openvpn [-vvvv onitlikesonic TomasCZ gffa fnlkj] by ChanServ
09:14 -!- mode/#openvpn [-vvvv fyrril mrpops2ko optimus tunekey] by ChanServ
09:14 -!- mode/#openvpn [-vvvv davimore luckman212 dave0x6d NonSecwitter] by ChanServ
09:14 -ChanServ:#openvpn- ecrist set flags -V on *!*@*
09:14 -!- mode/#openvpn [-vvvv _ADN_ DArqueBishop sz0 navidr] by ChanServ
09:14 -!- mode/#openvpn [-vvv marlinc ExoUNX Noldorin] by ChanServ
09:14 <@ecrist> heh
09:14 -!- Irssi: #openvpn: Total of 316 nicks [10 ops, 0 halfops, 3 voices, 303 normal]
09:19  * DArqueBishop has a sad.
09:20 -!- mode/#openvpn [+o DArqueBishop] by ecrist
09:28 <@ordex> ecrist: :O
09:30 <+hyper_ch> he stole voice from everyone
09:30 <@ordex> mhuauahahua
09:32 <+hyper_ch> !ecrist
09:32 <@vpnHelper> "ecrist" is http://www.youtube.com/watch?v=0Veqz8W98iA
09:32 <+hyper_ch> damn, there's already a factoid
09:33 <@ordex> lol
09:40 -!- mode/#openvpn [+v DArqueBishop] by DArqueBishop
09:41 -!- mode/#openvpn [-o DArqueBishop] by DArqueBishop
11:04 < onitlikesonic> say i want to run a script before bringing up a tunnel, whats the option? i see many "pre" commands, but what would be the one that runs before anything else?
11:12 < onitlikesonic> does the _pre also work on linux ?
11:20 < onitlikesonic> Just saw someone rejected an improvement on this :( https://community.openvpn.net/openvpn/ticket/284 quite bad since for port-knocking this would be needed -.-
11:20 <@vpnHelper> Title: #284 (Add --up-pre with the same functionality as --down-pre) – OpenVPN Community (at community.openvpn.net)
11:25 <@ecrist> onitlikesonic: it looks like there's a lot of reason it's not supported, and it's well documented in the linked trac ticket
11:26 < onitlikesonic> ecrist: only reason i see there is one guy saying it can be a "security risk" without providing any plausible reason
11:27 < onitlikesonic> ah wait. yeah there is another linked ticket
11:27 < onitlikesonic> didnt see that
11:27 <@ecrist> onitlikesonic: I suggest reading a bit closer.  There's quite a few implications.
11:29 < onitlikesonic> what prevents someone to run rogue stuff on any of the other levels of script running ? guess nothing...
11:29 < onitlikesonic> such as --up
11:30 < onitlikesonic> so still looks like an invalid argument to me
11:30 < onitlikesonic> but i'll leave it at that... will work around it somehow
12:31 < gordonfish> Hi. Has anyone had an issue with being able to turn on "Netbios over Tcpip" for TAP V9 adapter?
12:31 < gordonfish> This is on a windows 10 client
12:55 <+DArqueBishop> gordonfish: no, but then again, I generally just set it to default.
12:58 < gordonfish> DArqueBishop: Thanks, it's working now. I updated to the latest version 2.4.3 and now everything appears to be working correctly. Windows 10 can be finiky as all hell.
13:10 -!- dionysus70 is now known as dionysus69
13:33 < pvl1> can i delete the keys folder to revoke _all_ keys?
13:33 < pvl1> er, the keys in the keys folder
13:58 <+DArqueBishop> pvl1: no, because the server doesn't need to know the clients' keys.
13:58 <+DArqueBishop> !crl
13:58 <@vpnHelper> "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with
13:58 <@vpnHelper> openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you, or (#3) openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
13:59 <+DArqueBishop> Or, if you mean just create a whole new CA, then yes, that would work.
14:06 < pvl1> DArqueBishop: kinda what happened, but i realized much later that i never set my server to use new CA. so i figure, ill just make all news and start clean
14:07 <+DArqueBishop> Nope. If you're using the old CA without a CRL, those certs are still valid.
14:10 <+DArqueBishop> The server doesn't need the client keys to be able to verify them. As long as the client keys are signed by the same CA as the one the server is using and the server doesn't have the keys listed in a CRL, they'll be accepted as valid.
14:10 <+DArqueBishop> Hell, by best practice, you shouldn't even have any of the CA stuff like the client or CA keys on the OpenVPN server box to begin with.
14:11 <+DArqueBishop> (This is all provided you're only using certs to authenticate.)
14:13 < pvl1> i guess there isnt a way for the server to accept both old and new CA for auth?
14:15 <+DArqueBishop> Not really. If you've already lost the old keys/certs and absolutely need for them to be invalid, your only real option is to start over.
14:19 < pvl1> well, i want to start over to keep everything neat and tidy
16:23 < rubatdub> i have configured a openvpn access server with ldap authentication
16:24 < rubatdub> In my windows AD I have an organisation unit called utilisateurs inside I have a security group called vpnusers with users attached
16:25 < rubatdub> how can I configure my server so only members of vpnusers group  can connect ?
16:26 <+DArqueBishop> !as
16:26 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
16:26 < rubatdub> ok :)
18:35 <@krzee> DArqueBishop: you sure he was using AS?
18:36 <@krzee> oh sorry yes he was =/
18:36 <@krzee> im bad at reading today i guess
18:52 < Eugene> That's okay, so are the people who ask for AS help in here. Its right in the /topic, c'mon
19:04 <+DArqueBishop> krzee: I'm certainly guilty of it myself here, so don't feel bad. :-)
19:05 <@krzee> thanks :D
19:05 <@krzee> and solid point Eugene
19:05 <@krzee> hahah
19:16 < lunaphyte> hi.  i'm wrestling with a conundrum regarding dns and vpn connections
19:18 < Eugene> !ask
19:18 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
19:18 < lunaphyte> assuming, for the sake of discussion, when connecting to a vpn, lan connectivity is not blocked - once the vpn connection is made, the device is now effectively on two networks, at the same time - right?
19:19 < lunaphyte> thanks Eugene :)
19:19 < Eugene> Yes, for the sake of discussion, OpenVPN gives you a second "virtual" adapter which is connected to the VPN network.
19:20 < Eugene> You also (usually) get a set of routes(eg, 10.0.0.0/8) pushed along with the connection, so your computer will attempt to reach those networks through the VPN gateway
19:20 < lunaphyte> so if the device is on two networks, it's relatively common [at least in my experience] that there are hostnames which only the lan dns server knows about, and of course hostnames that only the vpn dns server knows about
19:21 < Eugene> Yup.
19:21 < lunaphyte> this is where i'm stuck - being able to resolve hostnames from both dns servers, at the same time
19:21 < Eugene> Coupla things you can do:
19:22 < Eugene> 1) run a DNS resolver on your VPN client machine, such as dnsmasq or unbound. You will need to tell it about the upstream DNS servers on each LAN/VPN and it will figure it out for you
19:22 < Eugene> 2) That sounds hard, so live with the fact that you can only talk to 1 DNS "zone" at a time(either LAN or VPN)
19:23 < Eugene> 3) Get a Real domain name, eg lunaphyte.com, and just put your internal IP addresses into the public DNS zone. This is what I do, and it works fucking fantastic
19:24 < lunaphyte> for the sake of discussion, can we set aside option 2?
19:24 < Eugene> Sure, that's just the lazy default I threw in for comedy
19:24 < lunaphyte> hah, ok :)
19:25 < Eugene> The question is really "where do you want the complexity". #1 puts it on your client, #3 puts it on the vpn server / your LAN's firewall / etc. And #2 says Fuck It and drinks a beer instead
19:26 < lunaphyte> option 1 crossed my mind, and for me, personally, that would be fine [aside from grumbling about one more thing to deal with, etc] - but obviously not too conducive for the "not so technical" user
19:27 < lunaphyte> regarding a real domain name - i think there is a caveat regarding that and split dns?
19:28 < lunaphyte> for example, i do have a real domain name, and publicly, a given hostname points to the public ip, while privately, said hostname points to the private ip
19:28 < Eugene> Just don't do split DNS
19:28 < lunaphyte> which i guess would mean a concession of accessing lan services via "nat loopback" rather than directly?
19:29 < lunaphyte> right - that would be the concession for option 3?  sorry, doesn't work with split dns?
19:29 < Eugene> Don't have an "internal" zone. Make everything under the public zone.
19:29 < Eugene> If you want a name to have a public IP, give it a public IP. If you don't, don't.
19:29 < lunaphyte> oh, i see.
19:30 < lunaphyte> then the concession is publishing rfc 1918 space in public dns
19:30 < Eugene> Correct, which is totally Fine and there are no RFCs which say you can't do that
19:30 < Eugene> Some (broken and stupid) DNS resolvers will error on such an A record, which is a violation of the RFCs and you shouldn't use them. OpenDNS used to be one such resolver
19:31 < lunaphyte> oh, for sure.  i'm not worried about rfc compliance, in this context.  more personal principles about leaking private address space
19:31 < Eugene> Example: `dig sealth.kashpureff.org`. That is my personal desktop
19:31 <@ordex> Eugene: practically a lot of ISP DNSs won't return your result when it's a private IP
19:32 <@ordex> not too many ISPs do that .. but several :(
19:32 < Eugene> ordex - "broken and stupid"
19:32 <@ordex> Eugene: sure, does not mean they do not exist :P
19:32 < Eugene> DNS is not secure or private anyway. Your firewall should handle all of the firewalling, not DNS ;-)
19:32 <@ordex> Eugene: I think that's to protect against dns rebind attacks ? no?
19:32 <@ordex> so called
19:32 < Eugene> That's the scareware that they push, yeah. Its bullshit. If your DNS is being hijacked then you have much bigger problems anyway
19:33 < lunaphyte> yeah, i guess at some level here, nat really is to blame
19:33 < Eugene> IE, somebody hijacking your traffic
19:33 < lunaphyte> that will be nice when it is a distant memory
19:33 <@ordex> https://en.wikipedia.org/wiki/DNS_rebinding << 2nd protection mentioned here is to avoid replying with private IPs
19:33 <@vpnHelper> Title: DNS rebinding - Wikipedia (at en.wikipedia.org)
19:33 < Eugene> Yup. RFC1918 is a gigantic hack designed to fix the IP scarcity problem. None of this is an issue with IPv6, because there just plain isn't private space(that people use..... it still exists but loopback-only or disconnected networks)
19:33 <@ordex> even dnsmasq does not reply unless explicitly explained to do so
19:34 < Eugene> ordex - I'm familiar with DNS attacks. /whois me and then use Google
19:34 <@ordex> Eugene: sorry :-P
19:34 < lunaphyte> hmm, one thought just occurred to me
19:34 <@ordex> just mentioning "some" source :D
19:34 < Eugene> When I say that the concern is stupid I like to think that I speak with some authority
19:35 <@ordex> alright
19:35 <@ordex> I agree with your statement before, where you say that the DNS should worry about something that it's not its responsibility
19:36 < lunaphyte> oh, darn.  no, thinking about it some more, my idea is dumb
19:36 < Eugene> I have lots of dumb ideas. Everybody does.
19:38 < lunaphyte> so is it truly a pick your poison scenario here?
19:38 < Eugene> Yup, no easy-fix sorry.
19:39 < lunaphyte> there's no elegant approach i'm to thick headed to conceive?
19:39 < lunaphyte> *too
19:39 < lunaphyte> i suppose the dns server could also have its own vpn connection
19:39 < lunaphyte> although that's ultimately not much less elegant than any of the above
19:39 < Eugene> At that point you're really just combining the two networks at the Router
19:40 < lunaphyte> another possibility which crossed my mind was an alteration of the way in which nxdomain responses are handled
19:40 < lunaphyte> which obviously has its own set of issues
19:40 < Eugene> You were right, that is a dumb idea
19:41 < Eugene> How "static" are the machine/IPs that you're trying to access?
19:41 < lunaphyte> from an end user perspective, however, i'm receptive to the argument that, if multiple nameservers are listed, and one returns nxdomain for a given query, the next should be consulted
19:41 < Eugene> You don't necessarily need to set up Dynamic DNS and all of that jazz for a public DNS zone. Just set static IPs(using RFC1918), and then put those in your public DNS zone. Tada!
19:43 < lunaphyte> private addresses can't be in the public zone for services which need to be publicly accessible
19:43 < Eugene> So put a public address in?
19:44 < lunaphyte> right, which is then the nat loopback concession
19:44 < Eugene> If you're already NATing a public IP to a private IP(which I dislike doing but I understand) then your NAT device should already know how to handle that case
19:44 < Eugene> And if it doesnt then you have a dumb NAT device
19:45 < Eugene> pfsense has a checkbox for this
19:45 < lunaphyte> yes, but that's not my point
19:45 < Eugene> Then I am confused
19:45 < lunaphyte> my point is that yes, one can do this, and yes, it may/might/probably will work, but it's dumb
19:46 < lunaphyte> e.g. the concession
19:46 < Eugene> NAT is itself a concession already, soooooo this isn't adding anything really
19:46 < lunaphyte> oh, sure it is.
19:46 < lunaphyte> it's yet another dumb thing
19:47 < Eugene> "Technical debt" is the phrase you're looking for.
19:48 < lunaphyte> i wasn't, no.
19:58 < lunaphyte> Eugene: thanks for the discussion, i appreciate it
20:49 < Eugene> !beer
20:49 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
20:49 <@ordex> lol
20:49 <@ordex> good to know :D
21:51 < schwoby> my work uses Cisco AnyConnect for the VPN service with an RSA token for dual authentication.  im having troubles getting to the VPN.  im a total noob in linxu for this type of work.  any help?
21:52 <@ordex> schwoby: not sure how we can help with anyconnect :S that's a private software from cisco ... you should ask them
21:52 <@ordex> here we deal with the open source openvpn project
21:53 < schwoby> a bit of miss-reading.  the software i found that states it works with AnyConnect is OpenConnect
21:54 < schwoby> the miss-reading was from the OpenConnect and OpenVPN, kowing that OpenConnect is a VPN...
21:55 <@ordex> I am not sure about openconnect
21:55 <@ordex> not sure what it is
21:55 <@ordex> :S
21:55 <@ordex> https://en.wikipedia.org/wiki/OpenConnect oh it's an alternative to any connect
21:55 <@vpnHelper> Title: OpenConnect - Wikipedia (at en.wikipedia.org)
21:56 < schwoby> yep, understood.  thanks for setting me correct
21:56 <@ordex> np
--- Day changed Thu Jul 06 2017
00:22 -!- x5eb is now known as _0x5eb_
00:22 -!- Hobbyboy|BNC is now known as Hobbyboy
00:22 -!- RAX is now known as rax-
00:23 -!- pdobrogost_ is now known as pdobrogost
00:23 -!- pizzaops_ is now known as pizzaops
00:45 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has quit [Ping timeout: 240 seconds]
00:47 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
00:47 -!- mode/#openvpn [+v hyper_ch] by ChanServ
01:39 < katnip> i have a connection that bounces back and forth between ethernet and wifi, when it leaves ethernet to wifi, i lose my vpn connection and it reconnects, is there a way to force it to stay with both? or switch when the hardwware switches?
01:42 <@ordex> katnip: maybe using persist-tun can be helpful
01:43 <@ordex> because it will keep the tun interface across reconnections
01:43 < katnip> do you know where i may find that?
01:46 <@ordex> katnip: it's an openvpn option you can enable in the config
01:46 <@ordex> katnip: what are you using to connect?
01:46 < katnip> i found it, it was already an option so i moved it over
01:47 < katnip> ordex, it's called Eddie
01:47 < katnip> from AirVPN
01:47 < katnip> uses openvpn
01:48 <@ordex> oh ok, no clue what that is
01:48 <@ordex> katnip: do you mean the option was already enabled ?
01:49 < katnip> i think so as a base directive, i moved it also as a custom directive
01:51 < katnip> https://airvpn.org/faq/software_directives/
01:51 <@vpnHelper> Title: OpenVPN directives - Client Software - AirVPN (at airvpn.org)
01:55 <@ordex> katnip: have you tried asking them directly ?
01:55 <@ordex> they may have customized the software
01:55 <@ordex> and they may know how to achieve this as it might be a regular request
01:56 < katnip> i may try that, ty
01:57 <+hyper_ch> krzee: ping
02:02 -!- berglh_ is now known as berglh
02:03 <@krzee> pong ,wassup
02:04 <@krzee> coding some stuff for my mom
02:04 <@ordex> krzee: that's interesting
02:04 <@krzee> katnip: when you make that change you get a different IP, your router creates the problem
02:05 <@krzee> if you kept the same IP somehow, then your problem goes away
02:05 <@krzee> maybe static IP on wifi and wireless?
02:05 <@ordex> oh right. I thought he was talking about the VPN interface and connections above :O
02:05 < katnip> yeah i dont know why the OS is doing that, some update i guess, so it goes back and forth
02:06 <@krzee> not the OS
02:06 <@krzee> the router!
02:06 <@krzee> different MAC, different dhcp IP
02:06 <@krzee> normal behavior\
02:06 < katnip> most the time the OS is on ethernet, then it bounces to wifi and back
02:06 <@krzee> oh well that would be an issue on your lan
02:06 < katnip> if i turn wifi off, im offline then
02:06 <@krzee> maybe a bad cable somewhere
02:07 <@krzee> not openvpn related tho
02:07 < katnip> ok, i thought there was a way to keep ovpn connected between the two
02:07 <@krzee> sure, matching static ips on both
02:08 <@krzee> still not openvpn related, its your router killing the connection
02:08 < katnip> hmm
02:08 <@krzee> when you get a different lan ip how would your router know its the same connection?
02:09 <@krzee> kills the internal port forwarding
02:09 <@krzee> nat table and whatnot
02:09 < katnip> im seeing what you're saying, so i need to see if i can set both to the same internal ip?
02:09 <@krzee> you can do that
02:09 <@krzee> or ideally, fix the real issue
02:09 <@krzee> but its not openvpn related
02:10 < katnip> ok
02:10 < katnip> thanks for the help
03:15 <@krzee> hyper_ch: before i pass out, still here
03:15 <+hyper_ch> krzee: yealink t48g doesn't like my openvpn file :(
03:18 <@krzee> try to find the log
03:18 <+hyper_ch> krzee: I wrote the guy at yealink
03:19 <+hyper_ch> one thing I already learnt is that  remote, proto and dev need to be on sepearte lines
03:19 <+hyper_ch> maybe the yealink didn't like all-in-one config
03:19 <@krzee> prolly hella old config
03:19 <@krzee> binary*
03:19 <+hyper_ch> I'll let you know when I know more... I thought you might already have deployed vpn on t48
03:35 <@ordex> hyper_ch: you run the openvpn client on the phone?
03:35 <@ordex> :O
03:35 <+hyper_ch> trying to
03:35 <+hyper_ch> works fine on my snom 370
03:35 <+hyper_ch> but now I was given a T48G
03:36 <@ordex> I see
03:36 <@ordex> but why not just running it on the router? (dumb quesiton)
03:36 <+hyper_ch> why should I run it on the router?
03:37 <@ordex> the phone is the only device that needs to connect to the vpn?
03:37 <+hyper_ch> no
03:37  * ordex is just talking with no context :P)
03:40  * ordex hides again :)
03:43 < katnip> what is the setting in firefox, how to connect to internet, how should that be set?
03:43 < katnip> vpn keeps disconnecting when it flips to wifi too
03:43 <+hyper_ch> katnip: could you be confusing openvpn with a proxy server?
03:43 < katnip> i dont undertand
03:45 <+hyper_ch> !goal
03:45 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:45 <+hyper_ch> :(
03:45 < katnip> should firefox say no proxy?
03:45 < katnip> no im not :)
03:45 < katnip> or detect proxy
03:46 <+hyper_ch> !goal
03:46 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:54 < katnip> hyper_ch, in firefox in preferences, it has an option as to how to connect to the internet, should that be no proxy, detect proxy, system proxy, etc...
03:54 <+hyper_ch> so you're confuging a vpn connection and a proxy server
03:54 <+hyper_ch> s/confuging/confusing/
03:54 <+hyper_ch> but you still do not state what your goal is
04:22 < Jiffy> !welcome
04:22 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
04:22 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
04:25 < Jiffy> !goal
04:25 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:33 < Jiffy> Hi! Hope somebody can help me. How does OpenVPN behave on client-side IP-address-changes? I have the following issue: client-server-vpn-connection is established. All fine. Client-router(!) changes IP-address, after a while client tries to reconnect but gets timeout because server does not answer. I can't even see something in the server logs, which seems strange to me. After restarting the openvpn-server client is able to reconnect just fine. Any ideas
04:33 < Jiffy> what that might be? server-side firewall got the connection attempts of the client and let them thorugh to the vpn-server, so that's not an issue. It has to to something with the openvpn server i guess, but why don't I see anything in the logs?
04:49 < jacekowski> Jiffy: what are your timeouts set to
04:49 < jacekowski> Jiffy: but it should treat connection from same client from another ip address just like a brand new client
04:54 < Jiffy> I've set keepalive 10 120 on the server. Beside that nothing timeout-specific as far as I know. I could pastebin the confs somewhere if you like. But shouldn't I see something in the logs in ANY case?
05:00 < greentea> how can I block all traffic unless connected to a server using openvpn?
05:08 <+hyper_ch> not sure what you mean
05:19 <@dazo> greentea: that's a firewall challenge .... your output rules need to deny anything on your physical network adaptors, except OpenVPN traffic
05:19 <@dazo> you might also need to allow DNS too
05:19 <+hyper_ch> and use redirect 1?
05:19 <@ordex> unless he wants to block also when disconnected
05:22 <+hyper_ch> if I only could mind-read over the internet... it would make support so much easier
05:22 <@ordex> and so efficient !
05:22 <@ordex> :D
05:22  * hyper_ch heard Master dazo is close to it :)
05:35 < greentea> +hyper_ch: I use openvpn on my devices to connect to an openvpn service. But sometimes the connection fails, and I stop being connected to the vpn service, so all my traffic goes through the regular network(I know "regular network" isn't the right term, but you know what I mean). I would like to prevent this
05:35 < greentea> @dazo: so I have to change something in my iptables rules maybe?
05:36 < greentea> any suggestion what i can change?
05:36 <+hyper_ch> see what dazo has wroten above
05:37 <+hyper_ch> dazo: wouldn't it work to set default gateway to the vpn server even if the vpn is down?
05:41 < astephanh> hi. i'm using linuxMint/Ubuntu. can i somehow configure to start a openvpn tunnel automaticly when i'm not in my home network? maybe some kind of if-up.d script or so?
05:42 <+hyper_ch> why not autostart it also when your on home network?
05:42 <@dazo> hyper_ch: well, it would for as long as the openvpn service is running ... but once that dies and pulls down its routes, then it's completely open again
05:43 < astephanh> hyper_ch, the tunnel is to my home network :)
05:43 <@dazo> astephanh: does your Mint install use systemd?
05:43 <+hyper_ch> dazo: I thought of setting default route through vpn-server on the client... not fetch with with def1
05:43 < astephanh> dazo, yes
05:44 <@dazo> hyper_ch: then you're completely blocked once openvpn stops running and it will struggle to reconnect .... much easier and safer to control this via firewall
05:44 <+hyper_ch> dazo: ah, struggle with reconnect... didn't consider that :)
05:45 <@dazo> astephanh: okay ... put your configuration file under /etc/openvpn/client .... then use systemctl enable openvpn-client@CONFIGNAME (where CONFIGNAME is the configuration file name without the .conf extension)
05:45 <@dazo> astephanh: to start the tunnel before booting, systemctl start openvpn-client@CONFIGNAME
05:46 <@dazo> and to see the client log .... journalctl -u openvpn-client@CONFIGNAME --since today
05:46 <@dazo> astephanh: IIRC, the tunnel should wait to start connecting until it is online ... but it's ages since I looked into this
05:48 <@dazo> greentea: yes, iptables rules ... in particular the OUTPUT chain
05:49 < astephanh> dazo, i only have openvpn@servia  but i'll try. can i activate the systemd service via a route?
05:50 < astephanh> that would than work like a route based ipsec tunnel
05:51 <@dazo> astephanh: hmmm ... which openvpn release?
05:51 < astephanh> shit, have to go. wife is calling :-) thx. later ..
05:51 < astephanh> 2.3 on openwrt and client 2.3 on mint18
05:51 <@dazo> astephanh: no, there's no auto-activation based on route/traffic for openvpn
05:52 <@dazo> astephanh: try upgrading to v2.4 on the mint box ... that should have the newer and improved unit files needed
05:52 < astephanh> ah :-) ok. will do
05:52 <@dazo> I don't trust the distro provided (openvpn@) unit files ... as each distro is different ..... openvpn-{client,server}@ should be what we provide, which should be fairly uniform across distros
10:16 < brethil> Is anyone successfully running a fast openvpn server? By fast I mean using full link speed between two machines. I'm currently trying to get a VPN link between two gigabit-speed machines, but only get ~90 to 120 mbit links between the two
10:17 < brethil> an iperf between the public IPs of the two machines shows gigabit speeds, but inside the VPN, it slows to a crawl
10:22 < kaipee> !welcome
10:22 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
10:22 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
10:22 <@ordex> !away
10:23 <@ordex> mah
10:23 < kaipee> !goal
10:23 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:23 < kaipee> I'm having issues with the OpenVPN GUI installer not creating TAP adapter in Windows 10
10:25 < FortunateSon> I am looking to use per user ACLs in openvpn, does openvpn have this ability natively?  I ran across this project on github, https://github.com/gdestuynder/openvpn-netfilter , which seems like it is perfect.  But I wanted to check if the functionality had been rolled into stock openvpn before I installed an external script.
10:25 <@vpnHelper> Title: GitHub - gdestuynder/openvpn-netfilter: Per VPN user network ACLs using Netfilter (at github.com)
10:26 < FortunateSon> kaipee: we had the same problem, we fixed it by installing the tap driver separately and running openvpn as an administrator.
10:30 <@dazo> FortunateSon: have a look at !eurephia
10:30 <@dazo> !eurephia
10:30 <@vpnHelper> "eurephia" is http://www.eurephia.net/
10:33 < FortunateSon> dazo: goin gnow, thank you
10:33 <@dazo> Don't go! Stay!
10:33 <@dazo> :)
10:34 <@dazo> brethil: I'm using pretty straight forward configurations .... and get about 90-95% if the line capacity
10:34 <@dazo> !configs
10:34 <@dazo> !logs
10:34 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
10:34 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
10:34 < brethil> I don't know what's wrong. I've been struggling for a month, can't get decent speeds
10:35 < brethil> right now I'm doing tests
10:35 < brethil> openvpn --dev tun --proto udp --port 1194 --secret static.key --ifconfig 10.8.0.1 10.8.0.2 --cipher aes-256-cbc --auth SHA512 --verb 3 --push "redirect-gateway def1 bypass-dhcp" --verb 4
10:35 < brethil> client set up the same way, but with --remote and the ifconfig IPs swapped
10:35 < brethil> can't get more than 30/40mbit
10:36 < brethil> curl from a speedtest server or simply speedtest-cli
10:36 <@dazo> first of all, SHA512 is wasting of CPU cycles ... SHA256 is more than enough ... that eats a few less bytes on the wire, plus you don't loose anything - security wise
10:37 <@ordex> big time
10:37 <@ordex> switch SHA256 at least
10:37 <@ordex> from the CPU perspective we have done some experiment and sha256 gives much higher throughput - without changing anything else
10:37 <@dazo> OT remark ... that bastard who put  "bypass-dhcp" in his blog was most likely clueless ... kick that out too ... but that doesn't change much for speed anyhow
10:38 <@dazo> ordex: really!?  That's good to know!
10:38 <@ordex> dazo: yeah, on an MIPS (aka a router) we have been measuring what could give a speed up
10:38 <@ordex> and switching from SHA512 to SHA256 gave the highest improvement
10:38 <@ordex> without touching the cipher
10:39 <@plaisthos> speed also depends on how the asm implementation is in openssl
10:39 <@plaisthos> e.g. bf sucks on everything but x86 since only x86 has a bf asm implementation
10:39 < brethil> lemme try... I don't think switching from 512 to 256 will change from 40mbit speeds to 400mbit speeds though
10:39 <@ordex> yeah true
10:40 <@dazo> brethil: next ... does your CPU support AES-NI?  that will also be key for performance .... iperf is plain packets, so not that much extra CPU work
10:40 < brethil> Is there anything which should *absolutely* be there in the iptables configuration?
10:40 <@dazo> not really
10:40 <@plaisthos> openssl speed -evp sha256 vs sha512 should also give you a good estimate how much raw hash speed diff is
10:40 <@plaisthos> ordex: aes-gcm should be even faster
10:40 < brethil> I think it does, can't remember how to check it?
10:41 <@dazo> grep aes /proc/cpuinfo
10:41 < brethil> no difference between 256 and 512 (from openssl speed)
10:41 < brethil> yeah, it's there dazo
10:41 < brethil> it's an i72600
10:42 <@plaisthos> /usr/local/opt/openssl@1.1/bin/openssl speed -evp aes-256-gcm shold be in the 1-2 GB/s range
10:42 <@dazo> well, the calculation of SHA256 and SHA512 are both quite fast ... but SHA512 adds a few extra byte per packet
10:42 <@plaisthos> nah it is slow compares to aes-gcm
10:42 < brethil> I suspect some kind of path mtu issues though
10:42 <@dazo> what I meant is that the difference between SHA256 and SHA512 calculations aren't that big :)
10:42 < brethil> i get some weird message when I do a tcpdump
10:43 < brethil> like
10:43 <@dazo> !gigabit
10:43 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
10:43  * dazo just remembered that one
10:43 <@dazo> MTU was the trigger :)
10:43 <@dazo> but yes, the --link-mtu can absolutely be sensitive to this
10:44 <@ordex> brethil: have you tried openssl speed on client and server ? just to be sure
10:44 < brethil> I saw that dazo
10:44 < brethil> No improvement
10:44 < brethil> these are the weird messages I see in tcpdump: UDP, bad length 1557 > 1472
10:44 < brethil> which is weird, since the MTU for the interface is 1500
10:44 <@plaisthos> openssl 1.1 speed sha256/sha512 for 1024 bytes is 331MB/425M (yes sha512 is faster for me), and aes-256-gcm gives me 2,8 GB/s
10:45 < brethil> and what's even weirder is that I see them on both server and client
10:45 < brethil> but packets larger than the max mtu shouldn't be able to pass?
10:45 <@ordex> plaisthos: hehe
10:45 < tcpdump> brethil: MTU is often auto-windowed
10:45 <@ordex> oh we have tcpdump here
10:45 < brethil> and I also get these messages with verb 4
10:45 < brethil> PID_ERR replay-window backtrack occurred
10:46 <@dazo> hmmmm .... I see I have --fragment 1200 --mssfix .... not sure if that was my performance saviour (I had to do that ages ago due to some issues)
10:46 <@plaisthos> brethil: that is bad and will hurt your speed
10:46 <@dazo> yeah
10:46 <@plaisthos> aes-256-cbc is also only 845 MB/s
10:46 <@plaisthos> so from raw crypto speed aes-256-gcm just murders sha*+cbc
10:48 <@ordex> plaisthos: wow
10:48 <@ordex> amazing
10:48 <@ordex> the signature comes for free basically
10:48 <@dazo> not surprising at all, as AES-GCM is often supported directly by the CPU ... and it does everything in a single operation
10:48 < tcpdump> plaisthos: is there a faster one?
10:49 <@dazo> tcpdump: --cipher none --auth none :-P
10:49 < tcpdump> Ive actually been wondering wat the fastest cipher is.
10:49 < tcpdump> lol dazo
10:49 <@dazo> fastest and safest?  Or just fastest?
10:49 < brethil> well
10:49 < brethil> I tried
10:49 < tcpdump> both?
10:49 <@ordex> fastest, safer and cooler ?
10:49 < brethil> openvpn --dev tun --proto udp --port 1194 --secret static.key --ifconfig 10.8.0.1 10.8.0.2 --cipher aes-256-cbc --auth SHA256 --verb 3 --push "redirect-gateway def1" --verb 0 --fragment 1200 --mssfix --sndbuf 0 --rcvbuf 0
10:50 < brethil> no luck
10:50 <@dazo> AES-GCM is considered to be the best ones with OpenVPN
10:50 < tcpdump> fastest but still encrypted.
10:50 < brethil> getting less than 1MB/sec
10:50 <@ordex> tcpdump: lol
10:50 <@plaisthos> if you have openvpn 2.4 on both sides
10:50 <@plaisthos> you will end up with aes-gcm anyway
10:50 <@dazo> brethil: try setting --link-mtu 1300 too?
10:50 < fnlkj> aes-256-cbc ain't the fastest is it.. ?
10:51 <@dazo> fnlkj: nope .... but AES-GCM requires OpenVPN 2.4 and OpenSSL 1.0.1 or newer
10:51 <@dazo> (or mbed TLS instead of OpenSSL)
10:51 < tcpdump> so aes-gcm?
10:51 < fnlkj> "AES-256 is 40% slower than AES-128, and there isn't any real reason to use a 256 bits key over a 128 bits key with AES"
10:51 < fnlkj> http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit ,  http://security.stackexchange.com/questions/6141/amount-of-simple-operations-that-is-safely-out-of-reach-for-all-humanity/6149#6149
10:51 <@vpnHelper> Title: cryptography - Why most people use 256 bit encryption instead of 128 bit? - Information Security Stack Exchange (at security.stackexchange.com)
10:52 < fnlkj> To quote the OpenVPN documentation : Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM.
10:52 < fnlkj> Currently AES is only available in its CBC mode, which is weaker than GCM.
10:52 <@krzee> stack exchange, where all the crypto masters hang out!
10:52 <@krzee> :D
10:52 < fnlkj> pre2.4, that is
10:52 <@ordex> krzee: lol
10:52 <@ordex> fnlkj: yes, GCM was introduced with 2.4
10:52 <@ordex> but it's the current stable
10:52 <@ordex> so we have it
10:53 < fnlkj> Btw. I have no idea what any of that means tbh., I just cooked up some copy pasta regurgitating for ya in hopes it seemed to display xpert skillz ^_^ ...mayb nott--- so, here's my src tbh; https://github.com/Angristan/OpenVPN-install
10:53 <@vpnHelper> Title: GitHub - Angristan/OpenVPN-install: Improved OpenVPN installer for Debian, Ubuntu, CentOS and Arch Linux (at github.com)
10:53 <@ordex> regurgitated copy pasta does not sound appealing
10:54 < fnlkj> (it's basically one of many  openvpn  auto-  download, install & configure scripts .. "road warrior") - -this one with purported focus on security
10:54 < fnlkj> the one from https://github.com/nyr  may be more commonly compatible (lower version?)
10:54 <@vpnHelper> Title: Nyr · GitHub (at github.com)
10:54 < tx> aw come on, easy rsa isn't that bad :P
10:54 < fnlkj> btw. on git may needa choose branch 2.4 , if that's desirable.
10:55 <@dazo> fnlkj: you shouldn't try to make VPN installs easy ... really ... we get all kind of questions on this channel when users of those tools realise something doesn't work .... users simply MUST learn why they need to use the various options in OpenVPN ... and even more importantly, learn how to do proper routing
10:55 <@dazo> which is why we also have this one:
10:55 <@dazo> !blog
10:55 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
10:55 < tcpdump> so is AES-128-GCM faster than cbc then?
10:55 <@dazo> AES-GCM is faster than AES+SHA
10:56 < fnlkj> yeah... I know.. not good really .generally!  I've numerous VPS servers I've paid 1-10$  for a yearly rental for tho, and numerous such ones I'd be chaning together in various ways........ I pay with btc and fake id so dun care if i screw up or wathever... or even forget some (lol),  ... id wanna just roll up a load of these some times,
10:56 < tcpdump> but only in 2.4 huh?
10:56 < tcpdump> bummer..
10:56 < brethil> dazo, can you show me your config?
10:56 <@dazo> fnlkj: "With OpenVPN's default parameters, you have a relatively weak encryption. " .... that is not entirely true any more, if running OpenVPN v2.4
10:56 < fnlkj> (btw that shits typically cheaper than a commercial VPN provider even... also with KVM may have  FDE,   dnssec/dnscrypt n whatnot in addition as well ..
10:57 < fnlkj> yeah, so if worried about security use /Angristan's  setup, and select his suggested highest-security choices (but as stated, at a significant speed loss)
10:57 < fnlkj> gm
10:57 < fnlkj> hm
10:57 < fnlkj> default parameters on 2.4 are good/strnog as-is now..? (assuming pre 2.4 wasn't, then? )..
10:58 < fnlkj> hmm...I've a buncha boxes with... i dno, but pre-2.4 that's for sure...mayb i shud try bother with that, then..hmm.
10:58 <@ordex> fnlkj: why not upgrading ?
10:58 <@plaisthos> 2.4. vs 2.4 will auto negioate aes-gcm
10:58 < fnlkj> Btw. any tips for uncommon/unusual traffic obfuscators to run ?
10:58 <@ordex> you got repos for every distro basically shipping 2.4
10:58 < fnlkj> oh...uh, not sure why....- im kinda n00b to Nix in general..some repos doesn't seem to have the 2.4 by default...or atleast didn't recently, for some reason :S
10:58 < fnlkj> hmm
10:59 <@dazo> brethil: https://paste.fedoraproject.org/paste/RG0pH3-Bl4L8QAM1MqZvnQ/raw
10:59 <@dazo> as I said, pretty straight forward config
10:59 < brethil> ye
11:00 < brethil> i'm not using compression
11:00 <@plaisthos> I am also using tun-mtu 1400 on all my VPNs
11:00 <@dazo> now, the cipher is upgraded to aes-256-gcm ... as both server and client are v2.4
11:01 < fnlkj> hmm.. actually "..dist-upgrade" on a deb8 box seemed to cough up some output.. maybe stuff happens now... was/is 2.3.14  on "VERSION="8 (jessie)"  , " 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30)" "
11:01 < brethil> interesting. enabling compression gave me a 3x increase in speed
11:01 < fnlkj> :O
11:02 < fnlkj> ..tell us !  sounds interesting.
11:02 < fnlkj> ..cool...
11:02 < fnlkj> lzma...whatever its named... something like that?
11:02 < fnlkj> If there are sevreal choices, did you try other choices , or just one so far?  Also, what's downsides (if any..) with comrpession?
11:03 <@ordex> comp-omg
11:03 <@dazo> fnlkj: also ... I see some key generating in your screenshots ..... DO NOT EVER STORE CA PRIVATE KEY ON A SERVER CONNECTED DIRECTLY TO THE INTERNET ... I mean, I'm willing to flee a man alive, roll him in salt, wait 30 minutes and put him on fire for doing that
11:03 < fnlkj> tried anything like obfs4proxy or such with openvpn... ?
11:03 < fnlkj> in my screenshots..
11:03 < fnlkj> are you spying on me?!! how!!?
11:03 < fnlkj> hmmm
11:03 < fnlkj> ...hope not... *confused* .      .               .
11:03 <@dazo> https://camo.githubusercontent.com/caf799040aa8e1b219723fe434d2beccd7238472/68747470733a2f2f6c75742e696d2f654f44546e38536139792f657543716830777a58776c7a33554e732e706e67
11:03 <@ordex> dazo: this sounds tasty
11:03 <@ordex> :P
11:04 <@dazo> lol
11:04 < fnlkj> oh.. not mine, that random github dude supplying one of them auto-  dl, install & config scripts...
11:04 <@dazo> ahh, okay .... well, my willingness to torture is still here
11:04 < fnlkj> anyway.. " DO NOT EVER STORE CA PRIVATE KEY ON A SERVER CONNECTED DIRECTLY TO THE INTERNET .".... -- thanks, good info... will try remember !
11:05 < fnlkj> ...aren't these implemented in the .ovpn config files often tho..or..? hm.
11:05 < fnlkj> or could be..can't they?
11:05 < fnlkj> <ca> ... </ca>....basically, or such...hmz.
11:05 <@dazo> fnlkj: with easy-rsa, the CA is often unencrypted .... so all I have to do is to get a copy of that file (and the ca.crt for convenience) ... and I can connect to your VPN server without your knowledge (unless you pay close attention to the log files, which quite few "I used configure script" users do)
11:06 < fnlkj> ooo..
11:06 <@dazo> --ca is the _certificate_  not the private CA key
11:07 <@dazo> hence .... such automation scripts are doomed to do really bad things to most users
11:07 < fnlkj> i'd use secure-delete / "srm" to delete the ovpn n stuff after, in hopes it'd clean up my stuff a bit more possibly,but..  possible its printed in the log file too even?...if so, is that safe to delete by default too..?
11:07 <@dazo> hence my willingness to consider torture
11:07 <@dazo> well, if you delete the CA private key ... you can no longer issue new client or server certificates ....
11:08 <@dazo> the CA stuff should ideally be stored on an offline medium, only to be activated when you need to sign a new certificate for servers or clients
11:08 < fnlkj> oh..   then I guess it remained on the server, as it'd let ya keep makin more..
11:08 <@plaisthos> I keep my ca also on my server
11:08 <@plaisthos> but I know the risks
11:09 < fnlkj> I'd typically make what I need, disconnect and abandon it.. often never goin back... hopefully having unattended-upgrades,  fail2ban n such ... stuff in there to take care of itself hopefully aslong as poss and avoid any others owning it ny time soon tleast
11:09 <@plaisthos> and if the openvpn server is compromised it does not matter if its ca is compromised too
11:09 < fnlkj> oh..
11:09 <@plaisthos> if you use the ca for more than just one openvpn server, things are different
11:09 < fnlkj> what about small encrypted file-container.. may be many reasons for having such anyway, of various kind, along with steganography methods..
11:10 < fnlkj> ...anyway.... i just need my conf files (tho i usually need just a few, i'd quickly makea  dozen at once , download them and say goodbye server after deleting all taht)
11:11 <@ordex> fnlkj: how about just generating Ca and certs on the local machine and uploading the needed certs to the server only ?:P
11:12 <@dazo> yes, that is far better!
11:12 < fnlkj> seems cert n stuff is mostly embedded into the config files, i think...here's snippet of part of one of those confs ("\n" being newline")~>   <cert> \n Certificate: \n Data: \n Version: 3 (0x2) \n Serial Number: 3 (0x3)
11:12 <@dazo> you only need the part from  "---- BEGIN" to " END -----"
11:13 < fnlkj> hm... that   much difference generating there or on my box..?    In terms of forensics/data-recovery, or
11:13 <@dazo> the local machine is probably protected by an external firewall ... if your local machine is directly hooked up to the Internet without firewall, it is bad agian
11:14 < fnlkj> btw with openssl so often releasing changes.. supposedly bloated... , other smaller kinds less often target by many etc..   don't think its a good choice to compile the lot with use of other  ssl... mbedtls,  ..or possibly libressl or such..?  or any of these incompatible or such
11:14 < fnlkj> (if nothign else just to be different (have an unexpected/unusual setup.... for...whatever reason..:d)
11:14 <@dazo> ahh ... here it is .... here's another attempt at doing the same as you do fnlkj .... and I've spent some time commenting on that too: https://gist.github.com/filcab/736c105c8be417e39ab2dd93c39961eb
11:14 <@vpnHelper> Title: Small OpenVPN setup tutorial · GitHub (at gist.github.com)
11:14 < brethil> this is insane. I'm getting 20MB/sec speeds through the public IP vs 2MB/sec speeds through the VPN. Here's my config
11:14 < brethil> http://termbin.com/7q3d
11:15 < fnlkj> o
11:15 < fnlkj> btw, don't "blame" me for those links I pasted.. none are me
11:16 < fnlkj> also, if u do have made similar....i'd suggest don't give it up; provide ANY other functionality, or even claimed/soundingly difference, lil improvement or such...and may sway some,
11:16 <@dazo> okay ... then I'll consider to shame that project with some comments :)
11:16 < fnlkj> AND....link to some cheap hosts as suggestions there, not appearing as advertising..but besure to entwine ur referral link into those addresses (just not visible besides within the html ofc.;)
11:17 < fnlkj> yeah shamewhere shame is deserved, any input on it then blast it.. would benefit me as well probably as a user of that stuff :d
11:18 < brethil> has anybody ever seen these messages in tcpdump? UDP, bad length 1557 > 1472
11:18 < brethil> (the packets going from the openvpn server to the client)
11:18 < fnlkj> are also somewhat more elaborate, extensive setups with other features .... i miss some with dnssec/dnscrypt /local resolver).. various other feats,  FDE and encrypted containers...n stuff !  (exotic kinda thingies:D)  ..here's an other funky one https://github.com/jlund/streisand
11:18 <@vpnHelper> Title: GitHub - jlund/streisand: Streisand sets up a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, a Tor bridge, and WireGuard. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists. (at github.com)
11:18 < fnlkj> "Streisand sets up a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, a Tor bridge, and WireGuard. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists. "
11:18 < fnlkj> need use of Ansible tho
11:19 < fnlkj> brethil: tcpdump.. .what about recipient , do they accept the packages as good .. ?
11:19 < fnlkj> try browserleaks.com/ip   and see if it picks up on encrypted n stuff there ? (may require enabling Javascript for that...unsure)
11:19 < skyroveRR> brethil: seems like an MTU issue...
11:19 < fnlkj> under tcp/ip os fingerprinting
11:20 < skyroveRR> brethil: what's the MTU if your interface?
11:20 < brethil> 1500
11:20 < skyroveRR> And your WAN interface?
11:20 < brethil> I don't understand how a packet bigger than the mtu can go through
11:20 < brethil> 1500
11:20 < skyroveRR> Is this your server or your client?
11:20 < brethil> server/client
11:20 < brethil> both
11:20 < skyroveRR> Both have 1500?
11:21 < brethil> yup
11:21 < skyroveRR> Paste the entire dump.
11:22 < brethil> I also see the same Bad udp length messages on the client
11:22 < fnlkj> tho it's src files mainly meant for their internal use I guess, some interesting infoz and possible configuration details/tips at ..https://github.com/cryptostorm/voodoo.network  ,  using GRE tunnels ... hummmhm
11:22 < fnlkj> 'Basically, this is a way for people to connect to [entry-node] and have their outgoing traffic routed through a remote VPS server (third;outermost,presumably) without exposing the client's real IP to that VPS, or risking the OpenVPN server keys, or leaking any DNS to the VPS (two prior..?)'
11:22 <@vpnHelper> Title: GitHub - cryptostorm/voodoo.network: voodoo networking: post-VPN session obfuscation for a post-Snowden world (at github.com)
11:23 < fnlkj> connecting to first, which relays to second..onto third. and third would not know of #1, nor would #1 know of #3's existance...hmh.
11:24 < brethil> skyroveRR, is there anything in particular you're interested in?
11:24 < brethil> Trying to set up some filters so that only the relevant traffic is there
11:25 <@dazo> restrict it to proto udp and port 1194?
11:26 < fnlkj> why port 1194, it's default and overly easily identified as openvpn just by that..
11:26 < fnlkj> ...443?53,something else..?
11:26 < brethil> I'm running on a different port
11:26 < fnlkj> ..maybe some added obfuscation/shaping to further match taht a tad bit mayb, if poss...hmh
11:27 < fnlkj> i may be overly paranoid btw.. :z
11:27 <@dazo> if you base your configuration on such automation scripts ... you're not paranoid at all .... you might be a "wanna be paranoid" but not really paranoid
11:28 <@dazo> https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
11:28 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
11:28 < fnlkj> i don't, usually.. or most anyawy... but for mass-use on a load at once for easily mass installing...   also, may be somewaht easy to make slight changes in them scripts too if noticing any improvements ..
11:29 < fnlkj> many VPS hosts offer service for few-dollar per year, $10/year is not rare.. most far cheaper than commercial VPN prvoders, and giving far more opportunities for all kindsa other stuff as well..
11:29 <@dazo> nothing bad about configuring VPNs ... that's great!  But trusting a random script to do the configuration for you gives you no guarantee that it is done correctly
11:30 < fnlkj> suggest check like webhostingtalk.com's vps/dedicated hosting offers section; watach it..some times V nice offers (tyipcally not lasting too long),   also lowendbox/lowendtalk  and similar sites...  just BEWARE--read the hosts ToS first, some are lame or sneaky as hell .. -_-
11:30 <@dazo> "Hey it works!!" is not a security statement
11:30 < fnlkj> id pay w bitcoin and some googled addy,.... behind a tonna relays already , too..
11:30 < fnlkj> yeah..true...
11:30 < fnlkj> also, taht guy...who knows if he changes his download links to include some malware..or something...... :o
11:30 < fnlkj> the providers of them scripts i ean
11:32 < fnlkj> https://github.com/4a256b6b3e7t3e8b7t9q7t/Debinject , veil-evasion & ..random shellcode w recent date off exploit-db of recent date,obfuscate/pack lil somehow mayb for further reassurance... and likely noone would suspect that pristine-looking .deb... i guess, eh =S ..or such simple things ..hm. (im not really into that kinda stuff...)
11:32 <@vpnHelper> Title: GitHub - 4a256b6b3e7t3e8b7t9q7t/Debinject: Inject malicious code into *.debs (at github.com)
11:38 <@dazo> fnlkj: which is why you should use packages which have been cryptographically signed, downloaded from trusted repositories and ensure signature verification is enabled.... I dunno much about .deb ... but Fedora/CentOS/RHEL does that this by default - until you install a random repository source without gpg check enabled; then packages from those sources are not validated
11:38 <@dazo> The debinject stuff is just another script kiddie ... this scenario have been known for years ... it's just someone who wrote a script to automate the process
11:38 < fnlkj> yeah.. best stick to official repos, and pray to the repo gods they keep being as fantastic as has been so far:))
11:39 < fnlkj> o..k.:s
11:40 <@dazo> but the other insane approaches also widely promoted on the net:   curl $SOME_URL | sudo /bin/bash  .... equally stupid as installing unsigned packages
11:40 <@dazo> that said, downloading a source tarball, ./configure && make && sudo make install  ... is barely better, unless you have read the code you install
11:43 < fnlkj> ha!... "open source software is so much safer.. everyone can see the vode"   (noone actually does see the code, or those who'd wouldnt be resourcefu to audit properly at all anyway...)..... think some false sense of security among many...
11:44 <@dazo> no, that's wrong conclusion
11:44 < fnlkj> ...besides, responsibility waiver with free coders...easier to excuse a "innocent coding error" which may or may not have been sanctioned by NSA as a backdoor and only be usable as such if known about... bribed , or planted agents
11:44 < fnlkj> hm?
11:45 <@dazo> if you choose to use packages, provided by distributors, which are securely handled (signed, signatures verified upon installation) ... then you can place some of the code review trust to the distributor
11:45 <@dazo> now, if you trust some random Crux Linux distribution package ... you can definitely be fooled
11:45 <@dazo> but if you choose Fedora, RHEL, CentOS, SuSE ... then those risks are considerably lower
11:45 < fnlkj> yep.. hopefully they took good care of their keys in an inexcusable manner, and are very trustworthy and well-meaning kind people.
11:46 < fnlkj> yeah, "or windows" might say eh.. numerous.. hardware and software vulns planted intentionally...  i think main diff is today theyve gotten ebtter at hiding it:d....buuuut, maybe they stopped, ...who knwos
11:48 <@dazo> well, Windows software is commonly cryptographically signed these days too, at least from serious software providers
11:48 < fnlkj> yep.   "this crypto will endure a billion years of cracking, it's un-beatable"..
11:49 < fnlkj> (two years later) "AES broken" .. meh..  may be true at the time...... that is, if all is implemented perfectly void of sabotage too..
11:49 <@krzee> its generally the implementation that is attacked, or the underlying systems
11:50 <@krzee> but ya, we also advance in understanding and find new attacks for stuff
11:50 < fnlkj> ... iwouldnt trust any of it tbh..and have numerous layers of encrypted solutions, virtualization platforms etc..depending on use/need/importance...and ofc. some creative/unexpected layers amongst that
11:50 <@krzee> then dont
11:50 <@krzee> nothing wrong with a healthy lack of trust
11:50 < fnlkj> yeah, i should emigrate to some tropical atoll live of coconuts and fish i guess
11:50 < fnlkj> :d
11:50 <@krzee> worked for me :-p
11:50 <@ordex> :D
11:50 <@dazo> lol
11:51 <@dazo> I think I know where we should have next years (2018) hackathon!
11:51 <@krzee> duuuuuuude
11:51 <@krzee> yes
11:51 < Eugene> in ur butt
11:51 <@krzee> lol glad my answer came before Eugene's
11:52 <@dazo> heh
11:52 < Eugene> Sorry, I mean
11:52 < Eugene> in ur cloud
11:53 <@krzee> not sure which of those should be more offensive
11:53 <@ordex> lol
11:54 <@krzee> found a dope program called diascope, its for making slideshows from pics
11:54 <@krzee> so ill have a script generate a diascope config and run it
11:54 <@krzee> then diascope generates a big ass script calling ffmpeg and graphicsmagick
11:54 <@krzee> and runs that
11:54 <@krzee> its like meta-meta
11:55 <@krzee> :D
11:56 <@krzee> making a script to run an app to make a script to run some apps
11:58 <@ordex> lol
11:58 <@ordex> well, that's the unix phylosophy, no ?:D
11:58 <@krzee> it is today!
11:59 <@krzee> haha
12:16 <@dazo> sounds like grub2, tbh
12:29 < brethil> dazo and everybody else trying to help me earlier. I change the auth method to sha1 instead of sha256. I now get normal speeds.
12:29 < brethil> what the fuck
12:32 < brethil> benchmarks with openssl speed show a factor of 2 in bandwidth
12:32 < brethil> and that's exactly what I'm seeing
12:33 < brethil> oh wait
12:33 < brethil> nevermind
12:33 < brethil> getting the same speeds
12:34 < brethil> openvpn --dev tun --proto udp --port 1194 --secret static.key --ifconfig 10.8.0.1 10.8.0.2 --cipher aes-256-cbc --auth SHA256 --verb 3 --push "redirect-gateway def1" --verb 4 --comp-lzo yes --fragment 0 --mssfix 0 --tun-mtu 9000 --txqueuelen 10000 --sndbuf 1000000 --rcvbuf 1000000
12:34 < brethil> current config
12:34 < brethil> finally getting good speds
12:38 < skyroveRR> brethil: :)
12:39 < brethil> sndbuf and rcvbuf helping probably
12:39 < brethil> not sure about txqueuelen
12:52 < brethil> running some tests to see which the best tun-mtu is now...
13:05 < brethil> well, seems changing MTU doesn't change speeds that much
13:06 < brethil> except for really high mtu, perhaps, but the default setting of 1500 should be fine
13:58 < brethil> so, everything runs fine with the previous command
13:58 < brethil> but
13:58 < brethil> If I use tls auth
13:59 < brethil> The speed is incredibly slow again
13:59 < brethil> and
13:59 < brethil> I get lots of Authenticate/Decrypt packet error: bad packet ID (may be a replay):
14:05 < Eugene> brethil - sounds like you have a maxed-out link(because of the testing), so packets are arriving out-of-order. See --replay-window in the man page and don't max your link ;-)
14:06 < brethil> but why am I getting these errors only when using TLS auth?
14:08 < brethil> nevermind, I'm also getting these without tls
14:08 < Eugene> Beats me, I haven't tested your exact scenario.
14:08 < Eugene> And I don't see a tcpdump / pcap so I can't hand-examine the traffic to know for certain. This is a wild-ass-guess pulled out of my ass
14:08 < Eugene> But: I'm usually right
14:10 <+hyper_ch> krzee: ecrist: dazo: Let's Encrypt will start to issue wildcard cert in january
14:10 < brethil> Hold on for a config file
14:11 < Eugene> I saw that, also ACMEv2 is going to be a Standards thing. So that's nice
14:11 < Eugene> I will be able to reopen some of my joke domains again
14:13 < brethil> Eugene http://termbin.com/x8js
14:13 < brethil> this config doesn't get more than 40mbit
14:13 < brethil> this other config gets 220mbit
14:13 < brethil> openvpn --dev tun --proto udp --port 1194 --secret static.key --ifconfig 10.8.0.1 10.8.0.2 --cipher aes-256-cbc --auth SHA256 --verb 3 --push "redirect-gateway def1" --verb 4 --comp-lzo yes --fragment 0 --mssfix 0 --tun-mtu 9000 --txqueuelen 10000 --sndbuf 1000000 --rcvbuf 1000000
14:14 < brethil> Could it be traffic shaping?
14:14 < Eugene> You appear to be mucking with buffer settings. I generally do not touch these because I assume that the openvpn/linux/etc developers are smarter than I am about network tuning unless I can prove otherwise.
14:14 < Eugene> What happens if you strip all that jank out? ;-)
14:15 < brethil> in the server.conf file?
14:15 < Eugene> Everywhere
14:16 < brethil> I mean, the buffer settings give good results when used with the command line options above
14:16 < brethil> I get crap speeds with the termbin configuration I posted above
14:19 < Eugene> I'll be Frank(you can be Eugene): random factor testing like you are doing here is not an effective use of time. Either set up a proper RFC 2544 lab and do a scientific test on the various network factors involved, or don't. We don't know anything about your network or the random shit that is going on. Generally speaking it is a Bad Idea to mess with these settings without a Good Reason, which it doesn't look like you have yet?
14:19 < Eugene> Sorry I can't be more help
14:27 < brethil> thanks, I understand Eugene. The issue is unchanged after removing all the jank
14:27 < brethil> running openvpn with the static key setup results in 220mbit speed
14:28 < brethil> running it with the config file results in crap speeds and all the replay errors
14:28 < Eugene> So now that you have a minimal setup, add pieces back until it works right. Tada, troubleshooting 101 ;-)
14:28 < Eugene> I can't do this for you
14:28 < brethil> that's what I've been doing for 1 month
14:28 < brethil> that's why I'm desperate :)
14:28 < Eugene> Normally I would list my professional rates, but I have dayjob shit to do :-(
14:28 < brethil> I'm starting to think my ISP is shaping openvpn traffic
14:28 < brethil> hehe
14:29 < Eugene> I would not be at all surprised. You can detect some of that by examing packet orders in tcpdump
14:29 < Eugene> It helps if you can get a packet dump from intermediate hops, too
14:31 < brethil> how do I do that in tcpdump?
14:32 < Eugene> Wiresharking is an advanced topic, kinda outside of our scope here. tl;dr: `tcpdump -w capture.pcap -i eth0 udp port 1194` on client+server ends, open resulting file in Wireshark and examine the orrder of packets.
14:32 < brethil> doing that now. thanks
14:32 < Eugene> You might also want to try TCP vs UDP mode, since TCP has built-in stuff to handle congestion & retransmits. Be aware that tcp-in-tcp is a Bad Idea though
14:32 < Eugene> !tcp
14:32 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
14:33 < Eugene> But its a great troubleshooting trick
14:33 <@dazo> Eugene: I've paid attention and discussed a bit with brethil .... give him a bit more benefit of doubt, he's not as lost behind the options as many others here
14:33 < brethil> I tried running tcp a few days ago, I didn't see any improvement
14:33 < brethil> But I'll try again
14:33 < Eugene> dazo - me too, its just a lot more complex than it sounds. Sometimes starting over from zero is better ;-)
14:35 <@dazo> fair enough ... I'll admit the --sndbuf/--rcvbuf was a surprise ... I thought that was automatic these days
14:35 < brethil> yeah, no difference
14:36 <@dazo> ahh, good :)
14:36 <@dazo> (or was that tcp?)
14:36 < brethil> it was tcp
14:37 < brethil> I ultimately set the snd/rcv buf to 0, so that it is decided by the OS, that seemed to work fine
14:40 < brethil> about to examine the tcpdump out
14:42 < brethil> 68MB worth of it
14:42 < brethil> x2
14:42 < brethil> this is gonna take a while..
15:05 < brethil> I'm quite clueless here Eugene, what should I be looking for?
15:05 < Eugene> Sequence orders
15:05 < Eugene> I didn't say it was easy :-p
17:36 < mojtaba> Hello, when I disconnect the client that has been connect using command line, the disconnect-client script on the server side doesn't execute and I take this error in the client console: Linux ip addr del failed: external program exited with error status: 2
17:38 < mojtaba> But there is no problem when I disconnect a client like phone, which using openvpn client application.
17:39 < mojtaba> Does anybody know what could be wrong?
18:46 < mojtaba> Ubuntu client does not disconnect after terminating the vpn. Do you know what could be wrong?
18:47 <@krzee> do you have keepalive set?
18:48 <@krzee> or something similar so it can figure it out when a client leaves without announcing?
19:59 <@krzee> wish me luck guys, for i am in dependency hell
22:13 <@krzee> omg gcc5 takes FOREVER to build
22:13 < tx> why are you building gcc?
22:14 <@krzee> GraphicsMagick
22:14 <@krzee> on a freebsd box
22:18 <@ordex> krzee: why not building gcc6 directly ?
22:19 <@ordex> gcc version 6.3.0 (Gentoo 6.3.0 p1.0)
22:19 <@krzee> meh it said install 5, installing through ports
22:19 <@ordex> hehe
22:19 <@ordex> ok
22:20 <@krzee> on an intel atom
22:20 <@krzee> (had a little power left on the half rack, so tossed in an atom for fun)
22:24 <@krzee> but i guess with low power consumption comes a lonnnnnnnng wait for compiling this lol
22:29 <@ordex> :D
22:29 <@ordex> likely
22:30 <@krzee> well its been over 90min :D
22:31 <@krzee> id guess closer to 110 ish
23:59 <@krzee> still going
--- Day changed Fri Jul 07 2017
01:19 <@ordex> krzee: donw with it ?
01:19 <@ordex> :P
01:43 <@krzee> yep now no graphicsmagick ports build right
01:44 <@krzee> trying some imagemagick ones now
01:45 <+hyper_ch> graphicsmagick?
01:45 <+hyper_ch> is that the imagemagick for the cool people?
04:20 < devonrevenge> If I cant connect to certain ip addresses when connected with openvpn could it be that my firewall does not like the tap0 connection
04:21 < devonrevenge> and have to allow it through
04:21 < devonrevenge> or do I chown it?
04:54 < devonrevenge> I got it
05:16 < Jiffy> I have a running certificate-based openvpn-tunnel. I am sitting on the server side. How would a remote certificate change on the client work now? Do I just copy the new certificate on the client? What happens with the currently running connection while doing that?
05:21 <@ordex> Jiffy: I *guess* the client willkeep on using the ertificate that it loaded at startup until it will restart
05:21 <+hyper_ch> devonrevenge: why use tap?
05:21 <@ordex> *certificate
05:30 < Jiffy> ordex: So an invalid certificate will only be an issue during connection-process, right? Does openvpn have some functionality to disconnect clients with an invalid due certificate? Or do I have to script that or more simple should I just say disconnect once each day and let's see which client reconnects and has a valid cert?
05:31 <@ordex> Jiffy: the client will eventually renegotiate the keys and i think in this moment the connection is dropped due to an invalid certificate
05:31 <@ordex> honestly i don't know if you can force the renegotiation to happen earlier
05:31 <@ordex> Jiffy: check --reneg-sec in the man
05:31 <@ordex> I think it defaults to 3600secs
05:32 <@ordex> once every hour the client will renegotiate its sessions keys and I believe it re-uses the certificate for that. in this case it will be dropped
05:32 <@ordex> IIRC
05:35 < Jiffy> ordex: Thanks a lot. I will test that. Makes also sense to me.
05:35 <@ordex> np!
05:36 < xboner> this might be off topic, but does anyone know of an easier method than this
05:36 < xboner> https://wiki.openwrt.org/doc/howto/vpn.openvpn#tab__client1
05:37 <+hyper_ch> !goal
05:37 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:37 < xboner> access the internet through a remote vpn
05:38 <+hyper_ch> install client, setup config, all is well
05:39 < xboner> i see, i can pull all the data from a .ovpn file for the .conf files ?
05:41 <@ordex> xboner: for openvpn itself, .conf or .ovpn does not make any difference as soon as the file content is as expected
05:41 < xboner> thanks ordex
05:42 <+hyper_ch> windows client likes .ovpn files
05:42 <+hyper_ch> linux client likes .conf files
05:42 <+hyper_ch> android clients like ovpn files as well
08:01 <+DArqueBishop> iOS clients are partial to .ovpn also.
08:02 <@ordex> I think it depends on the client
08:08 <@dazo> *nix have a tradition for .conf, .cnf and .cf files instead of application specific extensions ... in particular on the configuration files
08:08 <@dazo> (in fact, many configuration files under /etc doesn't even have an extension)
08:09 <@ordex> yeah, i always believed that the concept of extension was introduced by linux
08:09 <@ordex> especially the 3 letters extension..
08:13 <+DArqueBishop> I'm pretty sure that was an MS-DOS thing.
08:13 <@ordex> yeah, could be
08:14 <+DArqueBishop> I know it's not a Linux thing because it predates Linux.
08:24 <@dazo> 3 letter extensions are probably from the 90's where lots of DOS/Windows users discovered Linux .... and "Hey, I don't need extensions?  Extensions can be 20 characters long?  No! No! No!  That is just confusing and weird!  3 letters FTW!"
08:24 <+hyper_ch> https://en.wikipedia.org/wiki/8.3_filename
08:24 <@vpnHelper> Title: 8.3 filename - Wikipedia (at en.wikipedia.org)
08:24 <@dazo> from my "simplified views of the world
08:25 <+hyper_ch> An 8.3 filename[1] (also called a short filename or SFN) is a filename convention used by old versions of DOS, versions of Microsoft Windows prior to Windows 95, and Windows NT 3.51.
08:26 <@ordex> hehe
08:26 <@ordex> ancient stuff :)
08:27 <+hyper_ch> in #bash they say not to use a file extension :) and especially not .sh
08:27 <@ordex> heh
08:28 <+hyper_ch> my scripts still all feature .sh
08:29 <+hyper_ch> greybot  Don't use extensions for your scripts. Scripts define new commands that you can run, and commands are generally not given extensions. Do you run ls.elf? Also: bash scripts are *not* sh scripts (so don't use .sh) and the extension will only cause dependencies headaches if the script gets rewritten in another language. See http://www.talisman.org/~erlkonig/documents/commandname-extensions-considered-harmful
08:29 <@vpnHelper> Title: Erlkönig: Commandname Extensions Considered Harmful (at www.talisman.org)
08:29 <+hyper_ch> generally I do agree with that.. but personally I like .sh
10:58 <@krzee> all mine end in .sh, but i;m a rebel ;]
10:59 < tx> all mine end in .exe
10:59 < tx> ;)
10:59 <@krzee> haha
11:00 < tx> fwiw I have actually seen that done
11:00 < tx> I believe an old vmware workstation installer did this
11:03 < havoc> I'm beyond caring about it, mine are inconsistient
11:51 < Eugene> VMware installers not only end in .sh, but include a tarball too
11:51 < Eugene> They're amazing balls of horror
13:28 < alex88> Hi there, route-delay has to be set in server or client config?
13:29 < alex88> I've tried client but it seems routes are assigned right after connection and on osx with tunnelblick, it adds the route but on the wrong intergace
13:29 < alex88> *interface
13:29 <@dazo> alex88: on the place where you want the delay to happen
13:29 < alex88> ok so it should be on the client but apparently it's not working
13:30 <@dazo> try contacting the tunnelblick people ... I believe they have a ML or so ... I believe they're usually quite quick to respond
13:31 < alex88> oh ok so tunnelblick isn't just a wrapper to an openvpn client? I thought that
13:31 < alex88> thanks dazo
13:32 <@dazo> alex88: tunnelblick is GUI around openvpn ... but they know more about how things behave normally on macos too
13:32 < alex88> dazo: gotcha
13:34 < alex88> anyway, just tried to remove gateway in default push route and it worked :) thanks
14:23 < brethil> reading the some openvpn logs, i read "Socket Buffers: R=[X1,X2] s S=[Y1->Y2]" where the Xs and Ys are the size of the socket buffers. Why are there two values?
14:27 < jo3rg> anyone can you help me with:
14:27 < jo3rg> Fri Jul  7 21:12:49 2017 Insufficient key material or header text not found in file '[[INLINE]]' (0/128/256 bytes found/min/max)
14:27 < jo3rg> from my point of view the ovpn config is perfectly fine....
14:27 < jo3rg> using: openvpn-2.3.17-openssl-1.0.2k
14:29 < jo3rg> here's my configuration: http://paste.debian.net/975377/
14:29 < jo3rg> without what could be possibly wrong?
15:21 <@dazo> jo3rg: that means you have embedded some key files into the openvpn config, which is incorrectly embedded
15:22 < jo3rg> dazo: thanks it's already been solved in #networking
15:22 <@dazo> okay
15:22 < jo3rg> dazo somehow it inserts one single # into my ovpn file when copying via clipboard
15:22 < jo3rg> wasn't that easy to find
15:31 < rek>  to give you an example if my server external lan is 192.168.1.0/24 and the network where i use my vpn client is also on that network is there a way to keep that network...is changing the router's lan the only option not to get a network conflict?
15:31 < rek> what about using another internal lan for the server?
15:32 <@dazo> rek: there are hacks to somewhat resolve these issues .... but they are hacks.  Conflicting subnets are an issue which you should try to fix first of all
15:33 <@dazo> with VPNs, you need to relate to a remote network ... so having two LANs overlap is just as confusing as having the same street name in two different areas in the same city
15:35 < rek> yeah but do i have to change the router's ip then... that's the only perfect way to solve the issue?
15:36 < rek> the worst problem is that i don't reach anymore outsied after a couple of seconds the client is connected to my vpn...
15:36 <@dazo> yes, that is the only way to fix this properly
15:37 <@dazo> well, changing the IP addresses should preferably be done locally to not lock yourself out
15:40 < rek> uhm...that means if i keep the common 192.168.1.1 and then i use a second ethernet card on my server and i give to it the network 10.4.0.0 for example and then i share the internet connection so that that network can reach the router (192.168.1.1) and then in server.conf i put the push "route 10.4.0.0 255.255.255.0" and then i let the client (which unfortunately also has a 192.168.1.1 router and 192.168.1.0/24 network) conne
15:40 < rek> ct ...will i have also the conflict?
17:21 < Boingo> !welcome
17:21 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
17:21 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
17:26 < Boingo> Hello all.  I know this isn't likely OpenVPN's fault, but I have been searching and reading for 2 days now and I am missing something (obviously) and hopefully someone here can point me in the right direction.  I have a Amazon EC2 instance that I am trying to get to use a VPN provided by PIA.  I can connect to the VPN fine with OpenVPN, and if I use route-nopull my SSH session to the EC2 instance stays up.
17:26 < Boingo> Without route-nopull the SSH drops (obviously). I have been trying all sorts of iptables and routes to get it to work.
17:26 < Boingo> Any pointers would be greatly appreciated.
17:27 < Boingo> I would like SSH (and a few other ports) to remain on eth0 not using the VPN, everything else over the VPN tunnel.
17:31 < Eugene> !routebyapp
17:31 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination., or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
17:31 <@vpnHelper> policies you set. For Linux, read about !lartc
17:32 < Boingo> !lartc
17:32 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
17:50 < Boingo> I have followed https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux and similar sites for days.  The commands are accepted fine, but still as soon as I start the VPN, SSH dies.
17:50 <@vpnHelper> Title: Concepts-PolicyRouting-Linux – OpenVPN Community (at community.openvpn.net)
18:36 <@krzee> hey cool, i didnt know somebody made that page!
18:36 <@krzee> !factoids search redirect
18:36 <@vpnHelper> 'redirect', 'redirect-policy', 'redirect_bypass', 'redirect_ignore', and 'redirect_ips'
18:37 <@krzee> !redirect-policy
18:37 <@vpnHelper> "redirect-policy" is If you are using --redirect-gateway and wish to maintain external access to the same system, you need Policy Routing. If using Linux, see !lartc for reading on the subject. Note that this is a somewhat advanced networking topic.
18:37 <@krzee> hmm
18:37 <@krzee> !factoids search route
18:37 <@vpnHelper> 'dlink_static_route', 'external_routes', 'iroute', 'ppp_defaultroute', 'route', 'route-nopull', 'route_outside_openvpn', 'route_outside_ovpn', 'route_override', 'routebyapp', 'router', 'splitroute', and 'winroute'
18:37 <@krzee> !splitroute
18:37 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/viewtopic.php?t=7175#p8056 to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet, or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
18:37 <@krzee> ^ thats a different way
18:37 <@krzee> instead of firewall marking
18:38 <@krzee> but it would require you to remove the policy routing stuff you already configured
18:38 <@krzee> To achieve this, the following, surprisingly simple commands were used to create a second routing table and then setup a rule for packets with the src address 91.121.199.129:
18:39 <@krzee> ip rule add from 91.121.199.129 table 10
18:39 <@krzee> ip route add default via 91.121.199.254 table 10
18:39 <@krzee> note that the first ip was his, the second ip was his normal gateway
18:40 <@krzee> that way when his vpn changes his default gateway on first routing table, the ip rule command forces packets that have the eth0 src address to go out the second routing table
18:40 <@krzee> that'll fix your problem
18:40 <@krzee> one day i should add that to the link you gave (which i didnt know existed)
18:41 <@krzee> Boingo: ^
19:15 < Boingo> Hmmmmm....
19:17 < Boingo> krzee: How could I get that to work with a dynamic IP (when the AWS EC2 instance is created, it will have a random IP)?
21:27 <@ordex> Boingo: ?
21:28 <@ordex> what is "that" ?
21:28 <@ordex> I may have missed the context
22:00 <@krzee> Boingo: by making a script that adds it after figuring out its ip
22:00 <@krzee> and instead of adding it staticly, just having the script run on boot
22:00 <@krzee> ordex: the adding of a policy routing rule
22:00 <@krzee> Boingo: first thing is first... do you solve your problem with it?
22:01 <@krzee> then you can worry about making your script
22:01 <@ordex> krzee: oh ok
22:02 <@krzee> [16:38] <krzee> To achieve this, the following, surprisingly simple commands were used to create a second routing table and then setup a rule for packets with the src address 91.121.199.129:
22:02 <@krzee> [16:38] <krzee> ip rule add from 91.121.199.129 table 10
22:02 <@krzee> [16:38] <krzee> ip route add default via 91.121.199.254 table 10
22:02 <@krzee> [16:38] <krzee> note that the first ip was his, the second ip was his normal gateway
22:02 <@krzee> [16:39] <krzee> that way when his vpn changes his default gateway on first routing table, the ip rule command forces packets that have the eth0 src address to go out the second routing table
22:02 <@krzee> ordex: ^
22:03 <@ordex> krzee: thank you :)
22:03 <@ordex> basically local packets have to go out using the original default gw
22:03 <@ordex> ?
22:06 <@krzee> when somebody connects to a vpn that redirects gateway they cannot serve their normal services on their inet ip like sshd and webserver
22:06 <@krzee> because return packets go over the vpn
22:06 <@krzee> a clear difference between those return packets and packets generated on the machine is the source address
22:07 <@krzee> so you can use source routing to say if src is eth0's ip, then go out 2nd routing table which still uses eth0's gateway
22:07 <@ordex> ah I see
22:10 <@krzee> theres a far more confusing writeup at: https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
22:10 <@vpnHelper> Title: Concepts-PolicyRouting-Linux – OpenVPN Community (at community.openvpn.net)
22:10 <@krzee> i think im about to add the solution i just gave to it
22:12 <@ordex> krzee: honestly i like the solution using the fw-mark so that you don't need to care about the changing IP
22:12 <@ordex> or you don't even need to retrieve the IP
22:12 <@krzee> werd
22:13 <@krzee> thats the nice thing about the unix world
22:13 <@krzee> so many ways to bust it
22:13 <@ordex> haha
22:13 <@ordex> :D
22:13 <@krzee> the user in this case was having problems with it, and i cant help with it
22:13 <@krzee> because i do the other way which i find far easier
22:14 <@ordex> ah ok
22:14 <@krzee> i also dont have servers on dynamic ips
22:15 <@ordex> you rich guy with static IPs!!
22:15 <@ordex> :D
22:15 <@krzee> haha
22:16 <@krzee> if that actually was the case (had to be rich for static ips) i would actually use ipv6 :D
22:16 <@ordex> :D
22:24 <@krzee> updated: https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
22:24 <@vpnHelper> Title: Concepts-PolicyRouting-Linux – OpenVPN Community (at community.openvpn.net)
22:24 <@krzee> !learn splitroute as see https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux also
22:24 <@vpnHelper> Joo got it.
22:25 <@krzee> !forget splitroute *
22:25 <@vpnHelper> Joo got it.
22:25 <@krzee> !learn splitroute as see https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet
22:25 <@vpnHelper> Joo got it.
22:25 < furkan> i have a site-to-site VPN set up, and my PC seems to be able to access everything on the remote site... but i set up a simple python web server on my PC, and i'm unable to access it from a machine from the remote site... i do receive the requests, but the other machine doesn't seem to receive the response (on the other hand, i am able to access it via telnet on the remote gateway)
22:26 < furkan> does anybody have tips on how i could narrow down the issue?
22:26 <@krzee> !learn splitroute as see !route_override for how to override --redirect-gateway for a certain subnet
22:26 <@vpnHelper> Joo got it.
22:26 <@krzee> furkan: can both sides ping eachother over the vpn?
22:27 < furkan> krzee: yeah ping works fine
22:27 <@krzee> then your problem is either firewall or the app not listening / responding on the vpn ip
22:27 <@krzee> definitely nothing to fix on the vpn if ping works
22:28 < furkan> it does respond (because i see it on tcpdump), but maybe firewall..
22:28 < furkan> although that wouldn't explain why it can access other machines, and not my PC
22:29 <@krzee> maybe firewall on your pc
22:29 < furkan> i was thinking maybe something TCP-related
22:29 <@krzee> dunno, just know its not the vpn =]
22:29 < furkan> hmm ok, thanks!
22:29 <@krzee> np!
22:29 < furkan> will report back if i figure it out lol
22:32 <@krzee> some apps such as webservers and voip servers usually require special config to respond correctly on a new ip
22:33 <@krzee> if you verify no firewalls in the way try analyzing those tcpdump packets to see if the response is what you expect
22:33 <@krzee> in wireshark or similar
22:33 <@krzee> also be sure you dont have policy routing stealing the packets off to some other routing table or something like that
22:34 <@krzee> (depending on the complexity of your setup)
22:34 < furkan> i'm actually running tcpdump right now on the remote gateway
22:34 <@krzee> if that doesnt help, maybe ##networking
22:34 < furkan> and it's receiving the HTTP responses from my PC, and forwarding it to the other machine
22:34 < furkan> this is so strange
22:35 <@krzee> tcpdump on every interface you expect to see it
22:35 <@krzee> ping, see it flow over all overfaces
22:35 <@krzee> then do the request, see where it stops
22:35 <@krzee> then you know the 2 places you need to check (last it hits, first it doesnt)
22:36 < furkan> hmm ok, will give that a shot
22:37 <@krzee> dont underestimate the step with ping
22:37 <@krzee> lets you know you're looking at the right places
22:41 <@krzee> ordex: here's the dynamic ip assuming wlan0 device $(ifconfig wlan0|awk '/Bcast/{print $2}'|cut -d: -f2)
22:42 <@ordex> yup
22:42 <@ordex> although using ifconfig should be banned :-P
22:45 <@krzee> better? $(ip a|grep -A4 wlan0|awk '/inet /{print $2}'|cut -d/ -f1)
22:50 <@krzee> if multiple ips, while read -r ip ;do ip rule add from "$ip" table 10 ;done < <(ip a|grep -A4 wlan0|awk '/inet /{print $2}'|cut -d/ -f1)
22:51 < furkan> krzee: seems like the machine is actually receiving the HTTP response, but it's just the browser that's not displaying it... what?!
22:53 <@krzee> did you analyze the contents of the response?
22:54 < furkan> not in detail, just dumping it with tcpdump and i see the HTTP OK
22:57 < furkan> well i see one difference
22:58 < furkan> when i try to access a page on 192.168.1.101, from the remote subnet, the response comes back from the same IP
22:58 < furkan> but when i access my PC (192.168.1.41), the response comes back from 192.168.1.1 instead
22:58 < furkan> so it's rewriting the source IP for some reason
22:59 < furkan> that might explain why i'm seeing the HTTP response come in, but the browser is just ignoring it
22:59 <@krzee> did you get this working by using NAT instead of proper routing?
23:00 <@krzee> bad furkan
23:00 <@krzee> :-p
23:00 < furkan> i don't think so, i have a static route set up
23:00 < furkan> but why would it rewrite .41 and not .101? they're both behind the same gateway
23:00 <@krzee> iptables-save
23:00 <@krzee> check
23:03 < furkan> i'm not sure what i should be looking for tbh
23:04 <@krzee> a nat rule on the machine thats rewriting your packet
23:04 <@krzee> where the tcpdump stops you can probably find it with a looser tcpdump
23:05 <@krzee> one that the filter catches the port instead of the ip
--- Day changed Sat Jul 08 2017
00:36 <@krzee> noooooo i forgot to save the wiki page after my edit
00:36 <@krzee> i closed the preview
00:53 <@krzee> there, now its at the bottom: https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
00:53 <@vpnHelper> Title: Concepts-PolicyRouting-Linux – OpenVPN Community (at community.openvpn.net)
01:06 < Hobz> I folks, I've had openVPN set up on my machine for a while and today, after three months of normal operation, the connection hangs at "MANAGEMENT: >STATE:1499493852,WAIT,,,,,,
01:06 < Hobz> " .  I haven't changed anything on the server, the client, or my router.  My config file is here (server IP redacted): https://pastebin.com/LBxfs6jB
01:06 < Hobz> Whoops, that was supposed to be one line
01:07 < Hobz> The client machine is Windows 10, the server is Debian 8
01:38 <@krzee> !logs
01:38 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
01:38 <@krzee> verb 5
01:38 <@krzee> on both sides!
01:38 < skyroveRR> Allo krzee :)
01:38 <@krzee> o/
01:42 < Hobz> https://pastebin.com/ZdSf5gbH
01:44 < Hobz> krzee, ^
01:46 < Hobz> I'm assuming that was directed at me
01:46 < temuccio> Hello all
01:48 <@krzee> Hobz: indeed it was... how about the server side?
01:49 < Hobz> That's going to take a bit longer to retrieve, you're looking for the config file?
01:49 <@krzee> and just so you know, line 14 of your client config has an issue
01:49 <@krzee> !--
01:49 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
01:49 < Hobz> I tried a single dash and got an error
01:50 <@krzee> no dashes
01:50 < Hobz> Ah
01:50 <@krzee> unless on commandline
01:50 <@krzee> was that log at verb 5?
01:50 < Hobz> Doesn't fix it, but then again I just changed that after I noticed I was getting a depreciation warning when i checked the logs
01:50 < Hobz> Verb 4
01:50 <@krzee> i said verb 5
01:51 < Hobz> Right, missed that
01:51 <@krzee> (and both sides)
01:51 < Hobz> Server side will take a bit to get
01:51 <@krzee> !both
01:51 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
01:51 <@krzee> !learn both as if you dont have access to both sides, come back when you do
01:51 <@vpnHelper> Joo got it.
01:52 < Hobz> I have access to it, it's just through a slow-as VNC connection
01:52 < Hobz> Here's verb 5 https://pastebin.com/MejesFJ0
01:53 <@krzee> you cut off the top again, and still looks like 4
01:54 <@krzee> are you copying from the gui and the top gets cut off or something?
01:54 < Hobz> https://pastebin.com/s9WkDXnJ
01:55 < Hobz> Yeah, that was it
01:55 <@krzee> cool thats 5
01:55 <@krzee> ok so ya you definitely need the server logfile at verb 5
01:55 <@krzee> or cant continue
01:56 < Hobz> I'll try to get that, though my connection to the server also seems to be failing for unknown reasons
01:56 < Hobz> Rebooting it remotely didn't change anything, unfortunately
01:57 <@krzee> maybe a bad link somewhere in between
01:57 <@krzee> orrrrr maybe thats the entire problem
01:57 <@krzee> lol
01:57 < Hobz> Could very well be ;)
01:57 <@krzee> maybe your server is having problems and the same reason you cant get a good connection to it with other programs is why you cant connect with openvpn
01:58 <@krzee> cause your client is writing packets, receiving none in return
01:58 < Hobz> Definitely weird
01:58 < Hobz> Just started last night, too
01:58 <@krzee> vnc issues around same time?
01:58 < Hobz> Just tried vnc this morning, went to bed last night
01:59 <@krzee> well, same since tested?
01:59 < Hobz> no change
01:59 < Hobz> Hmm, I can't ssh into anything either
01:59 <@krzee> any other internet services running? httpd or something maybe?
02:00 < Hobz> Nope
02:00 <@krzee> hehe i cant even ping your server
02:00 < Hobz> Weird
02:00 <@krzee> so ya, your server has problems
02:01 < Hobz> Well, here's hoping I don't have to rebuild the whole thing
02:01 <@krzee> good luck
02:01 < Hobz> Thanks
11:02 < furkan> krzee: i ended up moving my openvpn server from my raspberry pi to my ubiquiti gateway, to eliminate any potential problems with that extra hop... aside from that, the configuration is the same, and all seems to be working properly now
11:16 <@krzee> cool
12:40 <@krzee> so if you decide to put it back we know exactly where to look
12:40 <@krzee> but sounds like even better now anyways
12:40 <@krzee> you dont need this when its on the gateway
12:41 <@krzee> !route_outside_ovpn
12:41 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
12:48 <@krzee> furkan: ^
12:52 < furkan> krzee: yeah i think this is what i had, looking at my (currently disabled) static route right now, and for the remote subnet (192.168.10.0/24) i had specified my raspberry pi as the next hop (192.168.1.101)
12:53 < furkan> i replaced that with a different route now, routing that subnet to vtun0 (the openvpn interface)
12:53 < furkan> is that not needed, then?
12:55 < furkan> i guess what i'm asking is, do you only need static routes if the openvpn server is on a different machine than the gateway?
12:58 < furkan> and of course i still don't know why it was just that 1 single PC that was getting its source address rewritten, and not the other PCs i tried
12:58 < furkan> maybe even a bug somewhere *shrugs*
13:02 <@krzee> no
13:03 <@krzee> but you need routes totally outside openvpn when its not on the gateway
13:03 <@krzee> its routing 101
13:03 <@krzee> all explained in full here:
13:03 <@krzee> !route
13:03 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
13:21 < furkan> krzee: interesting, will read that, thanks
13:34 < kqr> i've been fighting with this for a while now... when I attempt to connect to my server (with --tls-client) the client states that it's "disabling NCP mode (--ncp-disable) because not in P2MP client or server mode"
13:35 < kqr> i was under the impression that --tls-client would allow for negotiation
14:32 < kqr> aah, apparently I need to specify --client, not --tls-client, even if I do use tls
14:49 < derekv> I have multiple field devices connecting to a vpn server and I need to migrate them to a new server with minimal risk (access is not convenient if I loose connection permenents).  these where configured with multiple remotes for this eventuallity.  however, if i shut down openvpn on the old server, I do not see any traffic coming to the new remote.  all the clients continue to try to connect to the old server. (I am runnin
14:49 < derekv> g tcpdump on both old and new server)
15:04 < derekv> version 2.3.2  https://gist.github.com/DerekV/de375616114f9f0e8ea63da30d9c82be    hopefully someone is around to quickly show me what I am bungling
15:04 <@vpnHelper> Title: client-version.txt · GitHub (at gist.github.com)
15:32 < derekv> whats crazy is that i see it trying the new ip in the client logs, but no traffic an the new server in tcpdump ... blarg
15:38 < derekv> found something ... maybe
15:55 < Eugene> derekv - <connection> blocks and resolv-retry infinite
15:56 < derekv> the thing I found wasn't it
15:56 < derekv> Eugene: is there something wrong in the client?
15:59 < Eugene> derekv - connection blocks let you specify a server failover order on the client side. Shut down the A server, clients will timeout and reconnect to B
16:00 < Eugene> resolv-retry infinite ensures that if you change DNS records around it will actually pick up on it
16:00 < Eugene> (instead of giving up)
16:01 < derekv> Eugene: I have both of those, except I am not using <connect></connect> , just have multiple remote directives.  are you able to view the link I posted?
16:01 < Eugene> That is why I am tellign you to use the blocks.....
16:02 < derekv> Ahh ok, i just wanted to be sure.
16:03 < derekv> The closest device is 40 minutes away, in a locked room we don't have the key to, and I had to schedule the current downtime 2 weeks in advance, so I'm just trying to minimize what I have to change on the client side
16:03 < derekv> going to try that now
16:03 < Eugene> Ah, I love those setups
16:06 < derekv> dude who set this up, assured me he tested failing over....  then he quit.
16:18 < derekv> success.  phew.
16:18 < derekv> i put resolv-retry outside the connection blocks after squinting at the manual
16:18 < derekv> Eugene: thank you!
--- Day changed Sun Jul 09 2017
08:15 < analogical> Why is the TAP-Windows Adapter only at 100Mbit? On a very fast openvpn connection 100Mbit becomes a bottleneck! The TAP-Windows Adapter needs to be a gigabit!!!
08:23 <@plaisthos> analogical: the speed is only informative
08:23 <@plaisthos> it does not limit the throughput
08:26 < analogical> plaisthos, "only informative" doesn't make any sense. If it doesn't limit the throughput it's actually misinformation...
14:15 < swensson> Getting crazy over this, I followed evry step and still, I can connect to the vpn but I got no internet access... https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04 Linux arch
14:15 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
14:36 < swensson> When I use VPN, do I need to create a key etc for every device that will use it or can I use the same?
15:19 < swensson> Which of the files I generated on my vpn server should I use on the client side vpn?  Usercertificate, Ca-certificate & private key...
15:20 < BtbN> the key for the user, its signed cert and your ca cert.
15:21 < swensson> On my phone I only needed to provide a single file :O I got no key :O
15:22 < BtbN> you always need those 3.
15:22 < BtbN> If it's a PKI based VPN
15:23 < swensson> I did follow this guide... So I don't really know... https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
15:23 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
15:37 < swensson> Should private key be the one I created with ./build-key mykey? Ca certificate, the ca.crt and usercertificate ...?
19:54 <@ordex> morning !
19:55 <@ordex> swensson: the ca.crt is created at the beginning
19:55 <@ordex> then with build=key you usually create keys and certificate for each user
19:55 <@ordex> in the end you give the user the new key, the related cert and the ca.crt that was created at the beginning
19:56 <@ordex> swensson: you can also embed all of this in the config file and give it only to the user (can make the process easier)
19:56 <@ordex> instead of giving separate files
--- Day changed Mon Jul 10 2017
02:59 < vishesh92> Hi. I have setup openvpn server and I am pushing some routes to the clients. But some clients change their config (--redirect-gateway def1) which routes all traffic through VPN. Any idea how can I stop clients from doing this?
03:00 < kerio> firewalls
03:00 < kerio> i mean
03:01 < vishesh92> Can I do anything in openvpn server configuration?
03:01 < kerio> you can't stop clients from trying to shove packets through your VPN
03:02 < vishesh92> oh. ok. Thanks.
03:02 < kerio> idk if there's something openvpn itself can do
03:03 < vishesh92> Can't I discard those packets?
03:31 <+hyper_ch> is there something wrong with shoving traffic throughthe vpn?
04:18 -!- dionysus70 is now known as dionysus69
08:52 < Mibka> I have two edgerouter devices running openvpn. Both are cunnected to eachother in client/server mode. I can ping from server to client and vice-versa. Now I have other computers in the lan at the "client openvpn" side. If they ping, for example, the IP address of the openvpn server it doesn't get a reply for some reason. If I do "tcpdump -i vtun0" on the client, I can see the icmp echo request there. But when doing "tcmpdump -i vtun0" on the server it doesn't 
08:53 < Mibka> I'm not sure how that's possible?
08:57 <@ordex> Mibka: firewall problem ? maybe packets are dropped *after* being sent over the interface
08:57 <@ordex> also, is nat and forwarding configured properly?
08:57 < Mibka> ordex: I don't have any firewall rule related to vtun0 device so it shouldn't be the issue.
08:57 < Mibka> ordex: I don't think I need nat, right? I should be able to connect to all ip's without nat. They are all internal IP's...
08:58 <@ordex> uhm
08:58 <@ordex> either you need NAT or you need routing properly configured
08:58 < Mibka> I have routing configured
08:58 <@ordex> it depends on what you want to achieve, but one of those needs to be configured
08:58 <@ordex> ok
08:58 <@ordex> so also the iroute is configured server side?
09:00 < Mibka> Hmm, no ;) I used to have a site-to-site config but now one site does no longer have a static IP so I had to switch to server/client mode but didn't actually change routing settings in openvpn. I just removed the site-to-site related settings and changed them to server/client
09:00 < Mibka> I guess site-to-site did those iroute things automatically
09:01 <@ordex> maybe, I have never used p2pmode to be honest :P
09:01 <@ordex> *p2p mode
09:01 <@ordex> !clientlan
09:01 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
09:01 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
09:01 <@ordex> !iroute
09:01 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
09:01 <@ordex> should help I hope
09:02 < skyroveRR> Hello ordex
09:02 <@ordex> skyroveRR: hi there :)
09:02 < skyroveRR> :)
09:07 < Mibka> so, I added the iroute settings on the server but that doesn't make a difference... I still cana't see the icmp echo requests on the vtun0 device on the server when pinging from behing the lan of the client. The client's vtun0 interface shows the icmp echo requests :/
09:11 < Mibka> on the clients, computers in the lan can ping the IP address of the openvpn client (local) but pinging the ip address of the server (same ip range) won't get a reply either
09:17 <@ordex> weird
09:18 <@ordex> also no firewall on the server side I guess
09:18 <@ordex> hm
09:18 < Mibka> no firewall, idd
09:19 < Mibka> I just upped the verbosity to 11 on the server and there it shows me this : MULTI: bad source address from client [192.168.168.176], packet dropped
09:19 < Mibka> Something must be wrong with the configuration :-/
09:20 <@ordex> uhm
09:20 <@ordex> lemme chec kthe code
09:20 <@ordex> this is good hint!
09:28 < Mibka> ordex: never mind. I just found the issue. I made a very stupid mistake in my iroute entries. I fixed thos and now it's working ;)
09:28 <@ordex> aha!
09:28 <@ordex> :)
09:28 <@ordex> good to know before I'd drown in the code
09:28 <@ordex> :D
09:28 < Mibka> Sorry for this but really appreceate you take the time. Your hints helped me getting this fixed ;)
09:29 <@ordex> np :)
10:11 < Mibka> Now I want to route a public static IP address to this client with a dynamic IP address. So I set up routing to do this, and this seems to work so far. I can see packets to the public IP arrive at the vtun0 interface of the client. But can I somehow force openvpn to assign this public IP to the client's vtun0 interface as an IP alias or something?
10:11 < Mibka> Maybe I can have multiple iconfig-push lines in my ccd file?
10:33 <@ordex> Mibka: not sure that works. it would be out of the server subnet and I am not sure openvpn can handle this case
10:34 <@ordex> what if you configure this IP on the client manually ?
10:34 <@ordex> and then add an iroute+route for it as it is just another "network" (actually /32)
10:34 <@ordex> ?
10:34 <@ordex> or you want the client to get the IP from openvpn ?
10:35 <@ordex> Mibka: you could do this on the client in the --up script I believe
11:58 <@krzee> Mibka: what did you do manually to solve the issue?
11:58 <@krzee> once we know that we can have a better idea of how to automate it
12:04 <@ordex> krzee: I think he said it does not work with his new client/server setup
12:04 <@ordex> no?
12:07 < Boingo> krzee: Thanks for you pointers on the VPN.  I managed to make it work.  Set up some enviromental variables to the info I needed and it seems to work fine now.
12:13 <@krzee> nice Boingo good work
12:13 <@krzee> ordex: he said "So I set up routing to do this, and this seems to work so far"
12:14 <@krzee> but then theres a "but"
12:14 <@krzee> so im not really sure
12:14 <@ordex> ah
12:14 <@ordex> dunno :S
12:14  * krzee checks his crystal ball
12:14 <@krzee> damn. still out of service :(
12:15 <@ordex> :(
12:15 <@ordex> let me know when it goes online :D
12:15 <@ordex> and now .. I will sleep!
12:15 <@ordex> goodnihgt
12:20 <@krzee> gnite
12:20 <@krzee> but why sleep in the middle  of the day?  :-p
13:17 < gthank> !welcome
13:17 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
13:17 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
13:18 < gthank> !logs
13:18 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
13:28 < gthank> I'm trying to troubleshoot a TLS handshake failure for one of my end-users, but when I go to the server logs, the last bit of it seems to be in pure binary. Is that right?
13:40 <@krzee> what log verbosity?
13:40 <@krzee> you shouldnt need over verb 4
13:43 < gthank> krzee It's the default for pfSense
13:43 < gthank> I'm digging around for how to check/change that now
13:45 < gthank> krzee …and I just discovered pfSense is using circular log formats, so that explains the binary
13:47 < gthank> So once I use the right tools, I can see that the OpenVPN server is not seeing the incoming connection from this user at all (which I suppose makes sense, given the TLS timeout)
13:47 < gthank> https://gist.github.com/gthank/012f0f2f5849e19da4cc3c62dada4ada is what he's seeing on his end
13:48 <@vpnHelper> Title: viscosity.log · GitHub (at gist.github.com)
13:49 < gthank> !goal
13:49 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:49 < gthank> I am attempting to troubleshoot a failed connection from a Windows client
14:26 <@krzee> !pfsense
14:26 <@vpnHelper> "pfsense" is (#1) dont use the web gui for configuring openvpn, you need to understand the config and logfiles, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
14:27 <@krzee> if you get me both log files i'll take a look
20:28 < fatgeek> Hey, can I ask an OpenVPN (linux) client question here?
20:29 < fatgeek> !welcome
20:29 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
20:29 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
20:29 < fatgeek> !route
20:30 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
20:30 < fatgeek> !goal
20:30 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:32 < fatgeek> !ask
20:32 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
20:33 < fatgeek> I would like to access an OpenVPN client remotely from multiple subnets
--- Day changed Tue Jul 11 2017
01:10 <@ordex> zx2c4: if I may ask, why did you prefer starting a new project instead of trying to get your ideas into openvpn? just convenience? (I mean, this way it has been way faster)
04:12 < aditsu_> hi, at https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts it says I should set EASYRSA_DN "org", is there anything wrong with cn_only?
04:12 <@vpnHelper> Title: Create a Public Key Infrastructure Using the easy-rsa Scripts - Gentoo Wiki (at wiki.gentoo.org)
04:19 <+hyper_ch> aditsu_: do you want to create all keys yourself? or should users submit signing requests to you?
04:19 < aditsu_> signing requests? I didn't know that was a thing (for openvpn) :) I create the keys
04:19 <+hyper_ch> then use this  https://community.openvpn.net/openvpn/wiki/EasyRSA3-Insecure-PKI
04:19 <@vpnHelper> Title: EasyRSA3-Insecure-PKI – OpenVPN Community (at community.openvpn.net)
04:20 <+hyper_ch> otherwise use that https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
04:20 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net)
04:21 < aditsu_> huh, "insecure".. but from what it says, it's exactly what I had done in the past (using an older easy-rsa)
04:22 <+hyper_ch> insecure = the ca create all private keys as well and doens't just sign the requests
04:22 <+hyper_ch> aditsu_: did you ever request a ssl cert for a website?
04:23 < aditsu_> yes
04:23 <+hyper_ch> so, then you did crate your private key on your server/computer
04:23 < aditsu_> sure, and generated a csr
04:23 <+hyper_ch> with that, you did create some cert and csr
04:23 <+hyper_ch> you submitted cert and csr to the according CA
04:23 <+hyper_ch> they then signed your stuff and you got a signed cert back
04:24 <+hyper_ch> which you could then use
04:24 <+hyper_ch> so the CA never got hold of your private key
04:24 <+hyper_ch> --> secure
04:24 < aditsu_> right, I didn't realize openvpn used the same kind of system
04:24 <+hyper_ch> CA gets hold of your priv key --> insecure
04:24 <+hyper_ch> so, if you manage cert for a company or such
04:24 <+hyper_ch> you want to have the priv keys usually
04:24 <+hyper_ch> (makes things easier)
04:24 < aditsu_> I mean.. I've seen the csr files when generating the client certificates, but just assumed it's an artifact of the process
04:25 <+hyper_ch> to my undestanding, you use normal cert for openvpn encryption
04:25 < aditsu_> for openvpn, at least so far, the clients have always been either me or people who don't know what's a "certificate"
04:25 <+hyper_ch> as it would be for website ssl certs etc
04:25 <+hyper_ch> then just follow the "insecure pki" howto
04:25 <+hyper_ch> that's what I also do
04:26 < aditsu_> hmm, it seems to skip any step of editing vars
04:27 <+hyper_ch> few things have changed
04:27 <+hyper_ch> e.g. priv keys are store in seperate dir now
04:28 <+hyper_ch> not in [..]/keys anymore
04:29 < aditsu_> ok..
04:29 < aditsu_> so if I don't edit any vars, it will use cn_only?
04:30 <+hyper_ch> if you don't edit vars, you'll have default settings... some people prefer 4096 bit for example...
04:31 < aditsu_> 4096 seems unnecessary
04:31 <+hyper_ch> not sure if ECC is already supported
04:31 < aditsu_> I'm just not sure what the default settings are
04:31 <+hyper_ch> then check them
04:31 < aditsu_> how?
04:32 <+hyper_ch> would have to check myself
04:32 <+hyper_ch> if it's not in the howto
04:32 <+hyper_ch> then check the easyrsa folder
04:32 <+hyper_ch> it's somewhere
04:37 < aditsu_> I'll init-pki and see what happens :p
04:39 < aditsu_> and build-ca.. it was pretty straightforward, looks like it went with cn_only
04:49 <@ordex> fyi: https://www.battleforthenet.com/july12/
04:49 <@vpnHelper> Title: Join the Day of Action for Net Neutrality on July 12th (at www.battleforthenet.com)
04:52 <+hyper_ch> I don't like battles
05:00 < aditsu_> is it a US thing? or not only?
05:22 <@ordex> well, it starts from the FCC
05:22 <@ordex> which is a US thing
05:22 <@ordex> but they are not disjoint :)
05:38 < aditsu_> new vpn server up and running :) time to connect a client and battle with the firewalls/routes
05:41 < aditsu_> I'm loving this new easyrsa
05:51 <@ordex> :)
06:32 < zx2c4> ordex: because wireguard is fundamentally different. its an entirely different design
07:05 < aditsu_> it works :o
08:31 < aditsu_> what do you guys think about tunnelblick (for macs)?
08:31 <+hyper_ch> I don't believe in macs
08:32 < aditsu_> me neither, but I kinda have to help some mac users connect to vpn..
08:32 <+hyper_ch> tell them to upgrade to Linux :)
08:32 < aditsu_> they won't listen..
08:33 <+hyper_ch> then you'll have to take their iphones away :)
08:33 < aditsu_> plus they're not really computer-literate, Linux might be too hard for them :p
08:35 <@krzee> aditsu_: tunnelblick is great
08:36 <+hyper_ch> hi krzee
08:36 <@krzee> ohai
08:36 <@krzee> haihai
08:37 <+hyper_ch> you haven't used ovpn with yealink t48g?
08:37 < aditsu_> krzee: I find it weird at best, I never understand what it's doing.. it doesn't seem to detect disconnections and reconnect properly
08:37 <@krzee> hyper_ch: i dont use the yealinks
08:37 <@krzee> let that be a blanket answer for them all
08:38 <+hyper_ch> got a t48g and it looks nice.. but can't get openvpn to run
08:38 <@krzee> user error :-p
08:38 <@krzee> aditsu_:
08:38 <@krzee> !logfile
08:38 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
08:38 <@krzee> openvpn can tell you directly ;]
08:38 <@krzee> aditsu_:
08:38 <@krzee> !goal
08:38 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:39 <@krzee> ill give more specific help if you give more specific problems =]
08:39 <+hyper_ch> I want to get openvpn running on my t48g :)
08:39 <@krzee> lol hyper_ch their docs work
08:40 <@krzee> you gotta format the config and the zip or tar properly
08:40 <@krzee> bonus if you get to see the log
08:40 <+hyper_ch> yeah, but how does it need to be? the problem is, when I select the tar file to upload, in the input file, it will show as  c:\fakeroot\openvpn.tar
08:40 <+hyper_ch> regardless whether I use *nix or *dows
08:41 <@krzee> so it never uploads?
08:41 < aditsu_> tunnelblick is showing some logs, but it seems to be mixing opevpn's logs with its own weird stuff
08:41 <+hyper_ch> seems like it but I do get a javascript dialog back that it was uplaoded and when I try to save, it tells me nothing was uploaded
08:41 <@krzee> aditsu_: thats why i gave you this
08:41 <@krzee> !logfile
08:41 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
08:43 <@krzee> hyper_ch: what os do you want to upload it from?
08:44 <+hyper_ch> preferrably linux
08:46 <@krzee> so the problem you're having is that you browse for the tar from local filesystem and the yealink never gets it? looks in the wrong place?
08:46 <@krzee> maybe you should tcpdump that connection and see exactly how that goes down
08:46 <+hyper_ch> seems like it
08:46 <@krzee> and try different browsers
08:46 <+hyper_ch> but after I upload it, it says upload was successful
08:46 < aditsu_> not sure I have the time and energy for a detailed investigation now (including controlled network condition changes).. but I'll know how to approach it next time, thanks krzee
08:46 <+hyper_ch> tried with different browsers and even windows
08:47 <+hyper_ch> all the same
08:47 <@krzee> i once had a router that i could only flash using a lame windows app called simple browser
08:47 <+hyper_ch> I hoped you might now
08:47 <@krzee> np aditsu_
08:47 <@krzee> hyper_ch: like i said, i dont use any yealink
08:48 <+hyper_ch> too bad... you should :)
08:48 <@krzee> and you havent got to the point where its openvpn related yet
08:48 <@krzee> nah i use snom
08:48 <@krzee> yealink are ugly
08:48 <+hyper_ch> the t48g looks nice
08:48 <@krzee> and theyd require more hacking than the snom for my usage
08:48 <@krzee> so meh, screw them
08:50 <@krzee> t48g looks nice to a tech, my 80 year old clients would look at that lcd and be like i just want a phone
08:50 <@krzee> look at the snom 760
08:50 <+hyper_ch> I got snom 370 running here
08:50 <@krzee> thats a nice simple phone with openvpn support, and when using EC it renegs in under a second
08:51 <@krzee> i only use 821 and 760
08:51 <@krzee> got some newer model that im supposed to dev on one of these days... but we keep finding cheap 760 so im not currently too worried about getting it done
09:06 < aditsu_> "user nobody" doesn't seem to work well with routes
09:12 < oajs> Anyone ever hear of a ESXi openvpn client that installs directly on the ESXi host as a VIB package or similar?
09:12 <+hyper_ch> no
09:12 <+hyper_ch> actually, yes
09:20 < oajs> care sharing where you might have seen such?  a VM within ESXi doesn't work as if the VM is down I can't access ESXi to fix it
09:21 <+hyper_ch> oajs: since you mentioned that then I assumed you've heard of it... otherwise you wouldn't be asking. So the correct answer to "Anyone ever hear of ..." is yes
09:21 <@ecrist> o.O
09:22 <+hyper_ch> ecrist: you disagree?
09:22 <@ecrist> I'm not sure what you're saying.
09:23 <+hyper_ch> ecrist: oajs asked if anyone ever heard of ... and I falsely answered with no first... then I corrected myself :)
09:24 <@ecrist> So, no, until oajs mentioned it, you hadn't heard of it.  Am I reading that correctly?
09:24 <+hyper_ch> ecrist: that's correct this far... but since oajs mentioned it, s/he/it heard of it before, otherwise s/he/it wouldn't have mentioned it
09:25 <+hyper_ch> and since oajs question didn't exclude s/he/it the only right answer was yes
09:25 <+hyper_ch> damn't can't type
09:25 <@ecrist> hyper_ch: not necessarily.
09:25 < oajs> ha, I heard of it was I came up with the idea a few minutes ago
09:25 <+hyper_ch> ok, if you're the first one coming up with something then you have not heard of it before but you can mention it
09:26 <@ecrist> VIB packages are the ESXi installation packages.  Someone could reason that there may be a VIB available for "xyz" software.  That's where oajs is coming from.
09:26 <+hyper_ch> it's a border case
09:26 <@ecrist> hyper_ch--
09:26 <+hyper_ch> ecrist: https://www.urbandictionary.com/define.php?term=metaquestion
09:26 <@vpnHelper> Title: Urban Dictionary: metaquestion (at www.urbandictionary.com)
10:58 <@ordex> zx2c4: I get to read the whitepaper then
11:12 < zx2c4> ordex: enjoy it
11:12 < zx2c4> Let me know if you have any questions
11:12 < zx2c4> https://www.wireguard.io/papers/wireguard.pdf
11:13 <@ordex> zx2c4: thanks :)
14:49 -!- themayor_ is now known as themayor
15:22 -!- viridys is now known as cos0
17:26 < AverageAlex> has anyone been able to successfully compile 2.4.3 with openssl 1.1.0f?
17:28 < AverageAlex> I am attempting to compile my own windows binaries. I am using build system provided on this page.  https://community.openvpn.net/openvpn/raw-attachment/wiki/SettingUpGenericBuildsystem/
17:28 <@vpnHelper> Title: SettingUpGenericBuildsystem – Attachments – OpenVPN Community (at community.openvpn.net)
17:28 < gtt> hello
17:28 < AverageAlex> I am using an Ubuntu 14.04 Virtual machine exactly as that page suggests to use.
17:28 < AverageAlex> hello
17:29 < AverageAlex> when I setup the build system, I see that it is still using openssl 1.0.2 as the openssl source.
17:30 < AverageAlex> I changed that source to 1.1.0f but the build fails during configuration
17:30 < AverageAlex> Build openssl Configuring OpenSSL version 1.1.0f (0x1010006fL) ***** Unsupported options: no-multilib FATAL: Configure openssl root@ubuntu:~/openvpn-build/generic#
17:31 < gtt> If I need to setup an openvpn server for several clients, what is the difference between setting up the server through a tun or tap interface?
17:32 < gtt> nvm https://openvpn.net/index.php/open-source/faq/75-general/305-what-is-the-difference-between-a-tun-device-and-a-tap-device.html
17:32 <@vpnHelper> Title: What is the difference between a TUN device and a TAP device? (at openvpn.net)
17:33 < AverageAlex> gtt: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
17:33 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
18:14 < AverageAlex> any help?
18:28 < AverageAlex> mattock: You seem to be the creator of the build scripts that I use. Could you please tell me how I can use buildscript 5 to compile openvpn binaries with openssl 1.1.0f?
18:29 < gtt> in the examples that I see when one creates the certificates fro the clients I don'tt see any .csr file being created
18:29 < gtt> but when I do in my setup they are created
18:30 < gtt> there's a client.csr, client.crt and client.key
19:49 < jusss> I'm using static keys now, and it tells "INSECURE cipher with block size less than 128 bit(64bit). this allows attacks like SWEET32" what should I do?
19:49 < jusss> use cipher aes-256-cbc ?
20:15 < jusss> how I can run multiple instance with static keys?
20:17 <@ordex> jusss: using different ports?
20:17  * ordex never tried
20:18 <@ordex> jusss: although you should not use static keys as they expose you to security risks
20:18 < jusss> ordex: should I use different tun?
20:18 <@ordex> jusss: each instance will create one tun
20:24 < jusss> ordex: openvpn tls auth is blocked by GFW
20:25 < jusss> so I have to use static keys or obfsproxy but obfsproxy doesn't support udp
20:28 < jusss> ordex: should I config something for tun in server.confi if I use multiple instances?
20:28 < jusss> I know port should be different in server.conf
20:34 <@ordex> jusss: you also have to change the name of the tun
20:34 <@ordex> otherwise openvpn will try to re-use tun0 and will have an error
20:34 <@ordex> the "dev" option can be used for that
20:34 < jusss> ordex: like "dev tun0" and "dev tun1" ?
20:34 <@ordex> jusss: btw, you can use tls-crypt instead of tls-auth
20:34 <@ordex> jusss: correct
20:35 <@ordex> jusss: tls-crypt (in TLS mode, so no static keys) is relatively new so should not be blocked yet
20:35 <@ordex> that way you can do the usual point-multipoint configuration
20:36 < AverageAlex> ordex: does mattock plan to update his build system script for the openvpn binaries?
20:37 <@ordex> AverageAlex: no clue - we should ask mattock
20:37 < AverageAlex> I have tried highlighting him, I just asked you in case you had a more direct line of communication to him
20:38 <@ordex> oh ok. well usually I chat here as he usually is responsive. we can try again later :)
20:39 < AverageAlex> From what I read 2.4.3 is capable of being compiled with 1.1.0
20:39 < AverageAlex> is this true?
20:40 < AverageAlex> I am able to use mattock's scripts to compile all of the binaries with 1.0.2l but not 1.1.0f
20:41 <@ordex> AverageAlex: yap, should be
20:41 <@ordex> AverageAlex: yeah, probably have to be updated in that regard
20:50 < jusss> "The tls-crypt option isn't safe from traffic analysis as it doesn't hide all elements of the control channel, notably the opcodes, session/packet IDs and timestamp."  http://svn.dd-wrt.com/ticket/3450
20:50 <@vpnHelper> Title: #3450 (Add xor scramble patch for OpenVPN) – DD-WRT (at svn.dd-wrt.com)
20:50 < jusss> tls-crypt still can be blocked by GFW?
21:35 < mojtaba> I had my openvpn server up and running; it was connected through eth0. But I had to move it and connect it to internet using wlan0.
21:35 < mojtaba> Now, it is not working.
21:36 < mojtaba> I have this setting: nano /etc/ufw/before.rules (add these above the file)
21:36 < mojtaba> *nat
21:36 < mojtaba> :POSTROUTING ACCEPT [0:0]
21:36 < mojtaba> #-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE (for cable connection)
21:36 < mojtaba> -A POSTROUTING -s 10.8.0.0/8 -o wlan0 -j MASQUERADE (for wifi connection)
21:36 < mojtaba> COMMIT
21:37 < mojtaba> There is no tun0, when I execute ifconfig.
21:37 < mojtaba> Any help is highly appreciated.
21:38 < jusss> can I use "openvpn --genkey --secret static.key" then "tls-crypt static.key" in server.conf?  I mean --secret can be used? and if I use tls-crypt do I still need tls-cipher option?
21:40 < jusss> mojtaba: cat /dev/net/tun what it said?
21:41 < mojtaba> jusss: cat: /dev/net/tun: File descriptor in bad state
21:42 < jusss> mojtaba: and "dev tun" in server.conf?
21:42 < mojtaba> jusss: It is uncommented
21:43 <@ordex> jusss: yes, tls-crypt can still be blocked because it is not obfuscation. just a different way of doing th handshake (encrypting the payload)
21:43 <@ordex> jusss: never used --secret there
21:44 < jusss> ordex: openvpn dont provide obfuscation, and obfsproxy only work for tcp, which tool work for udp ?
21:45 <@ordex> jusss: right. I am not aware of anything that works on udp right now. (but it may exist)
21:45 < jusss> ordex: if I use tls-crypt do I still need tls-cipher?
21:47 <@ordex> jusss: tls-cipher should be for the TLS session
21:47 <@ordex> therefore yes, it is still valid to be used
21:47 <@ordex> although I never use it
21:48 < mojtaba> jusss: Do you know what is going on?
21:48 <@ordex> mojtaba: how about providing the log?
21:48 < jusss> mojtaba: no
21:48 <@ordex> !logs
21:48 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
21:48 <@ordex> that may help understanding what is going on
21:48 <@ordex> no crystal ball in this room yet :P
21:48 <@ordex> although dazo is working on that
21:48 <@ordex> :D
21:49 < mojtaba> ordex: The problem is with wlan0. and there is no route for 10.8.0.0.
21:50 < mojtaba> route -n
21:50 <@ordex> mojtaba: you said tun0 is not created at all - that means openvpn is not starting properly at all
21:50 <@ordex> mojtaba: is this happening on the server ?
21:52 < mojtaba> ordex: service openvpn status gives me: http://paste.debian.net/976034/
21:52 <@ordex> mojtaba: is this happening on the server ?
21:52 < mojtaba> ordex: yes
21:52 <@ordex> mojtaba: how about providing the log ?
21:52 <@ordex> :)
21:52 <@ordex> !logs
21:52 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
21:53 <@ordex> server only is enough
21:53 <@ordex> as it is not starting
21:53 <@ordex> or not setting up everything properly
21:54 < mojtaba> ordex: It seems the problem is with properly configuring to connect through wlan0, instead of eth0.
21:54 < mojtaba> I had it working properly when it was connected through eth0.
21:54 <@ordex> mojtaba: I can't see how this is related. maybe the log will shed some lights
21:55 < mojtaba> ordex: openvpn.log?
21:55 <@ordex> mojtaba: you can also try to start openvpn manually from the console and see what it says
21:55 <@ordex> mojtaba: it depends how you have configured your log in the config
21:55 < jusss> ordex: openvpn --genkey x.key  missing parameter...
21:56 < jusss> ordex: it seems --secret is needed
21:56 < mojtaba> ordex: How can I start it manually? using service openvpn start?
21:56 <@ordex> jusss: oh yeah, apparently it is. sorry - not been using that since a bit :(
21:56 <@ordex> mojtaba: no, by running: openvpn <configfile?>
21:56 <@ordex> directly in the console
21:56 <@ordex> make sure the service is stopped first ..
21:57 < mojtaba> ordex: openvpn server.conf?
21:57 < mojtaba> ordex: It is just blinking on the next line.
21:57 <@ordex> mojtaba: let's paste the config then
21:57 <@ordex> !configs
21:58 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
21:58 <@ordex> only server.conf is enough ..
21:58 <@ordex> mojtaba: that is happening because the log is being redirected to a file that *you* have configured
21:59 <@ordex> mojtaba: to get the output on the screen you should comment the log section. (or read the log file directly which is what I was asking earlier)
22:01 < mojtaba> ordex: server.conf http://paste.debian.net/976035/
22:02 < jusss> ordex: the way that use static keys can be blocked? and how about it compare with obfuscation way?
22:02 <@ordex> mojtaba: you did not read what vpnHelper said, no? :)
22:02 < mojtaba> ordex: oops
22:03 < mojtaba> I can remove the comments.
22:03 <@ordex> mojtaba: and btw, yes, your log goes here: openvpn.log
22:03 <@ordex> as you configured
22:03 <@ordex> can you now restart the service
22:03 <@ordex> and then paste the content of that file?
22:05 < mojtaba> ordex: It is the openvpn.log http://paste.debian.net/976037/
22:06 <@ordex> mojtaba: it says it started
22:06 <@ordex> what does "ifconfig tun0" says?
22:07 < mojtaba> tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
22:07 < mojtaba>           inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
22:07 < mojtaba>           inet6 addr: fe80::d935:d76b:3912:7729/64 Scope:Link
22:07 < mojtaba>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
22:07 < mojtaba>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
22:07 < mojtaba>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
22:07 < mojtaba>           collisions:0 txqueuelen:100
22:07 < mojtaba>           RX bytes:0 (0.0 B)  TX bytes:288 (288.0 B)
22:07 <@ordex> so ?
22:07 <@ordex> it is up and running
22:07 <@ordex> (btw, please don't paste here on IRC long multiline textx like that)
22:07 < mojtaba> ordex: ok.
22:07 < mojtaba> ordex: What happened?
22:07 <@ordex> mojtaba: I don't know? nothing
22:08 <@ordex> :D
22:08 <@ordex> you just started it
22:08 <@ordex> and probably it was working even before
22:08 <@ordex> that's why the service said "started"
22:08 <@ordex> :P
22:08 < mojtaba> ordex: thanks
22:09 <@ordex> I swear I did nothing :P
22:09 <@ordex> hehe
22:09 <@ordex> np
22:09 < mojtaba> That's so weird. It is working now.
22:09 <@ordex> yeah
22:10 <@ordex> maybe openvpn was just stopped and you did not try to restart it ?
22:10 <@ordex> it may have gone down together with the network
22:10 <@ordex> and then needed a restart (just speculating here)
22:13 <@ordex> jusss: are you based in CN and trying to play with the GFW?
22:14 <@ordex> jusss: I was reading yesterday about the total ban that the gov is trying to impose
22:14 <@ordex> and green vpn is gone already :(
22:14 < jusss> ordex: yes, I'm in CN
22:15 < mojtaba> ordex: I can now connect, and everything works properly; except when I disconnect the client (ubuntu), in server side it shows it is still connected. After like 2 or 3 min.
22:15 < mojtaba> ordex: Do you know what could be wrong?
22:16 <@ordex> mojtaba: on udp it is normal I think
22:16 <@ordex> mojtaba: you can add an exit notification on the client side
22:16 <@ordex> mojtaba: check --explicit-exit-notify in the manpage
22:17 < mojtaba> ordex: The thing is that when I use my iphone, it just shows the client is disconnect right away.
22:17 <@ordex> mojtaba: is this another problem? or you run ubuntu on your phone?
22:18 < mojtaba> ordex: No, I mean considering it is on udp. My phone does not have that problem.
22:18 < mojtaba> Just my laptop which is ubuntu.
22:18 <@ordex> mojtaba: maybe your phone already has this setting embedded
22:19 < jusss> ordex: now I'm using tls-crypt static.key, and it tells me "WARNING: this configuration may cache passwords in memory --user the auth-nocache option to prevent this" and should I use it on server and client?
22:19 < mojtaba> ordex: I will check it. Thanks.
22:19 <@ordex> mojtaba: np
22:19 < mojtaba> I am using openvpn client on my phone, BTW.
22:19 <@ordex> jusss: not sure why that message is printed ... auth-nocache makes sense when you use user-pass authentication of some sort or tokens
22:20 <@ordex> jusss: it might be a bug that prints that
22:20 <@ordex> I just saw it here too - I will check
22:34 < BillyCrook> I'm measuring about about a 90% overhead with iperf on a tcp tunnel.  Is that normal?
22:35 < BillyCrook> I'm aware tcp-in-tcp boo-hiss.  Stuck with it.  Trying to make the best of it.
23:41 < jusss> I'm using tls-crypt now, and I found there's only one client can connect to the server at the same time, why?
23:50 <@ordex> jusss: tls-crypt does not prevent multiple client from connecting, therefore the issue is unrelated to tls-crypt
23:51 <@ordex> are you using client/server mode?
23:51 < jusss> ordex: yes
23:51 <@ordex> with different certs per client?
23:51 < jusss> ordex: same certs
23:51 <@ordex> jusss: this is not really recommandable...but if you really want that
23:51 <@ordex> you must allow CN duplicates
23:52 <@ordex> otherwise the server won't allow more than one client with the same CN
23:52 <@ordex> jusss: check --duplicate-cn in the manpage
23:52 < jusss> ordex: ok
--- Day changed Wed Jul 12 2017
00:06 < jusss> ordex: I add "duplicate-cn" in server.conf and now I can use two clients at the same time, :)
00:07 <@ordex> jusss: however, unless you have a real reason, it is better to use multiple certificates
00:07 <@ordex> so you can block each single client in case of troubles
00:07 < jusss> ordex: yes, I'm kind of lazy
00:07 <@ordex> :P
00:09 < jusss> there's also a popular tool called shadowsocks on my country and it seems support obfuscation
07:33 <@ecrist> OpenVPN is not designed for obfuscation, just FYI.
07:34 <@ecrist> oh, wow, only 7 hours too late.
07:34  * ecrist slinks back into the corner
07:35 <+hyper_ch> ecrist: since you already got up......
07:42 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 246 seconds]
07:42 -!- BuildTheRobots_ is now known as BuildTheRobots
07:42 -!- ctracey_ is now known as ctracey
07:42 -!- KCinJP_ is now known as KCinJP
07:42 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
07:42 -!- mode/#openvpn [+o syzzer] by ChanServ
07:42 -!- nitdega_ is now known as nitdega
07:42 -!- vectr0n_ is now known as vectr0n
09:20 <+hyper_ch> krzee: https://www.golem.de/news/https-private-keys-on-web-servers-1707-128862.html
09:20 <@vpnHelper> Title: HTTPS: Private Keys on Web Servers - Golem.de (at www.golem.de)
09:31 <@krzee> haha nice
09:34 <+DArqueBishop> Wow.
09:35 <+hyper_ch> find /var/www -iname "privatekey.key" -exec rm {} ;\
09:36 <+hyper_ch> + a few variante and make it hourly cron?
09:38 <@krzee> ummm
09:38 <@krzee> seriously?
09:38 <+hyper_ch> well, if you're an ISP maybe it wouldn't be a bad option
09:38 <+hyper_ch> if you haven't integrated LE support in the control panel that handles it all
09:38 <@krzee> maybe you could just make an hourly cron that announces from a speaker not to be an idiot
09:39 <+hyper_ch> that won't work
09:39 <+hyper_ch> people think they're smarter than they usually are
09:39 <@krzee> you cant cron away every instance of people being morons
09:39 <@krzee> better idea: dont hire morons
09:40 <+hyper_ch> find /dev -iname "human" -exec rm {} \;  works fine
09:40 <@krzee> you gunna cron a comparison of all important files in case some moron overwrites one?
09:40 <@krzee> haha
09:41  * krzee pictures hyper's server with no power left to serve anything because of all the scripts he runs on cron to prevent idiots from hurting his server from within
09:42 <+hyper_ch> you can't overuse "find"
09:42 <@krzee> your harddrives might disagree
09:45 < tx> They might, but they don't have a say.
09:46 <@krzee> they do when it comes time to serve the services!
09:46 <@krzee> and they're like but no
09:56 <@ordex> hi there
09:57 <@krzee> heyhey!
09:58 <@ordex> so crowded today!
09:59 <@krzee> !roadmap
09:59 <@vpnHelper> "roadmap" is https://community.openvpn.net/openvpn/wiki/RoadMap for the roadmap for OpenVPN 3
09:59 <@krzee> ordex: have a peek ^
10:01 <@ordex> time flies eh ..
10:01 <@ordex> :)
10:01 <@ordex> krzee: about DTLS: do you think it would help in increasing the chance that openvpn control traffic can get fingerprinted?
10:02 <@ordex> well the other way around
10:02 <@ordex> reducing the chance
10:02 <@krzee> id have to deffer to steffan
10:03 <@ordex> good strategy
10:04 <@krzee> :D
10:04 <@ordex> :P
10:04 <@ordex> if you can't delegate ... just postpone :P
10:14 <@plaisthos> dtls and openvpn will probably not happen
10:14 <@plaisthos> and it would only be a short time until it can be fingerprinted again probably
10:16 <@ordex> plaisthos: why not happen at all ?
10:16 <@ordex> not helpful?
10:16 <@plaisthos> you gain not much
10:17 <@plaisthos> and you an incompatible protocol and spend a lot of time implementing that
10:17 <@plaisthos> and then you either still have openvpn's data packets or you implement everything over dtls
10:17 <@ordex> :D
10:17 <@plaisthos> and in that case you have completely different VPN
10:17 <@ordex> yeah
10:18 < Elon_Satoshi> Hello
10:18 <@ordex> "we spent so much time on it!! finally we broke compatibility!"
10:18 <@ordex> :D
10:18 <@ordex> makes sense
10:18 < Elon_Satoshi> I seem to not have a tun device ;-;
10:18 < Elon_Satoshi> ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
10:18 <@plaisthos> modprobe tun
10:18 <@ordex> plaisthos: that was fast
10:18 <@ordex> :D
10:19 <@plaisthos> or really old linux, then it is /dev/tun
10:19 < Elon_Satoshi> It's linux-libre lol
10:20 <@plaisthos> Elon_Satoshi: are you just trolling?
10:20 < Elon_Satoshi> Well I got a different error! Progress!
10:20 <@plaisthos> oh linux libre actually exists
10:20 < Elon_Satoshi> Yeah, it does
10:21 < Elon_Satoshi> And I have a new error
10:21 < Elon_Satoshi> Linux ip link set failed: external program fork failed
10:22 < Elon_Satoshi> Does that mean /usr/bin/ip link set dev tun0 up mtu 1500 failed?
10:22 < Elon_Satoshi> wait hmm
10:22 <@plaisthos> or ip does not exist
10:23 < Elon_Satoshi> No, my script security was 0
10:31 < Elon_Satoshi> Hmm, my ip address seems to be the same'
10:33 <@ordex> Elon_Satoshi: that depends on how you configured the vpn
10:38 <@krzee> !goal
10:38 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:08 < vishesh92> Hi. Is there any way to setup ACL for users?
11:10 <@ecrist> vishesh92: like what?
11:11 < vishesh92> like only a few users can access some routes
11:11 <@ecrist> you can have an --up script that defines the firewall rules
11:11 <@ecrist> sorry, not --up
11:11 <@ecrist> --client-connect
11:12 <@ecrist> and then a --client-disconnect that removes the routes.
11:12 <@ecrist> with pf, I'd tag interesting traffic and allow it that way.
11:12 <@ecrist> you could also only push the routes that a client is allowed, though that's not "secure" since there's nothing stopping someone from adding their own routes.
11:15 < vishesh92> so I need to define my firewall rules in a script and allow/block traffic for that user, right?
11:15 <@ecrist> yes
11:15 < vishesh92> ok. Thanks.
11:50 < lunaphyte> hi.  if this isn't topical, let me know :) - i'm just looking for recommendations for small/inexpensive hardware [something along the lines of a raspberry pi] for use as a little vpn server
11:51 < lunaphyte> from a bit of reading, it seems like a raspberry pi does a good job, but was also wondering what other alternatives folks might suggest too
12:02 <@krzee> depends on your needs
12:03 <@krzee> if your needs are modest, maybe youd like a router running lede (openwrt)
12:03 <@krzee> i have set that up in many places, its nice because its low power and just works
12:05 < lunaphyte> they're very modest
12:05 < lunaphyte> it's unlikely there would be more than two concurrent vpn connections
12:06 < honigkuchen> hi I have a openvpn server as a gateway at home for wifi places outside. I copied the config and firewall settings to a vserver in the internet, to do the same not with the homeserver but vserver, but problem is, that traffic seems not to be routed through the vserver, some webites load fast others very slow and my ip is still the one at home
12:06 <@krzee> i bought a ton of tp-link 841 routers for like $35 and grabbed the lede-imagebuilder, made myself custom roms with the packages i want and i admin them over ssh
12:07 < lunaphyte> krzee: in that scenario, you're not constrained to some gui's opinion on how openvpn should be configured?
12:07 < lunaphyte> you just configure it directly, e.g. the config file?
12:07 <@krzee> no sir, i dont even compile the web gui into the firmware
12:07 < lunaphyte> i see
12:08 <@krzee> i use rc.local to start my scripts and openvpn
12:08 <@krzee> i ignore the UCI config all together
12:08 <@krzee> my scripts remove their firewall and put mine, do any routing, etc
12:08 < lunaphyte> oh, course, i don't really need or want any wireless hardware though
12:08 <@krzee> same, so i dont compile that in to my firmware either
12:09 < lunaphyte> i'm sure i could just not use it, but i'd like minimalist too
12:09 <@krzee> and each port can be its own vlan, so in some cases i use these as actual routers connected to like 4 (5 max) networks
12:10 <@krzee> honigkuchen:
12:10 <@krzee> !redirect
12:10 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
12:10 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
12:10 <+DArqueBishop> I have the UCI config file on my LEDE router, but the only uncommented line is to look at the config file in /etc/openvpn. :-)
12:11 <@krzee> i dont use UCI at all, for openvpn or anything else
12:11 <@krzee> i just configure everything how i want via rc.local
12:47 <@ordex> DArqueBishop: me too. just easier to deal with standard config file
12:47 <@ordex> expecially if you have embedded certs :p
12:51 <@krzee> i believe we have that as a factoid
12:51 <@krzee> !openwrt
12:51 <@vpnHelper> "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
12:51 <@ordex> yeah :)
12:51 <@krzee> !lede
12:52 <@krzee> !learn lede as [openwrt]
12:52 <@vpnHelper> Joo got it.
12:53 <@ecrist> !lede
12:53 <@vpnHelper> "lede" is "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
12:54 <@ordex> !ecrist
12:54 <@vpnHelper> "ecrist" is http://www.youtube.com/watch?v=0Veqz8W98iA
12:54 <@krzee> !krzee
12:54 <@ordex> !krzee
12:54 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20, or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg, or (#3) location: moon base where he smokes moonajuana, or (#4) takes bonghits on the freeswitch teleconference
12:54 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20, or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg, or (#3) location: moon base where he smokes moonajuana, or (#4) takes bonghits on the freeswitch teleconference
12:54 <@ordex> lol
12:54 <@krzee> www.ircpimps.org is down for awhile tho
12:54 <@ordex> yeah
12:54 <@ordex> just tried to open it
12:55 <@ordex> :(
12:55 <@krzee> eric killed it
12:55  * krzee pokes ecrist
12:55 <@ordex> !syzzer
12:55 <@ordex> !dazo
12:55 <@vpnHelper> "dazo" is The project name krzee always forgets .... eurephia ... http://www.eurephia.net/
12:55 <@ordex> !!
12:55 <@ordex> lol
12:55 <@krzee> i could never remember that thing
12:55 <@krzee> haha
12:55 <@ordex> :P
12:59 <@krzee> !eugene
12:59 <@krzee> !beer
12:59 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
13:00 <@krzee> !blame
13:00 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault, or (#2) According to krzee, it's always dazo's fault, or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments, or (#4) cron2 says its always d12fk's fault (and sometimes the customers), or (#5) if it is crypto blame syzzer and plai for acking
13:01 <@ordex> :P
13:01 <@ordex> you spent quite some time to come up with those, eh? :D
13:02 <@krzee> vpnHelper has been here since maybe 07-08 or so
13:04 <+DArqueBishop> I kind of want to see one that says "if it's tap and not tun, it's your fault for choosing poorly".
13:04 <+DArqueBishop> ;-)
13:05 <@krzee> haha
14:04 < BillyCrook> I'm measuring about about a 90% overhead with iperf on a tcp tunnel.  Is that normal?  (Yes I'm aware tcp-in-tcp sucks, stuck with it, trying to make the best of it.  It's a design feature of openvpn.)
14:11 <@ecrist> krzee: that host was on hemp?
14:11 <@ecrist> !factoids
14:11 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
14:12 <@ecrist> DArqueBishop: that page has all of the factoids, pretty close to real time
14:12 <@ecrist> 788 factoids, 476 keys
14:12 <+DArqueBishop> ecrist: I use it regularly when trying to find an appropriate factoid.
14:12 < mete> interesting, I've exactly the same problem with one of my machines as the guys here: https://community.openvpn.net/openvpn/ticket/603
14:13 <+DArqueBishop> I meant, I wanted to see an entry under "blame" referring to tun/tap. ;-)
14:21 <@ecrist> !learn blame as <+DArqueBishop> I meant, I wanted to see an entry under "blame" referring to tun/tap. ;-)
14:21 <@vpnHelper> Joo got it.
14:21 <@ecrist> !blame
14:21 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault, or (#2) According to krzee, it's always dazo's fault, or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments, or (#4) cron2 says its always d12fk's fault (and sometimes the customers), or (#5) if it is crypto blame syzzer and plai for acking, or (#6) <+DArqueBishop> I
14:21 <@vpnHelper> meant, I wanted to see an entry under blame referring to tun/tap. ;-)
14:21 <@ecrist> !blame 6
14:21  * DArqueBishop laughs
15:08 < Eugene> But this bot doesn't have !vend :-(
15:15 < SCHAPiE> hmm, build.openvpn.net seems to resolve to an IPv6 address as well, but it times out on trying to connect
15:16 < SCHAPiE> Connecting to build.openvpn.net (build.openvpn.net)|2600:1f1c:702:ae00:e0a7:e533:ee3a:8dbc|:80...
15:16 < SCHAPiE> maybe a webserver issue? all my other connections are just fine
15:17 < SCHAPiE> ping6'ing the hostname results in no response... maybe there's an AAAA record set that should not be there?
15:18 <@krzee> !factoids whatis blame 6
15:18 <@vpnHelper> <+DArqueBishop> I meant, I wanted to see an entry under blame referring to tun/tap. ;-)
15:19 <@krzee> ecrist: yep www. is hemp.
15:19 <@krzee> but it does nothing important
17:49 < Abbott> I'm hosting an openvpn server on a linux machine and I can connect fine and connect to other service hosted on the vpn server, but I cannot access other machines on the VPN local subnet. What am I missing that causes this?
20:44 <@ordex> aloha
20:59 < Abbott> hi
20:59 < Abbott> could you help me troubleshoot why my openvpn clients can't see eachother? I have client-to-client enabled in the server config
21:01 <@ordex> Abbott: can you pingthe server from both clients?
21:01 < Abbott> I'm also pushing route 10.8.1.0 255.255.255.0, so they should have a route to eachother
21:02 < Abbott> ordex: yes I can
21:02 <@ordex> mh with client-to-client it should just work I believe
21:02 <@ordex> can you paste your configs, please?
21:02 <@ordex> !configs
21:02 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
21:07 < Abbott> ordex: these are the three configs, the two clients are basically the same: http://dpaste.com/01226CR
21:08 <@ordex> Abbott: push "route 10.8.1.0 255.255.255.0" << this is redundant because the server statement will take care of that already
21:09 <@ordex> Abbott: from the server can you ping both clients?
21:10 <@ordex> Abbott: would you add "topology subnet" to the server config, just to make everything more straightforward ?
21:10 <@ordex> just to help debugging (and also to make the setup easier to visualize)
21:11 < Abbott> I cannot ping the windows machine from the server
21:11 < Abbott> I can ping the server from the windows machine though
21:11 < Abbott> could windows just not be responding to pings or is there something wrong there?
21:12 < Abbott> and yes, I will add that
21:13 <@ordex> Abbott: windows by default drops pings
21:13 <@ordex> it's a firewall thing
21:18 < Abbott> I must have been testing the connectivity between clients by pinging the windows machine from the rpi lol
21:18 < Abbott> i just tried pinging the rpi from the desktop and it's working :)
21:18 < Abbott> thanks ordex
21:18 <@ordex> :D
21:18 <@ordex> Abbott: no problem :)
21:18 <@ordex> windows is not the best machine :P
21:18 <@ordex> better to use a machine where you know what's doing! :D
21:26 < Abbott> lol very true
23:36 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 255 seconds]
--- Day changed Thu Jul 13 2017
00:34 -!- marlinc_ is now known as marlinc
06:40 < mauzilla> Hi all! Id like to give my connected clients network access to a private network at our datacenter. The VPN server (vm) is hosted on teh same physical network at the dc. Would simply changing the server ip / netmask to the same private IP rang (10.0.1.0 255.255.255.0) work?
06:41 < mauzilla> A concern from my end is that if I understand correctly, openvpn will use the first available IP (so 10.0.1.1) for itself, but at the datacenter we've already got hosts on those IP's
06:42 < mauzilla> so will openvpn use the first available ip in that range or will it cause a network conflict?
06:46 < Kadigan> Hey... I'm having some trouble understanding an issue.
06:47 < Kadigan> So let's say I have two routers (router CLI and router SRV). CLI's internal net is 10.11.0.0/24, SRV's internal net is 10.20.0./22. I have OpenVPN-server running on SRV, it assigns 10.20.2.0/24.
06:47 < Kadigan> So, I connect via OpenVPN-client from CLI to OpenVPN-server on SRV, I get assigned 10.20.2.10.
06:48 < Kadigan> Now. Within the CLI's network, I have a host - 10.11.0.2. From this host, I am able to ping another VPN client (10.22.2.5) via 10.11.0.1 (which is a client)
06:48 < Kadigan> but ... not the other way around.
06:48 <@ordex> !clientlan
06:49 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
06:49 < Kadigan> For the love of all that is holy, I can't ping 10.11.0.anything from SRV
06:49 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
06:49 <@ordex> Kadigan: followed that already? ^^
06:49 < Kadigan> Client is a router, has IP forwarding enabled by default. Adding the route for the server.... fails,
06:49 < Kadigan> for some reason. :/
06:50 < Kadigan> "ip route add -net 10.11.0.0 netmask 255.255.255.0 gw 10.20.2.10 dev tun2" is accepted
06:50 < Kadigan> but the route's not there
06:50 <@ordex> Kadigan: you have to configure something in openvpn too
06:50 < Kadigan> and "ip route get 10.11.0.1" gets me "10.11.0.1 via 192.168.100.1 dev eth0 src 192.168.100.100" (which is the public inet of SRV)
06:50 <@ordex> Kadigan: did you configure the iroute too?
06:50 <@ordex> before digging into your config
06:50 < Kadigan> !iroute
06:51 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
06:51 < Kadigan> I'm somewhat lost. !in-english please?
06:51 <@ordex> :D
06:51 <@ordex> Kadigan: basically you need to tell openvpn which subnet is behind which client
06:51 < Kadigan> Okay. How?
06:51 <@ordex> with the iroute config option
06:52 < Kadigan> Okay. Let me look it up.
06:52 <@ordex> you have to put the iroute option in the ccd file related to the client controlling that subnet
06:52 <@ordex> sure
06:52 < Kadigan> Not sure what a ccd file is.
06:52 <@ordex> inthe manpage you should find something about it too
06:52 < Kadigan> I probably won't. But I hope I'll figure it out.
06:52 <@ordex> you can look it up too, but in a few words is a way to inject config options to certain clients only
06:53 < Kadigan> If by "ccd file" you mean client-specific file (where I put the static IP assignment)
06:53 < Kadigan> then I can do that.
06:53 <@ordex> correct
06:54 < mauzilla> hi ordex
06:54 < mauzilla> any chance you may bless me with some knowledge as well? :P
06:54 <@ordex> mauzilla: :D I usually don't bless people
06:54 < mauzilla> exception perhaps?
06:55 <@ordex> hehe
06:55 < mauzilla> just this once
06:55 <@ordex> mauzilla: just reading your messages
06:55 < Kadigan> well, le f***
06:55 <@ordex> mauzilla: if you only need clients to access the DC, then it should be like pushing a route to the clients
06:56 <@ordex> mauzilla: or you want the DC to be able to contact clients too ?
06:56 < mauzilla> we have hosts on 10.0.1.1 - 10.0.1.8 at the moment, so i'd like to connect via the vpn and have access to those hosts over the vpn network
06:56 < mauzilla> no no
06:56 < mauzilla> one way
06:57 < mauzilla> so the clients should just be able to access the host on 10.0.1.4 for example but the host does not have to access the clients at all
06:57 <@ordex> mauzilla: if it's only one way, you should be able to use just "route" to push the route towards the DC to all the VPN clients
06:58 <@ordex> and then enable forwarding on the VPN server, of course
06:58 <@ordex> !route
06:58 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
06:58 <@ordex> mauzilla: this should help you ^^
06:58 < mauzilla> lemme have a read quick
06:59 < Kadigan> ordex: so I -think- I have it configured properly now, but unfortunately I can't check (restarting openvpn didn't quite complete, and dummy me forgot to open a routed port for SSH, so...)
07:00 <@ordex> argh, so no access tothe server any more ?
07:01 < Kadigan> Yup. So I can't bring OpenVPN back up.
07:01 < Kadigan> Dumb move on my part, I know.
07:02 <@ordex> well can happen :/
07:04 < Kadigan> Fun fact: I was messing around my iptables script for half the day today, and I thought about enabling that no less than THREE times. And I didn't. Well, serves me right. :D
07:05 < Kadigan> Anyway, so now that I have "iroute 10.11.0.0 255.255.255.0" in the client config,
07:05 < Kadigan> do I still need to "ip route add" at all? or should that sort of "take care of itself"?
07:07 < Kadigan> (the only reason I was restarting the service was because it didn't pick the changes to those files up automatically... I assume that's because dd-wrt uses a fairly old build?)
07:11 <@ordex> Kadigan: the manpage should answer your question about "ip route add" - better than me typing it :P
07:12 <@ordex> about not picking up the file .. I don't know, I am not sure files have ever been cached .. but i could be wrong
07:16 < Kadigan> ordex, the manpages on dd-wrt have been removed to save space, so no ;)
07:16 <@ordex> Kadigan: I know, but you can find the manpage of openvpn everywhere
07:17 <@ordex> don't be lazy :P
07:17 <@ordex> https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
07:17 <@vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
07:17 <@ordex> ah this is old sorry
07:17 <@ordex> https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
07:17 <@ordex> there you go
07:17 <@vpnHelper> Title: Openvpn24ManPage – OpenVPN Community (at community.openvpn.net)
07:19 < Kadigan> Ah, so I still need to add the route, which will still present me with troubles... :/
07:20 < Kadigan> I was asking because "ip route add" doesn't actually add the route -- is it because openvpn claims it doesn't know it, which --iroute should have fixed?
07:20 <@ordex> "is it because openvpn claims it doesn't know it" << how does it get claimed ?
07:21 < Kadigan> I have no idea, I'm groping in the dark man.
07:21 <@ordex> but yes, the route was not working because openvpn did not know what to do
07:21 < Kadigan> No, no no no.
07:21 < Kadigan> The route wasn't ADDING
07:21 <@ordex> ah ok
07:21 < Kadigan> I add the route, and the router still claims 10.11.0.0 is via eth0 (WAN)
07:21 <@ordex> well, that needs to be checked on the spot
07:21 < Kadigan> and not tun2 (openvpn)
07:21 <@ordex> ah
07:21 <@ordex> you are sharing exactly the same network ?
07:22 < Kadigan> I did not understand the question.
07:22 <@ordex> sorry I have to recheck your setup I think
07:22 <@ordex> let me read what you wrote earlier..
07:23 <@ordex> " CLI's internal net is 10.11.0.0/24, SRV's internal net is 10.20.0./22." so in theory over eth0 you should have 10.11.0.0/22
07:23 <@ordex> should not interfere
07:23 <@ordex> not sure why it wouldn't add, I'd need to check the routing table
07:24 <@ordex> to get a clue
07:24 < Kadigan> Okay. Let me expand a bit.
07:24 < Kadigan> eth0 is 192.168.100.0/255.255.255.0
07:24 < Kadigan> it's the WAN-facing port, connected to the Internet-facing modem
07:25 < Kadigan> br0 is the LAN side, bridging Ethernet LAN to WLAN
07:25 < Kadigan> and is 10.20.0.0/24
07:25 < Kadigan> openvpn creates tun2, 10.20.2.0/24
07:25 <@ordex> ok
07:25 < Kadigan> (wifi, as can be imagined, is shared between 2 and 5GHz, 10.20.1.0/24)
07:26 <@ordex> with its own bridge ?
07:26 < Kadigan> I don't remember the specifics right now.
07:26 <@ordex> ok
07:26 < Kadigan> All I recall is that I set it up so that things could route freely
07:26 < Kadigan> so it should route easily between 10.20.0.0/22
07:27 < Kadigan> and I added a rule to route 10.11.0.0/24 to iptables already
07:27 <@ordex> one question: why did you bridge LAN and WAN if on the WAN you have a totally different network that does not speak any 10.11.x.x ?
07:27 <@ordex> I don't think it is related, but I just wanted to understand
07:27 < Kadigan> I didn't bridge WAN. What gave you THAT idea?
07:27 < Kadigan> WAN is NATted.
07:27 <@ordex> ah sorry: I misread this "br0 is the LAN side, bridging Ethernet LAN to WLAN"
07:28 <@ordex> I read WLAN as WAN
07:28  * ordex tired
07:28 < Kadigan> Oh.
07:28 <@ordex> ok
07:29 < Kadigan> So yeah, I was trying to understand if "ip route add" did any sort of checking before adding the route
07:29 < Kadigan> so that it went "hey, 10.20.2.10, we want to route to 10.11.0.0 through you, is that cool?"
07:29 < Kadigan> and it said "tf is 10.11.0.0?"
07:29 < Kadigan> and so it failed.
07:30 < Kadigan> (which I would've changed to "sure, I know 10.11.0.0, coo'" by adding iroute 10.11.0.0 255.255.255.0)
07:30 <@ordex> nope, there is no such check
07:30 < Kadigan> Then that means that f*** all is going on in the routing table, and I don't know how to fix it.
07:30 < Kadigan> Ugh >.<
07:30 <@ordex> the only thing to make sure is that when you add a route with a specific nexthop, that nexthop has to be reachable through an interface
07:30 < Kadigan> Yeah, I can ping 10.20.2.10
07:30 < Kadigan> but adding the route doesn't work :D
07:31 <@ordex> well, we'd need to look at the routing table together
07:31 < Kadigan> (I still don't get why "iroute" is needed, since I'm specifically saying "via 10.20.2.10", which only one client can have at a time)
07:31 <@ordex> and at the error printed during the failure (sometime sit is just invalid arg ..but could be different)
07:31 < Kadigan> Fun fact: no error is given (ie. it acts as if it succeeds)
07:31 <@ordex> uhm
07:31 <@ordex> weird
07:32 < Kadigan> but that means nothing, technically -- dd-wrt also stripped out a LOT of stuff like that
07:32 <@ordex> ip route does not show it afterwards ?
07:32 < Kadigan> Nope.
07:32 <@ordex> yeah, unless you installed the full ip package
07:32 < Kadigan> Still says 10.11.0.0 is via eth0 (WAN)
07:32 <@ordex> well, we need to look at the table anyway :P we are just speculating now
07:33 < Kadigan> I'm fairly sure it's because eth0 is the default gw
07:33 < Kadigan> so no suprise there.
07:33 < Kadigan> What -did- suprise me is that a traceroute went out,
07:34 < Kadigan> which it shouldn't have.
07:34 < Kadigan> (-some- router out there should've gone "ho ho hold tf up, that's non-routable on public Internet, DENIED")
09:06 -!- dionysus70 is now known as dionysus69
11:28 < skateu> hi, do you know if I could use iroute option in client config for Access Server OpenVPN?
11:29 < skateu> I would like to use different network metrics for same IP addresses
11:30 < skateu> ok I see other channel for AS
11:30 < skateu> sorry
11:31 < Kadigan> Step #1: enter channel; Step #2:state question; Step #3: read the topic. // wow, at least step #3 was actually reached :D
11:31 < skateu> ;)
11:32 < skateu> it should be visable in 80x25 terminals if it is annoying you ;p
11:45 < Kadigan> Visibility is not the issue. But I'm just having a small laugh in the corner, don't mind me. :)
12:37 < Kadigan> ordex: so a weird thing happened... I sent someone to reboot the router, fully expecting OpenVPN to start up... seems it did not. Adding "iroute 10.11.0.0 255.255.255.0" to the client file somehow seems to have bricked openvpn entirely.
12:42 < DigitalHype> Are folks aware that build.openvpn.net is unreachable via ipv6 the past few days (maybe longer)? traceroute dies in amazon ec2 network. verified from at least two different source AS'es.
12:43 < DigitalHype> The reason I mention is that it is breaking (long timeout) on v6 enabled servers, for distro updates.
13:25 < svm_invictvs> Hey
13:26 < svm_invictvs> How well does OpenVPN running UDP from behind a NAT?
13:27 < Eugene> svm_invictvs - OpenVPN is pretty good at hole-punching
13:27 < svm_invictvs> Yeah?
13:29 < svm_invictvs> Man...I just realized how difficult my question was to parse...
13:29 < svm_invictvs> Yeah, I'm using TCP right now because...well...I was concerned about having to support my end users
13:29 < svm_invictvs> Trying to deal with UDP etc.
13:30 < svm_invictvs> I know there's all sorts of performance problems/issues with TDP for VPN....basically every packet gets double checked
13:30 < svm_invictvs> Stability > Performance
13:30 < svm_invictvs> but I was thinking I could actually swich it over to UDP, I just don't want all my users to call me and bitch
13:31 < svm_invictvs> I thought lots of NAT routers were pretty bad about letting UDP back through
13:32 < svm_invictvs> But I guess modern stuff isn't gonna have that much ofa problem
13:36 < Eugene> Older routers are bad at it. I haven't seen much problem with newer ones
13:36 < svm_invictvs> how old?
13:36 < Eugene> /shrug
13:36 < Eugene> "within the last 5 years" ? :-p
13:36 < svm_invictvs> Yeah
13:37 < svm_invictvs> I dont' think anybody has one odler than that
13:37 < Eugene> I have run into stupid problems, like NAT running out of ephemeral ports. Reboot fixes that
13:37 < svm_invictvs> That's old enough that if I switched it over I could say, "Figure it out, or buy new hardware."
13:37 < Eugene> On networks that I care about I use pfsense routers, the branded ones by netgate. Works great.
13:37 < MacGyver> svm_invictvs: You could, of course, simply provide both.
13:38 < Eugene> Pretty much. Also, you can have multiple <connection> blocks.... yup
13:38 < svm_invictvs> Eugene Yeah, that's what the VPN server is, ha
13:38 < MacGyver> svm_invictvs: UDP for those for whom it works, TCP as a fallback for when it doesn't.
13:38 < svm_invictvs> Eugene Small office VPN
13:38 < Eugene> Good, good
13:38 < svm_invictvs> MacGyver Yeah
13:39 < Eugene> The /real/ problem I have with cheapo NAT boxes(eg, Netgear or Comcast modem or whatever random hardware users have) is the inconsistency in RFC1918 network selection
13:39 < Eugene> It /generally/ seems to be 192.168.{0-100}.0/24; collisions of course happen anyway with most network schemes
13:40 < svm_invictvs> Yeah,
13:41 < svm_invictvs> When we moved to VPN, I was like, "okay make sure everybody is running soemthing other thatn 10.0.1.0/24 on your home network"
13:41 < svm_invictvs> I put it in the 10.x.x.x network for this specific reason
13:42 < MacGyver> If you pick something other than 0 or 1 for that first x, the odds of colliding with anything have already reduced drastically.
13:42 < Eugene> !1918
13:42 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#3) See !5737 for addresses to use for examples and documentation, or (#4) See !conflict for common conflicting address spaces.
13:42 < Eugene> Hmm, I thought we had a cgi picker link
13:43 < Eugene> "Pick a random /16" works for me
13:43 < svm_invictvs> MacGyver I could always buy IPs :P
13:43 < Eugene> I am a weird person and use RFC2544 space at home
13:43 < Eugene> Bonus: it doesn't conflict with anything
13:44 < svm_invictvs> uggh
13:44 < svm_invictvs> I always fuck up netmasks
13:44 < Eugene> `ipcalc` is nice
13:47 < svm_invictvs> Yeah
13:50 < svm_invictvs> Now I'm curious
13:50 < svm_invictvs> https://www.arin.net/fees/fee_schedule.html#threex
13:50 <@vpnHelper> Title: ARIN Fee Schedule (at www.arin.net)
13:50 < Eugene> You won't have a good time going through ARIN directly unless you legitimately need an ASN
13:50 < svm_invictvs> "Larger than /24 up to an including /22" that's not that many addresses for $500
13:50 < Eugene> Better to buy through your ISP
13:51 < svm_invictvs> Eugene Oh I know, I just got really really curious
13:51 < svm_invictvs> lol
13:51 < Eugene> Yeah, but you'll never actually /get/ it. You need a lot of papework to prove your need
13:51 < svm_invictvs> Yeah
13:51 < MacGyver> (impressions of) scarcity drives price.
13:51 < svm_invictvs> I would suspect the fees required in filing the paperwork are 10x that
13:51 < Eugene> Nope, these are the paperwork filing fees :-p
13:52 < MacGyver> Ah if only IPv6 were turnkey.
13:52 < svm_invictvs> Eugene Yeah, paying somebody with the knowledge and know-how
13:52 < svm_invictvs> Eugene Like filing a patent.  THe actual patent fees are cheap.  Paying the attorney to write the application is the expensive bit.
13:53 < Eugene> Yup! Or you go to class and learn to file yourself, because attorney is really just a fancy term for "licensed to file the paperwork on your behalf"
13:53 < svm_invictvs> Yeah
13:53 < svm_invictvs> Eugene That "class" is called "law school"
13:53 < svm_invictvs> :P
13:54 < svm_invictvs> A buddy of mine is a patent attorney
13:54 < Eugene> Depends how broad your neds are
13:54 < svm_invictvs> That's true
13:54 < Eugene> Single patent? Sure, you can write that up yourself
13:54 < Eugene> RUnning a research corporation? Should probably hire a patent guy
13:54 < svm_invictvs> Yeah
13:54 < svm_invictvs> I'm looking at $7000 for a patent
13:54 < svm_invictvs> :P
13:55 < Eugene> Reasonable
13:55 < svm_invictvs> Yeah
14:54 <@ecrist> at previous $work I went through ARIN for v4/v6 and ASN
14:54 <@ecrist> it was pretty painless, to be honest.
14:56 <@ecrist> Eugene: WTF is RFC2544?
14:56 < Eugene> Thats the point
14:57 <@ecrist> https://www.ietf.org/rfc/rfc2544.txt
14:58 < Eugene> Its one of the more obscure reserved/non-routable blocks. Unlike multicast space or the other ones it has no special treatment in most OS routing tables, because it is actually intended to be used for testing
16:02 < aykut> hey guys
17:07 < randomA> hey, i'd like to set up a vpn service off my router
17:08 < randomA> i want to offer people VPNs?
17:08 < randomA> how can i configure that
17:38 < mojtaba> Hello, while I am connected through VPN, I can ping 8.8.8.8, but I can not ping google.com; does anybody know what could be wrong?
17:38 < str4nd> dns
17:39 < mojtaba> str4nd: I know, I mean what should I do?
17:40 < mojtaba> I had the same settings as before, and it was working. But now it is not working.
17:40 < Eugene> !redirect
17:40 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
17:40 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
17:40 < Eugene> Flowchart ^
17:59 < mojtaba> Eugene: I have these settings on my client and server.
19:45 < cagedwisdom> can someone help me create an ipv6 vpn?
20:46 < LordDread> !welcome
20:46 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
20:46 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
20:48 < LordDread> !route
20:48 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
20:58 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
20:58 -!- mode/#openvpn [+o krzee] by ChanServ
--- Day changed Fri Jul 14 2017
06:02 <@krzee> buenos
06:23 < skyroveRR> eh?
06:24 <+hyper_ch> skyroveRR: that was spanish :)
06:24 < skyroveRR> ah.
06:25 <+hyper_ch> skyroveRR: krzee knows a lot of language... next to english and spanish also bash and probably c
06:25 < skyroveRR> <-- hindi bhi bolta hai.
06:27 <@krzee> not much c =[
06:27 <@krzee> but my bash, spanish, english are strong
06:27 <+hyper_ch> vamos a la playa
06:27 <@krzee> but definitely not a word of hindi :D
06:27 <@krzee> hyper_ch: vamanos!
06:27 < skyroveRR> :)
06:27 <+hyper_ch> bodhi
06:28 <+hyper_ch> karma
06:28 < skyroveRR> krzee: i'll teach!
06:28 <@ordex> krzee: and no italian? what a disappointment.
06:28 <@krzee> actually i found italian to be somewhat easy
06:28 <@krzee> i speak spanish, they understand
06:29 <@krzee> they speak italian, i understand
06:29 <@ordex> :D
06:29 < skyroveRR> I speak hindi, no one understands :(
06:29 <@krzee> plus i had a lot of exposure to it when young
06:29 <@krzee> grandpa was first generation american italian
06:29 <+hyper_ch> you got infected by italian?
06:30 <@krzee> like his parents didnt speak english
06:30 <@krzee> so dinner time was always manga
06:30 <@krzee> etc
06:31 <+hyper_ch> manga? oO
06:31 <@krzee> 'lets eat;
06:31 <@ordex> lol
06:31 <+hyper_ch> ah... mangiare
06:31 <@ordex> manga dinner
06:31 <+hyper_ch> with manga I associate japanese cartoons
06:31 <@krzee> hyper_ch: i cant spell it
06:31 <+hyper_ch> voglio mangiare una pizza
06:32 <+hyper_ch> I only know bits and parts in italian :(
06:32 <@krzee> i was not impressed by pizza in italy lol
06:33 <@krzee> i think new york does it better
06:33 <+hyper_ch> they don't know deep dish pizza
06:33 <+hyper_ch> or what's the name again in chicago
06:33 <@krzee> ya chicago style too
06:34 <+hyper_ch> is Domino's actually any good?
06:34 <@krzee> no
06:34 <+hyper_ch> awwww
06:34 <@krzee> nor is budweiser
06:34 <+hyper_ch> I heard there's now also a Domino in Zurich and thought I might test it when I'll go there
06:34 <+hyper_ch> so Pizza Hut is better than Domino?
06:34 <@krzee> no
06:35 <@krzee> both crap
06:35 <@krzee> with pizza and beer in USA, you want to find the good local stuff
06:35 <+hyper_ch> :)
06:36 <@krzee> i guess the bigger the company the less likely to get good quality, i hadnt thought of it that way but it seems to be the case
06:38 <+hyper_ch> when I was in Australia I actually liked the Work's Deal from pizza hut... all you can east for 4.99 + beverages
06:38 <+hyper_ch> but that was 20 years ago
06:38 <@krzee> ahh, so in USA theres a commercial "fosters, Australian for beer"
06:39 <@krzee> but as you know, nobody over there drinks fosters
06:39 <@krzee> they over there drinking VB and carlton
06:39 <+hyper_ch> since Merican's don't know anything about beer, one can sell them everything ;)
06:40 <@krzee> theres really good small brew beer in america
06:40 <@krzee> thats why i say you gotta find the local stuff
06:40 <@krzee> the best beer from USA doesnt make it out of its general area
06:41 <@krzee> so california's best beer generally stays in california, for example... possibly even its part of california (north / south)
06:41 <+hyper_ch> :)
06:41 <+hyper_ch> you're in Cali?
06:41 <+hyper_ch> I keep forgetting
06:41 <@krzee> nah i dont live in usa
06:41 <@krzee> but im from there
06:42 <+hyper_ch> weird... I always picture you being there :)
06:42 <@krzee> picture a tropical island
06:42 <+hyper_ch> there's too many of those
06:43 <@krzee> you may underestimate the sheer size of california :D
06:43 < havoc> krzee: Wisconsin is the same, best beer is "local"
06:43 <@krzee> havoc: ya i strongly believe that... i think its most USA
06:43 < havoc> but that's the case with most things; mass-produced suffers degraded quality
06:44 < havoc> any product, anywhere in the world
06:44 <@krzee> thats what i loved about greece
06:44 <@krzee> they dont mass produce, everything was high quality
06:45 < havoc> not sure that helped their economy any :(
06:45 <@krzee> even the soap in the hotel was so nice i had to go out and buy some
06:45 < havoc> it's a catch22
06:46 < Murda> Is there way how I can make client to be connected to same LAN and assign address that belongs to this LAN?
06:46 <@krzee> i dont know the realities of their economy and not going to pretend the news told me
06:46 <@krzee> the truth*
06:46 <@krzee> Murda:
06:46 <@krzee> !goal
06:46 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:46 < havoc> krzee: wise course of action :)
06:46 <@krzee> instead of starting with what you think is the solution, please tell us the end game
06:47 <+hyper_ch> end game -> taking over the world
06:47 <@krzee> ok pinky
06:47 < havoc> krzee: s/Pinky/Brain/
06:47 <+hyper_ch> :)
06:47 <@krzee> didnt wanna make him brain lol
06:47 < Murda> I would like to make clients to able to connect to same lan as where VPN server is hosted, is it possible?
06:48 <@krzee> Murda: yes, do you need layer2 (traffic to mac address) or layer3 (ip traffic) ?
06:48 < Murda> krzee, layer3
06:49 <@krzee> ok so you do not need to have an ip on the same lan, you just need proper routing
06:49 <@krzee> !route
06:49 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
06:49 <@krzee> read that a couple times please
06:50 <@krzee> !serverlan
06:50 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
06:56 < Alchemy> hey all whats the name of that thing with a directory where you have different configs for different clients
06:57 < Alchemy> ccl ccd or something?
06:59 <@krzee> !ccd
06:59 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
07:07 < Alchemy> krzee, cheers
07:07 < Alchemy> btw guys, I start openvpn as a service
07:07 < Alchemy> so no need for openvpn gui to be running
07:07 < Alchemy> but it still seems to start automatically
07:07 < Alchemy> anyway I can tell it not to?
07:07 <@krzee> not sure, i dont use windows... id say most likely though
07:08 < Alchemy> can't see it in msconfig
07:08 < Alchemy> suppose I could just rename the gui .exe
07:08 <@krzee> does it have its own settings?
07:08 < Alchemy> not that I can see
07:08 <@krzee> ya i dunno, if you hang around surely somebody who uses windows will pop in
07:09 <@krzee> i bet hyper_ch uses windows!
07:09 < Alchemy> :)
07:09 < Alchemy> I am running inwodws server on a freebsd bhyve instance
07:09 < Alchemy> connecting to it via rdp over openvpn
07:09 < Alchemy> kinda awesome but so wrong
07:09 < Alchemy> lol
07:09 <@krzee> haha
07:09 < Alchemy> tell you what though its so much lighter than you expect it to be
07:10 <+hyper_ch> krzee: actually I have a Windows VM
07:10 <+hyper_ch> how did you know?
07:10 < Alchemy>   PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
07:10 < Alchemy> 49421 root         22  20    0  5156M  1573M kqread  2   6:51   1.10% bhyve
07:10 < Alchemy> thats 2012R2 as well
07:12 < Alchemy> hyper_ch, do you run openvpn as a system service
07:12 < Alchemy> or do you use the gui tool thing
07:13 <+hyper_ch> I have script that starts the tunnel and connects the network shares
07:13 < Alchemy> hmm
07:13 <@krzee> more to the point, do you know how to stop the gui from starting
07:13 < Alchemy> hyper_ch, indeed ^ I start it via windows services, all works great but I still get the gui tool in systray
07:13 < Alchemy> cannot even see where its been started from
07:14 < Alchemy> got around it temporarily by renaming openvpn-gui to open-gui-backup
07:14 < Alchemy> but not exactly an ideal solution
07:23 <+hyper_ch> Alchemy: https://paste.simplylinux.ch/view/6d2e5482 the batch file that runs when the user logs in
07:25 <@krzee> hyper_ch: when that starts on its own, does openvpn-gui start anyways?
07:25 <@krzee> or did you find how to stop it?
07:25 <+hyper_ch> krzee: not sure what you mean
07:25 <@krzee> you are not starting openvpn via the gui
07:26 <@krzee> did you stop the gui from running?
07:26 <+hyper_ch> nope, via script
07:26 <+hyper_ch> yes, the openvpn gui that was added to auto start was removed
07:26 <@krzee> how did you remove it from auto start?
07:26 <+hyper_ch> right-click the tray icon, settings, uncheck some box
07:27 <+hyper_ch> or something like that
07:27 <@krzee> Alchemy: ^
07:27 < Alchemy> hyper_ch, cheers
07:27 <+hyper_ch> like any sane program in windows
07:27 <+hyper_ch> only vicious programs can't be easily removed from autostart
07:27 <@krzee> he didnt find where the settings were and i dont have it to look
07:27 < Alchemy> its not in msconfig
07:27 < Alchemy> and startup (start menu) does not work on my windows version
07:28 < Alchemy> but if that bat is being called on service start
07:28 < Alchemy> would explain it though pretty unlikely
07:28 <@krzee> right click tray icon - settings
07:31 < Alchemy> ah
07:31 < Alchemy> got it
07:31 <@krzee> hyper_ch++
07:31 < Alchemy> :)
07:31 < Alchemy> hyper_ch++
07:33 <+hyper_ch> krzee: I wonder, if Yealink even can handle TA
07:33 <@krzee> TA?
07:34 <+hyper_ch> tls-auth
07:34 <+hyper_ch> still can't get it to upload or accept or use the .tar
07:35 <@krzee> if you cant get it to upload then why would you think a piece of the contents is to blame?
07:35 <+hyper_ch> I don't know if it actually gets uploaded
07:35 <@krzee> id be looking for a different browser that works
07:35 <@krzee> of course it gets uploaded!
07:35 <+hyper_ch> I tried different browsers and even windows
07:35 <@krzee> ask yealink support?
07:36 <@krzee> or get an snom
07:36 <+hyper_ch> then why doe the form field say samething like  c:\fakepath\openvpn.tar   after selecting it
07:36 <@krzee> lol
07:36 <@krzee> dunno dude, i use better phones
07:36 <+hyper_ch> :)
07:37 <@krzee> http://forum.yealink.com/forum/archive/index.php?thread-13952.html
07:37 <@vpnHelper> Title: Yealink Forums - can't setup openvpn with t48g (at forum.yealink.com)
07:37 <+hyper_ch> krzee: latest post from me ;)
07:38 <@krzee> haha
07:38 <@krzee> nice
07:38 <+hyper_ch> I even tried have certs and keys as seperate files
07:38 <@krzee> for the record, yealink cant run scripts
07:39 <@krzee> they ripped out the scripting interface
07:39 <+hyper_ch> what do you mean by that?
07:39 <@krzee> !script
07:39 <@vpnHelper> "script" is (#1) See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR, or (#2) to see all vars available to a script, you can env > /tmp/env, or (#3) if using bash you can put exec 2>&1 in the first line of your script and it will send all error output to
07:39 <@vpnHelper> your openvpn log. set -x as well to show your commands as they are executed
07:39 <@krzee> none of that works on a yealink
07:39 <+hyper_ch> ok
08:05 < Alchemy> in regards to ccd
08:05 < Alchemy> if my client was
08:05 < Alchemy> Jul 14 12:49:02 hetzner openvpn[49254]: coinproject.tmp.group/172.19.18.2 peer info: IV_VER=2.4.3
08:06 < Alchemy> would my sub directory in ccd/ be 'coinproject' or 'coinproject.tmp.group'
08:06 <@krzee> coinproject.tmp.group
08:06 < Alchemy> ah cool
08:07 < Alchemy> krzee++
08:07 <@krzee> your common-name
08:23 < Alchemy> krzee, I am right in thinking that the route's etc that are in openvpn.conf will still apply to whatever I put in ccd/client right, ccd/client is 'in addition to'
08:23 <@krzee> correct
08:23 < Alchemy> cool
08:35 <@ordex> krzee: typo
08:35 <@ordex> !script
08:35 <@vpnHelper> "script" is (#1) See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR, or (#2) to see all vars available to a script, you can env > /tmp/env, or (#3) if using bash you can put exec 2>&1 in the first line of your script and it will send all error output to
08:35 <@vpnHelper> your openvpn log. set -x as well to show your commands as they are executed
08:35 <@ordex> krzee: VARIALBES
08:35 <@ordex> and the man points to 2.3
08:35 <@krzee> haha and it was copied from the manual at some point i think
08:35 <@ordex> lol
08:38 <@krzee> !forget script *
08:38 <@vpnHelper> Joo got it.
08:38 <@krzee> learn script as See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage#lbAS
08:38 <@vpnHelper> Title: Openvpn24ManPage – OpenVPN Community (at community.openvpn.net)
08:38 <@krzee> !learn script as See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage#lbAS
08:38 <@vpnHelper> Joo got it.
08:39 <@krzee> !learn script as to see all vars available to a script, you can env > /tmp/env
08:39 <@vpnHelper> Joo got it.
08:39 <@krzee> !learn script as if using bash you can put exec 2>&1 in the first line of your script and it will send all error output to
08:39 <@vpnHelper> Joo got it.
08:39 <@krzee> !script
08:39 <@vpnHelper> "script" is (#1) See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage#lbAS, or (#2) to see all vars available to a script, you can env > /tmp/env, or (#3) if using bash you can put exec 2>&1 in the first line of your script and it will send all error output to
08:40 <@krzee> all better
08:41 <@ordex> ;)
08:44 <@krzee> grr
08:44 <@krzee> !forget script 3
08:44 <@vpnHelper> Joo got it.
08:44 <@krzee> !learn script as if using bash you can put exec 2>&1 in the first line of your script and it will send all error output to your openvpn log. set -x as well to show your commands as they are executed
08:44 <@vpnHelper> Joo got it.
08:44 <@krzee> !script
08:44 <@vpnHelper> "script" is (#1) See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage#lbAS, or (#2) to see all vars available to a script, you can env > /tmp/env, or (#3) if using bash you can put exec 2>&1 in the first line of your script and it will send all error output to
08:44 <@vpnHelper> your openvpn log. set -x as well to show your commands as they are executed
08:45 <@ordex> :]
08:55 <@krzee> !random
08:55 <@vpnHelper> "port-share": When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh. Not
08:55 <@vpnHelper> implemented on Windows.; "examples": There are some useful examples in the OpenVPN HowTo: https://openvpn.net/index.php/open-source/documentation/howto.html#examples; "testing": "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these
08:55 <@vpnHelper> features become part of the stable branch
08:55 <@krzee> haha
08:55 <@krzee> !random
08:55 <@vpnHelper> "winshortcut": To start OpenVPN-GUI easily on Windows, make a shortcut and set the Target as: \"C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe\" --config_dir \"C:\path\to\config\" --connect client.ovpn --show_balloon 0 --silent_connection 1 --show_script_window 0; "shaping": to enable traffic shaping on clients, you do this in your firewall. it is unrelated to openvpn. it is called QOS,
08:55 <@vpnHelper> and in linux you would enable it in iptables with tc; "nsupdate": http://scarydevilmonastery.net/client_connect_nsupdate for a script Bushmills wrote to solve the question How can my vpn update my nameserver?
08:55 <@krzee> umm weird
08:56 <@krzee> !winshortcut
08:56 <@vpnHelper> "winshortcut" is To start OpenVPN-GUI easily on Windows, make a shortcut and set the Target as: \"C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe\" --config_dir \"C:\path\to\config\" --connect client.ovpn --show_balloon 0 --silent_connection 1 --show_script_window 0
08:56 <@krzee> oh !random is pulling 3 factoids it looks like
08:56 <@krzee> so its like !randomflood
09:04 < upbeta> what is the easiest way to sync VPN Users to multiple VPN Server? Like a setup 3 VPN Server (1) SG (2) US (3) UK
09:09 < skyroveRR> upbeta: uh.. "sync VPN users to multiple VPN server" .. not sure what you mean.... elaborate please.
09:09 <@krzee> upbeta: sync users?
09:09 <@krzee> just use the same PKI
09:09 <@krzee> !pki
09:09 <@vpnHelper> "pki" is (#1) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed specially as a server (see !servercert), or (#2) !certman for various PKI management tools, or (#3) see !intro-to-pki
09:10 < skyroveRR> Hmm. Didn't know "sync users" meant anything to do with PKI, but good to know.
09:10 <@krzee> well, he seems to not understand how users exist in openvpn
09:10 < upbeta> @krzee - well, what the objective is.. when admins create VPN user say from SG Server.. the user should be able to connect to US and UK. I assumed US and UK server needs to have the same user details from SG in order for it to allow the connection (excluding the gateway)
09:10 <@krzee> before you use it you could think the server has some sort of user store
09:11 <@krzee> upbeta: look into how PKI works
09:11 < upbeta> thanks for pointing me to the direction.. reading PKI now..
09:11 <@krzee> if both servers use certs that were signed by the same ca.key, and the users are signed by it to, then the clients can connect to either
09:12 <@krzee> too*
09:23 <@krzee> !whoami
09:23 <@vpnHelper> support
09:23 <@ordex> !whoami
09:23 <@vpnHelper> ordex
09:23 <@ordex> ah!
09:24 <+hyper_ch> !whoami
09:24 <@vpnHelper> I don't recognize you.
09:24 <+hyper_ch> excellent!
09:24 <@ordex> :D
09:24  * hyper_ch is anonymously surfing the web
09:24 <+hyper_ch> nobody recognizes me
09:24 <+DArqueBishop> !whoami
09:24 <@vpnHelper> I don't recognize you.
09:24 <@krzee> !seen hyper_ch
09:24 <@vpnHelper> hyper_ch was last seen in #openvpn 2 seconds ago: <hyper_ch> nobody recognizes me
09:25 < eworm> !whoami
09:25 <@vpnHelper> I don't recognize you.
09:25 <@krzee> !stats
09:25 <@vpnHelper> I have 7 registered users with 6 registered hostmasks; 3 owners and 0 admins.
09:25 < Murda> krzee: Is it possible to join to AD domain by using OpenVPN?
09:25 <+hyper_ch> how does one join AD domain?
09:25 <+hyper_ch> (and what is AD domain?)
09:26 <@krzee> i believe you can
09:26 <+DArqueBishop> Murda: so long as the VPN client has the AD domain's DNS servers configured, there's no reason why it shouldn't.
09:26 <@krzee> active directory, windows LDAP
09:26 <+hyper_ch> ldap? /me shivers
09:26 <@krzee> very preconfigured windows LDAP rather
09:26  * DArqueBishop shrugs.
09:27 <+DArqueBishop> I'm pretty open that there are some things MS produces that are better than anything available in Linux et al. ADS is one of them.
09:27 <+hyper_ch> I have to say, Samba runs really well
09:27 <@krzee> lol
09:27 <@krzee> hella wannacry victims disagree
09:28 <+hyper_ch> running a document/data server with samba... only let it access through the vpn
09:28 <+hyper_ch> (and of course have nightly incremental snapshot-style backups)
09:29 <+hyper_ch> krzee: did you have a look at borg backup? it looks rather intersting
09:29 <+hyper_ch> still using rsync with hardlinks though
09:30 <+DArqueBishop> Interesting.
09:30 <+DArqueBishop> I use Duplicity on my Linux boxes and Backblaze on my primary Windows desktop.
09:31 <+hyper_ch> never heard of backblaze
09:31 <+hyper_ch> but you know, with windows 10, you can now also use native rsync and probably also duplicity
09:31 <+DArqueBishop> It's a cloud backup service.
09:32 <+hyper_ch> oh... you trust the "cloud"?
09:32 <+DArqueBishop> They're pretty notable for publishing their stats on hard drive efficiency and error rates.
09:32 <+DArqueBishop> They haven't had any breaches of which I'm aware of.
09:36 <+hyper_ch> but it's the "Cloud"
09:36 <+hyper_ch> nobody really knows what the "Cloud" is or what it does or where it is.....
09:42 <@krzee> there is no cloud
09:42 <@krzee> theres only other peoples servers
09:43 <+hyper_ch> can't be... since it's a cloud service
09:43 <+hyper_ch> it can't be just other peoples servers
09:43 <+hyper_ch> that does not make sense
09:43 <+hyper_ch> :)
09:48  * DArqueBishop shrugs.
09:48  * hyper_ch thinks DArqueBishop likes to shrug
10:18 -!- upbeta____ is now known as upbeta
10:19 <+hyper_ch> syzzer: do you know all the crypto stuff?
10:21 <@krzee> hyper_ch: in relation to what?
10:21 <@krzee> he knows a lot about crypto, but he doesnt know "all the crypto stuff" lol
10:21 <+hyper_ch> krzee: someone in #letsencrypt asked about where to find material about cryptography etc...
10:22 <@krzee> unless you mean as it related to openvpn, in which case he does
10:22 <@krzee> google! lol
10:22 <+hyper_ch> and i wasn't sure how much syzzer is actually involved with the crypto part of openvpn
10:22 <@krzee> theres SO much info out there
10:22 <+hyper_ch> google hates me :(
10:22 <@krzee> hates the other guy too apparently
10:22 <@krzee> you looking for something specific?
10:22 <+hyper_ch> 17:09:27 Matapatapa  Do you guys know of any good resources to learn more about encryption? Some actual substance? Ive tried youtube, lynda, udemy but no luck.
10:22 <@krzee> crypto is a huge field
10:23 <@krzee> 1sec
10:23 <+hyper_ch> I guess crypto is a bit more "special" than high school math
10:23 <@krzee> https://www.coursera.org/learn/crypto
10:23 <+hyper_ch> ha, google found that for me as well and I gave him that link
10:23 <@krzee> free stanford class on crypto
10:23 <@syzzer> ^^ yes, that wone is great
10:24 <@krzee> i took that class
10:24 <@krzee> it was good stuff
10:24 <@syzzer> the posts on blog.cryptographyengineering.com are also great
10:24 <@syzzer> or, .org, not sure
10:25 <+hyper_ch> .com
10:26 <+hyper_ch> back in the old days we just had Alice and Bob...
10:26 <@krzee> alice and bob are alive and well
10:27 <@krzee> and still care about their privacy
10:27 <@krzee> http://www.aliceandbob.com/
10:27 <@vpnHelper> Title: The Story of Alice and Bob (at www.aliceandbob.com)
10:27 <@krzee> lol
10:45 -!- gthank is now known as gthank_away
10:47 -!- gthank_away is now known as gthank
10:47 -!- gthank is now known as gthank_away
10:53 -!- gthank_away is now known as gthank
15:03 < Trupsalms> Centos 7 systemd trying to run a config file on boot from /etc/openvpn/config please help
18:10 <@krzee> Trupsalms: is your problem an openvpn problem or a systemd problem?
18:10 <@krzee> if you can start openvpn from commandline without an issue, then its a systemd issue
18:11 <@krzee> you can wait for somebody here who knows systemd but id recommend asking in a linux help channel if your problem is isolated to systemd
18:11 <@krzee> (the question is on-topic, im just saying you may get a faster response there)
19:26 < Trupsalms> krzee: its both, i'm trying to get the client to start on boot
19:38 <@krzee> sounds like systemd
19:38 <@krzee> in other words, every system has its own way of doing it, and im not familiar with yours
19:38 <@krzee> older linux style would run every .conf that was in /etc/openvpn
19:39 <@krzee> thats all i got
19:39 <@krzee> im sure ordex or hyper_ch or Eugene know
19:55 < nejni-marji> is there any obvious reason my vpn should stop working if I disable ipv6 on my computer
19:56 <@krzee> got logs?
20:00 < nejni-marji> https://bpaste.net/show/293c1a45e1af
20:04 <@krzee> i dont see a problem
20:06 < nejni-marji> I actually don't know very much about OpenVPN or VPNs in general but the specific issue I'm having, I believe, is I'm not getting DNS resolution
20:06 < nejni-marji> which I tested by trying to access my personal website via ip and domain name
20:07 <@krzee> !pushdns
20:07 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for
20:07 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
20:08 <@krzee> !dns
20:08 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
20:08 <@krzee> grr
20:08 <@krzee> !factoids search dns
20:08 <@vpnHelper> 'block-outside-dns', 'blockdns', 'brokendns', 'dns', 'dnsbind', 'dnsmasq', 'googledns', 'nodns', 'opendns', 'pushdns', 'splitdns', 'win-dns', 'win-dns-vista-7', 'win-dns-xp', and 'windns'
20:08 <@krzee> brokendns
20:08 <@krzee> !brokendns
20:08 <@vpnHelper> "brokendns" is (#1) Odds are you are using a nameserver that is not configured to allow requests from your VPN's server IP. When you redirect your internet over the vpn the nameserver sees you as coming from the server IP and stops responding to your dns queries. you can verify this by pinging 8.8.8.8, and can fix this by setting your nameserver to 8.8.8.8 (or any other publicly accessible dns
20:08 <@vpnHelper> server), or (#2) you can make openvpn do this for you by seeing !pushdns
20:10 < nejni-marji> that fixed it, thanks :)
20:11 <@krzee> np =]
20:45 < Trupsalms> krzee: error = https://pastebin.com/NeEcY7ex
20:46 < Trupsalms> close to having it working, i just need to troubleshoot this error and/or issue, but i'm lost
20:49 < Trupsalms> when its starts i get locked out of the system via ssh remote connection
20:49 <@krzee> show me verb 4 from both sides if you can
20:50 <@krzee> not sure why theres no timestamps but that would help too
20:50 < Trupsalms> how to verb 4, is that a setting that i would put in the config file
20:55 <@krzee> !verb
20:56 <@vpnHelper> "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info, or (#2) verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage., or (#3) Anything more than 5 is for developer debugging only (special debug build needed)
20:56 <@krzee> !--
20:56 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
22:39 < Eugene> !systemd
22:39 <@vpnHelper> "systemd" is (#1) the devil!, or (#2) At least for those who wants keep living in the past ...., or (#3) Have troubles with OpenVPN and systemd? Try reaching out to dazo
22:39 < Eugene> Oy
22:39 < Trupsalms> can't really help the system it gets install on
22:40 < Eugene> Trupsalms - to start /etc/openvpn/foo.conf: `systemctl start openvpn@foo`
22:40 < Eugene> And enable/disable/etc
22:40 < Trupsalms> Eugene: the config file is located in /etc/openvpn/config/US-Miami
22:41 < Eugene> Yeah that won't work :-p
22:41 < Trupsalms> this is where i'm having the issue
22:41 < Eugene> And wtf, tigervpn? I don't think we can help you with that
22:41 < Eugene> You'll need to move the config file to the right place, for a start
22:41 < Eugene> https://fedoraproject.org/wiki/Openvpn#Working_with_systemd
22:41 <@vpnHelper> Title: Openvpn - FedoraProject (at fedoraproject.org)
22:41 < Trupsalms> this might help
22:41 < Eugene> !factoids learn systemd https://fedoraproject.org/wiki/Openvpn#Working_with_systemd
22:41 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
22:41 < Eugene> vpnHelper - fuck you
22:42 < Trupsalms> i have a cloud server that i'm using as a proxy / openvpn
22:42 < Trupsalms> so!
22:43 < Trupsalms> the proxy /openvpn cloud server, my in house computers connects to the openvpn, but i also want that openvpn server to connect to my paid vpn subscription
22:45 < Eugene> Ah.
22:45 < Eugene> That's a fun setup! I think you get to learn policy routing
22:45 < Trupsalms> so accepts connections from remote machines, but also joins a connection to a paid service
22:45 < Trupsalms> lol
22:46 < Trupsalms> halfway there, just stuck on this systemctl
22:55 < Trupsalms> with verb 4 https://pastebin.com/pUFQs25n
23:21 < Trupsalms> Anyone
--- Day changed Sat Jul 15 2017
01:40 -!- nejni-marji is now known as nejni-marji---E
01:41 -!- nejni-marji---E is now known as nejni-marji
02:56 -!- nejni-marji is now known as nejni-marji---E
02:56 -!- nejni-marji---E is now known as nejni-marji
03:34 < Druid05> Hello
03:35 < Druid05> I have two openvpn server configs, one on 1.1.1.0/24 and one on 2.2.2.0/24
03:36 < Druid05> i use " -o ens3 -j MASQUERADE" , and works fine for 1.1.1.0/24 but when i try to do same thing for secondary IP not works , which is on ens3:1
03:37 < Druid05> i tryed with "-j SNAT --to-source " too, but i can not use secondary ip on 2.2.2.0/24 ip pool..
03:37 < Druid05> some help?
03:48 -!- Alchemy is now known as daemon
03:49 -!- dionysus70 is now known as dionysus69
06:20 <@ordex> Druid05: what is ens3 exactly ?
06:20 <@ordex> the uplink interface ?
06:20 <@ordex> of the vpn ?
06:28 < Druid05> yes
06:34 <@ordex> Druid05: sorry my second question was "OR the vpn interface?"
08:02 -!- dionysus70 is now known as dionysus69
08:44 < Trupsalms> i reinstall centos 6.5 instead of centos 7 because of systemd, i have found the issues i was facing, which is - but instances trys to share the same tun, so my question is how to create multiple tuns?
08:46 -!- bjoe2k4 is now known as hapodfjhpsodf
08:47 -!- hapodfjhpsodf is now known as bjoe2k4
08:48 <@ordex> Trupsalms: the --dev congi option can be used for that
08:48 <@ordex> just specify a different name for each instance there
08:55 < Trupsalms> ordex: so in one of my config files where i have dev tun, i could lets say in the other config dev tun1?
08:55 <@ordex> correct
08:55 < Trupsalms> thanks i'll try that
08:55 <@ordex> np
08:56 < Trupsalms> presist-tun, would i need to change that as well
09:15 <@ordex> Trupsalms: nope, that's not related to the name
09:15 <@ordex> it's another thing
09:49 <@krzee> !learn systemd as https://fedoraproject.org/wiki/Openvpn#Working_with_systemd
09:49 <@vpnHelper> Joo got it.
09:51 <@krzee> Trupsalms: take every config option in your configs, and read about them each in the manual
09:51 <@krzee> !man
09:51 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
10:57 < Trupsalms> krzee: openvpn server works fine on boot, via tun0, for remote connections. when using the same openvpn sever to connect to a vpn, changing the dev tun in config to dev tun1, and issues command to start, it still hijacks tun0 and stead of adding another interface with tun1, so as when i run ifconfig i should see two tun devices
11:02 <@ordex> Trupsalms: then you should provide your configs and logs to see what's going on
11:02 <@ordex> this is not expected
11:02 <@ordex> !configs
11:02 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
11:02 <@ordex> !logs
11:02 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
11:05 -!- dionysus70 is now known as dionysus69
11:29 <@krzee> you probably have dev tun0 in your config
11:30 <@krzee> but like ordex was saying, we can only help with more info
11:45 < Trupsalms> config: https://pastebin.com/vnaiQhnq and log: https://pastebin.com/zMFZJprc = This is the remote server for which my client computer is connection to
11:49 <@ordex> Trupsalms: the logs looks good. the server is opening tun1 and the client is connecting fine
11:49 <@ordex> no?
11:49 <@ordex> what is the problem in this case?
11:50 < Trupsalms> when i run the second config file, i lose access to the server including remote ssh
11:52 <@ordex> maybe a route problem ?
11:52 < Trupsalms> iptables tun devices only, but tun before second config is ran: https://pastebin.com/6JJXyd09
11:55 < Trupsalms> collection other logs now
11:58 < Trupsalms> config: https://pastebin.com/mwVX1dvn and log: https://pastebin.com/7BgQUa62 = Both these Configs need to be ran on the same server
11:59 <@krzee> ohhh
11:59 <@krzee> heh
11:59 <@krzee> !factoids search route
11:59 <@vpnHelper> 'dlink_static_route', 'external_routes', 'iroute', 'ppp_defaultroute', 'route', 'route-nopull', 'route_outside_openvpn', 'route_outside_ovpn', 'route_override', 'routebyapp', 'router', 'splitroute', and 'winroute'
11:59 <@krzee> !splitroute
11:59 <@vpnHelper> "splitroute" is (#1) see https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet, or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
11:59 <@krzee> your second vpn uses redirect-gateway
12:00 <@krzee> which redirects all your traffic over the vpn, and breaks any connections that expected it to come from the physical interface
12:00 < Trupsalms> even so i don't think i should lock me out of ssh, first issues
12:00 <@krzee> yes, it should
12:00 <@krzee> networking doesnt care what you think it should do, this is how it works ;]
12:01 < Trupsalms> not arguing :)
12:02 <@krzee> i wrote the bottom section "note on another way to do it"
12:02 <@krzee> wrote it for you =]
12:04 < Trupsalms> End goal i want all traffic route over the vpn connection . ., but don't want to be locked out via remote ssh connection
12:04 <@krzee> yes, you want to read what i wrote for you
12:04 <@krzee> !splitroute
12:04 <@vpnHelper> "splitroute" is (#1) see https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet, or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
12:04 <@krzee> bottom of that link ^
12:04 <@krzee> "Note on another way to do it"
12:05 <@krzee> i give you the commands and a full explanation... you just need to read it
12:07 < Trupsalms> thanks i will, if i don't understand or can't get it to work i'll ask again
12:21 < aykut> hey guys
12:21 < aykut> my routing on windows 7 doesnt seem works properly
12:22 <@krzee> !goal
12:22 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:22 < aykut> okey
12:23 < aykut> i would like to access websites over VPN
12:23 < Trupsalms> krzee: thanks it works
12:24 < Trupsalms> one issues down
12:24 < aykut> Created ovpn files for various computers & phones
12:24 < Trupsalms> whenever the second config is ran, it closes the default or in simple dev tun1
12:25 < aykut> over phone i can access websites without ISP Blocking
12:25 < Trupsalms> i'm trying to get both to run co-current
12:25 < aykut> over win7 i cant
12:25 < aykut> changed priotry of network devices
12:26 <@krzee> Trupsalms: you want to run 2 openvpn processes that both redirect-gateway?
12:26 <@krzee> Trupsalms: whats your actual goal?
12:26 <@krzee> !xy
12:26 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
12:26 <@krzee> aykut:
12:27 <@krzee> give me a verb 5 logfile from the win7 box
12:27 < aykut> okay
12:27 < aykut> wait a second
12:28 < aykut> https://pastebin.com/e5hTyyYt
12:28 < aykut> krzee,
12:28 < aykut> is it ?
12:29 <@krzee> verb 5 please
12:29 <@krzee> !verb
12:29 <@vpnHelper> "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info, or (#2) verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage., or (#3) Anything more than 5 is for developer debugging only (special debug build needed)
12:29 < Trupsalms> set up vpn paid service, cloud vps/openvpn, home/office computers. the connection show go as follows, home/office, connects to vps/openvpn, for proxy service, and the vps/openvpn should connect to paid vpn, for hideme, but this makes since
12:29 < aykut> hm
12:30 < aykut> i m using openvpn gui
12:30 < aykut> how can i set verbose 5
12:30 <@krzee> Trupsalms: thats a rather advanced setup
12:30 <@krzee> you're trying to setup what i call vpnchains
12:31 < Trupsalms> the vps/openvpn she act as the server to the home/office
12:31 <@krzee> but i dont really support it, it requires pretty advanced understanding of networking
12:31 < Trupsalms> the paid vpn should act as the server for vps/openvpn
12:32 < Trupsalms> i just need to get both configs up and running together first
12:32 < Trupsalms> networking can come later
12:32 < Trupsalms> both configs work seperately
12:33 < Trupsalms> i'm trying to get both to run together
12:35 <@krzee> !diagram
12:35 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
12:35 < Trupsalms> so i need the vps/openvpn to function as both a server and a client
12:35 <@krzee> if you wanna make a diagram i may have some advice, or others here will see it and maybe have some
12:35 < Trupsalms> ok
12:35 <@krzee> ya, but what do you want to happen to that traffic?
12:35 < aykut> krzee,
12:35 < aykut> https://pastebin.com/8h27Z7Zc
12:36 <@krzee> you expecting that clients connect to your server and route out of the other vpn?
12:36 < Trupsalms> yes
12:37 <@krzee> ya like i said, vpnchains
12:37 < Trupsalms> only because the server/client acts as a proxy to block somethings
12:38 < Trupsalms> manage kids tablets, phones and other devices via a global proxy
12:39 < Trupsalms> but i don't want to focus on the networking right now, lets focus on how to get both configs up and running together first
12:39 <@krzee> aykut: so whats the problem? log looks happy
12:39 <@krzee> cant surf the web?
12:40 < Trupsalms> please over look the networking aspect
12:40 < aykut> i can
12:40 < aykut> sometimes
12:40 < aykut> websites
12:40 <@krzee> Trupsalms: thats called "networking"
12:40 < aykut> to be more spesific
12:40 < aykut> the websites blocked in my country
12:40 < aykut> cant access over vpn
12:40 <@krzee> Trupsalms: you cant skip the networking while trying to do advanced networking (which is what vpns, and ESPECIALLY your desired setup are)
12:41 <@krzee> aykut: does your country actively attempt to block openvpn?
12:41 <@krzee> like china for example
12:41 < aykut> i dont think so
12:41 <@krzee> oh nice
12:41 < aykut> whatsmyip pr ifconfig.me says its working right
12:42 < aykut> but piratebay doesnt open for example
12:42 <@krzee> seems it doesnt open for the vpn ip
12:42 < Trupsalms> but this issue right now is getting both to run together, when one starts the other stop, no errors generate now thanks to your route help
12:42 < aykut> vpn server is on digitalocean, is this a common problem ?
12:43 <@krzee> aykut: no idea, we dont generally support vpn services so i have no experience with them
12:44 <@krzee> normally due to us needing stuff from both sides to really troubleshoot, we say:
12:44 <@krzee> !both
12:44 <@vpnHelper> "both" is (#1) If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead., or (#2) if you dont have access to both sides, come back when you do
12:44 < aykut> hm. it seems a OS level problem to me. Because on my android phone it works flawless
12:44 < aykut> hm
12:44 <@krzee> well i dont use windows, but i dont think any OS filter what sites you use
12:44 <@krzee> try a different browser?
12:44 < aykut> digitalocean is a cloud server
12:44 < aykut> i can access the server
12:44 < aykut> btw
12:45 <@krzee> oh cool, a vps
12:45 <@krzee> your browser could have some sort of "safe site" setting or something
12:46 < Trupsalms> aykut: a manage a vps, on vpn.net msg me directly i'll try to help with some as well
12:47 < Trupsalms> aykut: its hard as krzee said because you don't want to leak the public ip while getting help
12:47 <@krzee> when did i say that?
12:48 <@krzee> more like:
12:48 <@krzee> !topsecret
12:48 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust., or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
12:48 < Trupsalms> you didn't krzee
12:48 < aykut> i dont have a problem with my ip addresses
12:49 <@krzee> aykut: did you try another browser?
12:49 < aykut> yes i did
12:49 <@krzee> same results?
12:49 < aykut> yep
12:49 <@krzee> did you check it for filtering in the settings?
12:49 <@krzee> some have like "safe sites" filtering
12:49 < aykut> im checking it right now
12:49 <@krzee> your vpn connection was made correctly
12:50 <@krzee> so its something software level
12:50 <@krzee> maybe some sort of antivirus software filtering
12:50 < aykut> yeah i think it is the same
12:50 <@krzee> i hear those things can get overzealous
12:50 < aykut> because my phone can access that sites
12:50 < aykut> perfectly
12:50 < aykut> im in turkey. Even wikipedia is blocked.
12:51 < aykut> and my main problem is wikipedia on vpn sometimes cant be opened and i see my ISP s "blocked for blahblahblah reasons" page
12:53 < aykut> Trupsalms, i done have a problem with my ip adresses being leaked. I have 2 active websites and many services on that server
12:53 < aykut> i dont*
12:54 < aykut> krzee, thanks for the help
12:56 <@krzee> aykut: got it working?
12:56 < aykut> nope
12:57 <@krzee> you can do it! its either a setting in the browser or there is filtering software on a outbound firewall maybe built into a "security suite" or something similar
12:58 < aykut> there is no active firewall no security suite
12:58 < aykut> investigating right now
13:03 < Trupsalms> this is what i'm trying to do OpenVPN client and server on the same machine
13:06 <@krzee> when you explain it, i recommend saying it like this "I want to connect to server A (which has a connection to server B) and have my traffic route through it and go to the internet through server B"
13:06 <@krzee> that way people will understand your goal
13:07 < Trupsalms> my goal right now is to get both configs to run, then worry about networking issues
13:08 <@krzee> ok, remove redirect-gateway from everywhere
13:11 < Trupsalms> krzee: i'm not trying to challenge you, i'm trying to get tun0 and tun1 to both show up when a run ifconfig -a, i have notice that if a run one config i get tun0, if i run the other i get tun1, but never both, each instances closes the other
13:12 <@krzee> remove redirect-gateway from all configs
13:21 < Trupsalms> krzee: done tested and still it comes up either one or the other
13:24 <@krzee> how are you starting them?
13:25 <@krzee> smells like network mangler
13:26 < Trupsalms> openvpn --config /etc/openvpn/server.conf and openvpn --config /etc/openvpn/config/us-miami/client.conf
13:26 <@krzee> show me both configs?
14:08 <@krzee> Trupsalms: i saw you already posted your configs earlier, instead of dev tun1 change it to dev tun
14:08 <@krzee> or keep it dev tun1 and change the other to dev tun0
14:10 <@krzee> then show me both logs
14:10 <@krzee> the first log should include the period of time where the second openvpn instance is started
14:40 < tcts> hi, i have setup my vpn client + server and connect good - then i setup squid proxy and i can connect thru proxy on tcp 443 to vpn server -OK
14:40 < tcts> but when i try to use tcp port 80 http and via squid it will not connect
14:41 <@krzee> sounds like q question for the squid help channel
14:41 <@krzee> once you can make the ping your vpn works
14:41 < tcts> am i missing some vital information here ? like i cannot use port 80 because of some reason i do not know ?
14:42 <@krzee> totally unrelated to openvpn
14:42 <@krzee> !notovpn
14:42 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
14:42 < tcts> krzee: hi, i asked in #squid a few hours ago but no reply
14:42 <@krzee> sorry to hear that, doesnt make it an openvpn question
14:43 < tcts> krzee: is it normally possible to connect via http ?
14:43 <@krzee> totally not related to openvpn, openvpn doesnt care what goes over it
14:43 <@krzee> if you dont have your firewall stopping it, then its your squid config, but no matter what theres no way its your vpn
14:45 < tcts> no .. i am using openvpn --remote xxx 443 tcp4 --http-proxy ip.add port (this works) but not for vpn --port 80
14:46 <@krzee> openvpn really doesnt care about the port used
14:46 <@krzee> i dont know how to better say it
14:46 < tcts> sorry to bug you
14:46 <@krzee> no problem
14:46 <@krzee> i hope you find the issue
14:46 < tcts> i only have one question:
14:47 <@krzee> ask as many as you want ;]
14:49 < tcts> is it "normally" possible to use: openvpn --remote myserv 80 tcp4 --http-proxy myproxy 3128 etc .. or is it only possible with openvpn --remote myvpnserv 443 tcp4 --http-proxy myproxy 3128 etc ?
14:50 < tcts> thanks
14:50 <@krzee> i cant speak about your proxy software, but openvpn doesnt give a shit what ports you use
14:50 < tcts> ok
14:50 <@krzee> your ISP might
14:50 <@krzee> or the vpn servers ISP might
14:51 < tcts> it is all on my local network for now
14:51 <@krzee> openvpn itself never does
14:51 < tcts> ok
14:51 < tcts> thanks
14:51 <@krzee> do you have a webserver running on the same machine?
14:51 < tcts> no
14:52 < tcts> i did and i used --port-share
14:52 <@krzee> id be dumping packets to see whats going on
14:52 < tcts> so http is actually running on *:81
14:53 < tcts> i understand this is nothing to do with openvpn .. i guess it is something in squid i am doing wrong for 80 but which works for 443
14:54 <@krzee> must be,  if i were you id be sniffing the entire path to see whats up
14:54 < tcts> fyi: squid returns HTTP proxy returned: 'HTTP/1.1 403 Forbidden'
14:55 <@krzee> can you use your squid server to reach other stuff on port 80?
14:56 < tcts> yes .. normal http  works fine and normal http via proxy
14:57 < tcts> when i do tcpdump port 80 on the server .. when openvpn tries to use port 80 nothing arrives at the server
14:57 < tcts> so squid is blocking
14:57 < tcts> on 443 it works perfectly
14:57 <@krzee> is squid on a separate server?
14:58 <@krzee> so you can see traffic leave the client, get to squid, and squid server never makes an attempt to send it?
14:58 < tcts> squid is actually on (you guessed it) pfsense ;)
14:59 < tcts> i know .. and i dont want help with that
14:59 < tcts> i just wanted to make sure there is no specefic reason why openvpn cannot use tcp 80 via a proxy
15:00 < tcts> it seems it is either squid or me just making a mistake
15:00 <@krzee> i got ya
15:00 < tcts> and yeah .. squid blocks port 80
15:00 < tcts> but allows port 443
15:00 <@krzee> why?
15:00 <@krzee> thats weird
15:00 <@krzee> cause its crypted?
15:01 < tcts> thats what i thought :)
15:01 < tcts> thanks for your time :)
15:01 <@krzee> no problem, howd you find it blocks 80?
15:01 < tcts> just trying it out
15:01 <@krzee> ahh thought maybe you found a doc or something
15:02 < tcts> mope .. google has let me down on this one
15:02 < tcts> which is why i became suspicious that port 80 is not suitable to proxy a openvpn connection
15:04 < tcts> what i was think is: squid is doing some DPI and blocking openvpn on port 80 because suid is set to only allow clear text http on port 80 .. security :/
15:04 <@krzee> ya seems to be something like that, which i find weird
15:05 <@krzee> but maybe theres a reason
15:05 < tcts> exactly
15:06 < tcts> or it could be something on pfsense .. erg
15:06 <@krzee> true
15:06 <@krzee> could be something about the pre-config
15:06 <@krzee> maybe they know in #pfsense
15:07 <@krzee> or maybe since its just a dev project you can try with squid on a normal non preconfigured system
15:09 < tcts> yeah .. thats a good idea :) thanks
15:11 < tcts> i bet its pfsense! when(if) I work it out i'll let you know
15:12 <@krzee> cool
15:42 < Trupsalms> krzee: i've been googling about run openvpn as both a server and client, i'm seeing all types of post about it working, but no details
15:42 <@krzee> cause theres nothing special about running it as both on the same server until you add in the networking
15:43 <@krzee> what you didnt do was reply to my last request
15:43 < Trupsalms> it can even get both configs to run at the same time
15:43 < Trupsalms> got disconnected
15:45 < Trupsalms> brb
17:47 < Trupsalms> how to get the time stamp
17:48 < tcts> Trupsalms: systemd ?
17:49 < Trupsalms> reinstalled a later version of centos to get around that issue
17:49 < tcts> check the unit file
17:54 < Trupsalms> these are the logs and configs i posted earlier:  config: https://pastebin.com/vnaiQhnq and log: https://pastebin.com/zMFZJprc = This is the remote server for which my client computer is connection to
17:54 < Trupsalms> config: https://pastebin.com/mwVX1dvn and log: https://pastebin.com/7BgQUa62 = Both these Configs need to be ran on the same server
17:58 <@krzee> one has dev tun the other dev tun1
17:58 <@krzee> generally better to either specify both or neither
17:59 <@krzee> that way you dont end up using tun1 dynamically before the static one
17:59 <@krzee> not likely your issue here, but i suggest fixing it
18:00 <@krzee> ya its not your issue here
18:03 <@krzee> Sat Jul 15 19:53:24 2017 us=350549 event_wait : Interrupted system call (code=4)
18:03 <@krzee> wheres that come from?
18:03 < Trupsalms> i've tried using dev tun, dev tun0, and dev tun1, no change in the outcome
18:04 <@krzee> ya i said its not your issue here
18:05 <@krzee> but wait... why are these logs 20 minutes apart?
18:06 <@krzee> makes me think these logs dont match
18:06 < Trupsalms> why when i run one config, it works creating tun0, but if i run the other, the first stops, but creates tun 1
18:06 <@krzee> openvpn doesnt do that, so im wondering why as well
18:06 <@krzee> wanna give me logs that match?
18:07 < Trupsalms> krzee: i can do one better, i can give you user access to the server
18:08 <@krzee> i generally charge for that
18:08 <@krzee> but ill look at stuff for free
18:09 < Trupsalms> i'll do the work, i just need a little guidance
18:09 <@krzee> cool, this is the right place for that =]
18:09 <@krzee> im just starting work so i may be a little slow for the next 2 hours, but i'll also not be going anywhere
18:10 <@krzee> grab me brand new logs from both vpn instances
18:10 <@krzee> also just for fun, check if you can start them in the other order
18:10 <@krzee> like when you start each the other dies on you?
18:10 <@krzee> or only 1 way
18:12 < Trupsalms> have also tried starting in reverse order, but i'll get the new logs
18:14 <@krzee> is there some sort of program monitoring your processes doing this? maybe one of the general logfiles shows a message you dont expect?
18:14 <@krzee> like /var/log/messages or similar
18:14 <@krzee> i mean i wouldnt expect it... but worth a look
18:16 < Trupsalms> good one
18:21 <@krzee> k@smallaptop:~/mom > ps auxw|grep [o]penvpn|wc -l
18:22 <@krzee> 6
18:22 <@krzee> thats how im so sure that openvpn has no problem running multiple instances at once ;]
18:22 <@krzee> im basically always logged in to at least that many VPNs
18:26 < Trupsalms> https://pastebin.com/PGa2N6fk and https://pastebin.com/KyGZWSwc
18:27 <@krzee> do these clocks have sync'ed times?
18:28 <@krzee> maybe you could ntpdate pool.ntp.org on both sides?
18:28 <@krzee> im trying to see the moment one gets the kill signal
18:28 <@krzee> and how it relates to the other
18:30 <@krzee> also one side is verb 3, make it verb 4 while you're at it
18:38 < Trupsalms> message record: https://pastebin.com/Nb84tnQr
18:38 < Trupsalms> both are the config's from the same server
18:38 < Trupsalms> times should be the same
18:40 < Trupsalms> it looks like one tun gets delete when the other starts
18:47 <@krzee> Sun Jul 16 02:17:26 2017 Initialization Sequence Completed
18:47 <@krzee> Sun Jul 16 02:17:26 2017 event_wait : Interrupted system call (code=4)
18:47 <@krzee> something killed that one IMMEDIATELY
18:47 <@krzee> so fast that you hadnt even started the other one yet it looks like
18:48 <@krzee> 17:26 it gets killed, 17:29 the other one starts
18:48 <@krzee> 3 seconds later
18:57 < Trupsalms> rebooted server both are set to start on boot?
18:58 < Trupsalms> did u see the message log
19:00 <@krzee> just did
19:00 <@krzee> i guess the configs are in /etc/openvpn and the service is set to start
19:01 <@krzee> change the dir or the name of the configs to not be .conf and you can stop that
19:46 <@krzee> can you be sure that openvpn isnt already running before starting those configs?
22:16 < Trupsalms> i have two upstart script, lets says chkconfig openvpn and chkconfig openvpnauto
22:18 < Trupsalms> openvpn runs config in the working directory of /etc/openvpn/server.conf (<-------Server side) and (Client Side------->) openvpnauto run the config in /etc/openvpn/config/US-Miami/etc.conf
22:29 <@krzee> see i dont know anything about upstart either... can you just start them manually for testing?
22:30 <@krzee> and prior to starting them, make sure openvpn isnt already running
22:32 < Trupsalms> if i'm correct the to start is: openvpn --config directory?
22:32 <@krzee> you gave me the commands you were using earlier
22:32 <@krzee> were they not true?
22:33 < Trupsalms> yes but they just seem not to run, but as you said check that openvpn isn't running
22:54 <@ordex> morning
23:01 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has quit [Remote host closed the connection]
23:09 < Trupsalms> krzee: thanks for the help, there were issues in the config file if ran from command line
23:10 < Trupsalms> but now i'm locked out the server again via ssh
23:10 < Trupsalms> i'll post logs when i get back in
23:10 <@krzee> did you not run those ip rule/ ip route commands after reboot?
23:12 < Trupsalms> there not persitent
23:14 < Trupsalms> no i didn't i thought the would servive reboot
23:16 <@krzee> ahh
23:16 <@krzee> so ya, thats *that* problem
23:17 <@krzee> im super curious, what issues did you find in the configs?
23:17 <@krzee> cause i must have missed them
23:17 <@krzee> i didnt see device conflicts, nor did i see addressing conflicts or output file (logs etc) conflicts
23:18 <@krzee> you likely have/had a mtu issues on 1 of the setups, but that wasnt what we were seeing
23:18 < Trupsalms> running the configs from the commandline, i had to specify ca server key using the directory, even though everything was where it need to be per each config
23:18 <@krzee> oh sure
23:19 <@krzee> --cd would have helped too
23:19 <@krzee> to be fair tho, you *did* say earlier that you were running them from cli, you even gave exact commands
23:20 < Trupsalms> i'm lost as to why that is, even when the files where in the default directory of where to config file was, shouldn't it have been picked up by default
23:21 < Trupsalms> i kinda did, your right, but its was the same commands used in the upstart
23:21 <@krzee> upstart probably did more than you knew
23:21 < Trupsalms> re added ip rule trying again to see if i keep access
23:22 <@krzee> cause we were seeing stuff that openvpn doesnt do
23:22 <@krzee> Trupsalms: openvpn doesnt actually have default directories
23:22 <@krzee> so if you were in the same dir when executing, you wouldnt need paths
23:23 <@krzee> but full paths would make it just work
23:23 <@krzee> !fullpath
23:23 <@krzee> !path
23:23 <@vpnHelper> "path" is (#1) use full paths in your config!, or (#2) if you use windows, see !winpath
23:27 <@krzee> the "default directories" as you know them are only because of your OS startup scripts, they are irrelevant to openvpn itself
23:27 < Trupsalms> ok
23:27 < Trupsalms> and i kept access
23:28 <@krzee> a common source of confusion
23:28 <@krzee> great!
23:28 < Trupsalms> but now client machine wont connect
23:28 < Trupsalms> both tuns are up though
23:28 <@krzee> very nice
23:28 < Trupsalms> thats a start
23:28 <@krzee> so kill the server process
23:29 <@krzee> err no
23:29 <@krzee> kill the client process on the server
23:29 <@krzee> then can the client connect?
23:29 < Trupsalms> don't know how to kill when issued from the commandline
23:29 < Trupsalms> face palm ik ik
23:29 <@krzee> ps auxw|grep openvpn
23:30 <@krzee> find the PID of the process you want to kill
23:30 <@krzee> kill -9 PID
23:30 <@krzee> and honestly, you need to know basic sysadmin stuff before trying this stuff, but i wont hold it against you
23:30 <@krzee> you already been working on this a good amount of time and showed willingness to read and learn
23:33 < Trupsalms> thanks for the pull up coach, i'm a windows guy, but voip hubby has me in linux, hard to retain somethings though, i try to bookmark what i find that works, so i can re read
23:34 <@krzee> id venture to guess you could show me some things on windows, i havent used it really in over a decade
23:36 < Trupsalms> funny thing is i kinda left technology for a few to pursue truck driving, so i try to keep my skills up where i can
23:37 < Trupsalms> log from client side when both configs where running: https://pastebin.com/4VU8BLXe
23:40 < Trupsalms> killing the client side on the server allows me to connect just fine
23:49 <@krzee> ok so you're back to networking issues
23:49 <@krzee> try making the server on the server --listen only on the proper server ip
23:50 <@krzee> oh and i told you awhile back to not do redirect-gateway yet
23:50 <@krzee> that becomes more important now
23:50 <@krzee> we're going to get to a point where you're on your own and you wont have the skill level to keep going
23:50 <@krzee> we're not there yet tho
--- Day changed Sun Jul 16 2017
00:05 < detly> I'm having an unusual problem with openvpn 2.4.0 on Ubuntu - it's passing unexpected arguments to my "--up" script
00:06 < detly> according to the man page, it should be 'cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip' for a tun device, but I'm getting something that looks like a netmask instead of remote IP
00:06 < detly> which is what should happen for a tap device, but it really looks like it's making a tun device as expected
00:06 <@ordex> detly: are you using topology subnet?
00:06 <@ordex> not sure it is related..but maybe
00:07 < detly> see eg. https://gitlab.com/snippets/1668112
00:07 <@vpnHelper> Title: Sign in · GitLab (at gitlab.com)
00:07 < detly> https://gitlab.com/snippets/1668112
00:07 < detly> ordex: not sure what that means! but for context it's in a network namepsace with no default route (ie. like an off-by-default kill switch)
00:08 < detly> sorry, meant to paste this:
00:08 < detly> Sun Jul 16 15:00:39 2017 TUN/TAP device tun0 opened
00:08 <@ordex> detly: "topology subnet" is an option you can specify in your config file
00:08 < detly> ah, let me check
00:08 <@ordex> detly: it wants me to login in order to open that link
00:08 < detly> dang, I forgot to set it to public
00:08 < detly> hang on
00:10 < detly> okay, try again
00:10 < detly> it also definitely gets a remote IP
00:11 < detly> no, no topology subnet in the config
00:11 < detly> definitely says "dev tun"
00:12 <@ordex> ok, just to check in case that may have affected the behaviour
00:13 < detly> hang on, I'll run it outside the namespace to see if that changes anything
00:13 <@ordex> ok
00:16 < detly> nope, still get netmask instead of remote ip
00:17 < detly> it used to work with openvpn 2.3.2, but I recently upgraded OS, so I have no idea whether something else changed somewhere else, or if it's a change in openvpn
00:17 <@ordex> detly: in any case it does not reflect the man..so something seems fishy
00:19 < detly> I'll check ubuntu's default openvpn route up scripts
00:20 < detly> oh it doesn't use that argument anyway, it just updates resolv.conf
00:20 < detly> (or runs resolvconf)
00:21 <@ordex> detly: can you paste the log please ?
00:21 <@ordex> and are you sure you have no "topology subnet" on the server as well?
00:21 < detly> don't know about the server, it's a commercial service
00:21 < detly> but I doubt it
00:21 < detly> let me just get the log from scrollback
00:22 <@ordex> detly: then you can check the log on the client
00:22 <@ordex> the "remote ip" is what gets passed to the ifconfig confi option as second argument
00:22 <@ordex> in the log you can see what you are receiving from the server fot that option
00:23 <@ordex>               Note: Using --topology subnet changes  the  interpretation  of  the  arguments  of
00:23 <@ordex>               --ifconfig to mean "address netmask", no longer "local remote".
00:23 <@ordex> which is what then gets passed to your script
00:24 < detly> ordex: https://gitlab.com/snippets/1668113
00:24 <@vpnHelper> Title: OpenVPN full log ($1668113) · Snippets · GitLab (at gitlab.com)
00:24 < detly> arg
00:24 < detly> you were right
00:25 < detly> I must've typod when I searched for it
00:25 < detly> Sun Jul 16 15:00:39 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 78.46.223.24,dhcp-option DNS 162.242.211.137,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.36 255.255.255.0,peer-id 10,cipher AES-256-GCM'
00:25 <@ordex> detly: yeah
00:25 <@ordex> exactly, I was just looking for that
00:25 < detly> hah
00:25 <@ordex> you got topology subnet and ifconfig with a subnet mask
00:26 < detly> I honestly don't know whether it's always been like that... has openvpn changed how it deals with that?
00:26 < detly> or must it have been the server that changed?
00:26 < detly> and is this an issue with openvpn - is the man page inaccurate then?
00:28 <@ordex> well, the note I pasted above was from the man. I think this note could/should be referenced in the section talking about --up too
00:29 <@ordex> detly: maybe the server changed (?)
00:29 <@ordex> I think topology subnet has always worked like that .. at least for a bit
00:29 <@ordex> but i am not 100% sure either. we should look in the git history
00:30 < detly> ahh I see now
00:30 < detly> the ifconfig options are modified, and presumably it just passes the same first two to the up/down script
00:30 < detly> well, in any case, I can work around it by passing the remote as an argument to up in the script that calls openvpn
00:31 <@ordex> detly: yes, --up gets what's passed to ifconfig
00:42 < detly> well, at least the script gets called with the right arguments now
00:42 < detly> as in, I can pass them in
00:43 < detly> ip route still doesn't want to add my default routes, but that's not an openvpn problem
00:46 <@ordex> detly: default routes?
00:46 <@ordex> are you trying to install routes over the vpn interface ?
00:47 < detly> no, just local default routes
00:48 < detly> ip route add default via 107.181.128.29 dev tun0
00:48 < detly> fails with RTNETLINK answers: Network is unreachable
00:48 < detly> but I can ping the remote, and tun0 exists, so I'm not really sure why
00:50 < detly> I'll run openvpn with default routes already set and see what it tries to add
00:51 <@ordex> if this the IP over the VPN interface: 107.181.128.29 ?
00:51 <@ordex> seems more a public IP
00:52 < detly> so I should be routing via my machine's address instead? the 10.8.8.1?
00:53 <@ordex> detly: you did not state what you are trying to achieve
00:53 < detly> ah, I didn't
00:54 < detly> I create a network namespace, and I add a route only to the vpn server via the namespace's tunnel to the outside world
00:54 < detly> no default route, so nothing gets out before the VPN is up
00:55 < detly> when openvpn connects, I want to add a default route to send all traffic via the VPN
00:55 <@ordex> detly: you can use redirect-gateway for that
00:55 <@ordex> no need to install the default route maually
00:55 <@ordex> !redirect
00:55 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
00:55 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
00:55 < detly> nope, because if the default gateway doesn't exist in the first place, openvpn refuses to create one
00:56 < detly> see: https://unix.stackexchange.com/questions/308751/can-openvpn-create-the-default-route-if-it-doesnt-exist
00:56 <@vpnHelper> Title: networking - Can OpenVPN create the default route if it doesnt exist? - Unix & Linux Stack Exchange (at unix.stackexchange.com)
00:56 <@ordex> so at the beginning the namespace has a single route towards the VPN server ?
00:56 <@ordex> and no default?
00:56 < detly> note the part of the answer: "Set the new default gateway to be the VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified)."
00:56 < detly> which is why I was asking about those arguments
00:57 < detly> so in the past, I've had a --up script to do this
00:57 <@ordex> detly: btw this has been fixed
00:57 <@ordex> in the latest openvpn you should have the fix
00:57 < detly> ordex: oh neat
00:57 < detly> I thought it was deliberate
00:58 <@ordex> detly: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13905.html
00:58 <@vpnHelper> Title: [Openvpn-devel] [PATCH v2] fix redirect-gateway behaviour when an IPv4 default route does not exist (at www.mail-archive.com)
00:58 <@ordex> detly: I think you should use "local" in that case
00:58 <@ordex> when using local, it should then work as expected
00:59 <@ordex> because with local, openvpn asumes that the vpn server is reached without a default route
00:59 < detly> use "local" for what? instead of "toplogy subnet"?
00:59 <@ordex> nono, it's a flag of redirect-gateway
00:59 <@ordex> check the man: you can specify several flags to this option
00:59 < detly> ohhh *reads man page*
01:00 < detly> right, I think "local" was the old old behaviour, before the 0.0.0.0 + 127.0.0.0 trick
01:04 < detly> ordex: do you know what minor-minor version this made it to? my 2.4.0 isn't doing this
01:04 < detly> Sun Jul 16 16:02:27 2017 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
01:04 <@ordex> I somewhere greater than that for sure
01:04 <@ordex> I should check
01:05 <@ordex> detly: 2.4.1 up
01:05 <@ordex> :p
01:08  * ordex is out for food
01:08 < detly> I will upgrade
01:18 < detly> woo! redirect-gateway works on 2.4.3!
01:18 < detly> I can throw out my up/down scripts!
01:44 <@ordex> DeathShot: ;)
01:45 <@ordex> DeathShot: ops wrong highlight
03:22 < orcus-de> !welcome
03:22 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
03:22 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
05:14 < lastaid> hello there. what is the current solution for openvpn with userauth, like one cert and a db with user info people authenticate with?
05:15 < lastaid> i just want a self contained linux server and everybody has a username password to login
05:21 <@ordex> lastaid: I might be wrong, but you need to write the script/program that gets the user/pass from openvpn and verifies them against a DB
05:21 <@ordex> unless you use some plugin .. but I am no expert here
05:21 < lastaid> i was looking through tutorials but didn't catch anything. though there might be a comprehensive writeup ^^
05:44 < lastaid> http://chagridsada.blogspot.de/2011/01/openvpn-system-based-on-userpass.html
05:44 <@vpnHelper> Title: OpenVPN System Based On User/Password Authentication with mysql & Day Control (shell script)- Debian ~ Mr.TUM's Blog (at chagridsada.blogspot.de)
05:44 < lastaid> looks a bit outdated but ok
05:44 < lastaid> does anyone see something dangerously wrong with this?
06:37 < lastaid> well i fnished the tutorial. there were some changes with systemd and all but nothing major.
06:37 < lastaid> but i keep getting an error  TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
06:42 < lastaid> also systemctl status openvpn show active (exited)
06:48 < lastaid> hehe ... tun tap was disabled on the server
06:56 < lastaid> ok, apparently i only get ipv6 connectivity through the vpn
07:42 < lordkryss> hello... i have the same problem i had a year ago, and i was stupid enough not to write down the solution..
07:43 < lordkryss> basically the vpn connection works, but i can't ssh into the server running the vpn if i'm using the vpn
07:43 < lordkryss> i remember it was some configuration, and someone linked me a nice graph with common openvpn problems
07:47 < lastaid> frustrating ^^. apparently the vpn with auth works quite fine
07:48 < lastaid> but i am slightly afraid that it is not a ipv6 error but my windows machine still routes ipv6 over my normal internet connection
07:51 < lastaid> oddly enough, just started openvpn as administrator to be sure, now i cannot even connect to the server anymore
08:14 -!- EmperorTom is now known as _quadDamage
08:18 <@krzee> lordkryss:
08:18 <@krzee> !factoids
08:18 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
08:18 <@krzee> !splitroute
08:18 <@vpnHelper> "splitroute" is (#1) see https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet, or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
08:19 -!- EmperorTom is now known as _quadDamage
08:19 <@krzee> see the last section of the link at !splitroute
08:19 <@krzee> "note on another way to do it"
08:21 < lordkryss> thanks krzee ! i was reading that because i remember having done something like that
08:21 < lordkryss> (i mean the "note...")
08:21 <@krzee> i wrote that the other day
08:21 < lordkryss> "The second command tells the server to route any packets with src 10.0.0.2 out of the table that we just made (table 10 in our case)" isn't this the other way around though?
08:22 <@krzee> no, not the other way around
08:22 <@krzee> what do you think it is?
08:22 < lordkryss> so i think my problem is that packets going to the vps are not redirected to localhost, right?
08:23 < lordkryss> oh maybe i got it, it's just saying that every packet should go to the gateway?
08:26 <@krzee> your problem is that you are redirecting your internet traffic over the vpn
08:26 <@krzee> so traffic that was destined for your server gets replied to with VPN source address
08:26 <@krzee> solution is given in the link
08:26 <@krzee> i explain the problem in "note on another way to do it"
08:42 < Trupsalms> Good Morning
08:43 <@krzee> moin
08:43 < Trupsalms> rested brain, ready to get back at it
08:53 < Trupsalms> ;redirect-gateway def1 bypass-dhcp added to all configs
08:53 <@krzee> umm
08:53 < Trupsalms> commented out
08:53 <@krzee> you mean that you commented the line that was already there, right?
08:53 < Trupsalms> yes
08:53 <@krzee> ok
08:53 <@krzee> cause adding a commented line wouldnt help
08:53 <@krzee> heheh
08:55 < Trupsalms> https://pastebin.com/4VU8BLXe
08:55 < Trupsalms> i still get the same error from last night
08:55 <@ordex> ecrist: if I have a pki created with easyrsa2, is there a way to make it work with easyrsa3 ?
08:56 <@ordex> looks like easyrsa3 expects a different pki folder structure
08:57 <@krzee> oh like a migration script
08:57 <@krzee> nothing exists that i know of
08:57 <@ordex> oh some isntructions, I can be the script :)
08:58 <@ordex> *or
08:58 <@krzee> if i could see an old and a new one im betting i could figure it out
08:58 <@krzee> but id guess you could too
08:58 <@krzee> have you tried making a new one and seeing the differences?
09:02 <@ordex> no
09:02 <@ordex> too lazy
09:02 <@ordex> :D
09:03 <@krzee> if you wanna go cleaning out the keys and tar up both new and old i can take a look
09:04 <@ordex> let's see if I can create a new pki in a bit,,
09:04 <@krzee> Trupsalms: you werent getting that error yesterday... check if openvpn is running on the other side
09:04 <@krzee> !timeout
09:04 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or one of the ISPs blocks it
09:17 < Trupsalms> Client: https://pastebin.com/efBGEXfR and Server: https://pastebin.com/T1bLXQHy
09:18 <@krzee> did you run those ip route / ip rule commands?
09:19 < Trupsalms> this is when the server is running as both a server and client: openvpn --config some directory client.conf and openvpn --config some directory server.conf
09:19 < Trupsalms> yes
09:20 < Trupsalms> remote clients are about to connect to the server
09:20 <@krzee> when you kill the server can clients connect?
09:21 <@krzee> err i mean the client config running on the server
09:22 < Trupsalms> if i kill the client side on the server, remote clients can connect
09:22 <@krzee> ok so let me see the server config
09:25 < Trupsalms> https://pastebin.com/sUeHEzUR
09:26 <@krzee> !configs
09:26 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
09:26 <@krzee> remove the comments for me, im not going to dig through 100 lines to see 10 that matter
09:26 <@krzee> grep -vE '^#|^;|^$' server.conf
09:28 < Trupsalms> https://pastebin.com/sUeHEzUR
09:29 <@krzee> 2 things
09:29 <@krzee> verb is set to 3, make it 5
09:29 <@krzee> and also, the ip you used in the ip rule command
09:29 <@krzee> put local <that ip>
09:34 < _FBi> morning krzee
09:37 <@krzee> g'mornin
09:37 -!- EmperorTom is now known as _quadDamage
09:47 <@ordex> krzee: unable to get 'traditional' section
09:47 <@ordex> any clue?
09:47 <@ordex> when doing build-ca
09:47 <@krzee> lemme look
09:47 <@krzee> !easy-rsa
09:48 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
09:53 <@ordex> hm
09:54 <@ordex> not sure who's printing that error exactly
09:56 <@krzee> so you did this?
09:56 <@krzee>         ./easyrsa init-pki
09:56 <@krzee>         ./easyrsa build-ca
09:56 <@ordex> right
09:56 <@ordex> and the latter is printing that error right after having generated the key
09:57 <@ordex> ah
09:57 <@ordex> found out why
09:57 <@krzee> weird, i dont get the error
09:57 <@ordex> in the openssl.cnf there was no 'traditional' section
09:57 <@ordex> but I had 'org'
09:57 <@ordex> chaning it made it work
09:58 <@krzee> oh you were using your own openssl config
09:58 <@krzee> gotchya
09:58 <@krzee> i was using the default in the package
09:59 <@ordex> krzee: well, it was shipped with the package i guess
09:59 <@ordex> I found it in the gentoo default folder
09:59 <@krzee> (i actually generate my pki with xca these days, and then i have a bash script that builds certs for the different pki's)
09:59 <@ordex> xca ?
09:59 <@krzee> !xca
09:59 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa., or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
09:59 <@ordex> alright :)
09:59 <@ordex> thanks !
10:00 <@krzee> if you dont mind a gui its really nice
10:11 <@ordex> krzee: btw, now there are just some usbfolders in order to better organize the certs/keys/reqs...
10:11 <@ordex> before it was just one pot
10:11 <@ordex> :)
10:12 <@krzee> oh thats the only difference?
10:12 <@krzee> the index file stayed the same etc?
10:13 <@krzee> same alg's in use the in openssl.cnf?
10:14 <@krzee> could even possibly have mismatched methods of stopping mitm
10:14 <@krzee> nscerttype vs the rfc method
10:22 <@ordex> no clue
10:22 <@ordex> anyway
10:22 <@ordex> I replaced the files with my old ones and I created a new cert :-P
10:22 <@ordex> it worked
10:22 <@ordex> all fine :D
10:22 <@ordex> hehe
10:22 <@ordex> mh this is weird:
10:22 <@ordex> Sun Jul 16 15:20:57 2017 us=740567 /bin/ifconfig tun0 10.10.2.6 netmask 255.255.255.0 mtu 1500 broadcast 10.10.2.255
10:22 <@ordex> Sun Jul 16 15:20:57 2017 us=744410 Linux ifconfig failed: could not execute external program
10:22 <@ordex> Sun Jul 16 15:20:57 2017 us=744688 Exiting due to fatal error
10:22 <@ordex> but no error printed
10:23 < Trupsalms> krezee: i'm confused, beside making sure to add the ip route command, which allowed me to keep access to my server via remote ssh, the only other thing i change was when you said add the local <public ip>
10:23 < Trupsalms> everything seems to run now
10:24 < Trupsalms> i've been googling but i can't find away to make the ip route survive reboot
10:27 <@ordex> meh  - my ifconfig is not in /bin -.-
10:29 < Trupsalms> server log: https://pastebin.com/4jdqgBLE and client log: https://pastebin.com/pqZJCzag
10:34 < Trupsalms> now one the server/client, i run wget http://ipinfo.io/ip -qO - to tell me what ip address its receiving, its getting the ip address from the client vpn side, which is what i want, now to forward that same ip the the server said for its clients
10:35 <@krzee> Trupsalms: show me these:
10:35 <@krzee> ip rule show
10:35 <@krzee> ip route show table 10
10:36 <@krzee> Trupsalms: what distro?
10:36 < Trupsalms> centos
10:38 < Trupsalms> https://pastebin.com/Y5D1UXJr
10:38 <@krzee> https://www.centos.org/forums/viewtopic.php?t=3626
10:38 <@vpnHelper> Title: how to add ip rule so that it added after each reboot ??? - CentOS (at www.centos.org)
10:38 <@krzee> hit #2 from https://duckduckgo.com/?q=centos+ip+rule
10:38 <@vpnHelper> Title: centos ip rule at DuckDuckGo (at duckduckgo.com)
10:41 <@krzee> cool, so you got the vpns working, now you gotta figure out the networking, right?
10:43 < Trupsalms> yeah
10:43 <@krzee> nice, good job
10:43 < Trupsalms> working on the ip route rule survive
10:44 <@krzee> well you can do it the centos way, which i gave you the link to
10:44 <@krzee> orrrrrr you can just toss it in rc.local
10:44 <@krzee> the universal "i dont care, it works" method
10:45 <@krzee> basically all systems execute the contents of rc.local after doing the rest of the boot process
10:47 < Trupsalms> https://pastebin.com/WMrxrkwc
10:48 <@krzee> does it work?
10:48 <@krzee> those 2 commands should produce the same output after a reboot if it works
10:51 < Trupsalms> lets reboot, and hope so
10:55 < Trupsalms> golden for the ip rules and routes on reboot
10:56 <@krzee> nice
11:04 < Trupsalms> krzee, correct me if i'm wrong, but i'm thinking since i've removed redirect-gateway def1 bypass-dhcp from all configs, i'm thinking if i add it to the server side server config it should work?
11:05 <@krzee> dunno man never tried vpnchaining like you wanna do
11:05 <@krzee> might work
11:05 <@krzee> might not
11:41 < Trupsalms> first test, i still keep access via ssh, i enabled redirect-gateway in the sever.conf, but i lose access to the internet on the clients that connect
12:47 < Trupsalms> krzee: this looks like it works but i'm not quite sure how to go about it https://serverfault.com/questions/512160/vpn-chaining-using-openvpn
12:47 <@vpnHelper> Title: iptables - VPN chaining using openvpn - Server Fault (at serverfault.com)
13:07 < Trupsalms> i don't understand linux network as well as i do with windows, plus with windows i can basicly draw a diagram in the firewall of what i need
13:11 < BtbN> Networks don't particularry care about the OS
13:11 < Trupsalms> let me say iptables
13:11 < BtbN> Managing them is a lot less painfull on Linux though
14:02 < Trupsalms> is it asking me for the public ips, or private network ips issued by the openvpn server
14:25 < Trupsalms> found another reference to the vpnchain, but still not getting which addresses it wanting me to use: https://sourceforge.net/p/vpnchains/wiki/Home/
14:25 <@vpnHelper> Title: VPNCHAINS / Wiki / Home (at sourceforge.net)
14:29 <@krzee> han, id recommend 'openvpn for android' instead
14:35 < Trupsalms> krzee: can i borrow your eyes and understanding, i think this might work https://sourceforge.net/p/vpnchains/wiki/Home/
14:35 <@vpnHelper> Title: VPNCHAINS / Wiki / Home (at sourceforge.net)
14:57 <@krzee> is your android locked down?
14:57 <@krzee> like you go take permissions from stuff?
15:01 <@krzee> oh
15:02 <@krzee> walk me through how you get the error?
15:15 <@vpnHelper> Title: Solved: Android Lollipop - Cannot select "ok" to approve VPN connection request - F-Secure Community - 64502 (at community.f-secure.com)
15:16 <@krzee> whats twilight do?
15:17 <@krzee> ohh i get it
15:17 <@krzee> read your link
15:18 <@krzee> !learn androidapi as if you see vpn api permission dialog cancelled in your android log, you may have a program that manipulates the screen (eg: twilight) messing with you https://community.f-secure.com/t5/F-Secure/Android-Lollipop-Cannot-select/td-p/64502
15:18 <@vpnHelper> Joo got it.
15:19 <@krzee> thats an issue with tls-auth
15:19 <@krzee> !forget androidapi
15:19 <@vpnHelper> Joo got it.
15:19 <@krzee> !learn androidapi as if you see vpn api permission dialog ignored in your android log, you may have a program that manipulates the screen (eg: twilight) messing with you https://community.f-secure.com/t5/F-Secure/Android-Lollipop-Cannot-select/td-p/64502
15:19 <@vpnHelper> Joo got it.
15:28 <@krzee> thanks, and no problem
15:29 <@krzee> the problem is either a corrupted tls-auth key transfer or key-direction not set right
15:29 <@krzee> or is the tls-auth key doesnt exactly match, thats a problem
15:41 < Trupsalms> well that didn't work
15:54 <@krzee> Trupsalms: the way i see it, you will have to setup proper NAT to make it work
15:56 <@krzee> the server needs to nat traffic coming from 1 device out through the other device
15:57 <@krzee> !linnat
15:57 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:57 <@krzee> so like that but with -o eth0 changed to be the correct device for the vpn service
16:12 < Trupsalms> thumbs up, thanks, i'm really reading one of the other articles i posted here
16:13 < Trupsalms> i'm also having a old co-worker thats good with linux take a look
16:13 < Trupsalms> with all this help it should be up and running tonight
16:15 <@krzee> oh and of course your server needs ip forwarding enabled
16:15 <@krzee> !linipforward
16:15 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
16:24 < Trupsalms> done
16:24 < Trupsalms> question
16:27 < Trupsalms> iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to-source 10.0.2.6 <--------tun of vpn service i want everything to go out of, but what if this tun goes down, i would want to fall over to use the default internet from provider
16:31 <@krzee> more importantly, when you specify the IP and you dont control that server, what happens when you reconnect and get another ip
16:31 <@krzee> but i mean really, for this setup you should have some networking knowledge
16:31 <@krzee> or hire somebody who does
16:31 <@krzee> but anyways
16:31 <@krzee> !def1
16:32 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
16:32 < Trupsalms> the ip on thats server is static never changes
16:32 <@krzee> 10.0.2.6
16:32 <@krzee> ^ not static
16:32 < Trupsalms> no that was an example
16:34 < Trupsalms> thats the openvpn tun, for the paid vpn, but i'm sure somewhere in the config i can make it static
16:34 <@krzee> nope
16:34 <@krzee> the server controls that
16:34 < Trupsalms> crush my dreams why don't you
16:34 <@krzee> well i told you how to do it, and you did somethting else that wont work
16:35 <@krzee> but honestly it comes down to not having the background for the complexity of the setup you want
16:35 < Trupsalms> i haven't done anything else yet, haven't even uncommented the redirect yet
16:36 < Trupsalms> krzee: true, but if i keep working at it, and get it working, i would have learned a few things
16:37 <@krzee> when it breaks one day you'll be at a total loss for what to do
16:37 < Trupsalms> and everything eveuntually breaks, but maybe not, also
16:38 < Trupsalms> i might remember what i've learned
16:40 <@krzee> iptables -t nat -I POSTROUTING -s <vpn subnet your server uses>/24 -o <tunx whatever the vpn service client interface is> -j MASQUERADE
16:40 <@krzee> and this:
16:40 <@krzee> !linipforward
16:40 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
16:41 <@krzee> and reenable redirect-gateway
16:41  * krzee puts his spoon away
16:42 < Trupsalms> iptables -t nat -A POSTROUTING -s 172.8.0.0/24(<-------Server issued tun) -j SNAT --to-source 10.153.21.16(<------VPN issued tun) none example
16:42 <@krzee> did i give you a command with --to-source?
16:43 <@krzee> damn man if im going to spoonfeed you, you need to take the spoon
16:43 < Trupsalms> sorry
16:51 < Trupsalms> krzee: def1 in which config i'm i setting?
17:08 <@krzee> !man
17:08 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
17:08 <@krzee> def1 is a flag to redirect-gateway
17:08 < Trupsalms> krzee: it works
17:09 <@krzee> you got the whole thing working?
17:09 < Trupsalms> futher testing on restart
17:09 < Trupsalms> seems that way
17:09 <@krzee> nice man
17:09 <@krzee> pretty fast too considering
17:09 <@krzee> take lots of notes while its fresh
17:10 < Trupsalms> i took your advice and kept one
17:10 <@krzee> kept one what?
17:10 < Trupsalms> iptables -t nat -A POSTROUTING -s 172.8.0.0/24 -o tun0  -j MASQUERADE
17:10 < Trupsalms> iptables -t nat -A POSTROUTING -s 172.8.0.0/24 -o eth0  -j MASQUERADE
17:11 < Trupsalms> i tested the face that if the paid service goes down
17:11 <@krzee> oh, so it'll nat out either pay
17:11 <@krzee> way*
17:11 < Trupsalms> and it switches over
17:11 <@krzee> ya that should work
17:11 <@krzee> nice
17:11 <@krzee> dude your setup is complex
17:11 < Trupsalms> i'm sourcing this whole chat channel
17:12 < Trupsalms> i know it be crazy ideas that come to me in dreams
17:12 <@krzee> so... what was the point?
17:12 <@krzee> to share the paid service?
17:13 < Trupsalms> server/client is a proxy for many things, but i want it to be a global proxy, but hide its ip as much as it can
17:15 < Trupsalms> i have friends and family, and myself with kids, which is why i needed to configure it one the cloud based server, thats always up, so we can enter the proxy settings in all the devices, to filter, apps, ads, and sites
17:16 <@krzee> fyi, the paid service may not appreciate many devices connecting over 1 connection, and if they're looking they can tell
17:16 <@krzee> you may want to consult their TOS
17:22 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn
17:22 -!- mode/#openvpn [+o danhunsaker] by ChanServ
22:03 -!- stns4_ is now known as stns4
23:20 <+hyper_ch> krzee: https://mailarchive.ietf.org/arch/msg/ietf-announce/WS9N8eeO35tbe876-_6GmrgnSvY
23:20 <@vpnHelper> Title: Archive (at mailarchive.ietf.org)
--- Day changed Mon Jul 17 2017
03:12 < oe1skw> hello, i have a problem, that i push the route for the lan behind the server but i can't reach the lan
03:14 <@ordex> !redirlan
03:14 <@ordex> mh no..how was it ..
03:14 <@ordex> !serverlan
03:14 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
03:14 <@ordex> oe1skw: ^^
03:15 < oe1skw> sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1
03:15 < oe1skw> forward is enabled
03:16 < oe1skw> !route_outside_openvpn
03:16 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
03:19 < oe1skw> my server has the same subnet as the lan behind and the clients get an ip from that lan too, so server has 192.168.1.121 client get 192.168.1.126 but i can't reach 192.168.1.111 route is set properly with push "route 192.168.1.0 255.255.255.0"
03:30 <@ordex> oe1skw: client == VPN client ?
03:30 < CryptoSiD> build.openvpn.net (the apt repo) isn'T listening to Ipv6 anymore since ~2 weeks or so
03:30 <@ordex> CryptoSiD: yeah, a ticket has been opened already
03:31 < CryptoSiD> cool, I was wondering if i mail or ask here first, good choice i guess :)
03:31 <@ordex> :)
03:52 <@krzee> aloha ordex
03:52 <@ordex> aloha
03:53 <@ordex> tropical rain here :S
03:54 <@krzee> nice!
03:54 <@krzee> you collect it?
03:55 <@ordex> not myself :P
03:55 <@krzee> my plants LOVE that stuff! i have a big ass cistern that collects the rainwater from my roof
03:55 <@ordex> but probably the reservois around do
03:55 <@ordex> hehe
03:55 <@ordex> but now it's really *ALLOT* of water :D
03:56 <@krzee> hahah yep we get that too
03:56 <@ordex> and lasting quite long mh ..
03:56 <@krzee> do you get monsoons out there?
03:56 <@ordex> yap
03:56 <@krzee> shit
03:56 <@krzee> haha
03:56 <@ordex> :D
03:56 <@ordex> but usually in winter
03:58 <@krzee> hurricanes?
03:59 <@ordex> typhoons
03:59 <@ordex> (same thing but different name :P)
03:59 <@ordex> iirc hurricanes are called when originated in the atlantic, while typhoons if they come from the pacific
04:00 <@ordex> this is the right period for them :)
04:00 <@ordex> looking forward to the next :D
04:00 <@krzee> weird!
04:01 <@krzee> They're all the same, officially tropical cyclones. But they just use distinctive terms for a storm in different parts of the world. Hurricane is used in the Atlantic, Caribbean Sea, central and northeast Pacific. They are typhoons in the northwest Pacific. In the Bay of Bengal and the Arabia Sea, they are called cyclones. Tropical cyclone is used in the southwest India Ocean; in the southwestern Pacific and southeastern India Ocean they are
04:01 <@krzee> severe tropical cyclones.
04:01 <@krzee> so weird
04:01 <@ordex> hehe
04:01 <@ordex> yeah
04:02 <@ordex> the observatory here then uses different names based on the speed near the centre
04:02 <@ordex> you can get up to Super Typhoon!!
04:02 <@ordex> :D
04:02 <@krzee> STRENGTH: A storm gets a name and is considered a tropical storm at 39 mph (63 kph). It becomes a hurricane, typhoon, tropical cyclone, or cyclone at 74 mph (119 kph). There are five strength categories, depending on wind speed. The highest category is 5 and that's above 155 mph (249 kph). Australia has a different system for categorizing storm strength.
04:02 <@ordex> hehe yeah
04:02 <@krzee> super typhoon!
04:03 <@krzee> i picture it with a cape on
04:03 <@ordex> :D
04:03 <@ordex> http://www.hko.gov.hk/wxinfo/currwx/tc_gis_e.htm << here you see the current typhoons
04:03 <@vpnHelper> Title: Tropical cyclone track information - GIS version (at www.hko.gov.hk)
04:03 <@ordex> this one did not hit us
04:04 <@ordex> and was quite weak
04:04 <@krzee> burma bout to get tossed?
04:04 <@krzee> buhbye burma
04:04 <@ordex> :P
04:04 <@ordex> usually philippines are hit quite bad this period
04:04 <@ordex> they get the best of the best
04:04 <@ordex> :P
04:05 <@ordex> ah i found the classiffication: http://www.weather.gov.hk/informtc/class.htm
04:05 <@vpnHelper> Title: Classification of Tropical Cyclones (at www.weather.gov.hk)
04:06 <@krzee> even typhoons dont wanna go to philippines now
04:06 <@ordex> but it's quite nice how the entire city is well coordinated during those events
04:06 <@ordex> lol
04:06 <@ordex> :D
04:06 <@krzee> "call us when you get a new president"
04:06 <@ordex> hehe
04:07 <@krzee> i wonder if we could lock trump and duterte in a room together and see which one makes it out
04:07 <@ordex> mah
04:08 <@krzee> my $ on duterte
04:08 <@ordex> draw
04:08 <@ordex> they win, everybody else lose :P
04:08 <@krzee> no no, one of them doesnt make it out
04:08 <@ordex> u think so? :D
04:08 <@krzee> no matter what, 1 is gone
04:08 <@krzee> well thats the premise
04:09 <@krzee> haha
04:12 <@krzee> http://www.enchantedlearning.com/subjects/weather/hurricane/classification.shtml
04:12 <@vpnHelper> Title: Hurricane Classification: EnchantedLearning.com (at www.enchantedlearning.com)
04:12 <@krzee> ours is more boring
04:12 <@krzee> just 1-5
04:12 <+hyper_ch> hi krzee
04:13 <@krzee> but interesting, your super typhoon is only a cat 3 hurricane
04:13 <@krzee> 185km is 115 mph
04:13 <@ordex> yeah
04:13 <+hyper_ch> that's average speed on German Autobahn
04:13 <@krzee> hey hyper_ch
04:14 <+hyper_ch> seen about the IETF?
04:14 <@krzee> i didnt see the part that mattered... they changed venues it seems?
04:14 <+hyper_ch> yeah :)
04:14 <+hyper_ch> border issues
04:15 <@krzee> oh LOL
04:15 <@krzee> trump stuff?
04:15 <@ordex> lol
04:15 <+hyper_ch> The Meetings Committee observed that the United States had attempted to restrict entry into the country for individuals from a number of named countries and in other ways had increased its vetting of individuals entering the country regardless of citizenship through searches of personal electronic devices and other means. Some of this action has been blocked by the courts. These actions have resulted in an atmosphere of uncertainty in
04:15 <+hyper_ch> international travelers about their ability to enter the United States.
04:15 <@krzee> i hear that as an american im going to need a damn visa to go to europe soon
04:15 <@krzee> lol
04:15 <+hyper_ch> well, IMHO the US is one of the biggest threat to world peace today :)
04:16 <@ordex> krzee: to go back to US too maybe :D
04:16 <+hyper_ch> meddling in everyone's affairs, toppling governments when they feel like it :)
04:16 <@ordex> hyper_ch: been like that for 40+ years already, I'd say
04:16 <@krzee> dude they are welcome to suck me off if they wanna go through my electronics at the border
04:16 <+hyper_ch> "At this point in time it is impossible to know or predict the extent of the restrictions placed on individuals attempting to attend IETF 102 twelve months from now, or the level of uncertainty that will exist, and the impact that will have on the ability for the IETF to hold a successful meeting in the United States at that time."
04:16 <@ordex> krzee: :D heard about that for several US friends on their way back
04:17 <@krzee> "give us you decryption passes"   "how about you just suck this instead"
04:17 <+hyper_ch> krzee: don't you get free anal treatment upon entering the US?
04:17 <@ordex> krzee: :D
04:17 <@krzee> nah they never harass me (yet)
04:17 <@ordex> hyper_ch: only for VIPs
04:17 <@krzee> actually the USED TO harass me
04:17 <@ordex> krzee: I guess you have read the story of the NASA's employee going back to US
04:17 <@krzee> but i filed a report with TSA that they were harassing me
04:17 <@krzee> then they stopped
04:18 <@ordex> weird, usually that's when they harass you more :D
04:18 <+hyper_ch> then they stopped you before even boarding a plane?
04:18 <@krzee> not if you file the right papers ;]
04:18 <@ordex> lol
04:18 <@ordex> "you can board...but you got to be naked"
04:19 <@krzee> im ok with that
04:19 <@krzee> free advertising!
04:19 <@ordex> :D
04:19 <@krzee> :D
04:19 <@krzee> italiano :-p
04:19  * hyper_ch heard that Italians have tiny ...
04:19 <@krzee> now we know what hyper googles
04:20 <+hyper_ch> heard != googled
04:20 <@ordex> haha
04:20 <@krzee> no text to speech?
04:20 <+hyper_ch> nope
04:20 <@ordex> hyper_ch: you're not that far - might be contagious
04:20 <+hyper_ch> too strange a dialect here
04:21 <+hyper_ch> so, they did announce a new Doctor... interesting
04:22 <+hyper_ch> I think I should ship a Yealink T48g to krzee
04:22 <@krzee> if you wanna ill take a look
04:22 <@krzee> i have a us mailing address you can ship to
04:22 <+hyper_ch> nah, I'll figure it out - eventually
04:22 <@krzee> ok
04:22 <+hyper_ch> I mean I can't be the only one
04:22 <@krzee> but its an option if you wanna
04:23 <+hyper_ch> it's not like Google where I know they hate me
04:23 <@krzee> although you may save $ by buying a new one in usa lol
04:23 <@krzee> shipping sucks
04:23 <+hyper_ch> it does
04:24 <+hyper_ch> and then there's tax on it
04:24 <@ordex> well, if you ship to 3rd world countries ...
04:24 <@ordex> :P
04:24 <@krzee> and then *i* pay tax + shipping too
04:24 <@krzee> cause of the forwarder
04:24 <@krzee> and because of 3rd world country as noted by ordex
04:24 <@krzee> they love to get $ when you bring things in
04:25 <@ordex> krzee: I was referring to the US :P
04:25 <@krzee> (not sure if he was joking, but he was right)
04:25 <@krzee> oh lol
04:25 <@ordex> :D
04:25 <@krzee> well im literally in a 3rd world country
04:25 <+hyper_ch> but with gigabit internet?
04:25  * krzee notes what 3rd world countries are... unaffiliated back during the cold war
04:25 <@krzee> hyper_ch: actually i can only get 10mbit now, i moved =[
04:26 <+hyper_ch> I wonder, how did people live before 1gbps internet...
04:26 <@krzee> but yes, 3rd world country with LOTS of transit bandwidth
04:26 <@krzee> internal infrastructure is catching up, in some places
04:26 <+hyper_ch> can't you just plug into the backbone? like you'd tap into oil pipeline?
04:26 <@krzee> umm sure :-p
04:26 <@ordex> what do you do with 1Gbps
04:26 <@ordex> ?
04:26  * hyper_ch heard the NSA is doing the same thing... fiber splicing or something
04:27 <@ordex> they tried to sell it to me too, but I gently refused :D
04:27 <@krzee> me? nothing, cant get it
04:27 <+hyper_ch> ordex: download all the porn you can ever dream of
04:27 <@ordex> :D
04:27 <+hyper_ch> (and backups)
04:27 <@krzee> i had 100mbit fiber to the home in my last place tho
04:27 <+hyper_ch> ordex: you know how long it takes to fill a 50TB SSD with a merely 1gbit connection?
04:27 <@krzee> i just sneezed and my dogs woke up barking
04:27 <@ordex> hyper_ch: never tried :P
04:27 <@krzee> lol
04:27 <@ordex> lol
04:27 <@ordex> poor dog
04:28 <+hyper_ch> http://www.anandtech.com/show/11639/viking-ships-uhcsilo-ssds-50-tb-capacity-emlc-sas
04:28 <@vpnHelper> Title: Viking Ships UHC-Silo SSDs: 25 – 50 TB Capacity, Custom eMLC, SAS, $0.4 per GB (at www.anandtech.com)
04:28 <@ordex> lol
04:28 <@ordex> hyper_ch: use it for backups ?
04:28 <+hyper_ch> the only bad thing is, the 3.5" 50TB ssd can't be put into my notebook
04:29 <@ordex> why would you need that? :D
04:29 <@krzee> only $20,000 usd
04:29 <+hyper_ch> ordex: I have plain old WD Red 8TBs on my home and backup server
04:29 <+hyper_ch> not even a SSD for the system
04:29 <@ordex> hyper_ch: it sounds like you spend your life transferring stuff
04:29 <@ordex> :D
04:29 <+hyper_ch> ordex: like 3 months ago I upgraded my 512GB SSD to a 1TB SSD... but now I only have like 200gb left
04:30 <@krzee> theres no reason to have SSD in a home NAS
04:30 <+hyper_ch> the more space you have.... the more quickly you use it up :(
04:30 <@ordex> lol
04:30 <@ordex> wipe old things :P
04:30 <+hyper_ch> krzee: it's not a NAS
04:30 <@krzee>  /home/k/.Private  219G  193G   15G  93% /home/k
04:30 <@krzee> thats my laptop
04:31 <+hyper_ch> my notebook /dev/dm-0                   938G  686G  204G  78% /
04:31 <@krzee> and once i use 5-10gb more ill wipe out another 50g or so of crap
04:31 <@krzee> i dont even have network storage here
04:31 <@ordex> krzee: how is this related tothe 1Gbps bandwidth ? I have missed this
04:31 <@krzee> well technically i  have a 6TB freebsd nas, but i havent turned it on in at least 6 years
04:32 <@krzee> ordex: his 50TB ssd changed the topic for me
04:32 <@ordex> hehe
04:33 <@krzee> i dont even wanna talk about gigabit to the home
04:33 <@krzee> it makes me sad, i cant get better than 10mbit
04:33 <@ordex> I was just curious to understand how that is useful
04:33 <@ordex> krzee: isn't it enough ?:P
04:33 <+hyper_ch> so, with a 1Gbps connection, you donwload a gigabyte in 8 seconds... if you have 50'000 gigabytes available, it will take 400'000 seconds to fill it... which is like 4.6 days?
04:33 <@krzee> 10mbit is not enough to even stream hd reliably
04:34 <@krzee> and i get jitter on this line
04:34 <@ordex> hyper_ch: "with a 1Gbps connection, you donwload a gigabyte in 8 seconds" << not really true, but close :P
04:34 <@krzee> my old 100mbit FTTH never had jitter
04:34 <@ordex> hyper_ch: but you mean you daily weekly transfer 50TB ?
04:34 <+hyper_ch> bits -> bytes
04:34 <@ordex> *weekly
04:34 <@krzee> hyper_ch: overhead
04:34 <+hyper_ch> ordex: no :)
04:34 <@ordex> ok :D
04:34 <@ordex> I was a bit puzzled about that :P
04:35 <@ordex> hehe
04:35 <+hyper_ch> krzee: yeah, you also don't get full gigabit speed... I managed from really good servers to get around 70megabytes/s
04:35 <+hyper_ch> like the ETH Zurich
04:35 <@ordex> which is something you normally don't do in your daily routine :P
04:36 <@ordex> unless you spend your time surfing the ETH website :D
04:36 <@krzee> back in the 90s in the bay area i had a cable modem that somehow got me like 20mbit to a certain mp3 site that i was on (i used to be RNS council)
04:36 <+hyper_ch> they host a lot of OSS stuff... distro images etc
04:36 <@krzee> that shit was greatness
04:36 <+hyper_ch> repositories
04:36 <+hyper_ch> no idea what RNS council is
04:37 <+hyper_ch> back in the 90s... life was easy
04:37 <@krzee> https://en.wikipedia.org/wiki/Rabid_Neurosis
04:37 <@vpnHelper> Title: Rabid Neurosis - Wikipedia (at en.wikipedia.org)
04:37 < Kadigan> Hello. I seem to have managed to get iroute/route working now -- now my question would be: is there some sort of mechanism that can dynamically inform clients that a new route is being added/removed?
04:37 <@krzee> i was president of CDA for awhile, then we merged with CPS to form NOD, then we joined RNS in like 1997
04:37 <@ordex> Kadigan: no
04:38 < Kadigan> I'd like to know if it's possible to do this automatically if irouting clients are on unstable networks.
04:38 < Kadigan> So... only via the on-connect and on-disconnect scripts?
04:38 <@krzee> whats your real goal?
04:38 <@krzee> !xy
04:38 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
04:38 < Kadigan> (assuming I can set them up on the server)
04:39 < Kadigan> Well, I was really more curious than anything, but seeing I have to put "route A.B.C.D M.M.M.M" into openvpn.conf, that may not always be true
04:39 < Kadigan> (if the client irouting A.B.C.D is not connected or drops)
04:39 < Kadigan> seeing as*
04:40 < Kadigan> I was really wondering if there was anything else I needed, or could, do to make this as painless as possible... Like I said -- assuming this problem even needs fixing.
04:40 <@ordex> Kadigan: but then, do you have a fallback gateway to that network?
04:40 < Kadigan> (I think we can safely assume that if the irouting client drops, there -is- no workaround for me)
04:40 <@ordex> if not, who cares if the client is gone
04:40 <@ordex> ?
04:40 <@krzee> ^ that
04:41 < Kadigan> True enough... I'd get 'no route to...' responses -anyway-.
04:41 <@krzee> im trying to decide if you need a routing protocol or not
04:41 <@krzee> but it sounds like no
04:41 < Kadigan> I was just curious if this was handled in any case.
04:41 <@ordex> Kadigan: if you remove the route, the traffic would still go to the default gw
04:41 <@krzee> well i mean, dynamic routing is a thing...
04:41 <@krzee> but only when you have multiple paths to the target
04:41 <@krzee> (and its not an openvpn thing)
04:41 <@ordex> yeah, openvpn is not really for dynamic routing
04:41 <@ordex> ^ that
04:42 <@krzee> well it can be done tho, i do it
04:42 <@krzee> but not with iroutes and stuff
04:42 <@krzee> i had to use ptp mode to get it working right in freebsd at least
04:42 < Kadigan> ordex: I sometimes come up with CRAZY ideas of layering multiple routes over multiple subnets sharing identical configurations w/ fallback ordering/preference... don't ask :D and no, not to solve a real problem, just to see how far I can stretch the definitions of "workable" :D
04:42 < Kadigan> (most of the time, I can't)
04:43 <@ordex> lol
04:43 <@ordex> do it !
04:43 <@krzee> i hope we wont be helping to troubleshoot those :D
04:43 < Kadigan> In any case, I understant that if I -did- have a fallback path to the network (the VPN being the preferred way for some reason), I -could- manage dynamic pickups/drops via the scripts server-side, yeah?
04:44 < Kadigan> krzee: nooooo no no no ! :D You can usually tell most of such braindead ideas when they begin with "Say, is it possible to...?" xD
04:44 <@krzee> no, youd learn bird or quagga and then youd setup a routing protocol to handle the pickups/drops
04:44 <@krzee> like ospf for example
04:44 <@krzee> or RIP
04:45 <@krzee> in my experience (years ago, and freebsd) i had to stop using client/server mode all together for it to work right
04:45 <@krzee> !statickey
04:45 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret </path/to/key>, or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time., or (#3) see !forwardsecurity for more info
04:45 <@ordex> yeah in the past i also have been using openvpn in p2p mode with bird running on top
04:46 < Kadigan> That sounds like a general solution applied to a specific problem. Well, I'm not going to push it... I just like to know that I have -some- maneuvering space in a pinch (you know, like "*this* much... we -can- do... anything more, we need something bigger" sort of thing)
04:46 <@krzee> (i once asked about dynamic iroutes too, when i was doing the above setup)
04:46 <@ordex> openvpn wuld basically just do the link encryption and routing would be handled on top
04:46 <@krzee> ordex: exactamente!
04:46 <@ordex> :D
04:46 <@ordex> krzee: ever heard about anonet ? :P
04:47 <@krzee> i use bird over openvpn in 2 locations
04:47 < Kadigan> But I will happily accept that I have a -lot- to learn before I'd be able to pull this off cleanly. Or possibly at all. Possibly w/o requiring a straightjacket afterwards.
04:47 <@krzee> not sure, lemme google
04:47 <@krzee> oh their IRC network
04:47 <@ordex> well it was more than IRC, but that was one thing
04:47 <@ordex> it had been a nice experiment
04:48 < Kadigan> In any case, the whole iroute/route thing worked -- or so it seems -- so thanks again for your help!
04:49 <@ordex> this guy >> krzee
04:49 < Kadigan> As an aside, I'm possibly the younger prince of xy problems... :D (though often it's because I'm working under almost impossible constraints, like "I need full-HD HDMI coming from this SD camera's composite-video-out; make it happen")
04:51 <@krzee> hahah
04:51 <@krzee> ya it works til it doesnt :D
04:51  * krzee smokes a dab
04:53 < Kadigan> My boss' approach tends to be "If it ain't broke, don't fix it" -- which is generally correct... until he extends it to the whole set of patchwork solutions we have going... It's like a herd of Lemmings around when things DO break, and they tend to either when A) we have a big client in the room, or B) we're about to perform long-haul print/design runs or something
04:53 < Kadigan> (broken? --sp? in this context?)
04:53 <@krzee> my boss's approach is the best one
04:53 <@krzee> "you're the tech, do whatever you want"
04:53 < Kadigan> "Raize it to the ground and build again"? :D
04:54 < Kadigan> Cool, man.
04:54 < Kadigan> I'm the "IT manager", and I have to ask permission  before I remote-control a PC.
04:54 <@krzee> literally that attitude is why everything of his *just works*
04:54 <@krzee> im basically autonomous
04:55 < Kadigan> I know. Everything I actually *own* (as in, am -really- responsible for and the final authority) also "just works", 95% of the time.
04:55 < Kadigan> His own shit I'm not allowed to touch? Not so much...
04:55 <@krzee> ahh you have a semi-technical boss
04:55 <@krzee> that sounds horrible
04:55 <@krzee> mine knows he dunno, which is perfect
04:58 <@krzee> hey ordex, check this one out:
04:58 <@krzee> this is the "sayspool" i made at work
04:58 <@krzee> while : ;do say -- "$(ssh jeff@10.0.0.220 'until (($loop)) ;do for f in /ramdisk/say/* ; do [[ $f == "/ramdisk/say/*" ]] && continue ; cat $f && loop=1 && rm -f $f ; done ;sleep 1;done')" ;done
04:59 <@krzee> 1 liner that says anything i put in a file in my server's /ramdisk/say directory
05:00 <@krzee> result, my computer talks at work tells them anything I wanna keep an eye on and tell them about
05:00 <@krzee> can watch the db and report when things happen, etc
05:14 <@krzee> i guess the sayspool scared everyone off
05:20 <@ordex> hehe
05:20 <@ordex> :D
05:48 < Kadigan> krzee: I had a discussion with him about it, during which I explained the whole logic he'd follow to overrule my decisions if he only had the password and basic know-how to configure our local router, for example. ;) He didn't deny it.
05:49 < Kadigan> krzee: I'm no bash warrior, but that doesn't seem to check if the network's up, or if the folder exists... must have some pretty interesting failure modes :D
05:50 <+hyper_ch> hmmmm, dns queries over http/2
05:50 <+hyper_ch> if you use dns over http/2 and use for example google's dns server, does it mean, your ISP can't interfere anymore with dns resolutioN?
05:52 < Kadigan> hyper_ch: if you use HTTPS, sure
05:52 <+hyper_ch> http/2 is https only I though
05:52 < Kadigan> NBo.
05:52 < Kadigan> No*
05:52 <+hyper_ch> https://tools.ietf.org/html/draft-hoffman-dispatch-dns-over-https-00
05:52 <@vpnHelper> Title: draft-hoffman-dispatch-dns-over-https-00 - DNS Queries over HTTPS (at tools.ietf.org)
05:52 <+hyper_ch> sorry, they speak of https
05:53 < Kadigan> Google is already providing a DNS-over-HTTPS API, as I understand it.
05:53 < Kadigan> https://developers.google.com/speed/public-dns/docs/dns-over-https
05:53 <@vpnHelper> Title: DNS-over-HTTPS | Public DNS | Google Developers (at developers.google.com)
05:54 < Kadigan> HTTP/2.0 itself doesn't require encryption as, apparently, the draft authors couldn't arrive at a consensus as to whether to use it, and if yes - which protocol to demand.
05:56 <+hyper_ch> https://www.ietf.org/proceedings/99/slides/slides-99-dispatch-dns-over-https-00.pdf  -
05:56 <+hyper_ch> H2 is a more reliable transport for DNS
05:56 <+hyper_ch> queries and answers than DNS
06:03 <+hyper_ch> krzee: I told you about LE getting wildcard support?
07:28 <+hyper_ch> krzee: https://www.schneier.com/blog/archives/2017/07/australia_consi.html  the laws in australia trump the laws of mathematics :)
07:28 <@vpnHelper> Title: Australia Considering New Law Weakening Encryption - Schneier on Security (at www.schneier.com)
07:31 <@krzee> Kadigan: its lan stuff, network has never not been up. and the /ramdisk/ gets configured at boot, the directory always exists
07:31 <@krzee> but ya, it's a 1liner it doesnt do much for checking
07:33 <@krzee> hyper_ch: ya usa contemplates similar laws
07:35 <+hyper_ch> Trump trumps the laws of Mathematics?
07:43 <@ecrist> ?
07:43 <@ecrist> what does that have to do with OpenVPN?
07:45 <+hyper_ch> everything and nothing :)
07:55 <@krzee> just offtopicing until somebody needs help
07:57 <+hyper_ch> there was 1 1/2h nothing :)
11:41 -!- Vampire0_ is now known as Vampire0
11:41 -!- CryptoSi- is now known as CryptoSiD
11:44 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 240 seconds]
11:45 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
11:45 -!- mode/#openvpn [+o syzzer] by ChanServ
14:11 < Eugene> I'm sorry, we don't discuss reality TV
14:32 <@krzee> Eugene: american politics?
14:32 < Eugene> Yes, TV.
14:33 <@krzee> i strongly agree
14:33 < Eugene> I haven't even gotten any Game of Thrones spoilers today, its been nice
14:35 <@krzee> it starts off good
14:35 <@krzee> the 2face assassin girl is a badass
14:35 <@krzee> the rest is boringish
14:35 -!- mode/#openvpn [+o Eugene] by ChanServ
14:35 <@krzee> lol
14:35 -!- krzee was kicked from #openvpn by Eugene [I said no fucking spoilers you lil shit]
14:36 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
14:36 -!- mode/#openvpn [+o krzee] by ChanServ
14:36 <@krzee> lol
14:36 <@Eugene> The guy at $DAYJOB the week after Star Wars came out.... I wanted to hit him
14:36 <@krzee> lagg less?
14:37 <@Eugene> I enjoy stealing media to watch in the comfort of my own home, which typically means waiting for the Bluray
14:51 <+hyper_ch> has anyone already seen newest GoT? I got a question
14:54  * ecrist has
14:54 <@ecrist> it's a good show
15:05 <@krzee> hyper_ch:  ya we pirated it last night
15:10 <+hyper_ch> krzee: do you know what location the Mother of Dragons lands at the end? It seems unfamiliar to me
15:11 <+hyper_ch> use /msg for not spoiling :)
15:12 <@krzee> but eugene loves spoilers
15:13 -!- krzee was kicked from #openvpn by Eugene [krzee]
15:15 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
15:15 -!- mode/#openvpn [+o krzee] by ChanServ
15:16 <@krzee> you're making me want to configure vpnhelper to protect me
15:17 <+hyper_ch> ???
15:30 -!- Eugene was kicked from #openvpn by Eugene [op abuse]
16:01 -!- remirol is now known as lorimer
20:19 <@ordex> !vpnhelper
20:19 <@vpnHelper> "vpnhelper" is "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
20:19 <@ordex> !goodmorning
20:20 <@ordex> !learn goodmorning is good morning! it's always morning somewhere in the world
20:20 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
20:20 <@ordex> !learn goodmorning as good morning! it's always morning somewhere in the world
20:20 <@vpnHelper> Joo got it.
20:20 <@ordex> !goodmorning
20:20 <@vpnHelper> "goodmorning" is good morning! it's always morning somewhere in the world
20:20 <@ordex> goed
20:20 <@ordex> now we can start this day
20:48 <@krzee> lol
20:50 <@krzee> !gm
20:50 <@krzee> !learn gm as [goodmorning]
20:50 <@vpnHelper> Joo got it.
20:50 <@krzee> !tell ordex [gm]
20:50 <@ordex> !gm
20:50 <@vpnHelper> "gm" is "goodmorning" is good morning! it's always morning somewhere in the world
20:58 <@krzee> !tell krzee test
20:58 <@krzee> !tell krzee [!factoids search test]
20:58 <@krzee> !tell krzee [!factoids] search test
20:59 <@krzee> !tell krzee [factoids] search test
20:59 <@krzee> !tell krzee [factoids search test]
20:59 <@krzee> !tell krzee [tell ordex [factoids search test]]
21:00 <@krzee> !tell ordex [tell krzee [factoids search test]]
21:00 <@ordex> it's recursive
21:00 <@ordex> :D
21:00 <@krzee> haha cool
21:08 -!- danhunsaker_ [sid145261@openvpn/corp/danhunsaker] has joined #openvpn
21:08 -!- mode/#openvpn [+o danhunsaker_] by ChanServ
21:09 -!- s7r_ [~s7r@openvpn/user/s7r] has joined #openvpn
21:09 -!- mode/#openvpn [+v s7r_] by ChanServ
21:15 -!- Netsplit *.net <-> *.split quits: @danhunsaker, +s7r
21:15 -!- danhunsaker_ is now known as danhunsaker
21:15 -!- s7r_ is now known as s7r
21:15 -!- n-st- is now known as n-st
21:15 -!- lesbraz is now known as sbraz
21:15 -!- patcable_ is now known as patcable
23:28 -!- CryptoSiD is now known as DyingSiD
--- Day changed Tue Jul 18 2017
00:26 <+hyper_ch> krzee: well, a ticket was opened at yealink :) I'll see how it goes
00:27 <@krzee> nice
00:29 <@ordex> !gm
00:29 <@vpnHelper> "gm" is "goodmorning" is good morning! it's always morning somewhere in the world
00:29 <+hyper_ch> the lst entry was a bit weird though:  " Please send the whole open VPN tar file to me, so I can check more."  -->  do they want also actual certs and keyfiles?
00:29 <@ordex> !tell hyper_ch [gm]
00:29 <+hyper_ch> ordex: that's wrong
00:29 <@krzee> hyper_ch: sure why not, make a PKI for the ticket
00:29 <+hyper_ch> since I consider myself the center of all existance, it only matters where I am :)
00:30 <+hyper_ch> krzee: will do so
00:30 <+hyper_ch> also:  " About the tls-auth and inline keys/certs, I need to check with our RD then give you update."
00:30 <@krzee> i doubt they support inline, but nice if they do
00:30 <@ordex> hehe
00:30 <@krzee> i bet they have an old ass compile like snom does
00:30 <@ordex> where is this company from ?
00:30 <+hyper_ch> I think china
00:30 <@krzee> yealink? a major voip phone provider
00:31 <+hyper_ch> Sent: 2017年7月17日 18:16
00:31 <+hyper_ch> To: 技术支持
00:31 <+hyper_ch> looks chinese to me
00:31 <@ordex> lol
00:31 <@ordex> good luck then :O
00:31 <+hyper_ch> why?
00:31 <@krzee> Yealink Network Technology Co.,Ltd.
00:31 <@krzee> Add: 4th-5th Floor,South Building,No.63 Wanghai Road,2nd Software Park,Xiamen,China(361008).
00:31 <@ordex> yeah
00:32 <@krzee> shit snom is german and they ignored the shit out of me explaining to them that their openvpn + openssl are both too old and vuln
00:32 <+hyper_ch> I've had fairly good experiences with chinese companies this far
00:32 <+hyper_ch> krzee: you just don't have that "German" vibe ;)
00:32 <@krzee> they are, not me
00:32 <@ordex> hyper_ch: yeah, just joking. it depends on the company. my experience is that most of the HW companies have no real clue about SW
00:32 <@krzee> http://forum.snom.com/index.php?showtopic=15138
00:32 <@vpnHelper> Title: vulnerable ssl in the snoms - General topics - snom Forum (at forum.snom.com)
00:32 <+hyper_ch> yeah, they are German.. you're not... and you don't have that German vibe :)
00:33 <@krzee> and so, https://secure-computing.net/wiki/index.php/Decompressing_Snom_Firmware
00:33 <@vpnHelper> Title: Decompressing Snom Firmware - Secure Computing Wiki (at secure-computing.net)
00:34 <+hyper_ch> krzee: you only gave them 4-5 years for software update... that's a bit short.... it's not a multi-billion dollar company that can fix things in 90 days (and sometimes not)
00:34 <@krzee> lol
00:35 <+hyper_ch> I mean also 15 years to deploy ipv6 is way too short
00:35 <+hyper_ch> good things take time
00:37 <@ordex> :D
00:37 <+hyper_ch> and the bot has now a !tell command... good to know
00:37 <@ordex> baking slowly is always best
00:37 <+hyper_ch> it's like breweing coffee
00:37 <+hyper_ch> you can do it the "normal" way... rush the water through in a minute or so... but the hotness will also increase bitterness
00:38 <+hyper_ch> or you can cold brew your coffee which takes several hours for a cup
00:38 <@krzee> hyper_ch: thats not new, !tell always existed
00:38 <+hyper_ch> !xxx >  user    would still be easier IMHO :)
00:42 <+hyper_ch> I should also upgrade my servers to debian 9
00:44  * ordex has 8.8
00:44 <@ordex> is it outdated already?
00:44 <@ordex> 9 is unstable, no ?
00:45 <+hyper_ch> 9 became stable like 3 weeks ago
00:45 <+hyper_ch> https://www.debian.org/News/2017/20170617
00:45 <@vpnHelper> Title: Debian -- News -- Debian 9 "Stretch" released (at www.debian.org)
00:45 <@ordex> oh!
00:45 <+hyper_ch> Jun e17th
00:45 <+hyper_ch> new openssl version :)
00:46 <@ordex> :)
00:46 <@ordex> I should upgrade too then
00:46 <+hyper_ch> I usually wait a bit :)
00:48 <+hyper_ch> so, gotta get to work, then I create new ca etc...
00:51 <@krzee> meh you guys just convinced me to update from 8.5 on a production server lol
00:51 <@krzee> if this causes me to actually work this week i blame you both
00:54 <@ordex> :D
00:54 <@ordex> there is no owncloud repo for debian9 yet ..
00:54 <@ordex> I have to wait then ..
00:56 < kerio> 1) zfs snap
00:56 < kerio> 2) there's no step 2
00:56 <@krzee> where am i?
00:57 <@krzee> #freebsd? is that you?
00:57 < kerio> i mean it's not my fault you picked the wrong root filesystem
01:01 <@krzee> im only unpacking 218 packages for the upgrade
01:02 <@krzee> lol
01:06 -!- ohnx- is now known as ohnx
01:38 <@krzee> 457 more packages from 8.8 to 9
01:38 <@krzee> wish me luck
01:47 <@ordex> enjoy
01:47 <@ordex> :D
01:48 <@krzee> i *bet* you that ejabberd gives me problems
01:48 <@krzee> cause it always does
01:48 <@krzee> it hates being upgraded
02:03 <@krzee> and 258 more for dist-upgrade :D
02:07 <@krzee> and this is headless lol
02:15  * russell-- is using easyrsa3 from github, created a root ca key, and an intermediate ca key, used the intermediate to sign server and client keys, somewhat confused about how to point at the crt files, is the config's ca supposed to be the intermediate or root ca?
02:16 <@krzee> you should not need an intermediate
02:16 <@krzee> unless you have a special case... do you?
02:19 < russell--> i want to keep the root-ca key offline
02:19 <@krzee> i do the same, but how is your setup any safer if the intermediate is online?
02:20 < russell--> also, i'd like to be able to delegate signing to others, without sharing the root key
02:21 < Kadigan> Sounds like a problem I'd come in with, and the answer would typically be "take a security class or two" ;D
02:22 < russell--> older openvpn docs seem to recommend this approach and it seemed to solve my delegation problem
02:22 <@krzee> so the root key will be used for other things?
02:22 < russell--> the root key will sign intermediate keys
02:23 <@krzee> like maybe multiple branch offices running their own pki?
02:23 < russell--> different people will build clients keys, i want those people to have their own signing keys
02:24 <@krzee> ok so root ca signs intermediate ca which signs clients
02:24 < russell--> yes
02:25 <@krzee> each side will use its ca.crt to check the other side of the connection, so use the ca,crt that signed the other side
02:26 < russell--> https://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html
02:26 <@vpnHelper> Title: RSA Key Management (at openvpn.net)
02:26 <@krzee> thats hella old
02:26 <@krzee> !easy-rsa
02:26 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
02:27  * Kadigan sees "hella", thinks "Life is Strange"
02:27 <@krzee> we (community) dont have access to change http://openvpn.net/... so theres quite a few outdated docs on it
02:27 <@vpnHelper> Title: OpenVPN - Open Source VPN (at openvpn.net)
02:29 < russell--> yeah, i understand it's old, i'm just trying to wrap my head around how the root-ca.crt is referenced in order to validate the host and client crt's
02:39 <@krzee> im talking to devs to understand it better, i have never had a need for intermediate ca
02:42 < russell--> in the language of https://github.com/OpenVPN/easy-rsa, i have created a sub-CA, and want to understand how to configure the end points when their certs are signed by the sub-CA
02:42 < tx> You should, intermediate certificates improve the chain of trust. :)
02:44 <@krzee> i am the chain of trust
02:44 <@krzee> why issue myself intermediate certs?
02:44 <@krzee> :D
02:45 < russell--> i have learned not to trust myself
02:45 <@krzee> then you cant issue yourself an intermediate ca cert
02:45 <@krzee> since it has the same level of trust and all...
02:46 <@krzee> (unless you have multiple intermediates owned by different people)
02:46 -!- jaroslav is now known as Guest5040
02:46 <@krzee> but since *i* am not different people, i think that'll be fine
02:46 <@krzee> russell--:
02:47 <@krzee> it should be possible to 'chain' (just concat) the intermediate cert to the client cert, but I recall something about that only working client->server, not the other way around
02:47 <@krzee> so client could have 'cert <inter|client>' and servers 'ca <root>' and that should work
02:47 <@krzee> (copied from the person i asked)
02:49 <@krzee> so youd cat intermediate-ca.crt root-ca.crt > client-ca.crt
02:49 <@krzee> then clients get client-ca.crt and server(s) get root-ca.crt
02:49 < russell--> for the ca option?
02:50 <@krzee> right
02:50 < russell--> okay, i'll giv that a whirl
02:50 <@ordex> whirl russell-- whirl :)
02:52 < russell--> bingo!
02:52 <@krzee> it worked?
02:52 < russell--> yes
02:52 <@krzee> now for my learning benefit
02:52 <@krzee> was both client and server signed by intermediate CA?
02:53 < russell--> yes
02:53 < russell--> root signed subca, subca signed both the server and client.
02:54 < russell--> the server's ca is just the root-ca.crt
02:54 < russell--> the client's ca is the concatenation of the subca.crt and root-ca.crt
02:54 <@krzee> nice
02:58 < russell--> thanks!
02:58 <@krzee> you're welcome =]
02:59 < russell--> it might be nice to write that down somewhere for the next person ;-)
03:00 <@krzee> i would if i fully understood how it works :D
03:00 <@krzee> still trying to wrap my head around why server side gets only root cert and client gets the combined
03:01 <@krzee> !intermediateca
03:01 <@krzee> !learn intermediateca as youd cat intermediate-ca.crt root-ca.crt > client-ca.crt and then clients get client-ca.crt and server(s) get root-ca.crt
03:01 <@vpnHelper> Joo got it.
03:03 <@krzee> good enough i guess :D
03:03 <@ordex> russell--: are you using openssl or mbedtls ?
03:03 <@ordex> not sure it makes a difference, but wanted to be sure
03:06 < russell--> ordex: openvpn-openssl at the moment
03:06 <@ordex> ok
03:07 < russell--> i wanted to switch to mbedtls but ran into some problem i don't currently remember
03:07 < russell--> since it saved 700k or something ;-)
03:07 <@krzee> i like mbed as well
03:08 <@krzee> i believe openssl needs a rewrite, and mbed seems to be said rewrite
03:10 <@krzee> as expected, ejabberd is not starting lol
03:21 <+hyper_ch> krzee: I think I managed now with the yealink
03:21 <+hyper_ch> pebkac :)
03:21 <@krzee> what was the problem?
03:21 <+hyper_ch> vpn.conf != vpn.cnf
03:21 <@krzee> heh
03:21 <@krzee> so it did upload the tar
03:21 <+hyper_ch> yeah... it's booting my fake ca now
03:22 <@krzee> if you did the tcpdump you'd have known that :-p
03:22 <+hyper_ch> tcpdump is too advanced magic for me
03:25 <+hyper_ch> next check is if inline and tls-auth works also
03:29 <+hyper_ch> my cold brewed coffee is ready :)
03:47 <+hyper_ch> krzee: it works with inline certs and tls-auth
03:47 <@krzee> nice
03:47 <@krzee> so what version?
03:48 <+hyper_ch> how to find out?
03:48 <+hyper_ch> can I find out from server side?
04:02 <+hyper_ch> krzee: that's the config I use:  https://paste.simplylinux.ch/view/raw/980f8d5c
04:04 <@krzee> cant get a logfile still?
04:04 < russell--> ordex: just retried openvpn-mbedtls, no workie
04:05 < russell--> not super clear why, even with debugging turned up to 6 on the client
04:07 <+hyper_ch> krzee: I was able to get some log file but vpn version isn't stated
04:07 <@krzee> verb 4
04:07 <+hyper_ch> on the phone or on the server?
04:08 <@krzee> i think it'll be in there
04:08 <@krzee> on the phone
04:08 <+hyper_ch> will it log to syslog?
04:08 <+hyper_ch> if I don't provide a log file?
04:08 <@krzee> it can based on settings
04:08 <+hyper_ch> let me test it
04:08 <@krzee> ive gotta fix my ejabberd setup too
04:10 <+hyper_ch> I have verb 5
04:10 <+hyper_ch> shouldn't that already provider more info?
04:18 <+hyper_ch> and I still need an adapter for the yealink to connect to my jabra headset
04:21 <+hyper_ch> ok, set yealink logging to max level I think
04:32 <+hyper_ch> krzee: can't find anything
04:55 <@ordex> russell--: I think that it simply depends on how the library takes care of the cert file
04:56 <@ordex> russell--: I think openvpn simply gives the entire content to the SSL library and openssl might be able to parse it, while mbedtls might not ... although syzzer might know more about thios
04:56 <@ordex> *this
05:04 <+hyper_ch> ecrist: how comes you don't like easyrsa?
05:08 <+hyper_ch> krzee: seems they still run openvpn 2.2
05:10 <+hyper_ch> http://forum.yealink.com/forum/showthread.php?tid=40953&pid=60056#pid60056
05:10 <@vpnHelper> Title: Updated and Comprehensive VPN Guide (at forum.yealink.com)
06:05 < Aprexer> Tue Jul 18 12:01:06 2017 Error in add_block_dns_filters(): FwpEngineOpen: open fwp session failed : There are no more endpoints available from the endpoint mapper.   [status=0x6d9]
06:05 < Aprexer> I've ran openvpn as admin and no luck
06:37 <@ordex> Aprexer: on windows ?
06:38 < Aprexer> yeah
06:38 < Aprexer> I removed it from config and now I get dnsleaks which I don't want.
08:20 <+hyper_ch> krzee: so, now I keep track of the configs that I create https://github.com/sjau/sipGenVPN
08:20 <@vpnHelper> Title: GitHub - sjau/sipGenVPN: Small collection of bash scripts to create client config files for SIP hard- and softphones (at github.com)
08:39 <@ecrist> hyper_ch: it's a hot mess
08:40 <@ecrist> ironically, I'm the current maintainer (though I don't do much)
08:51 <+hyper_ch> I know you're the maintainer
08:51 <+hyper_ch> but why is it a mess?
10:06 < zetheroo1> when I am connected to my work's VPN I can ping/nslookup/dig wiki.domain.local, but in the browsers it doesn't resolve
10:12 <@ordex> zetheroo1: weird - have you  configured a proxy in your browser ?
10:13 < zetheroo1> not that I know of
10:13 < zetheroo1> Same in all three browsers (Chrome, FF and Chromium)
10:15 < zetheroo1> Host OS: Ubuntu 16.04
10:25 <@ordex> zetheroo1: not sure what to say .. I'd give a try at wireshark and see what's going on at the traffic level
10:25 <@ordex> might be faster
10:35 < zetheroo1> odd thing is that I can get to https://host but not to https://site.domain.local
10:39 < zetheroo1> ok, I have wireshark installed
10:51 <@plaisthos> .local over vpn is asking for trouble
10:51 <@plaisthos> just use ips
10:51 <@plaisthos> or go down the dns rabbit hole :P
10:52 < zetheroo1> ips you say ... so like http://wiki.hostIP ?
10:54 < zetheroo1> plaisthos: I don't know how to use an IP to access a site
10:59 <@ordex> zetheroo1: http://IP
10:59 <@ordex> but then it won't work with vhosts
10:59 < zetheroo1> yeah
10:59 <@ordex> unless you want to fix that manually in your /etc/hosts file
10:59 <@ordex> but .. meh
11:00 < zetheroo1> can do ... if it's a matter of slapping a couple lines in there
11:00 < zetheroo1> :)
11:50 < Aprexer> Error in add_block_dns_filters(): Fwp Engine Open: open fwp session failed : There are no more endpoints available from the endpoint mapper. [status=0x6d9] Any ideas?
11:50 < Aprexer> Running it as admin
12:24 < Eugene> Sounds like one of the cool new errors added in 2.4 for the Windos stuff. Sorry, no idea.
12:24 < Eugene> Try #openvpn-devel
12:33 < Aprexer> What dns resolver by default use?
13:08 < Henry151> hello all y'all
13:08 < Henry151> a while back I was trying to set up my own VPN and I haven't messed with it in a long while
13:09 < Henry151> my goal is to have a desktop at home that's always on acting as a server, or else a VPS running somewhere as the server, and have the dozen or so laptops that I help maintain all set up to easily connect to the VPN, so that I can access any of them through SSH remotely
13:10 < Henry151> so that if say my dad is connected to the internet from a wifi hotspot in an airport somewhere, he can connect through the VPN, and I can then SSH into his machine to help him with whatever he's trying to do
13:10 < Henry151> is openvpn the way to do this?
13:13 < Eugene> In theory, yes. In practice that sounds horrible unless you have tight control over the endpoint devices
13:17 < Henry151> Eugene: can you elaborate on that a bit?
13:17 < Henry151> I'm not sure I understand what you mean, and I'm sure I don't understand why that would be
13:17 < Kobaz> sooooo
13:18 < Eugene> "I can SSH into his machine" is a lot of assumptions rolled-up into one
13:18 < Kobaz> 2017-07-18 14:16:25 MANAGEMENT: >STATE:1500401785,WAIT,,,,,,
13:18 < Kobaz> 2017-07-18 14:16:26 Connection reset, restarting [-1]
13:18 < Kobaz> what would cause that?
13:18 < Kobaz> i'm behind a who knows what router, and i'm doing a tcp vpn on port 443
13:19 < Kobaz> i cant get a fully established connection
13:19 < Eugene> What sort of router? A fancy one that can tell the difference between HTTPS and openvpn-over-port-443, I'm guessing?
13:19 < Eugene> One with content blocks built in?
13:19 < Kobaz> yeah maybe, who knows
13:20 < Kobaz> i'm at a vet with free wifi
13:20 < Henry151> Eugene: I would really love to be able to "screen-share" and have mouse/keyboard control of all the machines remotely... but SSH would do
13:20 < Eugene> Henry151 - honestly what you're describing is Chrome Remote Desktop, not openvpn :-p
13:20 < Kobaz> udp vpn wasn't working... i have a tcp server as a backup
13:20 < Henry151> Eugene: but Chrome Remote Desktop wouldn't be as secure, would it?
13:20 < Eugene> Kobaz - my honest guess is that its the firewall doing what it is supposed to, especially if its already blocking UDP. "Talk to your ISP"
13:21 < Henry151> because I want it to be very secure
13:21 < Kobaz> <p>You don't have permission to access /
13:21 < Kobaz> that's the router
13:22 < Kobaz> hehe
13:22 < Eugene> Henry151 - "secure" is relative. In my professional & personal opinion there is nothing to worry about from Google.... other than reading your emails and selling advertisement space. Its kinda their shtick
13:22 < Kobaz> it's not blocking udp entirely
13:22 < Kobaz> i can get some packets through to the box
13:22 < Kobaz> oooh
13:22 < Kobaz> you know what i can do
13:22 < Kobaz> this might be a little slow
13:23 < Kobaz> i can ssh tunnel a local port and then use that as the vpn server address
13:23 < Henry151> hmm. Can chrome remote desktop work cross-platform? I'm running debian, some of the laptops in question are mac, some are windows
13:23 < Henry151> others are also debian
13:23 < Eugene> Its always worked great for me. Its not actually RDP, its chrome screen-sharing + their own magic sauce
13:23 < Eugene> Kobaz - SOCKS proxy is probably what you want :-p
13:23 < Kobaz> nah
13:23 < Kobaz> why would i want to proxy
13:24 < Kobaz> i just want to vpn to my office
13:24 < Eugene> No, for openvpn
13:24 < Kobaz> i can just ssh tunnel
13:29 < Kobaz> connected
13:29 < Kobaz> that was easy
13:29 < Eugene> Yay
13:29 < Kobaz> now my server is just localhost, connecting through a ssh tunnel
13:30 < Kobaz> 64 bytes from 192.168.5.2: icmp_seq=0 ttl=62 time=60.040 ms
13:30 < Kobaz> not too shabby
14:29 <+hyper_ch> krzee:  Yes, Yealink phones support tls-auth and inline keys/certs and the version is 2.2.x
14:29 <+hyper_ch> I got that from yealink support
14:47 <@krzee> howd they compile it with a .x version? :D
14:48 <@krzee> and sounds like you'll have the same issues as the snom phones i was talking about yesterday
14:49 <@krzee> There is a HMAC key leak in openvpn 2.3.0 and before.
14:49 <@krzee> and if their openvpn is that old, so is their openssl
15:24 < havoc> openvpn doesn't have any proxy capability, does it? e.g. connect to a single server, and get reconnected/redirected to another server?
15:25 < Eugene> openvpn can connect to a SOCKS proxy, but it does not have any proxy daemon built in. You can build advanced logic as you are describing in hook scripts, but that is not part of the core
15:25 < havoc> ok, thanks
15:32 < havoc> I'm writing a "provisioning" script for on --client-connect to the default server
15:33 < havoc> gonna split ~2,000 clients across 16 servers, udp:1195-201, and /25's
15:34 < havoc> I guess I'll just push a server-specific client conf for each one, no biggie, since I'm also using unique keys for all
15:34 < havoc> gonna just give them "static" IPs too, via ccd
15:34 < havoc> but still using nsupdate/dynamic zone for dns
15:35 < Eugene> Sounds like you're familiar enough with the moving pieces
15:35 < havoc> got that working already, and don't want to mess with editing bind zone files
15:35 < havoc> just brushing up on my bash, it's been a while ;)
15:36 < havoc> don't have to deal w/ race conditions w/ nsupdate either
15:36 < havoc> but do have to flock on the provisioning script, since it's handing out IPs
15:36 < havoc> clients are these little Ubiquiti ER-X routers
15:37 < Eugene> Ahhhh yes, I think you've been around for a while with different parts
15:37 < havoc> already have an SSH key for the vpn server in their configs too, which makes automating easier
15:37 < havoc> yeah, I've been around here, off and on, for a decade or so?
15:37 < havoc> been in the industry a while
15:38 < havoc> these ubnt devices are pretty slick, not os good as whatever it was krzee was recommending, but they're $43/ea., and can be purchased in bulk
15:39 < havoc> and we need 2,000+ of them
15:46 <@krzee> mine were $35 each with no quantity discount :D
15:46 <@krzee> but who knows about bulk on those lol
16:16 < havoc> krzee: ah, not bad
16:18 < havoc> what's that distro they use?
16:18 < havoc> LEDE?
16:33 <@krzee> well they come running the tplink software
16:33 <@krzee> but ya, i make custom LEDE roms for them using the lede-imagebuilder
17:24 < redrabbit> hi
17:41 <@krzee> in fact havok, i just found 68 of the tplink routers for under $2 each
17:41 <@krzee> well +$5.50 shipping, whatever
17:41 <@krzee> https://www.amazon.com/gp/offer-listing/B001FWYGJS/ref=sr_1_1_olp?ie=UTF8&qid=1500417428&sr=8-1&keywords=tplink+841&condition=new
17:42 <@krzee> oh nevermind 68 as low as $2, still they cheap
17:42 < havoc> it's also an issue of what I can get approval for :(
17:42 <@krzee> right
17:42 <@krzee> but good to know for the next round ;]
17:43 < havoc> yes, yes it is, thank you :)
17:43 <@krzee> i have like 8 of those new in box
17:43 <@krzee> just cause, i know i'll need more openvpn routers eventually
17:43 <@krzee> every camera system i setup gets one, every remote office setup i setup get multiple
17:43 < havoc> at least as long as I hang in this industry, which isn't much longer, I hope ;)
20:36 < Elon_Satoshi> !heartbleed
20:36 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl, or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised., or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected., or (#4)
20:36 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed, or (#5) http://xkcd.com/1354/
20:39 < Elon_Satoshi> So how do I set up openvpn on my router?
20:40 < Elon_Satoshi> Err, or any vpn?
20:40 < Elon_Satoshi> Not sure if I want to hassle with running openvpn itself on my router, just wanna configure it for openvpn
20:47 <@krzee> huh?
20:47 <@krzee> obvious troll is obvious :-p
20:57 <+DArqueBishop> Elon_Satoshi: if you're not trolling, it depends on the router and firmware.
20:58 < Elon_Satoshi> Ah. Would installing openwrt helo?
21:00 <+DArqueBishop> LEDE is the better choice, as it's essentially the current version of OpenWRT.
21:01 <+DArqueBishop> I have an OpenVPN server running on a LEDE router.
21:16 <@ordex> moin
21:27 <@krzee> moinmoin
21:38  * ordex is currently playing with openvpn on arm64 (pine64)
21:38 <@ordex> running ubuntu - not sure lede supports that arch
21:39 <@ordex> although we could work on it :]
21:42 <@krzee> nice
21:42 <@krzee> lede does arm64 but dunno about the specific device
21:43 <@krzee> https://downloads.lede-project.org/snapshots/targets/arm64/generic/
21:43 <@vpnHelper> Title: Index of /snapshots/targets/arm64/generic/ (at downloads.lede-project.org)
21:45 <@ordex> even better
21:45 <@ordex> we just need a profile then
21:45 <@ordex> if the arch is already there
21:45 <@ordex> I already suffered enough to create a .deb of openvpn-2.4.3 for xenial on arm64 (aparently they are sticking to 2.3.10 + patches)
21:46 <@krzee> why wouldnt they want 2.4!?
21:46 <@krzee> its ++
21:46 <@ordex> mah! why!
21:52 < a1fa> hello; has anyone run into a bug with openvpn and openbsd's rdomain? starting openvpn in a specific rdomain fails to complete
21:53 <@krzee> i havent seen anybody mention it... but you may be the first user ive ever seen say "rdomain" here
21:53 <@krzee> we dont get a lot of openbsd people around here
21:54 <@krzee> http://linux-unix-open-source.1053819.n5.nabble.com/ratble-and-rdomain-support-on-dhcpd-and-openvpn-td5900036.html
21:55 <@krzee> seems you run openvpn then add the interface to the rdomain, which you could do with a --route-up script
21:55 <@krzee> !script
21:55 <@vpnHelper> "script" is (#1) See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage#lbAS, or (#2) to see all vars available to a script, you can env > /tmp/env, or (#3) if using bash you can put exec 2>&1 in the first line of your script and it will send all error output to
21:55 <@vpnHelper> your openvpn log. set -x as well to show your commands as they are executed
21:56 <@krzee> hah somebody else suggests the same thing later in the thread
21:56 < a1fa> krzee: that's what i am doing
21:57 < a1fa> or having to resort to
21:58 <@krzee> oh so thats working?
21:58 < a1fa> yeah
21:58 < a1fa> i configred a tun3 interface
21:58 < a1fa> and put it into rdomain 3
21:58 < a1fa> start openvpn in rdomain 0; it provisions tun3
21:58 < a1fa> but routes fail, because rdomain 0 vs 3
21:59 < a1fa> which i guess is not a big dea
21:59 < a1fa> +:
22:09 <@krzee> you could have the --route-up script add routes too if you want
22:09 <@krzee> with whatever special options you need
22:10 <@krzee> dump the env and check it out, it gets all the route info
22:24 < a1fa> krzee: that worked
22:24 < a1fa> krzee: the only non dynamic part is the netmask
22:25 < a1fa> which i think can be fixed with -netmask
--- Day changed Wed Jul 19 2017
00:02 <+hyper_ch> krzee: why should one use ovpn 2.4 instead of 2.2?
04:26 < ndk> morning
04:43 <+hyper_ch> krzee: so, now my Jabra is also connected to my Yealink :)
05:49 < ndk> I've managed to successfully setup and connect, but have no local or internet access
05:50 < ndk> UFW is set to allow, as is my router
05:53 <+hyper_ch> !goal
05:53 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:53 <+hyper_ch> !configs
05:53 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
05:54 < ndk> thank you hyper_ch
05:55 < ndk> !goal Access internet and local resources on home network
05:56 <+hyper_ch> so you want to route all your internet traffic through the vpn?
05:56 < ndk> Yeah
05:57 <+hyper_ch> do you run the vpn server?
05:57 < ndk> I do
05:58 < ndk> The server is running correctly, and i am able to connect via an iOS client
05:58 <+hyper_ch> !configs
05:58 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
05:58 < ndk> Working on that, just a moment
05:58 <+hyper_ch> server needs to have ipforward enabled
05:58 <+hyper_ch> also you may want to
05:58 <+hyper_ch> !def1
05:58 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
06:01 < ndk> How much of the server.conf needs removing (apart from comments) ?
06:04 < ndk> !config https://pastebin.com/eC67ejLG
06:04 <@vpnHelper> Error: 'supybot.https://pastebin.com/eC67ejLG' is not a valid configuration variable.
06:05 < ndk> Oops. Am i to just directly paste configs into the channel?
06:06 <+hyper_ch> no, you're just supposed to paste the url to the pastebin into the channel
06:06 <+hyper_ch> the ! is a command for the bot
06:06 < ndk> Oh, apologies
06:07 <+hyper_ch> so, you have a vpn server
06:07 <+hyper_ch> does it have a public ip address?
06:07 < ndk> It does
06:07 <+hyper_ch> and you have a computer... probably in your lan
06:07 <+hyper_ch> right?
06:07 < ndk> Right
06:08 <+hyper_ch> so, that computer in your lan should still be able to access other computers, devices in your lan, right?
06:08 < ndk> Correct, yes
06:08 <+hyper_ch> but if makes a request to the internet, then it should go through the vpn server?
06:08 < ndk> Ah, no
06:08 < ndk> Say im connecting from an iOS client whilst on 4G
06:09 < ndk> I'd like to access files at home via the VPN, in addition to routing 4G data through the vpn.
06:10 <+hyper_ch> now I see
06:10 <+hyper_ch> first thing, you'll need to check, what lan your mobile phone provider supplies you
06:10 <+hyper_ch> usually, mobile devices are in a private subnet
06:10 <+hyper_ch> and 192.160.x.x is quite popular
06:10 <+hyper_ch> so you might have already issues there
06:12 < ndk> Forgive me, i'm not sure what you mean
06:12 <+hyper_ch> if you are connected to 4g
06:12 <+hyper_ch> you don't havee a public ip on your phone (usually)
06:12 <+hyper_ch> but usually you are in a private subnet
06:12 <+hyper_ch> you need to find out what your mobile phone provider uses
06:12 <+hyper_ch> so that it won't clash with the private subnet you're using at home
06:13 < ndk> 94.197
06:13 < ndk> 94.197.120/*
06:14 <+hyper_ch> !lan
06:14 <+hyper_ch> damn, what was it again
06:16 <+hyper_ch> and your home lan is 192.168.10.x?
06:16 <+hyper_ch> but what's 192.168.20.x?
06:18 <+hyper_ch> !scope
06:18 <+hyper_ch> well, https://openvpn.net/index.php/open-source/documentation/howto.html#scope
06:18 <@vpnHelper> Title: HOWTO (at openvpn.net)
06:19 < ndk> Yes the home lan is 192.168.0.x
06:21 <+hyper_ch> you don't push 192.168.0.x
06:21 <+hyper_ch> you push 10.x
06:21 <+hyper_ch> and 20.x
06:24 < ndk> Ah yes, i see
06:24 < ndk> It's now pushing 192.168.0.x instead
06:37 < ndk> That didn't appear to solve either issue
06:38 <+hyper_ch> still no client config
06:39 <+hyper_ch> also you'd need to check if your ios device even accepts routing instructions
06:39 <+hyper_ch> and are you sure you did enable ipforwarding?
06:39 <+hyper_ch> !ipforward
06:39 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
06:40 < ndk> I have enabled forwarding in /etc/sysctl.conf, yes
06:41 < ndk> I will attempt to connect via a laptop client instead of iOS, to rule that out
06:42 <+hyper_ch> did you reboot after altering sysctl?
06:43 < ndk> I did not. I'll try that
06:43 < ndk> I assume because i made kernel changes and the new kernel wasnt loaded
06:44 < ndk> This box is also my znc server, so i'll disconnect momentarily
06:47 <+hyper_ch> no, just altering the config has no effect
06:47 <+hyper_ch> you'd need to reboot or restart according service or
06:47 <+hyper_ch> !linipforward
06:47 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
06:47 <+hyper_ch> echo 1 > ....   will enable it on-the-fly
06:49 < ndk> Unbeleivable.
06:49 < ndk> I am such a muppet
06:49 < ndk> Loading the new kernel worked via a restart, i can't beleive it was something that simple causing me 2 days of headaches
06:50 <+hyper_ch> it's all in the
06:50 <+hyper_ch> !howto
06:50 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
06:51 < ndk> Yeah i read the docs, i must have missed the restart part
06:51 < ndk> Thanks for your help hyper_ch
06:53 <+hyper_ch> actually, it seem that ip forwarding isn't in the howto... at least I couldn't fin dit
06:53 <+hyper_ch> found it:  Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN server machine.
06:57 < ndk> Yeah, that part i got, it was just the restart that got me
06:58 -!- czart__ is now known as czart
07:09 -!- DeathShot_ is now known as DeathShot
07:21 < Knyaz> hi. how can I tell if my ca.crt is expired? how long does it usually last for?
07:26 < Knyaz> I was under the impression that my cert is valid for 10 years
07:28 <+hyper_ch> depends on what you did when you created it
07:29 < Knyaz> i get handshake error
07:29 < Knyaz> i can paste it
07:29 < Knyaz> hang on
07:29 < Knyaz> https://pastebin.com/XzicmAyn
07:30 <+hyper_ch> openssl x509 -noout -text -in ca.crt
07:32 <+hyper_ch> check expiration date with the above
07:32 < Knyaz> valid until 2023
07:32 < Knyaz> so something wrong with the client cert?
07:33 < Knyaz> I do not do this often, so forgive me if I sound like a noob
07:33 <+hyper_ch> no idea
07:33 <+hyper_ch> do operate the vpn server?
07:34 < Knyaz> before, i used to have three files in the client side in the config folder
07:34 < Knyaz> yeah the server is mine
07:34 <+hyper_ch> I have 4
07:34 <+hyper_ch> ca, client.crt and client.key and ta.key for tls-auth
07:34 <+hyper_ch> so you created all the certs and stuff?
07:35 < Knyaz> yes me
07:35 < Knyaz> i don't have tls auth
07:35 <+hyper_ch> did you follow a howto?
07:35 <+hyper_ch> tls-auth is recommended
07:35 < Knyaz> everything was working fine before
07:35 < Knyaz> no changes were done on the server side
07:35 <+hyper_ch> hard to pin point then
07:35 < Knyaz> i just lost the client certs
07:35 <+hyper_ch> client certs should still be where you generated them originally
07:35 < Knyaz> and installed new windows
07:36 <+hyper_ch> in case you didn't delete them
07:36 < Knyaz> i think they are still there
07:36 < Knyaz> i am just confused about the new version of openvpn client for windows
07:36 < Knyaz> when I copy them to the config folder they are not recognized by the openvpn gui
07:37 < Knyaz> let me try this first. how can I clear all the configs from the openvpn gui?
07:37 < Knyaz> right clicking gives me an option to import config, but not to erase it
07:38 <+hyper_ch> no idea what new gui you're talking about
07:39 < Knyaz> talking about the vpn client in the task bar in lower right corner
07:39 < Knyaz> shows the connection, you can right click it, shows the logs, etc... (called openvpn gui? no?)
07:40 <+hyper_ch> he openvpn gui client hasn't changed for years
07:40 <+hyper_ch> so I don't know what you're talking about
07:40 < Knyaz> for windows it changed
07:40 < Knyaz> it was different in 2013
07:41 < Knyaz> when I set it up first
07:42 <+hyper_ch> there might or might not be an option to clear config... never needed to use it
07:43 <@plaisthos> yes there have been changes but not nothing major
07:43 <@plaisthos> you might have used a different ui
07:56 < Knyaz> is there a way to clear all the configs from windows openvpn client ?
08:25 <+hyper_ch> probably delete them from c:\Programs\OpenVPN\config\ or whatever the path is
08:36 < Knyaz> ok i'm starting to remember now
08:38 < Knyaz> i just generated new client.crt client.key and ca.crt.client and placed them into the c:\Programs\OpenVPN\config\
08:38 < Knyaz> made sure that server.ovpn has entries for client.crt client.key and ca.crt.client
08:38 < Knyaz> all located in the same folder
08:40 < Knyaz> but still get the same error
08:40 < Knyaz> Jul 19 09:36:15 oruvmlnd ovpn-server[5374]: 46.216.29.251:64617 TLS Error: TLS handshake failed
08:40 < Knyaz> Jul 19 09:36:15 oruvmlnd ovpn-server[5374]: 46.216.29.251:64617 SIGUSR1[soft,tls-error] received, client-instance restarting
08:43 < Knyaz> ideas?
08:43 < havoc> Knyaz: firewall
08:43 < havoc> firewall and/or route, but 99% of the time it's firewall, usually local
08:43 < Knyaz> havoc: those logs are from the server
08:44 < havoc> yes
08:44 < havoc> but the problem is *usually* the client firewall
08:44 < havoc> but it's probably a firewall issue on the client, or server
08:45 < Knyaz> I see
08:45 < Knyaz> yeah, this notebook might have a firewall
08:45 < havoc> but can also be routing, although not as often
08:45 < havoc> Knyaz: Windows client?
08:45 < Knyaz> yeah windows
08:45 < Knyaz> I can try it from my iphone, but not sure how to place all those files into one .ovpn profile
08:46 < havoc> Knyaz: simple solution/test...
08:46 < havoc> Knyaz: add an Inbound Advanced rule in the Windows firewall
08:46 < havoc> Knyaz: call it Allow All for openvpn.exe
08:47 < havoc> Knyaz: all scopes, all IPs, all profiles, all ports, all everything, but for a single program: openvpn.exe
08:47 < havoc> Knyaz: 99% of the time that solves the problem
08:47 < Knyaz> i see
08:47 < Knyaz> well
08:47 < Knyaz> the thing is, this windows 7 laptop has locked firewall
08:47 < Knyaz> this is why I want to format it and install windows 10 on it
08:47 < Knyaz> the only other thing I can test now is with my iphone
08:48 < Knyaz> i have openvpn client on my iphone which works with other vpn servers
08:48 < havoc> then you have a problem, as I add that rule I just stated on all Windows OpenVPN clients for the TLS reason
08:48 < Knyaz> how can I combine all the client related files into one .ovpn file?
08:48 < Knyaz> this way I will try it on my iphone, where I actually intend to use it a lot
08:49 < havoc> Knyaz: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV
08:49 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
09:15 < Knyaz> still getting the TLS handshake error
09:15 < Knyaz> i should be able to telnet on the port which vpn server is running on from the remote computer right?
09:15 < Knyaz> but I cannot telnet
09:17 <@ordex> Knyaz: not on udp
09:17 <@ordex> Knyaz: are you using tls-auth or tls-crypt ?
09:22 < Knyaz> do not think I am using any
09:22 < Knyaz> in server.conf I have the following line ;tls-auth ta.key 0 # This file is secret
09:23 < Knyaz> from this laptop I am able to connect to other vpn server from freeopenvpn.org
09:23 < Knyaz> but not to mine (
09:23 < ndk> Wouldn't removing the ; at the start of the line resolve TLS issues?
09:23 < Knyaz> same thing with the phone
09:24 < Knyaz> well, it was working fine a few years ago
09:24 < Knyaz> and I didn't really make any changes to the server
09:24 < Knyaz> well, besides updating it
09:25 < ndk> Different version could have brought new changes to config etc
09:25 < Knyaz> this is Debian 8 by the way, and I believe it was Debian 7 when I first installed openvpn server in it
09:26 < Knyaz> do you want me to try to remove the ; ?
09:26 < Knyaz> in server config?
09:26 < ndk> I'm inclined to say yes, try it
09:27 <@ordex> that will enable the tls-auth
09:27 <@ordex> if not configured on the clients too, will just not work
09:27 < Knyaz> oh I see
09:27 <@ordex> so, if also on the client is commented (or does not exist at all) then it is ok
09:28 <@ordex> but you can;t have it enabled on one side and disabled on the other
09:28 < Knyaz> yeah it does not exist now on the client side
09:28 <@ordex> alright
09:28 < Knyaz> but if I enable it on both sides, will it help with my issue?
09:28 <@ordex> no
09:28 < Knyaz> ok
09:28 <@ordex> Knyaz: have you already pasted the server and client log with verb 4 ?
09:28 < Knyaz> nope not yet
09:29 <@ordex> !logs
09:29 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
09:29 <@ordex> please do
09:29 <@ordex> and also
09:29 <@ordex> !configs
09:29 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
09:29 <@ordex> that will help troubleshooting
09:32 < Knyaz> ordex: i'll do that in a few. please stand by
09:32 <@ordex> Knyaz: sure :)
09:38 < Knyaz> verb 4 setting on the server side will change verbosity for both server and client right?
09:38 <@ordex> no
09:38 <@ordex> each one needs its own setting
10:16 < havoc> hmm, I can use inclues in the server conf, right?
10:16 < havoc> that'll make creating 16 new server processes a lot easier
10:17 < havoc> then each specific conf only needs port,dev,push route-gateway,ifconfig,ifconfig-pool,status
10:20 < havoc> --config, that's what I want :)
11:12 < Knyaz> ok back
11:14 < Knyaz> ordex: on server side running Debian 8 the log you want to look at is /var/log/syslog right?
11:14 <@ordex> Knyaz: whatever is configured for the server - might be that or might be a specific log file you have configured
11:14 <@ordex> Knyaz: maybe it's better to start by pasting the configs
11:14 <@ordex> there we can see where the log is
11:16 < Knyaz> understood
11:16 < Knyaz> on it
11:19 < Knyaz> server.conf https://apaste.info/HCbc
11:22 < Knyaz> client.conf https://apaste.info/eSVl
11:26 < Knyaz> is there a way to send all openvpn server related logs to a separate log file? because right now they are going to /var/log/messages and /var/log/syslog
11:26 < Knyaz> i think it would be good to have /var/log/openvpnserver.log
11:27 < Eugene> Knyaz - you mean, like the --log option?
11:29 < Knyaz> i just want to know how to do it if it is possible
11:31 < Knyaz> client verb 4 log https://apaste.info/xuGO
11:33 < Knyaz> so is there a way to set the location of the openvpn server log?
11:34 < Knyaz> ordex: are you here?
11:34 <@ordex> Knyaz: yup
11:34 <@ordex> Knyaz: yes, as the man says: --log
11:35 < Knyaz> could you provide an example? this would be set in server.conf right?
11:37 < Knyaz> log-append /var/log/openvpn.log
11:37 < Knyaz> like that?
11:38 < Knyaz> let me try it
11:38 <@ordex> that also works
11:38 <@ordex> it depends what you prefer :)
11:39 <@ordex> Knyaz: there is the error
11:39 <@ordex> Wed Jul 19 19:29:14 2017 us=885558 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=NJ, L=Newark, O=VMLX Netwark, CN=oruvmlnd, emailAddress=vmlx.network@gmail.com
11:39 <@ordex> Wed Jul 19 19:29:14 2017 us=885558 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
11:39 <@ordex> the client can't verify the server certificate and thus shuts the door
11:40 < Knyaz> i prefer append
11:41 <@ordex> Knyaz: ^^
11:41 < Knyaz> so what should be done?
11:42 < Knyaz> I generated the client cert according to my notes from a few years ago
11:42 <@ordex> error=self signed certificate in certificate
11:42 < Knyaz> not sure where I made a mistake
11:42 <@ordex> I think this is the problem now
11:42 <@ordex> well, new SSL library
11:42 <@ordex> stricter checks, I think
11:42 <@ordex> you have a self signed cert
11:42 < Knyaz> oh yeah
11:43 <@ordex> don't you have a CA that signs the rest?
11:43 < Knyaz> nope it was always self signed
11:43 < Knyaz> i don't mind generating a new CA
11:43 <@ordex> I think the newer SSL does not like this anymore
11:43 < Knyaz> I see
11:43 < Knyaz> what do you recommend?
11:43 <@ordex> to generate your own CA and then generates certs with it
11:43 <@ordex> you can use easyrsa for that
11:44 <@ordex> it simplifies your job a lot
11:45 < Knyaz> is there a guide on how to do this?
11:46 <@ordex> yep
11:46 <@ordex> !easyrsa
11:46 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA, or (#4) Source checkouts available from the github project.
11:46 <@ordex> there you go :)
11:46 < Knyaz> also, another question is i noticed in the server log there are old hostnames listed under IFCONFIG POOL LIST
11:46 < Knyaz> i want to clear all that out and start fresh
11:47 <@ordex> I think those are store in the pool file, it is probably configured in your config
11:47 <@ordex> then open the file and clean them
11:51 < Knyaz> got it
11:51 < Knyaz> i cleared it
11:51 < Knyaz> ok back to CA
11:51 < Knyaz> so..
11:51 < Knyaz> i need two linux servers right?:
11:51 < Knyaz> i have one in london and one in the US
11:51 < Knyaz> should work right?
11:53 <@ordex> sure
11:53 <@ordex> one CA
11:54 <@ordex> to generate as many server and client certs as you want
14:25 < Knyaz> ordex still here?
14:26 < Knyaz> the server which i want to use for CA is centos 7
14:26 < Knyaz> I am trying to install easyrsa, but i cannot locate it using yum
14:26 < Knyaz> or is it only part of openvpn installation?
14:28 < vectr0n> Knyaz, its in the epel repo
14:29 < vectr0n> it can be used for lots of things, so isnt openvpn specific
14:30 < Knyaz> vectr0n: i have epel repo but for some reason cannot find it using 'yum search easyrsa'
14:30 < vectr0n> cuz its easy-rsa
14:30 < Knyaz> oh
14:30 < vectr0n> :)
14:31 < vectr0n> first google result provided me with this info ;)
14:38 < Knyaz> installed easy-rsa
14:42 < Knyaz> hmm
14:42 < Knyaz> where is the easyrsa binary installed to?
14:42 < Knyaz> cannot find it
14:45 < Knyaz> vectr0n
14:47 < Knyaz> from which path do I execute this command from the guide ./easyrsa init-pki
14:50 <@krzee> hyper_ch: for one thing, 2.2 has a vuln that makes HMAC sigs basically useless
14:50 <@krzee> and 2.2 would likely mean that is has a similarly old array of openssl bugs
14:50 <@krzee> shit i bet its on linux 2.6 kernel :D
14:51 <@krzee> !easy-rsa
14:51 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
14:53 < Knyaz> krzee: the easy-rsa i installed from epel is no good?
14:56 < Knyaz> nevermind downloaded 3.0.1 from github
15:25 <@krzee> better luck?
15:29 < Knyaz> krzee: well
15:29 < Knyaz> i just finished signing the cert
15:30 < Knyaz> but not exactly sure what to do next
15:30 <@krzee> make more?
15:30 < Knyaz> krzee: at step 5 currently https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/README.quickstart.md
15:31 <@vpnHelper> Title: easy-rsa/README.quickstart.md at v3.0.0-rc1 · OpenVPN/easy-rsa · GitHub (at github.com)
15:31 <@krzee> use them?
15:31 < Knyaz> right right
15:31 < Knyaz> this is the first time i'm doing this
15:31 < Knyaz> trying to understand what to do
15:33 < Knyaz> Transport the newly signed certificate to the requesting entity. This entity may also need the CA cert (ca.crt) unless it had a prior copy.
15:33 < Knyaz> to which folder do i transfer ca.crt and the signed cert?
15:38 <@krzee> whereever you plan on using them
15:40 < Sagan> hi there :) I originally installed openvpn via https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh, that worked fine. Then my server had a reboot, now it does not start up anymore. Even a complete reinstallation does not fix that. service openvpn@server status only shows:
15:40 < Sagan> ovpn-server[2362]: daemon() failed or unsupported: Resource temporarily unavailable (errno=11)
15:40 < Sagan> can somebody help me with this?
15:41 < Knyaz> krzee: lol well i copied them to the openvpn server
15:41 < Knyaz> krzee: but which folders should those files be in?
15:43 < Knyaz> so now I have this
15:43 < Knyaz> /etc/openvpn/easyrsa-3.0.1/pki/
15:44 < Knyaz> /etc/openvpn/easyrsa-3.0.1/pki/private/selsovet.key
15:44 < Knyaz> ca.crt and selsovet.crt
15:44 < Knyaz> not sure where to copy them
15:47 < Sagan> nvm, got a fix for my problem
15:48 <@krzee> so the thing is, theres no default directories for openvpn
15:48 < Knyaz> krzee: /etc/openvpn/easyrsa-3.0.1/pki/ca.crt
15:48 <@krzee> if you're running linux i guess you can toss them in /etc/openvpn if you wanna
15:48 <@krzee> wherever you want so long as your configs know where you put them
15:49 < Knyaz> oh ok
15:56 < Knyaz> okay, now i have all three files in /etc/openvpn
15:56 < Knyaz> now I should copy them to the client side?
16:02 <@krzee> client needs its own key/cert
16:03 <@krzee> every client needs their own
16:04 < Knyaz> krzee: ok. so.. for the client i need to repeat steps 2-6,
16:04 < Knyaz> krzee: ?
16:06 <@krzee> On the separate system that is requesting a certificate, init its own PKI and generate a keypair/request. Note that the init-pki is used only when this is done on a separate system (or at least a separate PKI dir.) This is the recommended procedure. If you are not using this recommended procedure, skip the next import-req step as well.
16:07 <@krzee> ^ that is recommended because clients can generate their own keys and give the csr to the CA admin who returns a signed cert without ever seeing the key
16:07 < Knyaz> wait, i'm passed the error message
16:07 <@krzee> if you're doing it all yourself you dont need to  ./easyrsa init-pki or do any of step 3
16:07 < Knyaz> but a get new error now
16:08 < Knyaz> Options error: You must define DH file (--dh)
16:08 <@krzee> i gotta go, just follow the directions
16:08 < Knyaz> ok thanks
16:08 <@krzee> np
16:08 <@krzee> the dh file is literally on the same page, read it all before you start (always)
16:10 < Knyaz> got it thanks
18:05 < havoc> hmm, if I have a single "provisioning" server, then the provisioning script should have to worry about locking, as openvpn is single threaded
18:06 < havoc> but may be best to flock it anyway
18:56 <@krzee> you could also use temp filenames specific to the client
18:57 <@krzee> then you never have to worry about it, even though as you said openvpn is single threaded and can only process 1 client at a time through the scripting interface (plugin interface is different btw)
18:58 <@krzee> havoc: ^
19:20 < havoc> krzee: I'm going to assign IPs to ccd files
19:21 < havoc> krzee: so it needs to be atomic
19:21 < havoc> I'll just wrap it in a flock
19:33 <@krzee> oh, why static?
20:17 <@krzee> and wouldnt every ccd file have a different filename too...?
20:22 <@ordex> morning
20:25 <@krzee> bonjour
20:25 < havoc> krzee: was gonna nsupdate, but if I'f generating a key for every client, it's not much more to give them an IP
20:25 < havoc> but probably still nsupdate it
20:25 < havoc> and yes, diff files for all clients
20:26 <@krzee> i guess that's true, except that you'll need way more IPs that way
20:26 <@krzee> you said most wont be on most the time
20:26 < havoc> no, they all will be, ideally
20:26 <@krzee> oh ok
20:26 <@krzee> nevermind then :D
20:26 < havoc> linux should be able to handle ~2,000 tiny files in one dir
20:27 < havoc> or I could break them up by server, but one dir is easier
20:28 <@krzee> you'll have many server processes using 1 ccd dir?
20:28 <@krzee> (thats fine, just checking if i understood)
20:28 < havoc> yes, is that a problem?
20:28 < havoc> ok
20:28 <@krzee> actually its a good way to deal with the issue that you can only fit so many clients per server proc
20:29 < havoc> tomorrow is all about the provisioning, assuming nothing else blows up in the meantime
20:29 <@krzee> hell i have a quad cpu 16core at work, that could run like 60 openvpn servers lol
20:29 < havoc> I've got most of the groundwork done
20:29 < havoc> this is a VM, so we can easily up the power
20:30 <@krzee> its less about power and more about cpu cores
20:30 <@krzee> well and power
20:30 <@krzee> but ya
20:30 < havoc> vCores, whatever, yeah
20:30 <@ordex> krzee: what do you do with that ? :D
20:30 <@ordex> other than running zillions of openvpn servers?
20:30 <@ordex> :P
20:31 <@krzee> currently running memtest86 on its 32gb of ecc ram
20:31 <@krzee> later it and its twin will replace the DB server
20:31 <@krzee> you can get insanely strong used rackmount servers on ebay for cheap
20:32 <@krzee> these will be raid 10, they have 6 HD bays but i'll only use 4 and 2 hot spares each
20:33 <@krzee> for example: http://www.ebay.com/itm/1U-Supermicro-Server-H8DGU-F-2x-AMD-6128-8-Core-32GB-Mem-HW-SATA-Raid-Rail-/152619146800?hash=item2388cf5e30:g:hIUAAOSwVJhZVUOA
20:33 <@krzee>  Details about  1U Supermicro Server H8DGU-F 2x AMD 6128 8 Core 32GB Mem HW SATA Raid Rail       $185
20:34 <@krzee> !ping
20:34 <@vpnHelper> pong
20:35 <@krzee> http://www.ebay.com/itm/1U-Supermicro-Server-H8DGU-F-2x-AMD-Opteron-6272-16-Core-Total-32-Cores-48GB-/152619237041?hash=item2388d0beb1:g:DV8AAOSw-ldZZA95
20:35 <@krzee> 1U Supermicro Server H8DGU-F 2x AMD Opteron 6272 16 Core (Total 32 Cores) 48GB     $371
20:36 <@krzee> cause tech companies replace entire cages every couple years after they amortized the cost of the hw over the years used, then they sell it off cheap
20:37 < havoc> they dumpster them; they can't legally sell them if they've taken the tax credits/amortization
20:37 <@krzee> then their friend grabs them from the dumpster, and boom ebay
20:37 < havoc> that can/does happen, yes
20:38 <@krzee> i used to get kingston ram back in the 90s for like 70% off (fell of the back of a truck ;] )
20:38 <@krzee> and thats back when ram wasnt cheap
20:38 < havoc> I've gotten a lot of gear from companies after it's been completely amortized, because they can't sell it
20:39 <@krzee> and boom ebay
20:39 <@krzee> haha
20:39 < havoc> I was litterally doing them a favor by "disposing" of it, at no cost to them
20:39 < havoc> nah, I only grabbed stuff I wanted
20:48 <@krzee> what was her name
22:30 < everythingorange> Hey all, I recently set-up openvpn on my Rpi at home. I've forwarded the appropriate port on my router to my Rpi, but I'm still not able to successfully connect when I run sudo openvpn X.conf. Any suggestions?
22:30 < everythingorange> If it helps, I used pivpn to set-up the VPN
22:31 <@ordex> everythingorange: is the rpi acting as client or server ?
22:31 < everythingorange> I ran a wireshark capture from the client machine, I see my computer trying to communicate with my public ip addr. but no response. TCP dump on the Rpi also shows no bits.
22:31 < everythingorange> ordex: the rpi is the server
22:33 <@ordex> everythingorange: ok, are you trying to connect within the same lan ?
22:34 < everythingorange> ordex: Currently, yes. I'm using a laptop as the client.
22:34 <@ordex> oky
22:34 <@ordex> if you are within the same LAN, the port forwarding on the router is not important
22:34 <@ordex> can you paste the configs ?
22:34 <@ordex> !configs
22:34 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
22:34 <@ordex> and the logs?
22:34 <@ordex> !logs
22:35 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
22:35 <@ordex> that will help understanding what's going on
22:35 < everythingorange> Sure, let me fire up a pastebin.
22:36 <@ordex> k
22:38 < everythingorange> ordex: https://pastebin.com/yBMDiqQs Here are the client configs and the server config.
22:38 < everythingorange> !logfile
22:38 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
22:42 < everythingorange> Here is the output when I try to connect https://pastebin.com/19L2jfFK, I get a TLS handshake failure. I know the server is not receiving any data, but I cannot figure out why as the port is forwarded and I believe pivpn has no firewall in place.
22:52 <@ordex> everythingorange: no cert/key on the client ?
22:52 <@ordex> everythingorange: you also have tls-auth enabled on the server but nothing on the client
22:52 <@ordex> ?
22:52 <@ordex> !howto
22:52 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
23:04 <@ordex> everythingorange: ?
23:27 < everythingorange> Sorry, I was afk for a sec. The Cert and Private key are there, but I didn't post that section.
23:28 < everythingorange> Most of the stuff was auto-generated with Pivpn and most of it made sense to me.
23:52 <@ordex> everythingorange: ok .. next time just omit the value but not the config option :P
23:52 <@ordex> everythingorange: is tls-auth also configure on the clinet ?
23:52 <@ordex> *client
23:53 < everythingorange> @ordex: mb for that :P I was just trying to be super cautious of what I post lol
23:54 < everythingorange> I believe so, there is a certificate and private key in the client config file.
--- Day changed Thu Jul 20 2017
00:03 < everythingorange> I'm about to sleep for work ordex, but I PMed you,
00:18 <@ordex> everythingorange: cert and key is ok, but "tls-auth" has to go on both ends (or none)
03:59 <+hyper_ch> hi krzee
07:43 < Knyaz> hello guys
07:43 < Knyaz> so i generated key pair and ca on the server side
07:43 < Knyaz> not sure what to do next
07:43 <+hyper_ch> create dh
07:43 <+hyper_ch> create tls-auth cert
07:43 <+hyper_ch> setup configs
07:43 <+hyper_ch> and start openvpn
07:43 < Knyaz> configs are there
07:44 <+hyper_ch> got dh?
07:44 <+hyper_ch> how did you create certs?
07:45 <+hyper_ch> what do configs look like
07:45 <+hyper_ch> so many questions
07:45 <+hyper_ch> oh, probably enalbe ipfowarding on the server
07:45 < Knyaz> q
07:46 < Knyaz> hmm
07:46 < Knyaz> when i start openvpn server it tells me this
07:47 < Knyaz> https://apaste.info/r1cJ
07:47 < Knyaz> where do I need to enter the password?
07:47 < Knyaz> i thought the password is in the key
07:47 <+hyper_ch> what password?
07:47 <+hyper_ch> did you create certs with a password?
07:47 <+hyper_ch> how did you create the certs?
07:48 < Knyaz> I followed this guided https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/README.quickstart.md
07:48 <@vpnHelper> Title: easy-rsa/README.quickstart.md at v3.0.0-rc1 · OpenVPN/easy-rsa · GitHub (at github.com)
07:48 < Knyaz> using two separate servers
07:49 < Knyaz> i would rather not use passwords at all
07:49 <+hyper_ch> Knyaz: oh.... I follow another guide - insecure PKI since I issue all certs and keys
07:49 <+hyper_ch> I follow that:  https://community.openvpn.net/openvpn/wiki/EasyRSA3-Insecure-PKI
07:49 <@vpnHelper> Title: EasyRSA3-Insecure-PKI – OpenVPN Community (at community.openvpn.net)
07:50 <+hyper_ch> the small change I do is this:  ./easyrsa build-client-full client1   -->  I use      ./easyrsa build-client-full client1 nopass    so that the client1.crt   does not have a password
07:51 < Knyaz> oh cool
07:51 < Knyaz> thanks
07:51 < Knyaz> let me try this
07:56 -!- czart_ is now known as czart
07:56 <+hyper_ch> Knyaz: it's labelled as insecure because you don't just sign the cert requests but you create them on your own....
07:56 < Knyaz> i see
07:56 < Knyaz> can i do it all from one linux server where openvpn is installed?
07:56 <+hyper_ch> yes
07:56 < Knyaz> ok cool
07:57 <+hyper_ch> well, I have actually the whole cert thing in a seperate vm where I create everything
07:57 <+hyper_ch> also little script to auto-create config files for clients
07:57 <+hyper_ch> with integrated keys/certs
08:01 < Knyaz> hmm. how come it generated ca.key and server.key? inside pki/private folder?
08:02 <+hyper_ch> it's what easyrsa does nowadays
08:19 < Knyaz> generated everything for the client, the client says TLS handshake failed
08:19 < Knyaz> and nothing in the logs on the server side
08:20 <+hyper_ch> !configs
08:20 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:21 < Knyaz> server.conf https://apaste.info/thXn
08:22 < Knyaz> client.conf https://apaste.info/a9oz
08:24 <+hyper_ch> (1) in he server it should reference the server.key and server.crt
08:24 <+hyper_ch> or is oruvmlnd.crt the actual server cert?
08:24 < Knyaz> yeah oruvmlnd.crt
08:24 < Knyaz> is correct
08:25 < Knyaz> client log https://apaste.info/6MIo
08:25 <+hyper_ch> I just leave it as "server" for me :)
08:26 <+hyper_ch> Knyaz: ca ca.crt.softnb that is also correct?
08:26 < Knyaz> yep
08:27 <+hyper_ch> update --ns-cert-type to   --remote-cert-tls
08:27 <+hyper_ch> what's the log on the server?
08:27 <+hyper_ch> is server port open?
08:28 <+hyper_ch> firewall?
08:29 < Knyaz> port is open
08:30 <@ordex> Knyaz: you see nothing on the server when the client tries to connect? is verb on the server 4 ?
08:33 < Knyaz> server log https://apaste.info/ifb9
08:33 < Knyaz> there is stuff going on in the server log when the client is trying to connect
08:34 <+hyper_ch> I think you got confused with the certs somewhere
08:34 <+hyper_ch> configs look all fine
08:34 <+hyper_ch> client can talk to openvpn server
08:34 <+hyper_ch> it just can't authenticated so I think you mixed up with certs somewhere
08:38 < Knyaz> for the servers in the server config i pointed the keys and certs in the right folders where they were created
08:38 < Knyaz> maybe have to redo the client?
08:39 <+hyper_ch> I'd create another instanace and this time naming the certs  server   and   client
08:39 <+hyper_ch> just to be sure it's all fine and no mix-up
08:39 <+hyper_ch> once you get it working, you can using different names IMHO
08:44 < Knyaz> okay
08:44 < Knyaz> i'll do it now
09:15 < Knyaz> server startup log looks good? https://apaste.info/HYJ1
09:15 < Knyaz> just generated new cert
09:17 <+hyper_ch> try to connect with a clinet
09:18 < Knyaz> i did
09:18 < Knyaz> still not working
09:19 < Knyaz> server.conf https://apaste.info/kNGH
09:20 < Knyaz> client.conf https://apaste.info/LQnF
09:21 < Knyaz> client log https://apaste.info/Iluz
09:22 <+hyper_ch> no idea
09:23 <@ordex> Knyaz: can you paste the log of the client with verb 4 ?
09:23 <@ordex> oh
09:23 <@ordex> sorry it's the last link
09:23 <@ordex> Thu Jul 20 17:16:28 2017 us=268496 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
09:24 <@ordex> are you sure ca.crt is the right one ?
09:24 <@ordex> and that exprity date is in the future? :P
09:24 < Knyaz> server log https://apaste.info/PzFG
09:24 <@ordex> Knyaz: it's the client that stops the connection becaue of the error above
09:24 < Knyaz> ordex: the ca.crt in the client I took it from the server
09:25 <@ordex> hmm#
09:25 <@ordex> why wouldn't it verify the server cert ...
09:26 < Knyaz> ordex: the ca.crt i got from /etc/openvpn/easyrsa-3.0.1/pki
09:26 <@ordex> yeah
09:26 <@ordex> that's correct
09:29 <@ordex> Knyaz: not sure if an higher verb might give some more clue .. but can you try running the client with verb 5 ?
09:30 < Knyaz> sure
09:31 <@ordex> just the client is enough as we have found out that the problem is happening there
09:31 < Knyaz> client log verb 5 https://apaste.info/guCj
09:32 <@ordex> no nothing helpful
09:32 < Knyaz> what the hell ((
09:33 <@ordex> Knyaz: could you copy server.crt on the client and run
09:33 <@ordex> openssl verify -CAfile ca.crt server.crt
09:33 <@ordex> ?
09:33 <@ordex> you can first run it directly on thr server
09:33 <@ordex> *the
09:38 < Knyaz> ordex: client is windows 7
09:38 <@ordex> Knyaz: oh
09:38 <@ordex> openssl command line does not exist there ?
09:38 <@ordex> mh I can imagine it is not even installed system wide
09:38 < Knyaz> i don't know never tried it
09:38 <@ordex> you can try, but try on the server first
09:39 <@ordex> it should say OK
09:39 <@ordex> (same as openvpn should just work..)
09:39 < Knyaz> ok sounds good
09:39 < Knyaz> i have another linux server which could be openvpn client for test
09:39 < Knyaz> if required
09:40 <@ordex> that's an option too, but first I'd try on the server
09:40 < Knyaz> k
09:40 < Knyaz> sec
09:41 < Knyaz> root@oruvmlnd /var/tmp# openssl verify -CAfile ca.crt server1.crt
09:41 < Knyaz> server1.crt: OK
09:41 <@ordex> as expected
09:41 <@ordex> can you verify the client cert too ?
09:42 < Knyaz> root@oruvmlnd /var/tmp# openssl verify -CAfile ca.crt client1.crt
09:42 < Knyaz> client1.crt: OK
09:43 <@ordex> ok
09:43 < Knyaz> maybe there is something wrong with port 443 on the server?
09:43 <@ordex> if this is the same ca.crt that is saved on the server, then i don't understand why it does not work
09:43 < Knyaz> same exact one
09:43 <@ordex> nope, because the connection works fine, it is the client that then rejects the server client
09:43 <@ordex> can you look at the content just to be 100% sure?
09:44 < Knyaz> this is the same exact ca.crt
09:44 <@ordex> the content of the file on the server and the one used by the client
09:44 <@ordex> ok
09:44 <@ordex> :/
09:44 <@ordex> weird
09:45 < Knyaz> yeah ..
09:46 < Knyaz> i even checked by opening ca.crt
09:46 < Knyaz> and the content is the same
09:46 <@krzee> you dont check by opening
09:46 <@krzee> you check by checking the sha/md5 hashes
09:47 <@krzee> for example:
09:47 <@krzee> smallaptop ~ # sha256sum UBCD537.iso
09:47 <@krzee> cbc31178c50d0792fed1f6da678b3226796b9f9914eb2c81c9a85d0dde6cb5c9  UBCD537.iso
09:47 < Knyaz> i know how to check sum on linux but not on windows
09:48 <@krzee> yet its only a google away
09:49 < Knyaz> i just asked in #windows
09:49 <@krzee> palm ---> face
09:50 <@ordex> LOL
09:50 <@krzee> http://www.lmgtfy.com/?q=windows%20md5%20hash
09:50 <@vpnHelper> Title: LMGTFY (at www.lmgtfy.com)
09:54 < Knyaz> check verified md5sum of ca.crt on both ends server and client
09:54 < Knyaz> hrrrmmm
09:56 < Knyaz> ya ya let me google that for you joike is too old and not funny anymore
09:57 < Knyaz> maybe there is something simple that we are overlooking?
09:58 < Knyaz> in the configs maybe?
10:01 <@ordex> might be .. but it's very simple ..
10:03 < Knyaz> the configs are like 4 years old
10:03 < Knyaz> maybe something needs to be changed for the latest versions?
10:04 < Knyaz> I have a centos box which I can try as a vpn client. but its running apache on the same port 443
10:05 <@ordex> if you want to use it as a client it's ok
10:06 < Knyaz> let me try then
10:06 <@ordex> Knyaz: how about removing ns-cert-type server from the config?
10:06 <@ordex> I am not sure it can affect your situation, but just an attempt ..
10:07 < Knyaz> hah
10:08 < Knyaz> it worked!
10:08 <@ordex> :p
10:08 < Knyaz> thanks bro!
10:08 < Knyaz> knew it was something stupid
10:08 <@ordex> check the man
10:08 < Knyaz> the what?
10:08 <@ordex> if you want to still use it there is a more modern alternative
10:09 <@ordex> the manpage
10:09 <@ordex> and read up for that option, if you still want to use it
10:09 < Knyaz> what does that do anyway?
10:09 < Knyaz> ok so am I good to go?
10:09 <@ordex> well, if you read the man you'll find out :P
10:09 < Knyaz> my ip address changed
10:09 < Knyaz> as it should
10:09 <@ordex> well it connected :_
10:09 <@ordex> :)
10:10 < Knyaz> whatismyip.com shows openvpn server's external IP yay!
10:16 <@ordex> Knyaz: mission complete ;)
10:17 < Knyaz> ordex: oh yeah thanks guys
10:17 < Knyaz> time to test free google voice calling
10:17 < Knyaz> ))
10:17 <@ordex> Knyaz: btw hyper_ch told you earlier to change that :P
10:17 <@ordex> [2125.26] <+hyper_ch> update --ns-cert-type to   --remote-cert-tls
10:17 <+hyper_ch> ‎[15:25] ‎<‎hyper_ch‎>‎ update --ns-cert-type to   --remote-cert-tls
10:18 <+hyper_ch> ordex: :)
10:18 <@ordex> :D
10:20 < Knyaz> hmm. i think hangouts recognizes that I am on vpn
10:20 < Knyaz> still says I have to pay
10:49 < tkla> Hello guys
10:50 < tkla> Can you tell me if Openvpn V2.1_rc22 still getting security updates?
10:50 <@krzee> lol no
10:50 <@krzee> hahah
10:50 <@krzee> thats sooooo long ago
10:50 < tkla> I have a router here where it seems to be built in, at least what the documentation says
10:51 <@krzee> that must be before 2010
10:51 < tkla> Does this version support     Signature Algorithm: sha256WithRSAEncryption  ??
10:51 <@krzee> no idea
10:51 <@krzee> so old
10:51 <@krzee> it supports every bug found in openvpn and openssl in the last 7 or more years!
10:51 < tkla> Would you have a look for me into a log file?
10:52 <@krzee> i guess i can look, but i dont have any interest in supporting openvpn 2.1 at this point lol
10:52 <@krzee> find a router you can install LEDE on
10:53 < tkla> well you know
10:53 < tkla> you know what the real shame about that is?
10:54 <@krzee> i do not
10:54 < tkla> It´s a business device supposed to work in industrial enviroments
10:54 <@krzee> lol
10:54 < tkla> yes
10:54 <@krzee> any vpn ran on that will not be secure
10:54 <@krzee> fyi
10:54 < tkla> So WTF?!!!
10:54 < tkla> I would like to find out which version is used to bring the shit back to them
10:54 <@krzee> there will be old openssl bugs, and hmac sigs wont save you because they can be broken pre ovpn2.3
10:55 <@krzee> i thought you know which version is used
10:55 <@krzee> but openvpn --version will tell ya
10:56 <@krzee> smallaptop ~ # cat test
10:56 <@krzee> version
10:56 <@krzee> smallaptop ~ # openvpn test
10:56 <@krzee> OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 20 2017
10:56 < tkla> Well i can´t connect via ssh, something with the ciphers seem to be not working, i have the version from the documentation in the GUI
10:56 <@krzee> or like that, because:
10:56 <@krzee> !--
10:56 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
10:57 <@krzee> you probably have an old as shit ssh too, see if theres some old ass compatibility mode you need to use
10:57 < tkla> krzee: Could you open a private chat so i can paste the log to you?
10:57 <@krzee> and fyi it might be dropbear instead of openssh
10:57 <@krzee> just post it here
10:57 <@krzee> you will be ignored otherwise unless you're trying to pay or something
10:58 <@krzee> !topsecret
10:58 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust., or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
10:58 < tkla> :)
10:58 < tkla> It´s dropbear right
10:58 < tkla> let me see if i can get into this somehow
10:59 < tkla> https://pastebin.com/nrbMuuZ7
10:59 <@krzee> no higher than verb 5
11:00 <@krzee> !verb
11:00 <@vpnHelper> "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info, or (#2) verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage., or (#3) Anything more than 5 is for developer debugging only (special debug build needed)
11:00 < tkla> Sorry i can´t configure that
11:03 < DArqueBishop> If this is a commercial device, you really should be talking to their support.
11:03 < tkla> krzee: So what do you think?
11:03 < Knyaz> any idea why google thinks that I am in united arab nations when I am connected to my VPN server which is in Newark NJ?
11:03 < tkla> It is, and i tell you it´s not cheap.
11:03 < DArqueBishop> Cheap, fast, right.
11:03 < DArqueBishop> Pick two.
11:04 <@krzee> tkla: i think you should get another router, i thought i told ya
11:06 < tkla> Ok
11:07 <@krzee> i have dealt with similar problems
11:07 <@krzee> https://secure-computing.net/wiki/index.php/Decompressing_Snom_Firmware
11:07 <@vpnHelper> Title: Decompressing Snom Firmware - Secure Computing Wiki (at secure-computing.net)
11:07 < tkla> Im connected via SSH now, but the CLI is very limited, no chance to look up for any versions
11:10 < tkla> Thanks for your advice, sad to see that companies in such a critical sector are dealing so bad with the security of their products
11:40 < heller_> hey guys
11:40 < heller_> how do i change my connection names on windows?
11:43 < heller_> oh its that easy
11:43 < heller_> :)
11:52 <+hyper_ch> ecrist: you're there?
12:33 <+hyper_ch> krzee: https://github.com/sjau/sipGenVPN
12:33 <@vpnHelper> Title: GitHub - sjau/sipGenVPN: Small collection of bash scripts to create client config files for SIP hard- and softphones (at github.com)
13:28 < Lann> Heyas
13:30 < Lann> I just set openvpn on a linux server more or less successfully, however my clients are routing ALL traffic through the VPN and I only want to route 10.8.0.0 traffic. I tried adding route-nopull and route 10.8.0.0 255.255.255.0 after the "client" line of my ovpn file on one of the clients but it had no effect at all, all traffic still routed through the vpn. Not sure what else to try
13:31 < DArqueBishop> Lann: if there's a line along the lines of "push redirect-gateway" on the server config, remove it.
13:32 < Lann> k
13:34 < Lann> DArqueBishop: I followed the digitalocean tutorial. So I have this: push "redirect-gateway def1 bypass-dhcp"
13:34 < DArqueBishop> !blogs
13:34 < DArqueBishop> !blog
13:34 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
13:35 < DArqueBishop> Lann: that line is what's causing all traffic to be routed through the VPN server.
13:35 < Lann> those bastards
13:36 < Lann> DArqueBishop: so would I no longer need the no-pull directives on the client?
13:38 < DArqueBishop> Nope. If your VPN network is 10.8.0.0/24 and that's the only network that clients need access to, just put "client-to-client" in the server config and that should be it. You don't need to push a route parameter for the VPN subnet. You only need it for subnets that are outside of your VPN network that you would use the VPN to access.
13:38 < DArqueBishop> Rather, "Nope, you are correct."
13:39 < Lann> ok i am trying that. thank you for helping me out
13:39 < DArqueBishop> I would imagine that the DigitalOcean tutorial is designed for those who are trying to use a VPN for privacy/anonymizing purposes.
13:43 < Lann> It seems to be. I made the changes you described but i'm experiencing the same issue
13:46 < Lann> pasting my config to gist
13:48 < Lann> DArqueBishop: https://gist.github.com/minusreality/15bec15db88cd769ad272e16e3af93a1
13:48 <@vpnHelper> Title: gist:15bec15db88cd769ad272e16e3af93a1 · GitHub (at gist.github.com)
13:49 < DArqueBishop> Did you restart the server?
13:50 < Lann> yes
13:52 < Lann> disconnect the vpn and i'm able to access it (on port 80)
13:53 < Lann> this is windows....do i have to actually restart the openvpn service on the client to get it to reload routes?
13:55 < Lann> tried that, no change
13:55 < wsky> hey, on debian 9 i get https://pastebin.com/5F0e9HTv this
13:56 < wsky> when i try to set up easy-rsa with the vars script
13:58 < Lann> DArqueBishop: Revised with ipconfig and routes: https://gist.github.com/minusreality/15bec15db88cd769ad272e16e3af93a1
13:58 <@vpnHelper> Title: gist:15bec15db88cd769ad272e16e3af93a1 · GitHub (at gist.github.com)
14:00 < wsky> nevermind i know what i did wrong
14:00 < wsky> cheers
14:02 < Lann> is this related to the subnet masks?
14:04 < Lann> DArqueBishop: My server says server 10.8.0.0 255.255.255.0 while the other (eth0) on my client has the same netmask
14:04 < DArqueBishop> The VPN subnet needs to be unique.
14:04 < Lann> maybe thats the issue
14:05 < DArqueBishop> If the client, for example, has 10.8.0.0/24 as the local subnet, you should maybe use a different subnet for the VPN like 10.8.1.0/24.
14:06 < Lann> not so sure if thats related then....the client is on 10.70.2.0 and the vpn is 10.8.0.0
14:06 < Lann> i was just guessing
14:30 -!- dionysus70 is now known as dionysus69
14:41 < Philip_J_Fry> anyone here?
14:41 < Philip_J_Fry> need some help guys
14:42 < Philip_J_Fry> basically i am using IPVanish, but they constantly sabotage their applications in some ways
14:42 < Philip_J_Fry> like V2 - V3 they combined killswitch, so if ipvanish crashes - killswitch disables and traffic runs unencrypted
14:43 < Philip_J_Fry> now they disabled Block LAN Traffic, so my computer sees every device on my network, and they probably see my PC
14:43 < Philip_J_Fry> I could use their servers with a third party open source app, but no idea which app to use there is so many, I would like a separate kill switch, separate LAN block
14:45 < Philip_J_Fry> I have contacted them about these issues, but it is futile, they give me a runaround of "try reinstalling" etc. last time they suggested I use a different application with their server list
15:20 <@krzee> Philip_J_Fry: sorry but even if their support sucks and wont help, we're still not their support
15:20 <@krzee> !provider
15:20 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team., or (#2) Please contact their support team.
15:21 <@krzee> maybe switch to a provider who has support that works for you
15:21 < Philip_J_Fry> LOOK
15:21 < Philip_J_Fry> sorry caps
15:21 < Philip_J_Fry> I came for suggestions on open source applications, their servers are fine, i am not looking for support for their application I simply described a problem I have encountered, please read again what I said
15:22 <@krzee> !download
15:22 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn, or (#2) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
15:22 <@krzee> i mean if all you wanted to know was where to download openvpn, id have thought youd have found it before checking irc
15:22 < Philip_J_Fry> are there other maybe better open source applications for openvpn, because usually the source is very concervative on features
15:23 <@krzee> oh really>?
15:23 <@krzee> care to tell me about some of them?
15:23 < Philip_J_Fry> im asking i dont know
15:23 <@krzee> nope
15:23 < Kelsar> all apps i know are just nice frontends to openvpn
15:23 < Philip_J_Fry> like LAN block or separate kill switch
15:23 < Philip_J_Fry> traffic meter
15:23 <@krzee> *no*
15:24 < Philip_J_Fry> ability to check whole list of servers to pick the fastest one with lowest ping
15:24 <@krzee> lol no
15:24 < Philip_J_Fry> so is there a different third party openvpn app that can do that
15:24 <@krzee> dunno, we support openvpn
15:24 < Philip_J_Fry> why cant the app do these things, seems pretty basic
15:25 <@krzee> patches are accepted, feel free
15:25 < Philip_J_Fry> im more into medicine than patching
15:25 <@krzee> so ya, answer is nope
15:25 < Philip_J_Fry> mmmm
15:26 < Philip_J_Fry> you support openvpn protocol or application
15:26 <@krzee> whats the real question?
15:27 < Philip_J_Fry> real question is, additional software, like kill switch and block lan
15:27 <@krzee> unrelated
15:27 < Philip_J_Fry> separate, if openvpn crashes i dont want those key features to crash as well
15:27 <@krzee> but those would happen in the firewall, FYI
15:27 < Philip_J_Fry> ebcause this is the issue right now
15:28 < Philip_J_Fry> right now in my case they happen within the application i use, how do i do it through firewall, i wanted it to be a software so it would be hassle free, in case i need to disable the kill switch
15:28 <@krzee> those things that you have come to expect are part of a vpn are actually just features of a firewall
15:28 <@krzee> you're in windows im guessing...?
15:28 < Philip_J_Fry> yes
15:28 <@krzee> ya i dunno, i dont use windows
15:28 <@krzee> felt like a safe guess tho :D
15:29 < Philip_J_Fry> i cannot afford a mac and linux for me is useless
15:29 < Philip_J_Fry> a lot of niche apps arent being written for linux that I have to use
15:30 <@krzee> cool, still your problem is not openvpn related, talk to your providers support
15:30 < Philip_J_Fry> they actually suggested third party or openvpn software
15:30 <@krzee> cool
15:30 <@krzee> doesnt make us their support
15:30 < Philip_J_Fry> but you tell me that it doesnt even have the killswitch so i am lost, i have just emailed them again a "wtf"
15:31 < Philip_J_Fry> ill stay here until i figure everything out, ive tried setting up openvpn software long long time in the past, it was a pain if i recall correctly
15:31 < Philip_J_Fry> i hope there are youtube tutorials
15:32 <@krzee> we support people who run their own servers
15:32 < Kelsar> Philip_J_Fry: your "features" could be configured in your windows firewall, not an openvpn issue
15:32 < Philip_J_Fry> who does that, apart from chinese and IT
15:32 < Philip_J_Fry> Kelsar: no i know that now
15:33 < Philip_J_Fry> no idea how to do it though
15:33 <@krzee> IT
15:33 <@krzee> exactly, we support IT
15:33 <@krzee> not the customers that vpn providers hustle by convincing them that somehow their connection becomes more secure when they route through the provider
15:33 < Philip_J_Fry> they have reliable servers and service, but their application SUCKS
15:34 < Philip_J_Fry> they didnt convince me uin anything i did some research and picked them, simple as that
15:35 <@krzee> ya i didnt mean you specifically got hustled
15:35 <@krzee> i just hate how they trick people into thinking their connections are secured cause they use a vpn
15:36 < Philip_J_Fry> they intentionally break something on every release, one thing fixed another broken, i think this is orders from NSA tbh, tin foil hat engaged, but those things they do make zero sense
15:36 < Philip_J_Fry> what do  you mean secure
15:37 <@krzee> well like you said you think its the nsa (joking im sure)... but a vpn doesnt stop them from gaining *anything*
15:37 < Philip_J_Fry> i want my connection to be encrypted so my ISP is oblivious to what is happening, that is as far as it goes, and also more security on public networks
15:37 <@krzee> your traffic just pops out of a different place, but its the same traffic as if no vpn
15:38 <@krzee> you just trading your ISP for them and theirs
15:38 < Kelsar> instead of trusting random isp, it is trusting likely much smaller vpn sp
15:38 <@krzee> so if you have a specifically bad ISP, then it could be better
15:39 <@krzee> and regardless of what they say, they all log
15:39 <@krzee> they arent going to jail for what their users do, they log
15:40 <@krzee> https://gist.github.com/joepie91/5a9909939e6ce7d09e29    <-- here ya go
15:40 <@vpnHelper> Title: Dont use VPN services. · GitHub (at gist.github.com)
15:40 < Philip_J_Fry> they log what, encrypted gibberish?
15:40 <@krzee> the vpn endpoints can see all traffic unencrypted
15:41 <@krzee> !vpn
15:41 < Philip_J_Fry> my exit from the VPN provider is mixed with thousands of other users
15:41 <@vpnHelper> "vpn" is http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is
15:41 < Philip_J_Fry> i am aware
15:41 <@krzee> you seem to have vpn and tor confused
15:41 < Philip_J_Fry> no i am not into tor
15:41 <@krzee> your traffic isnt mixxed in any reliable way to hide you
15:41 <@krzee> tor makes an attempt to do that, vpns do not
15:41 < Philip_J_Fry> that is not what i am after
15:41 <@krzee> a vpn is basically a virtual cable between you and the server
15:41 < Philip_J_Fry> VPN with no logging will not log specific user traffic
15:42 <@krzee> nothing more
15:42 < Philip_J_Fry> that is exactly what i want
15:42 <@krzee> cool
15:42 <@krzee> enjoy
15:42 < Philip_J_Fry> yeah, if i get a kill switch and lan block
15:42 <@krzee> thats firewall stuff, nothing to do with vpn
15:42 <@krzee> (a long ethernet cable doesnt come with those)
15:43 < Philip_J_Fry> right but i dont know how to do that, and would prefer to have a separate program doing that
15:43 < Philip_J_Fry> actually, how do i do it through firewall, sounds more reliable
15:43 <@krzee> try a firewall program
15:43 <@krzee> theres plenty for windows
15:43 < Philip_J_Fry> what
15:43 <@krzee> like netlimiter
15:43 < Philip_J_Fry> i thought you meant internal firewall
15:43 <@krzee> that probably works too
15:43 <@krzee> dunno, i dont use windows
15:44 < Philip_J_Fry> I have kaspersky total security
15:44 <@krzee> !learn provider as https://gist.github.com/joepie91/5a9909939e6ce7d09e29 for why not to use vpn providers
15:44 <@vpnHelper> Joo got it.
15:44 <@krzee> Philip_J_Fry: i gave you some pointers, you get to figure out the rest on your own
15:44 < Philip_J_Fry> already have that link ill read it in a bit
15:46 < Philip_J_Fry> hm
15:48 < Philip_J_Fry> so, what if i kept my vpn provider, but used it to connect to my own rented VPS server id create, would that rented server be logged by the renting company?
15:48 < Philip_J_Fry> actually there would be no point of keeping my provider then
15:48 < Philip_J_Fry> vpn provider*
15:50 < Philip_J_Fry> first of all, what i noticed after i started using VPN is that my connection is not throttled to any website, before that my connections would be sent through more nodes, as well as some overpopulated nodes that lost packets, which caused unberably slow connections
15:50 < Philip_J_Fry> so thats a huge plus for me already, plus my ISP is oblivious if i torrent or what not
15:50 <@krzee> ahh nice
15:51 < Philip_J_Fry> the rest - i do use e2e for texts
15:51 <@krzee> so you actually have a *better
15:51 <@krzee> *better* link to the internet when on the vpn?
15:51 < Philip_J_Fry> yeah
15:51 <@krzee> (that's rare, but totally possible, especially in areas with bad links)
15:51 < Philip_J_Fry> in a way yes
15:51 <@krzee> i once had a horrible link to usa, except i could connect to a server of mine in usa great
15:51 <@krzee> so i routed through that server and had a much better internet connection to usa
15:52 < Philip_J_Fry> i have screenshots, i used some show streaming website in europe, directly it would connect over 14 nodes, and one of those nodes in the US would drop packets like crazy, on VPN id go over 11 nodes and no dropped packets
15:52 <@krzee> similar to what you said
15:52 < Philip_J_Fry> see
15:52 <@krzee> ya, it can happen
15:52 <@krzee> not common, but very nice when it happens
15:53 <@krzee> that alone is a good reason to have them
15:53 <@krzee> (the provider)
15:53 < Philip_J_Fry> also one time i was torrenting, right after i got this cool fiber optic conenction, and immediately got a notice that i was reported for torrenting, on previous provider i NEVER got a notice
15:53 <@krzee> and another valid reason ^
15:54 < Philip_J_Fry> my friend was convinced that it was a random report on me, from someone who copied my IP when i was torrenting, but i have a suspicion it was intentional done by ISP
15:54 <@krzee> without knowing anything my guess would be your guess
15:55 < Philip_J_Fry> i am a bit curious though, if i rented a VPS and terrented through it, would I receive a notice, would the company that rented the server receive a notice, would they care etc.
15:55 < Philip_J_Fry> rented a server and turned it into VPS**
15:56 <@krzee> 2 answers:
15:56 <@krzee> 1) i've ran torrents from many datacenters before (thats how i beef up my ratio so i can leech)
15:56 <@krzee> never had a notice in my life
15:56 <@krzee> 2) there are VPS accounts called "seedboxes"
15:56 <@krzee> where they *expect* the traffic to be torrents
15:56 < Philip_J_Fry> heard about 2
15:57 <@krzee> so i KNOW seedboxes dont care
15:57 <@krzee> cause thats their business model!
15:57 < Philip_J_Fry> just to clarify, 1) is what i described, renting server and making it VPS?
15:57 <@krzee> and if you get good download speeds from your seedbox you can download to there (and seed) and grab it from your server
15:58  * Kelsar managed a datacenter
15:58 <@krzee> well 1) was simply my personal experience, i dont have VPS accounts tho
15:58 < Kelsar> atleast in europe you will get a notice, if the DC gets one
15:58 <@krzee> i run my own servers
15:58 <@krzee> Kelsar: hey cool!
15:58 <@krzee> left the DC?
15:58 < Philip_J_Fry> kelsar u managed one in the US or EU
15:58 <@krzee> sounds like in EU
15:58 < Kelsar> krzee: yes, left that position
15:59 < ocb> hello guys
15:59 < Philip_J_Fry> yeah so thats unreliable
15:59 < Kelsar> in EU, Germany to be specific
15:59 < ocb> have a quick question, maybe not that related to openvpn but maybe to the system iteself.
15:59 < ocb> i hope somebody can help me just lost a few hours
16:00 < Philip_J_Fry> kelsar if someone from asia rented a server, turned it into their private VPS, 1) if you got some notice from china to shut it down, would you comply, 2) if you saw some illegal activity on it like torrenting or some other stuff, how would it be handled
16:01 < Philip_J_Fry> and were they logged
16:02 < DArqueBishop> I'm not Kelsar, but I would imagine that #1 would depend on what legal says.
16:02 < Kelsar> Philip_J_Fry: atleast in germany we would need to, no, no logs, since we only (what is the opposite of rent again?) Physical servers we hadn't acces to the machines directly and german law acutaly prohbits logging traffic itself
16:02 < ocb> setting up openvpn server on centos 6, i can connect to it with with tls key and authenticate, but i am unable to visit outside world links, only ping what is inside the internal network on 10.x.x.x./24 for example other vpn users, is there a known solution to this?
16:02 < DArqueBishop> ocb:
16:02 < DArqueBishop> !redirect
16:02 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
16:02 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
16:02 < Kelsar> DArqueBishop: if it is obvious it would be illegal activity, you got no choice at all. but who to decide that
16:03 < ocb> !dn
16:03 < ocb> !dns
16:03 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
16:03 < ocb> !pushdns
16:03 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for
16:03 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
16:03 < DArqueBishop> Kelsar: if it was a legal request (aka, came from an attorney or from a government), I'd hand it off to the lawyers and let them decide.
16:03 < Philip_J_Fry> Kelsar: so everyone should get german based VPN providers because german law says no logging?
16:04 < Kelsar> DArqueBishop: most of the time they just get ignored, only a judge can force something
16:04 < Kelsar> Philip_J_Fry: that is not how it works
16:04  * DArqueBishop is speaking from an American perspective.
16:05 < Kelsar> Philip_J_Fry: if you rent a server in germany, basically anybody can get your personal information the server is registered on, with a bit of effort.
16:06 < Philip_J_Fry> Kelsar: impossible to register under fake name?
16:06 < Kelsar> Philip_J_Fry: well, that would brake the law
16:06 < Philip_J_Fry> in russia i know for a fact you can register servers under fake names no problem
16:06 < DArqueBishop> Philip_J_Fry: I would imagine that in Kelsar's case (and please correct me if I'm wrong), any takedown requests would simply be handed off top the people who own the actual servers.
16:06 < Kelsar> Philip_J_Fry: depends of how strict the company checks, also prepaid would be needed in someway
16:07 < Philip_J_Fry> Kelsar: well bitcoin and what not
16:07 < Kelsar> DArqueBishop: yes, abuse would be forwarded, law enforcement request not, since that is prohibited
16:07 < Kelsar> Philip_J_Fry: i don't know any german DC accepting BC
16:08 < Philip_J_Fry> fair enough
16:09 < Philip_J_Fry> what if, I connect to the german VPS directly, but VPS is connecting to the internet through a VPN provider, second layer of encrypted network, even if VPN provider is logging, its logging a VPS,
16:09 < Philip_J_Fry> nobody to expose
16:09 < Kelsar> Philip_J_Fry: the vpn can always log all of your connections
16:10 < Philip_J_Fry> it would log a VPS
16:10 < Philip_J_Fry> VPN provider would think they are logging someone in germany
16:10 < Philip_J_Fry> would additionally extend the user
16:10 < Kelsar> any hop in your chain can always log your traffic
16:11 < Philip_J_Fry> encrypted gibberish*
16:11 < Kelsar> no, any hop can decipher the traffic
16:11 < Philip_J_Fry> between user and VPS, how would be decipherable
16:12 < Kelsar> on the vps it would be and after that on the vpn provider node again
16:12 < Philip_J_Fry> if the stream is encrypted
16:12 < Kelsar> at one point the traffic needs to be decrypted, at that point it is completly loggable
16:12 < Philip_J_Fry> VPS itself is encrypted under your password, decrypted traffic is encrypted again under VPN provider, only after it exits from the VPN provider its decrypted
16:12 < Kelsar> just a matter of who you want to trust
16:13 < Kelsar> yes, exactly, the vpn provider can log all your traffic
16:13 < Kelsar> that is why things like Tor exist
16:13 < Philip_J_Fry> exactly, not the VPS if you rent and manage it yourself entirely
16:13 < Kelsar> and even that is not 100%
16:14 < Philip_J_Fry> i dont really see the point of doing what i just described anymore
16:14 < Philip_J_Fry> unless you live in china
16:14 < Kelsar> Philip_J_Fry: i don't see the point of chaining VPNs either
16:14 < Kelsar> Philip_J_Fry: your increase in connectivity comes from using different routes, not from the vpn itself
16:15 < Philip_J_Fry> i know
16:15 < Philip_J_Fry> i was trying to come up with a more unloggable solution
16:15 < Kelsar> your VPN just shifts the trust of not logging from your ISP to the VPN SP
16:16 < Kelsar> Philip_J_Fry: you need to decrypt your traffic at one point, if that is one endpoint, it is loggable
16:16 < Kelsar> always the same endpoint i mean
16:16 < Philip_J_Fry> okay so browser traffic is loggable and identifiable because they go beyond looking at exit IP address which is shared
16:17 < Philip_J_Fry> what about applications like e2e apps, IRC, torrent
16:17 < Kelsar> all the same
16:17 < Philip_J_Fry> its loggable, but can it be pinned down to a specific user
16:17 < Kelsar> you always can glog metadata, payload can be encrypted, with SSL likely
16:17 < Kelsar> Philip_J_Fry: yes, it can
16:18 < Kelsar> Philip_J_Fry: like said multiple times, you are shifiting your trust from ISP to VPN Provider
16:18 < Philip_J_Fry> yikes, hope they ignore piracy
16:18 < Philip_J_Fry> its my hobby
16:18 < ocb> !def1
16:18 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
16:19 < Kelsar> Philip_J_Fry: my personal server was pretty safe... guess why
16:19 < Philip_J_Fry> and as gist github tutorial explanation thing states, everyone logs
16:19 < ocb> !nat
16:19 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
16:19 < Philip_J_Fry> why
16:20 < ocb> !linnat
16:20 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
16:20 < Kelsar> because i was the one getting the inquiry on IPs ;)
16:20 < Philip_J_Fry> from who
16:20 < Philip_J_Fry> who does the inquiries
16:20 < Kelsar> law enforcement, the only way you can get such data, even lawyers need to get them through there
16:20 < Kelsar> in germany ofc
16:21 < Philip_J_Fry> and law enforcement gets the inquiry without any court?
16:21 < Kelsar> court issues those
16:21 < Philip_J_Fry> and DC has to comply
16:21 < Kelsar> yes
16:22 < Philip_J_Fry> wow
16:22 < Kelsar> if they can, with rented servers it gets a bit more complicated
16:22 < Philip_J_Fry> when datacenter receives encrytped VPN traffic from user to their VPS, do they know who the traffic came from?
16:22 < Kelsar> Philip_J_Fry: sure
16:23 <@krzee> for the record, EU and specifically germany have strong privacy laws
16:23 < Kelsar> well which ip it did come from, not the persion, but the ISP will know which person it is
16:23 < Philip_J_Fry> why dont they design the network in a way that incoming encrypted stream of data is not indentifiable
16:23 < Philip_J_Fry> identifiable*
16:23 < Kelsar> krzee: yes, but politics is trying hard to get rid of that
16:23 < Kelsar> Philip_J_Fry: how would the traffic ever get to its target and back?
16:23 < Philip_J_Fry> US has governamnce over germany media for 100 or 200 years, dont they have something over network
16:24 < Philip_J_Fry> good point lol
16:24 < Kelsar> Philip_J_Fry: aside that, that is exactly what Tor tries to do
16:25 < Philip_J_Fry> yea but tor nodes can be ran by malicious computers, i read about that, and i am not a terrorist to use tor, there is nothing tor would give me that would benefit me in any way
16:25 < Kelsar> Philip_J_Fry: there is a NSA scandal going on, but people investigating are not allowed to give everyhting to public, in fact german government want to lock the report for 120y...
16:25 < Philip_J_Fry> wow
16:25 < Philip_J_Fry> thats US leverage, 100%
16:26 < Philip_J_Fry> after the war there are several agreements where US has control over germany, it makes me sick
16:26 < Philip_J_Fry> i forgot what its called, and it is impossible to google using keywords, and only if you know the actual law - very little info about it will be available
16:52 <@krzee> [14:23] <Philip_J_Fry> yea but tor nodes can be ran by malicious computers, i read about that, and i am not a terrorist to use tor, there is nothing tor would give me that would benefit me in any way
16:52 <@krzee> tor is not for terrorism
16:52 <@krzee> for the record
16:53 <@krzee> in fact it started as a navy project iirc
16:53 <@krzee> (us navy)
16:54 < Philip_J_Fry> Kelsar: original video and channel were terminated https://www.youtube.com/watch?v=vXYn3uU2nxw
16:54 < Philip_J_Fry> krzee: us navy IRC?
16:56 <@krzee> iirc = if i remember correctly
16:57 < Philip_J_Fry> i think they just use satellites and line of sight encrypted laser data streams, helps with jamming...
16:57 <@krzee> ya i was right, navy started tor in mid 90s
16:58 <@krzee> or developed it
16:58 < Philip_J_Fry> that, is probably more for agents, like in 2008 or some time around that, some russian agent was caught transfering data using bluetooth lol
16:58 < Philip_J_Fry> so the tor we have is copied concept?
16:59 < Philip_J_Fry> i tried using tor, i simply do not find any use for it
16:59 < Philip_J_Fry> all edgy tor websites are scams and honey pots, and everything else can be found in public
17:00 < Kelsar> Philip_J_Fry: no... no... those are... no, just no
17:00 < Philip_J_Fry> didnt they trace down and catch some pedophile website servers on tor
17:01 < Philip_J_Fry> Kelsar: are you talking about the link i gave you or the comments on tor, because i really know only rumors about tor
17:01 < Kelsar> Philip_J_Fry: the link
17:01 < Philip_J_Fry> you dont believe it?
17:01 < Philip_J_Fry> there are a lot of fact dumps here and there, you could follow up on it
17:01 < Kelsar> nothing to believe, the things they beleive are wrong in so many levels
17:02 -!- mode/#openvpn [+v Kelsar] by krzee
17:02 < Philip_J_Fry> im not sure what they talk about in the video, i dont speak german, but in the video they have the official public name for the treaty, actual one is classified
17:02 <+Kelsar> Philip_J_Fry: well i wish a good night anyway
17:02 < Philip_J_Fry> good night, thanks for answers
17:03 <+Kelsar> Philip_J_Fry: the interpretation is not correct, also those treatys are cancelled 20y before
17:03 < Philip_J_Fry> i heard 2099
17:04 < Philip_J_Fry> maybe, there is something due to the fall of berlin wall, but i dont know
17:04 <+Kelsar> Philip_J_Fry: do you know soeverign citizens?
17:04 <+Kelsar> those people are something similar
17:04 < Philip_J_Fry> i dont
17:05 <+Kelsar> well i should really go to bed, it is not ontopic here and i get angry about those people...
17:05 < Philip_J_Fry> okay, another time
17:05 < Philip_J_Fry> you guys at openvpn should get your own Matrix channel
17:07 <@krzee> offtopic is usually ok until somebody comes with an on-topic question
17:07 < Philip_J_Fry> are you familiar with matrix?
17:07 <@krzee> shall i follow the white rabbit?
17:07 < Philip_J_Fry> lol, its an open source e2e
17:08 <@krzee> cool
17:08 <@krzee> but nah we're on freenode
17:08 < Philip_J_Fry> http://matrix.org/
17:08 <@vpnHelper> Title: Home | Matrix.org (at matrix.org)
17:08 < Philip_J_Fry> it connects to IRC as well
17:09 < Philip_J_Fry> matrix requires no servers
17:09 < Philip_J_Fry> freenode falls - this is gone, on matrix its like torrent
17:09 < Philip_J_Fry> also encrypted etc
17:09 <@krzee> im not concerned about freenode just disappearing without notice
17:10 < Philip_J_Fry> true, but worth noting, this is one of the apps snowden mentoned, though its still beta
17:10 <@krzee> this is irc, we dont care about what we say here
17:10 <@krzee> we even log the channel
17:10 <@krzee> !ircstats
17:10 <@vpnHelper> "ircstats" is (#1) See http://secure-computing.net/logs/openvpn.html for all-time IRC stats., or (#2) See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats.
17:10 < Philip_J_Fry> another good point
17:16 < Lann> i'd care about what i say on IRC
17:17 < Lann> only takes one hard link to your real name to make the logs matter
17:17 < Lann> thats why i also change my username pretty regularly now
17:18 < Lann> not that i say anything noteworthy anymore
17:20 < RovingWriter> Hi all. Anyone here that is able to assist me in making OpenLDAP auth to a OpenLDAP server? LDAP server is already setup and working properly, and I have OpenVPN setup using this guide (https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04) -- I stopped at step 6 because I am not sure if I should do the rest of the steps, if I will be authing to LDAP
17:20 < RovingWriter> -- anyone able to give insight on it?
17:20 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
17:20 < Philip_J_Fry> Lann: good point, but its why public usernames i choose are very commonly used words
17:20 < ocb> i'm also having problems
17:20 < Philip_J_Fry> so untraceable
17:21 < Philip_J_Fry> or famous usernames of other people
17:21 < Philip_J_Fry> go on a random forum, take some moderators nickname, and use it for yourself in otehr places
17:23 < Philip_J_Fry> funny story from 14-19 i used the same nickname for everything and it could be linked to my nake, boy did i have fun time cleaning aftermyself
17:23 < Philip_J_Fry> took me weeks, and still if someone put in extra effort it could be done\
17:23 < Philip_J_Fry> name* not nake
17:30 < Philip_J_Fry> is there a page on openvpn how to block non-vpn traffic?>
17:33 <@krzee> no, thats your firewall
17:33 <@krzee> as youve been told
17:34 <@krzee> RovingWriter: ive never used ldap but i can tell you that certs are totally seperate from user/pass auth
17:36 <@krzee> !authpass
17:36 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
17:37 <@krzee> you will be using a script to auth against ldap
17:39 < ocb> should openvpn work normally with eth0:0 instead of eth0
17:43 < RovingWriter> krzee, ok, i shall keep researching =]
17:44 <@krzee> ocb: what do you mean, you have 2 interfaces and you want to use it on only 1?
17:53 <@krzee> just reconnected to my bnc and lost all scroll, didnt see anything said after the last thing i said
18:12 < ocb> krzee: yes
18:12 < ocb> damn lost the whole day, can't ping anything
18:13 <@krzee> just use --local to specify what address to bind to
18:13 <@krzee> then the traffic will leave through there as well
18:13 < ocb> krzee: done that
18:13 < ocb> but trying to figure out if something is wrong with my routes
18:13 <@krzee> !goal
18:13 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:13 < ocb> can't even ping the tun0 interface
18:14 <@krzee> firewall?
18:14 <@krzee> set INPUT to allow tun+
18:14 < ocb> no firewall, iptables only masquerade for tun'
18:14 < ocb> let me list everything
18:14 < ocb> i'm trying to connect to outside internet
18:15 <@krzee> you mean trying to redirect your internet connection through your server?
18:17 < ocb> correct
18:17 <@krzee> for now remove the nat line and comment redirect-gateway
18:17 <@krzee> lets focus on getting you pinging tun
18:17 <@krzee> then set your logs to verb 5 and restart both sides
18:18 <@krzee> if you still cant ping the vpn IP then show me your logs
18:20 < ocb> maybe this helpss; https://pastebin.com/raw/czEnZWK6
18:20 < ocb> going to do that
18:20 < pwrcycle> how can i get ./build-key client1 to build without user input?
18:21 < pwrcycle> ie as part of a script
18:21 <@krzee> pwrcycle: look at how the script works and yank out what you need
18:21 <@krzee> it just calls openssl
18:22 <@krzee> but consider basing it from easy-rsa 3 instead
18:22 <@krzee> !easy-rsa
18:22 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
18:22 <@krzee> your command was from easy-rsa 2
18:25 <@krzee> hey ocb what IP are you pinging?
18:25 < ocb> tun0 inet addr:10.8.0.1
18:25 < ocb> no luck, removed NAT rule and removed redirect-gateway
18:26 < ocb> tried pinging also .2 which is PtP
18:27 <@krzee> nope
18:27 <@krzee> !net30
18:27 <@vpnHelper> "net30" is (#1) https://community.openvpn.net/openvpn/wiki/273-qifconfig-poolq-option-use-a-30-subnet-4-private-ip-addresses-per-client-when-used-in-tun-mode explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
18:27 <@krzee> !topology
18:27 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
18:28 <@krzee> you probably wanna use topology subnet, less confusing
18:29 < ocb> actually tried pinging everything from 10.8.0.1 to 10.8.0.15
18:29 < ocb> only 10.8.0.6 responded which is my client IP
18:30 < ocb> (i always do ping a lot of IP's in case somthign is messed up and i'm missing something)
18:31 < ocb> also tried making a route to connect to a docker on 172. but no luck
18:32 <@krzee> ok so add 'topology subnet' to your server config, and then get me the logs with verb 5
18:32 <@krzee> !verb
18:32 <@vpnHelper> "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info, or (#2) verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage., or (#3) Anything more than 5 is for developer debugging only (special debug build needed)
18:42 < ocb> Ok this is giving me some info now, let me try to do something without bothering you
18:42 < ocb> getting; MULTI: bad source address from client
18:42 < ocb> RwRFri Jul 21 00:38:10 2017 us=954699 client/xxxxxx.xxx.179:50990 MULTI: bad source address from client [xxxxxx.xxx.179], packet dropped
18:52 < ocb> krzee: https://pastebin.com/raw/YH0CnpeR
18:54 -!- |Mike| [~mike@pD9E45B5E.dip0.t-ipconnect.de] has joined #openvpn
18:55 < |Mike|> Kia ora! I'm running into an issue after upgrading to openvpn 2.4.0-6+deb9u1
18:56 < |Mike|> https://pastebin.com/quJ41iL6
18:56 < |Mike|> OpenSSL: error:04075070:rsa routines:RSA_sign:digest too big for rsa key
18:56 < |Mike|> Fri Jul 21 01:50:55 2017 217.228.91.94:63263 OpenSSL: error:1409B006:SSL routines:ssl3_send_server_key_exchange:EVP lib
18:56 < |Mike|> err. putty--
18:57 < |Mike|> And yes; I'm using a 512 bits key ;)
19:01 <@krzee> rsa 512bit>/
19:01 <@krzee> |Mike|: rsa 512bit?
19:01 < |Mike|> y
19:01 <@krzee> why dude
19:01 <@krzee> thats too weak
19:02 < |Mike|> because there's no need for heavy encryption
19:02 <@krzee> use at least 1024, which is also weak
19:02 < |Mike|> can I change the key w/o reconfiguring the clients?
19:02 <@krzee> to quote what i found:
19:02 <@krzee> > The negotiated TLSv1.2 digest produces output that is too wide to be
19:02 <@krzee> > signed with an RSA 512-bit private key. The client key should be
19:02 <@krzee> > at least 1024-bits, and in many cases stronger.
19:04 <@krzee> what ancient hardware are you using where 2048 is too much to handle once per hour?
19:04 < |Mike|> it's actually a oversized big chunky machine hehe
19:05 <@krzee> if you wanna save cycles consider EC
19:05 <@krzee> wayyyyy faster
19:06 -!- |Mike| [~mike@pD9E45B5E.dip0.t-ipconnect.de] has quit [Disconnected by services]
19:06 -!- |Mike| [~mike@pD9E45725.dip0.t-ipconnect.de] has joined #openvpn
19:06 < |Mike|> Is there a way to update the servers key to lets say 2048 without reconfiguring all the clients?
19:08 <@krzee> you can probably force a weak tls
19:08 <@krzee> that might let it work
19:08 <@krzee> i just dont get why you want insecure
19:08 < |Mike|> all => 3 clients, but I don't have access to them
19:09 < |Mike|> The connection between the server and clients is mostly 3-4G and not superfast
19:09 < |Mike|> hm, which cipher am I removing?
19:10 <@krzee> https://community.openvpn.net/openvpn/wiki/Hardening
19:10 <@vpnHelper> Title: Hardening – OpenVPN Community (at community.openvpn.net)
19:10 <@krzee> tls-cipher
19:12 < |Mike|> not using tls imho
19:12 < |Mike|> https://pastebin.com/1QarWZtJ
19:12 < ocb> krzee: saw the log? trying to understand why is it giving same client IP and wrong source addr
19:12 <@krzee> |Mike|: your problem is that your tls cipher is too strong to work with 512 rsa certs
19:13 <@krzee> so increase your cert bitsize or decrease your tls-cipher strength (default in 2.4 must be too good for your weak certs)
19:14 < |Mike|> I see; So basically using 'tls-version-min' to the config will fix it temp.?
19:14 <@krzee> dunno, figure it out
19:14 <@krzee> i thought i told you tls-cipher
19:14 <@krzee> but if you wanna play with tls-version-min you go for it :D
19:15 <@krzee> ocb
19:15 <@krzee> what os is the client?
19:15 < |Mike|> krzee: thanks buddy! <3
19:15 <@krzee> yw
19:17 < ocb> fedora 24
19:20 <@krzee> iptables-save
19:21 < ocb> yep did that
19:21 <@krzee> whats it show?
19:23 < ocb> krzee: https://pastebin.com/raw/vyuy0jXJ
19:37 <@krzee> lost internet after i asked what it shows
19:37 <@krzee> if you responded, do it again please
19:38 < ocb> https://pastebin.com/raw/vyuy0jXJ
19:39 < ocb> trying to add client-config-dir now
19:40 <@krzee> This page has been removed!
19:41 <@krzee> so your problem is that your client is sending traffic over the vpn with source address of its interface
19:41 <@krzee> that makes me think you have a NAT rule on the client messing things up
19:41 <@krzee> s/interface/physical interface/
19:44 < ocb> krzee: https://pastebin.com/raw/cSiV6eng
19:44 < ocb> going to check that
19:44 <@krzee> oh god
19:45 <@krzee> -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
19:45 <@krzee> i bet that does it
19:45 < ocb> oh
19:45 < ocb> let me try when disabled
19:46 < ocb> should I enable MASQUERADE for openvpn now?
19:47 <@krzee> no
19:47 <@krzee> no redirect-gateway either
19:47 <@krzee> first we get the vpn working, THEN do advanced stuff over it
19:50 < ocb> clear
19:50 < ocb> krzee: wow, can ping 10.8.0.2 and 10.8.0.1 now
19:50 <@krzee> can you ping now?
19:51 <@krzee> nice
19:51 < ocb> good one :)
19:51 <@krzee> ok so now
19:51 <@krzee> !redirect
19:51 < ocb> i would never try that
19:51 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
19:51 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
19:51 <@krzee> !linipforward
19:51 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
19:51 <@krzee> !linnat
19:51 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
19:52 < ocb> !def1
19:52 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
19:53 < ocb> !nat
19:53 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
19:54 < ocb> !man redirect-gateway
19:54 < ocb> !man --redirect-gateway
19:54 < ocb> !man
19:54 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
19:56 <@krzee> that would be insanely cool if somebody coded a plugin for vpnHelper that made !man --option possible
19:56 < |Mike|> krzee: I decided to roll the upgrade back and reinstall a VM with the new software & go from there. Upgrades are teh sheit at 02:54.
19:56 <@krzee> your problem was tls-cipher + your rsa keysize
19:57 <@krzee> one was too strong for the other being that weak
19:57 < |Mike|> I'm aware of that. New keysize will be 4096bits RSA and that will fix things for the next 10 yrs
19:57 < |Mike|> Fri Jul 21 02:46:07 2017 wim/91.181.175.184:60641 PUSH: Received control message: 'PUSH_REQUEST'
19:57 < |Mike|> Fri Jul 21 02:46:07 2017 wim/91.181.175.184:60641 send_push_reply(): safe_cap=940
19:57 < |Mike|> Fri Jul 21 02:46:07 2017 wim/91.181.175.184:60641 SENT CONTROL [wim]: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,dhcp-option WINS 192.168.2.15,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9' (status=1)
19:57 <@krzee> very nice |Mike|
19:57 < |Mike|> aaaaaaaaaaaargh fucking putty
19:57 <@krzee> good job
19:57 < |Mike|> kill me.
19:57 <@krzee> i cant, not an irc op
19:58 <@krzee> :-p
19:58 <@krzee> [17:56] [481] krzee Permission Denied - You're not an IRC operator
19:58 < |Mike|> Haha, contact rip for my contacts :-P
20:01 -!- |Mike| [~mike@pD9E45725.dip0.t-ipconnect.de] has quit [Quit: leaving]
20:01 -!- |mike| [~mike@pD9E45725.dip0.t-ipconnect.de] has joined #openvpn
20:06 < |mike|> re.
20:08 <@krzee> ocb: hows that going?
20:10 < ocb> krzee: not getting any ping, added redirect-gateway, did permanent ip_forward and sysctl -p, in server.conf dns is 8.8.8.8 and 8.8.4.4, added iptables -I FORWARD -i tun0 -j ACCEPT, added iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
20:10 < ocb> i mean still can ping 10.8.0.2 and .1 but not the outside world
20:11 <@krzee> !factoids whatis redirect 4
20:11 <@vpnHelper> Handy troubleshooting flowchart: http://pekster.sdf.org/misc/redirect.png
20:11 < |mike|> masquerdinggggggggggggg <3
20:12 < ocb> uh, started with this vpn server at 11 am, now it's 4am....
20:13 < |mike|> feel free to send me the bill ;-)
20:13 < |mike|> ocb: did you follow an digital ocean tut?
20:13 <@krzee> ocb: my first full setup took multiple days
20:14 <@krzee> of course we're talking about over a decade ago when there was like 10 people in this channel
20:14 < ocb> |mike|: yeah :)
20:14 < |mike|> ^ same. or with upgrades xD
20:14 < ocb> hehehe, krzee then i'm not that bad :) ... maybe a little
20:14 < |mike|> krzee: bullshit. at least 40. :-)
20:14 <@krzee> 40? no way
20:15 <@krzee> when i came there was WAY under 40
20:15 < |mike|> You're right. Logs show me 28 people in #OpenVPN in 2005
20:16 <@krzee> nice
20:16 <@krzee> you were here back then?
20:16 <@krzee> i wonder if you have my very first question lol
20:17 < |mike|> doubt it tbh!
20:18 < |mike|> I see quite some advanced stuff in 2006-7 from you :)
20:21 <@krzee> =]
20:21 < |mike|> have you seen echrist lately?
20:24 <@krzee> ya he pops in
20:25 -!- |mike| [~mike@pD9E45725.dip0.t-ipconnect.de] has quit [Quit: leaving]
20:38 < ocb> krzee: hmm, went through is ip forwarding enabled - yes, is nat enabled on the vpn subnet? ... is this regarding the iptables rule? if yes - then enabled, are the client and server on the same lan - yes checked in ifconfig both are on 10.8.0.0/24, tried adding --redirect-gateway local - no changes
20:40 < ocb> damn again getting; client/xxx.xxx.125.179:38329 MULTI: bad source address from client [xxx.xxx.125.179], packet dropped
20:40 < ocb> but ping 10.8.0.1 and .2 works
20:49 <@ordex> [1316.46] <@ordex> everythingorange: cert and key is ok, but "tls-auth" has to go on both ends (or none)
20:57 < everythingorange> So I should find that in my server conf and my client conf?
20:59 < everythingorange> I have tls-auth on the server and tls-auth on my client (an OpenVPN static key)
21:00 <@ordex> everythingorange: oh is it on both ?
21:00 <@ordex> is it the same key ?
21:00 <@ordex> how is it configured on the client? (you removed the line)
21:08 < everythingorange> yes, it's the same key. Just double checked.
21:21 <@ordex> everythingorange: direction is set properly?
21:21 <@ordex> 0 on server and 1 on client?
21:34 <@krzee> ocb: got it working yet?
21:34 <@krzee> i just got off work
21:36 < everythingorange> ordex: yes I believe it is correct. I seee key direction 1 on the client and tls-auth 0 on the server
21:36 <@ordex> everythingorange: ok
21:36 < everythingorange> tls-auth /path/to/key 0
21:36 <@ordex> yeah
21:37 <@ordex> everythingorange: can you run the client with verb 4 and post the log ?
21:38 < everythingorange> Where does the log go? Or do I pipe to file.
21:38 <@ordex> in the config you can use log to specify a filename
21:38 <@ordex> look for --log in the manpage
21:39 < everythingorange> Just found it, one sec.
21:39 <@ordex> sure
21:42 < ocb> krzee: haven't :/
21:42 < ocb> playing with iptables rules
21:43 < ocb> it's still returning same IP address in openvpn.log
21:43 < ocb> from client and client
21:43 <@krzee> ok so you didnt change the client since before, right?
21:44 < everythingorange> ordex: For some reason it didn't output to a log, is it okay if I pastebin?
21:44 <@ordex> everythingorange: sure
21:45 < ocb> krzee: tried adding local after redirect-gateway,
21:45 < ocb> as it said in that image
21:45 < everythingorange> https://pastebin.com/VDeBswaR also listed command run
21:45 <@krzee> ocb: your client and server are on the same lan?
21:46 <@ordex> everythingorange: Thu Jul 20 19:35:12 2017 us=120454 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
21:46 <@ordex> everythingorange: and as a side note: 2.3.4 << this is old, you should really upgrade
21:46 < ocb> krzee: correct, both are on same subnet 10.8.0.0/24
21:46 <@krzee> you misunderstood
21:46 <@krzee> a vpn server and client are ALWAYS on the same vpn subnet, that does not mean they're on the same lan
21:47 < everythingorange> ordex: I saw that but wasn't sure if I set that or it's a misconfiguration
21:47 <@ordex> everythingorange: can you paste user.conf again as it is
21:47 < ocb> oh
21:47 < everythingorange> sure
21:49 < everythingorange> https://pastebin.com/XDeqRSAB
21:49 < everythingorange> here it is
21:50 <@ordex> let's see
21:50 <@ordex> weird, why would it say no exncryption
21:51 <@ordex> krzee: do you happen to remember if on 2.4.3 you must specify tls-client instead of client in order to use tls ?
21:51 <@krzee> --client includes --tls-client
21:52 <@ordex> ok
21:52 <@ordex> then it's weird
21:52 <@krzee> 2.3 cant do tls-version-min 1.2
21:52 <@krzee> not weird at all ;]
21:52 < everythingorange> perhaps it'd be easier if I just tried a reinstall? Do you have an updated guide maybe?
21:52 <@ordex> ah that's the point then :)
21:52 <@krzee> update the client
21:52 <@ordex> ecrist: ^^
21:53 <@ordex> ecrist: sorry,not for you
21:53 <@ordex> everythingorange: ^^
21:53 <@ordex> either you remove that line or you upgrade to a more recent client (you should really do that anyway)
21:54 < everythingorange> is that possible from apt-get or do I have to install from source
21:54 <@ordex> everythingorange: it is possible, but it depend son what distro you have
21:54 <@ordex> support doe debian/ubuntu on i386 or amd64 is possible
21:55 <@ordex> by using the openvpn.net repository
21:55 < everythingorange> I'm running Debian stable :P maybe that's why it's so old?
21:55 <@ordex> yes :D
21:55 <@ordex> but the poenvpn.net repo should support that
21:55 <@ordex> wait a sec
21:57 <@ordex> everythingorange: you can have a look here: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
21:57 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
21:57 <@ordex> this explains what to do
21:57 <@ordex> !repos
21:57 <@ordex> !repo
21:57 <@vpnHelper> "repo" is openvpn runs some software repositories for your installing pleasure, http://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
21:57 <@krzee> cat /etc/debian_version
21:57 < everythingorange> 8.8
21:58 <@krzee> ahh cool
21:58 < everythingorange> Thanks ordex! I'll update my client and try to connect and see how it goes.
21:58 <@ordex> :)
21:58 < everythingorange> THanks krzee too
21:58 < ocb> !lan
21:58 < ocb> !nat
21:58 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
21:58 <@ordex> !map
21:58 <@ordex> !beer
21:58 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
21:59 <@ordex> !dinner
21:59 <@ordex> !!!
21:59 <@krzee> yw everythingorange
21:59 < ocb> !redirect
21:59 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
21:59 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
21:59 <@ordex> !tell vpnHelper [!tell vpnhelper !tell vpnhelper]
21:59 <@vpnHelper> Error: You just told me, why should I tell myself?
21:59 <@ordex> !
22:01 < ocb> krzee: if I do "arp", I can see them on eth0 and not eth0:0, should it be like that?
22:01 <@ordex> eth0:0 is a virtual interface and it is deprecated to use it
22:01 <@ordex> I believe it is normal not to see it
22:01 <@ordex> ocb: what is the problem?
22:01 < ocb> can't make any more interfaces
22:01 <@ordex> I have missed that part
22:02 <@ordex> actually it is not "virtual", it is just fake :p
22:02 <@krzee> i dont understand why you're asking about that
22:02 <@krzee> hows it matter for the vpn?
22:02 < ocb> maybe that's the thing it's breaking it :) i'm still new to all this
22:03 <@ordex> !goal
22:03 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:03 <@krzee> ocb: ok ill walk you through the flowchart
22:03 <@krzee> show me your client log
22:06 < everythingorange> ordex: I'm still getting a TLS-Handshake fail according to my log
22:06 < everythingorange> :/
22:07 <@krzee> everythingorange: you running 2.4 on the client now?
22:07 <@ordex> everythingorange: what's the version on the server ?
22:07 <@ordex> :D
22:07 <@krzee> ya and server
22:07 < everythingorange> Oh sorry, I thought I just had to update client :P my mistake. One second.
22:07 <@krzee> what version is the server and the client?
22:08 <@krzee> nobody said you need to update, we asked what it is
22:08 < everythingorange> Client is now 2.4.3
22:08 <@krzee> ok and server?
22:08 < ocb> https://pastebin.com/raw/zTAmqGcx
22:08 <@krzee> ocb:
22:08 <@krzee> !netman
22:08 <@vpnHelper> "netman" is (#1) NetworkManager usually works fine, but can have some challenges in som env, or (#2) Ensure you run a reasonably recent NM version, or (#3) NM is aimed at client configurations and requires a logged in user session and is sensitive to instable unstable networks, or (#4) If OpenVPN works from the command line but not NM, go to #nm or https://wiki.gnome.org/Projects/NetworkManager
22:08 < everythingorange> Server is 2.3.4
22:08 <@krzee> oh you have a config with options for only 2.4
22:08 <@krzee> ya update that too
22:09 < everythingorange> Okay, wil do now. Fingers crossed!
22:09 <@krzee> ocb: run openvpn without network mangler for now, when you're done you're free to import your working config and use netman after
22:10 <@krzee> but if it works with openvpn and not network mangler you'll know its their fault
22:12 <@krzee> and
22:12 <@krzee> !logfile
22:12 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
22:14 < ocb> thanks working on it
22:33 < everythingorange> ordex: Unfortunately, I'm still getting a TLS handshake fail :/
22:33 < everythingorange> At this point, it's definitely not OpenVPN anymore since I've updated both to the latest version.
22:33 <@ordex> everythingorange: still getting that WARNING on the client ?
22:34 < everythingorange> I'm getting the cache password warning, not the other one.
22:34 <@ordex> ok, that's ok
22:34 <@ordex> so the problem is different now
22:34 <@ordex> can you paste the log again with --verb 4 ?
22:34 < everythingorange> sure
22:34 <@ordex> and, could you also try removing that tls-ver-min just to try ?
22:34 <@ordex> (on both server and client)
22:34 < everythingorange> okay, I'll try that
22:35 < everythingorange> I can comment with a # yes?
22:36 <@ordex> yup
22:37 < everythingorange> When I run --verb 4 why does it require extra options?
22:41 < everythingorange> ordex: I'vr actually gotta go right now. Thanks again for your help. I'll be back later.
22:41 <@ordex> everythingorange: what do you mean with extra options ?
22:42 <@ordex> everythingorange: ok np!
22:42 < everythingorange> ordex: Thank you! I will message you again later. You've been great :)
22:57 < Philip_J_Fry>  guys
23:00 <@ordex> wuzzup?
23:10 < Philip_J_Fry> nm just waiting http://www.f1countdown.com/
23:10 <@vpnHelper> Title: F1 Countdown for every Formula 1 Race in 2017 (at www.f1countdown.com)
--- Day changed Fri Jul 21 2017
01:03 <+hyper_ch> krzee: https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html
01:03 <@vpnHelper> Title: How I tricked Symantec with a Fake Private Key - Hanno's blog (at blog.hboeck.de)
01:28 <+hyper_ch> so, time to update my debian VMs to Stretch...
02:26 < iheartlinux> what does this mean: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
02:32 <@ordex> iheartlinux: it's local internal state. I think it means that there was nothing to configure about IPv6 on the tun interface
02:55 < iheartlinux> because of that message, I changed my proto to udp4 instead of udp. I started snooping around because my connection stopped working. Somehow I inadvertenly commented out the port I had opened up for it in shorewall.
03:05 <@ordex> iheartlinux: that message is neither an error nor a warning
03:06 <@ordex> you can ignore it
03:06 <@ordex> but i think it's too late :P
03:10 <+hyper_ch> ordex: https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html
03:10 <@vpnHelper> Title: How I tricked Symantec with a Fake Private Key - Hanno's blog (at blog.hboeck.de)
05:00 < ocb> !redirect
05:00 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
05:00 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
06:16 < ocb> !nat
06:16 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
06:16 < ocb> !linnat
06:16 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
08:23 <@krzee> if anybody decides to help ocb while im gone, hes doing a redirect setup and messed up somewhere while following the flowchart, id suggest looking at his server, checking if ip forwarding and NAT are properly configured
08:25 < ocb> krzee: thanks man, still working on it :)
08:26 < ocb> tried to make a bridge between tun0 and eth0:0 but i think i made a mistake somewhere, found a bash script on official openvpn website
08:58 <@krzee> why would you be bridging???
08:58 <@krzee> dude you were so close last night
08:58 <@krzee> sounds like you went way backwards
09:04 -!- czart__ is now known as czart
09:11 < ocb> krzee: i've put everything back how it was, now i can ping the 10.8.0.1 again (ip of tun0)
09:14 < ocb> reading this now, maybe i'll figure it :) https://serverfault.com/questions/49765/how-does-ipv4-subnetting-work
09:14 <@vpnHelper> Title: networking - How does IPv4 Subnetting Work? - Server Fault (at serverfault.com)
09:21 <@ordex> ocb: what are you fighting with ?
09:21 <@ordex> :D
09:21  * ordex has not been reading all
09:29 < ocb> ordex: so, i can ping the tun0 interface but can't exit to internet. going to paste some info about the sys, iptables, config etc. i na few
09:29 < ocb> going to write in details, i even tried making a new interface eth0:3 but... i am not very good with networking,only basics
09:30 <@ordex> ocb: well, you can't ping an interface :P
09:30 <@ordex> but I got what you mean
09:30 <@ordex> so the client can ping the server IP but can't ping any external host ?
09:30 <@ordex> ocb: is the client running linux? same for the server?
09:31 < ocb> well, i managed to ping 10.8.0.2 or .1
09:31 < ocb> client is running fedora 26 now, and server is centos 6
09:31 < ocb> running openvpn 2.4.x
09:32 < ocb> going to paste the info
09:32 <@ordex> ok
09:33 <@ordex> ocb: not sure what you are going to paste, but could you please paste
09:33 <@ordex> the output of "ip route" on both client and server
09:33 <@ordex> on the server: "sysctl -a |grep ip_forward", "iptables -nL", "iptables -t nat -nL"
09:33 < ocb> sure
09:45 <@ordex> ocb: ?
09:45 < ocb> ordex: https://pastebin.com/yAXtiw0v
09:45 < ocb> took some time, a lot of windows open :)
09:45 < debitux> hi, little question: i'm currently trying to get my openvpn android client to set a dns server after establishing the vpn connection. dhcp-option DNS6 unfortunately seems not to work
09:46 < ocb> btw. moved my client from fedora 26 to slackware 14.2
09:46 <@ordex> ocb: wasn't the client running Fedora?
09:46 <@ordex> ah
09:46 <@ordex> ok
09:46 <@ordex> :)
09:46 < debitux> any idea about this? is this even possible with android without root?
09:47 < DArqueBishop> <ocb> btw. moved my client from fedora 26 to slackware 14.2
09:47 <+hyper_ch> I doubt you can push dns without root on droid but not sure
09:47 <@ordex> ocb: what is tun0?
09:47 <+hyper_ch> I always have root
09:47 < DArqueBishop> ... wow.
09:47 < DArqueBishop> Someone's a masochist.
09:48 <+hyper_ch> whats wrong with slackware?
09:48 <@ordex> lol
09:48 <@ordex> ocb: I mean, on the client
09:48 < ocb> ordex: tun0 is another vpn but same things happen if I close it too
09:49 < debitux> hyper_ch: tried it, but also seems not to work.unfortunately theres no root for my phone :(
09:49 <@ordex> ocb: just trying to understand your setup
09:49 <@ordex> weird, you have no route for tun1
09:49 <+hyper_ch> get a better phone then
09:49 <@ordex> uhm
09:49 < debitux> :(
09:49 < ocb> hmm that's why i was reading that networking guide but couldn't figure out the problem if it's the routes or iptables
09:50 < ocb> ... or something third
09:50 <@ordex> ocb: something is weird in the setup
09:50 <@ordex> could you please paste the log on the client with verb 4
09:50 < ocb> moment
09:50 <@ordex> ?
09:50 <@ordex> k
09:52 < DArqueBishop> hyper_ch: unless you really want to get into the nitty-gritty of Linux, I wouldn't choose it over Fedora when first starting out.
09:52 <+hyper_ch> me neither... I'd straight go to debian :)
09:52 < DArqueBishop> Keep in mind that my personal servers ran Slackware for around 20 years.
09:53 <+hyper_ch> you've had personal servers for such a long time?
09:53 <+hyper_ch> oO
09:54 < ocb> https://pastebin.com/SBnyfDZD
09:54 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has quit [Quit: ZNC - http://znc.sourceforge.net]
09:54 < DArqueBishop> Well, they weren't always the same box. ;-)
09:55 < ocb> DArqueBishop: i've only started with slack on 13.37 and love it, but sometimes i hate the things i need to get done today but can't get them work 5 days
09:55 <@ordex> ocb: can you do it again and run "ip route" while the client is running (without killing it like you did now) ?
09:56 < ocb> sure
09:56 <@ordex> thanks!
09:56 < ocb> no, thanks you
09:58 < ocb> https://pastebin.com/SAGwWbeN
09:59 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
09:59 -!- mode/#openvpn [+v hyper_ch] by ChanServ
10:01 <@ordex> ocb: ok. now it makes sense. I think earlier you pasted "ip route" while the client was not running
10:01 <@ordex> is it possible to keep the client running? why do you kill it every time ?
10:01 < DArqueBishop> But yeah, my first Slack box was Slack 3.1(?) back in 1996 or thereabouts.
10:01 < ocb> possibly, sorry for the trouble. slept like 3h
10:02 <+hyper_ch> I got first internet in 1996
10:02 < Lann> yay friday!
10:03 < ocb> wow DArque, masochist for 20 years :)
10:03 <@ordex> ocb: hehe :D no problem
10:03 <@ordex> ocb: please, since now on keep it running ok?
10:03 <@ordex> ocb: with the current config, can you ping 10.8.0.1 ?
10:04 <@ordex> well, i think the server firewall rejects pings
10:04 <@ordex> so it won't reply
10:04 < ocb> can't be on irc then, need to disconnect  it time to time setup isn't finished yet
10:04 < ocb> let me try
10:04 <@ordex> can't be on IRC ? when you run the client you have to disconnect ?
10:05 <@ordex> ocb: can you then paste from the server the output of: "iptables -nvL" and "iptables -t nat -nvL" ?
10:05 < ocb> irc disconnects after 5 minutes so i can be here, time to time
10:05 < ocb> 10.8.0.1 replies, .2 replies
10:06 < ocb> it's a BNC so just a quick alias back to ssh and to bnc works well
10:06 <@ordex> ocb: 10.8.0.1 works? ok great
10:06 <@ordex> that's the server
10:06 <@ordex> ocb: and if you ping 8.8.8.8 it does not work ?
10:07 < ocb> correct
10:07 < ocb> let me output the iptables from server
10:07 <@ordex> ok
10:08 < ocb> https://pastebin.com/nztQQUth
10:14 <@ordex> ocb: default route on the server is over eth0, not eth0:0
10:15 <@ordex> therefore your MASQUERADE rule seems wrong to me
10:15 <@ordex> can you please runthe following commands:
10:15 <@ordex> ocb: iptables -t nat -F POSTROUTING
10:15 < DArqueBishop> ocb: technically I learned on Slackware because it was one of the very few options available at the time. Not even Red Hat or Debian are older than Slackware.
10:16 < DArqueBishop> I switched from Slackware to CentOS a couple of years ago because I was tired of having to manually compile all of the software I needed whenever an update came out.
10:16 <@ordex> ocb: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -o eth0 -j MASQUERADE
10:16 < ocb> moment
10:16 <@ordex> usually I use a less strict rule, but given the amount of interfaces, better to be more specific
10:17 < DArqueBishop> As you get older and firther into your sysadmin career, you learn the value of $EXPLETIVE just working.
10:17 <@ordex> DArqueBishop: I remember when I was using slack many years ago...I was about to write my own package manager for compiling packages and their dependencies...
10:17 <@ordex> then I discovere Gentoo and I reached nirvana
10:17 <@ordex> :D
10:18 <@ordex> *discovered
10:18 < DArqueBishop> Gentoo?
10:18 < DArqueBishop> I'm so sorry.
10:18 <@ordex> lol
10:18 <@ordex> :D
10:18 <@ordex> I feel so happy :P
10:19 < ocb> ordex: then the routes are possibly wrong, as i have been setting up everything to use eth0:0 194.xxx IP
10:20 <@ordex> ocb: well hopefully that won't interfere with the VPN
10:20 <@ordex> ocb: this is your default route on the server: default via 77.81.120.1 dev eth0
10:21 < ocb> damn
10:21 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has quit [Ping timeout: 258 seconds]
10:22 <@ordex> ocb: anyway, are you fixing the masquerading rule now ?
10:22 < ocb> yes
10:24 < ocb> tried it with eth0:0 and eth0, and running flush between - can ping the server inside but still can't go outside
10:25 < ocb> selinux is in permissive mode, shouldn't be a problem
10:27 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
10:27 -!- mode/#openvpn [+v hyper_ch] by ChanServ
10:31 <@ordex> ocb:
10:31 <@ordex> one step at a time please ..
10:32 <@ordex> after flushing and adding the new rule
10:32 <@ordex> can you please ping 8.8.8.8
10:32 < ocb> tried that
10:32 <@ordex> and then paste again iptables -t nat -nvL
10:32 <@ordex> ?
10:32 < ocb> ok moment
10:32 <@ordex> do all the steps
10:32 <@ordex> because I'd like to see the counters
10:41 < ocb> ordex: am I allowed to disconnect from VPN in the meantime?
10:41 <@ordex> ocb: if you have pinged 8.8.8.8 already it's ok
10:41 <@ordex> but what's up with your setup? :D
10:41 <@ordex> why do you need to go up and down ?
10:42 <@ordex> seems like the problem is somewhere else :P
10:42 < ocb> crazy setup on client :)
10:43 < ocb> well, if I connect to VPN on the server, i'm unable to connect anywhere other than changing setup or powering on the backup link that uses another ISP
10:43 < ocb> https://pastebin.com/raw/X0KsB8gV
10:44 <@ordex> ocb: my rule is working
10:44 < ocb> great news
10:44 <@ordex> ocb: maybe in the forward chain you have something blocking packets coming back
10:44 <@ordex> can you paste "iptables -nvL" again please?
10:45 < ocb> i've also tried allowing all output,forward and input in iptables - same happend
10:45 < ocb> moment
10:46 < ocb> https://pastebin.com/raw/gw3AcvVB
10:46 <@ordex> ocb: mh let's try by adding a rule for the incoming packets
10:47 <@ordex> iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
10:47 <@ordex> ocb: be sure you have kept my MASQUERADE rule with eth0
10:48 < ocb> currently there is iptables -A FORWARD -i eth0:0 -o tun0 -j ACCEPT enabled
10:48 <+hyper_ch> ordex: what are you trying to di wth ocb?
10:48 < ocb> let me try with eth0 then
10:48 <@ordex> ocb: seen that, but traffic from outside is coming over eth0, not eth0:0
10:48 <@ordex> ocb: checking who gets mad first
10:48 <@ordex> :D
10:49 < ocb> :))))))
10:49 <@ordex> ocb: tried?
10:51 < ocb> wait i don't believe it works, i need to triple check :D
10:51 <@ordex> :D
10:51 <@ordex> after pinging, paste again "iptables -nvL"
10:53 < ocb> you're the man
10:53 < ocb> https://pastebin.com/758UyzYE
10:53 < ocb> thank you krzee and ordex for helping me out :)
10:53 <@ordex> ocb: doesn't work yet ?
10:53 < ocb> works :)
10:53 <@ordex> ah ok
10:54 <@ordex> because I see the packets being accepted :P
10:54 < ocb> thank you very much
10:54 <@ordex> np
10:54 < ocb> you too krzee :)
10:54 <@ordex> you owe some hair to hyper_ch
10:54 <@ordex> and krzee
10:54 <@ordex> :P
10:54 < ocb> if you accept BTC for a beer :)
10:54 <+hyper_ch> ???
10:54 <@ordex> hyper_ch: weren't you involved as well?
10:54 <@ordex> hehe
10:54 <+hyper_ch> no
10:54 <+hyper_ch> and you have no proof otherwise
10:55 <@ordex> ocb: where should I com to get my beer?
10:55 < ocb> thank you too hyper_ch  :)
10:55 <@ordex> hyper_ch: ah :D sorry
10:55 < ocb> i will send it virtually :)
10:55 <@ordex> hehe
10:55 < havoc> which env var would be the client vpn IP on --client-connect?
10:55 < havoc> there are many possibilities
10:55 <@ordex> havoc: the man should say that
10:55 < havoc> I'm looking at the Environmental Variables
10:56 <@ordex> $ifconfig_local sounds like what you want, no ?
10:56 < havoc> ifconfig_remote? ifconfig_pool_local_ip?
10:56 <@ordex> ah
10:56 <@ordex> on the server
10:56 <@ordex> sorry
10:56 < havoc> ordex: when run on the server?
10:57 < havoc> also, I meant ifconfig_pool_remote_ip, not the local one
10:57 < havoc> copy/pasted wrong one
10:57 <@ordex> havoc: yeah i think the latter
10:57 <@ordex> ifconfig_pool_remote_ip
10:57 <@ordex> sounds so
10:57 <@ordex> try!
10:57 <@ordex> :D
10:58 < havoc> been testing
10:58 < havoc> I may have typo'd one
10:58 < havoc> hmm, it's empty
10:58 <@ordex> mh weird
10:58 <@ordex> try the remote ?
10:58 <@ordex> but it's weird
11:00 < havoc> I am using $ifconfig_pool_remote_ip
11:01 < havoc> it works in my nsupdate script, not sure why it's not here
11:02 < havoc> eh, more testing....
11:02 < havoc> bah, was a quoting/assignment issue in bash
11:03 < havoc> my bash skills have seriously atrophied over the decades :(
11:07 <@ordex> :P
11:09 < havoc> ok, and [un]trusted_ip is real IP of client
11:34 < havoc> hmm, maybe I want this to run on --route-up, instead of --client-connect
11:34 < havoc> I want whatever is done last
11:35 < havoc> or would that be --learn-address?
11:35 <@ordex> havoc: check tha man :P
11:35 < havoc> ordex: no shit :)
11:35 <@ordex> it also depend son what you want to do, I'd say
11:35 <@ordex> *depends
11:35 < havoc> ordex: I am, an it's far from clear
11:35 < havoc> I want whatever runs last when a client successfully connects
11:36 <@ordex> "Script Order of Execution"
11:36 < havoc> https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAS
11:36 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
11:36 < havoc> where do you think I'm getting this from?
11:36 <@ordex> dunno
11:36 <@ordex> probably from the same place where I am  :P
11:37 < havoc> but those are NOT in order, they can't be
11:37 <@ordex> oh ok
11:38 < havoc> I'm thinking --learn-address is the last in the connection process
11:38 <@ordex> might be
11:38 <@ordex> but why do you want to run it that late ?
11:38 < havoc> part of the provisioning script needs to ssh hostname to the client vpn IP
11:39 < havoc> ...so that I can generate a key set with the client's hostname==CN
11:39 <@ordex> oh ok
11:39 <@ordex> then i think that --learn-address is really what you want
11:39 <@ordex> because at that point the server should be able to send packets to the client
11:39 < havoc> I was doing it on --client-connect, doesn't work ;)
11:40 <@ordex> yeah
11:40 <@ordex> upon learn-address the daemon creates the internal route to the client, which is a must for the communication to work
11:40 <@ordex> i guess you are right
11:40 < havoc> I think the actual order is: up, tls-verify, ipchange, client-connect, route-up, learn-address
11:41 < havoc> with auth-user-pass-verify in there somewhere, too
11:41 <@ordex> probably at the end
11:41 < havoc> well, we gonna find out :)
11:41 <@ordex> hehe
11:41 <@ordex> right
11:41 < havoc> now I have to restart the server though :(
11:41 < havoc> oh well
11:42 < ocb> ordex: thanks man, got everything working. just had to remove eth0:2 interface that was 10.10.0.0 and then added the 194. IP to default route and now using eth0:0 for exit IP 194. instead of 77, now only using eth0:0 in iptables without the default eth0 route.. thanks once more
11:42 <@ordex> cool
11:42 <@ordex> ocb: as you can see the problem was in understanding what you were doing rather than iptables/route/chachacha
11:43 <@ordex> ;)
11:44 < ocb> ;)) learned a lot from your and krzee help. correct, i didn't understand what i was doing, need to learn more about networking, iptables in details etc. :) have a nice day!
11:46 < havoc> I use shorewall, makes everything a lot easier
11:49 < ocb> i'll check it out
11:51 < havoc> bah, not --learn_address either :(
12:09 <@ordex> havoc: what is that does not work exactly ?
12:09 <@ordex> have you tried testing a simple ping -c 3 for example ?
12:10 <@ordex> or printing ifconfig to see how it looks like at that time ?
12:10 < havoc> bah, think I've figured it out
12:10 <@ordex> well..ifconfig won't say much because on the server is already configured
12:10 <@ordex> ok
12:10 < havoc> learn-address is the last script point that runs, BUT, it's before routes are PUSHED
12:11 <@ordex> ah
12:11 <@ordex> so the client isnot able to talk yet
12:11 < havoc> correct :(
12:11 < havoc> so ssh to it is gonna hang, like it has been
12:11 < havoc> I need something that runs at the very end of the connection process
12:12 < havoc> I don't hink there is such a thing :(
12:12 <@ordex> mh
12:13 <@ordex> well, I think the problem is that on the server you don't really know when the client is ready
12:13 <@ordex> havoc: how about having learn-address spawn a daemon that wait X seconds and then does what you want to do ?
12:13 <@ordex> could be just a bash script in background
12:14 < havoc> that's Plan B :(
12:14 <@ordex> yeah :(
12:14 < havoc> can just use a file of remote IPs, that's parsed/processed/emptied, even on a cron
12:14 <@ordex> yeah, it depends how much delay you are going to accept after the connection
12:15 < havoc> last thing in server log: SENT CONTROL [mass17.ubnt.er-x]: 'PUSH_REPLY,route-gateway 172.28.0.1,route 172.28.0.0 255.255.240.0,route 10.1.5.0 255.255.255.0,route 10.1.16.0 255.255.240.0,topology subnet,ping 5,ping-restart 30,ifconfig 172.28.0.2 255.255.255.128' (status=1)
12:15 < havoc> and that's several lines after the LEARN entry
12:15 < havoc> so no route-gateway, routes, or topology, at --learn-address :(
12:16 < havoc> that'd make ssh fail
12:16 <@ordex> havoc: yeah
12:16 <@ordex> havoc: but even if you had an event upon pushing the data, you don't know when the client is going to apply them
12:17 <@ordex> well, in practice this is supposed to happen right after, but still no event for that
12:17 < havoc> yeah, I think I need to log the clients that need to be provisioned, by remote vpn IP, and post-process them after, in a seperate process
12:17 <@ordex> or prepare a patch for openvpn ;)
12:18 <@ordex> like introducing client-connect on the server side
12:18 <@ordex> :]
12:18 < havoc> would be nice, by I'm already a week behind on this :(
12:19 <@ordex> oh ok :S
12:19 < havoc> yeah, it's Work :(
12:19 < havoc> another option is to initiate the provisioning from the client side
12:19 <@ordex> yeah
12:19 <@ordex> I was thinking that as well
12:19 <@ordex> but you need to deploy an ssh key on the client
12:19 <@ordex> that is authorized on the server
12:20 < havoc> I already have some Windows scripts to assign the router (vpn client) a hostname from the dedicated PC behind it, when the "station" is setup
12:20 < havoc> ordex: already done
12:20 <@ordex> oh ok
12:20 < havoc> we'll have a default config package on the routers before deployment
12:21 < havoc> I just try to keep it as generic as possible, and handle as much as possible from the server
12:21 <@ordex> yeah, makes sense
12:21 < havoc> I'm thinking I'll roll the provisioning into the router
12:22 < havoc> except then I have to figure out how to initiate it, security/permissions-wise, from the router
12:22 <@ordex> havoc: FYI it seems that learn-address is invoked several times upon "add" "delete" and "update2 of an address (just in case you are still thinking about using it)
12:23 < havoc> ordex: is it ever invoked again after PUSH?
12:23 <@ordex> don't think so
12:23 < havoc> then doesn't help :(
12:23 <@ordex> yeah :/
12:24 < havoc> I wonder if I can't put the pushed stuff, like route-gateway, topology, etc.., in the default client config
12:25 < havoc> as that ovpn server process only allows 125 max-clients
12:25 < havoc> it's just nice controlling as much as possible from the server, in case changes need to be made, re-subnetting, etc...
12:26 <+hyper_ch> ovpn only allows 125 clients?
12:26 < havoc> hyper_ch: it does if you set --max-clients 125 :)
12:26 < havoc> it's configured as a /25
12:26 <+hyper_ch> why would I set that?
12:27 < havoc> no clue, but *I* have it setup that way
12:28 < havoc> 17 server configs/processes, a /25 each, 1 for default/provisioning, and 16 for production, for ~2,000 clients
12:28 <+hyper_ch> 2000 clients is a lot
12:29 < havoc> yup
12:30 <+hyper_ch> so you're a vpn provider and sell acccess?
12:30 < havoc> no
12:30 < havoc> the clients are locked-down hardware
12:30 <+hyper_ch> why do you need then power for 2000 clients?
12:30 < havoc> think Redbox, but for a gov contract
12:30 <+hyper_ch> no idea what redbox is
12:31 < DArqueBishop> Redbox is a DVD rental service.
12:31 < havoc> they have a PC that's hardware controller, a few ip cams, and some other gear, behind each router/vpn client
12:31 <+hyper_ch> ah ok
12:32 < havoc> and they need to be able to be dropped onto any network where they can get Internet access, and just "work"
12:32 <+hyper_ch> cool :)
12:32 <+hyper_ch> so, how powerful are then your servers?
12:33 < havoc> the one server is a VM on a blade center somewhere
12:33 < havoc> so I guess it's as powerful as we want it to be
12:33 < havoc> at least that's what I'm told by the team that manages it
12:33 < havoc> so it's an SEP
12:34 < havoc> (Someone Else's Problem)
12:34 <+hyper_ch> those are the best kind of problems
12:34 <+hyper_ch> except if that someone else happens to be you
12:34 < havoc> yup, and yup
12:40 <@ordex> havoc: I have worked for a company developing a similar solution. but we implemented owr own tiny vpn
12:41 <@ordex> tailor made for our usage, I think it turned out to be more efficient than adapting openvpn. although they were embedded devices. in your case the clients are PCs
13:08 <@krzee> <hyper_ch> except if that someone else happens to be you
13:08 <@krzee> but those are the kind you get to charge for
13:09 <@krzee> ordex: actually his are routers
13:10 <@ordex> krzee: oh ok
13:10 <@krzee> uqibuiti if i remember
13:10 <@ordex> very similar then :)
13:10 <@krzee> i have 1 big hammer (openvpn) so all those issues look like nails to me ;]
13:13 <@ordex> hehe
13:13 <@ordex> beat them all!
13:24 < havoc> ordex: the openvpn clients are the routers, Ubiquiti ER-X
13:24 <@ordex> I see ok
13:30 < nast> Hello there, how would I make openvpn "push" IPs and hostnames to vpn client machines, so that they were able to access nginx server blocks(virtual hosts) without them need to edit /etc/hosts file?
13:31 <@ordex> nast: can't be done on a host basis. but you could push the VPN server as DNS and then the VPN server would resolve the hosts the way it wants...
13:31 <@ordex> but this means all the dns traffic goes to the vpn
13:32 < nast> @ordex: I get it right? the task is for unbound/dnsmasq rather than for openvpn?
13:33 <@ordex> nast: correct - openvpn will just push the dns ip address
13:33 < nast> ok, thanks!
13:34 <@ordex> np
13:53 < havoc> I still need to figure out this provisioning thing :(
14:03 <+hyper_ch> provisioning thing?
14:09 < havoc> hyper_ch: have a default ovpn server with --duplicate-cn for pre-configured clients to connect to
14:10 <+hyper_ch> can you translate that to non-geek? :)
14:10 < havoc> then they get a unique keyset generated based on their hostname
14:10 <+hyper_ch> :)
14:10 < havoc> hyper_ch: ah, all 2000 clients/routers have identical configs when they're deployed
14:11 <+hyper_ch> sounds good
14:11 < havoc> once they get a hostname set, they reconnect, ovpn server detects new hostname, gens keys with that hostname as CN, sends new config, restarts client
14:12 < havoc> the default is the provisioning server, where they all use the same keys, and have access only to that server
14:12 <+hyper_ch> won't they have to download the key and cert as well?
14:12 < havoc> new/unique keys give them access to the private network
14:12 < havoc> hyper_ch: they already have the ssh key of the vpn server in their config, so the vpn server can push the new stuff out
14:13 <+hyper_ch> so where's the issue?
14:14 < havoc> openvpn doesn't have script targets that run at the end of the connection phase
14:14 < havoc> so I can't "ssh user@vpnip hostname" to get the hostname to gen the key
14:15 < havoc> unless I do it out of process
14:15 < havoc> --learn-address doesn't happen last, it happens before PUSH
14:16 < havoc> which makes ssh fail as route-gateway, etc.., are PUSHed
14:16 <+hyper_ch> :) you'll solve it somehow
14:18 < havoc> yeah, it's just a pain
14:25 < havoc> oh shit, this isn't possible, without something out of process, as one of the PUSH commands is the client ifconfig
14:25 <+hyper_ch> maybe some sort of adavanced automagic could help :)
14:26 < havoc> or I just say f-it, and use duplicate-cn everywhere ;)
14:28 <+hyper_ch> this sounds like a hack
14:28 < havoc> cuz it is
14:29 <+hyper_ch> so you're a hacker
14:29 < havoc> if there was a script target at the end of the connection process, it would not be a problem :(
14:29 <+hyper_ch> maybe some of the smart people in here know something
14:30 <+hyper_ch> I'm just a basic ovpn user and use it for own small vpns
14:32 < havoc> I need a script target after PUSH_REPLY
14:32 < havoc> but for now I'm gonna go drink some beer, and think about it
14:48 <@krzee> !script
14:48 <@vpnHelper> "script" is (#1) See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage#lbAS, or (#2) to see all vars available to a script, you can env > /tmp/env, or (#3) if using bash you can put exec 2>&1 in the first line of your script and it will send all error output to
14:48 <@vpnHelper> your openvpn log. set -x as well to show your commands as they are executed
14:48 <@krzee> --route-up
14:48 <@krzee> havoc: ^
14:49 <@krzee> PUSH_REPLY would have the routes, so route-up must come after that
14:49 <@krzee> --route-up
14:49 <@krzee> Executed after connection authentication, either immediately after, or some number of seconds after as defined by the --route-delay option.
14:50 < havoc> hmm, I tried --route-up as well
14:50 < havoc> that one doesn't specify --mode server though
14:52 <@krzee> huh?
14:52 < havoc> I tried it before, I'll try it again, but I think I get the same error, on the server, as when I tried w/ --ipcange
14:52 < havoc> --ipchange
14:53 <@krzee> wait a sec here... why would it ssh to the server to have the server run commands?
14:53 <@krzee> why wouldnt the server just run the commands when the client connects via --client-connect script?
14:53 <@krzee> (i just scrolled up more)
14:54 < havoc> --client-connect doesn't work
14:54 <@krzee> why not?
14:54 < havoc> routes/IPs aren't there yet
14:54 < havoc> so ssh hangs
14:54 <@krzee> maybe i midunderstand your goal
14:54 <@krzee> run it by me again?
14:55 < havoc> I need to get the hostname of a vpn client, on the server, when it connects
14:56 <@krzee> oh your hostname thing, cant you just make the CN=that?
14:56 <@krzee> oh right orig config will be generic
14:56 <@krzee> i member
14:56 < havoc> and the client hostname, when chnaged from the default, will become the CN
14:57 <@krzee> i wonder if you can call a script, have that script call another script and detach it and disown it then exit success
14:57 <@krzee> i wonder if the backgrounded disowned script will run without blocking
14:57 <@krzee> if so you could sleep 10 then continue
14:58 <@krzee> easy enough for you to test that idea
14:59 < havoc> yeah, been trying many things
14:59 <@krzee> lemme know how that goes
15:00 <@krzee> you could always let them connect, and have a script that looks for clients connected to that server
15:00 <@krzee> run the script every 10min or so
15:00 <@krzee> its only a 1time run per client, not so important that it happens the moment it connects
15:01 <@krzee> 1sec ill get you a template
15:01 < havoc> eh, it kindof is, right now, unless we change the deployment process
15:01 < havoc> ok
15:02 <@krzee> how so?
15:02 <@krzee> it would be the same
15:02 <@krzee> thered be a step of "wait 5-10 minutes"
15:02 <@krzee> lol
15:02 < havoc> that may be the problem
15:03 < havoc> having someone wait there in front of the machine
15:03 <@krzee> fine step up the crontab
15:03 <@krzee> run it more often :-p
15:03 < havoc> yeah, every minute may work
15:03 < havoc> that's already been explored
15:03 < havoc> trying to find a better solution before going that route
15:03 <@krzee> just make sure it outputs some sort of list so it doesnt double-run on 1
15:03 < havoc> flock
15:04 < havoc> and yes, everything unique
15:04 <@krzee> https://0bin.net/paste/ZHV9pg6mCR2KTaec#dNUJ377270W1OzCiI2InTw1sZ1bFHUBF3y8hrwy2g6A
15:04 <@krzee> that has 2 vpn services, you could remove some to make it 1 or add some to make it more
15:04 <@krzee> adjust to your flavor
15:07 <@krzee> you may notice i used filehandle 3 in loggedinvpn()
15:07 <@krzee> that matters =]
15:07 < havoc> what is this for?
15:07 <@krzee> it queries the management interface to get the clients logged in
15:07 < havoc> it uses the management interface, which I'm not using
15:07 < havoc> ah
15:08 <@krzee> you will if you wanna do what i said ;]
15:08 <@krzee> thats how you find active vpn users to run the script on
15:08 < havoc> ok
15:08 < havoc> I'd just cat/grep the status log :)
15:08 <@krzee> you'll likely find over time that you want the management interface
15:08 < havoc> same thing
15:09 <@krzee> less realtime, but sure you could force it to update before using it
15:09 <@krzee> at least if i remember right thats the case
15:09 < havoc> I've never touched the management iface, I need to look into that
15:09 <@krzee> its good stuff
15:09 <@krzee> annnnnd you can automate stuff with it
15:09 <@krzee> in fact its made for that
15:10 <@krzee> !management
15:10 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface, or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN, or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
15:39 < havoc> ah, it's --route-up that just doesn't get called in server mode
15:39 < havoc> that's why that one didn't work
15:40 <@krzee> oh my bad since you said push_reply i was thinking clients
15:41 <@krzee> ya ipchange, learn-address, and client-connect is what you get to work with
15:41 < havoc> not ipchange, throws error in server mode on that one
15:42 <@krzee> tested learn-address?
15:42 < havoc> yup
15:42 <@krzee> tested client-connect?
15:42 < havoc> the problem is that the ifconfig-pool address isn't handed out until the end, several ops after the learn-address target
15:43 <@krzee> tested my idea about a script called from one of those scripts as a detached process/disown'ed?
15:43 < havoc> yes, client-connect was the first thing I tried, and had assumed was going to work
15:43 <@krzee> if that script could sleep awhile and then run without blocking...?
15:43 < havoc> need something that runs at the very end, and there is no such thing :(
15:43 <@krzee> if it slept for like 10sec the connection would be finished
15:43 <@krzee> (or it would hang til done sleeping)
15:44 <@krzee> test that
15:44 <@krzee> you get what i mean?
15:44 < havoc> possibly, on learn-address, as that's closest to the end
15:44 < havoc> at least it's as close as we can get
15:44 <@krzee> doesnt even matter which, as you can sleep through the rest
15:45 <@krzee> just matters if the idea works or not
15:45 < havoc> I'm trying to limit the blocked time
15:45 <@krzee> if not, you'll be using my idea with management interface
15:45 <@krzee> thats what im saying, we dont know if my idea would block
15:45 <@krzee> if its detached and disowned, does it still block?
15:46 <@krzee> so youd have a script called by learn-address or whatever that would call another script & ; disown ; exit
15:46 <@krzee> then other script would sleep 30 ; test stuff
15:46 <@krzee> see if that blocks or not
15:47 <@krzee> in bash (dunno bout others) disown will give up ownership of backgrounded jobs
15:47 < havoc> bah, not going to work, not threaded, duh
15:48 <@krzee> when it calls the other script its another process, when you disown that process is no longer your child
15:48 <@krzee> you give up process parenthood
15:48 < havoc> yeah, may have to do that, but my bash skills have atrophied over the years
15:48 <@krzee> it could work, worth testing
15:48 < havoc> re-learning it all
15:49 < havoc> have to pass the ovpn env vars too
15:49 < havoc> not that that's a big deal
15:49 <@krzee> !script
15:49 <@vpnHelper> "script" is (#1) See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage#lbAS, or (#2) to see all vars available to a script, you can env > /tmp/env, or (#3) if using bash you can put exec 2>&1 in the first line of your script and it will send all error output to
15:49 <@vpnHelper> your openvpn log. set -x as well to show your commands as they are executed
15:49 <@krzee> see #2 and #3
15:50 <@krzee> #2 is a quick cheat
15:50 < havoc> not sure what that has to do with a forked/disowned script not having access to openvpn's environment
15:50 <@krzee> you said youd have to pass the vars
15:50 <@krzee> thats a cheatsheet on the vars
15:50 <@krzee> then you just export them before you run
15:50 < havoc> oh, I know what the vars are
15:51 <@krzee> it'll still have them after disowning
15:51 <@krzee> they get set immediately
15:51 < havoc> better to pass as args to script, as in a disowned state, there could be more than one script running
15:51 < havoc> ah, disown clones the environment?
15:51 <@krzee> either way you send the current env to the invocation of the script
15:52 <@krzee> disown has nothing to do with it, exporting vars happens when you execute the script it gets the env
15:52 < havoc> well, I was only going to send a coupl things
15:52 <@krzee> when you disown it still has its env
15:52 < havoc> ok
15:52 <@krzee> you can send or export whichever you want
15:52 <@krzee> both ways works and both ways you only send the vars you want
15:52 < havoc> really only need 3
15:53 < havoc> well, 2
15:53 <@krzee> cool
15:53 <@krzee> exporting is lazier but both ways is fine
15:53 <@krzee> so do whichever makes you happier ;]
15:53 < havoc> I'm using ifconfig_pool_remote_ip, trusted_ip, and common_name
15:53 <@krzee> wont common_name always be same?
15:53 <@krzee> since generic config
15:54 <@krzee> oh i guess you can exclude yourself that way at least
15:54 < havoc> that's how I know if it's provisioned or not, and possibly connecting to the wrong server
15:54 <@krzee> you can filter that before calling the subscript
15:54 <@krzee> since it doesnt require the sleep
15:54 < havoc> yes
15:54 <@krzee> so dont need to pass it
15:55 < havoc> right now it's just dumping everything to a tmp file
15:55 <@krzee> just cause its testing
15:55 <@krzee> ?
15:55 < havoc> yes, for testing
15:55 <@krzee> cool
15:58 <@krzee> im interested in hearing if my backgrounding idea worked
15:58 < havoc> it will be quicker than logging/polling
16:01 < havoc> ok, so --learn-address script just calls script2, and disowns script2, and exits, script2 does all the heavy lifting
16:01 < havoc> ...in a detached state, and then exits
16:02 <@krzee> yes, but you can do any of your filtering to do no heavy lifting in the first script
16:03 <@krzee> then have script2 sleep 40sec and echo testing
16:03 <@krzee> see if openvpn waits 40sec or not
16:04 < havoc> hmm, could I just do: --learn-address "provisioning.sh & disown"   ?
16:05 <@krzee> no
16:05 < havoc> be aware, I'm still reading up on the bash process table
16:05 <@krzee> openvpn isnt a bash processor, it just calls the script
16:06 <@krzee> if the script has a bash shbang at top now you in bash land
16:06 < havoc> duh, and disown is a bash func
16:06 <@krzee> right!
16:06 <@krzee> thats why theres 2 scripts :-p
16:06 <@krzee> duh? you made my point ;]
16:09 < havoc> but I can call the secondary script that way, correct? "script.sh & disown" from the primary script?
16:09 <@krzee> no
16:09 <@krzee> script &
16:09 <@krzee> disown
16:09 <@krzee> i believe needs to be separate lines
16:09 < havoc> ok
16:09 <@krzee> if im wrong thats new to me
16:10 < havoc> again, I'm still reading
16:10 <@krzee> well i could be wrong about it NEEDING to be separate lines
16:10 < havoc> but that gets me there quicker, thank you
16:10 <@krzee> i believe it does tho
16:10 < havoc> I'd think you could do "script.sh &; disown"
16:10 <@krzee> yes id expect that to work
16:10 < havoc> but whatever, seperate lines isn't a problem, if it works
16:10 < havoc> it's just sperate commands
16:11 <@krzee> right
16:11 < havoc> seperate
16:11 <@krzee> separate
16:11 <@krzee> ;]
16:11 < havoc> yeah
16:11 < havoc> I'm assuming disown will use the PID of the last invocation if no JOBSPEC is specified?
16:12 < havoc> yeah, looks/sounds that way
16:16 < havoc> it should work, the only problem was openvpn blocking on the script, so sleep is useless
16:17 < havoc> if it can detach (logically), then the ovpn connection process should continue
16:17 < havoc> and as long as the local env is passed, there's no problem
16:17 < havoc> env/relevant args, whatever
16:18 <@krzee> you can just disown
16:18 <@krzee> if only 1 job in background at least
16:18 <@krzee> you may have more depending how fast they connecting
16:19 < havoc> I'm not too worried about that, the field techs can only bring so many of these online at one time
16:19 <@krzee> havoc: test first with my simple sleep / echo
16:19 < havoc> I tested w/ sleep, like 40min ago
16:19 <@krzee> it'll save work if it fails
16:19 < havoc> the process just blocks
16:19 <@krzee> oh, it worked??
16:20 <@krzee> no i mean script2 does sleep 40 ; echo
16:20 <@krzee> then gets disowned
16:20 < havoc> oh, no, haven't done that yet, still reading
16:20 <@krzee> doing that will save time
16:20 <@krzee> cause if it blocks, nothing left to read on that
16:20 <@krzee> hehe
16:20 < havoc> I figued I'd just cann the script immediately, assuming it needs to be called, then have the disowned script sleep 10
16:21 < havoc> call
16:21 <@krzee> right, disowned script sleep 40 ; echo test
16:21 <@krzee> test that
16:21 < havoc> that's the plan, just not yet, other fires :(
16:22 <@krzee> want me to give you the scripts so you can test? cause reading about it will be a waste of your time if it still blocks
16:22 < havoc> leanring more than one knows is not a waste of time :)
16:23 < havoc> gimme a minute
16:24 <@krzee> https://pastebin.com/GA69XYFH
16:25 <@krzee> =]
16:25 <@krzee> if that blocks then this is a dead end
16:28 < havoc> ok, works w/ sleep 10, and env is passed to second script
16:28 < havoc> yay!
16:28 < havoc> thank you :)
16:29 < havoc> not sure I even *need* to sleep, as ssh will block
16:29 < havoc> block/wait
16:30 <@krzee> sweet
16:30 <@krzee> glad to know
16:30 <@krzee> you should sleep, doesnt necessarily need to be 10
16:31 < cVsup> When I boot my openvpn server it has the following error?
16:31 < cVsup> When I boot my openvpn server it has the following error:
16:31 < cVsup> Fri Jul 21 18:26:52 2017 WARNING: Your certificate has expired!
16:31 < cVsup> somebody can help?
16:31 <@krzee> you dont know what that means?
16:31 <@krzee> wanna take a guess?
16:33 < cVsup> krzee: He is informing me that my certificate has expired, but I have dozens of clients. Can I regenerate this certificate without having to send something to these clients?
16:33 <@krzee> yes if you still have the original PKI
16:33 <@krzee> you only need to give new certs to whoever expires
16:45 < cVsup> krs93_: CA certificate and CA private key do not match
16:46 < cVsup> the error ocurred when run build-key-server
17:02 <@krzee> sounds like your ca cert and ca private key dont match
17:02 <@krzee> ive never seen such perfect error messages really
17:07 < cVsup> krzee: my old crt and new crt are diferent
17:07 < cVsup> how can use cnf file?
17:08 <@krzee> your new cert needs to be signed by the same CA that signed all the existing certs
17:09 < cVsup> yes
17:09 <@krzee> if you dont have the old ca.key then you're screwed and need to make an entire new PKI for everybody
17:09 < cVsup> i have
17:09 <@krzee> you need to be using the old ca.crt too
17:09 <@krzee> they need to match
17:09 < cVsup> old ca.crt
17:09 < cVsup>         Subject Public Key Info:
17:09 < cVsup>             Public Key Algorithm: rsaEncryption
17:09 < cVsup>             RSA Public Key: (1024 bit)
17:09 < cVsup>                 Modulus (1024 bit):
17:10 <@krzee> if you make a new ca.crt you need an entire new pki
17:10 < cVsup>         Subject Public Key Info:
17:10 < cVsup>             Public Key Algorithm: rsaEncryption
17:10 < cVsup>             RSA Public Key: (2048 bit)
17:10 < cVsup>                 Modulus (2048 bit):
17:10 <@krzee> which i suggest since you're using 1024 ;]
17:10 <@plaisthos> not necessarliy
17:10 <@plaisthos> but migrating a CA certificate is a pain in the ass
17:10 <@krzee> oh right you could sign the new ca.crt with the old ca.key
17:10 <@plaisthos> and only worth if the old one is not yet expired
17:10 <@plaisthos> as you have to push the new CA to the clients
17:11 <@plaisthos> if it is expired you can as well just do a new ca
17:11 <@krzee> oh right, in which case you may as well start over anyways
17:12 <@krzee> so cVsup is the old ca.crt close to or past expiration?
17:12 < cVsup> He has already expired.
17:13 <@krzee> ahh ok
17:13 <@krzee> so you will need to update all clients anyways
17:14 < cVsup> My ca.crt is already expired. I'm trying to run the command to create a new ca.crt using my old ca.crt.
17:14 <@krzee> you may as well make a whole new PKI
17:14 < cVsup> Openssl x509 -in ca.crt -days 36500 -out ca_new.crt -signkey server.key
17:14 < cVsup> i need send only ca.crt to my clients?
17:16 <@plaisthos> cVsup: you are screwed and need to replace all certificates anyway
17:17 <@plaisthos> If you really desperate you could create a new CA (with the old key) for the still valid client certificates (that are valid after the CA validity) for the server to validate the clients and also push this CA to the clients
17:17 <@plaisthos> but you face problems with that sooner or later as 1024 bit is the next thing that dies
17:19 < cVsup> plaisthos: can you help me? What the command i need to run?
17:20 <@plaisthos> cVsup: I never done that
17:20 <@plaisthos> I knwo that is possible but for my small CAs, replacing all certs was just easier
17:22 <@krzee> cVsup: youd make a new ca.csr and sign it with your old ca.key
17:22 <@krzee> i think
17:23 <@krzee> but like plai said id make a all new pki with 4096 keysize
17:23 <@krzee> well he said not 1024, i said 4096 :D
18:26 < havoc> krzee: it works w/o sleep
18:27 < havoc> the problem before was that the ssh call was blocking, so the client connect process couldn't continue
18:27 < havoc> there are some other strange artifacts, but I'll figure them out
19:20 -!- |Mike| [~mike@2001:0:53aa:64c:2046:4692:4d00:ce10] has joined #openvpn
19:21 < |Mike|> re!
19:25 <@krzee> werd
19:25 <@krzee> good to know havocthanks
19:26 < |Mike|> aloha krzee :)
19:27 <@krzee> goedemorgen
19:33 < |Mike|> Nice going hehe. Krrrzzzee goes Dutch :)
19:41 <@krzee> lol i needed google that time
19:41 <@krzee> dutch is hard
19:46 < |Mike|> krzee: not for me ;-)
19:47 < |Mike|> But then again, I speak German/French and English fluently
19:47 < |Mike|> Writing is another skill xD
19:47 < ocb> any programming languages? :)
19:47 < |Mike|> Ruby and Perl :)
19:48 < |Mike|> and a little bit PHP, but that's more scripting, isn't it?
19:48 < |Mike|> et tu?
19:48 < ocb> that's nice, perl seems to be hard for me
19:49 < ocb> ? :O
19:50 < |Mike|> and you?
19:50 < ocb> oh now i understand :)
19:50 < ocb> bash and python
19:52 < ocb> enjoy the evening, time to rest a little :)
19:52 < ocb> see ya in a few
19:55 < |Mike|> it's nearly 3am here, I better go to Zzz :)
19:55 < |Mike|> nn.
20:01 <@ordex> morning!
20:09 <@krzee> g'day mate
20:11 <@ordex> :]
--- Day changed Sat Jul 22 2017
01:57 -!- nocaberi is now known as Bock
02:09 <+hyper_ch> hmmm, if I connect to two different vpns and if both vpns push a dns server, which one will get priority?
02:35 <@ordex> :D
02:35 <@ordex> imho the last one !
02:35 <+hyper_ch> probably :) will push dns server remove already existing ones? I don't really know :)
02:36 <@ordex> i think this also depends on the platform and how openvpn pushes the dns
02:36  * ordex nothing know
02:36 <+hyper_ch> :)
04:54 -!- rax-Y is now known as rax-
06:21 <@ordex> !easyrsa
06:21 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA, or (#4) Source checkouts available from the github project.
07:03 -!- |Mike| [~mike@2001:0:53aa:64c:2046:4692:4d00:ce10] has quit [Ping timeout: 255 seconds]
07:55 -!- |Mike| [~mike@178.255.49.239] has joined #openvpn
13:01 < GordenFreemant> Good afternoon, everyone
13:02 < GordenFreemant> Is anyone here who might be able to help me figure out if the problem I'm having is iOS 11's fault or the OpenVPN iOS app's fault?
13:28 < xboner> explain more
13:51 <@krzee> lol
14:21 < Netmage> Hello, does anyone know if it is possible to force tunnelblick to use socks proxy before creating a openvpn connection ?
14:30 <@krzee> !socks
14:30 <@krzee> !man
14:30 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
14:30 <@krzee> search for the socks options
14:31 <@krzee> looks like --socks-proxy and --socks-proxy-retry
14:32 < Netmage> thank you very much
14:32 < Netmage> I will have a look
14:32 <@krzee> no problem
14:32 <@krzee> note that most socks proxies only can proxy tcp not udp
14:33 <@krzee> and that tcp over tcp is not a great idea
14:38 < Netmage> I think ssh Dynamic Forward is one of the socks proxies that only allow tcp
14:38 <@krzee> ssh's socks implementation is definitely tcp only
14:38 <@krzee> dante can only listen on tcp but can proxy udp
14:42 < Netmage> My main problem is that the openvpn provider does only provide openvpn on the default openvpn port and not on 443 but the hotel does only allow 443 and 80
14:42 < Netmage> So I used changed the default ssh port to 443 and now I would like to connect ot the openvpn provider
16:26 < DArqueBishop> 14:40 Netmage: My main problem is that the openvpn provider does only provide openvpn on the default openvpn port and not on 443 but the hotel does only allow 443 and 80
16:26 < DArqueBishop> They must not get a lot of business travelers.
16:37 <@krzee> ouch so you need to bounce through your own
16:52 < DArqueBishop> Han: why?
16:53 < DArqueBishop> I don't use a VPN for privacy/anonymization purposes. I use it for remote access.
16:56 < DArqueBishop> I was merely stating that Netmage's hotel must not get a lot of business travelers, because most would be incensed if they couldn't access their corporate VPN from the hotel.
17:02 <@krzee> with your own server you could by;pass whatever they put in your way
17:02 <@krzee> even if you had to resort to dns tunneling
19:43 < Kadigan> DArqueBishop: actually, the fact that the hotel only allows 80/443 probably means they have shit for security. Whoever set it up probably thought this was a good idea, and who knows what other "bright" ideas this guy had...
19:44 < nathani> do I need to do something special to get tun devices working on a raspberry PI?
19:47 < nathani> my log has Sun Jul 23 00:44:43 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
19:52 < DArqueBishop> Kadigan: whynotboth.jpg
19:58 -!- marlinc_ is now known as marlinc
20:10 < nathani> I get no output from the command openvpn --config <filename>
21:08 <@ordex> krzee: typhoooon :D
21:08 <@ordex> but it's not worththe name. it's just a tropical fart
21:08 <@ordex> :p
22:46 < nathani> openvpn isnt working on my Raspberry Pi for some reason
23:01 <@ordex> !logs
23:01 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
23:01 <@ordex> !configs
23:01 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
--- Day changed Sun Jul 23 2017
01:33 < cr1t1cal> is openvpn a vpn provider?
01:33 < cr1t1cal> or just an application used to access vpn?
01:34 < cyberanger> !welcome
01:34 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
01:34 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
01:35 < cr1t1cal> cyberanger: does that answer my question?
01:35 < cr1t1cal> my goal is to starting using a trustworthy vpn
01:35 < cr1t1cal> i'm not sure which vpn to choose as I don't know the metrics to measure vpn quality
01:37 < cyberanger> cr1t1cal: no, but it answered mine
01:38 < cyberanger> As for your question, this channel is about the software. Not a vpn provider.
01:38 < cyberanger> I've used a few providers, but also DIY too
01:40 <@krzee> cr1t1cal: openvpn is an application for vpns, but openvpn technologies also runs a vpn service
01:40 <@krzee> im sure you can find more on openvpn.net
02:32 -!- nocaberi is now known as Bock
05:13 < Aprexer> cr1t1cal, rent a server and run openvpn, walla you have a dedicated ip
05:13 < cr1t1cal> Aprexer: dedicated ip?
05:14 < Aprexer> Well yes, because other vpn providers will usually have more than one server but if 1 is enough for what you're doing it would be fine running
05:14 < Aprexer> Basically no one else will share it with you
05:15 < cr1t1cal> btw
05:15 < cr1t1cal> I heard VPNs are not safe due to the fact that everyone else using the VPN shares the same NAT?
05:15 < cr1t1cal> what does that mean?
05:16 < Aprexer> Well no because hopefully you'll be using certificates so that can't happen.
05:17 < cr1t1cal> Aprexer: certificates? i kindly ask for a quick elaboration
05:18 < Aprexer> Your basic certificate and private key
05:18 < Aprexer> So like you can get openvpn install scripts for linux and you can add or remove users.
05:18 < Aprexer> Every user has its own certificate.
05:19 < Aprexer> Therefore, other can't intervene on the network.
05:19 < Aprexer> and it's a way of authenticating.
05:20 < Aprexer> Most of the time you'll get better speeds also running your own one.
05:20 < cr1t1cal> but the authentication is just for the connection itself
05:20 < cr1t1cal> from you to the vpn entrance
05:20 < cr1t1cal> from there its just regular old NAT, correct?
05:21 < Aprexer> well it uses ssl or tls for key exchange
05:22 < Aprexer> you don't really need a username and password. I believe that feature is only available to the other version of openvpn
05:23 < Aprexer> Openssl does most of the work in encryption.
05:23 < cr1t1cal> hm
05:24 < cr1t1cal> you still haven't convinced me that vpns are secure?
05:24 < cr1t1cal> xd
05:24 < cr1t1cal> thats still only for the connection between you and the vpn provider
05:24 < cr1t1cal> even if the connection was unencrypted, the problems would be just as bad
05:24 <@ordex> cr1t1cal: if the server is used as GW towards the Internet, and the server provides one public IP for all the clients, then yes. All the clients need to share the same IP and the server will do NAT
05:24 <@ordex> cr1t1cal: how does this make the vpn per se unsafe ?
05:25 <@ordex> NAT is being used everywhere, whenever you have a shared IPv4 among a number of hosts
05:25 < Aprexer> If you run your own openvpn just make sure you drop root privileges
05:26 < cr1t1cal> ordex: but its safe for things like personal routers. the assumption that everyone behind it is trustworthy stands
05:27 < cr1t1cal> ordex: but when you have vpns with randoms joining every now and then, the trust policy is broken. unless you really trust all those random people which you have no reason to do anyways
05:27 <@ordex> cr1t1cal: why do you need to trust other people sharing your IP?
05:27 <@ordex> (and don't forget that the IP being shared is not in your name)
05:29 < Aprexer> If you're shared of using a shared one, better just to run a dedicated one yourself.
05:29 < Aprexer> scared*
05:29 < cr1t1cal> ordex: but then its shit for anonymity
05:29 <@ordex> cr1t1cal: the opposite
05:29 <@ordex> cr1t1cal: the same IP being used by X people -> more difficult to understand who was operating in that moment
05:29 < cr1t1cal> ordex: if you dont care about someone knowing what you are searching, finding your real ip
05:29 < cr1t1cal> then sure
05:29 <@ordex> sorry Ididn't get the last sentence, could you rephrase?
05:30 <@ordex> cr1t1cal: ah got it
05:30 <@ordex> cr1t1cal: the only entity in that position is the VPN provider
05:30 <@ordex> yes, you have to trust them
05:30 <@ordex> they could be sniffing all your traffic
05:30 <@ordex> same as your local ISP besically
05:30 <@ordex> *basically
05:30 < Aprexer> Don't believe the no logging bullshit also
05:30 < cr1t1cal> about the x people thing, you would still be using the same ip:port combo right?
05:30 <@ordex> but not the other people using the service. they are not involved
05:30 <@ordex> cr1t1cal: no. only same IP
05:31 <@ordex> each connection will be using different ports (normally)
05:31 <@ordex> (at least we can assume that) but not sure where it makes the difference?
05:32 < cr1t1cal> like i was thinking it would be impossible to connect without everyone using the same port
05:32 <@ordex> well
05:32 <@ordex> we are mixing up different topics
05:32 < cr1t1cal> coz NAT translation
05:32 <@ordex> the VPN server will be running on a given ip/port
05:32 <@ordex> and everybody will connect there
05:32 <@ordex> but this is totally unrelated to the NAT
05:33 < cr1t1cal> but this makes it insecure and not good for anonymity yes?
05:33 <@ordex> uhm
05:33 <@ordex> why ?
05:33 < cr1t1cal> sorry i am not the most educated of people. i do appreciate your time
05:33 <@ordex> np :)
05:33 <@ordex> just trying to understand how you come to such conclusion
05:33 < cr1t1cal> yeah its just
05:33 < cr1t1cal> topics mixing up
05:33 < cr1t1cal> its fine
05:33 <@ordex> hehe
05:33 <@ordex> np
05:33 < cyberanger> Security and Anonymity do not always go hand in hand
05:34 <@ordex> true
05:34 <@ordex> but now we were really mixing different things
05:34 <@ordex> completely disjoint, this is why I got lost
05:34 <@ordex> the VPN server is like any other server: a daemon listening on a given port
05:34 <@ordex> clients connect there and start an application session on top (i.e. the VPN tunnel)
05:35 <@ordex> then *IN* the VPN tunnel there will be traffic flowing to the server
05:35 <@ordex> and the server will decide what to do
05:35 <@ordex> it can do NAT and forward the traffic to the Internet
05:35 <@ordex> but this is on a different level compared to the connection to the VPN port
05:35 < cr1t1cal> a vpn is not just a daemon. doesnt it hook onto the kernel interface?
05:36 <@ordex> well, these are implementation details - we can keep them out for the sake of the discussion
05:36 < cr1t1cal> ok ok
05:36 <@ordex> but yes, the VPN uses the tun kernel module
05:36 < cr1t1cal> ordex: i really appreciate your help
05:36 <@ordex> np
05:36 <@ordex> :)
05:37 <@ordex> better to clarify before spreading wrong rumors :D
05:37 < cr1t1cal> yeah ofcourse
07:12 <@ordex> !clientlan
07:12 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
07:12 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
09:10 < GreatEmerald> I'm trying to set up a VPN instance for a DirectPlay server (which normally requires UDP port forwarding of the clients, too, which is not possible in this case). With routed mode, I can ping the client and vice versa, but we still can't connect
09:11 < GreatEmerald> I also tried to set up bridging, but that didn't work so well (I use NetworkManager and it's a pain to set up tunnels with it)
09:12 < GreatEmerald> In theory, I shouldn't need bridging, though, because clients who can forward ports can connect to the server just fine. So I don't know why it didn't work to connect
09:13 < GreatEmerald> Is there a way to troubleshoot this? The server is openSUSE Tumbleweed and the client is Windows
09:19 <@plaisthos> wireshark
09:19 <@plaisthos> or just use tap
09:20 <@plaisthos> it is not as nice but works better in these scenarios
09:20 < GreatEmerald> Hm, interesting, I'll try
09:20 <@plaisthos> tap has whole ethernet semantics
09:20 < GreatEmerald> And I haven't used wireshark before
09:20 < GreatEmerald> Let me test tap first
09:21 <@plaisthos> wireshark shows all packets on the network
09:21 <@plaisthos> it is a great tool to debug if you have network knowlege
09:23 < GreatEmerald> I have some, but not sure if enough, given that the number of packets could be quite high. Then again if it works only on the tap then it shouldn't be too high
09:33 -!- czart__ is now known as czart
09:51 < GreatEmerald> Well, Wireshar shows some communication
09:51 < GreatEmerald> And there's a red block with [RST]
09:51 < GreatEmerald> Which says warning: connection reset
10:00 < GreatEmerald> Well, this is what I'm seeing: http://i.imgur.com/YJSeWzp.png
10:01 < GreatEmerald> I'm not sure what to make of it
10:01 < GreatEmerald> 47624 is the DirectPlay port
10:01 < GreatEmerald> There's SYN, ACK, FIN and RST
10:02 < GreatEmerald> Normally this TCP port is used for negotiating another (UDP) port on which the games then run
10:08 < tetero> Is there any way to accept the pushed dns servers when connecting to an openvpn server other than through the env variables of the up/down scripts?
10:09 < tetero> I'm currently grabbing them from the env variables, via up/down script hooks - but that's problematic during ping-restarts because it can't reconnect since the dns servers are in the tunnel
10:20 < Serus> does enabling client-to-client mean I would be able to see network shares from other users?
10:42 < malarivi> anyone know a channel for support with ocserv?
10:54 < GreatEmerald> OK, I think I found a clue by comparing the capture from a successful connection through the internet
10:54 < GreatEmerald> In the success case, the server asks for a conenction on TCP 2300 on the client
10:55 < GreatEmerald> In the VPN case, I don't see such a packet
10:55 < GreatEmerald> Would it be shown if it got filtered by a firewall on the client? I assume so
13:37 -!- id4rk_ is now known as id4rk
14:28 < nathani> how do I set default IPv6 route via OpenVPN configs?
14:34 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
14:54 < tetero> GreatEmerald: Depends on whether the client firewall blocks it or drops it, i.e. returns a TCP RST / ICMP unreachable or not.
14:55 < GreatEmerald> Well, I think I figured the problem out
14:56 < GreatEmerald> It took looking into the data portion of the TCP packets and figuring out that what it's supposed to send is the negotiated port number
14:56 < GreatEmerald> But my client sent something that looks like nonsense instead
14:57 < GreatEmerald> Which is probably because Windows 10 has a non-functional DirectPlay client
14:58 < GreatEmerald> So that's their problem rather than anything to do with the VPN
19:16 < |Mike|> nathani: solved?
20:01 -!- |Mike| [~mike@178.255.49.239] has quit [Quit: leaving]
20:09 -!- |mike| [~mike@178.255.49.239] has joined #openvpn
20:16 -!- |mike| [~mike@178.255.49.239] has quit [Quit: leaving]
20:24 -!- |Mike| [~mike@178.255.49.239] has joined #openvpn
20:26 -!- |Mike| [~mike@178.255.49.239] has quit [Client Quit]
20:46 -!- remirol is now known as lorimer
--- Day changed Mon Jul 24 2017
00:34 -!- instantp10neer_ is now known as instantp10neer
01:23 < vishesh92> hi. I have setup google authenticator with VPN. But if the internet connection is little flaky, it disconnects and asks for OTP again. Is there a workaround for this?
01:25 < vishesh92> So that I do not have to enter the OTP again when openvpn reconnects
01:44 <@krzee> id expect that to be intended behavior since its a new connection, but maybe theres something you could do to modify the script if theres a way you can tell its a reconnection
04:29 < steeling> !welcome
04:29 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
04:29 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
04:36 < tetero> !goal profit
04:38 < steeling> If I run an openvpn instance to create a tun device without setting up routes, why might setting that link to a net namespace invalidate it or stop it working correctly?
05:05 < comfag> Hello. I am trying to make an OpenVPN server on a Windows 10 machine. So the server and client are both Windows 10. I have shared the network connection with TAN adapter on server side, and I have Remote Access service running too. I have also tried enabling the registry entry of TCPIP parameters but still can't find a solution. I am connected to the server but I can't browse anything. I have
05:05 < comfag> tried turning off firewalls on both server and client but still it didn't do anything. I had it working until yesterday when my server was restarted, and ever since I cannot get it to work anymore. Here are the configs. Server -> https://pastebin.com/i1nCxj1z (I have tried specifying GoogleDNS but it still didn't work). Client -> https://pastebin.com/2wdhdiqK
05:06 <@dazo> steeling: if you create a tun device with no routes ... it would be configured ... and no traffic should enter the tun-adapter, as the kernel have not been told to route traffic to it
05:06 < comfag> TAP Adapter*
05:06 <@dazo> you would have one route though, which is the subnet of the tun adapter only ... so any traffic carrying an IP address scope of the tun would be routed
05:08 <@dazo> to the tun adapter
05:09 < steeling> dazo: Once I've set the tun device to the namespace, I setup lo, add an address to the tun as well as up it. I then set the default route to be through an address on the same network as the tun interface
05:10 < steeling> The reason I don't setup routes initially is to stop the openvpn instance from setting itself up on the default namespace, I just want it to yield a tun device
05:13 <@dazo> you're doing some kind of container stuff?
05:15 < steeling> Yeah, I've managed to get containers working by setting up a netns with veth interfaces and setting up forwarding. After that I can then start openvpn in the namespace and that works. I'm just trying to understand why setting an existing tunnel to a namespace suddenly stops it working
05:15 < cbauer> is it possible to specify password on cmdline? I only find the --auth-user-pass [up] that gives me a way to specify it but requires  it to be in a file
05:17 < steeling> cbauer: Does it work if you don't supply [up]? The manual says it will prompt for one
05:26 < comfag> Is anyone familiar with my issue? :(
05:28 < tetero> What's a proper way of getting openvpn to set nameservers pushed by the server? The only way I've figured out is to have a script set it as they're passed as env vars, but that causes the issue that when there's a ping-restart, it can't resolve the vpn server name since it's using nameservers internal to the tunnel, and openvpn doesn't seem to send any 'restart' signal during ping-restarts
05:35 < tetero> comfag: You may want to provide some logs.. have you set up firewall rules to allow openvpn/routing?
05:39 < comfag> tetero: Server logs -> https://pastebin.com/wiGZFdzV | Client logs -> https://pastebin.com/QHUB4vsd
05:39 < comfag> I have openvpn added as an exception in firewall on both sides
05:39 < comfag> I have even tried turning off firewall from both sides, still it didn't work.
05:40 <@dazo> steeling: we have very little experience with openvpn in a containerized environment ... it's important ... but you might need to use --route-noexec --route-up ... to properly call /usr/bin/ip manually to get everything configured correctly .... openvpn in its current design is not aimed at containerized environment
05:48 < tetero> comfag: Logs look all right. It's some sort of Windows routing issue, doesn't appear to be an openvpn issue
05:49 < comfag> It was working fine until I restarted yesterday
05:49 < comfag> Everything is the same, nothing's changed.
05:49 < tetero> Yeah well, unfortunately, in Windows, things change without you changing them
05:50 < tetero> dazo: Is there a signal sent during ping-restart (to scripts) or is there a script hook for ping-restart, or can I somehow set pushed nameservers via a client option?
05:59 < tetero> fg
07:22 < comfag> Hello. I've tried everything listed on Google regarding my issue of being unable to browse after connecting. Does anyone here uses OpenVPN on Windows 10?
07:23 < comfag> My firewall settings are not the problem.
07:23 < comfag> And I have shared the internet connection with the TAP adapter.
07:24 < comfag> Here are my configs: Server -> https://pastebin.com/i1nCxj1z (I have tried specifying GoogleDNS but it still didn't work). Client -> https://pastebin.com/2wdhdiqK
07:24 < comfag> Server logs -> https://pastebin.com/wiGZFdzV | Client logs -> https://pastebin.com/QHUB4vsd
07:34 < comfag> I can only ping server's IP
07:34 < comfag> I can't ping anything else.
07:34 < comfag> MULTI: bad source address from client [::], packet dropped
07:34 < comfag> Also I just got this error randomly
07:35 <@ordex> comfag: I guess connection sharing/NAT is not setup properly..maybe..
07:35 <@ordex> never used openvpn server on windows
07:35 < comfag> I have set up sharing of the main internet adapter. It was working fine till yesterday when I restarted the server.
07:35 <@ordex> comfag: are you using dev tun or tap ?
07:35 <@ordex> ah ok
07:35 < comfag> I'm using tun
07:35 <@ordex> :S dunno
07:35 < comfag> What's this error: MULTI: bad source address from client [::], packet dropped
07:36 < comfag> Before I couldn't even see the gateway being assigned after connecting to the server
07:36 < steeling> Is the server using tun aswell?
07:36 < comfag> but now I can see them assigned, but there is no activity.
07:36 < comfag> Yes, it's tun on both sides.
07:38 < comfag> https://pastebin.com/zsPKDJ7F
07:39 < comfag> As you can see in the route table, it's everything is properly assigned.
07:43 < SerusWork> I have a similar issue with openvpn on linux
07:43 < SerusWork> dragoon/212.178.xxx.xx MULTI: bad source address from client [192.168.1.90], packet dropped
07:43 < SerusWork> the client is also linux
07:43 < SerusWork> from what I understand the client's local network is leaking to the server
07:43 < SerusWork> how do I stop this from happening?
07:44 <@plaisthos> SerusWork: often that are just packets of existing connections
07:44 <@plaisthos> and is quite normal
07:45 <@plaisthos> as the default gw for outside changes
07:45 <@plaisthos> you could do policy based routing/iptables to stop that happening
07:46 <@plaisthos> but noramlly it is not worth the trouble
07:50 < SerusWork> policy based routing?
07:51 <@plaisthos> SerusWork: or source based routing
07:51 <@plaisthos> i.e. routing not only based on destination but also on source
07:51 <@plaisthos> but seriously just ignore the problem
07:51 < SerusWork> that would require dynamic rules, wouldn't it?
07:52 <@plaisthos> don't know what you mean with dynamic rules in this context
07:52 <@dazo> SerusWork: sounds like you need to configure --client-config-dir ... with a ccd file for that client containing 'iroute 192.168.1.0 255.255.255.0'
07:53 <@dazo> but that would actually just allow that LAN traffic to be handled by openvpn
07:53 < SerusWork> plaisthos: adding and removing iptables rules on client connect and disconnect
07:54 < SerusWork> dazo: I don't want client to client communication though
07:55 <+hyper_ch> ecrist: in EasyRSA 3, what's the difference between build-full-server and build-full-client ?
07:55 <@dazo> then you need make your client to not route that traffic via the tunnel .... haven't tested it ... but a ccd with 'route 192.168.1.0 255.255.255.0 net_gateway' could maybe resolve it
07:56 < SerusWork> plaisthos: so even if I ignore this, this has nothing to do with the massive udp slowdown I experience, right?
07:56 < SerusWork> just so I know the issues are unrelated
07:56 <@dazo> otherwise, plaisthos is usually quite spot-on on these network related issues
07:56 < SerusWork> since that's question 2
07:56 <@dazo> SerusWork: it could most likely be related to slowdown ... as you fill the openvpn pipe with traffic it shouldn't have
07:57 < SerusWork> right
07:57 < SerusWork> could I make a ccd config for all clients and just route ips matching the 192.168 range to net_gateway?
07:59 <@dazo> if this happens on all your clients ... it sounds like you're doing something wrong in the openvpn config, where you actually push routes clients wouldn't need
07:59 <@dazo> !configs
07:59 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
07:59 < SerusWork> alright, messy config file time
08:04 < SerusWork> https://gist.github.com/DragoonX6/b785995c22ccb71ec499d4410a81e163 here you go, dazo
08:04 <@vpnHelper> Title: server.conf · GitHub (at gist.github.com)
08:04 < SerusWork> as you can see I have experimented with it quite a bit
08:05 <@dazo> SerusWork: okay ... these two lines may not work as expected
08:05 <@dazo> push "redirect-gateway def1 bypass-dhcp"
08:05 <@dazo> push "redirect-gateway ipv6"
08:06 < SerusWork> I expected as much
08:06 <@dazo> first of all, you really don't need bypass-dhcp .... some idiot put that in a blog post long time ago, and everyone since thinks that's clever
08:06 <@dazo> so just merge those two lines to:  push "redirect-gateway def1 ipv6"
08:06 < SerusWork> right
08:07 <@dazo> another detail .... auth SHA512 is overkill .... it'll waste bandwidth for no real enhanced security .... using auth SHA256 is far than good enough
08:08 <@dazo> (and in this context, even the default  SHA1  is even still safe to use ... as HMAC authentication is not hit by the SHA1 weaknesses)
08:09 < SerusWork> isn't that only for auth though?
08:09 < SerusWork> or does it have impact on traffic?
08:09 <@dazo> it have an impact for each packet ... --auth controls the packet authentication
08:09 <@dazo> so with --auth SHA512 each packet gets 64 additional bytes .... with --auth SHA256 it is reduced to only 32 bytes
08:11 <@dazo> (with SHA1 it is 20 bytes)
08:12 < SerusWork> right
08:13 <@dazo> SerusWork: now, if you want the best performing auth/cipher ... have OpenVPN v2.4 on both server and client ... and switch to --cipher AES-256-GCM .... GCM have --auth included in the cipher, so it doesn't depend on --auth at all ... so packets gets even a bit smaller ... plus most CPUs have hardware support for AES - including GCM
08:14 < SerusWork> right
08:15 < SerusWork> but that shouldn't really make an impact on both machines
08:15 < SerusWork> there's a very real possibility that the traffic is being inspected by the company network first
08:15 <@dazo> well, the AES-GCM and --auth stuff is not related your initial issue, it's a side-track
08:16 < SerusWork> but I'd assume that also to be the case with tcp
08:16 < SerusWork> but I get about 50Mb/s with tcp
08:16 <@dazo> SerusWork: packet inspection influences depends on where that happens
08:16 < SerusWork> and 2 with udp
08:16 <@dazo> ouch ... that is nasty
08:16 <@plaisthos> SerusWork: no does not to be dynamic just drop anything that is not from VPN range source and going to any tun device
08:16 < SerusWork> and this is a 100/200 network
08:16 <@dazo> that does sound like some router/gateway not being too nice to UDP packets
08:17 <@plaisthos> udp is usally faster than TCP
08:17 <@dazo> SerusWork: even though UDP is really recommended in most cases ... there are some environments where TCP works better, due to gateways/router/NATs not being nice to UDP packets
08:17 <@ecrist> hyper_ch: one builds a client certificate, and the other builds a server certificate with the proper EKU
08:18 <+hyper_ch> so those are different certs :)
08:18 <@ecrist> yes
08:20 <@dazo> hyper_ch: openssl x509  -noout -text  -in $CERT | grep -A2 "X509v3 Key Usage:"
08:20 <+hyper_ch> :)
08:22 < SerusWork> dazo: also with verb 0 and commenting out the logs, the speed does not change
08:22 < SerusWork> I do notice little bumps in the speed
08:22 < SerusWork> it starts out at 5MB/s
08:22 < SerusWork> and then drops to 2
08:23 < SerusWork> and jumps to 3~4 occasionally
08:30 < SerusWork> would this be the company inspecting udp packets?
08:32 <@dazo> SerusWork: --verb 0 does nothing in regards to the traffic hitting the tunnel .... that is the crux of your issue.  OpenVPN picks up traffic routed to the tun/tap adapter, encrypts it and sends it to the remote side .... then the remote side says: "Hey, I know nothing about this source subnet.  I'm dropping it" ... then the application which sends these packets times out as it never gets a response
08:33 <@dazo> SerusWork: inspecting udp packets is definitely not causing the "MULTI: bad source address from client" errors
08:33 <@dazo> SerusWork: you have two issues, afaict .... 1) bad source address .... 2) an ugly router/gateway which treats UDP packets poorly
08:33 <@dazo> 1) is solved by _not_ routing wrong networks into the VPN tunnel
08:34 <@dazo> 2) is solved by fixing the router/gateway and switching to TCP until this issue is resolved
08:35 <@ordex> is it possible to prevent openvpn from creating the .status file ?
08:35 <@dazo> ordex: remove --status from config :)
08:36 <@dazo> or add --status /dev/null
08:36 <@ordex> I have none
08:36 <@ordex> ok, the latter should work then
08:37 <@dazo> ordex: starting via systemd?
08:37 <@ordex> dazo: yup
08:37 <@ordex> dazo: does it add options on its own ?
08:37 <@dazo> ordex: to maintain some backward compat expectations, we have --status in the unit file, before --config
08:38 <@ordex> I see
08:38 <@ordex> oky
08:38 <@dazo> and generally, it's not a nasty thing to have ... gives a fairly nice overview of connected clients ... but I see that for some sites it is not really wanted
08:39 <@ordex> right
08:51 < SerusWork> dazo: we get no access to the router
08:51 < SerusWork> did my conn die?
08:51 < SerusWork> dazo: we get no access to the router
08:52 < SerusWork> we're a company on another company's terrain, and they're fucking with the network big time
08:53 < SerusWork> they don't block certain websites or files entirely, instead they let the download go to 99% and then block the last few bytes
08:54 <@ordex> uhm
08:54 <@ordex> that does not even sound easy to achieve
08:54 <@ordex> :P
08:55 < SerusWork> I know
08:56 < SerusWork> they're on a millitary backbone
08:56 < SerusWork> so that means you obviously have to block us from downloading llvm!
08:57 <@dazo> SerusWork: I'd then recommend you to get a decent connection from a more cooperative ISP
08:58 < SerusWork> they won't allow it
08:58 <@dazo> well, then adding openvpn on top of this is probably violating another set of policies as well ... hence they cripple the UDP traffic
08:59 < SerusWork> well, I need to get my libraries somehow
08:59 < comfag> Ok so I have found the problem. My Windows on the server is fucking up the network sharing. Everytime I open the sharing tab the settings get bugged and they reset
08:59 <@dazo> then you need a decent connection too
08:59 < comfag> That's why it worked before but not anymore.
08:59 <@ordex> comfag: :/
09:00 < comfag> Windows settings are so retarded sometimes :(
09:00 < SerusWork> that's what you get for using windows server
09:00 < SerusWork> :P
09:00 < comfag> haha
09:00 < comfag> I host some game servers, that's why I have to use Windows.
09:00 <@dazo> comfag: that's one of a million reasons I've not used Windows in any of my primary environments for about 15 years .... I even forced my wife over to Linux if she would get help with her issues
09:01 < SerusWork> dazo: oh the connection is fast and stable, just not very open
09:01 < SerusWork> they block the weirdest things
09:01 < SerusWork> like, they blocked me from grabbing a nautilus source package
09:01 < SerusWork> but other ports are wide open
09:02 <@dazo> SerusWork: right ... and they probably add these blocks for a reason, which is why you probably violate some policies trying to evade them ... the solution here isn't technology, it is a policy change you need to get in place so you can do your job
09:02 < SerusWork> oh we tried
09:03 <@dazo> get some mobile ISP connection, using WiMax, 3G, LTE or whatever is available in your region
09:03 < SerusWork> we're not part of their company, we just rent space on their property so they can get more money from the govt because they're such a helpful company
09:03 <@dazo> have it in an isolated network ... for downloading stuff you need
09:03 <@dazo> (or switch completely over to it ... if you don't need access to their network)
09:04  * dazo heads out for an hour or so
09:04 < SerusWork> I would use from LTE hotspot from my phone if I had a wifi card
09:04 < SerusWork> but it works decent if I use ovpn over tcp
09:05 < SerusWork> so I'll guess I'll do some work to get it listening on both ports later today
09:16 -!- |Mike| [~mike@178.255.49.239] has joined #openvpn
10:33 <@ordex> is it bad to allow the openvpn user to run ip commands via sudo with no passwd ?
10:33 <@ordex> or better...how bad is it ?:)
10:34 < Eugene> !unpriv
10:34 <@vpnHelper> "unpriv" is see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions.
10:39 <@ordex> thanks :)
10:40 <@ordex> argh Eugene on xenial I have systemd..but I think I can spend some time adapting your instructions for that
10:41 < Eugene> I'm sure there's a better way to do it
10:41 < Eugene> !hardening
10:41 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
10:41 < Eugene> May also be of interest ^
10:41 <@ordex> yeah, thanks for the pointers!
11:44 < zib_> hi
11:44 < zib_> can I tunnel IPv4 over openvpn IPv6 tunnel?
11:44 < zib_> is that possible?
11:47 <@dazo> zib_: yes
11:47 <@dazo> zib_: that's just all about routing ... the packets sent inside the tunnel does not care how the openvpn transport happens
11:49 < zib_> ok thanks
11:49 < zib_> will try that out
11:51 < zib_> are you also aware of tunnel brokers supporting that?
11:54 <@dazo> zib_: nope ... I don't trust external VPN providers ... when needing a "broker", I get my own VPS and configure OpenVPN myself
11:54 <@dazo> it's not that hard, and costs about the same
11:54 < zib_> yeah, but I need something *now* :-)
11:55 <@dazo> it takes about max 15 minutes to get a VPS booting with a Linux distro  ... and another 10-15 minutes to configure the tunnel?
11:56 < zib_> but then I need NAT on the server to get into Inet
11:56 < zib_> and generate certificates or keys or whatever
11:56 < zib_> I expect that this takes me 1-2 hours
11:57 <@dazo> ehm ... iptables -t nat -A POSTROUTING -o ethX -s 10.8.0.0/24 -j MASQUERADE
11:57 < zib_> and then OpenVPN on Windoze client :-O
11:57 < zib_> but will try that out now
11:57 < zib_> thanks
11:57 <@dazo> well, if you need it _now_ ... and don't need it running for too long ... you can start with static keys
11:58 < zib_> my server isnt that well located
11:58 < zib_> and my amazon test account just showed me that my VM there doesnt have IPv6 at all
11:58 < zib_> so fiddling on my jungle server
11:58 <@dazo> in addition to that iptables lines ... you need:  iptables -I FORWARD -i tun+ -s 10.8.0.0/24 -j ACCEPT ; iptables -I FORWARD -o tun+ -d 10.8.0.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
11:59 <@dazo> and sysctl net.ipv4.ip_forward=1
11:59 <@dazo> that's the config needed on top of openvpn
12:06 <@dazo> zib_: https://openvpn.net/index.php/open-source/documentation/miscellaneous/static-key-mini-howto.html
12:06 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
12:06 <@dazo> once you have that working ... you can easily generate proper PKI keys ... and then switch to that without too much config changes
12:08 <@dazo> once keys are generated for server/client ... you replace --secret with: --tls-server --key $KEY --cert $CERT --ca $CA --dh $DH on the server side .... and the client side is similar, replace --secret with --tls-client -key $KEY --cert $CERT --ca $CA  ... and it should work
12:08 < zib_> oki
12:08 < zib_> any recommendation about setting things up for maximum throughput and minimal latency (beside using UDP)?
12:15 <@plaisthos> use aes-gcm which requires pki
12:21 < zib_> openvpn[19500]: Options error: --server and --secret cannot be used together (you must use SSL/TLS keys)
12:25 < zib_> ok going the x509 way...
12:25 < zib_> 40 minutes .... :-D
12:25 < zib_> I'am slow
12:28 < zib_> damn this old OpenVPN installation cannot listen on IPv6 it seems
12:29 < zib_> I'am cursed
12:30 < zib_> my bad, just needs udp6 in config
12:30 < zib_> stop spamming now
12:56 < sstoveld> hey everyone, i know this has probably been asked a bunch, but i'm having issues accessing devices on the lan behind the ovpn server. i have ip forwarding enabled, push route is in the config, tried setting up a static route on the ubuntu server, nothing doing. can anyone point me in the right direction?
13:31 < DomiX> !welcome
13:31 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
13:31 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
13:33 < DomiX> Hi
14:41 < Serus> hey dazo, I have the same problems at home
14:43 < Serus> bad source addresses (this time ipv6)
14:43 < Serus> and really slow speed
14:43 < sstoveld> !route
14:43 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
14:44 < Serus> !clientlan
14:44 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
14:44 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
15:07 < Serus> hmmm, setting the sndbuf and rcvbuf for me on windows does help a ton
15:07 < Serus> makes me reach near native speeds
15:17 < sstoveld> anyone know of any openvpn consultants available to hire for some support?
15:24 < Eugene> Several. My going rate is $250/hr
15:24 < Eugene> !ask
15:24 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
15:36 < Serus> sstoveld: https://openvpn.net/index.php/login.html check here
15:36 <@vpnHelper> Title: Login (at openvpn.net)
15:37 < Serus> I don't have an account, but you might be able to order support
15:37 < Serus> or check contact
15:37 < Serus> or send an email to help@openvpn.net
15:50 < Conder> hello, does openwrt support running a vpn server on router?
15:51 < signo-> Conder: you mean something like this? https://wiki.openwrt.org/doc/howto/vpn.openvpn
16:17 < Conder> signo-: yeah, thx. by the way, do you know how is this feature called in router specifications?
16:24 < signo-> Condor: Not sure what you mean. It should usually be referred to as OpenVPN or OpenVPN tunnel
18:07 < |Mike|> re! :)
18:08 < Eugene> Anybody dealt with a SOC2 audit, in regards to OpenVPN?
18:08 < Eugene> $CLIENT is going through one, and I'm not sure what to expect
18:09 < |Mike|> are you running 2.4.1? :)
18:11 < Eugene> Great question! I offloaded all of that nonsense to pfsense, heh
18:12 < Eugene> Last time I did a PCI Audit, they sent me a list of CVEs that their scanner spat out. I returned a list of RHEL/CentOS update changelogs. That was it
18:12 < |Mike|> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7478
18:12 <@vpnHelper> Title: CVE - CVE-2017-7478 (at www.cve.mitre.org)
18:12 < Eugene> (no, our SSHd is not vulnerable to a weird decrypt vuln in ssh1. Because that is turned off, you retards)
18:12 < |Mike|> Things like that might pop up.
18:13 < |Mike|> I've had an qualys audit a few years ago. Heaps of work and yes as you mention above, we had to send a complete list back with updates and changelogs (backports - debian ) etc. etc.
18:13 < Eugene> Rephrasing: anything specific to SOC2 I should care about?
18:14 < Eugene> Looks like we're on 2.3.14
18:14 < Eugene> Sigh
18:14 < |Mike|> I feel a shitstorm coming hehe
18:14 < |Mike|> 2.3.15 and 2.4.2 aren't vulnerable ^^
18:15 < Eugene> I haven't looked too hard at pfsense packaging, but I suspect clicking the Update button will fix this
18:15 < Eugene> It mostly Just Works so I leave it alone
18:19 < |Mike|> surfnet, dat is oud!
18:19 < |Mike|> Eugene: is it an complex setup?
18:24 < Eugene> Fairly. Two main "Hub" servers, with user-access(AD/LDAP connector) and site-to-site listeners on each. 6 office/sites, plus a bunch of Azure IPsec remote endpoints
18:24 < Eugene> No dynamic routing, thankfully
18:32 < |Mike|> ahhh, I understand why you don't click on the "Update" button ;-)
19:09 < Eugene> Indeed. Even with HA at the hub & site nodes it is still a giant pain in the ass to keep everything in sync
19:09 < Eugene> But.... if you don't touch it, everything works fine
22:03 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:12 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:12 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Tue Jul 25 2017
03:04 -!- Vampire0_ is now known as Vampire0
05:57 -!- r00t^2_ is now known as r00t^2
07:32 < |Mike|> Eugene: good luck with the compliance :-)
07:37 -!- |Mike| [~mike@178.255.49.239] has quit [Remote host closed the connection]
08:11 < htd> hi, I am trying to use pam_access.so to skip OTP auth from a certain IP, in syslog I now have "access denied for user `htd' from `openvpn'" - shouldn't there be the IP in the "from 'openvpn'" part instead of openvpn?
08:11 < htd> using v2.4.3 on the server side
08:28 < htd> meaning that openvpn does not pass the IP address to the pam-module, is that expected behaviour?
08:33 <@ecrist> htd: you'd have to look at the source for the plugin architecture
08:33 <@ecrist> I'm not sure that it does pass the IP address.
08:37 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Excess Flood]
08:38 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
08:38 -!- mode/#openvpn [+v RBecker] by ChanServ
08:49 -!- |Mike| [~mike@178.255.49.239] has joined #openvpn
08:52 < |Mike|> Hm, I'm having an issue after upgrading to 2.4.0
08:52 < |Mike|> the /etc/openvpn/ directiry contains client/ and server/ and obviouslyu in the previous version it only was using /etc/openvpn
08:53 <+hyper_ch> fail to see how that's related to 2.4
08:53 <+hyper_ch> and 2.4.3 is current version
08:54 < |Mike|> not on Debian Stretch imho. You know debs
08:54 < |Mike|> the config_dir is set to /etc/openvpn/
08:54 <+hyper_ch> so?
08:54 <+hyper_ch> that's been the case on debian for a long time
08:54 <+hyper_ch> still fail to comprehend what your (perceived) problem is
08:55 < |Mike|> starting it through the system tools (e.g init.d) it's not getting a config
08:55 <+hyper_ch> systemd start openvpn@[configname].service
09:03 < |Mike|> I'm not familair with systemd; Excess arguments.
09:06 < htd> ecrist: indeed it doesn't look like it sets PAM_RHOST anywhere
09:07 <@ecrist> |Mike|: you'll have to talk to the package maintainer, it seems
09:08 <@ecrist> htd: you could probably add that functionality easy enough.
09:09 < |Mike|> Seems so... Lets give it a go with 2.4.3 from backports instead :-)
09:11 -!- |Mike| [~mike@178.255.49.239] has quit [Read error: Connection reset by peer]
09:13 <+hyper_ch> apt-get build-dep openvpn
09:13 <+hyper_ch> download package
09:14 <+hyper_ch> unpack
09:14 <+hyper_ch> ./configure
09:14 <+hyper_ch> make
09:14 <+hyper_ch> make install
09:18 -!- |Mike| [~mike@178.255.49.239] has joined #openvpn
09:19 < |Mike|> Issue solved after installing OpenVPN 2.4.3 from Stretch backports =)
09:30 -!- |Mike| [~mike@178.255.49.239] has quit [Quit: leaving]
09:38 -!- |Mike| [~mike@178.255.49.239] has joined #openvpn
10:39 <@dazo> hyper_ch: no no no ... not openvpn@[configname] ..... openvpn-server@[configname] or openvppn-client@[configname] .... depending on where the config is located /etc/openvpn/{client,server}
10:40 <@dazo> there is a slight distinction in how openvpn is being started, depending on the capabilities it needs for the client or server profile
10:40 <@dazo> |Mike|: ^^^
10:40 <@dazo> |Mike|: feel free to grab me when it systemd related
10:43 <@dazo> |Mike|: otherwise .... journalctl --since today -u openvpn-{client,server}@$CONFIGNAME  should also help you pin-point issues .... as well as systemctl status openvpn-{client,server}@CONFIGNAME
10:44 <@dazo> another important detail .... the openvpn-{client,server}@.service unit files should be what we maintain in the OpenVPN community .... the openvpn@.service (and openvpn.service) unit files are maintained by the package-maintainers; whom on the Debian side of things tries to simulate how the old init.d script worked ... which works poorly in most cases
10:45 <@dazo> the openvpn-{client,server}@.service unit files also makes use of a better systemd integration in OpenVPN, in regards to process management and monitoring - which the old distro maintained unit files often does not make use of at all
11:12 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
11:14 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
11:14 -!- mode/#openvpn [+o krzee] by ChanServ
11:15 -!- rax-Y is now known as rax-
11:56 < gtt> I'm under a vpn inception
11:56 < gtt> three layers deep
11:56 < gtt> vpn within vpn within vpn
11:56 < gtt> I'm afraid going one more will turn the whole thing unstable
13:27 -!- dionysus70 is now known as dionysus69
15:17 < redrabbit> vpn-lol
15:32 < havoc> and the provisioning script is done!
15:49 < |Mike|> dazo: thanks, issue has been solved by upgrading to 2.4.3 from Debian backports
15:50 -!- |Mike| [~mike@178.255.49.239] has quit [Quit: leaving]
15:51 -!- |Mike| [~mike@178.255.49.239] has joined #openvpn
17:19 < havoc> well, bash skills are returning
18:14 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 255 seconds]
18:20 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
18:20 -!- mode/#openvpn [+o dazo] by ChanServ
19:50 <@ordex> gtt: be careful when you wake up!
22:03 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:12 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:12 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Wed Jul 26 2017
00:11 < kevr> http://sprunge.us/GbaO <= ?
00:39 -!- svm_invi_ is now known as svm_invictvs
01:19 <@ordex> kevr: the -1 looks weird
01:19 <@ordex> can you paste yor config ?
01:19 <@ordex> !configs
01:19 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
01:28 < madsage> America is GREAT Again
01:28 < madsage> warez krazy at
01:30 < madsage> !maga
01:42 <@ordex> hm
02:53 < vishesh92> Hi. I wanted to know how can I push routes based on the user connecting to VPN?
02:54 <@ordex> !ccd
02:54 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
02:54 <@ordex> vishesh92: ^^^
02:54 < vishesh92> thanks ordex
04:23 -!- pizzaops_ is now known as pizzaops
04:24 -!- nitdega_ is now known as nitdega
04:28 -!- dvl_ is now known as dvl
04:28 -!- vectr0n_ is now known as vectr0n
07:29 <@krzee> looks like we should get a influx of !obfs questions from russia soon
07:29 <@krzee> http://thehackernews.com/2017/07/russian-ban-proxy-vpn-tor.html
07:29 <@vpnHelper> Title: Russia Bans Proxy Services And VPNs To Purge Extremist Content (at thehackernews.com)
07:31 <+hyper_ch> !obfs
07:31 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols, or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation, or (#3) in client/server mode an admin can know that openvpn is being
07:31 <@vpnHelper> used. in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
07:31 <+hyper_ch> :)
07:31 <+hyper_ch> hi mr. krzee
07:32 <@krzee> hola
07:33 <+hyper_ch> hablas esapñol?
07:33 <+hyper_ch> btw, seen my little repo to generate configs and also according packges you can use in phones ?
07:34 <+hyper_ch> it's way more basic then your confgen tool :)
07:37 <@krzee> lol the confgen i forgot about that
07:37 <@krzee> !forget confgen
07:37 <@vpnHelper> Error: 3 factoids have that key.  Please specify which one to remove, or use * to designate all of them.
07:37 <@krzee> !confgen
07:37 <@vpnHelper> "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/, or (#3) you must run this in bash
07:37 <@krzee> !forget confgen *
07:37 <@vpnHelper> Joo got it.
07:38 <@krzee> and no, but i also dont have an iphone
07:40 <+hyper_ch> why did you make the bot forget confgen?
07:41 <@krzee> hella outdated
07:42 <+hyper_ch> and why do you revert to an iphone?
07:42 <@krzee> oh whoa i thought you said iphones lol
07:42 <+hyper_ch> nah :)
07:43 <+hyper_ch> I have never owned an iphone, ipad, ipod, imac
07:43 <+hyper_ch> but since yesterday I know someone with an iWatch (or wahtever it's called)
07:44 <@krzee> just planted a fig tree, a red cashew tree, a starfruit tree, some dragonfruit,and some other stuff
07:44 <@krzee> :d
07:44 <@krzee> :D
07:45 <+hyper_ch> krzee: https://github.com/sjau/sipGenVPN  very simple.. first I started off with tar creation for snom and yealink and then I though I could also add linux, windows, android, and server versions
07:45 <@vpnHelper> Title: GitHub - sjau/sipGenVPN: Small collection of bash scripts to create client config files for SIP hard- and softphones (at github.com)
07:45 <+hyper_ch> cashew is grown on trees?
07:45 <+hyper_ch> and what's a a starfruit?
07:46 <+hyper_ch> hmm, Carambola.... don't think I've ever seen that before
07:46 <@krzee> starfruit = carambola
07:46 <+hyper_ch> and I thought cashew nuts originate in the supermarket :)
07:46 <@krzee> cashew grows on trees often with a fruit (in the case of my new tree its a red fruit, but i already have a yellow cashew tree too
07:47 <@krzee> fun fact, cashew and mango and poison ivy are all relatives
07:47 <+hyper_ch> I like mango and cashew
07:47 <+hyper_ch> not so much poison ivy
07:47 <@krzee> and if you crack open the cashew nut you'll get a poison-ivy like oil all over yourself and will itch like hell
07:48 <@krzee> and if you trim back a mango tree and get its sap on you, often the same reaction
07:48 <+hyper_ch> so you're midly masochistic since you planted such a a tree?
07:48 <@krzee> nah i know how to deal with them
07:51 < havoc> krzee: nice, our friends have a farm in Khon-Kaen with such things
07:52 < havoc> with like 7 diff varieties of avacado too
07:52 <@krzee> i have 3 variety of avacado
07:52 <@krzee> and 3 of mango
07:53 <+hyper_ch> avocado is just a hipster fruit :)
07:53 < havoc> but for a commercial crop, it's in demand
07:53 <@krzee> no way, avacado is great
07:54 <@krzee> guacamole <3
07:54 <+hyper_ch> hipster!!!
07:54 <+hyper_ch> it's very poplar currently
07:54 <@krzee> i been loving avacado since long before hipsters were a thing
07:55 <+hyper_ch> next thing you'll plant a chia tree :)
07:56 <@krzee> CHA CHA CHA CHIA
07:56 <+hyper_ch> (if it was a tree)
07:56 < havoc> krzee: got my provisioning working (so far), with locking even
07:57 < havoc> and assigning "static" IPs via ccd, but still using nsupdate
07:58 <@krzee> nice
07:58 < havoc> lots of scripts, lots of calls to ipcalc ;)
07:59 < havoc> but bash skills are returning; I could have had it done quickly in perl, but want to reduce deps
07:59 <@krzee> awesome
07:59 < havoc> figured out how to parse the output line by line of ipcalc and stuff it in a hash
07:59 < havoc> which is trivial, for me, in perl, a little trickier in bash ;)
08:00 < havoc> also a lot of <<< redirection to avoid sub-shells
08:01 < havoc> anyway, it works :)
08:01 <@krzee> maybe you wanna show me?
08:01 < havoc> sure, hang on
08:02 < havoc> preferred pastebin?
08:02 < tangarora> I have configured openvpn client on a server that I intend to share the tunnel with other hosts on. However, even if I am on the server via ssh, it only woutes stuff the normal way... how can i make the traffic go through the tun0 instead of ens1?
08:02 < tangarora> routes... sorry
08:03 <@krzee> 0bin.net or any
08:03 <+hyper_ch> couldn't find a website with fqdn "any"
08:04 < tangarora> can I put anything in the vpn client file in /etc/NetworkManager/system-connections ?
08:05 <@krzee> !redirect
08:05 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
08:05 < tangarora> Like a directive to say: hey. Route traffic through me.
08:05 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
08:05 <@krzee> !ping
08:05 <@vpnHelper> pong
08:05 <@krzee> !netman
08:05 <@vpnHelper> "netman" is (#1) NetworkManager usually works fine, but can have some challenges in som env, or (#2) Ensure you run a reasonably recent NM version, or (#3) NM is aimed at client configurations and requires a logged in user session and is sensitive to instable unstable networks, or (#4) If OpenVPN works from the command line but not NM, go to #nm or https://wiki.gnome.org/Projects/NetworkManager
08:05 <@krzee> grrr bot seems to be on a bad server
08:06 < tangarora> krzee, let me read all that and try.. thank you
08:09 < tangarora> krzee, so can I add the --redirect-gateway in the vpn config file directly then?
08:10 < tangarora> google was not clear on that...
10:42 < seanBE> anybody have any experience with pritunl?
11:10 < havoc> now I have to figure out how to recycle IPs on this static IP setup
11:10 < havoc> joy
11:11 < havoc> can bash export data structures to a file that can be later source'd?
11:11 < havoc> source'd, modified, re-exported
11:11 < havoc> then a simple hash or address=hostname would be good enough
11:12 < havoc> times 2,000
11:12  * havoc gets to the gargler
11:14 < havoc> I could just dump to a plain file, and read in
11:17 < Pricey> I'm on 2.4.3 on LEDE and seem to be hitting something identical to https://community.openvpn.net/openvpn/ticket/209 - the client just waits and gives up eventually with "reconnecting no push-reply". Any ideas?
11:18 <@ordex> Pricey: does the client work fine at least once ?
11:19 < Pricey> ordex: Yes, it's during reconnections.
11:19 < Pricey> ordex: If I restart the server and then trigger a reconnect on the client, it works first time.
11:19 <@ordex> Pricey: because there is a timer to avoid to send push-reply more than once in a row
11:19 <@ordex> therefore if it works, then you immediately disconnect and reconnect
11:20 <@ordex> you may hit this situation
11:20 < Pricey> The client is openvpn for android 0.6.73
11:20 < Pricey> ordex: Oh ok, is that option configurable?
11:20 <@ordex> Pricey: no. it's just to prevent several push-reply being sent
11:20 < Pricey> And this would act over minutes?
11:20 <@ordex> but if the client reconnect once after some time
11:20 <@ordex> it should just work
11:20 <@ordex> mhh dunno, need to check
11:21 <@ordex> I mean, if the client connects, everything works and the client stay online, say 10 minutes and then reconnects, it should work just fine
11:21 < Pricey> Waiting 10 minutes is a little sucky on a phone, ideally I'd like a way to reduce that timeout.
11:22 <@ordex> 10 minutes was just a number
11:22 <@ordex> what I am doing now is trying to understand your case :)
11:22 < Pricey> Sure, but it seems to be closer to 10 minutes than 10 seconds :)
11:23 < Pricey> The client spins for 2 minutes before giving up and reinitiating a connection.
11:23 <@ordex> ok
11:23 <@ordex> then there might be something else
11:23 <@ordex> the timeout is 30 seconds
11:23 < Pricey> And even then, the new connection spins.
11:23 <@ordex> can you provide the logs ?
11:23 <@ordex> !logs
11:23 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
11:24 < Pricey> I'll give it a go. Will take a while until it happens :) Thanks for confirming it's not a known bug at least!
11:25 <@ordex> np!
13:19 < entourage> what is(are) the differens(es) between OpenVPN 2.4.3-I601 and OpenVPN 2.4.3-I602 the change log doesn't say??
13:19 <+hyper_ch> 1
13:20 < entourage> no that's your IQ
13:20 <+hyper_ch> that was never disputed
13:22 < skyroveRR> lol
13:27 < Eugene> entourage - https://github.com/OpenVPN/openvpn. `git log release/2.4 v2.4.3`
13:27 < Eugene> See also the -devel channel
13:33 < entourage> Eugene: thanks but I don't find a change log there
13:34 < Eugene> .....you need to examine the commit history
13:34 < Eugene> I'm not going to spoon-feed you a list
15:13 <+s7r> suddenly the DNS doesn't work on my android, but on windows it works (same openvpn server) push dhcp-option DNS is not pulled by the android client
15:13 <+s7r> the vpn server is also the DNS server, it has a local caching name resolver installed
18:24 < Eugene> s7r - to ask a dumb question: have you tried turning it off and back on again? Android's DNS resolver can be finicky
18:37 <@plaisthos> s7r: both android clients accept push dns
21:21 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 276 seconds]
21:27 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
21:27 -!- mode/#openvpn [+o dazo] by ChanServ
22:21 <@ordex> does anybody know how to tell journalctl to print the entire lines and not trim them ?
22:22 <@ordex> ah it adapts to the width of the screen ..
22:30 < thumbs> ordex: set the SYSTEMD_PAGER ?
22:30 <@ordex> ah yeah i could od that too
22:30 <@ordex> thanks
22:30 < thumbs> or whatever those donkeys decided to call that variable.
22:31 < thumbs> (apparently, PAGER isn't simple enough)
22:31 <@ordex> lol
23:12 -!- ketas is now known as ketas-
--- Day changed Thu Jul 27 2017
07:55 <@ecrist> systemd sucks.  I don't like it, and nobody is going to convince me to like it.
07:57 < DArqueBishop> It doesn't like you either.
07:57 <@ecrist> fuck you
07:57 < DArqueBishop> :-)
08:01 < havoc> ecrist: agreed :)
08:33 <@ordex> ecrist: <o
08:33 <@ordex> ecrist: what distro do you use ?
08:33 <@ecrist> FreeBSD isn't a distro.  It's real unix.
08:34 <@ordex> ah
08:34 <@ordex> nah I like linux :P
08:35 <+hyper_ch> isn't freebsd just another linux distro?
08:36 -!- hyper_ch was kicked from #openvpn by ecrist [gtfo]
08:36 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
08:36 -!- mode/#openvpn [+v hyper_ch] by ChanServ
08:36 <@ordex> hyper_ch: :O
08:39 <+hyper_ch> I assume that was a yes
08:46 <@ordex> lol
08:47 <+hyper_ch> ordex: well, people only tend to use such actions if they see they are wrong and the other party is right :)
08:47 <@ordex> :D
08:48  * ecrist changes hyper_ch's hostmask to @openvpn/troll/gtfo
08:57 < DArqueBishop> I think I'd be more likely to imitate my uncle.
08:57  * DArqueBishop points at hyper_ch and screams, "OUT!!! OUTTTTTT!!!!!!!!!!:
09:02 <@ordex> I don't really understand https://community.openvpn.net/openvpn/wiki/UnprivilegedUser - something looks weird
09:02 <@vpnHelper> Title: UnprivilegedUser – OpenVPN Community (at community.openvpn.net)
09:03 <@ordex> Eugene: u there ?
10:48 < _AxS_> hey all .. i'm trying to find some information about running multiple openvpn servers in a failover / HA type configuration.  I've got two gateways that are already providing failover for a particular interface/ip, and openvpn is running on each instance.  Right now when the gateways failover the client needs to reconnect due i think to the fact that nothing about openvpn state is being shared between servers.  Is helping to force client reconnects the
10:48 < _AxS_> only way to do this or is there a way to sync the state of one openvpn daemon to another?
11:03 <@ordex> _AxS_: openvpn by itself can't sync .. unless there is some plugin
11:03 <@ordex> _AxS_: but even if the two were sharing the info, wouldn't you need to disconnect from one IP and connect to the other ?
11:05 < _AxS_> ordex: no because the ip remains consistent.  TCP connection state is already preserved across the virtual interface between gateways (didn't look into udp but i assume the same would be true for whatever 'state' there is there), its just that openvpn's internal states aren't.
11:05 <@ordex> _AxS_: please make me fully understand your setup
11:05 <@ordex> you have 2 gateways
11:05 <@ordex> they have 1 uplink connection each
11:06 <@ordex> and on each of them you have an openvpn server running ?
11:07 < _AxS_> ordex: sure.  I've got two pfSense boxes (the gateways) using CARP to create a single virtual interface with the WAN ip that everything uses.  This interface stays up and the gateways synchronize state between eachother so that when one gateway fails/goes down, the other takes over seamlessly.
11:07 <@ordex> oh ok
11:07 <@ordex> so they share the IP and everything
11:07 <@ordex> so they are seen like one Gw only from the LAN side
11:07 <@ordex> correct ?
11:08 < _AxS_> correct.
11:08 <@ordex> but of course, they run 2 distinct instances of openvpn
11:08 < _AxS_> Currently I'm also running openvpn servers on both gateways as well.  I -could- run it on some box behind the gateways and everything would work seamlessly, but its easier to run two openvpn servers (one on each gateway).
11:08 < _AxS_> exactly yes.
11:08 <@ordex> yeah, having it on one box behind would be easier
11:09 <@ordex> yeah, not sure there is anything that could help you with that
11:09 < _AxS_> its quite possible that there isn't a way to do what i'm looking for yet.  I did see a bunch of stuff talking about HA / failover with openvpn-as , but I don't know if clients still need to reconnect in that scenario
11:09 <@ordex> dunno about openvpn-as
11:10 <@ordex> but i doubt it really keeps all the sessions in sync
11:10 < _AxS_> that's just the google hits i foudn.  setting it up seems to be more about synchronization of user databses and so forth, didn't seem to talk at all about state
11:10 < _AxS_> s/foudn/found/
11:10 <@ordex> do handle such a failover seamlessly you'd need both the instances to know about the keys being exhcnaged during the tls handshake
11:10 <@ordex> *to handle
11:11 < _AxS_> ordex: exactly yeah..  i figure since this is a master/slave scenario i'm looking at, there might be a way for the master openvpn to transmit that state info to the slave.
11:11 <@ordex> nice to have :) but I don't think there is anything in the openvpn code right now
11:12 < _AxS_> sweet, thanks for confirming!  I'll just push keepalive timeouts a lot lower for now
11:12 <@ordex> just thinking how you could solve this differently
11:13 <@ordex> how do the two boxes talk to each other ?
11:13 <@ordex> they have also a direct link?
11:13 <@ordex> with dedicated IPs there ?
11:13 < _AxS_> ordex: they have a dedicated direct link, private network.
11:13 <@ordex> mh
11:14 <@ordex> but the problem is that after the failover the traffic will go to the new GW
11:14 <@ordex> because of the virtual interface taking care of that ...
11:14 <@ordex> mhhh and this will break
11:14 <@ordex> ok
11:14 < _AxS_> yep.  most often the failure would be caused by the box going offline, it would be rare for the wan link to die on just one box
11:14 <@ordex> I was thinking that maybe traffic directed to the VPN port could be redirected to the old GW and then back to the new one
11:15 <@ordex> oh ok
11:15 <@ordex> then my statement is nonsense
11:15 <@ordex> :)
11:15 <@ordex> but it would bea very nice feature i think :)
11:29 < _AxS_> ordex: ... an openvpn client only connects to one remote at a time, right?  it can't be set to load-balance by connecting to two concurrently?
11:29 <@ordex> correct
11:29 <@ordex> it can't
11:30 <@ordex> but you can setup two openvpn client instances
11:30 <@ordex> and then do something with the 2 interfaces you get
11:30 <@ordex> like bonding
11:30 <@ordex> (never tried with 2 tun interfaces)
11:31 < _AxS_> ... hm.  that sounds like it would be tricky to deal with on all the platforms I expect will be connecting.
11:31 < _AxS_> BUT, that might be a feasible option for a couple of site-to-site connections..
11:31 <@ordex> I agree about the platform problem
11:32 <@ordex> I just said that becausre this sounds more like a problem that should be solved outside of openvpn, not inside
11:32 <@ordex> anyway, bbl
11:32 < _AxS_> ordex: *nod*.  thanks!
12:51 < fatman1683> Hello, is anyone able to help me troubleshoot a site-to-site setup with openswan?
12:58 < _AxS_> i can help troubleshoot a site-to-site setup, but i haven't used openswan
12:59 < _AxS_> i assume tho it exposes most of the same configuration bits?
13:03 < DArqueBishop> fatman1683:
13:03 < DArqueBishop> !notovpn
13:03 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
13:09 < fatman1683> @DArqueBishop stipulated, but the openswan channel is totally dead, figured someone here might've worked with it before
13:13 < _AxS_> fatman1683: we can't help you set up openswan, but if you've got openvpn configured and as far as you can tell everything should be working but isn't, we (i at least) can probably help with the openvpn debugging.
13:13 < _AxS_> fatman1683: so, step 1 -- do you have a working tunnel, at all?
13:14 < _AxS_> actually, step 0 -- one side is openswan, what's the other side?
13:15 < fatman1683> Trying to do it with openswan on both sides
13:15 < fatman1683> and the tunnel isn't coming up
13:15 < _AxS_> ok.  do you have logs?
13:15 < fatman1683> yeah here's the pertinent bit:
13:15 < fatman1683> Jul 27 17:55:24 ip-172-30-1-137 pluto[29227]: "bzprod-to-breezyci" #2: no suitable connection for peer '192.168.0.235' Jul 27 17:55:24 ip-172-30-1-137 pluto[29227]: "bzprod-to-breezyci" #2: sending encrypted notification INVALID_ID_INFORMATION to 52.24.146.164:500
13:17 < _AxS_> fatman1683: i think that means you have 'verify-x509-name' or whatever the old equivalent is in the config, but it doesn't match the name on the cert (or CA)
13:17 < fatman1683> No certs in this config, strictly PSK
13:18 < fatman1683> I'm going back over my configs now, been fiddling with them for a few hours
13:18 < fatman1683> so starting over
13:18 < _AxS_> fatman1683: do you happen to have access to the raw config files?  if you can get a shell you should be able to find via 'ps' what the path is to the config file openvpn uses
13:20 < fatman1683> _AxS_ I'm going to try starting over with clean configs and see where that gets me
13:20 < _AxS_> ...also are you testing this on local networks?
13:21 < fatman1683> no, this is a site-to-site between two LANs
13:21 < _AxS_> is this actually openvpn you're using?  i don't know what 'pluto' is
13:22 < _AxS_> pluto is ipsec.  we can't help you with that here
13:32 < fatman1683> Ok, thanks for trying
13:35 < _AxS_> fatman1683: try ##networking , that might be your best bet for random help
13:35 < fatman1683> Thanks
16:14 < Knyaz> hello. are there routers that support openvpn
16:14 < Knyaz> ?
16:14 < Knyaz> I want a separate vlan and connect it to my openvpn server
16:14 < Eugene> pfsense-branded routers(sold by Netgate) have openvpn built-in, and are generally great pieces of hardware
16:14 < Knyaz> from the router
16:39 < DArqueBishop> Also, LEDE has OpenVPN support.
17:26 < redrabbit> why is comp-lzo enabled on the defaults examples
17:26 < redrabbit> ?
17:26 < redrabbit> trying to get better perfs over tcp/443
17:26 < redrabbit> if anyone have suggestions
17:34 < redrabbit> is mtu-disc client side only?
17:40 < redrabbit> ah, linux only
17:43 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Write error: Broken pipe]
17:43 -!- frank-- is now known as thumbs
17:43 -!- madduck_ is now known as madduck
17:44 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
17:44 -!- mode/#openvpn [+o vpnHelper] by ChanServ
17:46 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 247 seconds]
17:49 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
17:49 -!- mode/#openvpn [+o syzzer] by ChanServ
18:23 -!- dionysus70 is now known as dionysus69
18:57  * |Mike| yawn
19:03  * Eugene stuffs a sock in the open mouth
19:04 < |Mike|> Eugene: how did the test go?
19:05 < Eugene> ?
19:06 < |Mike|> qualys ^^
19:09 < Eugene> Oh the SOC audit? Have not heard back and I'm going on vacation next week #yolo
19:11 < |Mike|> oic! Where are you oging?
19:11 < |Mike|> going
19:14 < Eugene> Moving! Going from Ballard to Vashon Island, settling into a nice house with a yard
19:18 < |Mike|> /wi/awa
19:19 < |Mike|> Moving doesn't sound like holidays jmo :-P
19:20 < Eugene> "not going to work for a week" doesn't have the same ring to it
19:21 < |Mike|> I agree and understand :-D
19:21 < |Mike|> I'm having my first 5 days off since 01/01/2017
19:21 < |Mike|> starting tomorrow as well
19:22 < Eugene> Contractually I have 20 days per calendar year. I don't take all of them, but this is a 80% remote job anyway, soooooo whatever
19:22 < Eugene> RIP pants
19:22 < |Mike|> 20?! geez
19:22 < Eugene> It also pays about half the market rate
19:22 < |Mike|> it's quite common to have 25-30'ish in the EU nowadays
19:24 < Eugene> In the US salaried employees average 10 days, and often more individual days are uncounted based upon your workplace(Office jobs. Retail lol ur fukt)
19:25 < Eugene> So its comparatively high. I don't feel like burnout is a concern for me, but thats because I don't wake up until 8AM, and my commute consists of hunting the laptop under the couch
19:25 < Eugene> "Meh"
19:25 < Eugene> I need a real job
19:25 < Eugene> Or else I'll never become an adult
19:56 < mattfly> hi
19:58 < mattfly> how to tell in a ovpn file for the user to connect to a onion server?
20:00 < Eugene> AFAIK openvpn does not support pushing proxy settings to a client as a dhcp-option. So you can't.
20:01 < mattfly> no?
20:01 < mattfly> i can connect to a proxy???
20:02 < Eugene> I don't understand your question.
20:03 < mattfly> in the client side it is not possible to connect to a vpn that has a onion url?
20:03 < mattfly> that is running openvpn as a server...
20:15 < Eugene> Ahhhh
20:15 < Eugene> !man
20:15 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
20:16 < Eugene> --http-proxy is the option you want
20:16 < Eugene> Or --socks-proxy, if thats how it is being presented
20:16 < Eugene> Your provider should have an example configuration
23:15 <@ecrist> sup bitches?
23:16 < skyroveRR> I didn't know there were bitches in this channel.
23:17 <@ecrist> well, if you don't know who the bitches are, you are the bitch(es)
23:17 < skyroveRR> heh
23:50 -!- rudi_s_ is now known as rudi_s
23:56 <@ordex> ecrist: lol
23:56 <@ordex> good one :D
--- Day changed Fri Jul 28 2017
03:41 < BloqueNegro> hi all together :)
03:41 < BloqueNegro> i have a ovpn file which requires a password for the private key. any suggestions how to extract the private key, remove the password and 'recompile' the ovpn file?
05:08 <@ordex> BloqueNegro: I believe you can do that with openssl
05:09 <@ordex> BloqueNegro: I *believe* (not tried) that you can just do: openssl rsa –in encrypted.key -out decrypted.key
05:09 <@ordex> it will ask for the pass and in decrypted.ke you will find the key in clear that you can then copy in the openvpn configuration file
05:10 < BloqueNegro> ordex: the key does not start with ENCRYPTED RSA KEY
05:10 <@ordex> how does it ?
05:11 < BloqueNegro> -----BEGIN ENCRYPTED PRIVATE KEY-----
05:11 < BloqueNegro> i've never seen a key format starting with a string like that :/
05:12 < BloqueNegro> [brb]
05:13 <@ordex> BloqueNegro: honestly dunno, but I would just try to see what openssl says when trying to read it
05:18 < BloqueNegro> well, it throws angry error messages at me *g
05:20 < BloqueNegro> nevermind
05:21 < BloqueNegro> you really should not feed the whole ovpn file to openssl
05:21 < BloqueNegro> worked like a charm, thank you :)
05:22 < BloqueNegro> damn paranoid admins... using name, password and an encrypted keyfile
05:23 < BloqueNegro> resulting in saving name and password to disk and removing the password from the key
05:24 < BloqueNegro> and we learned today: security only works if it is convinient. entering three parameters (two of them passwords i cant set) to establish a vpn connection is bullshit
05:37 <@ordex> BloqueNegro: or better: the weak ring in the chain is made up by the user, not the system :-P
05:38 <@ordex> you have to create a solution that is convenient for him
05:38 <@ordex> :)
05:40 < BloqueNegro> if you want to attack a system, try to attack the users
05:40 < BloqueNegro> meatbags are full of bugs, easy to exploit
08:03 <@danhunsaker> ecrist: I dunno. How _are_ you?
08:04 <@ecrist> Peachy keen, jelly bean!
08:12 <@danhunsaker> Cool. So the bitches are alright, then.
08:14 <@danhunsaker> A wild lev__ appears!
08:14  * ecrist sees what you did there.
08:15 <@danhunsaker> ecrist: get this nick some permissions, plox? lev__ is working for The Man now. And by The Man I mean OpenVPN Tech.
08:16 < lev__> well, officially since 1.8
08:16 <@danhunsaker> Pfft. Sez you.
08:16 <@danhunsaker> But yeah, is actually acting like it finally.
08:17 <@danhunsaker> Showed up in the company chats and everything.
08:37 < cotty22> Hi.
08:37 < cotty22> What's the best curves and keysizes for EC?
08:41 <@ecrist> lev__: want an @openvpn/corp/dev__ host cloak?
08:42 <@ecrist> cotty22: bigger the better is a general rule of thumb for crypto
08:43 < lev__> ecrist: yeah, why not
08:43 <@ecrist> ok, expect a PM from a server oper shortly
08:43 < cotty22> ecrist: Yeah but that will affect performance especially for phones. Also there's many curves and I'm totally lost.
08:46 -!- lev__ [~lev@openvpn/corp/lev] has joined #openvpn
08:46 -!- mode/#openvpn [+o lev__] by ChanServ
08:47 <@ecrist> they don't allow __ in the cloak, so I had to drop them
08:47 < peterandre> cotty22, use this -> ECDHE-RSA-AES256-GCM-SHA384
08:48 <@ecrist> cotty22: modern smarts phones are already doing a TON of crypto, and I wouldn't be surprised if they're offloading to a crypto chip
08:49 <@ecrist> lev__: note that the openvpn/corp/* cloak automatically provides chanop privileges in a few of the openvpn-* channels
08:49 <@ecrist> -devel has to be earned, though. ;)
08:49 <@lev__> ecrist: ack
08:50 < cotty22> peterandre: what about generating server and client keys etc etc, not just the one used in config files
08:50 < cotty22> is there a guide or something?
08:50 < cotty22> ecrist: I agree
08:51 <@ecrist> cotty22: we have both EasyRSA and ssl-admin to help with that.
08:51 <@ecrist> I maintain both.
08:52 < peterandre> cotty22, try this one https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8
08:52 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Debian 8 | DigitalOcean (at www.digitalocean.com)
08:52 <@ecrist> or,
08:52 <@ecrist> !howto
08:52 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
08:52 <@ecrist> or,
08:52 < peterandre> use 4096 bit RSA
08:52 <@ecrist> !book
08:52 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
08:53 < rob0> oooh, you're famous!  And I knew you Way Back When!
08:53 < cotty22> I mean a guide for ECC with OpenVPN
08:53 < cotty22> is RSA better?
08:54 <@ecrist> http://page.mi.fu-berlin.de/rhschulz/Krypto/RSA_or_ECC.pdf
08:54 <@ecrist> !crypto
08:54 <@ecrist> !learn crypto as For a guide comparing ECC to RSA see http://page.mi.fu-berlin.de/rhschulz/Krypto/RSA_or_ECC.pdf
08:54 <@vpnHelper> Joo got it.
08:54 < cotty22> ecrist: Thanks I'll look at it
09:10 < cotty22> ecrist: it contained some info but none of them actually compares RSA to ECC
09:18 < cotty22> gotta sleep, see u tomorrow and thanks for everything
09:23 <@ecrist> the whole point of the PDF is to compare the two.
09:26 <@ecrist> !learn crypto as A speed comparison between ECC and RSA can be found at https://joneaves.wordpress.com/2004/04/18/ecc_and_rsa_speed_comparison/comment-page-1/
09:26 <@vpnHelper> Joo got it.
10:17 < xuumno> !welcome
10:17 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
10:17 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
10:51 < xuumno> I have a license, for 2 connections
10:51 < xuumno> I use it, one for pc, other for my phone
10:52 < xuumno> but my phone keeps saying: LICENSE: Acess server license failure: maxiumum concurrent_connections exceeded (2)
10:52 <@ordex> !as
10:52 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
10:52 <@ordex> xuumno: ^^
10:53 < xuumno> cheers
11:35 -!- optimus_prime is now known as xuumno
14:14 -!- dionysus70 is now known as dionysus69
15:18 < marlinc> Can I stop OpenVPN from creating the tap device specified in the config when it doesn't exist already? I'd rather it quits then tries to setup up the device itself as I have configured it in /etc/network/interfaces
15:22 < metaloxide> Hello folks, trying to connect to my companies sophos vpn and the sophos appliance provides me with a ovpn file but I get a bunch of can not add routes
15:51 -!- ikonia_ is now known as ikonia
18:18 -!- ptx0_ is now known as ptx0
19:09 < metaloxide> anyone around?
19:20 < metaloxide> Anyone around?
21:02 < redrabbit> is there a way to disable the effects of push "redirect-gateway def1 bypass-dhcp" from the client.config file
21:15 < redrabbit> that would be convininent
21:22 < redrabbit> "Just add "route-nopull" to the client openvpn config, then all pushed commands from the server are ignored"
21:23 < redrabbit> sweet
--- Day changed Sat Jul 29 2017
02:40 < hexhaxtron> In simple terms what is OpenVPN used for?
02:54 < rudi_s> hexhaxtron: Provide secure access to a network (e.g. hosts in a local network) from a remote location.
05:15 <@ordex> hexhaxtron: or just establish a tunnel between to LANs to emulate like they are phisically connected. I think there are thousands of use cases
05:25 < beatzz> !welcome
05:25 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
05:25 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
06:06 -!- dionysus70 is now known as dionysus69
06:42 < m0u> hi, i want to access a server on the VPN network that has the same IP as another one in the local network so when i try to connect to the one on the VPN network, i get the local one. I would like to avoid this behaviour. In openvpn-android this will be the option "Bypass VPN for local networks".
06:47 <@ordex> m0u: "Bypass VPN for local networks" sounds like the opposite
06:47 <@ordex> however, this is a problem that might be solved, but it's really something that should not happen at all
06:53 < m0u> ordex: yeah, but it is a checkbox
06:54 <@ordex> m0u: sure, but I don't think it would solve your problem, no? it sounds like the opposite effect
06:54 <@ordex> like "access a local machine without passing via the VPN
06:54 <@ordex> "
06:54 <@ordex> while you want to do the other way around, no ? you want to connect to the server behind the VPN, right ?
06:55 <@ordex> btw, wuthout talking too much .. have you tried adding a route for this IP ponting towards the VPN interface ?
06:55 < m0u> ordex: oh, i get you. True, maybe it doesn't work correctly on android even with the checkbox unchecked
06:55 <@ordex> the more specific route should take over anything else and directly send the traffic to the VPN
06:55 < m0u> ordex: no, that will do the work. Thanks!
06:55 <@ordex> of course I expect the vpn client ot be running on the same machine
06:55 <@ordex> np
06:55 <@ordex> :)
08:28 -!- czart_ is now known as czart
08:37 <@krzee> !echo hello world!
08:37 <@krzee> &echo test
08:38 <@krzee> !ping
08:38 <@vpnHelper> pong
08:38 <@krzee> !say test
16:29 -!- Bock is now known as Sauvin
19:58 < |subz3r0|> hi
19:58 < |subz3r0|> i compiled the newest version on a debian 9 system
19:58 < |subz3r0|> actually i dont have any init scripts to autostart openvpn on boot
19:58 < |subz3r0|> tried it with the given init.d script, but its not working as expected
19:58 < |subz3r0|> any ideas?
20:46 <@ordex> |subz3r0|: why not using openvpn from the backports, so you get the latest version on your deb9 ?
20:46 <@ordex> and you get all you need
23:08 -!- mundus2018 is now known as HalfEatenOut
23:09 -!- HalfEatenOut is now known as HalfBakedPie
23:16 -!- HalfBakedPie is now known as mundus2018
--- Day changed Sun Jul 30 2017
04:49 -!- Captain_Beezay is now known as |elcapitan|
04:49 -!- |elcapitan| is now known as Captain_Beezay
06:18 -!- czart_ is now known as czart
06:20 < czart> Once "build-key-pass" is to used with a certain "pass phase", can the "pass phase" be changed later on?
06:23 < czart> I've found something like this: https://www.linuxsysadmintutorials.com/change-the-passphrase-on-an-openvpn-key
06:23 <@vpnHelper> Title: Change the passphrase on an OpenVPN key - Linux Sysadmin Tutorials (at www.linuxsysadmintutorials.com)
06:39 <@ordex> czart: makes sense
06:39 <@ordex> that will basically decrypt and reencrypt the key
06:39 < czart> @ordex: OK. Thanks.
06:39 <@ordex> but I am not sure openssl would use des3 to encrypt the key normally
06:39 <@ordex> it sounds weird/old to me
06:39 < czart> Yeah, it may be old, it comes back to 2012.
06:40 <@krzee> !changepw
06:40 <@krzee> !changepass
06:40 <@ordex> try harder krzee !
06:40 <@krzee> !factoids search pass
06:40 <@vpnHelper> '2.1-winpass-script', 'authpass', 'change-passphrase', 'enable-passwd-save', 'password', 'password-only', 'redirect_bypass', 'strip-passphrase', and 'winpass'
06:40 <@krzee> !change-passphrase
06:40 <@vpnHelper> "change-passphrase" is see http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase
06:41 <@ordex> krzee: there is no other algo that can be used instead of des3 ?
06:41 <@krzee> to remove passphrase leave -des3 off
06:41 <@krzee> tried -aes?
06:41 < czart> OK, thanks, I will carry out experiments later.
06:41 <@krzee> (i dunno)
06:42 < Kryczek> czart: you could also have a private key kept in hardware such as a TPM or smartcard :)
06:45 < czart> Kryczek: That would be cool, but my scenario does not involve such hardware at the moment. I just want to generate client keys (give access to OpenVPN server) with e.g. random pass phrases, and allow the users to set their own pass phrases. That's why I asked about whether amendment can be done.
06:46 < czart> Definitely, I don't want them to keep private keys in plain :)
06:47 <@ordex> until they realize that typing the passphrase everytime is annoying and will decrypt it :P
06:47 < Kryczek> czart: what kind of devices are the clients using?
06:48 < czart> Kryczek: at the moment no similar devices to those you mentioned, just software.
06:49 < Kryczek> czart: no I mean is it laptops or smartphones or? :)
06:50 < czart> @ordex: laptops, and I believe it will not change drastically over time.
06:51 < Kryczek> czart: those laptops most likely already have a TPM, you might just have to enable/activate them in the BIOS :)
06:51 < Kryczek> czart: and in case they don't already have a TPM (unlikely) then they might still have a smartcard reader on the side like all our company laptops (several generations of Dell)
06:51 < czart> @ordex: you may use so-called mantra password, e.g.: "TheWeekendIsComing!@_@" or "PaymentIsComing!8-D". Users will not get annoyed when they are creative :)
06:53 < Kryczek> it depends how often you make them type a password and how often you make them change it
06:53 < Kryczek> in the last security audit I did, *50* different users all had the same password that was like "CompanyName2017"
06:53 < czart> Kryczek: yeah, I know, it will always be kinda of pain...
06:53 < Kryczek> czart: that's why I'm saying, if you can store the VPN keys in their TPM then it's even more secure and users will be happy :)
06:54 < czart> Kryczek: Certainly, I will make an investigation and if they have TPM on embedded on their boards, I will consider employing that feature :) Many thanks :)
06:55 < czart> Kryczek: Yeah, people are always the weakest point of security systems...
06:55 <@ordex> yeah
06:55 <@ordex> and sometimes hardening the system will result in the opposite effect
06:56 <@ordex> because users will try to defeat all the seacurity measures :D
06:56 < czart> @ordex: he he, sounds likely :)
06:56 < Kryczek> czart: you'll most likely have to use the PKCS11 API, which is a standard for communicating with Hardware Security Modules such as smartcards and TPMs (basically the TPM can be seen as a smartcard with extra features)
06:57 < Kryczek> something like this http://www.tunxten.com/blog/2012/06/04/openvpn-and-pkcs-11-security-tokens-smartcards
06:57 <@vpnHelper> Title: Blog (at www.tunxten.com)
06:57 < czart> Kryczek: Ah yeah, I remember PKCS11 in some configuration file when I was initially configuring the server. I was wondering what for it was.
06:58 < czart> Kryczek: Many thanks once more, I will take a look.
06:58 < Kryczek> not to confuse with PKCS12 ;) PKCS7 is also quite common... There's all kinds of PKCS, just a family of standards for various crypto things, "PKCS" is a bit like "ISO" in the sense that you have lots of ISO* things
06:59 < Kryczek> czart: happy to be of help
07:00 < czart> OK. I will take precautions to distinguish between PKC*, in the configuration file I found "PKCS11_MODULE_PATH", so it is pointing to PKCS11.
07:00 < czart> Kryczek: :)
07:02 < cotty22> Does it worth to use ta.key to harden the connection? Will it affect performance or only at login?
07:02 < Kryczek> cotty22: greetings
07:02 < cotty22> oh, sorry
07:02 < cotty22> HIIIIIIIIIIIIIIIIII
07:10 < cotty22> !welcome
07:10 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
07:11 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
08:45 <@ordex> Han: vpnHelper does not really understand what you want :-P
08:45 <@ordex> it's a way to ask you to express your goal clearly so other people can try to help
18:26 < Agro> hi there, i have 2 tun vpn configs i want to use. one of them uses `redirect-gateway def1` to redirect all my regular traffic to the vpn, and the other one just redirects traffic on a route like 10.14.22.0 (that i'm using to access a private network). i can use both separately, but i can't use the latter while the former is also enabled. is there any way to configure to route all traffic except to 10.14.22.0 through the first vpn?
18:30 <@krzee> !factoids search redirect
18:30 <@vpnHelper> 'redirect', 'redirect-policy', 'redirect_bypass', 'redirect_ignore', and 'redirect_ips'
18:30 <@krzee> !redirect_bypass
18:30 <@vpnHelper> "redirect_bypass" is (#1) route <ip> <netmask> net_gateway to to override --redirect-gateway for a certain subnet. note that net_gateway is internal to openvpn and should not be changed, or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
18:31 <@krzee> Agro: you want to make an exception for the public ip of the vpn server of the first vpn
18:31 <@krzee> you dont have to worry about 10.14.22.0
18:31 <@krzee> since you already have a specific route for that, it's fine
18:31 < Agro> oh
18:38 <@krzee> although i would think that you could run the redirect vpn first and everything would work (but your connection to the lan on second vpn would be slower as youd be routing through the redirect vpn)
18:40 <@krzee> and actually, even when starting them in the other order the lan vpn should reconnect if you used keepalive, and then should reconnect over the redirect vpn and work fine
18:41 < cotty22> Hi. Is 2048 RSA considered secure? And if I used HMAC firewall, will that decrease performance?
18:45 < Agro> krzee that works, thanks!
18:46 < Agro> i didn't realize that it was the traffic to the vpn server itself that i needed to prevent from being routed as opposed to the route i pushed from the 2nd vpn
18:46 < Agro> that makes sense
18:46 <@krzee> =] glad it helped
18:48 <@krzee> cotty22: ive never heard any complaints regarding performance with tls-auth, you may also enjoy the new tls-crypt instead (uses ta.key to encrypt the control channel instead of signing it with an hmac)
18:49 <@krzee> i think 2048 is still considered safe (assuming it was properly generated with plenty of entropy/randomness)
18:50 < cotty22> krzee: Thank you.
18:50 <@krzee> personally i use 4096 anyways
18:50 <@krzee> (or EC)
18:52 <@krzee> if you're concerned that stronger RSA will take too much CPU, try EC instead
18:52 <@krzee> i have voip phones that would go silent for like 5-10 sec while rekeying the vpn hourly... switched to EC and now its less than a second, barely a hiccup
18:53 < tpw_rules> https://community.openvpn.net/openvpn/ticket/848 can someone follow up on this? it's still not fixed
18:53 <@vpnHelper> Title: #848 (SOCKS5 Replies Parsed Incorrectly) – OpenVPN Community (at community.openvpn.net)
18:53 < tpw_rules> i can submit a PR if that would help
18:53 < cotty22> krzee: the problem with OpenVPN & EC is documentation and available curves
18:56 <@krzee> cotty22: did you try openvpn --show-curves ?
18:56 <@krzee> :D
18:56 <@krzee> it's gotten better in 2.4
18:56 < tpw_rules> that sounds inappropriate
18:57 <@krzee> tpw_rules: more likely to get results by pinging the trac ticket than the irc
18:57 < cotty22> krzee: I didn't try this command before, will see now
18:57 < tpw_rules> krzee: how do i do that?
18:57 <@krzee> respond asking how thats going?.
18:58 <@krzee> i just know the devs watch the trac more than here
18:58 < tpw_rules> ah ok
18:58 <@krzee> but the bug got accepted, thats a good thing
19:04 < cotty22> krzee: it has the same results as openssl -list_curves
19:04 < cotty22> most people at ##crypto don't consider this curves as safe
19:09 <@krzee> oh so you mean you're having a hard time deciding
19:09 <@krzee> ya thats tough, and a personal choice
19:09 < cotty22> yup
19:10 <@krzee> i decided to go with the curve they use with bitcoin... i figure if people figure that one out it'll probably be known before my stuff can possibly matter enough
19:10 <@krzee> hella millions of $ > me
19:10 < tpw_rules> what if they practice on you
19:10 < cotty22> what's the curve?
19:10 <@krzee> its google
19:10 < cotty22> what?
19:11 <@krzee> tpw_rules: wouldnt that be some bad luck lol
19:11 <@krzee> cotty22: google it dude
19:11 < cotty22> ok
19:14 < cotty22> oh so that's secp256k1
21:17 < cotty22> krzee: Did you use ECDH or normal DH?
22:11 -!- instantp10neer is now known as Guest22058
22:15 -!- instantp10neer_ is now known as instantp10neer
22:34 <@krzee> cotty22: if you use ec certs use ec dh
22:34 <@krzee> if you use rsa certs, use same size dh as your rsa certs
22:34 <@krzee> so like 2048 rsa certs should have dh 2048
22:35 <@ordex> krzee: morning
22:36 <@krzee> bongiorno
22:45 <@ordex> buenos dias
22:46 <@krzee> moinmoin
22:46 < skyroveRR> Morning.
23:23 < DMarby> Hi, I'm having some issues with a custom authentication plugin and deferred auth. For some reason when openvpn runs in daemon mode it doesn't work, possibly because it can't make http requests. Is there any particular difference to how openvpn treats plugins when ran as a daemon?
--- Day changed Mon Jul 31 2017
00:12 <@krzee> DMarby:
00:12 <@krzee> !trac
00:12 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker., or (#2) if you have a forum login, use that for trac, its the same database.
00:13 <@krzee> make a bug report and be very specific (like configs, logs or both ways, and the code of the plugin)
00:13 < DMarby> Alright, thanks :)
00:14 <@krzee> of both ways*
03:04 < beatzz> I've been reading articles and documents about openvpn
03:04 < beatzz> and it seems like maybe it can only be used as like... p2p?
03:05 < beatzz> or can it be used as an encrypted tunnel to the internet?
03:23 < eworm> you need at least two hosts to communicate with each other
03:23 < eworm> or a service provider that supports openvpn connectivity
04:21 <@ordex> beatzz: openvpn is just a tool creating a (encrypted) tunnel. it can work in p2p more as well as p2mp (clients-server). what happens on top it's up to the admin. openvpn is often used by vpn prvoviders to grant users access to the internet
04:25 < beatzz> :o thank you ordex and eworm
06:26 < canci> I have the following config for a server which should provide access to an L2 ethernet to clients https://pastebin.com/D6D25Bq6
06:26 < canci> the up script adds the tap-device on the server into the correct bridge which also has the server's ip configure
06:27 < canci> the issue I have now is that clients don't automatically receive an ip address. If I configure 100.100.100.150/24 or something on a client's tap, it all works perfectly
06:28 < canci> client config looks like this if it's relevant https://pastebin.com/H9KerY9A - anybody any hints what I'm doing wrong?
06:35 < canci> okay, I found the problem: while my setup doesn't need the settings, I still need to specify "ifconfig 100.100.100.1 255.255.255.0" in the serverconfig for it to push ips to clients
06:35 < canci> sorry for the noise :)
07:11 < Lorphos> !welcome
07:11 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
07:11 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
07:12 < Lorphos> !goal
07:12 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:12 < Lorphos> I'd like to use the public IP address of a VPS on a box inside my home network.
07:13 < Lorphos> Ideally I want to have an interface on the home box configured with the public ip address
07:13 < Lorphos> i made a post about it at https://forums.openvpn.net/viewtopic.php?f=6&t=24612
07:13 <@vpnHelper> Title: Forwarding all traffic to another host - OpenVPN Support Forum (at forums.openvpn.net)
07:15 <@ecrist> !def1
07:15 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
07:17 < Lorphos> that's the other way round, sending all client traffic to the server.
07:18 < Lorphos> what I want to do is sent all traffic directed at the server to the client (except for 1 maintenance port)
09:35 < coredumb> Good afternoon
09:35 < coredumb> I've a very basic static key setup for my android client
09:36 < coredumb> connection happens to work fine, but for some reason, traffic never gets back from the server to the client
09:37 < Kryczek> coredumb: have you checked with tcpdump or wireshark for example?
09:37 < coredumb> tcpdump -i tun0 shows all the traffic from the client coming in but no reply sent
09:37 < coredumb> Kryczek: yep
09:37 < Kryczek> coredumb: do you see the client's traffic leaving the gateway for the internet?
09:38 < Kryczek> it could be that you are missing the routing part :)
09:38 < coredumb> Kryczek: a simple ping doesn't work
09:38 < Kryczek> coredumb: that doesn't answer my question ;)
09:39 < Kryczek> coredumb: let's say for example you ping 8.8.8.8
09:39 < Kryczek> coredumb: the gateway receives ICMP Echo Request AndroidTunIP->8.8.8.8
09:39 < coredumb> yes i see that
09:40 < Kryczek> coredumb: can you see a ICMP Echo Request leaving the OpenVPN server for 8.8.8.8? For example through eth0
09:40 < coredumb> oh wait
09:42 < coredumb> but just pinging 10.8.1 should work
09:42 < coredumb> my server tun ip
09:43 < coredumb> so to answer ypur test it doesn't work
09:44 < Kryczek> coredumb: what do you get out of `cat /proc/sys/net/ipv4/ip_forward` ?
09:44 < coredumb> nothing that gets to 10.8.0.1 gets anywhere else
09:44 < coredumb> Kryczek: it's 1
09:44 < Kryczek> you ran tcpdump on the out interface?
09:44 < coredumb> Kryczek: both
09:45 < Kryczek> and no packet left for 8.8.8.8, at all?
09:45 < coredumb> but i mean, even without ip forwarding on server tun IP should be accessible
09:45 < coredumb> none
09:45 < Kryczek> not necessarily, depends on your firewall rules and if you disabled ICMP response in sysctl
09:46 < coredumb> no fw rules not sysctl option
09:46 < coredumb> nor*
09:46 < Kryczek> what IP does your client get?
09:47 < Kryczek> if it gets 10.8.0.6 for example try pinging 10.8.0.5
09:47 < coredumb> 10.8.0.2
09:47 < coredumb> server is 10.8.0.1
09:47 < coredumb> ping doesn't work in any way
09:48 < Kryczek> did you give the .2 IP to the client yourself? When I use OpenVPN the server is .1 but then I get funny point2point links like .5<->.6
09:49 < coredumb> Kryczek: as i said very basic setup with static key and single ip
09:49 < Kryczek> ah wait you said it was udp minihowto, right
09:49 < coredumb> yep the quick one :)
09:50 < Kryczek> coredumb: you correctly have IP addresses reverted on the ifconfig line for client and server?
09:50 < coredumb> sure
09:50 < Kryczek> like one should be "ifconfig 10.8.0.1 10.8.0.2" and the other "ifconfig .2 .1"
09:50 < coredumb> it's done by the android openvpn client though
09:51 < Kryczek> how do you mean? I give my android openvpn client my manually-written openvpn config files, just like for the server
09:52 < coredumb> yeah not in this client
09:52 < coredumb> but result is the same and is correct in this case
10:04 <@plaisthos> coredumb: that the client requires two ip addresses in that config is a bug
10:05 <@plaisthos> will be fixed in next version
10:06 <@plaisthos> oh sorry misread that
10:06 <@plaisthos> nevermind
10:15 < coredumb> still I wonder why I don't get any reply from my server's vpn IP
10:17 < Kryczek> coredumb: can your server ping the client?
10:17 < Kryczek> through the tunnel
10:19 < coredumb> ah now it works
10:21 < coredumb> I ping I mean
10:24 < coredumb> ok
10:31 < coredumb> Kryczek: rebooted my phone and my servers interface now works fine...
10:31 < coredumb> only I can't use the dns server on my server's vpn ip
10:32 < coredumb> have to debug this
10:41 < fomox> if I want to bridge my LAN network with my VPN i should bridge eth0, tun0(openvpn interface) to br0 (bridge), but then only the bridge should have an IP address, or should all three interfaces have one?
10:41 <@plaisthos> only the bridge
10:41 <@plaisthos> also see
10:41 <@plaisthos> !tap
10:41 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the
10:41 <@vpnHelper> protocol uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
10:41 <@plaisthos> !tun
10:41 <@plaisthos> !tunortap
10:41 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
10:41 < Kryczek> coredumb: sounds good :)
10:41 <@vpnHelper> rooted/jailbroken) support only tun
10:43 < fomox> thanks plaisthos. The problem is that I need access to printers and a windows share from a remote location on an Ipad and a Win pc, should I still use routing or is bridging okay?
10:44 < Kryczek> fomox: it should be doable (and would be better) with routing
10:44 <@plaisthos> ipad and brdiging will not work
10:44 <@plaisthos> so you have to use tun anwyay
10:44 <@plaisthos> see #5
10:45 < fomox> are you familiar with pivpn?
10:45 < fomox> ill read up on 5 btw
10:47 <@plaisthos> I meant #5 from tunortap
10:50 < fomox> oh okay
10:51 < fomox> but wont the tunnel make sure that the ipad is on the "Local network" where the openvpn server is if I bridge the vpn interface and the ethernet interface?
10:54 < DArqueBishop> fomox: iOS does not support bridging/tap, full stop.
10:55 < fomox> I know I am asking stupid questions now, what is the difference between a bridge and a tunnel?
10:55 < DArqueBishop> Windows shares are easily accessible via routing. If you need name resolution, use DNS/WINS. Otherwise, you can just use the IP address.
11:15 < canci> !tap
11:15 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the protocol
11:15 <@vpnHelper> uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
12:00 < coredumb> Kryczek: well I don't see it good that you can ping but not dns on the server IP when there's no FW
12:00 < coredumb> ;)
12:29 < Kryczek> coredumb: I meant good as in progress from the previous situation ;p
14:10 < coredumb> Kryczek: I wonder if it has ever worked...
14:10 < coredumb> Cause indeed to surf the web through the tunnel I have a NAT rule as well on the server
14:11 < coredumb> is the server then, supposed to be able to serve on its VPN internal IP?
14:12 < fomox> can I make a route that merges the 10.0.0.0-254 and 10.8.0.0-254 subnets?
14:14 < fomox> nvm i dont think this makes any sence
14:42 < coredumb> Kryczek: indeed the NAT messing with me
15:14 < alex88> Hi there :) I've setup an openvpn server at home, forwarded ports 53, 80, 443, 1194 from router to rPI port 1194 (just in case external wifi doesn't let connection on other ports) and everything kinda work.. the only issue is ipv6, as soon as i enable "openvpn for android" client on my phone
15:15 < alex88> ipv4 traffic works through the tunnel and I see my home ip as source, ipv6 however goes via LTE connection, is there a solution for this?
15:16 <@plaisthos> alex88: android version?
15:16 <@plaisthos> do you push ipv6 routes?
15:16 <@plaisthos> do you have the allow local lan opition checked?
15:18 < alex88> plaisthos: both 7.1.2 and 8.0.0 beta, on the client ipv6 connection I've enabled "use default route" which seems to add the "route-ipv6 ::/0" option
15:18 < alex88> about the local lan option you mean "bypass vpn for local networks"? If so, yes
15:19 < alex88> about server config, there is nothing regarding ipv6 because I would like to not have android go through ipv6 while connected
15:19 <@plaisthos> alex88: the default route for ipv6 only works if your VPN actually has IPv6
15:19 < alex88> also because I would need another server config, different ip space, server ipv6 public etc
15:20 <@plaisthos> allow local LAN currently also adds IPv6 leaks because it allows  IPv6 traffic
15:20 < alex88> so the only option is to have a server using ipv6 or remove the local lan bypass?
15:20 <@plaisthos> without that option IPv6 traffic is disabled completely if your VPN does not provide IPv6
15:21 < alex88> oh I see, let me try
15:21 <@plaisthos> or just try to uncheck to local lan option and your LAN range manually in the excluded routes section
15:21 <@plaisthos> I probably should split this allow IPv4/IPv6 if not provided by VPN to an extra option
15:25 < alex88> are you the app developer?
15:25 <@plaisthos> yepp
15:25 < alex88> in that case, congrats for the app! best vpn app ever, plenty of options/settings and fully customizable!
15:25 <@plaisthos> Thanks
15:26 < alex88> oh awesome the "bypass vpn for lan" worked :) thanks!
15:33 < alex88> last question, any reason why vpn connection might fail on port 53?
15:34 < alex88> Since I actually see with tcpdump packets on the server arriving, but tls handshake fails after 60 seconds
15:34 < alex88> on port 80 instead (both port 53 and 80 are forwarded by the router to rPI port 1194) it works perfectly
15:37 <@plaisthos> some packet inspection or whatever inbetween
15:37 <@plaisthos> the app does not have any special code that would block 53
15:38 < alex88> kk gotcha, maybe router or other stuff inbetween
15:44 < alex88> well, on tcp it works, the issue is just udp, probably yeah something in between
15:48 < alex88> plaisthos: only thing missing in the app imho, being able to automatically enable vpn every time phone connects to a wifi network that's not the home network (user still have to tell the app which wifi is the home one)
15:49 <@plaisthos> I know
16:43 < alex88> well, it randomly work on port 53.. even more strange
16:51 < sudosmurf> hey guys. so I am trying to import a connection profile to network manager gnome and getting an error about the import. when I use openvpn --config filename.ovpn it asks me for creds just fine
16:52 <@plaisthos> !nm
16:52 < sudosmurf> however when I try to import I get an error that says the plugin does not support import capability
16:52 <@plaisthos> !network-manager
16:52 < sudosmurf> which seems...odd
16:52 < sudosmurf> I've imported in the past
16:52 <@plaisthos> !factoids
16:52 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
16:52 <@plaisthos> !netman
16:52 <@vpnHelper> "netman" is (#1) NetworkManager usually works fine, but can have some challenges in som env, or (#2) Ensure you run a reasonably recent NM version, or (#3) NM is aimed at client configurations and requires a logged in user session and is sensitive to instable unstable networks, or (#4) If OpenVPN works from the command line but not NM, go to #nm or https://wiki.gnome.org/Projects/NetworkManager
16:53 < sudosmurf> thanks
16:53 < sudosmurf> doesn't entirely answer the question there. I will pop over to the gnome chat.
16:53 <@plaisthos> most of us don't use networkmanager and have no idea how it works
16:53 <@plaisthos> I never used it
16:53 <@plaisthos> so I cannot help you with it, sorry
16:54 < sudosmurf> nbd, thanks for pointing me in a different direction.
17:04 < sudosmurf> plaisthos: found the solution here FWIW: https://askubuntu.com/questions/761684/error-the-plugin-does-not-support-import-capability-when-attempting-to-import
17:04 <@vpnHelper> Title: network manager - "error: the plugin does not support import capability" when attempting to import openvpn config file - Ask Ubuntu (at askubuntu.com)
17:04 < sudosmurf> commenting out reneg-sec in the ovpn file lets me import
17:08 < Kryczek> 19:09 < coredumb> is the server then, supposed to be able to serve on its VPN internal IP?
17:09 < Kryczek> coredumb: yes but it becomes a problem when you have services configured with IPs of VPN interfaces that do not exist anymore, e.g. SSH might refuse to start
17:11 < Kryczek> coredumb: the solution is to either let the service listen to 0.0.0.0 and then remove unwanted connections with firewalling, or have the service listen on an IP that the VPN tunnels lead to in terms of routing (e.g. I have pdnsd listening on the LAN IP, which all VPN clients can reach through their tunnels and which devices in my LAN can reach, but which wouldn't accept external connections if my
17:11 < Kryczek> firewall rules get cleared by mistake)
17:23 < alex88> ok seems project FI does something strange with output packets on port 53 :( good to know (tried with an external VPS so not my house rPI)
17:42 < s34n> Upgrading my server to opvn 2.4.3 caused me to lose access to the host network
17:46 < s34n> a tracepath doesn't go past the opvn server
17:53 < s34n> openvpn-status.log shows no clients and no routes
17:53 <@plaisthos> s34n: check the logs of the server
17:53 < s34n> that is the log of the server
17:53 <@plaisthos> !logfile
17:54 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
17:54 <@plaisthos> s34n: if you don't know what a logfile is why did you mess with your openvpn server in the first place?!
18:00 < s34n> the logfile doesn't have errors. it shows a client negotiating a connection without blinking
18:02 <@plaisthos> s34n: the status file is only updated every 5 minutes iirc
18:03 < s34n> plaisthos: I don't mean the status log. I enabled the logfile and restarted with verb 4
18:07 < s34n> verb 6 shows more interesting things:
18:07 < s34n> Data Channel: using negotiated cipher 'AES-256-GCM'
18:07 < s34n> AEAD Decrypt error: cipher final failed
18:20 < s34n> the Decrypt errors stopped, but I still can't ping across the vpn
18:33 < ocb> ;;redirect
18:34 < ocb> !redirect
18:34 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
18:34 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
18:43 <@plaisthos> s34n: you can add disable-ncp to your server config and check if the problem disappears
18:44 <@plaisthos> if yes then either our gcm implementation or the one of the clinet or server SSL library is broken
18:44 <@plaisthos> sorry ncp-disable
18:58 < s34n> I haven't been able to reproduce the error with or without ncp-disable
23:27 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 255 seconds]
23:28 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
23:28 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Tue Aug 01 2017
00:25 < nostalgiccloud> So
00:25 < nostalgiccloud> is openvpn AS without support free?
01:00 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 255 seconds]
01:01 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
01:01 -!- mode/#openvpn [+v s7r] by ChanServ
01:50 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 276 seconds]
01:51 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
01:51 -!- mode/#openvpn [+o dazo] by ChanServ
02:20 < SerusWork> so yesterday I had an interesting thing happen to me
02:23 < SerusWork> I connected to my openvpn over tcp and did a speedtest
02:24 < SerusWork> speeds suddenly went off the charts and my computer completely froze
02:24 < SerusWork> 100% unresponsive
02:24 < SerusWork> I ended up cutting the power after 10 minutes
02:24 < SerusWork> any idea why this might happen?
02:25 < SerusWork> kernel logs were cut in the process :/
04:55 < fomox> Do I need to install openvpn to all computers that need access to the openvpn subnet or can the server merge my local network with the openvpn subnet so that all computers on the local network can get access to all openvpn clients?
05:20 < BtbN> Only the local gateway router can do that
05:22 < fomox> I think i figured it out. I can do route add on the computers, its not an optimal solution but it can work
05:24 < BtbN> You do that on the gateway
05:24 < BtbN> It's its job after all
05:26 < fomox> i dont think my router supports that (shitty isp router)
05:27 < fomox> wow it actually did. thanks BtbN :D
05:28 < BtbN> I know my Fritzbox can do it, but it's luck with those boxes
06:39 < jimduchek> Hello... from the openvpn man page on the 'shaper' option:  "It should be noted that OpenVPN supports multiple tunnels between the same two peers"... Is there any documentation on this at all?
06:39 < jimduchek> As far as I can tell a given client can only handle one --remote/<connection> at a time
06:42 < aperol> Hey, I'm looking for help
06:43 < aperol> I'm setting up a openvpn server but I can't start it
06:50 <@plaisthos> jimduchek: propably mean two different openvpn instances
06:50 <@plaisthos> other protocols like ipsec don't support that
06:50 <@plaisthos> !howto
06:50 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
06:52 < aperol> ok
06:53 < Kryczek> I love IPsec but OpenVPN is awesome
06:54 < Kryczek> in 2010 I built a microwave link solution with 2 servers on each side for high availability, and thanks to OpenVPN and Linux's brctl I was able to easily have all possible links covered and recovering seconds after I would unplug a cable
06:55 < Kryczek> by having 4 OpenVPN tunnels in total: Left1-Right1, Left1-Right2, Left2-Right1 and Left2-Right2
06:55 < Kryczek> then the Spanning Tree Protocol activated with brctl would disable the redundant paths until the active one stops working
06:59 < aperol> plaisthos: errno=2 and I don't know what to do
06:59 < aperol> or it's @plaisthos
07:13 <@plaisthos> *sigh* if people would wait for more than 10 minutes for a response
07:14 < Kryczek> plaisthos: haha yeah I was just about to answer him when he left :D
07:36 <@ecrist> plaisthos: this is IRC.  the behavior isn't new. :)
07:52 < android_> 16000
07:52 <@ecrist> 32000
07:52 < android_> 01 active
07:52 <@ecrist> NAK
07:55 < android_> todo
07:57 < android_> says unroutable control packet
07:58 < android_> TLS error
07:58 <@ecrist> Do you have a question?
07:59 < android_> What's the question ecrist?
08:00 < android_> e unum pluribus
08:00 < android_> youve got questions US have answers
08:01 <@ecrist> I'm asking if you have a question, or if you're going to just spout random text?
08:02 < android_> if you can ask GOD just one question ecrist
08:02 < android_> what would it be?
08:03 < Kryczek> -_-
08:03 < android_> respond properly, receive grantimus eternity
08:03 -!- mode/#openvpn [+b *!*@unaffiliated/mercenaryship] by ecrist
08:03 -!- android_ was kicked from #openvpn by ecrist [android_]
08:10 <@ecrist> I'm surprised.  Normally I get some tirade via PM
08:10 < vectr0n> lol
08:55 < metaloxide> Im trying to connect to my work's Sophos SSL VPN however it appears as though it tries to add certain routes multiple times, it adds them the first time but fails successively afterwards more of an annoyance than anything but wondering if there is a way to modify the ovpn file to keep from trying to add the routes more than once
08:56 < metaloxide> Also does not seem to be using the work dns so when I try to resolve mtn-wor-08 it doesn't resolve the IP
08:58 < DArqueBishop> metaloxide: are the routes added by the client file?
08:58 < DArqueBishop> !configs
08:58 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:58 < DArqueBishop> !logs
08:58 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
09:01 < metaloxide> DArqueBishop: Yes they are
09:02 < metaloxide> at the bottom of the config it shows a bunch
09:02 < metaloxide> bunch of "remote" lines
09:02 <@ecrist> are you using OpenVPN on the command line, or some GUI?
09:03 < metaloxide> command line as when I try to open from the gui it says its not supported
09:03 < metaloxide> Guessing Sophos doesn't make it "friendly"
09:04 < metaloxide> It adds the routes but looks like it tries to add them a second and 3rd time and thats where it just fails to add them
09:04 < metaloxide> Don't know if that is a real issue or more just an annoyance
09:05 < metaloxide> When I use the Sophos client in windows it does the same thing with the remotes but seems to work although really slooow
09:05 < metaloxide> In Linux using openvpn it connects but doesn't seem to be resolving dns names
09:10 < rullie> This may be off topic, but do I need to do something special on Alpine linux to get openssl to not do: OpenSSL: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed.   So that i can connect to my VPN?
09:18 -!- fury__ is now known as fury_
09:18 <@plaisthos> there should another error above that line
09:18 <@plaisthos> what exactly openssl dislikes about your certificate
09:19 < rullie> plaisthos: VERIFY ERROR: depth=0, error=self signed certificate
09:20 <@plaisthos> there it is
09:20 <@plaisthos> probably wrong CA
09:20 <@plaisthos> and there openssl cannot verify the certificate
09:23 < rullie> plaisthos: hmm, i just do openvpn theFileIGotFromMyProvider.ovpn
09:23 < rullie> works everywhere else
09:23 < rullie> except in this alpine that's in a docker cont
09:24 <@plaisthos> !paidvpn
09:24 <@vpnHelper> "paidvpn" is We are very reluctant to help you if you use a (commerical) VPN provider since we do not want to be their unpaid support team. See also !both
09:24 < rullie> ok
09:40 < metaloxide> is it normal for a route for have something like this: route 192.168.10.2 8443 ?
09:41 < metaloxide> Thought it was subnet mask after ip address
10:11 <@ecrist> no
10:11 <@ecrist> that's not a route
10:11 < DArqueBishop> That looks more like a port number.
10:11 < DArqueBishop> 8443 is a common alternative port for https.
13:28 < metaloxide> DArqueBishop: Thats what the entires look like for the "routes"
13:31 < DArqueBishop> metaloxide: are you the admin for the VPN server? If not, I strongly suggest you to speak to him/her.
13:33 < metaloxide> DArqueBishop: Not the admin, just wasn't sure if the routes were proper
13:35 < DArqueBishop> Not at all.
13:36 < DArqueBishop> Let me put it this way: if the subnet mask is a single number, it can't be larger than 32 on an IPv4 address.
13:48 < metaloxide> DArqueBishop: is there a way of viewing the routes added by this in linux?
13:52 < DArqueBishop> ip route
13:54 <@krzee> metaloxide:
13:54 <@krzee> !configs
13:54 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
14:32 < metaloxide> krzee: I have the client config, think it was generated by the Sophos UTM
15:47 -!- johnny56_ is now known as johnny56
16:35 < s34n> after upgrading to ovpn 2.4.3 I can no longer see hosts on the network
16:35 <@krzee> see hosts?
16:37 < s34n> I can't ping them, etc
16:40 <@krzee> behind server or client...
16:45 < s34n> my client cannot ping hosts on the network behind the vpn server
16:46 < s34n> the vpn server can ping those hosts
16:46 < chicognu> s34n, it is a route problem almost 100% sure. what os ?
16:47 <@krzee> !serverlan
16:47 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
16:47 < s34n> linux
16:47 <@krzee> follow the flowchart s34n
16:47 <@krzee> tell me where you get stuck
16:47 < s34n> k
16:48 < s34n> ip forwarding is enabled, router is pushed
16:48 <@krzee> can you ping the lan ip of the server from the client?
16:50 < s34n> yes
16:50 < s34n> oh. wait
16:51 < s34n> ok. yes
16:51 <@krzee> ok, so continue...
16:52 <@krzee> that means your vpn is configured right, your ip forwarding and route is right
16:52 <@krzee> !route_outside_ovpn
16:52 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
16:52 < chicognu> i had the same problem, except the clients don't have access to internet. almost cry haha... create the iptables rules and nothing happen. took me 5 days to figure out vent0 has the interface with internet access (ip 127.0.0.2) and not the vent0:0 with was the assign the ip of external access
16:54 < chicognu> I compiled openvpn from source, everything works nice, but i cant make start on boot. Any idea how to do it ? debian wheezy
16:56 < s34n> The vpn server has a route to the network
16:58 < chicognu> s34n, past the ifconfig of the server at pastbin or other copy past site also the result of iptables -t nat -L and iptables -L
17:07 < s34n> chicognu: https://gist.github.com/anonymous/e82d764a55e7d20da4db04732cfce5e4
17:07 <@vpnHelper> Title: iptable-nat · GitHub (at gist.github.com)
17:09 < s34n> none of this has changed since it was working under ovpn 2.3
17:14 < s34n> chicognu: I'm not sure what you meant by "ifconfig"
17:20 < chicognu> s34n, ifconfig is a command to show and configure the interfaces. look mine config, see if that helps. https://pastebin.com/9j6e2upJ
17:22 < chicognu> s34n, ifik, tun0 and the card used to access the internet or local network are in different netmask, so you will need a rule in the firewall to do the NAT, and not only packages forwarding
17:23 < s34n> I have another interface on the local network and a corresponding route
17:23 < chicognu> sorry, you have the rule to nat
17:36 < chicognu> s34n, the network you are trying to access can see the machine hosting the openvpn ?
17:36 < s34n> yes
17:37 < s34n> and the openvpn machine can see hosts on that network
17:40 < Niklas_E> is there any app that tells if openvpn is connected or not?
17:41 < s34n> Niklas_E: yes.
17:41 < s34n> Niklas_E: the GUI on windows show you
17:41 < s34n> Niklas_E: what os?
17:41 < Niklas_E> not running windows
17:42 < s34n> Niklas_E: ok. what os are you running?
17:42 < Niklas_E> Gentoo
17:42 < s34n> Niklas_E: ip is your friend
17:42 < s34n> ip link
17:43 < s34n> will show you if you have an interface for the vpn
17:43 < s34n> ip a will show you if it has an ip, etc.
17:43 < s34n> ip r will show you if it has a route
17:44 < Niklas_E> ok
17:44 < Niklas_E> thanks
17:45 < s34n> Niklas_E: are you using a DE?
17:45 < s34n> Niklas_E: are you using NM?
17:46 < Niklas_E> Nope
17:47 < s34n> no to NM, too?
17:47 < Niklas_E> nope to nm too
17:49 < s34n> krzee: Everything on that charts checks out
18:04 < s34n> chicognu: what am I missing?
18:06 < chicognu> s34n, sorry mate, really don't no. If the server can see and ping network (and by server I mean the tun0 interface) really dunno
20:00 < kambei> I have an issue that I don't understand.  I have two networks that are bridged.  I added a new machine (running Debian 9.1) and no machines on the other side of the bridge can reach, and it cannot reach them either.  Other machines work fine on both sides.  Any idea what could be causing it?  Something regarding the default network configuration in Stretch, perhaps?
--- Day changed Wed Aug 02 2017
02:31 <+hyper_ch> hello #openvpn
03:35 < PresidentTrump> hi is there a way to disable ssl verification?
03:35 < PresidentTrump> my vpn provides certs are not compatible with openssl 1.1.0
03:36 < PresidentTrump> Wed Aug  2 08:28:19 2017 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
03:40 <+hyper_ch> wouldn't disable ssl verification pretty much defeat the purpose?
03:45 < PresidentTrump> hyper_ch, don't care. I am not trying to get a secure connection. I am trying to get different IP addresses
03:45 < PresidentTrump> I need to test my site performance from multiple locations
03:45 < PresidentTrump> the NSA can MITM this connection as much as they want :D
03:52 <+hyper_ch> but it's not what your vpn provider wants
03:52 <+hyper_ch> if it can be disabled, then I think both endpoints will have to do so... but I think it can't be disabled at all
03:54 < PresidentTrump> hyper_ch, my vpn provider said they'll issue new certs soon
03:55 < PresidentTrump> considering openssl 1.1.0 has been out for months I don't know how soon soon will be
04:06 <+hyper_ch> debian oldstable still doesn't have openssl 1.1.0 IIRC
04:39 < PresidentTrump> meh
09:33 < molgrum> hi how do i check why openvpn couldn't connect to the server? i don't get an error message in arch linux
09:42 <+hyper_ch> set verb 5
09:42 <+hyper_ch> and check log
10:37 < arooni_team_b> how can i detect via the command line that i'm connected to a vpn?  i'm using vpn unlimited's client which uses openvpn as a backend
10:43 <@dazo> arooni_team_b: ps faxuw | grep openvpn
10:51 < gtt> does openvpn certificate generation (for clients) have to be done in the same server where the openvpn server is running_
10:51 < gtt> ?
10:52 <@dazo> gtt: on the contrary .... certificates should ideally be generated on an offline device
10:53 <@dazo> gtt: the server needs CA certificate, server key and certificate and DH parameters file, in addition to the config file (and advisable, the --tls-auth/--tls-crypt key file)
10:53 <@dazo> gtt: clients only need CA certificate, client key and certificate, in addition to the config file (and advisable, the --tls-auth/--tls-crypt key file)
10:53 < gtt> alright, so simply copying the entire folder somewhere else should be enough and sourcing the vars should be enough to succesfully run the scripts succesfully?
10:55 < gtt> dazo: I definitely have dh file, not sure about --tls-auth --tls-crypt settings. Are those only for the handshaking/authentication part of the openvpn, or are they use to encrypt all traffic from each client once the authentication has already been passed?
11:53 < s34n> I still can't get my vpn to work since upgrading to 2.4.3
13:17 <@dazo> gtt: sorry, was out in meetings .... --tls-auth and --tls-crypt are exclusive, the former only adds an additional packet authentication while the latter encrypts the control channel - which again results in hiding the TLS handshake (where server/client certificates are transported in clear-text)
13:28 < s34n> krzee: ping
13:58 <@dazo> !logs
13:58 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
13:58 <@dazo> !configs
13:58 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:58 <@dazo> !ask
13:58 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
13:58 <@dazo> s34n: ^^^ ... and for !ask, have a look at #2
14:12 < s34n> dazo: I upgraded my server to 2.4 and things quit working
14:13 < s34n> I walked through the flowchart at http://www.ircpimps.org/serverlan.png
14:13 < s34n> I made it all the way to "Add a route to the router", but I already have a route
14:16 <@dazo> !logs
14:16 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
14:16 <@dazo> !configs
14:16 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
14:41 < s34n> https://gist.github.com/anonymous/a3eee64015158946080827da4ed93134
14:41 <@vpnHelper> Title: client.conf · GitHub (at gist.github.com)
14:42 < s34n> https://gist.github.com/anonymous/a3eee64015158946080827da4ed93134#file-server-log-L290 shows a failure to extract curve from certificate
14:42 <@vpnHelper> Title: client.conf · GitHub (at gist.github.com)
14:43 < s34n> I don't know what it means to extract a curve from a certificate.
15:05 < bytesaber> Trying to answer a question via Google without success.  The ready to go VM from openvpn.net, works great.  But it also trys to make ipsec connections to Amazon behind the scenes when it's online.  I don't know what for, and also not sure how to appropriately make it shut up.
15:06 < bytesaber> ah, #openvpn-as
15:08 <@dazo> s34n: I get 404 on those urls
15:09 < s34n> dazo: sorry. https://gist.github.com/anonymous/4344b7ee7b3f1e7006befabd8655ecab
15:09 <@vpnHelper> Title: client.conf · GitHub (at gist.github.com)
15:12 <@dazo> s34n: the server log is good ... no errors, no warnings .... what does the client log say?
15:12 <@dazo> the server log does not indicate any client connections attempts
15:14 < s34n> I haven't figured out how to get a log from the nm applet
15:14 <@dazo> check /var/log/messages
15:15 <@dazo> grep for nm-openvpn
15:15 < s34n> dazo: ah. yes. I did look there
15:15 <@dazo> or even better ... first try to connect using the command line, when that works, import that config to nm-openvpn and start it via nm
15:15 < s34n> let me see if I can get a paste
15:16 < s34n> dazo: All indeications are that I connect fine
15:17 <@dazo> okay, problem solved
15:18 <@dazo> (what I am really saying: If you don't provide logs, we can't tell you if it works or not)
15:28 < s34n> working on logs...
15:32 < s34n> https://gist.github.com/anonymous/abf39da340ee9c04624fb46f1ecd123b
15:32 <@vpnHelper> Title: clinet.log · GitHub (at gist.github.com)
15:32 < s34n> ^^ That shows a client connection
19:58 < gtxbb> hi
19:59 <@ordex> s34n: last url gives 404
19:59 <@ordex> I think they timeout pretty quickly
--- Day changed Thu Aug 03 2017
02:41 < qmq> hi folks - I'm seeing odd behavior using OpenVPN and hoping someone can tell me why, or point in the right direction. I'm using a TCP connection as the physical link isn't 100% stable (there is some packet loss I cannot control - crappy ISP). A typical packet loss ratio is around 1%. When using VPN over TCP I would expect the measurement to return 0 loss, but that's not the case. How can that be? (yeah, it is 10x smaller, but still happ
02:43 < qmq> I expected it to retry "on the VPN level" (OpenVPN transmitting it's packets etc) and effectively offer a "perfect connection" within the VPN
06:02 < Igloo> !welcome
06:02 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
06:02 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
06:04 < Igloo> I'm a bit confused by "--pull This  option  must  be used on a client which is connecting to a multi-client server". Does that mean that if I am connected to a multi-client server then I must use the option, or that I cannot use it if I am not connecting to a multi-client server?
06:17 <@ordex> Igloo: --pull is implicit when using --client
06:17 < Igloo> But I can use --tls-client instead, right?
06:18 <@ordex> Igloo: but --pull is something you want to use when talking to a server
06:18 <@ordex> Igloo: you may not want it when you have a p2p connection (I think .. otherwise i can't think of any case where you don't want it)
06:19 < Igloo> If I want to set routes myself, what benefit does it give me?
06:26 <@ordex> Igloo: the server is going to push a bunch of stuff, not just routes
06:26 <@ordex> if you want to completely ignore routes pushed by the server, thereshould be something for that
06:28 <@ordex> Igloo: check --route-nopull in the man
06:28 <@ordex> Igloo: but if you want to set *more* routes you can just do that. no need to ignore what you receive
06:31 < Igloo> Ah, is it going to push something that sets my IP address?
06:32 <@ordex> Igloo: you can check the log of the client and you will see a bunch of options being pushed
06:35 < Igloo> OK, I think I understand now. Thanks for your help, ordex!
06:35 <@ordex> np
09:45 < redrabbit> if i run a second openvpn server on the same machine to be able to access from either tcp/443 or udp, can i keep the same subnet/client config for both
09:45 < redrabbit> atm on my setup i used a different one for each server instance
10:31 <+hyper_ch> you would need different subnets
10:38 <@ecrist> redrabbit: like hyper_ch said, you'll need/want to separate subnets for those.
10:38 <@ecrist> otherwise the system won't know which process to route the packets to
10:38 <+hyper_ch> 10.8.0.x and 10.8.1.x :(
12:34 <+hyper_ch> krzee: do you also put a postit on your notebook's webcam?  https://wikileaks.org/vault7/#Dumbo
12:34 <@vpnHelper> Title: WikiLeaks - Vault 7: Projects (at wikileaks.org)
12:46 < redrabbit> well, nothing to change then. thanks
12:47 < redrabbit> i put a piece of electrical black tapes on laptops cams
12:47 < redrabbit> tin foil all the way up
12:47 < redrabbit> i even unplugged the mike inside
12:48 <+hyper_ch> as linux user I feel discriminated against
12:49 < redrabbit> not really, you put yourself in that spot :p
12:49  * redrabbit uses both
12:49 < redrabbit> mostly win10 for gui/debian based for services
12:49 < redrabbit> debian raspbian armbian
12:52 <+hyper_ch> I put myself in that spot? oO
12:53 < redrabbit> yeah you choose to be a linux user
12:53 <+hyper_ch> no... that just happened
12:53 < redrabbit> ah
12:53 < redrabbit> lol
12:54 < redrabbit> 19:45 <+hyper_ch> as linux user I feel discriminated against
12:54 < redrabbit> why
12:55 <+hyper_ch> https://wikileaks.org/vault7/#Dumbo  -  Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating sytem.
12:55 <@vpnHelper> Title: WikiLeaks - Vault 7: Projects (at wikileaks.org)
12:57 < redrabbit> nice tool
13:06 < Conder> hello, is it normal that "build-dh" is running more than 10 minutes?
13:15 < BtbN> if you have a slow CPU, yes.
13:15 < BtbN> Or try to build way large parameters
13:15 < BtbN> 4096bit DH params can take a while
13:28 -!- arooni_team_b is now known as arooni
13:37 < _FBi> morning #openvpn
14:28 -!- druid- is now known as xuumno
14:31 -!- xuumno is now known as selsper
15:50 -!- gthank is now known as gthank_away
15:50 -!- gthank_away is now known as gthank
18:14 < fengshaun> is it possible for an openvpn client to tell the server what domain it provides? for example, if siteA which has the domain domA.com connects to siteB with domain domB.com, I want siteA to tell siteB to set its dns to route domA.com through the siteA client
18:15 < fengshaun> I could do that with dns separately, but wanted a more robust solution especially when multiple domains and clients are involved
23:52 < berglh> fengshaun: i'm pretty confident you can't do that
23:54 < berglh> vpn's do ip routing; dns resolution happens at your machines DNS client talking to a list of preferred DNS servers
23:58 < berglh> I suppose it would be theoretically possible to create a VPN client that was Layer 7 aware and dynamically add routes to your VPN interface
--- Day changed Fri Aug 04 2017
00:41 < fengshaun> berglh: thanks
01:15 <+hyper_ch> krzee: https://motherboard.vice.com/en_us/article/ywp8k5/researcher-who-stopped-wannacry-ransomware-detained-in-us-after-def-con
01:15 <@vpnHelper> Title: Researcher Who Stopped WannaCry Ransomware Detained in US After Def Con - Motherboard (at motherboard.vice.com)
05:39 <+hyper_ch> krzee: using cisco? see list of vulnerabilities  https://www.heise.de/security/meldung/Cisco-schliesst-Super-Admin-Luecke-3793025.html
05:39 <@vpnHelper> Title: Cisco schließt Super-Admin-Lücke | heise Security (at www.heise.de)
07:12 < havoc> hyper_ch: apparently someone has also emptied the wannacry ransom accounts
07:31 <+hyper_ch> havoc: it wasn't me! really!!!
07:34 <@ordex> havoc: oh yeah?
07:35 < havoc> just caught it on the local news ticker on tv, but I'm sure google news has much about it
08:05 <@ecrist> hyper_ch: is there an english version of that article?
08:06 <+hyper_ch>  ecrist:  google translate?
08:06 <@ecrist> or, we could come liberate germany again...
08:06 <@ecrist> "liberate"
08:08 <+hyper_ch> why come again when you're still there?
08:08 <+hyper_ch> due to the US, Germany is also a nuclear power ;)
08:08 <@ecrist> once my truck is paid off, I'm buying another BMW.  I plan on taking european delivery on my next one
08:09 <@ecrist> I had a 2013 535
08:09 <@ecrist> that thing was fun
08:09 <@ecrist> alas, I needed a truck, so had to trade it in
08:09 <@ecrist> ironically, the 535 was about $2,000 cheaper than my pickup
08:13 <+hyper_ch> why would anyone need a truck...
08:13 <@ecrist> hyper_ch: have you ever been to the US?
08:13 <+hyper_ch> once
08:13 <+hyper_ch> 20 years ago
08:13 <+hyper_ch> Pittsburgh
08:14 <@ecrist> I'm sorry for your loss.
08:14 <+hyper_ch> I had a good time
08:14 <+hyper_ch> but nowadays, I prefer the friendly Canadians :)
08:14 <@ecrist> We haul things around, have a camper we pull with the truck, and do some off-road/ATV stuff.
08:14 <@ecrist> someone tried to stab me in Ottawa
08:15  * ecrist has lots of Ottawa/Toronto stories
08:16 <+hyper_ch> Ottawa and Montréal are nice cities
08:16 <+hyper_ch> never been to Toronto though
08:16 < havoc> motreal is all mobbed up
08:16 < havoc> toronto too
08:16 <+hyper_ch> why do you haul things around what sane person would do that?
08:17  * havoc has a truck, and camper, too
08:17 <+hyper_ch> ecrist: http://www.npr.org/2017/08/01/540903038/u-s-citizen-held-by-immigration-for-3-years-denied-compensation-by-appeals-court
08:17 <@vpnHelper> Title: U.S. Citizen Who Was Held By ICE For 3 Years Denied Compensation By Appeals Court : The Two-Way : NPR (at www.npr.org)
08:18 <@ecrist> yeah, I saw that
08:18 <@ecrist> he will appeal again, I'm sure
08:18 <@ecrist> hyper_ch: are you trolling, or do you not actually understand why someone would want a truck?
08:18 <+hyper_ch> ecrist: I do not understand the need for a truck or a pickup
08:18 <+hyper_ch> except if you run some business
08:19 <+hyper_ch> and then ecrist being so into computers I can't envision why he'd need a pickup or truck for a business
08:21 <@ecrist> a couple of things.  the US is huge.  for fun, we tend to drive places to do things.  riding four-wheelers, for example, isn't something you can do in the city.  where I go (tomorrow, actually), it's about a 2.5 hour drive, and I need to haul my four-wheelers (ATVs) with us
08:21 <@ecrist> hard to do that in a car
08:22 <+hyper_ch> AT-ATs?
08:22 <@ecrist> as far as business, I do own a business where I do low-voltage (< 72VDC typically) wiring and systems (read: alarms, communication, CCTV, access control)
08:22 <@ecrist> that would be cool
08:22 <+hyper_ch> and I thought you do stuff with computers :)
08:22 <@ecrist> that's my side job
08:22 <@ecrist> (Above) my day job I am a med-device engineer
08:22 <@ecrist> :)
08:23 <+hyper_ch> :)
08:23 < havoc> ecrist: whereabouts are you?
08:24 <@ecrist> St Paul, Minnesota
08:24 <+hyper_ch> Minnesota... that's somewhere in the middle of nothing, right?
08:24 < havoc> ah, heh, I'm in Waukesha County, WI
08:25 < DArqueBishop> There's a joke that says that the difference between the US and the UK (or really any European country except maybe Russia) is that the UK thinks 100 miles is a long distance while the US thinks 100 years is a long time.
08:25 <@ecrist> DArqueBishop: I like that.
08:25 <+hyper_ch> they don't have miles in the UK
08:26 <+hyper_ch> (I think)
08:26 <@ecrist> yes they do
08:26 <+hyper_ch> who still uses such old-fashioned units like miles and inches
08:26 <@ecrist> the whole imperial system of measurement came from there
08:26 < cyberanger> Yes we do
08:27 <@ecrist> hyper_ch: the US and UK still do, IIRC.
08:27 <+hyper_ch> :)
08:27 <@ecrist> but, at least in the US, we're using the metric system in engineering more frequently
08:27 < havoc> and Canada uses imperial for building
08:28 <+hyper_ch> ecrist: the english also drive on the wrong side of the road.. at least the Mericans got that right
08:28 <@ecrist> ++
08:28  * hyper_ch hides
08:28 <@ecrist> remember, hyper_ch, Americans invented driving.  
08:29 < cyberanger> We're also odd in that we use  litres for petrol, but miles for distance & speed. We couldn't pick one or the other
08:29 <+hyper_ch> pretty sure poeple drove carraiges before the invention of the US
08:29 <+hyper_ch> I seem to recall that even the ancient rome already had the wheel ;)
08:29 <@ecrist> havoc: I was in your area just a couple weeks ago.
08:29 < havoc> cyberanger: that's likely due to local economics, same reason Canada uses inches/feet for building/construction
08:30 <@ecrist> went to the HD museum with my son, and up to Oshkosh for an EAA thing.
08:30 < redrabbit> metric ftw
08:30 < havoc> ecrist: where?
08:30 < havoc> ah
08:30 < havoc> SI FTW, you mean ;)
08:30 <+hyper_ch> also a thing that seems odd to me is that prices display in the US are usually before tax/vat... here you're obliged to display the endprice for customers
08:30 < cyberanger> hyper_ch: It still feels wrong to me (US Citizen in the UK) having the clutch, brake & gas the same, but the stick is in my left.
08:31 < cyberanger> Add that to which side I'm driving on, glad for the tube most days
08:31 < havoc> hyper_ch: buarecratic differences only
08:31 <+hyper_ch> for me as customers I want to know the final price.... not the price before tax/vat :)
08:31 < havoc> bureaucratic
08:32 <+hyper_ch> if a product is sold for $10 then I don't care if tax is $1 or $9....
08:32 < DArqueBishop> hyper_ch: I'm pretty sure it has to do with the fact that the tax rate can vary wildly between locations.
08:32 <@ecrist> hyper_ch: we don't have VAT, we have about 1 million assorted taxes, and where you are and how you're buying can change what (if any) taxes apply
08:32 <+hyper_ch> DArqueBishop: that's the reason... but for me as endcustomer I want to know how much it'll finally cost me
08:33 <+hyper_ch> e.g. tax on cigarets is like 70% or so... and tax on food is like 3% here
08:33 <+hyper_ch> I don't care for how much the tax is but how much my wallet gets lighter after paying
08:33 <@ecrist> in Minnesota, there is no tax on unprepared food and clothing, but hop over the border to Wisconsin, there is
08:34 < DArqueBishop> hyper_ch: I said between locations, not between products. There are tax rates at the state, county, and possibly city level, and they're not the same between states. Even in my area, until relatively recently, the sales tax rate was 7.25% in the county but outside of the city limits and 8.25% within the city limits.
08:35 < cyberanger> ecrist: Same for PA vs NY, we had buses drive from Ontario to Erie, PA to go shopping just for that reason.
08:35 < |Mike|> https://www.youtube.com/watch?v=O52jAYa4Pm8
08:35 <+hyper_ch> DArqueBishop: it doesn't matter... my example was I don't care how much of the final price is tax
08:35 < cyberanger> (Of course they'd still hit up Buffalo)
08:35 <+hyper_ch> DArqueBishop: for me as end customer the only thing that counts is whether its $100 or $120
08:35 <@ecrist> In St Paul, Minnesota, there's an added transit improvement tax (until Sept 1) that adds .25% on top of the state sales tax
08:35 <@ecrist> \http://www.revenue.state.mn.us/businesses/sut/factsheets/FS164.pdf
08:35 <+hyper_ch> I don't care if 99.999% of the price is tax or if only 0.00001 is tax
08:36 <@ecrist> hyper_ch: unfortunately, the US doesn't care what hyper_ch thinks about how prices are displayed
08:36 <@ecrist> :)
08:36 < DArqueBishop> hyper_ch: right, but it's a lot easier and more cost efficient to add the tax at the time of sale instead of having to label everything differently for sale in different locations.
08:36 <+hyper_ch> but they should!!!
08:37 <@ecrist> cyberanger: MN calls their tax Sales and Use
08:37 <+hyper_ch> DArqueBishop: that doesn't make sense
08:37 <@ecrist> the idea is, even if you buy it somewhere else, you need to pay tax on it to USE it in MN
08:38 <@ecrist> most people don't, but a company I worked for previously ended up in a state audit and had to be a few thousand dollars in USE taxes for things that were purchased online
08:38 < DArqueBishop> hyper_ch: is the VAT pretty uniform across your country for a specific product?
08:38 <+hyper_ch> VAT is uniform for whole classes of products
08:38 < DArqueBishop> hyper_ch: right. It's not here.
08:38 <+hyper_ch> but still, your example doesn't make sense
08:38 <@ecrist> It's not uniform here.
08:38 <+hyper_ch> there's no difference between the lables and the POS
08:38 <@ecrist> sure, you're asking for a price tag that includes all of the possible taxes
08:38 <+hyper_ch> you have to actually calculate it at one poiknt
08:39 <+hyper_ch> you don't put the price tag on the product itself
08:39 <@ecrist> Amazon, for example, has started charging sales tax.  should their site list all of the possible prices?
08:39 <+hyper_ch> you have a shelf with xx same products and one price tag
08:39 < DArqueBishop> hyper_ch: right, and because the VAT here can vary widly between locsations (even if they're five miles from one another), it's easier and more cost-efficient to do it at the time of sale.
08:39 <+hyper_ch> ecrist: the internet doesn't count :)
08:39 <@ecrist> it's also the true price.
08:40 <+hyper_ch> there's no true price
08:40 <@ecrist> everyone pays the tax, whatever that is, but I want to know if Bob's Burgers is charging me $3 for a burger vs Joe's Burgers across the border
08:40 <+hyper_ch> DArqueBishop: for online it makes sense....
08:40 <+hyper_ch> DArqueBishop: but for phyiscal shops it doesn't :)
08:40 <@ecrist> to you
08:40 < DArqueBishop> ...
08:41 <@ecrist> who isn't here
08:41 < DArqueBishop> hyper_ch: again, your basing your opinion on how your country handles VAT.
08:41 < DArqueBishop> It isn't how the US handles sales tax.
08:41 < DArqueBishop> Your system works for you.
08:41 <@ecrist> hyper_ch: you'll be happy to know that is how fuel is priced here - all displays are after-tax
08:41 < DArqueBishop> It would not work in the US without a massive restructuring of tax law.
08:42 <+hyper_ch> no, I'm basing my opinion on how I see it.... if I go into a shop I wanna know how much it costs and not having and addiotnal 100% tax slammed on the price tag at the cashier
08:42 <@ecrist> but that's why a gallon of gasoline shows as $2.9875/ga
08:42 < havoc> which is flat out impossible
08:42 <+hyper_ch> if the item in the shop is lablled 9.95 then I want to pay 9.95 and not 9.95 + 9 TAX
08:42 <@ecrist> it's OK hyper_ch, you can keep being wrong.
08:42 <+hyper_ch> ecrist: by definition I'm always right :)
08:43 < DArqueBishop> hyper_ch: if we did things the way you suggest without a massive restructure of tax law (which won't happen), you'd end up paying triple/quadruple the price because of all the time wasted relabeling products and goods everywhere for location-specific pricing.
08:44 < cyberanger> I wonder how Canada deals with that (they are the most similar to both the US Sales tax & VAT afaik. with HST, different provinces with different rates & taxes in the price)
08:44 <@ecrist> tax is calculated at the register in CA
08:46 <+hyper_ch> so, time for weekend
08:46 < DArqueBishop> Back when I worked retail, I worked at a Toys R Us in unincorporated (as in, not part of a city) Harris County. The sales tax rate was 7.25%.
08:47 < cyberanger> ecrist: in which province?
08:47 <+hyper_ch> oh noes... in a week, internet will be down for max. 4h - 23:00 - 03:00 CEST
08:47 < DArqueBishop> While I was there, the city of Houston annexed the area I was in. The sales tax changed from 7.25% to 8.25%.
08:48 <@ecrist> cyberanger: IIRC, both Ontario and Quebec
08:48 < cyberanger> ecrist: come to think of it, I may have to take back the inclusive part. Tourist area may have been doing people a favor
08:49 <@ecrist> I wasn't in any tourist areas, so I'm not sure if there's a difference there.
08:50 < cyberanger> Now that I think about it more, yeah. The places that bundled it weren't required to, it was just to make life a little easier. Further away HST was added on.
08:51 < cyberanger> My bad
08:52 <@ecrist> The views of Europeans about how things "should be done" in the US or Canada sometimes amuses me.  There are plenty of things we do poorly, sure, but things don't always scale the same as they do in country X in Europe.
08:52 < cyberanger> Restraunts might have also had different rules too
08:53 <@ecrist> Size is a real thing.  Like DArqueBishop's joke earlier, I really don't think Europeans understand how big the US is.  Trying to apply anything over that size area is difficult.
08:53 <@ecrist> cyberanger: restaurants do it different ways in the US, too
08:53 < DArqueBishop> ecrist: sometimes Americans don't realize it either.
08:53 <@ecrist> Some menus include tax, some don't.  Depending on where you are, the food might not even be taxed.
08:53 <@ecrist> DArqueBishop: that is true.
08:54 < cyberanger> I never remembered Sales tax built into the menu, I do remember HST built into the menu at one place, but "tax-out" at another.
08:54 <@ecrist> I can point my pickup north and drive for 8 hours and not leave Minnesota, and I'm 1/3 of the way "up" from the southern border.
08:54 < DArqueBishop> So, a few years back a friend of mine IMed me to tell me that his sister was moving to Texas because her husband was being stationed here, so I should meet them for dinner sometime. I mad met and befriended the sister at my friend's wedding.
08:55 < DArqueBishop> I asked my friend where she was moving to, and he said, "El Paso."
08:55 < DArqueBishop> Again, I live in Houston.
08:55 <@ecrist> just hop on over?
08:55 < DArqueBishop> I sighed, and said, "Let me put it this way. You know how, when you drive from Houston to Los Angeles, you have to drive all the way across Texas, New Mexico, Arizona, and California?"
08:55 < DArqueBishop> He said, "Yeah?"
08:56 < DArqueBishop> I said, "El Paso is the halfway point."
08:57 < DArqueBishop> He never brought it up again. :-)
08:58 < cyberanger> lol
09:01 < cyberanger> Yeah, similar issues explaining it here, distance between my US home in Buffalo, NY and folks in Knoxville, TN is like here (London) to Warsaw
09:01 <@ecrist> I'm having a hard time finding it, but there was an AskReddit a few weeks ago that said something like "Non-Americans of Reddit, what was a misconception about America that changed after visiting America"
09:02 <@ecrist> the top three traits that seemed to be in the comments were 1) It's HUGE, 2) American's aren't assholes, and 3) American's aren't fatter than Europeans
09:02 < cyberanger> Apperently few people here have family from Poland, so it doesn't click
09:03 < cyberanger> (I think Prauge is more honest, but Warsaw made for better jokes)
09:03 <@syzzer> ecrist: re 3), https://en.wikipedia.org/wiki/Human_body_weight
09:03 <@vpnHelper> Title: Human body weight - Wikipedia (at en.wikipedia.org)
09:04 <@syzzer> (so, yes, europe is doing pretty bad too, but north america is definity leading the overweight charts)
09:04 <@ecrist> syzzer: I think the perception was that Americans looked like the characters from Wall-E, but don't actually look that way
09:05 <@syzzer> ah, ok, so "not as bad as I thought" :-P
09:05 <@ecrist> and I don't necessarily trust that wikipedia article 
09:06 <@syzzer> this one has a proper source :)
09:06 <@ecrist> it doesn't take into account things like height in the top chart
09:06 <@ecrist> full-disclosure, I'm a fat-ass. ;)
09:07 <@syzzer> "average weight" not ofc, but (although I admit I didn't read the source) "overweight %" should
09:08 <@ecrist> what's the definition of overweight, though?
09:08 <@syzzer> and well, $gf tends to call me fat too :p
09:08 <@ecrist> and ALL of the source for that table is a single article that's 5 years old
09:10 <@syzzer> "Overweight" is defined by the WHO: http://apps.who.int/bmi/index.jsp?introPage=intro_3.html
09:10 <@vpnHelper> Title: WHO :: Global Database on Body Mass Index (at apps.who.int)
09:10 <@ecrist> it would be interesting to comb through all the #openvpn logs and isolate these off-topic conversations and post them somewhere
09:10 <@syzzer> haha, it would
09:11 <@ecrist> there have been quiet a few relatively in-depth discussions about things that have absolutely NOTHING to do with VPNs
09:11 <@syzzer> so easy to get distracted
09:12 <@ecrist> It's Friday (at least in the free world)
09:12 <@syzzer> even Friday afternoon in my part of the Free world!
09:13 < metalinjection> Hi, I have a question about OpenVPN. I live in China and I like to access my server in the internet securely. SInce I had a lot of people trying to hack the computer, I blocked all communication from China. So my question is, how secure is it to just open the OpenVPN port? As far as I understand the system, the server will only be opened via a certificate - how secure is it?
09:13 <@syzzer> metalinjection: check out tls-auth (or tls-crypt if you're using openvpn 2.4+)
09:14 <@syzzer> that adds another layer on top of the security of TLS itself
09:14 <@syzzer> with that in place, I would not worry about opening the OpenVPN port to the internet
09:15 < metalinjection> do you know a good tutorial how to get everything set up? I found this one - but I am not sure how to add TLS than.. http://www.slsmk.com/getting-started-with-openvpn/installing-openvpn-on-ubuntu-server-12-04-or-14-04-using-tap/
09:15 <@vpnHelper> Title: Installing OpenVPN on Ubuntu Server 12.04 or 14.04 using TAP Super Library of Solutions (at www.slsmk.com)
09:15 <@ecrist> metalinjection: You're probably aware, China is working harder at blocking VPNs and making their use illegal, as well.
09:16 <@ecrist> !gfoc
09:16 <@ecrist> !gfc
09:16 <@ecrist> !gfwc
09:16 <@ecrist> :/
09:16 <@ecrist> !china
09:16 < metalinjection> yeah I know
09:16 <@ecrist> !factiods
09:16 < metalinjection> but so long…
09:16 <@ecrist> !factoids
09:16 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
09:17 <@ecrist> !obfs
09:17 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols, or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation, or (#3) in client/server mode an admin can know that openvpn is being used.
09:17 <@vpnHelper> in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
09:19 < CryptoSiD> Any idea whats happening with https://community.openvpn.net/ ?
09:20 < CryptoSiD> ho it's loading but very slowly
09:20 < metalinjection> @vpnHelper and @ ecrist and @syzzer - I will try it. Thanks
09:21 < metalinjection> wish me luck
09:38 < lord_zoo> Hi people, just a question, when a client reconnects automatically, it reloads configuration and overwrites any manually added routes?
10:00 < Poster> lord_zoo: I don't think it reloads it's configuration per se, that is done when the client/service is restarted.  In terms of overwriting manually added routes, I think that would depend on the gateway used, if the gateway goes away due to a disconnect event, I believe the associated routes would go away with it.  Not entirely an overwrite per se.  This can also depend on if the OpenVPN server
10:00 < Poster> is pushing routes to the OpenVPN client, in most cases you probably will not for things like LAN to LAN links, they may be statically defined on both sides.
10:24 < lord_zoo> thanks Poster
13:38 < vectr0n> did the openvpn apt repo's key change?
14:16 <@dazo> vectr0n: most likely ... don't recall the details, but I vaguely remember mattock doing some changes
14:17 < vectr0n> had to reimport on all my apt systems lol so was curious
14:17 < vectr0n> icinga2 started bitching for apt checks
14:18 <@dazo> https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos ... there's a url to the key used here
14:18 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
14:18 < vectr0n> 10 steps ahead of you :)
14:20 <@dazo> vectr0n: also seen this one?  https://openvpn.net/index.php/open-source/documentation/sig.html
14:20 <@vpnHelper> Title: File Signatures (at openvpn.net)
14:21 <@dazo> hmmm ... the deb signing key is quite old actually, so that does sound odd
14:21 <@dazo> (that you had a key issue, I mean)
14:21 < vectr0n> importing the key from the first link corrected the apt error
14:21  * vectr0n shrugs
15:06 < randymarsh9> hey guys
15:06 < randymarsh9> does openvpn let me choose what country i connect from?
15:06 < randymarsh9> oh wait
15:07 < randymarsh9> this is to just let me vpn to my home/work network right?
15:08 < BtbN> openvpn is just software.
15:08 < BtbN> Not a provider.
15:09 < randymarsh9> yea just realized that lol
15:10 < randymarsh9> anyone know a decent provider that lets you connect from another country?
15:12 <@dazo> As I'm working for OpenVPN Tech, I'm obliged to recommend PrivateTunnel ;-)
15:13 < randymarsh9> dazo: works for me
15:13 < randymarsh9> thanks!
15:16 <@dazo> (but on a different note, VPN service providers is a minefield to walk through ... https://thatoneprivacysite.net/vpn-section/ ... so pick your VPN provider carefully )
15:16 <@vpnHelper> Title: That One Privacy Site | VPN Section (at thatoneprivacysite.net)
22:03 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:12 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:12 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Sat Aug 05 2017
04:11 < fatalhalt> Hello
04:11 < fatalhalt> https://forums.openvpn.net/viewtopic.php?f=6&t=24651
04:11 <@vpnHelper> Title: OpenVPN as Client; Share 1 connection among multiple devices? - OpenVPN Support Forum (at forums.openvpn.net)
04:12 < fatalhalt> I was wondering if there's a way to share a VPN Client connection among other devices
08:29 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 255 seconds]
08:52 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
08:52 -!- mode/#openvpn [+o dazo] by ChanServ
09:27 < BOLADAO> I'm trying to use openvpn in a vps, but when I start vpn, it automatically drops my connection to the machine. How do I keep control of the machine with vpn on, without losing the connection? Is it some firewall rule? I ask for help, thank you
09:57 < DArqueBishop> BOLADAO: are you using it as a client on the machine?
09:57 < DArqueBishop> Er, on the VPS?
09:59 < BOLADAO> yes DArqueBishop, cliente vpn on the vps
09:59 < DArqueBishop> It's a routing problem.
10:01 < DArqueBishop> When you tell your VPS to connect to the VPN server, it's most likely being told to change the default gateway to the VPN. Thus, the route between you and your VPS is altered.
10:02 < BOLADAO> DArqueBishop Can you help me make the correct routing of my network? I need all the connections to be tunneled, except the ssh I use to connect to vps.
10:05 < DArqueBishop> BOLADAO: I would imagine you would need to put in a specific route for your IP address to use the normal default gateway.
13:46 < H4ndy> !welcome
13:46 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
13:46 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
14:49 < BOLADAO> I'm trying to do a split tunneling on my vps. It turns out that when I connect to vpn, my connection automatically drops. I followed the following steps, but none of it freed port 22 and all connections through it, without going through the tunnel. can anybody help me? https://paste.linux.community/view/2b7083e4
15:08 < DArqueBishop> !split
15:09 < DArqueBishop> !splitroute
15:09 <@vpnHelper> "splitroute" is (#1) see https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet, or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
15:17 < abaday1> I need help with my openvpn tunnel between 2 openwrt routers
15:17 < abaday1> Tunnel is up, I can ping between the the routers on the tunnel IP. But not able to ping from the lan behind the first router to the lan on the other router.
15:18 < abaday1> I can see that the first router forwards the ping over the tunnel when I do tcpdump -i tun0. But I dont see the icmp packets coming out on the second routers tun0 interface.
15:18 < abaday1> firewall config should allow
15:21 < jasunto> having trouble getting openvpn to connect at boot, yet it does manually
15:21 < jasunto> ubuntu server or debian, both headless and no DE
15:39 < redrabbit> update-rc.d openvpn enable
15:39 < redrabbit> jasunto: try this
15:41 < jasunto> sudo: update-rc.d: command not found
15:41 < jasunto> i would say its because ubuntu uses systemd? but same issues on debian 9
15:52 < redrabbit> works on debian jessie
15:52 < redrabbit> and on armbian / raspbian
16:13 < jasunto> just did it per a guide, copy US East.ovpn to /etc/openvpn as .conf extension, edit it and point to login.conf that was created, edit /etc/default/open and set AUTOSTART=“US East”, reboot and nothing
16:13 < jasunto> can connect manaully
16:24 < redrabbit> try to name it /etc/openvpn/client.conf
16:24 < redrabbit> then
16:25 < redrabbit> systemctl start openvpn@client.service
22:02 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:12 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:12 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Sun Aug 06 2017
00:40 < TheRiddla> any help around?
01:42 < TheRiddla> Anyone know how to acquire a username and passord for  the openvpn gui?
02:58 < ah-donny> !welcome
02:58 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
02:58 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
03:05 < qwerkus> hello. I've managed to set up openvpn on my routerbox, and can established a connection towards it. The only thing not working is dns forwarding: I only have internet by manually overwriting the /etc/resolv.conf file
03:06 < qwerkus> is there a way to do this automatically with the client config file (or the server one) ?
03:23 < ah-donny> qwerkus: As in your not getting any outside internet connection?
03:23 < ah-donny> But you can access connected LAN devices
03:25 < nacelle> qwerkus: do you have a 'push "dhcp-option DNS x.x.x.x"' in your server config?
03:25 < ah-donny> It was the reason why I came here just before you. I can't link to the article because its gone but add push "dhcp-option DNS 8.8.8.8" to the config or what ever dns you wis... nvm nacelle got to it
03:27 < ah-donny> This fixed my problem that has been plagued me for the past 4 months tho it wasn't limiting me on what I needed to use since most of the time it was just other LAN devices. If I wanted the internet I just disconnected. But now I don't have to so yeah.
03:29 < nacelle> <-- becoming old as dirt
03:30 < qwerkus> yes: no outside connection
03:30 < qwerkus> it tried pushing a dns
03:30 < qwerkus> doesn t seem to be working
03:30 < qwerkus> I suspect the local system dns resolver is interfering
03:39 < qwerkus> confirmed: the problem may not be openvpn config
03:40 < qwerkus> I tried it with android, win 10 and ubuntu
03:40 < qwerkus> only ubuntu has this weired dns resolution problem
12:52 < GoGi> can I run an openvpn server without a tun or tap device?
12:52 < GoGi> I just need client-to-client communication
14:01 -!- SiD is now known as Guest72471
14:10 -!- hyamamoto is now known as hiroki
14:10 -!- sparx_ is now known as sparx
14:10 -!- _gypci0 is now known as egypcio
14:10 -!- tx_ is now known as tx
14:10 -!- n-st- is now known as n-st
14:26 -!- ohnx- is now known as ohnx
--- Log closed Sun Aug 06 18:05:22 2017
--- Log opened Mon Aug 07 06:50:29 2017
06:50 -!- Irssi: #openvpn: Total of 313 nicks [9 ops, 0 halfops, 3 voices, 301 normal]
06:50 -!- mode/#openvpn [+o ecrist_] by ChanServ
06:50 -!- Irssi: Join to #openvpn was synced in 1 secs
06:51 -!- You're now known as ecrist
06:51 <@ecrist> !ping
06:51 <@vpnHelper> pong
07:38 < Kryczek> pong (DUP)
07:48 <@dazo> !learn pong as just stupid
07:48 <@vpnHelper> Joo got it.
07:48 <@dazo> !pong
07:48 <@vpnHelper> "pong" is just stupid
07:49 <@dazo> !ping
07:49 <@vpnHelper> pong
07:49 <@dazo> !ping
07:49 <@vpnHelper> pong
07:49 <@dazo> !ping
07:49 <@vpnHelper> pong
07:49 <@dazo> !pong
07:49 <@vpnHelper> "pong" is just stupid
07:50 < Kryczek> no it's not! It's a good way to tunnel data without triggering replies :P
07:51 <@dazo> hahaha :-P
07:52 <@dazo> so, basically just like UDP :-P
07:52 <@dazo> "I don't care if you don't catch my UDP jokes"
07:52 < Kryczek> dazo: no UDP will trigger ICMP Port Unreachable if it's not open :)
07:53 <@dazo> heh, true! :)
07:54 <@dazo> but *only* if it is not open in the firewall ... if the firewall is opened ;-)
07:56 <@dazo> no, I'm mistaken!
07:56 <@dazo> echo test | nc -u localhost 9938
07:56 <@dazo> Ncat: Connection refused.
07:56 < Kryczek> I see what you mean, if the target IP has a firewall the pongs might be dropped :)
07:56 <@dazo> 14:53:42.189588 IP6 ::1 > ::1: ICMP6, destination unreachable, unreachable port, ::1 udp port 9938, length 61
07:57 <@dazo> yeah, if the UDP is blocked by fw, that's something else ... which results in a drop
08:01 < Kryczek> I've done all kinds of crazy networking... My biggest regret is that many routers on the Internet annoyingly drop IP packets with any sort of IP Option field, because I coded my own VPN at the IP layer and it doesn't always work as a result :/
09:19 -!- fury__ is now known as fury_
09:29 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 258 seconds]
09:30 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
09:30 -!- mode/#openvpn [+o plaisthos] by ChanServ
09:34 < redrabbit> i have an vps with two external ips on eth0 eth0:0
09:34 < redrabbit> i want to use eth0 port 443 to serve web content and eth0:0 port 443 to host an openvpn
09:34 < redrabbit> i already have openvpn and the web server working on the first interface, just added the second one
09:35 < redrabbit> so probably all i have to do is bind the openvpn server instance to eth0:0
09:35 < redrabbit> how should i do this?
09:58 <@dazo> redrabbit: use --local $IP_ADDRESS
09:58 <@dazo> redrabbit: or don't use --local (which binds to all IPs) and filter traffic in iptables
11:43 -!- svm_invi_ is now known as svm_invictvs
11:56 < flappyjonson> hello
11:56 < flappyjonson> !welcome
11:56 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
11:56 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
11:56 <@vpnHelper> you
11:56 < flappyjonson> !goal keep connection alive
11:57 < flappyjonson> !howto
11:57 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
12:20 < flappyjonson> can someone tell me how can I check if openvpn is connected to some vpn using command line?
12:20 < flappyjonson> Can't figure it out
12:27 < flappyjonson> I did install openvpn but I use it for connectiong only so I did not set any rsa keys and other stuff so I do not have /etc/openvpn/config file to add  option management 'ip port' how do I enable management for client if there is no config file used?
12:46 < redrabbit> ifconfig flappyjonson
12:46 < redrabbit> to check if openvpn is connected
12:47 < redrabbit> should appear as tun0
12:48 < flappyjonson> ah indeed, thanks
18:21 < daemon> hey all if I add:
18:21 < daemon> push "route 172.19.18.0 255.255.255.0"
18:21 < daemon> that will tell all clients that connect, they should use 'me' as a gateway for 172.19.18.0 right
18:29 < redrabbit> calling you server "me" is strange but yeah
18:29 < daemon> sweet
18:29 < daemon> thank you :)
20:13 < redrabbit> dazo: it worked fine, thanks
20:14 < redrabbit> now i have a tough one to ask
20:14 < redrabbit> i have two instances of ovpn
20:14 < redrabbit> one high port / udp, the other 443/tcp
20:15 < redrabbit> i have a client connected on the 1st instance, that i use with client-to-client to access my network behind it from other clients
20:15 < redrabbit> however id like to access this network from the 2nd instace
20:15 < redrabbit> so client to client through the 1 instance to another
20:17 < redrabbit> probably need to figure out a bit of routing there
20:17 < redrabbit> maybe some NAT rules
20:19 < redrabbit> like push route to subnet of instance 1 on instance 2
20:19 < redrabbit> lets try this
20:21 < redrabbit> nope. meh
20:37 < redrabbit> allright
20:37 < redrabbit> got it
20:38 < redrabbit> proper NAT rules and push route
21:16 < redrabbit> ah, looking for a way to push the second inteface as gateway for vpn clients. its not the default gw on the server
21:27 -!- Alchemy is now known as daemon
--- Day changed Tue Aug 08 2017
01:35 -!- upbeta_____ is now known as upbeta
04:05 <@ordex> redrabbit: routing is enough. no need for routing
04:06 <@ordex> redrabbit: and yes you need to push the route for the other subnet (unless your clients are using the server as default gw)
05:18 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
05:20 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
05:20 -!- mode/#openvpn [+o vpnHelper] by ChanServ
09:36 < Optic> some strangeness, logs are full of "WARNING: Failed to stat CRL file, not (re)loading CRL." but everything seems to be configured fine.  i have tried local dir and absolute path in the config file, crl file is world readable ><
09:36 < Optic> https://www.irccloud.com/pastebin/YCONBLiE/
09:39 < Optic> OpenVPN 2.4.3 x86_64-redhat-linux-gnu
09:44 < Optic> it was a permissions problem & i'm a dork :3
09:46 < Optic> ty for being my rubber duck #openvpn
09:48 < redrabbit> ordex: i got the communications between subnets working fine, now i need to find a way to use eth0:0 as the wlan gateway for my ovpn clients. now the default gw is eth0, so all traffic is routed through that with either push gateway or push route
09:48 < redrabbit> guess the simplest would be to change the default gw on the server
09:48 < redrabbit> that would work
09:48 < redrabbit> looking for something more flexible
09:52 < redrabbit> i tried push "route 0.0.0.0 0.0.0.0 %External_IP_iwant_to_use 1"
09:52 < redrabbit> but nope
09:53 < redrabbit> however i can use curl --interface %External_IP_iwant_to_use http://monip.org/
09:53 <@vpnHelper> Title: MonIP.org v1.0 (at monip.org)
09:53 < redrabbit> it does works shows that external IP
12:50 < plum> hi!
12:51 < plum> is it possible to include ta.key in an openssl pkcs12 file?
13:42 < abaday1> !goal
13:42 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:47 < abaday1> I want to access the lans behind the server, I also want the lan behind the server to access the lan behind the client. I have a tunnel up between two machines, and I can only ping from the client to the server and to the LANs behind it, but not the other way around. Please help me
13:48 < abaday1> The server has routes towards the LANs behind the client over the tun interface and firewall is configured to allow this
13:50 -!- abaday1 is now known as abaday
13:54 < LegalDrokz> working on a openvpn setup for my home connection
13:54 < abaday> let me correct myself, the lan behind the client can't reach the server or the LAN behind the server over the tunnel. I can see with tcpdump that the client is forwarding the ping requests over the tunnel, but I can't see any ping requests come in on the server side tun interface
13:54 < LegalDrokz> going to run openvpn server on a flashed ddwrt router
13:54 < LegalDrokz> question about certficates
13:55 < LegalDrokz> right now, im generated the ca+certs on a windows machine using easy rsa
13:55 < LegalDrokz> when i want to revoke a cert made with that windows machine, can i revoke it from another machine?
13:56 < LegalDrokz> so basically, is the machine that created the ca the only one that can create and revoke certs for that CA?
13:57 < LegalDrokz> i might be missing some basic pki knowledge, but if anyone spots my blind spot, i'd appricate a nudge in the right direction
14:01 < LegalDrokz> got the answer from another channel
14:02 < LegalDrokz> i need the CA cert to revoke and create certs, the machine is not relevant
14:17 < LegalDrokz> !welcome
14:17 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
14:17 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
14:18 < abaday> !logs
14:18 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
14:19 <@dazo> LegalDrokz: ddwrt is considered insecure and unsuitable for VPNs - if you care about security
14:19 <@dazo> !dd-wrt
14:19 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN, or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783, or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536, or (#4) And the
14:19 <@vpnHelper> security focus still seems to need improvements: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=279467 (hint: dd-wrt company does not do this effort + no reference to any security fixes)
14:20 <@dazo> LegalDrokz: in regards to revocation ... that can happen on any computer which have access to the CA private key
14:21 < LegalDrokz> thanks dazo for the info and tip
14:21 <@dazo> LegalDrokz: the CA private key is the most sacred files of all in an PKI environment ... it is used to sign everything it does and which is to be used in the public (certificates, CRLs, probably more things) ... and the CA certificate is used to validate the CA signature in those files
14:22 <@dazo> LegalDrokz: which is why I recommend to store the CA files (easy-rsa, XCA, TinyCA, whatever CA tool you use) on an offline medium - only to be activated when you want to do a signing request or revocation
14:23 <@dazo> s/signing request/sign a certificate signing request/
14:25 < LegalDrokz> right, got it dazo
14:31 < LegalDrokz> !raspberrypi
14:34 < LegalDrokz> i can imagine the pi could be more secure, but performance would be worst
14:35 < LegalDrokz> and the age old question, how secure is secure..
14:35 <@dazo> LegalDrokz: OpenWRT is often a far more reasonable router OS
14:35 <@dazo> and now that LEDE and OpenWRT have decided to bury the hatches and co-operate again, I think there's a brighter future there again
14:36 < LegalDrokz> and others? like tomato?
14:36 < LegalDrokz> ive used ddwrt since wrt54g days :p
14:37 <@dazo> I have no hands-on experience with Tomato ... and haven't paid attention to how they handle security issues.  But it will be hard to do any worse job on that area compared to what DD-WRT achieves
14:51 < LegalDrokz> tomato looks pretty solid security wise, can't really find any incidents as mentioned here with dd wrt
14:52 < LegalDrokz> plus they have a shiny html interface through https://advancedtomato.com/
14:52 <@vpnHelper> Title: AdvancedTomato :: Open Source Broadcom Firmware (at advancedtomato.com)
15:01 < LegalDrokz> yep looks good, going to go with advanced tomato and openvpn with a static key
15:01 < LegalDrokz> i can upgrade to PKI later, but for now this will work :)
15:02 <@dazo> LegalDrokz: if you don't need multiple clients ... upgrading to a PKI based p2p setup (which static key setups implies) is really simple
15:03 <@dazo> LegalDrokz: regardless, consider to also add --tls-crypt (or --tls-auth if you can't use openvpn 2.4)
15:06 < LegalDrokz> are the keys sniffable without that option dazo?
15:06 < LegalDrokz> when inititial connection is made
15:07 <@dazo> Not directly "sniffable", but static key mode does not have Perfect Forward Secrecy ... and if you manage to bruteforce decrypt a single packet, you can decrypt all the packets saved in the past
15:07 <@dazo> oh ... tls-crypt only applies for PKI mode ....
15:08 <@dazo> and --tls-auth as well :/
15:08 <@dazo> sorry, I misremembered that detail
15:08 <@dazo> (static key mode does not have the TLS control channel)
15:10 < LegalDrokz> ah that incidentally explains perfect forward secrecy which i read about :)
15:12 < LegalDrokz> bruteforcing a 2048bit encrypted packet
15:13 < LegalDrokz> would be quite an undertaking wouldn't it?
15:15 < LegalDrokz> i find it hard to differentiate between what's as secure as possible vs what's secure enough
15:18 < LegalDrokz> tbh, i care about security, but i taking it to the secure as possible level just seems crazy if you actually want to get things done
15:20 < LegalDrokz> would be neat if there was a way to automagically calculate risks so you could just set an acceptable risk level and have the tool spit out the needed measures
15:21 < LegalDrokz> so both pitfalls 1) going crazy with over the top measures and 2) forgetting about certain risks like physcial security can be managed
15:35 -!- ghoti_ is now known as ghoti
15:47 -!- themayor_ is now known as themayor
16:05 < arooni> dumb question: with a openvpn connection to a server on public wifi with my laptop;  does that mean that any open ports i might have are blocked
16:05 <@ordex> redrabbit: policy routing
16:05 < arooni> or are rules like [11] 445                        ALLOW IN    192.168.0.0/16 ;; still going to let me get burned if someone on the public wifi tries to connect to that port
16:09 < DArqueBishop> arooni: if they're on the same subnet as you, they won't be blocked. Your best bet is to have a different firewall config when you're not on your home network.
16:09 < arooni> DArqueBishop: never thought about that till now
16:09 < arooni> good idea
16:09 < DArqueBishop> This is, of course, assuming the owners of said public wifi haven't configured it correctly and don't have client isolation going.
16:13 < DArqueBishop> I know firewalld in Fedora/CentOS and Windows 10's firewall supports different rules for different zones, but I can't speak for other OSes.
16:13 < DArqueBishop> s/Windows 10/Windows 7+/
20:02 -!- vectr0n_ is now known as vectr0n
--- Day changed Wed Aug 09 2017
01:22 -!- instantp10neer_ is now known as instantp10neer
03:49 -!- Netsplit *.net <-> *.split quits: +hyper_ch, @krzee, @mattock
04:06 -!- Netsplit over, joins: hyper_ch
04:07 < hyper_ch> ecrist: https://www.buzzfeed.com/peteraldhous/hidden-spy-planes?utm_term=.jyV6dqzew#.evk1VOPWE
04:07 <@vpnHelper> Title: We Trained A Computer To Search For Hidden Spy Planes. This Is What It Found. (at www.buzzfeed.com)
04:07 -!- mode/#openvpn [+v hyper_ch] by ChanServ
04:09 < Kryczek> hyper_ch: so... journalists are proud to help drug cartels and terrorists now?
04:09 <+hyper_ch> journalists are proud to disclose governmental spying on its citizens
04:11 <+hyper_ch> and while we're add it:  https://epjdatascience.springeropen.com/articles/10.1140/epjds/s13688-017-0110-z  - instagram photos reveal predictive markers of depression
04:11 <@vpnHelper> Title: Instagram photos reveal predictive markers of depression | EPJ Data Science | Full Text (at epjdatascience.springeropen.com)
04:12 < Kryczek> hyper_ch: where does it say that they were spying on citizens?
04:12 < Kryczek> all I see is they ruined good operations, *slowclap*
04:12 <+hyper_ch> and you think it only spied on so called "evil guys"?
04:12 <+hyper_ch> the rest is just "collateral damage" spying?
04:13 < Kryczek> hyper_ch: I think you overestimate your importance if you think the government has time to check up on your everyday life
04:14 <+hyper_ch> really? you don't know how quickly or why you can come into the government's crosshair
04:14 <+hyper_ch> e.g.: take the main curl developer that was denied entry into the US... nobody knows why
04:14 < Kryczek> did he have spy planes circling above his head?
04:15 <+hyper_ch> you can use their analysis to find out ;)
04:16 < Kryczek> you're missing the point
04:16 <+hyper_ch> or you're missing the point
04:17 < Kryczek> then please explain to me how is ruining antiterrorism operations etc more important than your paranoia of having spy planes above your head while taking a dump?
04:17 <+hyper_ch> everything is labelled antitrerorism nowadays
04:17 <+hyper_ch> inflationary use of the term
04:17 <+hyper_ch> and well, take a look at some other countries where spy planes fly high in the sky and then relase missiles...
04:18 <+hyper_ch> invading other countries, killing other countries citizens without legitimation except "we have the stronges military and can just do as we please"
04:18 < Kryczek> I can't think of any; are you perhaps mixing up with a movie?
04:18 <+hyper_ch> you don't know when you'll be the target and that's the problem
04:19 < Kryczek> They can do all that with those tiny Cesna's in the article?
04:19 <+hyper_ch> sure they can
04:20 < Kryczek> -_-
04:20 < Kryczek> ok, I see there is no reasoning with you...
04:20 <+hyper_ch> same here
04:33 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
04:33 -!- mode/#openvpn [+o krzee] by ChanServ
04:34 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
04:34 -!- mode/#openvpn [+o mattock] by ChanServ
07:20 <@ecrist> hyper_ch: neat
07:20 <+hyper_ch> ecrist: which one? :)
07:21 <@ecrist> you only pinged me on one
07:22 <+hyper_ch> ecrist: I see
07:23 <+hyper_ch> ecrist: https://epjdatascience.springeropen.com/articles/10.1140/epjds/s13688-017-0110-z
07:23 <@vpnHelper> Title: Instagram photos reveal predictive markers of depression | EPJ Data Science | Full Text (at epjdatascience.springeropen.com)
08:22 < DArqueBishop> I know I'm late to the argument, but it's hardly a secret that most law enforcement operations that are set up in the name of anti-terrorism are primarily used for enforcing drug laws... and if we REALLY wanted to break the cartels' backs, the quickest way is via legalization, not criminalization.
09:23 < cluelessperson> UGH,  apparently your root and intermediate CA must be seperately named
09:24 < cluelessperson> otherwise OVPN hits this error
09:24 < cluelessperson> Wed Aug  9 02:43:13 2017 Cannot load CA certificate file certs/ca-chain.cert.pem (entry 2 did not validate)
09:24 < cluelessperson> Wed Aug  9 02:43:13 2017 Cannot load CA certificate file certs/ca-chain.cert.pem (only 1 of 2 entries were valid X509 names)
11:37 < abaday> the lan behind the client can't reach the server or the LAN behind the server over the tunnel. I can see with tcpdump that the client is forwarding the ping requests over the tunnel, but I can't see any ping requests come in on the server side tun interface
11:53 < DArqueBishop> abaday:
11:53 < DArqueBishop> !clientlan
11:53 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see
11:53 <@vpnHelper> !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
12:06 -!- Browndragon2345 is now known as Rookie2345
12:07 < Rookie2345> hello guys
12:08 < abaday> !iroute
12:08 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
12:08 < Rookie2345> hey guys
12:08 < mmoreno80> hello there! need some help; I have configured openvpn and it works properly when I started it from the command line; but it doesn't work with systemd ... it shows: Active: active (exited) since Wed 2017-08-09 17:00:46 UTC. could you point me to the right direction? I cannot make it work with systemd on debian ...
12:09 < Rookie2345> whois mmoreno80
12:09 < skyroveRR>  /whois Rookie2345
12:09 < mmoreno80> Rookie2345: I am
12:09 < mmoreno80> ;)
12:12 < abaday> DArqueBishop: I have a ccd folder with a file named after the CN-name of the client. In that file I have "iroute <CLIENT-LAN-NETWORK-ADDRESS> <NETMASK>, still doesn't work
12:13 < abaday> the LAN behind server can only reach the clientlan if I use masquerade, which I don't want
12:13 < abaday> " after <NETMASK"
12:13 < abaday> >
12:15 < abaday> hmm how can I be sure that openvpn is reading my ccd file?
12:25 < abaday> !ccd
12:25 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
12:34 < abaday> !route
12:34 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
12:34 < abaday> !serverlan
12:34 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
12:35 < V1s1ble> I was just about to ask for that flowchart :)
16:18 < Kryczek> Hi! Out of curiosity, I was wondering: is it possible to preconfigure the server's cert in a client conf, and perhaps client certs in the server conf as well?
16:22 < Kryczek> (like in IPsec it's often possible to distribute public keys in advance, for example)
16:23 < DArqueBishop> Kryczek: well, yes, the client keys/certs can be put inline in the config file.
16:23 < DArqueBishop> However, in a PKI-only config (as in, no user/pass), the server does not need to know the client certs, and vice versa.
16:24 < DArqueBishop> As long as they're all signed by the same CA and the CA cert is on the clients and server, it'll work.
16:26 < Kryczek> I know I know, that's how I've had it working already :) I was wondering if I could remove the CA from the equation since they're all my devices anyway
16:26 < Kryczek> what's the keyword for including remote certs in the config? I can't seem to find it in the manpage
16:27 < DArqueBishop> !inline
16:27 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
16:29 < Kryczek> I am confused...
16:29 < DArqueBishop> If you plan on using certs for authentication to your VPN, you absolutely need the CA cert so that the traffic can be verified.
16:30 < Kryczek> DArqueBishop: wouldn't inlining still be referring to the machine's own cert, not the remote peer's cert?
16:31 < Kryczek> I don't really need certs, I could do with just public keys if that's easier :)
16:31 < DArqueBishop> Kryczek: you want to add the certs to the config file as opposed to using a CA cert?
16:31 < Kryczek> I am not sure I understand your question... Let me rephrase :)
16:31 < Kryczek> DArqueBishop: let's say we have peers Left and Right
16:32 < Kryczek> I'd like Left to know Right's pubkey and Right to know Left's pubkey
16:32 < Kryczek> in advance
16:32 < DArqueBishop> That's not supported.
16:33 < DArqueBishop> I see what you're saying, but for the amount of effort that it would take a private CA would actually be easier and more scalable.
16:33 < Kryczek> it depends
16:34 < DArqueBishop> ... not really.
16:34 < Kryczek> all my OpenVPN peers now have their private key in a Hardware Security Module, so the unnecessary trust onto yet another key pair for the CA is actually making the setup less secure
16:35 < DArqueBishop> I need to add a client? I generate a cert/key for the client. The server doesn't need to know the new client cert; as long as it's signed by the CA it knows it's authorized.
16:35 < Kryczek> DArqueBishop: I know, and that's exactly what I want to avoid
16:36 < DArqueBishop> ... why?
16:36 < Kryczek> if somehow I misplace the CA all my peers would instantly trust a new rogue client
16:36 < Kryczek> whereas they could trust each other and no one else :)
16:37 < DArqueBishop> If you misplace your CA you create a new one and have the OpenVPN server use that.
16:37 < Kryczek> what if I am in a cross-atlantic flight?
16:38 < Kryczek> DArqueBishop: I am not denying that having a CA is more convenient, but you won't convince me that it's as secure :)
16:38 < DArqueBishop> Besides which, ideally the machine that does the signing would ideally be offline or inaccessible most of the time.
16:39 < DArqueBishop> The machine I use for signing is offline most of the time, and it has the only copy of the CA key.
16:39 < Kryczek> and it is... but that does not solve the possibility of misplacing it
16:39 < DArqueBishop> Tehn encrypt the drive.
16:39 < DArqueBishop> s/Tehn/Then/
16:40 < Kryczek> it is already... but that's not the point
16:40 < Kryczek> the point is removing risk where there does not need to be risk
16:40 < DArqueBishop> It's called "risk mitigation", not "risk elimination".
16:41 < Kryczek> DArqueBishop: I lecture on security worldwide, I think I'd know.
16:42 < DArqueBishop> What you're asking for is something that doesn't exist in OpenVPN, and is to mitigate a risk that is so small as to be statistically insignificant.
16:43 < Kryczek> that's what everybody says until they get compromised in a way that could have been totally avoided
16:44 < Kryczek> risk mitigation: wearing a bulletproof vest when you're a soldier going in warzones
16:45 < Kryczek> risk elimination: not deciding your holidays to be in a warzone
16:45 < DArqueBishop> Literally, the use case you came up with is someone stealing your CA machine, who knows the encryption password, and wants to break into your network while you're on a trans-Atlantic flight.
16:46 < Kryczek> DArqueBishop: may I ask if your CA is on an encrypted disk too? What kind, LUKS?
16:46 < DArqueBishop> It's on a LUKS encrypted disk, and stored offline.
16:47 < Kryczek> DArqueBishop: that's all you have protecting your disk, right?
16:47 < DArqueBishop> Though, to be honest, I'm much more in danger of someone stealing the machine to pawn it for drug money. :-)
16:48 < DArqueBishop> Yes, but to be blunt if they wanted to do THAT there are easier ways of compromising the network.
16:48 < Kryczek> that's easy to circumvent: extract the initrd, modify the script asking for the passphrase (e.g. local-top/cryptroot but might be elsewhere on different distros) to store a copy, recompress the initrd and wait
16:49 < DArqueBishop> Right, but then they'd need physical access to the machine.
16:49 < Kryczek> DArqueBishop: that's only kicking the problem down the road
16:49 < DArqueBishop> By that point there are much easier ways to compromise the network.
16:49 < Kryczek> "No need to fix X because Y is broken also"
16:49 < Kryczek> -_-
16:50 < Kryczek> DArqueBishop: it really depends. In security conferences for example I like to tease the audience about how many of them leave their laptops unattended in the conference room during coffee breaks / lunches
16:50 < Kryczek> DArqueBishop: in that case I would argue it is faaaaaaaaaaar easier for me to get into your laptop than into your network
16:53 < DArqueBishop> Right, and your proposal simply smells of the wrench problem.
16:53 < Kryczek> anyway, if it's not supported it's not supported... and maybe I'll add it, won't be the first time I add support for some "insignificant use case" in OpenVPN ;D
16:53 < DArqueBishop> !wrench
16:53 <@vpnHelper> "wrench" is https://xkcd.com/538/
16:53 < Kryczek> funny that was my title slide.
16:55 < Kryczek> DArqueBishop: in return may I recommend you Socrates' "I know that I know nothing" - it really helps in Security :)
16:56  * DArqueBishop smiles.
16:56 < DArqueBishop> I'm always the first to say that.
16:56 < Kryczek> excellent
16:57 < DArqueBishop> It's served me well in my almost twenty year career in IT support/administration.
16:58 < DArqueBishop> Anyway, time for me to go home from work. Later.
16:58 < Kryczek> have a good evening
19:53 < DaCheat> Good evening, seeing some weird behaivor on my Openvpn instance on openvpn. doing a "road-warrior" setup with user-pass verify however my android client's get as far as inital packet and then die out.
19:54 < DaCheat> firewall is wide open on udp/1194
20:02 < redrabbit> so much bad jokes comes to my mind when i read that
20:03 < DaCheat> pastebin's here https://pastebin.com/
20:03 < DaCheat> https://pastebin.com/Y2RBtbmu
20:23 < DaCheat> looks like i've got it, thanks folks
--- Day changed Thu Aug 10 2017
05:06 < devonrevenge> im having problems with a tap0 connection with openvpn on a vm
05:06 < devonrevenge> should I put the openvpn on the host of the vm or does that make no difference?
05:32 < Kryczek> devonrevenge: what kind of problems?
05:34 < skyroveRR> family problems
05:34 < devonrevenge> I guess
05:34 < devonrevenge> so whats happening is the vm resets itself
05:34 < devonrevenge> but starts working again if I use it
05:34 < devonrevenge> for a bit then dies
05:35 < Kryczek> weird
05:36 < Kryczek> what kind of vm system is it? vmware? virtualbox? ...?
05:36 < devonrevenge> however im using a signal boosting wifi thing that turns 5ghz into a normal wifi connection - but im right by the router now
05:36 < devonrevenge> its vmware
05:37 < Kryczek> what type of network card do you have configured for the vm? VMXNET?
05:40 < devonrevenge> no idea tbh
05:40 < devonrevenge> is a kali distro for the oscp course
05:44 < Kryczek> in the vmware settings
05:44 < devonrevenge> kk looking
05:44 < devonrevenge> not sure waht to look for :P
05:44 < devonrevenge> NAT
05:44 < devonrevenge> tap0
05:45 < devonrevenge> Realtek 8812Au
05:48 < Kryczek> try the other types, VMXNET should be the best if you have guest additions installed
05:53 < Kryczek> devonrevenge: https://kb.vmware.com/kb/1001805
05:53 <@vpnHelper> Title: Choosing a network adapter for your virtual machine (1001805) | VMware KB (at kb.vmware.com)
05:53 < devonrevenge> So I bridged the network
05:54 < devonrevenge> does that mean I have to use the vpn on the vmware
05:56 < devonrevenge> https://hastebin.com/ocabamabim.css
05:56 <@vpnHelper> Title: hastebin (at hastebin.com)
05:56 < devonrevenge> get a ton of them
06:03 < devonrevenge> had to register :/
06:06 < Kryczek> devonrevenge: bridge networking won't work with WiFi
06:06 < devonrevenge> ooh
06:06 < devonrevenge> so I have to use NAT
06:07 < devonrevenge> the wifi device im using needs drivers even if I can add it too the vm
06:07 < devonrevenge> and its a pain to install on linux
06:07 < devonrevenge> ima have to have dodgy connection
06:07 < devonrevenge> what about changing tun to tap or is that dictated by the provider
06:07 < devonrevenge> or mtus
06:07 < Kryczek> I'm not following...
06:07 < devonrevenge> maybe less
06:07 < devonrevenge> me iether
06:08 < Kryczek> keep the WiFi on the host like you had, keep the NAT like you had, just changed the virtual NIC type to VMXNET
06:08 < Kryczek> change*
06:08 < devonrevenge> okay - vmtools are jsut checking my elegibilty xD
06:48 < adac> My openvpn client seems to create two network interfaces instead of only one. How can that happen? Any ideas?
06:48 < adac> https://gist.github.com/anonymous/90e7f03ad74a825280f82c1248631cb4
06:48 <@vpnHelper> Title: gist:90e7f03ad74a825280f82c1248631cb4 · GitHub (at gist.github.com)
06:51 < adac> lol my old docker contaier that had a vpn client runing was rstarted on reboot
06:52 < adac> that will explain it :D
07:28 < metaloxide> Ugh not even sure where to start with troubleshooting my vpn connection..
07:28 < metaloxide> Seems the Tunnel gets an IP address, I turned off Linux Firewall, seems to add the routes but still can't ping any of the gateways..
07:38 < |Mike|> metaloxide: topic ^^
07:39 < metaloxide> Mike--: Think I figured it out, sorry.
07:59 < devonrevenge> I have to wait 3 days so that vmware can confirm wehter or not they want me to use their vmware tools
07:59 < devonrevenge> in the meantime, using the vpn seems to make it reset
08:00 < devonrevenge> im getting 50% packet loss
08:02 < devonrevenge> can I connect tap0 on my host to the vm?
08:14 < BtbN> vmware tools are usually freely available guest tools oO
10:31 < cotty22> Hi. I remember there's a directive to make clients' IPs on the virtual network assigned incrementally, not randomly. I can't find it now.
10:33 < Kryczek> cotty22: Hi. I don't remember such a directive but I think it's possible to assign each client a static IP through the directory for per-client configs; maybe that can help?
10:35 < cotty22> Kryczek: Thank you. I don't mean static IPs. I mean when server assigns IPs it make it well-ordered. Like 10.0.0.2, 10.0.0.3, etc..
10:36 < cotty22> I already use ifconfig-pool-persist btw
10:39 < Kryczek> cotty22: I know I know :) I just meant maybe you could make client2 always be 10.0.0.2, client3 always 10.0.0.3, etc
11:42 < cotty22> I'm getting this error in OpenVPN for Android: OpenVPN core error: PolarSSL: error parsing config private key : PKCS5 - Requested encryption or digest alg not available
11:43 < cotty22> It seems OpenVPN in unable of decrypting my private key, because I still get the error even if I entered a wrong passphrase
11:43 < cotty22> is*
11:49 < Kryczek> cotty22: https://github.com/StarshipEngineer/OpenVPN-Setup/issues/40
11:49 <@vpnHelper> Title: OpenVPN core error : PolarSSL: error parsing config private key : PK - Invalid key tag or value · Issue #40 · StarshipEngineer/OpenVPN-Setup · GitHub (at github.com)
11:52 < Kryczek> cotty22: also it would be better to import your private key separately from OpenVPN, into the Android Keystore. In my OpenVPN config files for Android I only have <ca> and <tls-auth> :)
11:52 < Kryczek> I mean in terms of keys
11:53 < cotty22> Kryczek: That actually helped. How to use Android Keystore with OpenVPN?
11:56 < Kryczek> cotty22: OpenVPN somehow tries it all by itself, I do not have anything special in my OpenVPN config files other than the absence of client key and crt :)
11:57 < Kryczek> cotty22: https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-android-faq.html
11:57 <@vpnHelper> Title: OpenVPN Connect Android FAQ (at docs.openvpn.net)
11:57 < Kryczek> see Q: How do I use a client certificate and private key from the Android Keychain?
11:58 < cotty22> Kryczek: Thank you so much.
11:58 < Kryczek> cotty22: if you import the CA certificate inside the same file for the client cert and key, Android will complain that you are trusting a 3rd party CA
11:59 < Kryczek> cotty22: that's fine, you can then go in Android settings (or maybe tap that warning directly?) and delete the OpenVPN CA from there
11:59 < Kryczek> cotty22: then everything works fine as long as you have the OpenVPN CA within the config file between <ca> and </ca>
12:00 < cotty22> :)
12:02 < Kryczek> cotty22: have you found the solution to your earlier question of sequential IP address assignment by the way? :)
12:02 < cotty22> Kryczek: nah
12:05 < Kryczek> cotty22: it requires a bit more work but it's even better if you can assign static IPs: better traceability in case one of the client attacks a server inside your LAN for example, then you don't have to worry about what client had what IP at that time, and also if you ever need to connect *to* a client then you already know the IP :)
12:06 < Kryczek> the only problem would be if you have more clients than IP addresses to assign, but earlier you mentioned the 10.* range so it should be fine
12:08 < cotty22> Kryczek: yeah I decided to let it go that way
12:08 < cotty22> I don't see the benefit of Android Keystore because it only protects the client's key
12:09 < Kryczek> as opposed to what?
12:10 < cotty22> I mean I'll have many clients and if one of them didn't protect his this procedure will have no value at all
12:10 < cotty22> his key *
12:11 < Kryczek> cotty22: it reduces the risk: for example if you have 99 clients that have their private key held in hardware and 1 client that doesn't, then there is only 1% chance that malware on one of these clients would steal credentials to access your network, as opposed to 100%
12:14 < cotty22> Kryczec: correct. I prefered performance over security in my setup. AES-128-GCM. 2048 RSA. No tls-auth
12:14 < cotty22> because almost all of the clients are mobiles
12:15 < Kryczek> erm... how does that have better performance?
12:15 < cotty22> umm.. faster?
12:15 < Kryczek> Also, unless you are sure the mobiles have AES acceleration in hardware, you should use ChaCha20-Poly1305 instead if you want performance in mobiles
12:15 < cotty22> wtf lol
12:15 < Kryczek> cotty22: I mean using the Android Keystore does not affect performance at all, in fact it might even accelerate RSA
12:16 < cotty22> funny algorithm name
12:16 < Kryczek> yeah... I didn't choose it
12:16 < Kryczek> https://blog.cloudflare.com/do-the-chacha-better-mobile-performance-with-cryptography/
12:16 <@vpnHelper> Title: Do the ChaCha: better mobile performance with cryptography (at blog.cloudflare.com)
12:16 < cotty22> Kryczek: I mean the keysizes and ciphers. I know Android Keystore is better anyway
12:17 < Kryczek> cotty22: I don't understand, Android Keystore supports RSA so you don't need to change keysizes or anything o_O
12:17 < Kryczek> cotty22: also I would strongly suggest that you do use tls-auth if you want to protect from attacks like Heartbleed
12:18 < cotty22> Kryczek: You didn't get my point. I mean I used 2048 RSA instead of 4096. AES 128 instead of 256.
12:19 < Kryczek> that's fine
12:19 < cotty22> Android Keystore will accept any key that's not the point
12:19 < Kryczek> but still no excuse to not use the Keystore ;)
12:19 < cotty22> I'll use it
12:19 < Kryczek> ah :)
12:19 < cotty22> you happy now? ;)
12:20 < Kryczek> what kind of mobile devices are they? All recent Android phones?
12:21 < cotty22> Kryczek: not all of them. mostly Android 6 and above but there's version 4 too
12:23 < cotty22> Kryczek: Doesn't tls-auth consumes more power? I mean it encrypts every packet going to the server even if the packet is already encrypted
12:24 < Kryczek> cotty22: no no it's only in the beginning
12:24 < cotty22> Kryczek Are you sure?
12:24 < Kryczek> cotty22: when a client connects it authenticates with the RSA key and then a temporary AES key is agreed upon, for the bulk of the traffic
12:25 < Kryczek> the tls-auth key is only to protect that part at the beginning, to avoid having complete strangers try to negotiate with (and potentially exploit flaws in) your server
12:25 < cotty22> in that way I'll enable it
12:26 < cotty22> Kryczek: You are a really helpful person because I asked the exact question above a week ago and no one gave me an answer
12:27  * Kryczek blushes
12:27 < Kryczek> thank you ^^
12:27 < cotty22> ^^
12:31 < devonrevenge> hey im doing oscp, I changed the OS I changed to ethernet but the vpn is still unstable
12:32 < devonrevenge> particularly when I use things that use a fair bit of bandwidth like ssl
12:33 < Kryczek> devonrevenge: are you by any chance filtering ICMP along the way?
12:34 < devonrevenge> whut now?
12:34 < devonrevenge> not that im aware of
12:35 < Kryczek> many admins mistakenly drop all ICMP packets, which includes Fragmentation Needed messages, and that would explain things like SSL hanging due to big Client/Server Hello packets
12:36 < Kryczek> devonrevenge: try replacing your WiFi with an Ethernet cable temporarily, it might be a wonky WiFi adapter/driver
12:36 < devonrevenge> I got a bt router
12:36 < devonrevenge> I got a powerline extender
12:36 < devonrevenge> same problem as when I had wifi
12:36 < devonrevenge> but I cant use ethernet in this house there will be drama
12:36 < Kryczek> just temporarily?
12:37 < Kryczek> as it so happens I am starting to suspect my powerline extender to my TV of being the cause of all the Netflix buffering lately
12:37 < Kryczek> but if it's behaving exactly the same as with WiFi then that would be unlikely to be the cause
12:38 < Kryczek> devonrevenge: what kind of VPN connection is it by the way? TCP or UDP?
12:38 < devonrevenge> im using tap I couldnt tell you what kind, did they give us a choice?
12:38 < devonrevenge> it behaves like udp
12:38 < devonrevenge> but I dont know
12:38 < devonrevenge> I havent been using args to start it
12:39 < Kryczek> devonrevenge: in the OpenVPN config file, does it say "proto tcp" or "proto udp"
12:39 < devonrevenge> Im not sure if I have a choice is OSCPs vpn
12:40 < devonrevenge> neither :O
12:41 < devonrevenge> oh its udp
12:41 < devonrevenge> says remote fsefse.sfsefesf.fse 1194 udp
12:42 < Kryczek> that's good
12:42 < Kryczek> now look at the logs of OpenVPN to see if it gives any warnings or errors when you experience problems
12:43 < Kryczek> you can also monitor the traffic with tcpdump and/or wireshark
12:55 < devonrevenge> the oscp guys are looking
14:43 < nktech1135> Hi all. I'm having a problem with a new setup of openvpn. The client connects to the server and can ping the server. However, the client can't ping any devices on the server network. The inverse is true however, the server can ping the client side. Any thoughts/help? Where can i start?
14:48 < nktech1135> client is a pfsense firewall and the server is windows.
15:00 < nktech1135> Where can i see the tun adapter settings in windows?
15:42 < eelstrebor> nktech1135, ipconfig /all (from the cli of course)
15:43 < nktech1135> i'm realizing that now. However, when i asked the question i didn't realize that tun and tap used the same interface on the server side.
16:03 -!- Kryczek_ is now known as Kryczek
19:53 -!- sunrunner20_ is now known as sunrunner20
20:13 < cluelessperson> hey guys, sorry to bother you, some reason I can connect to my vpn from INSIDE my network, but not from outside, the port is forwarded, but the TLS handshake fails
20:13 < cluelessperson> if the client cert were bad, it wouldn't work inside the network though
20:14 < cluelessperson> error message:
20:14 < cluelessperson> Thu Aug 10 20:11:21 2017 us=638766 192.168.0.253:56179 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA512,keysize 128,key-method 2,tls-client'
21:24 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
21:27 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
21:27 -!- mode/#openvpn [+o krzee] by ChanServ
22:21 < cluelessperson> I get handshake failed when I try to connect from outside my lan
22:21 < cluelessperson> I don't get it
22:22 < cluelessperson> hm
22:23 < cluelessperson> inside network -> public ip -> server ack, fails
22:23 < cluelessperson> oh, I think it's because I'm trying my public ip from within it
22:23 < cluelessperson> causing a upnp conflict
22:23  * cluelessperson tries phone
22:24 < skyroveRR> !ask
22:24 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
22:24 < skyroveRR> Read #2.
22:32 < cluelessperson> skyroveRR, I already detailed my issue, although it's been over a long timeline.
22:33 < cluelessperson> skyroveRR, Sorry, it sometimes just helps me to talk.  you know, the rubber ducky thing.
22:53 < stochastix> Can someone help me understand something. Is this person explaining how to run openvpn over an ssl tunnel? https://snikt.net/blog/2016/12/01/openvpn-over-https/  Ive read how you can do this with stunnel or something, But i dont quite get what this person is getting at.
22:53 <@vpnHelper> Title: Andreas Happe - How to hide OpenVPN behind HTTPS/SSL (at snikt.net)
22:56 < stochastix> It looks like they eventually have a web service running on port 4443 , and the the "port-share 127.0.0.1 4443"  setting in the server conf file is the magic command to tell openvpn to do some sort of sneaky transparent openvpn service that when contacted by an openvpn client, does regular vpn connection, but when contacted by a normal web client, passes through to the web server and serves up what nginx has ready.
22:57 < stochastix> I dont get how this evades deep packet inspection, because your openvpn server is still being connected to on port 443 with openvpn's protocol(not regular TLS)
22:57 < stochastix> I think
22:59 < stochastix> I dont see anything in this persons setup that suggests the openvpn client is going out through port 443 using regular TLS, and tunneling the openvpn connection through that. Unless i am really missing it.
23:13 < stochastix> They say near the beginning "A commonly suggest way about the egress firewall is to just use the HTTPS port (tcp/443) for the openvpn traffic. This might work in some situations, but as soon as deep-packet inspection is performed this is not feasible anymore."   However, From what I see, they didnt take any steps that evade deep packet inspection when connecting with the openvpn client.
23:36 < as2333> I'm trying to do PC ----> tor ---> vpn ----> inet
23:36 < as2333> openvpn seems to connect just fine but then after some seconds I get
23:36 < as2333> Fri Aug 11 01:30:12 2017 [_.opengw.net] Inactivity timeout (--ping-restart), restarting
23:36 < as2333> Fri Aug 11 01:30:12 2017 TCP/UDP: Closing socket
23:37 < as2333> and it keeps restarting every 5 seconds or so.
--- Day changed Fri Aug 11 2017
00:26 < cluelessperson> as2333, maybe look at the "keepalive" variable
00:27 < as2333> cluelessperson, thanks, let me check that
02:23 -!- SerusWor1 is now known as SerusWork
02:30 -!- SWAT_ is now known as SWAT
06:30 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
06:30 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
06:30 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
06:31 -!- mode/#openvpn [+o mattock] by ChanServ
06:33 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
06:33 -!- mode/#openvpn [+o krzee] by ChanServ
07:24 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 260 seconds]
07:24 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
07:25 -!- mode/#openvpn [+o mattock] by ChanServ
08:07 < shaggycat> Hi all! I'm using  easy-rsa. I changed something in the server settings, and now I always have an error when I try to generate certificate:  error creating name index:(2,22,23) // As I see, any new certificate easy rsa create for subject which I have in the vars file here:  export KEY_CN=
08:07 < shaggycat> If i disable unique names, I can generate the cert,
08:08 < shaggycat> but all new certs create for this one client
08:08 < shaggycat> I want to understand what I need to roll back in the settings to return a feature - create new certificates to news hosts always
08:10 < shaggycat> https://pastebin.com/G2r31w7f it's my vars file
11:14 < m0rd3cai> So i've got a weird issue i hope someone can help with. im running openvpn on a VPS located in US, a few states from me. as of a couple days ago, now when i connect to my VPN and websites that access your location (i.e. Google) redirects me straight to google.com.co which has never happened before.
11:15 < m0rd3cai> im not sure where to even start looking other than the logs
11:15 <@dazo> !logs
11:15 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
11:15 <@dazo> !configs
11:15 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
11:31 < m0rd3cai> !logfile
11:31 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
11:35 <@ecrist> shaggycat: what version of easy-rsa are you using?
11:36 <@ecrist> line 78 shouldn't be set
11:37 <@ecrist> by defining that there, you won't be prompted for it
11:39 <@ecrist> m0rd3cai: when you're connected to your VPN, you are redirected to google.com.co?  for more than one site, or do other site redirect you to other places?
11:42 < DArqueBishop> Hey ecrist, mind if I ask you a dumb question?
11:44 < DArqueBishop> The easy-rsa on Github for Windows - can that be run off a thumb drive?
11:44 < m0rd3cai> @ecrist ive only noticed it on google as of right now
11:45 <@ecrist> DArqueBishop: it's never stopped you before... ;)
11:45 < m0rd3cai> as for now, just google.
11:45 <@ecrist> yes, it can, assuming you have all the prerequisites.
11:45 < DArqueBishop> No, it certainly hasn't. ;-)
11:46 <@ecrist> m0rd3cai: what is your "new" external IP when you're on the VPN?
11:46 < m0rd3cai> the correct public IP assigned to my vps
11:46 <@ecrist> I suspect google thinks it's Mexico, or something similar.
11:46 <@ecrist> m0rd3cai: what is that IP?
11:46 < m0rd3cai> ecrist: im thinking so too
11:47 < m0rd3cai> 104.156.250.X based out of Piscatawah, New jersey
11:47 <@ecrist> that's not Mexico
11:48 <@ecrist> neato, I use Vultr, too
11:49 <@ecrist> Many of the geoIP databases show that out of NJ
11:49 <@ecrist> not sure why google would redirect to .co
11:49 < m0rd3cai> http://picpaste.com/iplocation-4V1hbW7A.JPG
11:49 < m0rd3cai> yea i have no idea either. it just recently changed in the last week or so
11:52 <@ecrist> if you manually go to google.com, does it give you an option to "make this my google home page"?
11:52 <@ecrist> some sites do that 
11:52 < m0rd3cai> nope
11:52 < m0rd3cai> auto redirect to .com.co
11:52 < m0rd3cai> i think thats columbian
11:52 -!- Patch_ is now known as Patch
11:54 < m0rd3cai> ecrist: really? ive had good experience with them and reasonable per month cost
11:56 < DArqueBishop> ecrist: FYI, https://www.openssl.org/related/binaries.html as given in README-WIndows.txt gives a 404.
13:01 < vectr0n> is it possible to stop clients from using password files?
13:29 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
13:31 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
13:31 -!- mode/#openvpn [+o krzee] by ChanServ
14:09 <@ecrist> vectr0n: no
14:38 < vectr0n> ecrist, ty didnt think it was possible
17:20 < Eugene> $CUSTOMER is running into a problem with OpenVPN for Android(de.blinkt.openvpn). Apparently it is not handling DNS queries. Sadly I don't have the device in front of me, but I found https://www.codeword.xyz/2016/09/08/solving-openvpn-dns-issues-on-android-clients/ which seems to make sense
17:20 <@vpnHelper> Title: Solving OpenVPN DNS Issues on Android Clients (at www.codeword.xyz)
17:20 < Eugene> Anybody else run into this / can confirm that it is an Android SNAFU? Basically I am trying to tell my customer that we told them Android isn't supported, they're trying to use it anyway, and it doesn't work. Duh.
17:20 < Eugene> But its nice to be certain
--- Day changed Sat Aug 12 2017
09:10 < banco> Hi, guys, I'd like to know if it's possible to run openvpn in unprivileged mode and in chroot at the same time? It works fine separately but if I enable them at the same time, then it gives me an error:
09:10 < banco> chroot to '/var/lib/openvpn' failed: Operation not permitted (errno=1)
09:10 < banco> But based on this link it seems that it should work somehow:
09:10 < banco> http://blog.dornea.nu/2015/11/17/openvpn-for-paranoids/
09:10 <@vpnHelper> Title: OpenVPN for paranoids - blog.dornea.nu (at blog.dornea.nu)
09:11 < BtbN> chroot first, then drop privileges
09:13 < banco> Mmm, I mean unprivileged as it described here:
09:13 < banco> https://community.openvpn.net/openvpn/wiki/UnprivilegedUser
09:13 <@vpnHelper> Title: UnprivilegedUser – OpenVPN Community (at community.openvpn.net)
09:13 < banco> I.e. start the process from the openvpn user/griup
09:14 < BtbN> If you're not letting openvpn itself drop permissions, it won't ever be able to chroot
09:15 < banco> I think so as well, but I may be mistaken, because in the first link it works for some reason (see the log at the end)
09:17 < BtbN> The log there is launching openvpn as root.
09:17 < BtbN> The thing you linked launches openvpn as unprivileged user. So it can't possibly chroot.
09:17 < BtbN> Just use openvpns own capabilities to drop privileges instead
09:18 < banco> You're right, missed it
09:18 < banco> Thanks, I'll just use chroot and openvpn permissions drop
12:16 < devster31> !welcome
12:16 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
12:16 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
12:17 < devster31> !route
12:17 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
12:19 < devster31> !iporder
12:19 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
12:19 < devster31> !redirect
12:19 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
12:19 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
12:20 < devster31> Hi, I'm trying to find again the wiki page that explained how to set up routes on a router to allow external client to connect to the OpenVPN server within the LAN, is there a command?
12:23 < devster31> ok, this should be it -> https://secure-computing.net/wiki/index.php/Graph
12:23 <@vpnHelper> Title: Graph - Secure Computing Wiki (at secure-computing.net)
12:23 < devster31> !goal is it possible to have this kind of setup automated in some way? So that when a new server starts on the lan it adds configured routes to the router?
12:24 < devster31> !goal
12:24 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:24 < devster31> is it possible to have this kind of setup automated in some way? So that when a new server starts on the lan it adds configured routes to the router?
12:38 < banco> It depends on your router capabilities. In general you can automate the add/del of the routes via ssh.
13:06 -!- rax-Y is now known as rax-
13:11 < devster31> ok, and is there no protocol that does so?
13:45 < banco> There's no such thing as far as I know. THe easiest way is to add/del routes on router in up/down scripts of the OpenVPN servers. You can do it in other ways, for example, run openvpn server on the router and connect from every openvpn servers to the router and push the routes to be added on router via UV_ client variables in push-peer-info option, then in the client-connect/client-disconnect you caan
13:45 < banco> pasre these variables and add/dev routes.
13:46 < banco> *fix* THe easiest way is to add/del routes on router in up/down scripts of the OpenVPN servers via ssh.
14:01 < megaTherion> can I somehow disable the usage of ipv6 (also the gathering of an IPv6 address + route)?
17:40 < nacelle> megaTherion: you have to specifically enable ipv6, so just dont and you're fine
17:45 < megaTherion> nacelle: I tried, didnt help
17:45 < megaTherion> I've had tun-ipv6... I've commented it out but I still get an default ipv6 route
17:52 < nacelle> are you not the server, just the client?
17:52 < megaTherion> aye
17:52 < nacelle> ahhh.
17:53 < nacelle> not quite the same thing :|
17:53 < megaTherion> oh :|
17:55 < nacelle> what client os?
17:55 < megaTherion> Linux
17:55 < nacelle> you can disable ipv6 on the nic for some of them, etc., not sure if that helps
17:55 < nacelle> (or just disable it outright if you dont care about it)
17:56 < nacelle> i dont know otherwise :|
17:56 < megaTherion> I see, you mean disable on tunnel device
17:56 < nacelle> :{
17:56 < megaTherion> could try
17:56 < megaTherion> ah its okay, thanks :)
17:56 < nacelle> i'd like to know!
22:03 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:13 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:13 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Sun Aug 13 2017
00:32 -!- r00t^2_ is now known as r00t^2
08:38 < reinar> Hello! Does anybody know if no-replay option is still supported? Tried to enable it on both server/client, got Assertion failed at crypto.c:81 (packet_id_initialized(&opt->packet_id))
08:39 < reinar> client version is 2.4.3, server 2.4.0 (ArchLinux as client, Debian 9 as server)
08:42 < reinar> AFAIK - since there's no packet id's in case of no-replay, it's ether regression or devs dropped the support for this, but didn't delete the option
08:48 < reinar> cipher is AES-256-GCM, from the sources it looks like it's impossible to use no-replay with AEAD ciphers
08:50 < reinar> packet id accessed and checked unconditionally while encrypting/decrypting
08:51 < stew[m]> !welcome
08:51 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
08:51 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
09:00 < reinar> as for goal - I need to deliver RTP multicast packets over vpn as fast as possible, security is good, but not that much of a concern, so I'd like to use no-replay
09:20 < reinar> btw, found a workaround in using non-AEAD cipher (AES-128-CBC), but it might be a good idea to provide some warning that AEAD ciphers and no-replay don't work well together
11:09 < |Mike|> Hah! Nearly weekend o/ o/
11:50 < eelstrebor> is softether vpn able to establish connections with openvpn clients?
12:02 < |Mike|> eelstrebor: https://www.softether.org/1-features/1._Ultimate_Powerful_VPN_Connectivity#Support_OpenVPN_Protocol
12:02 <@vpnHelper> Title: 1. Ultimate Powerful VPN Connectivity - SoftEther VPN Project (at www.softether.org)
12:03 < |Mike|> The advantages to adopt SoftEther VPN Server instead of old OpenVPN Server program are as follows <== *sigh*
12:47 < redrabbit> they claim higher throughput
12:47 < redrabbit> i do have softether installed, never tried to connect to my own vpns with it though
13:07 < redrabbit> im trying to use an ovpn file to connect to my server on softether
13:08 < redrabbit> i can tell, its not obvious how to do it
13:08 < redrabbit> meh
13:11 < redrabbit> "You can use a OpenVPN Client to conect to a SoftEther server but not vice versa."
13:11 < redrabbit> righttt
13:11 < redrabbit> :D
14:59 < vpnvpn> hi, my name is vpnvpn and my problem is probably firewall :)
15:00 < vpnvpn> anyone willing to help with this? I'm pretty much at my wits' end...
15:01 < vpnvpn> basically - I have a similar layout in two sites: a box which is used only for VPN (server in one place, client in the other), which is not the local router
15:02 < vpnvpn> I am able to establish an OpenVPN connection between the two locations (using tun over UDP), I can ping from the client side to the server side (including from LAN box on client side to LAN box on server side)
15:03 < vpnvpn> now this is where it gets interesting: as I said, I can ping from client side and can even open an ssh connection to the server-side LAN box
15:03 < vpnvpn> but I cannot connect to the server-side LAN machine over HTTP or HTTPS
15:04 < vpnvpn> i.e. the request gets there (I can see it in tcpdump), but nothing ever comes back
15:05 < vpnvpn> any ideas? I am probably missing some iptables magic, but no idea where/what...
19:07 < nacelle> servers route back needs to match the vpn
19:07 < nacelle> eg its probably routing yer vpn range out the internet instead of back to your vpn
21:12 < eelstrebor> i'm trying to figure out if my clients are routed thru vpn via a router set up as a vpn client to the vpn server running on another router on my network
21:12 < eelstrebor> pc clients -> client bridge router (vpn client) -> main router (vpn server)
21:13 < eelstrebor> traceroute doesn't show connections with the vpn server from the pc clients
21:15 < eelstrebor> the main router and client bridge router shows an established connection
21:15 < eelstrebor> i have a pc client that is wired directly to the main router that has an established vpn connection with the main router (vpn server) that does show a connection to the vpn server when i run traceroute
21:18 < eelstrebor> i guess i should see if i can get wireshark to work to help with diagnosis but it has never worked "out of the box" for me
21:22 <@ordex> eelstrebor: what you should check first is if all the routes are setup properl
21:22 <@ordex> eelstrebor: first of all, does the vpn client properly use the vpn server as gateway to the internet ?
22:03 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:13 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:13 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Mon Aug 14 2017
08:05 -!- indy_ is now known as indy
10:05 < eelstrebor> ordex, i'm not sure if i got the client set up right - if i'm reading the output of ip route show properly, the pc's connected to the client bridge don't get routed thru the vpn tunnel between the client bridge (vpn client) and the main router (vpn server) - i suppose i can post the output to pastebin but i'd have to change the addresses to "protect the innocent"
10:10 < eelstrebor> ip route show as executed on the client bridge router: https://paste.ubuntu.com/25312699/
10:12 < eelstrebor> none of the attached pc's are configured to use openvpn - my aim is to provide an encrypted connection between the client bridge with open vpn without making the individual pc's use openvpn client
10:13 < eelstrebor> the connection between the main router and client bridge router is wireless, of course
10:55 <@dazo> eelstrebor: why do you bridge?
11:01 < eelstrebor> dazo, it's not an openvpn bridge - it's a wireless router bridge because computers are in different rooms
11:01 < eelstrebor> some of the devices can't be set up as openvpn clients
11:02 < eelstrebor> i.e. smart tv's, roku's etc
11:07 <@dazo> ahh, okay
11:08 <@dazo> so .... {internet}-[fw/openvpn client]----[WLAN AP]----[wifi devices] .... is that correctly understood?
15:51 < eelstrebor> dazo, nope
15:54 < eelstrebor> {internet}-[fw/openvpn server/wireless AP----[wireless client bridge/openvpnclient]----ethernet devices
16:08 <@ordex> eelstrebor: sorry, just woke up
16:08 <@ordex> :D
16:08 <@ordex> !clientlan
16:08 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
16:08 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
16:08 <@ordex> eelstrebor: have you followed this?
16:08 <@ordex> openvpn needs to be aware of the LAN behind a client, you can't just setup a route
16:52 < eelstrebor> ordex, all devices are on the same subnet - the individual device can see the vpn server - i'm just trying to get the devices to use the vpn channel that's being used between the client bridged router and the main router
16:53  * eelstrebor doesn't know how to explain it any better than that
16:54 < eelstrebor> the pc's can be setup as an openvpn client but otherdevices like smart tv's, roku's and bluray players don't have that option
16:55 <@ordex> eelstrebor: your previous description was better ahah
16:55 <@ordex> anyway
16:55 <@ordex> you said that it works in one direction, no?
16:55 <@ordex> i.e. devices behind the vpn-client can contact devices/PCs behind the vpn-server, right?
16:57 < eelstrebor> no, i have an established openvpn connection between the client bridge router (the openvpn client) and the main router/WAP where the openvpn server is running - i just want the ethernet clients that are connected to the bridged router to use that tunnel
17:00 < eelstrebor> it's a wireless bridged router - not an openvpn bridge
17:03 <@ordex> eelstrebor: oky. do the Ethernet client have the bridge router set as default gateway ?
17:03 <@ordex> because the first step is to ensure they send all the traffic to the client
17:03 <@ordex> vpn-client*
17:04 <@ordex> if this bridge router/vpn client runs the dhcp server, this should be already in place
17:05 < eelstrebor> no, i kinda figured that may be the problem - the individual devices get their dhcp service from the main router which is the gateway that the individual devices use
17:06 <@ordex> ah because the VPN client is not running on your LAN GW
17:06 <@ordex> I see
17:07 <@ordex> well, you could configure the DHCP server to inject the VPN client as default route instead of itself
17:07 <@ordex> this means that every device in the LAN will use the VPN client as default GW and therefore Internet won't work when the VPN client is down
17:08 <@ordex> another solution is to statically configure the devices you want
17:08 <@ordex> statically == assign static IP settings instead of DHCP
17:10 <@ordex> eelstrebor: does it make sense?
18:25 < eelstrebor> ordex, i wish the fix was simple
18:51 <@ordex> eelstrebor: well, it is not "complex" per se .. but it's your setup that is implicitly complex :P
18:52 <@ordex> eelstrebor: as I said, the easiest solution is to let your dhcp assign a specific default route (the vpn client) so all the devices will send the traffic there
18:54 -!- Netsplit *.net <-> *.split quits: |Mike|, +hyper_ch, @krzee, +s7r
18:58 -!- |Mike| [~mike@178.255.49.239] has joined #openvpn
18:59 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
18:59 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:59 -!- ServerMode/#openvpn [+vv hyper_ch s7r] by orwell.freenode.net
18:59 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
18:59 -!- ServerMode/#openvpn [+o krzee] by orwell.freenode.net
19:00 -!- Netsplit *.net <-> *.split quits: |Mike|
19:02 -!- Netsplit over, joins: |Mike|
19:15 < as2333> I'm trying to use openvpn via a socks proxy (tor) -  I can't get it to work because after the openvpn client connects to the opv server it changes the routing table and tor gets disconnected (I think that;s the problem). Any hint/link to an explanation on how to do it properly?
19:17 < |Mike|> as2333: /topic please.
19:17 <@ordex> as2333: maybe with some policy routing where the new default route over the VPN is applied only for connection having as source address the one of the VPN?
19:23 < as2333> ordex, I guess some routing trick should fix this but I've no clue which one.
19:24 <@ordex> as2333: asI said, look into policy routing
19:24 <@ordex> that cna help you to apply routing rules based on the source address
19:25 < as2333> cna?
19:26 < as2333> !welcome
19:26 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
19:26 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
19:38 <@ordex> as2333: *can
19:39 < as2333> ordex, ah, sorry, I didn't get it was a typo
19:48 < as2333> ordex, anyway  thanks for replying. I guess I'll give a try to the tor channel
19:49 <@ordex> as2333: sure. not sure what's wrong with my suggestion though :P
19:50 <@ordex> I have done that this way
19:50 < as2333> ordex, oh there's nothing wrong with your suggestion. The only problem is that I don't know enough about routign to implemente it =)  ={
21:42 < redrabbit> so i have two IPs on the interface eth0 and eth0:0 on my Vps
21:43 < redrabbit> if i type   curl -vvv --interface 145.229.12.65 monip.org  it does use 145.229.12.65 so i can use it to connect to the web
21:43 < redrabbit> however the default interface is 92.12.56.32, when i type curl monip.org it returns 92.12.56.32
21:44 < redrabbit> same when i use the openvpn server as a default gateway for the clients
21:44 < redrabbit> i would like to use 145.229.12.65 as a default gateway for the clients
21:44 < redrabbit> instead of 92.12.56.32
21:45 < redrabbit> i tried messing with default gateway setting and i had to reboot and use the kvm to restore it
21:45 < redrabbit> ^^
21:45 < redrabbit> also, the server is bound to 145.229.12.65 and only listen to that
22:05 < redrabbit> well.. solved it
22:05 < redrabbit> had to change the default gw for the whole machine
23:08 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 276 seconds]
23:08 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
23:08 -!- mode/#openvpn [+o syzzer] by ChanServ
23:36 < _bradk> bit of a strange one - i'm new to openvpn, i've deployed a running instance on centos7 and configured the iptables masquerade - i can connect to the tunnel remotely
23:36 < _bradk> but can't pass any traffic over it
23:37 < _bradk> the gateway that gets supplied to my pc is 10.8.0.5 for my internal network (it also changes the default-gateway to 10.8.0.5 which i'd like to stop from happening as well)
23:37 < _bradk> but it's as if the gateway-provided ip is not actually up
--- Day changed Tue Aug 15 2017
00:21 < _bradk> update: i have fixed this
00:21 < _bradk> it was comp-lzo being enabled on client side but not server side
00:22 < _bradk> only last issue, i've commented out pushing default-gateway (i want to split-tunnel, so only route traffic through the vpn that i specify)
00:22 < _bradk> but when i connect, it still gets the default gateway pointing to openvpn
00:39 < _bradk> any ideas?
01:10 <@ordex> _bradk: have you removed the option on both server and client ?
01:10 <@ordex> maybe pasting the configs would be helpful
01:10 <@ordex> !configs
01:10 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
01:10 < _bradk> ordex: yes, it's not present in the client config
01:11 < _bradk> and i originanly enabled it on the server
01:11 < _bradk> and then commented it out , i tried with # first and then ; second
01:11 <@ordex> yeah, checking the config is a good idea at this point then
01:11 < _bradk> still no deal
01:11 <@ordex> and also the client log would be helpful
01:11 <@ordex> !logs
01:11 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
01:11 < _bradk> where do the windows clients log to?
01:12 < _bradk> i'm happy to just have a "no default-gateway" option in the client config if that will work
01:12 < _bradk> i am pushing a single /24 from the server which i would like to keep doing
01:12 <@ordex> I think that depends on your config: "log /path/to/file"
01:12 <@ordex> _bradk: I'd suggest to start pasting the configs anyway
01:21 < _bradk> hmm, i'll post them when i leave the office
01:22 < _bradk> i guess since everything is working now, it's not a huge prob;em
01:22 < _bradk> but not ideal
01:22 < _bradk> last question - is there an easy way i can enable local user authentication for these connections?
01:38 <@ordex> _bradk: what does it mean exactly ?
01:42 < _bradk> when i connect to this vpn now
01:42 < _bradk> it automatically just connects me
01:42 < _bradk> i would like a challenge for a username/password - preferably which is local to the server
01:43 < _bradk> to validate that "john smith is permitted to login to this vpn"
01:43 <@ordex> _bradk: that is what certificates are for
01:43 <@ordex> and in theory the certificates are held by the user launching the openvpn client
01:44 <@ordex> anyhow, you can enable user/pass authentication
01:44 <@ordex> _bradk: you can check for --auth-user-pass-verify in the manpage
01:44 < _bradk> i was planning on giving access to a few friends, but would like the ability to revoke access easily without disrupting everyone
01:44 < _bradk> oh great, thanks!
01:45 <@ordex> _bradk: why not giving each of your friend a different certificate?
01:46 <@ordex> or are they all going to use the same PC with the same user?
01:46 < _bradk> i'm not too sure how to do that yet, but that sounds like a good idea
01:46 < _bradk> nah, i'm building out a lab at home with lots of resources
01:46 <@ordex> one certificate per client is the "standard" setup
01:46 < _bradk> and i'm being a good friend and letting them freeload some of those resources
01:46 <@ordex> :)
01:47 < _bradk> i won't be able to use everything myself lol
06:18 < gavit> morning
06:19 < gavit> my connection to the internet through vpn seems slower than normal. I am unsure if my network settings have changed, how can I best debug the situation?
07:06 <+hyper_ch> krzee: http://apenwarr.ca/log/?m=201708#10
07:07 <@vpnHelper> Title: 201708 - apenwarr (at apenwarr.ca)
07:31 < redrabbit> _bradk: yeah issue one cert per client
07:31 < redrabbit> https://designdesk.org/security/setup-openvpn-vps-local-server under "Add more clients"
07:31 <@vpnHelper> Title: OpenVPN server setup (at designdesk.org)
07:53 < |Mike|> gavit: could be that your ISP is having problems ?
08:08 -!- gthank is now known as gthank_away
08:08 -!- gthank_away is now known as gthank
08:08 -!- gthank is now known as gthank_away
08:09 -!- gthank_away is now known as gthank
08:22 < gavit> |Mike|: how can one 'see' that?
08:51 < |Mike|> gavit: support page, speedtest etc? heaps of possible tests :)
09:13 <+hyper_ch> sweet, now i have automatic adserver list in my hosts file :)
09:14 < |Mike|> mind to share? ;)
09:14 <+hyper_ch> |Mike|: https://github.com/sjau/nixos/blob/master/configuration.nix#L172  - not sure if that's useful for you
09:15 <@vpnHelper> Title: nixos/configuration.nix at master · sjau/nixos · GitHub (at github.com)
09:15 <+hyper_ch> whenever I issue a build on my notebook, it'll fetch latest list
09:18 < |Mike|> https://pgl.yoyo.org/adservers/serverlist.php?showintro=0;hostformat=hosts <3
09:18 <@vpnHelper> Title: Ad server hostnames for blocking ads (format: hosts -- in hosts file format) (at pgl.yoyo.org)
09:18 < |Mike|> Needed something like that :-)
09:19 <+hyper_ch> best would be to run a local dns server that creates master zone files for all those entries
09:19 <+hyper_ch> so that all devices in your network are protected
09:20 < Garogat> Do I have to use a bridge for tap even on my client?
09:20 <@ecrist> !tunortap
09:20 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
09:20 <@vpnHelper> rooted/jailbroken) support only tun
09:21 <@ecrist> Garogat: you don't have to use bridge mode with tap adapter, but it's best to avoid tap adapter if you can
09:23 < Garogat> I really need tap. So I should be able to request my IP over DHCP on tap0?
09:23 < |Mike|> hyper_ch: only running 1 device in this network. Just automated it with Puppet :))
09:23 <+hyper_ch> |Mike|: https://pgl.yoyo.org/adservers/
09:23 <@vpnHelper> Title: Blocking with ad server and tracking server hostnames (at pgl.yoyo.org)
09:23 <+hyper_ch> there's also other list formats :)
09:28 < |Mike|> thanks sir!
09:34 <@plaisthos> Garogat: windows only with obscureoptions
09:34 <@plaisthos> openvpn normally assign the ip even in tap mode
09:34 <@ecrist> Garogat: yes
09:35 <@ecrist> note that using tap will preclude use of any mobile platform clients
09:35 <@plaisthos> (or for briding devices behind the openvpn client/server should work with dhcp)
09:36 < Garogat> My client in this case is a single linux system. So openvpn handles dhcp for me?
09:36 <@ecrist> typically, openvpn provides the IP address, depending on the arguments you set in the server
09:38 < Garogat> https://gist.github.com/Garogat/1c2adbd5977f92109b862d3619afadb8
09:38 <@vpnHelper> Title: gist:1c2adbd5977f92109b862d3619afadb8 · GitHub (at gist.github.com)
09:40 < Garogat> My Server has a dnsmasq as dhcp server.
09:40 <@ecrist> if you're trying to do a DHCP relay, you'll need to enable --server-bridge
09:41 <@ecrist> maybe you should start with this, Garogat 
09:41 <@ecrist> !goal
09:41 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:41 <@ecrist> Your route pushes conflict, too
09:41 <@ecrist> line 26 isn't needed with line 28
09:43 < Garogat> goal: access the lan behind two of my clients
09:45 <@plaisthos> why do you think you need tap for that?
09:45 <@plaisthos> any non IP protocols?
09:46 <@plaisthos> otherwise see
09:46 <@plaisthos> !iroute
09:46 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
09:46 <@plaisthos> and
09:46 <@plaisthos> !ipforwarding
09:46 <@plaisthos> !forward
09:46 <@plaisthos> !ipforward
09:46 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
09:47 <@ecrist> I'd guess ~99% of people who think they need tap are wrong
09:48 < havoc> tap+bridging has it's legitimate uses, they are just few/rare
09:48 < havoc> its
09:54 < DArqueBishop> !clientlan
09:54 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see
09:54 <@vpnHelper> !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
10:38 < Garogat> i am running a failover cluster over vpn and the offline detection needs multicast.
13:13 < Garogat> why cant i get an ip for my client? https://gist.github.com/Garogat/6f1cbb8d7b2b328fda4c477c916fdde7
13:13 <@vpnHelper> Title: gist:6f1cbb8d7b2b328fda4c477c916fdde7 · GitHub (at gist.github.com)
13:20 < BtbN> If this is a static key peer to peer vpn, you need to configure it
13:38 < Garogat> why static key?
13:38 < Garogat> i am using normal certificates with tls
13:40 < |Mike|> why're you using a 512bit key anyway? ;)
13:40 < |Mike|> Line 27 kinda explains it for you
13:41 < |Mike|> Tue Aug 15 20:09:21 2017 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
13:41 < |Mike|> !route
13:41 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
13:41 < |Mike|> and ehm; DON'T SKIM IT
13:58 < johnfg> hi folks
13:59 < johnfg> I've got a bit of a problem: at the office, my clients don't connect to the server when I'm using it's name: church.spirit.org.  I have to use 192.168.0.107.
14:00 < johnfg> However, from my home, the same client can use the fqdn.
14:00 < johnfg> Can I fix this somehow?
14:06 -!- Netsplit *.net <-> *.split quits: @syzzer
14:07 < Poster> johnfg: can you elaborate more on your topology, is "office" the VPN client and "church.spirit.org" at a remote location from the "office" ?
14:08 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
14:09 <@dazo> johnfg: try adding --multihome to your server configuration
14:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
14:10 -!- mode/#openvpn [+o syzzer] by ChanServ
14:11 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
14:11 -!- mode/#openvpn [+v RBecker] by ChanServ
14:11 <@dazo> I've also made it work using a port-nat hack when --multihome didn't work ... iptables -t nat -A PREROUTING -d 192.168.0.107 -p udp --dport 1194 -j DNAT --to-destination x.x.x.x:1194   .... where x.x.x.x is the public IP address of your VPN server.  This needs to be applied on your main gateway.  Also, consider this NAT approach a HACK. The preferred and recommended solution is --multihome
14:14 < johnfg> the server is actually at the office, and there are some 7 clients.  Sometimes in the building, sometimes at my home.
14:15 < johnfg> I'll look into the --multihome.
14:20 < DArqueBishop> Just out of curiosity, why would the VPN clients need to connect from the office if the server is there?
14:22 < johnfg> dazo: I looked at the web page.  where do i add multihome?
14:26 < johnfg> just using the secure tunnel all over, I guess.
14:26 < johnfg> Done it this way for years.
14:26 < johnfg> DArqueBishop: That was to you,btw.
14:31 < DArqueBishop> If I had to guess, I would imagine that "church.spirit.org" is resolving to the external IP address in your office network. If you have an internal DNS resolver for your network, you could have it resolve "church.spirit.org" to 192.168.0.107.
14:33 < johnfg> DArqueBishop: what about the multihome option?  how would you add that to server.conf?
14:35 < johnfg> gotta run, will check back later.
15:04 < Garogat> even after setting --route-gateway iget get: Tue Aug 15 21:46:27 2017 /sbin/ip route add 10.8.0.0/24 via 10.8.0.1
15:04 < Garogat> RTNETLINK answers: Network is unreachable
15:17 < hola1> how do i trubleshoot the problem on my openvpn installation? i've installed openvpn 2.4.0 on raspbian stretch. i've use the default server.conf. ip addr shows me, that i have a tun0 interface and the logs seem ok too but nmap doesn't show me that port 1194 is open (local ip address as well as on localhost)
15:19 <@plaisthos> nmap and udp does not work well
15:19 <@plaisthos> better use netstat -lp
15:19 <@plaisthos> or ss
15:22 < hola1> doesn't show anything
15:22 <@plaisthos> does openvpn even run?
15:22 <@plaisthos> ps aux |grep vpn
15:23 < hola1> yes
15:24 <@plaisthos> lsof -p pid of openvpn
15:26 < hola1> a list of entrys... including this:
15:26 < hola1> openvpn 465 nobody    6u  IPv4  10027      0t0   UDP *:openvpn
15:36 < hola1> any further ideas?
15:42 <@ordex> hola1: I think I missed the initial part of your discussion
15:42 <@ordex> could you re-paste please?
15:42 < hola1> <hola1> how do i trubleshoot the problem on my openvpn installation? i've installed openvpn 2.4.0 on raspbian stretch. i've use the default server.conf. ip addr shows me, that i have a tun0 interface and the logs seem ok too but nmap doesn't show me that port 1194 is open (local ip address as well as on localhost)
15:43 <@ordex> hola1: what's the problem you are having?
15:43 <@ordex> clients can't connect?
15:43 < hola1> the port isn't even open
15:44 <@ordex> maybe you misused nmap? have you tried to connect a client?
15:44 <@ordex> [0422.37] < hola1> openvpn 465 nobody    6u  IPv4  10027      0t0   UDP *:openvpn
15:44 <@ordex> this line in lsof clearly says that openvpn is listening
15:44 < hola1> let me check
15:56 < Poster> are you using tls-auth ?
15:56 < hola1> how do i see that the client has connected succesfully?
15:56 < Poster> it will be in your system logs
15:57 < Poster> you can also try using tcpdump on your server, assuming it's eth0, something like: tcpdump -i eth0 port 1194 and udp
15:57 < hola1> client gives me tls error: tls handshake failed
15:57 < Poster> ok try the tcpdump on the server side and retry your client connection
15:58 < Poster> if tcpdump doesn't show traffic, something is blocking it
15:59 <@ordex> or the configuration is wrong
16:00 < Poster> yeah hopefully the clients are configured to use 1194 udp as well
16:00 < Poster> =S
16:01 <@ordex> as you said before, it could also be a tls-auth/crypt issue
16:02 < hola1> iirc the default port is 1194
16:02 <@ordex> how about posting your configs?
16:02 <@ordex> !configs
16:02 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
16:04 < hola1> client os is debian stretch with openvpn version 2.4.0
16:05 < hola1> !paste port 1194
16:05 < hola1> proto udp
16:05 < hola1> dev tun
16:05 < hola1> ca ca.crt
16:05 < hola1> cert server.crt
16:05 < hola1> key server.key  # This file should be kept secret
16:05 < hola1> dh dh4096.pem
16:05 < hola1> server 10.8.0.0 255.255.255.0
16:05 < hola1> ifconfig-pool-persist ipp.txt
16:05 < hola1> push "redirect-gateway def1 bypass-dhcp"
16:05 < hola1> push "dhcp-option DNS 192.168.178.1"
16:05 < hola1> keepalive 10 120
16:05 < hola1> cipher AES-256-CBC
16:05 < hola1> user nobody
16:05 < hola1> group nogroup
16:05 < hola1> persist-key
16:05 < hola1> persist-tun
16:05 < hola1> status openvpn-status.log
16:05 < hola1> log         openvpn.log
16:05 < hola1> verb 3
16:06 < hola1> explicit-exit-notify 1y
16:06 < hola1> thats the server.conf (sry if i missunderstood the '!paste')
16:07 < hola1> client.ovpn
16:07 < hola1> client
16:07 < hola1> dev tun
16:07 < hola1> proto udp
16:08 < hola1> remote 2t5hwk0jytciv0x7.myfritz.net 1194
16:08 < hola1> resolv-retry infinite
16:08 < hola1> nobind
16:08 < hola1> user nobody
16:08 < hola1> group nogroup
16:08 < hola1> persist-key
16:08 < hola1> persist-tun
16:08 < hola1> remote-cert-tls server
16:08 < hola1> cipher AES-256-CBC
16:08 < hola1> verb 3
16:16 < hola1> do you see any problem?
16:21 < |Mike|> re!
16:21 < |Mike|> hola1: pastebin ktnx.
16:22 < hola1> you mean i sould upload it on pastebin?
16:23 < |Mike|> paste it to pastebin instead into this channel.
16:23 < hola1> oh... ok
16:24 < |Mike|> but no worries now, it's already here.
16:25 < |Mike|> could you set the verb to 4 and restart the server ?
16:26 < hola1> ok...
16:27 < hola1> how do i see that the client has connected successfully? ... i ask cause of my limitations right now my client is in the same lan
16:28 < |Mike|> and see /var/log/openvpn.log
16:28 < |Mike|> minus 'and'
16:29 < hola1> tanks... it seems it has worked
16:29 < hola1> +h
16:29 < hola1> the real problem was the router port
16:29 < |Mike|> you got a notification that the client obtained ip 10.8.0.6?
16:29 < |Mike|> (or higher)
16:29 < hola1> yes
16:30 < |Mike|> are you able to reach the other clients and/or outside world?
16:30 < hola1> i've forgot that i have to open it even if i just test over the lan
16:30 < |Mike|> you're using the internet to contact 2t5hwk0jytciv0x7.myfritz.net ;-)
16:31 < hola1> yes
16:31 < |Mike|> Would've been easier to contact your RFC1918 subnet imho.
16:31 < |Mike|> eg. 192.168.x.x
16:31 < hola1> i mean the url leads to my vpn server
16:32 < |Mike|> all good :-)
16:34 < hola1> how do i tell the client to route traffic through the vpn instead of the loacl network?
16:34 < |Mike|> !def1
16:34 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
16:35 < |Mike|> ^^
16:40 < |Mike|> ps: why aren't you using backports? Running OpenVPN 2.4.3 instead :)
16:41 < hola1> i tryed openvpn(and vpn in general) the first time today
16:42 < hola1> never thought about such thing
16:49 < hola1> is there a way to test if the tunnel works while server and client ar on the same network?
16:52 < |Mike|> tcpdump, wireshark etc
16:52 < redrabbit> i use my cellphone
16:52 < redrabbit> quite handy
16:53 < hola1> seem to work
16:53 < hola1> thank you so much guys (and girls, if one)
16:54 < hola1> i'll test it tomorrow with a friend
16:54 < hola1> have a nice day|night and thanks again
16:55 < |Mike|> You can always block outgoing traffic on the LAN imho.
16:55 < |Mike|> ipv4/6'ish.
16:55 < |Mike|> (from certain clients)
20:27 < nostalgiccloud> yay!
20:27 < nostalgiccloud> the pivpn script is broken
20:27 < nostalgiccloud> and when I manually setup OpenVPN it doesn't create a tun0 interface
20:27 < nostalgiccloud> OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
20:27 < nostalgiccloud> library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
20:28 < nostalgiccloud> That's my version, I'm on Ubuntu Server 16.04 LTS
20:28 < nostalgiccloud> Anyone have any idea what I'm doing wrong?
20:28 <@ordex> nostalgiccloud: what is pivpn?
20:29 < nostalgiccloud> It automates OpenVPN setup
20:29 <@ordex> nostalgiccloud: could you provide the config you use to start openvpn and the log ?
20:29 < nostalgiccloud> I felt like being lazy
20:29 <@ordex> !configs
20:29 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
20:29 <@ordex> !logs
20:29 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
20:29 < nostalgiccloud> it's not producing any logs
20:30 < nostalgiccloud> I might just try a reinstall, I feel like I messed up a config
20:30 <@ordex> well, maybe it is redirecting to syslog? the configuration decides what to do in that regards
20:30 <@ordex> maybe you paste it first ?
20:30 < nostalgiccloud> It's set to a custom log file
20:30 < nostalgiccloud> It's not touching it
20:31 <@ordex> and the verb ?
20:31 <@ordex> why don't you just paste the config? :)
20:33 < nostalgiccloud> http://termbin.com/1vw2
20:35 < johnfg> hi again folks
20:36 < johnfg> I had to leave for 2nd job before getting an answer, but I'm off of work now.
20:36 < johnfg> how does one configure --multihome?  neither the man page, nor web searching is helping me much.
20:38 < nostalgiccloud> ordex, ?
20:40 < johnfg> Does it go in server.conf somehow?
20:41 < DArqueBishop> ecrist: just an FYI - easy-rsa 3.0.1 seems to be missing bin\sh.exe.
20:48 <@ordex> nostalgiccloud: is this empty: log /var/log/openvpn.log ?
20:48 < nostalgiccloud> yes
20:48 < nostalgiccloud> I checked it
20:49 <@ordex> nostalgiccloud: what do you see when you run openvpn from the console with that config ?
20:49 < nostalgiccloud> It starts and does nothing
20:49 <@ordex> what's the output ?
20:49 <@ordex> it's weird it write nothing on the console and in the log
20:50 <@ordex> *writes
20:50 < nostalgiccloud> nothing...
20:50 <@ordex> uhm
20:50 < nostalgiccloud> yea..
20:50 < nostalgiccloud> i'm just going to wipe my VPS and do it manually.
20:50 <@ordex> what if you comment the "log" statement in the config and run openvpn again in the console
20:51 <@ordex> ?
20:51 < nostalgiccloud> I'm just going to do it manually
20:51 < nostalgiccloud> that way I know I have 100% control over it.
20:51 <@ordex> ok. but I am not sure what will be the difference given that you have a plain config to use
20:51 < nostalgiccloud> I was considering WireGuard / L2TP
20:52 < nostalgiccloud> ordex, well I have to trust the pivpn script
20:52 <@ordex> never used either one
20:52 <@ordex> nostalgiccloud: right
20:52 <@ordex> the openvn version you are running is also pretty old
20:52 <@ordex> what distribution is that ?
20:53 < nostalgiccloud> Ubuntu Server 16.04 LTS
20:54 <@ordex> ok. you could install a more recent version if you'd used the openvpn.net repository
20:54 <@ordex> but it's your call
20:56 < nostalgiccloud> I always wondered this one
20:56 < nostalgiccloud> Anyone here use SoftEther?
20:56 < nostalgiccloud> It supports multiple VPN protocols
20:59 -!- remirol is now known as lorimer
21:04 < johnfg> Any ideas/thoughts about --multihome?
21:19 < nostalgiccloud> So one thing I'm still trying to understand
21:19 < nostalgiccloud> Is how does OpenVPN handle networks?
21:22 < nostalgiccloud> Like
21:22 < nostalgiccloud> Could I use it to seamlessly bridge networks
21:37 <@ordex> nostalgiccloud: of course. openvpn just creates a L2 or L3 tunnel, then you can do whatever you want on top of it
21:37 <@ordex> and it supports LANs behind clients too
21:37 < nostalgiccloud> wat
21:49 < nostalgiccloud> ordex, reinstalled my VPS
21:49 < nostalgiccloud> retried PiVPN because why not
21:49 < nostalgiccloud> turns out I'm a fucking moron and broke it myself.
21:49 < nostalgiccloud> laugh all you want
21:50 < nostalgiccloud> :^)
21:52 <@ordex> nostalgiccloud: :D
21:52 <@ordex> glad you realized that this quick
21:53 < nostalgiccloud> ordex, shh
21:53 < nostalgiccloud> let me be retarded
21:53 < nostalgiccloud> :D
22:02 < nostalgiccloud> ordex,
22:02 < nostalgiccloud> OpenVPN times out now
22:02 < nostalgiccloud> fugg
22:03 < nostalgiccloud> my phone says it's recieving data back from my VPN
22:03 < nostalgiccloud> but it also stays on "connecting"
22:08 < nostalgiccloud> ordex, you can call me a moron
22:08 < nostalgiccloud> i missread a step and I configured my server's IP as Google's dns
22:08 < nostalgiccloud> XD
22:09 < nostalgiccloud> I wish I could say it's because I am tired but it was my lazyness
22:09 < nostalgiccloud> I should be more carefull reading configs
--- Day changed Wed Aug 16 2017
05:02 <+hyper_ch> hi there, if a openvpn server requires username/password to login, I can use auth-user-pass directive and provide a file where username and passwords are located. However, is there an option to also have username and password in the config directly?
05:16 < xvifr> Hi
05:22 < xvifr> I have a daemon running with topology p2p, up <script>, down <script>, route-up <script>, ipchange <script> and up-restart. When I start the daemon it executes up and route-up scripts and, when the connection is established, the ipchange script. When I cut the connection and "ping-restart" is fired, the up-restart executes down and up scripts and, when the connection is established, it executes the ipchange script, but the route-up script
05:22 < xvifr> is not executed again. Anyone can help me pointing what I am doing wrong? Thanks!
06:53 < redrabbit> is there a way to mix tcp and udp servers for a failover setup
06:54 < redrabbit> on the client.conf file
06:54 < redrabbit> it doesnt look possible from what i have gathered, that would be handy though
06:59 <@ordex> redrabbit: why not having multiple remote lines?
06:59 <@ordex> (on the client side)
06:59 <@ordex> if one fails, it will try the next
07:00 < redrabbit> i have that setup
07:00 < redrabbit> i wanted to mix tcp with udp
07:00 < redrabbit> because you can only add multiple tcp
07:00 < redrabbit> or multiple udp
07:00 < redrabbit> from what i see
07:01 < redrabbit> ideal setup would be to try in that order :  Serv1/UDP, Serv2/UDP, Serv1/TCP, Serv2/TCP
07:01 < redrabbit> atm i need two config files
07:01 < redrabbit> one for udp, the other for tcp
07:02 < havoc> heh, I have 17 server configs on this one machine I'm working on
07:02 < redrabbit> neat
07:03 < redrabbit> i have the strangest issue, on my server1/UDP instance, the gateway doesnt work
07:03 < redrabbit> server1/TCP works fine
07:03 < redrabbit> i can access the internet through server1/TCP, no problem
07:04 < redrabbit> the UDP instance timesout when i try to connect to the wan with it
07:04 < redrabbit> i must have messed up something
07:05 < redrabbit> i can however access the whole lan behind Serv2/UDP no issue
07:06 <@ordex> redrabbit: you can mix tcp and udp
07:06 <@ordex> check the manpage for --remote
07:06 < redrabbit> neat
07:09 < redrabbit> from a client.conf perspective i have to comment proto udp & proto tcp and add that on the remote host 2345 line?
07:10 <@ordex> yap
07:10 <@ordex> or if you have 10 tcp and 1 udp, you can keep "proto tcp" and add udp only on the related line
07:10 <@ordex> that should work too
08:09 < Pat2_> hello. i would want to know how to know if there's two peoples using a same configuration .ovpn file. cause there's bug in one person using his configuration file...
08:09 < Pat2_> i want to say in the log files...
08:09 < BtbN> Ask them to send it to you, and compare?
08:10 < BtbN> You probably mean their cert though I guess?
08:12 < |Mike|> diff bla.ovpn bla2.ovpn ;)
08:12 < |Mike|> Pat2_: are both clients using the same certificates?
08:15 < Pat2_> |Mike|: no i don't think. In fact i take back in administration an old server , but i don't have historic. i think some computers uses similar openvpn conf file (with same port : eg 1197) than an other. this one i want to configure can connect one minute, and it stop the connexion...
08:17 < Pat2_> but there's a lot of computers, it is very impossibmle to watch all conf files... i am wondering if someones external are not using a such .ovpn file....
08:17 < Pat2_> and it blocks one port...
08:18 < Pat2_> as there's no files enouncing what port is used with such computers... i am in the chaos :)
08:19 < Pat2_> i try to organise it... the reason why i was wonderng if theres is a methodology to see who (IP) use what port....
08:20 < Pat2_> and if there's two users in the same port... etc/...
08:21 < redrabbit> ordex: i'm unsure what the syntax is for the "remote host.com 2345" line to choose between udp and tcp, i'm looking at this https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html and have trouble figuring it
08:21 <@vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
08:21 <@ordex> redrabbit: that's the manual for 2.0
08:21 < redrabbit> ^^"
08:22 <@ordex> I don't think you are using that version .. are you? :D
08:22 <@ordex> just click on "Manuals" on the left, and choose your version
08:22 < redrabbit> 2.3.4 here
08:23 < redrabbit> --remote host [port] [proto]
08:23 <@ordex> want me to click on the link for you? :P
08:23 < redrabbit> oh, right!
08:23 <@ordex> yeah
08:24 < redrabbit> thanks
08:24 < |Mike|> !goal
08:24 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:24 < |Mike|> Pat2_: ^
08:25 < redrabbit> somehow a search on google got that adress : https://openvpn.net/man.html and it redirects to the 2.0.x manual
08:26 < redrabbit> i asumed that url would show something current
08:27 <@ordex> yeah
08:27 <@ordex> I reported that. might make sense to have a redirect to the latest manpage
08:27 < redrabbit> definitely ^^"
08:30 <@ordex> redrabbit: and btw, consider upgrading. that's really old
08:30 <@ordex> if you don't want to switch to 2.4 at least you should get all the bug fixes in the 2.3 series
08:32 < redrabbit> ill try to upgrade my system with apt-get and see if the repos use a new version
08:32 < redrabbit> if not i guess i can compile it myself
08:46 < DArqueBishop> Pat2_: the easiest way to compare is to have them send you their .ovpn files.
08:47 < Pat2_> DArqueBishop: yes... it seems that i will have to do that next... thx.
08:48 < DArqueBishop> FYI - there's nothing wrong with multiple users connecting to the same port.
08:49 < DArqueBishop> Pat2_: like |Mike| pointed out, it would help if we knew what your end goal was.
09:30 < Pat2_> DArqueBishop: |Mike| : just to organise a new way for openvpn in the "company", and to know who use what configuration (it is organised by port ; one person = one port). as there's a configuration wich fails, i wanted to analyse if the configuration was not used by an other person.
09:31 < Pat2_> but i ve found an other solution (an other port pass)
09:31 < DArqueBishop> Pat2_: assigning a port per user sounds horribly inefficient.
09:36 < DArqueBishop> Besides which, if you're using certs and don't have duplicate-cn set, people CAN'T share configs. If person A and person B share a config, if person B tries to connect while person A is connected, person A will be knocked offline. IIRC, the logs will show when that happens.
09:36 < DArqueBishop> Rephrase. They can't share a config with the same certs.
10:22 < Poster> with the automatic reconnect, it ends up being a tennis match of connect/disconnect, not a good way to go
10:23 < Poster> a single port with unique certificate per user is probably your best bet, be sure to setup a certificate revocation in the event you suspect a cert/key becomes compromised along the way
10:26 < Poster> you can look at the ifconfig-pool-persist on the server side, it will lock in a user (certificate) to a specific IP address, from there you can apply appropriate ACLs/netfilter/etc
10:31 <@dazo> Poster: wrong ... ifconfig-pool-persist gives no guarantee of unique IP addresses per user .... it is a best efforts approach, but no guarantee to be consistent over time
10:32 <@dazo> Poster: to achieve that, you must use --client-config-dir and set a specific IP address per user .... or use the --client-connect script hook and have a script maintaining that "database" and generate a CCD file on-the-fly (which file to use is one of the arguments to the script)
10:33 <@dazo> (or you can do it via a --plugin too, but that's even more complicated and more suitable for more advanced site configurations)
11:24 < redrabbit> how come example configs use LZO as a default ?
11:24 < BtbN> because it's fast
11:24 < redrabbit> it has only degraded perfs in my case
11:24 < redrabbit> :/
11:24 < BtbN> of course it's slower than not compressing at all, but faster than gzip or even stronger compressions
11:25 < redrabbit> after i disabled it it saved tons of megabytes
11:25 < BtbN> what?
11:25 < redrabbit> with lzo somehow it used bandwith just to maintain the link
11:25 < redrabbit> maybe its a bug from my 2years old server version though
11:25 < redrabbit> debian heh
11:26 < redrabbit> well i see little benefits degrading perfs for supposed gains ive never seen
11:26 < redrabbit> maybe im doing it wrong
11:33 < redrabbit> ah, and streaming videos from my home to my cell phone was super laggy with LZO
11:33 < redrabbit> lots of freeze
11:33 < redrabbit> once i removed it, super smooth, no freeze
16:26 < axsuul> My openvpn server was working for a long time but recently started having issues with accessing urls. Basically, everything works except via the browser. I suspect it's a DNS issue although I'm having trouble debugging it. I can ping yahoo.com on the server but I can't access it via the VPN on my browser
16:31 < axsuul> nm I think i figured it out
17:47 < Kryczek> axsuul: what was it?
17:48 < axsuul> I added a line `push "dhcp-option DNS 8.8.8.8"` to my config
17:48 < axsuul> i think openvpn was having trouble resolving DNS
17:48 < axsuul> Kryczek: ^
17:49 < Kryczek> openvpn does not "resolve DNS", it just carries traffic, but you can configure the client operating system with such an option indeed :)
17:52 <@ordex> axsuul: can you ping yahoo.com from the client ?
19:47 < Protected> Hi there. A friend of mine is trying to install openvpn as a server on windows, but running into a few issues with the documentation: https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide says easyrsa is bundled with openvpn but it isn't; It also hasn't been updated for easyrsa 3; Easyrsa 3.0.1 (zip) contains a windows readme file that mentions bundled executables that aren't really
19:47 < Protected> bundled (but they're in 3.0.0-rc1...) and so on; Could anyone advise me on the best up to date resource I can give to him to guide him in this endeavor?
19:47 <@vpnHelper> Title: Easy_Windows_Guide – OpenVPN Community (at community.openvpn.net)
19:47 < Protected> I use linux, so I can't help him very well
19:47 < Protected> And he has never done this before
19:49 < Protected> Is there, like, a
19:49 < Protected> !windows
19:49 <@vpnHelper> "windows" is (#1) computers are like air conditioners, they work well until you open windows., or (#2) http://secure-computing.net/files/windows.jpg for funny, or (#3) http://secure-computing.net/files/windows_2.jpg for more funny
19:49 < Protected> :D
19:55 < Kryczek> lol
19:58 < Kryczek> Protected: does your friend have a Raspberry Pi or a spare computer like that which could be used as a VPN server??
19:58 < Kryczek> -?
19:58 < Kryczek> exposing Windows to the Internet is all kinds of dangerous
19:59 < Protected> No, unfortunately it's a remote server that must run windows because (if I remember correctly) it runs some game servers that could only run in linux on mono, and very poorly at that
20:14 < Protected> Well, he says he found easyrsa was bundled after all
20:16 < Kryczek> Protected: then make sure he opens only OpenVPN's UDP port (a TCP configuration would be a bad idea for gaming) and nothing else, especially not putting the Windows box as "DMZ host"
20:21 < Protected> I wasn't thinking he'd actually game through it, but now that you say that, he might
20:21 < Protected> I'll make sure he uses udp
20:22 < Protected> I don't personally know a reason why he shouldn't, so I wouldn't advise him otherwise
22:03 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:13 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:13 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Log closed Wed Aug 16 23:45:07 2017
--- Log opened Thu Aug 17 07:43:03 2017
07:43 -!- Irssi: #openvpn: Total of 233 nicks [7 ops, 0 halfops, 2 voices, 224 normal]
07:43 -!- mode/#openvpn [+o ecrist] by ChanServ
07:43 -!- Irssi: Join to #openvpn was synced in 1 secs
07:43 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
07:43 -!- mode/#openvpn [+o vpnHelper] by ChanServ
07:47 < abenz> Gents, another quick one
07:48 < abenz> when I add cipher AES-256-CBC to my static key setup the tunnel doesn't get established
07:48 < abenz> without specifying cipher, I get this warning:
07:49 < abenz> WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
07:49 < abenz> so I add cipher and use the same one given in the e.g. stated in warning.. but doesn't go up
07:49 < abenz> is this applicable to static key lan to lan setups?
07:51 < Kryczek> did you specify it on both sides?
07:52 < abenz> yes
07:52 < Kryczek> did you restart openvpn on both sides? :P
07:53 < abenz> yes :)
07:54 -!- eblip is now known as eb0t
07:54 < abenz> uhh
07:55 < abenz> it just worked! oh man
07:55 < abenz> Kryczek: heisenbug ? :P
07:57 -!- ketas is now known as ketas-
07:57 < Kryczek> yeah right ;P
08:19 < abenz> Thanks a lot for all the help guys
08:20 < abenz> see you later (on laptop now)
11:33 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 248 seconds]
11:40 < deftjack> Is this supported in the community version and if so anyone have a good document on how to implement?  https://docs.openvpn.net/docs/access-server/openvpn-access-server-post-auth-scripting.html
11:40 <@vpnHelper> Title: OpenVPN Access Server Post-Auth Scripting (at docs.openvpn.net)
11:57 < banco> --client-connect cmd
11:57 < banco> Note that the return value of script is significant. If script returns a non-zero error status, it will cause the client to be disconnected.
11:57 < deftjack> Thanks! Was just now looking at that. Saw it in a forum post.
11:58 < deftjack> Not finding the document page for that. Not sure why.
11:58 < banco> https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
11:58 <@vpnHelper> Title: Openvpn24ManPage – OpenVPN Community (at community.openvpn.net)
12:00 < deftjack> So this goes in a ccd file?
12:00 < deftjack> It looks like only a global setting...
12:01 < banco> No, this option goes in the server config file
12:01 < banco> client-connect /path/to/script.sh
12:01 < banco> This script will be called for every client that will connect to the server
12:02 < deftjack> Thanks again!
12:08 < yong> Can you use a pre-shared secret to connect multiple clients to the same vpn (they're supposed to see each other)? Because https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html says it's only for one client-to-server connection but that seems a bit odd to me
12:08 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
12:09 < DArqueBishop> yong: no.
12:10 < banco> duplicate-cn
12:10 < banco> It's possible
12:10 < BtbN> static key is not the best idea in general though
12:10 < BtbN> it makes a lot of recent security features unusable
12:11 < banco> Not a good practice, yes
12:28 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
12:28 -!- mode/#openvpn [+o krzee] by ChanServ
12:59 < deftjack> I dont know if Im reading the wrong pages or what but Im confused on client-connect. It simply runs a script on the server not client. What Im trying to do is a sort of "host check" such as make sure they are using X version of software etc.  Reading forums its implied it runs on the client but everything I put in the script to test only runs on the server.
13:00 <@ecrist> --client-connect is a server-side option
13:01 <@ecrist> it only runs on the server
13:01 < deftjack> So would I use something like ipchange instead?
13:01 <@ecrist> if you want to run a script on the client, look to --up or something
13:01 < deftjack> Ah ok. I see, I think, --mode server....
21:06 < gdh> 0P3NVPN
21:12 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
21:12 -!- mode/#openvpn [+v RBecker] by ChanServ
21:20 <@ordex> l33t!
22:03 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:13 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:13 -!- mode/#openvpn [+o syzzer] by ChanServ
22:51 -!- gdh is now known as FlonnorMayGregor
23:29 < abenz> Hi
23:29 < abenz> ordex: ping
23:29 <@ordex> pong
23:29 <@ordex> :)
23:29 <@ordex> you lucky
23:30 < abenz> :)
23:30 < abenz> my excitement yesterday was too rushed I'm afraid!
23:31 < abenz> I hope you recall our discussion
23:31 < abenz> I can only ping the server IF I'm initiating the ping from the router itself
23:32 < abenz> think I need an SNAT config?
23:33 <@ordex> abenz: don't stop at half explanation :P you said what works, but what does not ?
23:33 < abenz> ohh!
23:33 < abenz> a client behind the router on other side of tunnel doesn't get a reply from the server
23:33 < abenz> ping times out
23:34 < abenz> so router itself: successful. Client behind router: fail..
23:34 <@ordex> what IP has this client ?
23:35 <@ordex> and does the client know that the server is behind that router with the tunnel?
23:35 <@ordex> i.e. does it has a route towards the server ?
23:40 < abenz> ordex: pls give me a second, I'm trying to remote in again into my PC on other side but cant atm
23:40 <@ordex> sure
23:41 < abenz> it can reach the router on the other side of the tunnel, but not the server so I was wondering if the ip route add... src <routerB_LAN_IP> we used only modifies the source of packets originating from router itself rather than all clients behind it as well
23:54 <@ordex> abenz: yeah, it's only a routing decision for the router itself
23:55 <@ordex> abenz: but clients behind should already have an IP from that LAN, no ?
23:55 <@ordex> or do they have yet another IP?
--- Day changed Fri Aug 18 2017
00:30 < abenz> please excuse me ordex I suddenly got occupied
02:59 < nostrora> Hi, i have question about OpenVPN. i'm connected to openvpn server, all is working very well and fast. But when i go to 192.168.1.1 i get MY routeur, not the openvpn router, why ?
03:04 <@ordex> nostrora: what's the ip of the vpn router?
03:04 < nostrora> ordex, 192.168.1.1
03:04 <@ordex> are you using over the vpn the same network you are using in the LAN ?
03:05 <@ordex> ??
03:05 < nostrora> ordex, i don't understand
03:06 < nostrora> ordex, openvpn is on online server with pfsense, and this pfsense is 192.168.1.1 and at home, my router is 192.168.1.1 too. when i'm connected to vpn, i want to connect to 192.168.1.1 to access to pfsense (openvpn router) and not my router
03:10 <@ordex> nostrora: that is probably the IP of the pfsense machine on its local network. you have to use the IP it has over the VPN tunnel to reach it
03:11 <@ordex> because the tunnel is the interface in common you have with it
03:14 < nostrora> ordex, ip over the VPN tunnel ?
03:14 < nostrora> ordex, so pfsense can have another ip ?
03:39 < cbauer> what information can be captured by a MITM, can he see SYN/ACK etc. TCP flags from a tcp connection that's going through the vpn tunnel?
06:49 < Ducky^> sorry for a bit of a general question, but could anyone please recommend me some ways to implement access control on an openvpn server for remote access?
06:49 < Ducky^> the only way I can think of is by assigning static IPs to clients and using iptables
06:50 < Ducky^> is the the generally recommended way to prevent users from getting to certain IP ranges?
08:14 <@ecrist> Ducky^: firewall
08:14 <@ecrist> You can, on the server side, implement custom rules with --client-connect scripts to open specific ports or add addresses to tables within the firewall.
08:23 -!- |Mike| [~mike@178.255.49.239] has joined #openvpn
08:23 < |Mike|> wht the f-word.
08:23 < |Mike|> 06:42:07 [Freenode] -!- You are banned from this server- Spam is off topic on freenode. Email kline@freenode.net if in error  (2017/8/17 04.42)
08:23 < |Mike|> Spam while snorning o/
08:23 <@ecrist> |Mike|: it's normal
08:23 <@ecrist> http://freenode.net/news/spamwave
08:23 < |Mike|> aloha chris
08:23 <@vpnHelper> Title: Spambot attack - freenode (at freenode.net)
08:24 <@ecrist> some oper did a /kline *@*
08:24 <@ecrist> just wipe out the network and start over
08:24 < |Mike|> That's a way to stop something -not-
08:28 <@ecrist> apparently it worked.
08:30 <@ordex> :D
08:31 < |Mike|> it's a good thing that it worked :)
09:13 < Ducky^> ecrist: thanks, --client-connect script looks promising
11:19 <@ecrist> no problem.
11:23 < DArqueBishop> ecrist: I suppose I should have looked at the easy-rsa buglist before asking you about the missing binary. :-)
11:29 <@ecrist> DArqueBishop: yep
11:30 < duo8> what are these
11:30 < duo8> !welcome
11:30 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
11:30 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
11:30 <@ecrist> now you know
11:32 < duo8> that's cool but what if i want to read all of these wouldn't it be like spam
11:32 <@ecrist> !factoids
11:32 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
11:32 <@ecrist> you can also /mnt vpnHelper !keyword
11:33 <@ecrist> nope, that doesn't work
11:33 <@ecrist> I thought it used to
11:33 < duo8> oh
11:33 <@ecrist> you can read them all on that web page, duo8 
11:33 < duo8> is double NAT bad?
11:34 <@ecrist> it works, but it can cause problems
11:34 < duo8> it seems if i'm gonna redirect internet traffic i'll have to deal with that
11:35 < duo8> (server behind router)
11:41 < duo8> is there a way to avoid that?
11:41 <@ecrist> give your openvpn server a public IP
11:44 < duo8> ? i was thinking the internet traffic from a client will go through nat on the server then another nat layer on the router
11:44 <@ecrist> that's common
11:45 < duo8> is there a way to only use the nat layer on the router?
13:22 <@ecrist> Your clients are outside, right?  There isn't a good way, no.
13:53 -!- WebDawg is now known as neoweb
14:12 -!- abenz__ is now known as abenz
14:13 -!- Dougy [~dougy@openvpn/community/support/Dougy] has joined #openvpn
14:30 -!- NonSecwitter is now known as Extremist
14:30 -!- Extremist is now known as NotSecwitter
14:31 -!- NotSecwitter is now known as NonSecwitter
15:05 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
15:32 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
15:32 -!- mode/#openvpn [+o krzee] by ChanServ
15:47 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
15:51 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
15:51 -!- mode/#openvpn [+o krzee] by ChanServ
19:41 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
20:02 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
20:02 -!- mode/#openvpn [+o krzee] by ChanServ
22:39 < armegeden> !welcome
22:39 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
22:39 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
22:55 <@ordex> armegeden: welcome
22:55 <@ordex> :D
22:55 < armegeden> ty ty!
22:57 < armegeden> been having some crazy vpn/firewall/performance related issues.  came in here to ask opinions, but now i discover that it's probably not openvpn in play.  rather, something with how my asa is seeing certain encrypted traffic come through compared to l2tp/ipsec
22:57 < armegeden> grrr. more testing.
23:02 <@ordex> dig deeper!
23:02 <@ordex> :)
--- Day changed Sat Aug 19 2017
00:14 -!- abenz_ is now known as abenz
00:25 < n0rthlight> Sorry its not directly related to openvpn but I am sure you guys would know.
00:25 < n0rthlight>  I was testing my vpn on dns leak earlier and tried the test whitout my vpn and noticed I that it generated multiples ip's all close to each others in numbers. it this regular?
00:25 < n0rthlight> 2-3 "server found" on the same extended test.
00:26 < n0rthlight> https://www.dnsleaktest.com/
00:26 <@vpnHelper> Title: DNS leak test (at www.dnsleaktest.com)
00:26 < abenz> yes regular
00:27 < n0rthlight> Thx abenz I will sleep better. Small thing for you. :)
00:27 < abenz> :)
11:41 -!- dionysus70 is now known as dionysus69
14:06 -!- dionysus70 is now known as dionysus69
15:22 < ryan-c> I'm using openvpn 2.4.0 with --resolv-retry infinite plus a chroot jail, and it can't resolve the server name - anyone know how to fix that?
15:23 < ryan-c> I have a setup with 2.3.4 where this works.
15:24 -!- NP-Completeass is now known as NP-Hardass
15:47 < ryan-c> looks like adding a resolv.conf in the jail fixes it
20:18 -!- Serus_ is now known as Serus
--- Day changed Sun Aug 20 2017
05:10 < dvds> hello world
05:14 < desnudopenguino> hi
05:31 < dvds> I was afraid there might be too much activity around here, but apparently there might be some room for a question :-)
05:34 <@ordex> there is always room for questions :P
05:35 < dvds> I have a weird phenomenon since a couple of days: I have a "management localhost 1234" line in my config since ages, and it worked fine (script that goes grabbing info)... when restarting, openvpn happily confims that "MANAGEMENT: TCP Socket listening on [AF_INET6]::1:1234" (as it has always done), but since Friday it seems something has broken: I get a Connection refused even when trying to nc to it.
05:35 < dvds> netstat says it's listening, and iptables does not reject anything. I know I probably changed something (fixing a couple of problems since last debian upgrade), but I'm a bit clueless about what to look for... Does anybody have any hint? What could go wrong, that would block a local tcp connection??
05:51 <@ordex> dvds: maybe is binding on a different local address ?
05:55 < dvds> ordex: could be, but it really looks fine: tcp6 0 0 ::1:1234 :::* LISTEN 17932/openvpn
05:55 <@ordex> ah ok
05:55 <@ordex> and are you nc'ing to ::1 ?
05:56 < dvds> well, yes/no, I'm connecting to "localhost" or 127.0.0.1, which should not be an issue (and worked until Thursday)
05:57 <@ordex> did you upgrade openvpn in the meantime? what else changed?
05:57 <@ordex> or changed something else in your config ?
05:57 <@ordex> but I think ::1 will work
05:59 < dvds> nope, openvpn had been running since last weekend without interruption, just restarted it today to try to fix the issue
06:00 < dvds> btw, the config says "localhost", i guess it binds it dual-stack per default
06:02 < dvds> oh
06:03 < dvds> just to be on the safe side of things, I just changed my script to connect to ::1 instead of 127.0.0.1 ... and it works o_O
06:04 < dvds> looks like I broke something on the network stack on Friday... I'll need to find out what it is
06:04 < dvds> Anyways, thanks ordex :D
06:05 <@ordex> np :P
13:14 < ryao> I am configuring a private OpenVPN server for my own use for the nth time. I usually put bogus information into the ca and certificate's fields when generating it, but this time, I want to do something a bit more permanent. Am I correct in thinking that anyone snooping on the connection will see those fields unless I use --tls-crypt?
13:33 < ninjalf2> !welcome
13:33 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
13:33 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
13:34 < ninjalf2> !1925
13:34 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
13:35 < ninjalf2> !route
13:35 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
13:35 < ninjalf2> !clientlan
13:35 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route
13:35 <@vpnHelper> for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
14:02 < ninjalf2> !goal
14:02 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:18 < ninjalf2> !goal I would like to setup a gateway that forwards all traffic through my main gateway (home router) and then through an OpenVPN server so that I can connect to my normal gateway to browse unencrypted and through the VPN gateway to browse anonymously. I would like to avoid subnets too, so that I can access machines on my local subnet
19:13 < jair> hello all
19:13 < jair> how are you doing today?
19:14 <@ordex> good
19:14 <@ordex> how are you? :)
19:18 < jair> ordex: I am running into a small issue with my openvpn client
19:18 <@ordex> I am sorry about that :P
19:19 < jair> I am not sure if the problem can be solved in the client application side or server side
19:19 < jair> (^^)
19:20 < jair> I can provide the logs of the error >> http://paste.debian.net/hidden/62191ed2/
19:21 <@ordex> Mon Aug 21 08:50:54 2017 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed << this is the problem
19:21 < jair> I am not sure if I need to create a new self-signed certificate
19:21 <@ordex> are you using a self-signed certificate?
19:21 <@ordex> or is the CA expired? or something around those lines ..?
19:21 < jair> I have a .key file and a .crt file
19:21 <@ordex> jair: self-signed certificate are not supported anymore I believe because openssl simply does not accept them (iirc)
19:21 <@ordex> jair: did you create your own CA ?
19:22 <@ordex> if not, you better setup your own CA and create server and client certs from there
19:22 <@ordex> !easyrsa
19:22 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA, or (#4) Source checkouts available from the github project.
19:22 < jair> ordex: I believe so
19:22 <@ordex> you should have a ca.crt on the client too then
19:22 < jair> Yes correct
19:22 <@ordex> on the client and on the server
19:22 <@ordex> is it configured ?
19:22 <@ordex> !config
19:22 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
19:22 <@ordex> !configs
19:22 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
19:22 < jair> yes it is
19:22 <@ordex> ah
19:22 <@ordex> Mon Aug 21 08:50:54 2017 VERIFY ERROR: depth=1, error=certificate has expired: C=FR, ST=PACA, L=Aix-en-Provence, O=Smart Trade Technologies, CN=VPNAccess-CA, emailAddress=support@smart-trade.net
19:23 <@ordex> sorry, I hadn't read this
19:23 < jair> this has been working for long time before
19:23 <@ordex> error=certificate has expired
19:23 <@ordex> yeah
19:23 <@ordex> now it's time to have a new cert :P
19:23 <@ordex> it seems like the CA expired
19:24 < jair> right so if the certificate expired I was thinking do I create a new one myself using openssl command and the ca.crt jair.crt jair.key
19:24 <@ordex> if it's the CA that is expired, you need to create a new CA (or maybe you can just extend its validity)
19:24 < jair> ordex: I thought there was a command to verify that other than opening the file jair.crt with a linux editor
19:25 < jair> 1. create a new one
19:25 < jair> 2. extend the validity
19:25 <@ordex> yeah there is
19:25 < jair> those are my options, however I am not sure how to accomplish them
19:25 <@ordex> with the openssl command line
19:25 < jair> ahhh
19:25 <@ordex> I should google too
19:25 < jair> yes
19:26 <@ordex> but the openssl command line tool can help with this
19:26 < jair> will do for sure
19:26 <@ordex> if you create a new CA, you need to create new certs too
19:26 < jair> ahh
19:26 <@ordex> so if you can extend the validity, might be better
19:26 < jair> ahhh understood
19:26 < jair> ahhh
19:26 < jair> so i will need to check how to do that in google
19:27 < jair> ordex: thank you very much for the info I will check now on that process
19:27 <@ordex> np :)
19:28 <@ordex> jair: I think you can do openssl x509 -in CERTIFICATEPATH -text
19:28 <@ordex> I was just playing with it now
19:28 <@ordex> and it should show all the data
19:29 < jair> OK let me check
19:30 < jair> also, the two files I will need to generate are CA.crt and the jair.crt correct using the >> jair.key  the jair.ovpn remains as it is?
19:32 <@ordex> yeah, it's just a matter a certficate
19:32 <@ordex> the config can stay the same
19:32 <@ordex> *a matter of
19:32 < jair> got it
19:33 < jair> ordex: but this is what I am confused about >> http://paste.debian.net/hidden/02be4f1f/
19:34 <@ordex> yap this seems valid
19:34 <@ordex> is this ca.crt ?
19:34 < jair> ordex: do you undestand that Not Before and Not After...
19:34 < jair> that is the jair.crt
19:34 <@ordex> how about ca.crt ?
19:35 < jair> ahhhh
19:35 <@ordex> mh why did you use this CN for jair.crt? "CN=VPNAccess-CA" seems confusing..although it should not be a big deal
19:36 < jair> ordex: http://paste.debian.net/hidden/39d78443/
19:36 < jair> that makes totally sense
19:36 <@ordex> yap
19:36 < jair> ordex: it was using before for a year or two
19:36 <@ordex> I tend to agree :P
19:37 <@ordex> yap
19:37 <@ordex> even 10 I'd say :D
19:37 < jair> so I can agree with you, it is super clear
19:38 < jair> even 10 ? the line 10?
19:38 < jair> OK let me see if I can extend this date with the openssl command
19:38 <@ordex> no sorry, I meant that this CA has been used for 10 years
19:38 <@ordex> or at least was created 10 years ago
19:39 < jair> right
19:39 < jair> :)
19:40 < jair> Ok checking on google
19:40 < jair> how to extend the ca.crt
19:41 <@ordex> yup
19:41 <@ordex> good luck
19:42 < jair> Thank you so much! I will report here the findings for you to let you know if I got it to work or not (^^), really appreciate your time, thank you!
19:48 <@ordex> np :)
20:11 < jair> Hello ordex , sorry one last question
20:12 < jair> I do have the ca.crt and jair.crt jair.key and jair.ovpn but no ca.key
20:13 < jair> I will need that file from somewhere in the server?
20:13 <@ordex> nope
20:13 <@ordex> that is only required to create certificates and hsould be kept very very secret
20:13 <@ordex> during the verification procedure you only need the public key/certificate (aka ca.crt)
20:19 < jair> ahhh perfect, thank you
21:30 < jair> ordex: sorry I see what I am missing
21:31 <@ordex> that is ?
21:31 < jair> ordex: I don't have the publick key for ca.crt
21:31 < jair> ordex: should i be able to generate it or import it?
21:32 < jair> all I have are: ca.crt, jair.crt, jair.key, and jair.ovpn
21:32 <@ordex> ca.crt is the certificate which contains the public key
21:32 <@ordex> there is no other file
21:32 < jair> hmm
21:33 <@ordex> and ca.crt is the file given around because it can be used to verify certificates created by that CA
21:33 <@ordex> while the private key (ca.key) is used to *sign/create* the certificates
21:33 <@ordex> and has to be kept secret
21:33 < jair> ok understood I don't need this >> ca.key
21:34 < jair> private one
21:34 <@ordex> right. I think this is what I said before
21:34 <@ordex> yup
21:34 <@ordex> you need it only to sign new certificates
21:34 < jair> so i thought this is the solution >> https://forums.openvpn.net/viewtopic.php?t=18671
21:34 <@vpnHelper> Title: [Solved]Expired CA - clients can't connect - OpenVPN Support Forum (at forums.openvpn.net)
21:35 < jair> ordex: but as you can see there is a ca.key file I guess that is the public
21:35 < jair> so I can generate a public ca.key file from the ca.crt
21:36 < jair> just need to copy the key in a file called ca.key
21:36 <@ordex> jair: the other way around ..
21:36 <@ordex> if you create a new ca.crt signed by your existing ca.key
21:36 <@ordex> then existing certs are validated against the new ca.crt.
21:36 <@ordex> you use ca.key to generate a new ca.crt
21:36 <@ordex> with a new validity
21:36 <@ordex> then you can give ca.crt around
21:37 <@ordex> ca.key is used only during local operations as it contains the private key. so it is used to sign new things (i.e. new CA and new certificates), but it is not supposed to be distributed
21:37 < jair> so I certainly need to extract the public key from the ca.crt file I have?
21:37 <@ordex> why would yo do that ?
21:38 <@ordex> why do you need the raw public key?
21:38 < jair> >> https://forums.openvpn.net/viewtopic.php?t=18671 ca.key
21:38 <@vpnHelper> Title: [Solved]Expired CA - clients can't connect - OpenVPN Support Forum (at forums.openvpn.net)
21:38 < jair> where do I get this filoe from
21:38 < jair> file from
21:38 <@ordex> ca.key ?
21:38 <@ordex> you should have it already
21:38 < jair> yes
21:38 < jair> no I don't have that file
21:38 <@ordex> this is the very first thing you create when you generate your CA
21:38 <@ordex> 10 years ago
21:38 <@ordex> :D
21:39 <@ordex> is the CA yours? who created ca.crt in the first place?
21:39 < jair> I only have this files>> ca.crt, jair.crt, jair.key, and jair.ovpn (that's it)
21:39 <@ordex> how about my last questions?:)
21:39 <@ordex> [1034.54] <@ordex> is the CA yours? who created ca.crt in the first place?
21:40 < jair> I believe it was created by one of our teammates in the organization
21:40 <@ordex> alright
21:40 < jair> but I was looking for a file like that and I could not find it ca.key
21:40 <@ordex> then either you find him and ask him where is the ca.key (CA private key)
21:40 <@ordex> or you need to start from scratch
21:41 < jair> nevermind found it
21:41 < jair> OK
21:41 <@ordex> recreate the CA from scratch and all the certificates
21:41 <@ordex> ah
21:41 <@ordex> :P
21:41 < jair> but I believe is the private one
21:41 <@ordex> yes, ca.key is the private one
21:41 < jair> wait I do have this too >> ca-public-key.pem
21:42 <@ordex> mhhh nothing that I know
21:42 < jair> ok
21:42 < jair> it's there a command to verify if the .key is the private or publick key?
21:42 <@ordex> just "cat ca.key"
21:43 <@ordex> the header should say it
21:43 <@ordex> it should start with: -----BEGIN ENCRYPTED PRIVATE KEY-----
21:43 <@ordex> or without ENCRYPTED
21:44 < jair> ok
21:44 < jair> checking
21:45 <@ordex> otherwise, if it's a certificate, it will say -----BEGIN CERTIFICATE-----
21:45 <@ordex> (and there might be some metadata in text form too)
21:45 < jair> I cat >> ca.key and got >> -----BEGIN RSA PRIVATE KEY-----
21:45 <@ordex> yap, it's a private key
21:46 <@ordex> the fact that it says RSA it's because of the type. if I am not wrong using this type of key is deprecated now (but probably it was not 10 years ago)
21:46 <@ordex> but I am not 100% sure about this
21:47 <@ordex> so you may want to search around to confirm this statement. if that's true, you might want to start from scratch and create a new CA. but that's up to you
21:48 < jair> well I can try the easy way
21:48 < jair> and simple
21:48 < jair> and then plan for the (right) way of configuration
21:50 <@ordex> jair: yeah, makes sense
21:50 < jair> Ok I have all the components to try extend the expiration I will see how it goes and then after having the file I will use it to connect to my openvpn server
21:50 < jair> see if connects
21:50 < jair> hold on ok I will try to do it quick to share with you the results
21:52 <@ordex> jair: don't forget to give your clients the new (extended) ca.crt that you will create
21:52 < jair> ordex: in this case the first client will be me
21:52 < jair> ordex: if it works I will then share it
21:53 <@ordex> yup
21:53 <@ordex> sounds good!
21:58 < cattuslaetus> !welcome
21:58 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
21:58 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
21:58 <@vpnHelper> you
21:58 < jair> ordex: >> http://paste.debian.net/hidden/35e4ce08/
21:59 < jair> hmm there is an error :(
22:01 < cattuslaetus> !tap
22:01 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the
22:01 <@vpnHelper> protocol uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
22:02 < jair> cattuslaetus: thank you but I am working on solving this with an very helpful individual ordex .
22:02 < jair> cattuslaetus: that does not mean I will read/study more about openvpn and certificates
22:03 < cattuslaetus> jair: oh i am sorry i am new and reading the tap infodump
22:03 < jair> ordex: the only error I might think of will be that the ca.key is no the private key for this .crt?
22:05 < cattuslaetus> my openvpn configuration (formerly functional) has a problem, but i've never been here before and it happens to be a tap0 configuration. should my first step be to try to change it to a tun configuration if tap is not recommended?
22:28 <@ordex> jair: I am not sure about what the error means
22:28 <@ordex> I'd need to google a bit
22:28 <@ordex> after some food ;P
23:25 < jair> ordex: no problem :P
--- Day changed Mon Aug 21 2017
00:16 <@ordex> jair: what are all the steps that brought you there ?
01:37 -!- def_jam is now known as eb0t
02:56 < Joost> I'm trying to compile openvpn with a local copy of polarssl (i.e. not the one installed systemwide) but I cannot figure out the correct incantation of CLFAGS / LDFLAGS / CPATH / LD_LIBRARY_PATH etc
02:56 < Joost> does anyone have experience with this and/or a good resource?
02:56 <@ordex> Joost: I guess you mean mbedtls?
02:57 <@ordex> because if it is really polarssl then it is really old and not recommended in general
02:57 <@ordex> this said, what you normally hav to do is to add to CFLAGS a -I directive telling gcc where to find the header files, then add to LDFLAGS a -L and -l directive to tell the linker where to find the .so and what is the name
03:02 < Joost> I have a .a rather than a .so though
03:02 < Joost> ah, now I also have a .so. thakns!
03:02 < Joost> thanks*
03:03 <@ordex> :)
03:04 < Joost> re polarssl vs mbedtls; I wish I meant mbedtls
03:05 < Joost> I'm trying to get a legacy set-up to compile again though, before migrating all sorts of stuff
03:05 <@ordex> oh
03:05 <@ordex> I see
03:05 < Joost> today is a dark day
03:05 <@ordex> well, you may already know, but I like to repeat :P since the days of polarssl tons and tons of bugs have been fixed (security bugs)
03:05 <@ordex> hehe
03:05 <@ordex> I see why :)
03:06 < Joost> thanks for bearing with me though :P
03:07 < Joost> your comment made me realise I was looking at the wrong part of the chain, i.e. I was fiddling with compiling openvpn while I didn't have the library compiled properly yet
03:08 <@ordex> hehe talking sometimes can just help by itself
03:23 -!- abenz_ is now known as abenz
03:48 < Deus3X> hi
03:48 < Deus3X> i'm trying to setup my openvpn server to share with client a route that use a different gateway
03:49 < Deus3X> if i will add the push command with different gateway... the client will give an error...
03:49 < Deus3X> any suggestion?
03:51 < BtbN> route command with a different gateway?
03:51 < Deus3X> root@SERVER:~# route -n Tabella di routing IP del kernel Destination     Gateway         Genmask         Flags Metric Ref    Use Iface 0.0.0.0         10.1.1.1        0.0.0.0         UG    0      0        0 ens3 10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 ens3 10.2.2.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0 192.168.2.0     192.168.100.1   255.255.255.0   UG    0      0        
03:51 < BtbN> You can only add routes for a network the client knows.
03:51 < BtbN> And that is entirely unreadable.
03:51 < Deus3X> sorry just a sec
03:51 < Deus3X> 0.0.0.0         10.1.1.1        0.0.0.0         UG    0      0        0 ens3
03:51 < Deus3X> 10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 ens3
03:52 < Deus3X> 10.2.2.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
03:52 < Deus3X> 192.168.2.0     192.168.100.1   255.255.255.0   UG    0      0        0 tun1
03:52 < Deus3X> 10.1.1.0 is server subnet
03:52 < BtbN> just use a pastebin next time.
03:52 < Deus3X> 10.2.2.2 is openvpn server
03:52 < Deus3X> i will sorry :/
03:53 < Deus3X> id like to share 192.168.2.0 to openvpn client
03:53 < Deus3X> is this possible?
03:54 < BtbN> So the server has that network, and the clients wants it?
03:54 < Deus3X> yes
03:55 < BtbN> pushing a route is all you need then.
03:55 < Deus3X> i will get an error
03:56 < Deus3X> tun_prop_route_error: route destinations other than vpn_gateway or net_gateway are not supported
03:56 < BtbN> you're setting the wrong gateway then.
03:56 < Deus3X> push "route 192.168.2.0 255.255.255.0 192.168.100.1"
03:56 < BtbN> Where does 192.168.100.1 come from?
03:57 < Deus3X> another opnevpn client
03:57 < BtbN> That makes no sense
03:57 < Deus3X> tun0 is openvpn server
03:57 < Deus3X> tun1 is openvpn client
03:57 < BtbN> Only directly attached networks can be used as gateway
03:57 < BtbN> So most likely your OpenVPN server.
03:58 < Deus3X> so if ubuntu server has client and server openvpn
03:58 < Deus3X> i can't connect the subnet coming from 2 openvpn?
03:58 < BtbN> You can, with an appropiate route via your server.
03:59 < Deus3X> can you explain me how to?
03:59 < BtbN> I have no idea how your network looks like, so I can only tell you to set your server that the client sees as apropiate gateway
04:01 < Deus3X> the server know that to call 192.168.2.0 need to user 192.168.100.1 gateway
04:01 < Deus3X> user = use
04:01 < BtbN> Your client does not see those networks
04:01 < BtbN> so they can't possibly be where the gateway is
04:01 <@ordex> Deus3X: if your server has two interfaces (i.e. it is attached to 2 networks) then the server will be the "router/gateway" between those two
04:02 <@ordex> thus it has to be configured as GW to the peers connected to those interfaces (i.e. the vpn clients)
04:05 < Deus3X> ok.. so i need to lear how to setup openvpn server as router/gateway
04:05 < Deus3X> :)
04:05 < BtbN> It most likely already is.
04:05 < BtbN> Just push the right route
04:06 < BtbN> The server has to be the gateway
04:06 < Deus3X> the client is already getting the openvpn server as gateway
04:06 < Deus3X> push "route 192.168.2.0 255.255.255.0 192.168.100.1"
04:07 < Deus3X> will give me a gateway error
04:08 < BtbN> That gateway is clearly not your OpenVPN server.
04:08 < BtbN> The gateway has to be the server itself, not some gateway the server uses. The Client does not have that network.
04:09 < Deus3X> 0.0.0.0         10.1.1.1        0.0.0.0         UG    0      0        0 ens3
04:09 < Deus3X> the ubuntu server gateway?
04:09 < BtbN> what?
04:10 < Deus3X> the client need to have as getaway the server gateway? in my case 10.1.1.1?
04:12 < BtbN> If that's the server on the vpn network, yes.
04:17 < Deus3X> omg i'm really a noob... :P i will try to understand how to do that..
04:19 < Deus3X> https://pastebin.com/6rekdndU
04:19 < Deus3X> this is my openvpn server conf
04:19 < Deus3X> can you explain me how to set the right gateway?
04:22 < Deus3X> atm the client will get 10.2.2.1 as gateway (the openvpn server gateway)
04:55 <@ordex> Deus3X: you probably have to learn a bit about networking first. learn what is a gateway, how the route specification works and how a route by itself works
04:57 <@ordex> once these concepts are clear it will be much easy to setup your server
05:30 < Deus3X> ordex, tnx for your answer. As you noticed i'm not an expert... i'd try to learn how to do using google... anyway.. i know a bit of networking.. The ubuntu server have some different subnet... 1) the lan 2) the vpn server 3) the vpn client. The Ubuntu server will talk with the openvpn client network using not the default gateway... so i'n my opinion i had to configure openvpn server adding the push command with subnet, net mask and 
05:31 < Deus3X> i really don't understand why the openvn server will not accept the second gateway
05:33 < Deus3X> my situation is similar to the one explained on that post https://www.clearos.com/clearfoundation/social/community/openvpn-and-multiple-subnets/likes#filter-sort
05:33 <@vpnHelper> Title: OpenVPN and multiple subnets (at www.clearos.com)
05:42 < Deus3X> anyway... i got a solution...
05:42 < Deus3X> -A POSTROUTING -s 10.2.2.0/24 -o tun+ -j MASQUERADE
05:43 < Deus3X> :)
05:44 < BtbN> That's NAT, not anything routing related.
05:44 < BtbN> It'S all private networks, you don't need NAT
05:46 <@ordex> and will work only one way
05:46 < Deus3X> ?
05:46 <@ordex> connections can be established only from 10.2.2.0/24 to outside, not the other way around
05:47 < Deus3X> on server.conf i have added push "route 192.168.2.0 255.255.255.0"
05:48 < Deus3X> openvpn client can connect to 192.168.2.0 network (tun1)
05:49 < Deus3X> what i'm missing?
06:48 < ninjalf2> !goal I would like to setup a gateway that forwards all traffic through my main gateway (home router) and then through an OpenVPN server so that I can connect to my normal gateway to browse unencrypted and through the VPN gateway to browse anonymously. I would like to avoid subnets too, so that I can access machines on my local subnet
07:47 < Pip_> Hi what protocol does OpenVPN use?
07:49 <@ordex> Pip_: it's a custom made protocol based on TLS (but not using the standard TLS implementation)
09:37 < ninjalf2> !goal
09:37 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:24 < Deus3X_> hi
11:25 < Deus3X_> i'm following setup of my server.... and now i have an error on client side...
11:25 < Deus3X_> daemon.err openvpn(CLOUD)[2618]: TCP/UDP packet too large on write to [AF_INET]ip:port (tried=1560,max=1558)
11:25 < Deus3X_> is an MTU problem?
11:49 <@dazo> Deus3X_: yes, that sounds like MTU issues
11:49 <@dazo> but that line alone may be false alarm .... it depends on the rest of the log file
11:50 < Deus3X_> i only have that message spamming
11:50 <@dazo> if you have --verb 4, you will have more details
11:50 < Deus3X_> i will add
11:50 < Deus3X_> tnx
11:52 <@dazo> and some of the clues will be in the first lines related to the setup of the connection
12:53 -!- Murda__ is now known as Murda
13:25 -!- krzie [40207a28@openvpn/community/support/krzee] has joined #openvpn
13:25 -!- mode/#openvpn [+o krzie] by ChanServ
13:50 < FlonnorMayGregor> I'm experiencing a certain oddity
13:51 < FlonnorMayGregor> I have a vpn that I can ping and get ~70ms rtt consitently
13:52 < FlonnorMayGregor> I have an openvpn server listening there, and when I connect to it, the server's ip is 10.9.8.1, and when I ping it I get ~+90ms rtt instead
13:52 < FlonnorMayGregor> what might be causing this increase of latency?
13:54 < FlonnorMayGregor> I'm running oenvpn on a debian 8 server, and I have the standard iptables rules setup to permit, and nat traffic from tun1
15:49 <@krzie> FlonnorMayGregor: i dont know of measurements, but i do know there should be some added time due to the fact that packets traverse kernel land to userland and back
16:31 < mete> FlonnorMayGregor: what OS is installed on the client side?
18:11 -!- krzie [40207a28@openvpn/community/support/krzee] has quit [Quit: Page closed]
19:00 -!- dionysus70 is now known as dionysus69
19:54 <@ordex> aloha people
19:54 <@ordex> :]
19:56 < as2333> so,  routing vpn connections through tor fools cloudlare (shitflare) apparently
20:03 <@ordex> as2333: what do you mean exactly with fools ?
20:04 <@ordex> if you connect to a VPN server on top of tor ?
20:04 < as2333> well, you dont get the idiotic captchas you get if you use tor
20:04 <@ordex> ah
20:05 <@ordex> yeah because the IP cloudfare sees it's the IP of the VPN server
20:05 <@ordex> even if you don't have tor the effect is the same
20:05 < as2333> yes
20:05 <@ordex> with the difference that the VPN server knows your IP
20:05 < as2333> right
20:05 < as2333> I'm not sure why they don't serve captchas to vpn users too.
20:05 < as2333> they should if they were consitently retarded
20:06 <@ordex> well, maybe the vpn server is not known to them
20:06 <@ordex> I don't know what DB of IPs they use to determine that
20:07 < as2333> hm, that seems unlikely cause I've tried public vpn servers
20:08 <@ordex> or maybe the VPN server made an agreement to avoid that
20:08 <@ordex> given that they know who is connecting
20:08 < as2333> could be
20:09 < as2333> that seems more plausible than cloudflare not knowing
20:09 < as2333> (that a given IP addy is a vpn server)
20:09 <@ordex> yap
20:09 < as2333> so...that's why it makes sense to connect to the vpn server thru tor...
20:10 <@ordex> that might be the cloudfare business model: we block everybody unless you guys pay us
20:10 <@ordex> :D
20:10 <@ordex> as2333: but aren't you registered to the VPN provider ?
20:10 <@ordex> made a payment to them? or given the email, etc ?
20:10 < as2333> no
20:10 <@ordex> ah totally anonymous ?
20:10 <@ordex> $random ?
20:12 < as2333> http://www.vpngate.net/en/
20:12 <@vpnHelper> Title: VPN Gate - Public Free VPN Cloud by Univ of Tsukuba, Japan (at www.vpngate.net)
20:13 < as2333> as to cloudflare's business model....I'm now assuming that many people use their 'free' 'servcices'
20:14 < as2333> they give 'protection' for free. So they must be selling all the data they collect by spying to....somebody.
20:14 <@ordex> hehe no clue to be honest
20:15 < as2333> in other words, it seems rather plausible that shitflare is a front for the US govt
20:20 <@ordex> maybe the don't block you on purpose :P
20:22 < as2333> could be  -  I need to do some more testing then =)
20:25 < as2333> for what it's worth in the tor support channel they don't 'advise' you to do this at all.
20:26 < as2333> but their reasons why it's a bad idea are pretty unconvincing
20:44 < FlonnorMayGregor> krzee, mete: I don't think the delay should be that high, specially since I've already done this setup in the past with no increase in original latency. The os I'm using is debian 8
20:45 <@ordex> FlonnorMayGregor: I agree you should not see somuch delay
20:46 <@ordex> FlonnorMayGregor: so basically you are comparing the ping results when pinging the public IP of the VPN server vs the VPN IP of the VPN server ?
21:14 < FlonnorMayGregor> yes
21:15 < FlonnorMayGregor> but all pings increase by the same amount
21:16 < FlonnorMayGregor> I mean, pinging the server outside the vpn gives regular ping, and through the vpn they increase by the same amount, like globably
21:16 < FlonnorMayGregor> I mean, to all hosts, including of course the vps server itself
23:23 -!- abenz__ is now known as abenz
23:50 < ah-donny> !welcome
23:50 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
23:50 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
--- Day changed Tue Aug 22 2017
00:13 < ah-donny> My openvpn clients seem to have suddenly stopped being able to access the internet when connected. I can see local LAN devices. Its probably firewall since I was playing around with it but I reverted all the changes (well seems like i've missed something). Is there anything you can point to that I could check?
00:21 < ah-donny> nvm found it.
00:21 < ah-donny> Stupid gateways and groups
02:56 < Bogdar> Hello all! Are there any recommended approach to have groups of users and per-group access control with OpenVPN server? I'm reading about VLAN patchset, but it seems to use TAP+bridging which is not recommended in topic. Sure I need external authentication with LDAP or RADIUS.
03:22 <+hyper_ch> run multiple openvpn server instances?
05:12 < Bogdar> hyper_ch, in multi-instance case I have to update client configs (at least port number) each time I move the client from one group to another.
05:17 <+hyper_ch> yep :)
05:18 <+hyper_ch> I don't know what "groups" you have or how members get shuffled accross them
05:18 <+hyper_ch> it was just one option
06:27 < desnudopenguino> so, i'm trying to set up a quick static key vpn tunnel so I can connect to my home net from elsewhere. when I connect, I can access the openvpn server, but nothing else on my lan, anyone have any ideas?
06:34 < desnudopenguino> ah, i didn't enable ip forwarding, d'oh!
06:35 < Bogdar> desnudopenguino, set up masquerading
06:35 < Bogdar> despite IP forwarding you neet masquerading, because host in your LAN don't know how to reach VPN client subnet
06:36 < Bogdar> Sure, if you have control over gateway on that network you may set up static routes instead NAT.
06:37 < desnudopenguino> masquerading is an openvpn setting?
06:37 < desnudopenguino> the term is new to me
06:43 < Bogdar> desnudopenguino, this is not a part of OpenVPN. The operating system. You probably know it as SNAT.
06:43 < desnudopenguino> ok
07:29 <@dazo> Bogdar: you should not setup masquerading to an internal network!
07:30 <@dazo> desnudopenguino: this goes a bit beyond your static tunnel .... but it is quite related ... https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN#Configuringthenetworklayer
07:30 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
07:31 <@dazo> desnudopenguino: you need proper routing, IP forwarding and possibly firewalling setup correctly ... then you'll be able to access things directly as you where at home
07:36 < desnudopenguino> @dazo: thanks
07:39 <@dazo> desnudopenguino: btw ... I would highly recommend you (when your setup works) to generate CA certificates, client and server certs ... then replace --secret with --tls-{client,server} together with --ca, --key, --cert (and on server side --dh)
07:40 < desnudopenguino> k, yeah this just started out as something simple, but my lan stuff is growing (local dns, web proxy, firewall and all)
07:44 <@dazo> heh .... yeah, been there, done that :)  Still running ... things got easier to handle once I setup FreeIPA though :)  (have now ~10 VMs, servers, laptops enrolled)
07:51 < desnudopenguino> nice
07:51 < Dougy> hi dazo
07:54 < desnudopenguino> i have some networking stuff to learn first haha. i'm running openbsd with pf for the firewall, and i haven't done much fw work yet, nor real NAT/routing stuff so that's where I'll start
07:56 < desnudopenguino> for some strange reason, I'm unable to ssh to one of my vm's over the vpn, but the others all work fine.
07:57 < mete> FlonnorMayGregor: had once such a problem with the windows client, because of that I asked ;)
08:33 < Stuart12345609> Hi, I was wondering if anyone would be able to help me connecting to a client on my android phone?
08:36 < Dougy> wat
08:37 < Stuart12345609> Basically I have created a .ovpn file and copied it to my android device. But when I import it and try to connect I get the following error: "OpenVPN core error: PolarSSL: error parsing config private key: PKCS5 - Requested encryption or digest alg not available"
08:37 < Stuart12345609> But if I try to use it on windows, it connects fine
08:38 < _FBi> OVPN does work on android
08:39 < Stuart12345609> ive had it working before to a different server
08:40 <@ecrist> EasyRSA v3.0.3 is released.  Mainly fixes windows distribution problems.
08:41 <@ecrist> OpenVPN Community Support Channel || PLEASE read entire /topic || Current Release:2.4.3 (21 June 2017) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || Your problem is probably firewall. Really || TAP/bridging is almost always a bad idea || Vulninfo: !heartbleed !poodle !ovpnuke !sweet32 || EasyRSA v3.0.3 Released!
08:42 -!- ecrist changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire /topic || Current Release:2.4.3 (21 June 2017) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || Your problem is probably firewall. Really || TAP/bridging is almost always a bad idea || Vulninfo: !heartbleed !poodle !ovpnuke !sweet32 || EasyRSA v3.0.3 Released!
08:42 <@ecrist> that works better
08:46 < _FBi> heh
08:47 < _FBi> morning ecrist
08:47 <@ecrist> howdy _FBi 
08:47  * _FBi tips hat -- cowboy'esk
08:48 < Stuart12345609> any ideas how i can get it working?
08:49 < _FBi> is it configured correctly?
08:49 < Stuart12345609> yeah i tried the came file on windows but doesnt work on android
08:49 < _FBi> looks like youre using an encryption that the server doesn't have
08:49 < Stuart12345609> right.. how do i fix that lol
08:50 < _FBi> edit the config
08:51 < _FBi> use only ones that are supported
08:51 <@ordex> Stuart12345609: what client are you using ?
08:51 <@ordex> is it openvpn connect ?
08:51 < Stuart12345609> yes
08:52 <@ordex> if so, please check the topic :)
08:52 <@ordex> !as
08:52 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
08:52 < Stuart12345609> !as
08:52 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
08:52 < Stuart12345609> Cheers!
08:52 <@ordex> Salut!
08:54 < Stuart12345609> out of interest fbi how do i hceck what encryption is supported?
08:54 < Stuart12345609> check*
08:55 -!- abenz_ is now known as abenz
08:55 <@ordex> Stuart12345609: that is likely a client problem, not a server one
08:55 < _FBi> by device or server?  either way -- I don't know.  You should be able to install them in a server
08:57 < Stuart12345609> ok i'll try have a look into it
10:27 < shaggycat> Hi all! I have a question - I have openvpn server, and several of clients. The openvpn server has direct access to one network. All clients has an access to this network. But, clients hasn't an access to each other. I have client-to-client an option in server's config. So, clients can ping other hosts (including not-VPN IP, IP of the internal client's LAN), and has an access to http server in client's LAN. But ssh doesn't
10:27 < shaggycat> work anyway :( But ssh works in the openvpn server!
10:27 < shaggycat> also, If I use connection via LTE and smartphone, I can't ping other client's hosts too
10:27 < shaggycat> I tryed to change mssfix and other options, but it doesn't help
10:29 < shaggycat> why ssh doesn't work via vpn in the clients, but works in openvpn server to each client?
10:29 < shaggycat> i mean connection via openvpn network from client to another client's network
10:30 < shaggycat> Also, host of the openvpn client also doesn't permit connections
10:30 < shaggycat> but it permits it from openvpn server
10:30 < shaggycat> and I have this situation in several of sites :(
10:31 < shaggycat> it's openvpn server's config: https://pastebin.com/fWi8GTdZ
10:32 < shaggycat> it's client's config: https://pastebin.com/LHqQB3Cs
11:29 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
11:29 -!- mode/#openvpn [+o novaflash] by ChanServ
11:39 -!- abenz_ is now known as abenz
12:13 -!- Irssi: #openvpn: Total of 279 nicks [10 ops, 0 halfops, 3 voices, 266 normal]
12:53 -!- xemdetia_ is now known as xemdetia
16:41 < fas3r> Hello
16:43 < fas3r> I would like to setup openvpn with Okta plugin for the authentication. However, is it necessary to use TLS for that ? Basically generating a certificate by user is not practical for us and I was wondering if we can not use a shared key ?
16:43 < fas3r> Thank you by advance.
17:49 -!- svm_invi_ is now known as svm_invictvs
19:33 <@ecrist> fas3r: yes, you can choose to use a common certificate
19:33 <@ecrist> you can set openvpn with --client-cert-not-required (or something similar)
19:33 <@ecrist> in that mode, it acts more like a web browser
19:33 < fas3r> oki
19:33 <@ecrist> I recommend using tls-auth, though
19:35 < fas3r> ecrist, ok great. That was my next question. Thank you.
20:12 <@ordex> hi there
20:23 < fas3r> Is it possible to use --secret options and the dhcp/ip pool from openvpn ? Or using --secret will only works for point to point connection ?
20:26 <@ordex> fas3r: poiint-to-multipoint requires TLS, can't be used with a shared key
20:26 <@ordex> and shared key should just not be used is possible
20:28 < fas3r> ordex, ok, it's just that managing hundreds of certificates can be painful ... so as we are using okta for the authentication, I wanted to use a pre shared-keys and then initiate the authentication with okra plugin.
20:28 < fas3r> I think I will just use tis-auth without certificates auth and leave okta do the rest.
20:29 < fas3r> ( by setting client-cert-not-required as recommended by ecrist )
20:29 <@ordex> fas3r: tls-auth is another things
20:29 <@ordex> fas3r: you have to use the TLS implementation with certificates. how would the server distinguish the various clients otherwise ?
20:30 < fas3r> ordex, Okta
20:30 < fas3r> We have username/pass + MFA activated.
20:30 < fas3r> Yes tis-auth is a features which adds "extra protection" to the TLS channel by requiring that incoming packets have a valid signature generated using the PSK ke
20:31 < fas3r> y
20:31 <@ordex> fas3r: Okta is not implemented in openvpn, therefore openvpn can't use that user identification
20:31 <@ordex> so you need something that openvpn can use to distinguish users in order to apply its multipoint logic
20:32 <@ordex> and this is TLS with certificates
20:32 <@ordex> do you see what I mean?
20:32 < fas3r> ordex, it is : https://github.com/okta/okta-openvpn
20:32 <@vpnHelper> Title: GitHub - okta/okta-openvpn: IMPORTANT: OpenVPN natively supports RADIUS, and integrating OpenVPN with Okta via RADIUS is Oktas recommended method: (at github.com)
20:32 <@ordex> it's on a different layer
20:33 < fas3r> What do you mean by " apply it's multipoint logic " ?
20:34 <@ecrist> ordex: you don't have to distribute certificates to clients
20:34 <@ordex> ecrist: oh ok, can clients connect withouta certificate then ?
20:34 <@ecrist> yes
20:34 <@ecrist> in that mode it behaves like a browser
20:35 <@ecrist> that's why I recommend tls-auth or tls-encrypt so that it prevents DDoS or password attacks
20:36 < fas3r> Thanks for your help guys, really appreciate :)
20:37 <@ordex> ecrist: haven't got what you mean: how can you do P2MP without giving clients the certificates?
20:44 <@ecrist> ordex: see --client-cert-not-required and --verify-client-cert none|optional|require
20:44 <@ordex> ecrist: you mean this: --client-cert-not-required (DEPRECATED) ?
20:44 <@ordex> :D
20:45 <@ordex> ecrist: oh ok, because we want users to use --verify-client-cert
20:45 <@ordex> sorry :P
20:45 <@ordex> ecrist: this means no key exchange will be performed? so no encryption? or a static key can be used in this case?
20:45 <@ordex> ecrist: but ccd won't work, right? because that's explicitly based on the CN
20:47 <@ecrist> ordex: there is encryption
20:47 <@ecrist> the same way a web browser works
20:47 <@ordex> oh hat's what you mant with the browser thing
20:48 <@ordex> *that's
20:48 <@ordex> so TLs is still there, just no cert from the client is provided
20:48 <@ordex> I see
20:48 <@ordex> but still, how about ccd, it should not work, no ?
20:48 <@ordex> or will it use the username ?
20:48 <@ecrist> it uses the username
20:49 <@ecrist> ordex: see --username-as-common-name
20:49 <@ecrist> you should really try reading the man page some time
20:49 <@ecrist> ;)
20:49 <@ecrist> or, better yet, a book!
20:49 <@ecrist> !book
20:49 <@ordex> ecrist: I do! but I stop when I find what I need :P
20:49 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
20:49 <@ordex> ah!
20:49 <@ordex> nah
20:49 <@ordex> you can't take me into that :D
20:49 <@ordex> I only read the code :P
20:49  * ecrist shamless plug
20:56 <@ordex> ecrist: shame on me :P
21:39 -!- novaflash is now known as novaflash_away
21:40 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 240 seconds]
21:41 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
21:42 -!- mode/#openvpn [+o syzzer] by ChanServ
22:08 -!- novaflash_away is now known as novaflash
--- Day changed Wed Aug 23 2017
00:05 -!- Netsplit *.net <-> *.split quits: @syzzer
00:07 -!- Netsplit over, joins: syzzer
00:07 -!- mode/#openvpn [+o syzzer] by ChanServ
01:19 -!- sunrunner20_ is now known as sunrunner20
05:15 -!- abenz_ is now known as abenz
05:34 < tped> !welcome
05:34 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
05:34 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
05:36 < tped> !1925
05:36 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
05:37 < tped> !goal I would like to register an account on openvpn.net for license purchase
05:38 < tped> !ask
05:38 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
05:39 <@ordex> !as
05:39 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
06:48 <@novaflash> wow i haven't been here in ages
06:48 <@novaflash> well, that was fun
06:51 -!- Kryczek_ is now known as Kryczek
10:07 -!- abenz_ is now known as abenz
11:37 < ryan-c> !welcome
11:37 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
11:37 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
11:38 < ryan-c> !1925
11:38 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
11:38 < ryan-c> !tap
11:38 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the
11:38 <@vpnHelper> protocol uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
11:39 < ryan-c> !tunortap
11:39 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
11:39 <@vpnHelper> rooted/jailbroken) support only tun
11:53 < blizzow> My VPN is connecting to a LAN where all hosts are using jumbo frames (9000 MTU). When I try and access some services on that LAN, I get errors about hosts sending packets back to my client that are too large. I added link-mtu 9000 to my openvpn client and am still getting the errors. What's the right way to get my VPN client speaking in Jumbo Frames?
12:19 < BtbN> If you have Windows Client, I think it's simply not possible, as the Tap-Driver doesn't support it.
12:19 < BtbN> Otherwise it shouldn't be more than setting tun-mtu accordingly.
12:20 < BtbN> You should not touch link-mtu at all
12:20 < rob0> wouldn't it require that MTU for the whole path?
12:21 < BtbN> It'd just fragment it
12:34 -!- r00t^2 is now known as jth4n
12:34 -!- jth4n is now known as r00t^2
12:39 < blizzow> I'm having really weird behavior. My client is linux based. The host I'm trying to manage on my LAN is linux based. I'm able to connect to the server via ssh. When I try and connect to the host via libvirt, I get a message saying: packet 1349281117 bytes received from server is too large, want 33554432.
12:39 < blizzow> Strangely, I'm able to connect to other service on other servers on the same LAN.
12:40 < blizzow> I verified that the network config is the same between both hosts on my LAN. :/
12:40 < BtbN> That's not an MTU issue
12:40 < BtbN> I'd say its entirely unrelated to OpenVPN
12:41 < BtbN> Maybe a version mismatch between your virt-thingy versions. Better ask somewhere about it where people know it.
12:43 < blizzow> strangely, if I run the virt-thingy from another host directly on the LAN, there are no problems.
12:43 < BtbN> Is it the same version everywhere?
12:45 < blizzow> Yeah.
13:46 < FlonnorMayGregor> I have already setup my client.conf inside /etc/openvpn
13:46 < FlonnorMayGregor> and succesfully, started the openvpn service via systemctl start openvpn@client
13:46 < FlonnorMayGregor> if I do systemctl enable openvpn@client, which I already have, can I trust that systemd will initiate this service on startup?
13:49 < rob0> that would be a question for #your-distro-here
13:50 < rob0> systemd is not a part of openvpn
13:52 < FlonnorMayGregor> nvm
13:52 < FlonnorMayGregor> I already tried it and it did wrkk
13:52 < FlonnorMayGregor> thans anyways
15:00 < Barudaret> Good day, everyone.  I'm signed in through matrix, so I don't know if my client is spamming something without me seeing it.  If anything like that happens, please let me know.
15:51 < Barudaret> Alrighty, so I'm trying to connect to the VPN for a class with `openvpn --config /path/to/client.ovpn`... This does work, I can successfully connect to the vpn and my internet traffic does get routed through the vpn.  Problem is, local DNS doesn't work.  There are local domains like "vcenter5.ciscloud.local" which can't be resolved.
15:53 < Barudaret> On Windows openvpn clients, the DNS does get routed.  I'm on a linux client, though, where it does not.  I wanted to test to make sure it's actually a DNS issue, so I pinged one of the domains from a windows client and got the IP address.  I connected to that IP on my linux client and it worked, but the local domain name does not resolve.
15:53 < Barudaret> What should I do to make DNS work?
15:59 < Barudaret> If it helps, I'm working with my Fedora-linux laptop right now.  But the same thing goes on with my Gentoo-linux desktop
16:31 < rob0> !dnsmasq
16:31 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
16:31 < rob0> ^^ ought to be just what you need
16:45 < fas3r> Hello
16:45 < fas3r> Can I use a third party certificate with openvpn ?
16:47 < rob0> fas3r, I suppose, but why would you want that?
16:47 < Barudaret> rob0: Thanks my man.  I am connecting to the school's vpn, so I don't know if they have dnsmasq installed on their server or something else.  Would dnsmasq work with a server that is something other than dnsmasq?  Sorry for the dumb question.  I don't know a thing about vpns
16:47 < rob0> you'd run dnsmasq on your own machine
16:48 < rob0> you said you had Linux clients
16:50 < fas3r> rob0, to avoid the usage of self-signed certificat.
16:51 < rob0> fas3r, the whole point of the self-managed SSL CA is that *you* are the one who decides who gets access.
16:51 < rob0> Do you want letsencrypt to decide who connects to your VPN?
16:57 < Barudaret> rob0: I'll give that a shot later today and will let you know how it goes.
16:57 < Barudaret> Thanks
17:01 < rob0> yw
18:54 < |Mike|> aloha!
19:13 <@ordex> morning
20:48 <@ordex> |Mike|: aloha!
20:57 <@ecrist> suuuuuup bitches?
21:00 <@ordex> butp
21:00 <@ordex> buRp
22:46 -!- abenz_ is now known as abenz
--- Day changed Thu Aug 24 2017
02:40 -!- abenz_ is now known as abenz
04:50 < nohitall> hi guys!
04:51 < nohitall> having this https://community.openvpn.net/openvpn/wiki/259-tap-win32-adapter-is-not-coming-up-initialization-sequence-completed-with-errors issue on windows 10 machine, I tried all suggested things to do and googled but nothing seems to help.
04:51 <@vpnHelper> Title: 259-tap-win32-adapter-is-not-coming-up-initialization-sequence-completed-with-errors – OpenVPN Community (at community.openvpn.net)
04:51 < nohitall> Anyone got other ideas except checking dhcp service and reseting tcp stack?
04:51 < nohitall> or is there some known issues with win10
04:55 < minikdo> hi, when I'm using ovpn in a local network I have to set up remote to 192.168.x.x but when I'm away I always have to change my config to set remote for external ip. Is there any way to set it up that way so would have to change it when I travel away from my local network? thanks
04:55 < adac> if I have a server with openvpn 2.4.0 will clients with 2.3.0 still work?
04:56 < adac> *2.3.x
04:57 < BtbN> I'd guess it depends on the Server configuration.
04:59 < adac> BtbN, Hmm Maybe it only works when I allow the default cipher
04:59 < adac> https://community.openvpn.net/openvpn/wiki/SWEET32
04:59 <@vpnHelper> Title: SWEET32 – OpenVPN Community (at community.openvpn.net)
05:01 < adac> Wondering if old vpn clients on android then still do work if I dissallow the default cipher
05:01 <@ordex> adac: it works when you allow clients to use the cipher they support
05:02 < adac> ordex, hmm yes but old clients probably do only support the one that is vulnerable to SWEET32 or?
05:02 <@ordex> adac: absolutely not
05:03 <@ordex> 2.3 clients can still use AES-256-CBC for example
05:03 <@ordex> consider that 2.4 supports a simple negotiation logic
05:03 <@ordex> so you can allow 2.4 clients to use the preferred GCM version of AES, while 2.3 can still use CBC
05:04 <@ordex> check the man for --cipher and --ncp-ciphers
05:04 < adac> ordex, OK I see, thanks!
06:16 < ninjalf2> I would like to setup a gateway that forwards all traffic through my main gateway (home router) and then through an OpenVPN server so that I can connect to my normal gateway to browse unencrypted and through the VPN gateway to browse anonymously. I would like to avoid subnets too, so that I can access machines on my local subnet
06:31 < ninjalf2> My inspiration came from this link https://trick77.com/how-to-set-up-transparent-vpn-internet-gateway-tunnel-openvpn/ however, as I am able to connect to the gateway and get access to the local subnet (just as with the regular home router gateway), I am not able to get access to the Internet
06:31 <@vpnHelper> Title: How to set up a transparent VPN Internet gateway tunnel using OpenVPN | trick77.com (at trick77.com)
07:14 < adac> ordex, you wrote "so you can allow 2.4 clients to use the preferred GCM version of AES, while 2.3 can still use CBC" does that mean I have to allow CBC in order to still make clients < 2.4.x to be accessed on the server, right=
07:14 <@ordex> adac: I think so
07:14 <@ordex> I haven't played with it myself
07:14 <@ordex> dazo might help here
07:16 < adac> ordex, that was also how I understood it from reading in the internets.
07:16 < adac> Hmm ok lets wait for dazo :)
07:16 < adac> You knwo it does not make much sense to still allow a insecure mechanism for older clients if one wants to stay secure.
07:16 < adac> Just my opinion
07:19 <@ordex> right
07:19 <@ordex> but CBC is not insecure
07:19 <@ordex> just a bit weaker than GCM when compared on the broader scale
07:19 <@ordex> but it isnot broken (like BF-CBC)
07:20 <@ordex> adac: and if you want to allow 2.3 clients to connect, you have to use something they can speak, otherwise they won't be able to establish the connection
07:20 <@ordex> adac: but with this mechanism you can at least default to something stronger while having a little door for who is not there yet
07:20 <@ordex> for example you can use this mechanism for a transition period
07:21 < adac> ordex, true good point
07:21 < adac> thanks!
07:21 <@ordex> np :0
07:21 <@ordex> :)
07:22 < adac> ordex, it is a pain in the ass not so much for the servers to update the client, but all the other devices of the co-workers and so on
07:22 <@ordex> adac: yup, that's why this ncp feature is so handy :)
07:24 < adac> ordex, Do I have to explicitly need to set this up, or do clients with version 2.4.x automagically connet with the stronger cipher actually? Do you know that perhaps?
07:25 <@ordex> I know the 2.4 will try to upgrade to GCM on its own, but I can't remember if that happens "always" or under certain settings
07:25 <@ordex> you can play with it :)
07:30 < adac> ordex, need to check. But I have still everywhere 2.3.x :P
07:30 <@ordex> heh
07:46 < JackWinter_> hi, i want to create a new pki with easy-rsa, since my mine is quite old and i think the keys i generated back then aren't up to snuff nowdays.  are there any recommendations as to what keylengths, etc to use?
07:49 < adac> ordex, Now I installed a newer openvpn client locally. How can I check which cipher it actually uses?
07:49 <@ordex> you can check the log
07:50 <@ordex> it says what gets negotiated once the handshake is done
07:58 < adac> ordex, hmm when I run the client without deamon like  openvpn my.conf  I only get this output: https://gist.github.com/anonymous/2c7501e8c08c4d72d09ab21e14c2c5d7
07:58 <@vpnHelper> Title: gist:2c7501e8c08c4d72d09ab21e14c2c5d7 · GitHub (at gist.github.com)
07:59 <@ordex> I guess you are not using --verb 4, aren't you?
08:01 < |Mike|> JackWinter_: what version are you running?
08:01 < adac> sudo openvpn --verb 4
08:01 < rgrundstrom> Hello
08:01 < adac> Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: verb (2.4.3)
08:02 < |Mike|> verb 4 is a setting for your config adac
08:02 <@ordex> you can't run openvpn only with that
08:02 <@ordex> adac: add it to your config
08:02 <@ordex> like all the other settings
08:02 <@ordex> !log
08:02 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
08:02 <@ordex> !logs
08:02 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
08:03 <@ordex> !whoami
08:03 <@vpnHelper> ordex
08:03 <@ordex> vpnHelper: !
08:03 < adac> ordex, ahh ok thank you very much
08:03 < |Mike|> haha ordex
08:04 <@dazo> adac: whazzup?
08:05 < rgrundstrom> I was looking to setup a 3 way openvpn connection. Or is openvpn just used for client to server connections?
08:06 < |Mike|> !goal
08:06 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:06 < adac> dazo, Hi! my question was:
08:06 < adac>  ordex, you wrote "so you can allow 2.4 clients to use the preferred GCM version of AES, while 2.3 can still use CBC" does that mean I have to allow CBC in order to still make clients < 2.4.x to be accessed on the server, right=
08:07 <@dazo> adac: ahh, I see ... don't worry about GCM vs CBC ... they are both reasonably secure.  But what comes before CBC is critical.   BF-CBC is considered broken, AES-CBC is still considered secure
08:07 < adac> ordex, with my client 2.4.0 now it says with verbose:
08:08 < adac> Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
08:08 <@ordex> :)
08:08 < adac> so I think we are cool 8-)
08:08 <@dazo> GCM is better than CBC as it does the authentication and decryption in one operation ... while CBC needs HMAC on top of it
08:08 < adac> dazo, need to check how my 2.3 clients do connect
08:08 < adac> with which cipher
08:09 <@dazo> adac: openvpn 2.4 server and clients, when --ncp-disabled is *not* used will automatically upgrade to AES-256-GCM
08:09 <@dazo> adac: for 2.3 clients .... using --ncp-ciphers on the server side, clients can use any --cipher value enlisted in --ncp-cipher
08:10 < adac> dazo, ok I see. thank you a lot
08:10 < adac> and thank you too ordex
08:10 <@dazo> I presume you have looked into the Fedora package (where we do some "migration magic" for F-27)
08:11 <@dazo> we enlist BF-CBC in the --ncp-ciphers on the server profile, as many have configurations _not_ listing --cipher ... or uses --cipher BF-CBC in the client configs .... this ensures those clients won't break when server is upgraded
08:11 <@dazo> then you can take each client, one-by-one and either migrate to openvpn 2.4 (the best approach) ... or swap/insert --cipher AES-256-CBC or AES-128-CBC
08:12 <@dazo> (as openvpn 2.3 does _not_ support AES-*-GCM)
08:16 < adac> dazo, ordex this is how my 2.3 clients atm seem to connect:
08:16 < adac> Thu Aug 24 15:12:14 2017 us=837587 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
08:16 < adac> Thu Aug 24 15:12:14 2017 us=837663 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
08:17 <@dazo> adac: right, that's the 2.3 default --cipher .... if you just add --cipher AES-256-CBC to your client config, it should connect properly without that warning
08:17 <@ordex> dazo: wouldn't be better if he would deny that on the server at all?
08:17 <@ordex> I mean, reject BF-CBC
08:17 <@ordex> (if he wants)
08:18 <@dazo> ordex: we will do that later on ... but we can't upgrade Fedora packages (I presume this is Fedora related) without having some kind of backwards compat feature
08:18 < adac> what would happen with the 2.4 clients when I set: --cipher AES-256-CBC
08:18 < adac> would they then also use that?
08:19 <@dazo> adac: they would still go for GCM ... unless you also add --ncp-disable
08:19 <@ordex> dazo: if the user specifies another set of --ncp-cipher, wouldn't that override what Fedora is configuring ?
08:19 <@dazo> so having --cipher AES-256-CBC and ship to both v2.4 and v2.3 clients are considered safe
08:20 <@dazo> ordex: correct ... so they can reject it at some point too
08:20 <@ordex> oky
08:20 <@dazo> but many want to have done the client  migration first ;-)
08:20 <@dazo> s/done/completed/
08:21 < adac> dazo, OK I see, thanks!
08:21 <@dazo> adac: regarding --ncp-disable .... that is a v2.4 option, so if that is used in a 2.3 client config it won't start
08:21 < adac> Is there  way to solve this on server side?
08:22 <@dazo> solve what? --cipher?
08:22 < adac> Or do I ahve to set this on the client side?
08:22 < adac> yes
08:22 <@dazo> it is solved by upgrading clients to v2.4 ;-)
08:22 <@dazo> NCP is a result of wanting to manage client side ciphers from the server
08:23 < adac> hehe ok :D
08:23 <@dazo> and we're also looking into making --cipher pushable from client-config-dir configs too ... but that will require 2.4+ clients too
08:25 < adac> With my current configuration (client and server) I have just seen that when I have to do nothing but upgrade to 2.4 clients (server is 2.4 already)
08:25 < adac> then it already uses Cipher 'AES-256-GCM'
08:26 <@dazo> that's right, 2.4 clients against 2.4 servers upgrade automatically, which was the intention of NCP
08:26 < adac> I would need to upgrade all my client configs though. that can well be done
08:26 <@dazo> so the trick with adding a different --cipher in v2.3 and older clients are considered "poor man's NCP" ... it's not automated, but works
08:26 < adac>  --cipher AES-256-CBC
08:27 <@dazo> right
08:27 < adac> Ok now I see a loooot clearer
08:27 < adac> thanks again! You are very nice people!
08:28 < rob0> but we're working on that
08:28 <@dazo> oh, thanks! :)
08:28 <@dazo> hehehe
08:28 <@dazo> rob0: I had a bad day today, so I forgot my proper modus operandi
08:28 <@dazo> :-P
08:29  * rob0 files a report
08:29 < adac> :D
08:30 < adac> lol I get now: Thu Aug 24 15:25:20 2017 Cipher algorithm 'AES-256-GCM' not found (OpenSSL)
08:30 < adac> when I try it on one of my clients
08:30 <@dazo> which client is that?
08:30 <@dazo> version?  os?
08:31 < rgrundstrom> Here is what i would like to do. Is it possible with openvpn? https://justpaste.it/1agdq
08:32 < adac> dazo, it is: Thu Aug 24 15:25:20 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
08:32 < adac> Ubuntu 16.04.1 LTS
08:32 < rob0> rgrundstrom, not viewable in lynx
08:33 < rob0> oh, an image
08:33 < rgrundstrom> rob0: Yes :) an image says more then words :)
08:33 < rob0> of course, just two instances of openvpn on each endpoint
08:33 <@ordex> rgrundstrom: you could create 3 P2P tunnels
08:34 <@ordex> or also client/server with one client each and yes 2 instances per host (like rob0 says)
08:34 < rob0> I actually did a 6-node mesh once, same idea but more instances.
08:34 <@ordex> or actually
08:35 <@ordex> tinc is more appropriate for meshing, I think
08:35 <@ordex> but that's another story
08:35 <@ordex> maybe we should implement meshing :]
08:35 <@ordex> meshing and smashing
08:35 < rgrundstrom> I was thinking 2 tap interfaces on each node. one in each direction.
08:35 < rob0> tap?  Why?
08:36 < rgrundstrom> Ok so i used the wrong term.... Im a big noob when it comes to networking :p
08:36 < rob0> !tunortap
08:36 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
08:36 <@vpnHelper> rooted/jailbroken) support only tun
08:36 < |Mike|> rob0: grab the lart!
08:37 < rgrundstrom> Its just IP traffic
08:37 < rgrundstrom> Well I need to go... Thanks everyone
08:38 < rob0> |Mike|, we didn't get the chance to apply the LART :(
08:40 <@dazo> adac: well, right ... openvpn v2.3 does not support GCM, hence I said you need --cipher AES-256-CBC on v2.3 and older ;-)
08:41 <@dazo> ordex: IIRC, but the security aspects of tinc is .... how did some security reviewers phrase it .... absent?
08:41 <@ordex> :D
08:41 < adac> dazo, Ok now I see. I managed to mix up those two already :D
08:41 < adac> thanks
08:42 <@dazo> sure, np!
08:42 <@ordex> dazo: probably ;P
08:42 <@dazo> ordex: http://www.off.net/~jme/tinc_secu.html
08:42 <@vpnHelper> Title: Security flaws in tinc (at www.off.net)
08:42 <@dazo> " It includes a description of the security (see section 1) and lists the possible attacks (see section 2). An attacker can modify packets, replay them and learn patterns of the plain text. "
08:43 < |Mike|> rob0: oops, we scared him
08:43 <@ordex> dazo: lol
08:43 <@ordex> not good
08:44 <@ordex> but these flaws are quite ... big ...
08:44 <@ordex> how come? nobody cares?
08:44 < adac> dazo, hmm now, with the correct cipher, I get the following warnings:
08:44 < adac> https://gist.github.com/anonymous/8d4e0c129bccfbc4bf2f02ed527b1c4e
08:44 <@dazo> I read some other reviews, by more known persons .... and they just started with something like "Tinc demonstrates quite well why you should not roll your own cipher implementation"
08:44 <@vpnHelper> Title: gist:8d4e0c129bccfbc4bf2f02ed527b1c4e · GitHub (at gist.github.com)
08:44 < adac> *warnings and errors
08:45 < adac> I guess I need to set this on the server too, or?
08:45 <@dazo> adac: yeah, you can fix line 2+3 by updating the server config to have --cipher AES-256-GCM
08:45 < adac> Ok I tought so, thanks!
08:46 <@dazo> as long as you have BF-CBC and AES-256-CBC enlisted in --ncp-ciphers on the server, unmodified and modified 2.3 clients can connect too
08:46 < adac>  AES-256-CBC not AES-256-GCM
08:46 < adac> right?
08:46 <@dazo> I think GCM should work, to be honest
08:46 < adac> hehehe
08:47 <@dazo> uhm ... wait
08:47 <@dazo> adac: can you pastebin the complete server config?
08:48 < adac> dazo, sure: https://gist.github.com/anonymous/e4e7a2ba02639dd47bdf720a4f3a0ba2
08:48 <@vpnHelper> Title: gist:e4e7a2ba02639dd47bdf720a4f3a0ba2 · GitHub (at gist.github.com)
08:48 <@dazo> I have the whole time presumed your server was a Fedora 27 box .... which have a tweak (I enabled that tweak)
08:49 < adac> nope ubuntu 16.04 :)
08:49 <@dazo> adac: ahh ... okay, then you need a tweak in your server config first!
08:49 < adac> dazo, I actually use this docker image for the server:
08:49 < adac> https://github.com/kylemanna/docker-openvpn
08:49 <@vpnHelper> Title: GitHub - kylemanna/docker-openvpn: 🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA (at github.com)
08:50 <@dazo> adac: add --cipher AES-256-GCM    and   --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC   in your server config
08:50 < adac> dazo, ok thanks
08:50 <@dazo> this allows 128+256 bits AES-GCM and AES-CBC ... plus the bad BF-CBC
08:51 < adac> hmm but it still would allow 128 BF-CBC right?
08:51 < adac> which we don't want maybe?
08:51 < adac> yeah as you wrote
08:52 <@dazo> yes, when you have migrated all your clients away from BF-CBC ... you can remove that from your server config's --ncp-ciphers list
08:53 <@dazo> more details on what is coming in Fedora 27 .... related to this can be found here:  https://fedoraproject.org/wiki/Changes/New_default_cipher_in_OpenVPN
08:53 <@vpnHelper> Title: Changes/New default cipher in OpenVPN - FedoraProject (at fedoraproject.org)
08:53 <@dazo> and we're going to do something in the upstream OpenVPN too, to cover all OS and Linux distros
08:53 <@dazo> (but we're not quite there yet)
08:54 < adac> dazo, Ok I see thanks!
09:51 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
09:52 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
09:52 -!- mode/#openvpn [+v RBecker] by ChanServ
12:17 < JackWinter_> |Mike|: openvpn 2.4.3 and easy-rsa 3.0.1
12:17 < JackWinter_> rather at the moment i still run an older openvpn, but this is what i'll run with the new pki
12:19 < JackWinter_> i have no need for supporting any older openvpn versions, nor to connect to any other vpns.  it's just for my private networks so that i can access it occasionally from my laptop
18:58 < |Mike|> re!
19:03 < |Mike|> JackWinter_: then just throw the old pki away and use easy-rsa :)
19:45 < BillyCrook> I keep getting TCP Resets whenever my tunnels get heavy traffic
19:45 < BillyCrook> What should I do to track down why?
19:46 < BillyCrook> TLS, Soft Reset, I mean
19:46 < BillyCrook> I put reneg secs to 0, but that has no bearing on it
19:47 < BillyCrook> !ovpnuke
19:47 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
19:47 < BillyCrook> oh, well that's not it
20:57 -!- abenz_ is now known as abenz
--- Day changed Fri Aug 25 2017
01:02 < whodat> !welcome
01:02 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
01:02 < whodat> !goal
01:02 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
01:02 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:59 < Pat2_> hello
05:03 < Pat2_> i ve some difficulties about activating A VPN config on a debian server. I ve other configuration files activated, but this one doesn't want to up the interface, but the the port is UP... i mean : when i do ifconfig, i don't see the "vpn14" interface, but when i do a netstat/ss i can see the openvpn service used by vpn14.... do you have an idea ?
05:11 < Pat2_> configuration is thus : http://paste.debian.net/plain/982974 . when i connect (i can connect) it indicates a strange error : "WARNING: 'ifconfig' is used inconsistently, local='ifconfig 172.16.69.2 172.16.69.1', remote='ifconfig 172.16.68.2 172.16.68.1'" . but i can't use a filer in VPN...
05:12 < Pat2_> i don't understant why it talks about "172.16.68.0 network" ???
05:20 < banco> Maybe you have 2 openvpn configs with the same port running?
05:20 < banco> ps aux | grep openvpn
05:20 < banco> And show the log file
05:31 < Pat2_> banco: http://paste.debian.net/982975/ we can see that the vpn14 with the port 1202 is visible with a netstat and not with the ps... maybe a bug (i am on a wheezy)
05:33 < banco> You have 11 open ports and 11 openvpn processes. You sure that you have port 1202 for vpn14 config?
05:35 < banco> Check that you don't have duplicate port for other config
05:35 < banco> cat /etc/openvpn/*.conf | grep port
05:35 < Pat2_> zut... sorry there's a n other config file with this port... descriptives files are not up to date... really sorry...
05:36 < banco> No problem
05:56 < TyrfingMjolnir> How do I configure openvpn server
05:56 < TyrfingMjolnir> I did: pkgin in openvpn
05:57 < TyrfingMjolnir> I copied server.conf from example folder to /opt/local/etc/openvpn.conf
05:58 < TyrfingMjolnir> I assume I will have to create the CERTs, and then choose a cipher; which cipher is the go to as pr today?
06:04 <@ordex> !howto
06:04 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
06:27 < TyrfingMjolnir> ordex: Which cipher to choose for ECDSA or similar?
06:33 < TyrfingMjolnir> git clone https://github.com/OpenVPN/openvpn
06:33 <@vpnHelper> Title: GitHub - OpenVPN/openvpn: OpenVPN is an open source VPN daemon (at github.com)
06:37 <@plaisthos> TyrfingMjolnir: if you really want ecdsa you need all certificates also to be ecdsa
06:37 <@plaisthos> you will then automatically get ecdsa
06:38 < TyrfingMjolnir> What is the recommended setup?
06:40 < TyrfingMjolnir> I just pulled down the current git version as smartos comes with 2.3
06:40 < TyrfingMjolnir> Not 2.4
06:47 < TyrfingMjolnir> cd openvpn
06:47 < TyrfingMjolnir> ./configure does not run
06:47 < TyrfingMjolnir> There is configure.ac however
06:48 <@plaisthos> git version of software generally don't come with autconf pregenerated
06:49 <@plaisthos> but come with a INSTALL file for you to read ;P
06:53 <@plaisthos> (your question is answered there)
06:56 < TyrfingMjolnir> I got that part
06:57 < TyrfingMjolnir> The part I do not get is how to make sure I'm using 2.4
06:57 < TyrfingMjolnir> opposed to pre 2.5?
07:11 < TyrfingMjolnir> http://termbin.com/m33o
07:14 < TyrfingMjolnir> config.log http://termbin.com/nqbj
07:17 < Fraz> Hi
07:17 < Fraz> any idea why im getting this error from the up/down scripts in my .ovpn? WARNING: Failed running command (--up/--down): could not execute external program
07:25 < |Mike|> TyrfingMjolnir: according to the log; It was created by OpenVPN configure 2.4.3, which was
07:25 < |Mike|> </cut>
07:25 < |Mike|> Fraz: eh, could you please read the topic?
07:26 < Fraz> !welcome
07:26 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
07:26 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
07:28 < Fraz> !goal I need to figure out why i am getting this error "WARNING: Failed running command (--up/--down): could not execute external program"
07:29 < Fraz> is that right?
07:33 < |Mike|> could you show us your configuration? Feel free to remove IP addresses / passowrds etc.
07:33 < |Mike|> passwords*
07:34 < banco> Fraz: Do you have +x permissions for the script? Do you have "script-security 2" option in config file?
07:35 < Fraz> banco, yes and yes
07:36 < Fraz> Here's the config: https://pastebin.com/N5kcABm5
07:37 < |Mike|> might want to remove the ' :-)
07:38 < Fraz> oh?
07:38 < Fraz> they were in the guide i followed lol
07:39 < |Mike|> Fraz: is openvpn able to read / execute the files? and the directory obviously... ?
07:40 < banco> Fraz: try to use test command instead of script
07:40 < banco> up '/bin/echo test > /var/log/openvpn_tst'
07:40 < Fraz> ok 1 sec
07:40 < Fraz> im new to all this stuff
07:42 < Fraz> where do i run that?
07:42 < banco> Paste in the config file instead of :
07:42 < banco> up '/etc/openvpn/scripts/vpn-up.sh'
07:43 < Fraz> oih i see
07:43 < banco> And check if it will create the /var/log/openvpn_tst file
07:43 < Fraz> up: not found
07:44 < banco> What if you execute this command?
07:44 < banco> /bin/echo test > /var/log/openvpn_tst1
07:45 < banco> Do you run openvpn as root?
07:46 < Fraz> i do
07:46 < Fraz> banco do you mean, /bin/echo test > /var/log/openvpn-xyz.log?
07:46 < Fraz> thats the path in my config
07:47 < banco> No, not in the log, but just test file
07:47 < banco> To test that the command works
07:47 < Fraz> oh ohhh
07:47 < |Mike|> Fraz: banco is trying to see if openvpn can create a file in /var/log :-)
07:48 < Fraz> so i need to run this from etc/openvpn right?
07:48 < |Mike|> no, just from your terminal
07:48 < |Mike|> mike@vpn:~$ /bin/echo test > /var/log/openvpn-xyz.log
07:48 < |Mike|> -bash: /var/log/openvpn-xyz.log: Permission denied
07:48 < |Mike|> like that ^
07:48 < Fraz> it doesnt say permission denied
07:48 < |Mike|> ls -slah /var/log/openvpn-xyz.log
07:49 < banco> Fraz: chack if the file is created in the /var/log
07:49 < Fraz> that log file is there its where i originally got the error from
07:49 < |Mike|> banco: he's all yours. work calls! o/
07:50 < banco> |Mike|: will try =)
07:50 < banco> Fraz: Can you post the openvpn log?
07:50 < Fraz> yeo, 1 sec
07:50 < banco> When you got this error: up: not found
07:51 < banco> afk for a bit
07:52 < Fraz> atm im testing with /usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/generic-pia.ovpn --remote germany.privateinternetaccess.com 1198
07:53 < Fraz> and heres the log, after running that
07:53 < Fraz> https://pastebin.com/0Auagm52
07:55 < Fraz> im gonna go for a quick smoke and see to the puppy
08:06 < Fraz> back
08:06 < |Mike|> Fraz: https://www.privateinternetaccess.com/installer/download_installer_linux
08:08 < Fraz> |Mike|, im using openvpn on my router with Lede
08:09 < Fraz> ive set up a seperate wifi interface to go through vpn
08:09 < Fraz> it just seems to be these scripts causing an issue
08:17 < banco> What's inside /etc/openvpn/scripts/vpn-up.sh?
08:19 < Fraz> banco, https://pastebin.com/Bv1sL1Fv
08:20 < Fraz> and down: https://pastebin.com/mpgjezJD
08:20 < banco> try to replace ip -> /sbin/ip and iptables -> /sbin/iptables
08:21 < banco> iptables -I FORWARD -o $dev -j ACCEP
08:21 < banco> ACCEP
08:22 < Fraz> sorry, that was just a copy paste error for pastebin
08:22 < Fraz> its ACCEPT in the file
08:22 < banco> Ok
08:23 < banco> Also, will it return you an error with the empty script? With just #~/bin/sh
08:24 < banco> #!/bin/sh
08:24 < Fraz> hold on im just gonna try with the replacements you suggested
08:26 < Fraz> its the same error with the replacements
08:26 < Fraz> let me try empty
08:32 < Fraz> yes the error is still there when both files have #~/bin/sh
08:33 < banco> #!/bin/sh
08:34 < banco> It's my typo
08:35 < banco> Show me the output of this command:
08:35 < banco> ls -la /etc/openvpn/scripts/vpn-up.sh
08:35 < Fraz> error is still there with #!/bin/sh
08:36 < Fraz> ohh crap
08:37 < Fraz> they DONT have x
08:37 < Fraz> i set the folder and im sure it said it set it on files too
08:37 < banco> (-_-')
08:41 < Fraz> ok seems to be connecting now:)
08:42 < Fraz> but are these option errors serious? https://pastebin.com/kSgytrEh
08:46 < Fraz> im guessing i need to change the ip addresses in the up/down scripts in order to get it working properly, but i dont know what to
08:46 < Fraz> im connected but have no internet
08:51 < banco> Fraz: do you have vpn table in /etc/iproute2/rt_tables?
08:53 < Fraz> all that is in there is this: https://pastebin.com/x7Xef9SM
08:57 < banco> Run this command:
08:57 < banco> echo 100 vpn >> /etc/iproute2/rt_tables
08:57 < banco> And restart openvpn
09:47 -!- xemdetia_ is now known as xemdetia
09:58 < BillyCrook> My goal is to eliminate "Connection reset, restarting [-1]"
10:00 <@ecrist> get a better network connection ;)
10:03 < Fraz> banco, sorry i had to go afk a bit
10:03 < Fraz> i just did what you said
10:04 < Fraz> rt_tables contents is now: https://pastebin.com/SP0ZH9f5
10:08 < TyrfingMjolnir> |Mike|: The last part of the topic I can read is TAP/bridgi
10:10 < banco> Fraz: paste the openvpn log now
10:15 < Fraz> banco, just checking, do the connected devices need a static ip or something?
10:20 <@ecrist> TyrfingMjolnir: you can type /topic and it will be printed out in your chat window
10:22 < TyrfingMjolnir> TAP/bridging is almost always a bad idea ?
10:22 < TyrfingMjolnir> |Mike|: TAP/bridging is almost always a bad idea
10:22 < TyrfingMjolnir> This was what you wanted me to read?
10:25 < TyrfingMjolnir> |Mike|: The issue at hand is to run configure
10:29 < BillyCrook> ecrist: the connection works great for all other protocols and all other sites
10:33 < BillyCrook> ecrist: iconfig shows a high number of dropped TX frames on tun0, the adapter for this openvpnserver
10:33 < BillyCrook> ifconfig, i meant
10:34 < BillyCrook> My goal is to reduce the number of dropped packets on tun0
10:35 < BillyCrook> tun is a virtual interface, so I don't expect it to be a bad network connection
10:35 < banco> Fraz: Which IP are you refering to? Virtual network IP? If you didn't specify static client IP, then server should handle the client IP distribution.
10:36 < Fraz> banco, the ip of my wifi devices
10:36 < Fraz> tv/phone etc
10:38 < Fraz> did you have any other steps to follow after restarting openvpn?
10:38 < Fraz> because i still have no internet
10:39 < BillyCrook> Here is my config: https://paste.fedoraproject.org/paste/kMLa9A2kpjAof9XxVLvS5w
10:39 < BillyCrook> I think if the server is dropping TX packets that means the server's openvpn processes aren't keeping up with demand
10:39 < BillyCrook> but cpu and mem are vastly underused
10:40 < BillyCrook> 8 cores 0.05 load, 10% ram usage, no swap usage, i don't get it
10:53 <@ecrist> enable verbosity in openvpn maybe?
10:53 < BillyCrook> its at verb 4 right now. 5 floods me to oblivion
10:55 < banco> Fraz: This IP doesn't matter. Show me the current openvpn log
11:02 < TyrfingMjolnir> What does TAP/bridging mean?
11:02 < TyrfingMjolnir> Or route vs whatever?
11:03 < TyrfingMjolnir> Is route tun?
11:04 -!- Kryczek_ is now known as Kryczek
11:07 < Fraz> banco, i dont know what the heck is going on now: https://pastebin.com/0kKW7Zks
11:22 < banco> Fraz: check that you can run the commands in the up script in the terminal
11:22 < banco> ip rule add from 10.3.4.128/25 priority 10 table vpn
11:22 < banco> etc
11:22 < banco> Check if they'll give you an error
11:23 < banco> TyrfingMjolnir: tun is routing
11:23 < banco> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
11:23 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
11:46 < Fraz> banco, i reused the original script and forgot to change ip to /sbin/ip
11:47 < Fraz> so im back to where i was, with the errors gone and connected with no internet access: https://pastebin.com/zSRUWgPS
11:54 < banco> Fraz: you need to make your routing right now
11:55 < banco> You want to have internet on client or in the 10.3.4.128/25 network?
11:55 < banco> Do you have internet on the client?
11:56 < banco> If so, you need to add default route via $ifconfig_remote for the main iproute2 table
11:56 < banco> If not*
11:57 < banco> ip route add default via $ifconfig_remote dev $dev
11:57 < banco> in the up script
12:05 -!- xemdetia__ is now known as xemdetia
14:07 -!- abenz_ is now known as abenz
14:34 < BillyCrook> Why does openvpn drop tx packets on tun0?  My goal is to have no dropped packets
14:44 < rob0> No one can answer that.  Maybe the connection to peer is lost?  Just a WAG.
16:16 < thumbs> rob0: I lose my peers all the time, too.
16:16 <@novaflash> BillyCrook: i would suggest running iperf tests without a vpn tunnel for a while to see if there is any packet loss. if there is, then obviously whatever you send over that connection will be lost too.
16:35 < TyrfingMjolnir> Which apps other than games will require "you are running applications over the VPN which rely on network broadcasts (such as LAN games)" apart from games?
16:37 < TyrfingMjolnir> Which apps other than games will require "you are running applications over the VPN which rely on network broadcasts (such as LAN games)"?
16:42 <@novaflash> TyrfingMjolnir: 'apps' that need network broadcast :-P like for example when you look up a computer in your network overview and it tries to look up other computers in the same network using broadcast packets in your local network. that type of stuff. broadcast stuff. strange question.
16:43 < TyrfingMjolnir> I only know of printers
16:43 < TyrfingMjolnir> Like avahi bonjour
16:43 <@novaflash> that's one
16:44 < TyrfingMjolnir> These are not requirements; rather like convenience stuff that was added in last iterations of the OSes I guess
16:44 <@novaflash> you got a windows machine? click in explorer on network. it does lookups of stuff using broadcast in your network. that shit don't travel over vpn.
16:44 < TyrfingMjolnir> I never run avahi in debian or linux
16:44 < TyrfingMjolnir> No Windows here
16:44 <@novaflash> ah. well there's an assumption where you are slightly wrong. it's not always about convenience.
16:44 < TyrfingMjolnir> Apples and penguins only
16:44 <@novaflash> some programmers using a network based licensing server to license software used in a network which works on broadcast basis to find the server in the local network.
16:45 < TyrfingMjolnir> I use VPN to connect to work or home
16:45 <@novaflash> could be a problem
16:45 < TyrfingMjolnir> mainly for the purpose of CIFS or ssh/scp
16:46 < TyrfingMjolnir> Also CUPS/ipp/lpr
16:47 < TyrfingMjolnir> But those are pr IP
16:48 < TyrfingMjolnir> tun then
16:48 < TyrfingMjolnir> thanks
16:49 <@novaflash> enjoy
16:49 < TyrfingMjolnir> I will ccd though
16:51 < TyrfingMjolnir> I will need ccd though, still choose tun?
16:51 < TyrfingMjolnir> tap works fine with ios
16:51 < rob0> the choice of ccd would have no bearing on tun vs. tap
16:52 <@novaflash> rob0 ! baby i'm back. feel free to roll eyes.
16:52  * rob0 rolls eyes
16:52 < TyrfingMjolnir> perfect
17:14 < TyrfingMjolnir> Which easy-rsa to use? http://termbin.com/xey0
17:15 < TyrfingMjolnir> find / -name init-config returns nothing
17:51 < Neobenedict> is openvpn the best option to set up a server/client to route all my traffic on my machine through a linux server as a vpn
18:37 < flying_sausages> Hey guys, I'm trying to configure UFW (Firewall for inux) on my server. I allowed port 1194 incoming for the OpenVPN but when I connect I cannot browse any websites. When I switch the firewall off then it works again, so this must be the culprit. Is there anything I should enable for the VPN to work?
18:45 < lsik_> hi guys
18:45 < lsik_> i would like to make my raspberry as a gateway vpn
18:45 < lsik_> https://www.tech-blogger.net/raspberry-pi-als-vpn-gateway/ - i did the very same steps
18:45 <@vpnHelper> Title: Raspberry Pi als VPN-Gateway - tech-blogger.net (at www.tech-blogger.net)
18:46 < lsik_> but the problem is error when i'm trying to run openvpn client
18:46 < lsik_> Fri Aug 25 23:36:00 2017 ERROR: Linux route add command failed: external program exited with error status: 2
18:46 < lsik_> Fri Aug 25 23:37:07 2017 /etc/openvpn/update-resolv-conf tun0 1500 1541 172.30.0.6 255.255.0.0 init
18:46 < lsik_> im not really able to understand this, even google didnt help me
18:46 < lsik_> can anybody help me? i would be really greateful for that:)
18:49 < lsik_> test
18:49 < lsik> my quassel session:)
18:50 < lsik> so, if anybody would be able to help me with this problem, that would be great
18:50 < lsik> i really want to make my rpi as a gateway vpn
18:50 < lsik> using openvpn ofc
19:15 < Neobenedict>  home/<myip>:53009 MULTI: bad source address from client [192.168.1.80], packet dropped
19:15 < Neobenedict> any ideas
19:15 < Neobenedict> no internet connectivity when the vpn is on
19:15 < Neobenedict> tons of those errors
20:46 < dirac1> Hello i'm having this problem: https://ptpb.pw/Oa8c, not sure what's wrong when i start the server via terminal it works fine.
21:05 < dirac1> .
21:29 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
22:05 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
22:05 -!- mode/#openvpn [+o krzee] by ChanServ
23:39 < banco> dirac1: Try to comment out the LimitNPROC line in /lib/systemd/system/openvpn@.service
23:46 < banco> lsik: seems like you have wrong routes, show me the full log
23:47 < banco> flying_sausages: What about forwarding and masquerade rules?
--- Day changed Sat Aug 26 2017
00:53 < lsik> banco: can I show you via PM the whole pics
00:53 < lsik> logs*?
03:23 < banco> lsik: you can send it to me in PM or upload it to the pastebin or something
03:38 < TyrfingMjolnir> find / -name init-config returns nothing
03:49 < TyrfingMjolnir> I'm here: https://openvpn.net/index.php/open-source/documentation/howto.html#pki
03:49 <@vpnHelper> Title: HOWTO (at openvpn.net)
03:54 < banco> TyrfingMjolnir: >If you are using Windows
03:54 < TyrfingMjolnir> There are no windows here
03:55 < TyrfingMjolnir> Well, the house has Windows
03:55 < banco> init-config is windows batch file
03:55 < banco> For easy-rsa on win
03:55 < TyrfingMjolnir> Oh
03:55 < TyrfingMjolnir> I do not know Windows
03:55 < TyrfingMjolnir> How far down does this if go? There are no {}
03:56 < TyrfingMjolnir> . ./vars
03:56 < TyrfingMjolnir> ?
03:56 < TyrfingMjolnir> /opt/local/etc/openvpn/easy-rsa]# . ./vars
03:56 < TyrfingMjolnir> -bash: ./vars: No such file or directory
03:57 < banco> ls -la /opt/local/etc/openvpn/easy-rsa
03:58 < banco> Whats inside?
03:58 < TyrfingMjolnir> http://termbin.com/xcdm
03:58 < TyrfingMjolnir> banco: http://termbin.com/002b
03:59 < banco> use this one /opt/local/bin/easy-rsa/easyrsa3/vars
04:01 < TyrfingMjolnir> You appear to be sourcing an Easy-RSA 'vars' file.
04:01 < TyrfingMjolnir> This is no longer necessary and is disallowed.
04:01 < banco> https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
04:01 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net)
04:01 < banco> Yes
04:10 < TyrfingMjolnir> There is no clean-all either
04:11 < TyrfingMjolnir> find / - name build-ca also non-existing
04:24 < banco> Yes, but what're you searching for?
04:24 <@ordex> TyrfingMjolnir: did you read the howto above?
04:25 <@ordex> there is no build-ca with easyrsa3, you can keep on searching :P
04:26 <@ordex> not sure where you are reading all those old commands - maybe another document ?
04:30 < abenz> ordex: web is filled with tutorials using the older ones
04:31 <@ordex> abenz: I know .. I was just hoping that TyrfingMjolnir could read the document that was given in his help some time ago
04:31 < abenz> yup..
05:47 < flying_sausages> banco cheers for the tip, got it working :)
08:36 < Fraz> hi
08:36 < Fraz> is banco around?
08:37 < Fraz> <banco> You want to have internet on client or in the 10.3.4.128/25 network? << i dont know:(
10:42 < TyrfingMjolnir> Where is a HOWTO for easyrsa3?
10:42 < TyrfingMjolnir> ordex: Is there a HOWTO for easyrsa3?
10:42 < BtbN> call it with --help
10:43 < abenz> TyrfingMjolnir: https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
10:43 <@ordex> TyrfingMjolnir: [1657.23] < banco> https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
10:43 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net)
10:43 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net)
10:43 <@ordex> banco mentioned it right after your question :P
10:43 < abenz> yes yes but WHERE is it ;)
10:44 < TyrfingMjolnir> http://termbin.com/ssti
10:45 < abenz> TyrfingMjolnir: try this:
10:45 < abenz> just type: easyrsa
10:45 < abenz> without anything, it will list all possible commands and short descriptions
10:46 < TyrfingMjolnir> http://termbin.com/ice6
10:46 < abenz> what system is this? don't add ./
10:46 < TyrfingMjolnir> smartos
10:46 < TyrfingMjolnir> aka open solaris
10:47 < TyrfingMjolnir> I have to run this: bash /opt/local/bin/easy-rsa/easyrsa3/easyrsa
10:48 < TyrfingMjolnir> I changed the first line of the script
10:49 < TyrfingMjolnir> It now reads: #!/bin/bash
10:52 < TyrfingMjolnir> Reading the first couple of lines of the latters link, is this how to add the suggested parameter? echo "--remote-cert-tls" >> /opt/local/etc/openvpn/openvpn.conf
10:52 < TyrfingMjolnir> I find it a bit odd to start a part of the config with --
10:53 <@novaflash> TyrfingMjolnir: openvpn directives can be passed either command line with --directivehere, or, directly into the openvpn.conf file without the -- as just; directivehere
10:54 < abenz> TyrfingMjolnir: no, --options-conf are passed to the binary (eg openvpn --bla-bla)
10:55 < abenz> when using the config file you dont add --
10:56 < abenz> https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf
10:56 <@vpnHelper> Title: openvpn/server.conf at master · OpenVPN/openvpn · GitHub (at github.com)
11:00 < TyrfingMjolnir> your secured CA environment; this will be on a separate system, or at least a separate directory from anything else
11:00 < TyrfingMjolnir> Separate system? Or just a memory stick?
11:00 < DArqueBishop> Separate system is best, though a memory stick would work.
11:02 < TyrfingMjolnir> What would be the best option? I have a Compaq M700 running debian 5 with no wifi and it's hardly ever connected to the ethernet
11:05 <@novaflash> is this 1999?
11:05 < TyrfingMjolnir> All other laptops have wifi
11:05 < TyrfingMjolnir> No, it has PATA SSD
11:07 < TyrfingMjolnir> Is 2 TRNGs better than 1?
11:08 < TyrfingMjolnir> Connected to the same node, i e
11:09 < rob0> Party like it's 1999?
11:18 <@novaflash> TyrfingMjolnir: i believe that that depends; if you have a good one, and a bad one, then having 2 will be worse than having only the good one, but better than having only the bad one. assuming you use both at the same time anyways.
11:18 < abenz> TyrfingMjolnir: thats a general securtiy advice, to keep it on a separate system
11:19 < abenz> however if you run debian 5 (no longer supported) I think the CA is of less concern
11:30 < TyrfingMjolnir> yubikey neo
11:30 < TyrfingMjolnir> I also have an arch linux of newest date, however that machine is connected to the LAN
11:30 < TyrfingMjolnir> So I guess a memory stick on that system would be the way to go
11:32 < TyrfingMjolnir> Yubikey n actually
11:33 < abenz> I reckon 2 copies on 2 separate sticks is more than sufficient
11:33 < abenz> redundant and offline..
11:33 <@novaflash> the best way is to delete the key immediately after generating it. perfect security.
11:34 <@novaflash> in fact, never generate it. even better.
11:34 < TyrfingMjolnir> novaflash: That sound like the way to go
11:34 < TyrfingMjolnir> Procrastination is it?
11:34 <@novaflash> it's the weekend.. it's been a tough week. i need to poke some fun
11:35 < abenz> unplug from the interwebz mate
11:35 < abenz> walk on grass with naked feet
11:35 < abenz> thats how you fix a "tough week"
11:35 < TyrfingMjolnir> I did this all day
11:36 < TyrfingMjolnir> Now I look inside the computer again, and I consider upgrading my OpenVPN 1.something
11:37 < rob0> did 1.x even support TLS, or was it just --static in those days?
11:44 < TyrfingMjolnir> My point was not to run 100 LocalForwards in .ssh/config
12:08 < TyrfingMjolnir> What is this thing about no tap on iOS?
12:09 <@novaflash> there's no support built for it
12:09 < TyrfingMjolnir> Well it works
12:09 < TyrfingMjolnir> I run tap on iOS
12:09 <@novaflash> jailbroken?
12:09 < TyrfingMjolnir> But it does not work on android
12:09 < TyrfingMjolnir> Not jailbrokenb
12:10 < TyrfingMjolnir> I run this on at least 20 stock iPhone 5 and 6
12:10 <@novaflash> no idea then, i always heard tap was not possible on ios and android
12:10 < TyrfingMjolnir> Not able to make it work on android however; and this may explain why
12:21 <@novaflash> well, i have heard some noises about a new network api in ios, and somebody in openvpn technologies working on switching to that, but i don't know if that code is out yet or whatever. maybe it is, and maybe that explains why tap works on ios. i dunno. i'd have to test to be sure.
12:28 <@ordex> novaflash: I don't think the new api allows tap either
12:28 <@novaflash> hm okay. then i have no idea what TyrfingMjolnir is on about
12:28 <@ordex> if you are talking about OpenVPN Connect, I think it completely ignores the 'dev' config option
12:29 <@novaflash> that is what i believe happens too
12:29 <@novaflash> no idea why TyrfingMjolnir is saying that tap works on ios
12:45 < TyrfingMjolnir> I have only used tap so far with openpvn
12:45 < TyrfingMjolnir> I have installed openvpn and loaded configs since the release and it always worked for me
12:46 < TyrfingMjolnir> Sorry
12:46 < TyrfingMjolnir> It's tun
12:46 < TyrfingMjolnir> I have only used tun
12:46 < TyrfingMjolnir> Not tap
12:46 < TyrfingMjolnir> Then this makes sense
12:46 < TyrfingMjolnir> But why my keys does not work with android?
12:46 < TyrfingMjolnir> All of them work with tunnelblick and iOS
12:47 < TyrfingMjolnir> Also OpenVPN client in Windows
12:47 <@ordex> you should check the log in the android app
12:47 <@ordex> and on the server at the same time
12:51 < TyrfingMjolnir> Nothing on the server in those logs
12:51 < TyrfingMjolnir> How can I check the android logs?
12:52 <@ordex> TyrfingMjolnir: nothing? not even a connection attempt?
12:52 <@ordex> TyrfingMjolnir: for android it depends on the app you are using
16:02 < HyP3r> hey all, I have here one client of my openvpn infrastructure which is behind a bad firewall which only allwowing me to connect over port 53 or 21. I used this command
16:02 < HyP3r> iptables -t nat -A PREROUTING -p udp --dport 21 -j REDIRECT --to-port 1194
16:02 < HyP3r> To redirect the traffic from 21 to 1194 (as you can see). The genral connection seems to work.
16:02 < HyP3r> But the TLS Handshake doesn't work
16:03 < HyP3r> Is this normal? Or why does this happen?
16:04 <@novaflash> probably the same bad firewall. it may not be so stupid after all. you may be able to only get it working with obfuscation to disguise traffic as ftp or dns traffic.
16:06 < HyP3r> the funny thing is that ssh is working
16:06 < HyP3r> I did this:
16:06 < HyP3r> iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port 22
16:06 < HyP3r> Now I can connect from the client to the server with port 53.
16:14 < HyP3r> novaflash: I even get this message in my eventlog Aug 26 23:10:33 bahn-temp ovpn-client[19136]: TLS: Initial packet from [AF_INET] 85.214.xxx.xxx:53, sid=0cb63b4c f90ee05a
16:14 < HyP3r> Doesn't that mean that the server is responding?
16:18 <@novaflash> if the same openvpn client program and client config works from anywhere else, but not through this firewall, then it's still the firewall blocking you. an open port doesn't necessarily mean that EVERYTHING will pass through it. NAT firewalls may be that simplistic, but a decent firewall surely isn't. it may simply not allow this type of traffic to pass. obfuscation may be your only recourse...
16:18 <@novaflash> ...then, to try and fool the firewall, to disguise traffic as something else.
16:19 < BtbN> If it's a "decent" firewall it wouldn't even open port 21 for UDP. FTP uses TCP.
16:20 < HyP3r> BtbN: atm. I'm using 53 (DNS/UDP)
16:21 < BtbN> Most Business-Grade Firewalls have DNS inspection and rewriting.
16:21 < BtbN> So if stuff breaks on that port, I'd blame that
16:21 <@novaflash> aww BtbN why do you have to put quotes around something i wrote
16:21 <@novaflash> it makes me feel like i said something wrong
16:21 < HyP3r> My fear is that the iptables is not configured properly. Can I forward openvpn ports?
16:22 < BtbN> Because I think those firewalls are horrible.
16:22 < BtbN> And not decent at all
16:22 <@novaflash> HyP3r: it's not the port forwarding.
16:22 <@novaflash> BtbN: haha, yeah, from a victim's point of view certainly!
16:22 < BtbN> I'm managing a couple of them at work.
16:22 <@novaflash> BtbN: "managing" ;)
16:22 < BtbN> They are bad from every perspective except for the Business-People that decide to buy them
16:23 < HyP3r> well then I have to hide my traffic in HTTP
16:23 <@novaflash> nyeah you may have better luck with obfuscation. it's messy, not very efficient, but probably your only shot at beating that firewall. or i dunno, contact the sys admin and buy him beers and pizza.
16:24 < BtbN> I have an additional IP on my server just to have OpenVPN in TCP mode on port 443 on it.
16:24 < HyP3r> novaflash: yeah contacting is also a way. But I asked him later some other things and he acted like an idiot
16:25 < HyP3r> BtbN: makes very much sence. I also thought about that
17:32 < jacekowski> BtbN: actually, ftp spec says ftp can use udp (not that i've ever seen a client that actually does)
17:46 < HyP3r> Hm. My next Idea was just to create a ssh tunnel (which I'm allready able to run over port 21 and 53) and then tunnel udp over tcp and then connect to vpn. But it seems like this simple udp bridge does not work
17:46 < HyP3r> Something like that: https://superuser.com/a/53109/484401
17:46 <@vpnHelper> Title: UDP traffic through SSH tunnel - Super User (at superuser.com)
17:56 < Kryczek> BtbN: no need :) I have haproxy serving both HTTPS websites and OpenVPN on port 443 :)
17:57 < Kryczek> basically it redirects to HTTPS websites for which it recognizes Server Name Indication, otherwise it defaults to redirecting to OpenVPN
18:01 < Kryczek> HyP3r: I have iptables rules like you except without any --dport criteria so all UDP ports and all TCP ports on my DMZ host are redirected to OpenVPN
18:03 < Kryczek> HyP3r: 21 and 53 are not the best ports to try with though: as others have mentioned, other machines along the way are likely to mess with those (typically transparent FTP proxy for 21 and they might force you to use the local DNS service instead of outbound 53)
18:03 < Kryczek> HyP3r: try 123/UDP and 123/TCP: those are often enough allowed through firewalls since it's supposed to be for the Network Time Protocol
18:23 < HyP3r> Kryczek: NTP is disabled (123)
18:26 < Kryczek> HyP3r: if you have access to the remote machine, you could run tcpdump there (don't forget to add a rule like "not tcp port 22" to ignore the traffic from the connection you're using to access it remotely) and scan all its ports from the client machine, with nmap for example
18:26 < Kryczek> then whatever appears in tcpdump means packets to that port made it through
19:46 -!- abenz_ is now known as abenz
20:57 < beastwick> Hi, I am having a problem with TLS authentication using OpenVPN on my DD-WRT router.
20:58 < beastwick> Authenticate/Decrypt packet error: packet HMAC authentication failed
20:58 < Logicgate> hey guys
20:58 < Logicgate> I setup openvpn on my centos box and I can connect with the client easily however I cannot access anything but intranet
20:58 < Logicgate> https://pastebin.com/yMB7hTk2
20:58 < Logicgate> here is my conf
20:59 < beastwick> Hey Logic did you setup your own OpenVPN server? Just curious, because I am having problems with mine.
20:59 < Logicgate> I did
20:59 < beastwick> I am going to look at your config then :D. Did you setup TLS authentication? How are you connecting, using gnome GUI?
21:00 < Logicgate> I'm using OpenVPN GUI
21:00 < Logicgate> on windows..
21:00 < beastwick> ah ok
21:00 < beastwick> what is the difference between server and daemon?
21:11 < beastwick> is it possible to turn off tls auth?
21:29 <@ordex> beastwick: sure
21:29 <@ordex> beastwick: it's just an additional protection to authenticate the tls handshake
21:29 <@ordex> beastwick: why would you want to switch it off?
21:30 < banco> beastwick: show your server/client configs
21:31 <@ordex> beastwick: < beastwick> Authenticate/Decrypt packet error: packet HMAC authentication failed << does not mean it is tls-auth
21:37 < beastwick> @ordex I just want to get it running to test.
21:37 < beastwick> @banco I will give me one moment.
21:46 < beastwick> is there an easier way to get the server config off dd-wrt without taking a screen shot of the gui?
21:50 < banco> beastwick: connect with ssh and cat config?
21:50 < beastwick> i can't find the config :( there isn't a /etc/openvpn
21:51 < banco> What about /tmp ?
21:51 < banco> Or /opt
21:51 < banco> Of /jffs
21:52 < beastwick> yes I found it, I believe.
21:53 < beastwick> this is my server config on dd-wrt, I have they keys and certs setup accordingly.
21:53 < beastwick> https://pastebin.com/kHeMVMKh
21:53 < beastwick> on linux I am trying to connect using the gnome gui
21:55 < banco> beastwick: OpenVPN Network Manager plugin?
21:55 < beastwick> authentication is certificates tls, I made a user cert, ca cert (one on server), and private key, port 1943, udp, lzo compression, TAP device, 1500 mtu, accept auth packets from any port, AES-128-CBC, SHA-1 (HMAC), tls-auth with key and direction 0.
21:55 < beastwick> banco I believe so
21:55 < beastwick> the gnome plugin
21:56 < beastwick> maybe the HMAC authentication isn't really SHA-1?
21:57 < banco> Make sure you have cipher aes-128-cbc and auth sha1here:
21:57 < banco> https://www.linode.com/docs/assets/networkmanager-openvpn-vpn-advanced-security.png
21:58 < beastwick> yes that is what I set it to
21:58 < beastwick> does it matter how the key was encrypted?
21:58 < beastwick> i did it the default way
21:59 < beastwick> yeah it is failing on HMAC authentication
22:00 < beastwick> did you mean to change the server to 256/512?
22:00 < banco> What's your auth type here?
22:00 < banco> https://www.linode.com/docs/assets/networkmanager-openvpn-vpn.png
22:01 < beastwick> my auth type is like that picture
22:01 < banco> beastwick: No, make the client the same as server - 128
22:01 < banco> What do you have here?
22:01 < banco> https://www.linode.com/docs/assets/networkmanager-openvpn-vpn-advanced-tlsauthentication.png
22:02 < beastwick> I have mode TLS-Auth, key file (my key), Key Direction 0.
22:02 < beastwick> maybe it is the key direction?
22:02 < beastwick> I am not verifying the certification.
22:03 < beastwick> if I do key direction 0, no error, but it seems to keep looping
22:03 < banco> You don't have the It should be direction 1
22:03 < banco> 0 for server and 1 for client
22:04 < beastwick> https://pastebin.com/d1ytyMSP
22:04 < beastwick> this happens when I change direction
22:05 < beastwick> it like seems to keep doing that step
22:05 < beastwick> and then it eventually times out
22:05 < beastwick> ports are open on my firewall
22:05 < beastwick> although I am running fedora
22:08 < beastwick> :(
22:08 <@ordex> beastwick: what is the problem you are tyring to solve?
22:08 <@ordex> have you already provided some log so that we can first understand what the problem is?
22:08 <@ordex> !logs
22:08 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
22:09 < beastwick> the last pastebin is a log of what is happening now
22:09 < beastwick> I changed the key direction, instead of HMAC error, it seems to loop.
22:10 < beastwick> I'm pretty sure I followed all the instructions correctly. I setup my keys and certs using easyrsa 3.x
22:10 <@ordex> beastwick: you should use 0 on the server and 1 on the client (or viceversa) but not the same on both
22:11 <@ordex> are you doing that ?
22:11 < beastwick> ordex how do I specify direction in dd-wrt?
22:11 <@ordex> beastwick: I have no clue how the GUI in dd-wrt works
22:11 <@ordex> I usually work directly on the config file
22:11 < beastwick> what is the server config option?
22:11 < beastwick> I can manually specify it
22:11 <@ordex> beastwick: it's the second parameter of --tls-auth
22:11 <@ordex> --tls-auth <file> <key direction>
22:11 <@ordex> like on the client
22:11 < beastwick> hmmm ok I think i can do it
22:12 < banco> beastwick: Seems like your TLS handshake failed on the client side, check the log on the client
22:12 < beastwick> it is being specified
22:12 < beastwick> tls-auth /tmp/openvpn/ta.key 0
22:13 < beastwick> ah ok, now I have to figure out how to see the client logs lol
22:13 < banco> Maybe wrong ta.key?
22:13 < banco> /var/log/syslog maybe
22:13 <@ordex> beastwick: can you please provide the log and the config of both sides? I feel like you and banco are playing guess work without any evidence :S
22:14 < beastwick> ordex https://pastebin.com/kHeMVMKh my server config
22:14 <@ordex> the rest ?
22:14 <@ordex> alone it's useless
22:14 < beastwick> as for my client config, no easy way to see it from the GUI, certificates tls, I made a user cert, ca cert (one on server), and private key, port 1943, udp, lzo compression, TAP device, 1500 mtu, accept auth packets from any port, AES-128-CBC, SHA-1 (HMAC), tls-auth with key and direction 0.
22:15 < beastwick> direction is (1) now
22:15 < beastwick> back to 1
22:15 < banco> beastwick: Why tap?
22:15 <@ordex> beastwick: it must be logging somewhere
22:15 <@ordex> beastwick: either you have some "log" directive in the config, or it may be logging in syslog
22:15 < beastwick> tbh I don't know what TAP is, but the server is set to Bridge (TAP)
22:16 < banco> Ah, ok
22:16 <@ordex> that's another thing you can discuss once the connection is working
22:16 <@ordex> it is unrelated to this problem
22:16 < banco> Yeah
22:16 <@ordex> beastwick: search for the client log
22:16 <@ordex> and the client config
22:16 <@ordex> it must be somewhere I guess (?)
22:16 <@ordex> the gui must be saving it somewhere before executing openvpn
22:16 < beastwick> looking now
22:17 <@ordex> and the log :P
22:17 < banco> check /var/log/messages for the log
22:19 < banco> beastwick: you can check the process command to see the location of config: ps aux | grep openvpn
22:19 < beastwick> i found it one second
22:20 < beastwick> https://pastebin.com/jyTSdhjW
22:20 < beastwick> client config
22:25 < banco> Seems like everything is ok
22:25 < banco> Can you search for the log?
22:29 < beastwick>  banco my journalctl has this: https://pastebin.com/PbEP3n06
22:30 < beastwick> not very helpful :(
22:30 <@ordex> beastwick: have you checked /var/log/messages ?
22:31 <@ordex> beastwick: while openvpn is running, could you check "ps aux |grep openvpn" as banco suggested? may reveal where the config and log are
22:34 < beastwick> ordex, I already pasted the client config, this is that commands: output https://pastebin.com/HTVWEUY5
22:35 < beastwick> ordex client config: https://pastebin.com/jyTSdhjW
22:35 < beastwick> so I am at a loss, maybe it's my router being dumb :(
22:37 < beastwick> the key files are exactly the same
22:37 < beastwick> maybe it's whitespace?
22:37 < beastwick> because you have to copy and paste into the GUI
22:38 <@ordex> the format would be wrong if you mistyped it
22:39 <@ordex> beastwick: --syslog nm-openvpn
22:39 <@ordex> beastwick: grep openvpn /var/log/messages
22:39 <@ordex> like was suggested before :P
22:39 < beastwick> --syslog nm-openvpn?
22:39 < beastwick> on my server?
22:40 < beastwick> I'll paste the server messages
22:40 < banco> The verb is 1, we need to change it first
22:40 <@ordex> beastwick: that is in the command output
22:40 <@ordex> of your client
22:40 <@ordex> right
22:40 <@ordex> needs to be 4 to understand something
22:40 < beastwick> https://pastebin.com/Tbsf1b6H
22:40 <@ordex> beastwick: and how is the log on the server ?
22:40 < banco> beastwick: can you try to edit the config manually and add this string in the [vpn] block:
22:40 < banco> verb=5
22:40 < banco> Maybe it'll work
22:40 < beastwick> yeah I can do that, for the server right?
22:41 < banco> On the client side
22:41 < beastwick> ordex the verb is 4 on the server
22:41 < beastwick> oh
22:41 < beastwick> client
22:41 < beastwick> going to add it manually
22:41 <@ordex> keep 4 first
22:47 < beastwick> hrm maybe it is fedora being fedora
22:47 < beastwick> I did a grep -r VPN * in my /var/log directory
22:47 < beastwick> I see this:
22:48 < beastwick> https://pastebin.com/bscbrwpS
22:49 < beastwick> hrm "You will have to change the location of your certificates. SELinux requires them to be placed in /home/USERNAME/.cert or ~/.cert. .cert is a hidden folder in your home directory. Just place all you certificates there and adjust the .opvn file."
22:54 < banco> https://unix.stackexchange.com/questions/267789/selinux-not-allowing-read-files-on-cert
22:54 <@vpnHelper> Title: fedora - SELinux not allowing read files on ~/.cert - Unix & Linux Stack Exchange (at unix.stackexchange.com)
22:57 < beastwick> banco I fixed the AVC thing, but it's still happening.
22:57 < beastwick> maybe I can connect or get better output by not using the gui?
22:57 < beastwick> not sure how to setup a client
22:57 < beastwick> and connect
23:05 < banco> beastwick: create the file /etc/openvpn/client.conf with this content:
23:05 < banco> https://pastebin.com/nc7AuW8p
23:05 <@ordex> !howto
23:05 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
23:05 < banco> disable/delete network manager connection to vpn
23:06 < banco> THen start openvpn with service
23:06 < banco>  systemctl start openvpn@client.service
23:14 < beastwick> banco is there a way to specify my private key password?
23:14 < beastwick> Password entry required for 'Enter Private Key Password:' (PID 4614). Please enter password with the systemd-tty-ask-password-agent tool!
23:15 < banco> https://askubuntu.com/questions/765951/starting-openvpn-error-please-enter-password-with-the-systemd-tty-ask-password
23:15 <@vpnHelper> Title: 15.10 - Starting openvpn error: "Please enter password with the systemd-tty-ask-password-agent" - Ask Ubuntu (at askubuntu.com)
23:17 < beastwick> wow apologies didn't actually read that error
23:17 < beastwick> heh
23:20 < beastwick> wow frustrating, that tool won't prompt me for username or password
23:29 < beastwick> banco
23:29 < beastwick> regened key with nopass
23:29 < beastwick> log incoming
23:30 < beastwick> do I need user and group directives?
23:30 < beastwick> Sun Aug 27 00:26:38 2017 us=768255 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.1.1:1943[2], expected peer address: [AF_INET]209.122.125.137:1943 (allow this incoming source address/port by removing --remote or adding --float)
23:30 < beastwick> oh let me do that
23:31 < beastwick> ok much better log being generated
23:33 < beastwick> I see Sun Aug 27 00:28:55 2017 us=67604 TCP/UDP: Preserving recently used remote address: [AF_INET]209.122.125.137:1943 Sun Aug 27 00:28:55 2017 us=67711 Socket Buffers: R=[212992->212992] S=[212992->212992] Sun Aug 27 00:28:55 2017 us=67736 UDP link local: (not bound) Sun Aug 27 00:28:55 2017 us=67755 UDP link remote: [AF_INET]209.122.125.137:1943 Sun Aug 27 00:28:55 2017 us=79106 TLS: Initial packet from [AF_INET]192.168.1.1:1
23:33 < beastwick> wait
23:33 < beastwick> https://pastebin.com/82wAdSn2
23:34 < beastwick> error=unsupported certificate
23:35 < beastwick> my dd-wrt is on the latest build and I am using easyrsa 3.x to gen my certs/keys
23:36 < banco> Did you generate the server crt right?
23:37 < banco> ./easyrsa gen-req UNIQUE_SERVER_SHORT_NAME nopass
23:37 < banco> ./easyrsa sign server UNIQUE_SHORT_FILE_NAME
23:37 < beastwick> that is how i did it
23:37 < beastwick> well I signed with client
23:37 < beastwick> not server
23:38 < beastwick> https://pastebin.com/LWbHzBN9
23:38 < beastwick> is my client.crt
23:38 < beastwick> header
23:38 < beastwick> not the key :P
23:38 < beastwick> sha256
23:39 < banco> How did you sign yor client and server certs?
23:39 < beastwick> ./easyrsa sign client server
23:39 < beastwick> ./easyrsa sign client client
23:39 < banco> No
23:39 < beastwick> lol
23:39 < banco> ./easyrsa sign server server
23:39 < banco> ./easyrsa sign client client
23:40 < beastwick> heh heh, let me see if that does it
23:43 < beastwick> oh boy
23:44 < beastwick> I think that was it
23:44 < beastwick> I am sorry for my incompetence, the instructions weren't clear.
23:44 < beastwick> I thought I was signing as a client.
23:44 < beastwick> or at least that would be alright.
23:44 < banco> So it works fine now?
23:44 < beastwick> it appears I am connected, I am making sure.
23:47 < beastwick> It seems I have connected, but I don't think it is working, in the GUI it still says failed to connect.
23:48 < beastwick> maybe I won't use the GUI
23:49 < beastwick> MULTI: no dynamic or static remote --ifconfig address is available for client2/192.168.1.129:34276 don't know if that is an error
23:50 < beastwick> I am not sure if I am connected via command line
23:50 < beastwick> is there a way to verify?
23:50 < beastwick> 0 bytes received in dd-wrt gui
23:51 <@ordex> I might be the grumpy one :) but how about going through the howto so that you can learn how this works?
23:51 < beastwick> hah hah, sure ordex, but I am "connected" now.
23:51 <@ordex> whatever that means :P
23:51 < beastwick> I mean I will do that again, I just feel very close to success.
23:51 < skyroveRR> Heya ordex
23:51 <@ordex> heya
23:56 < beastwick> I wanted to use bridge to be behind the same subnet as my local computers.
--- Day changed Sun Aug 27 2017
00:03 < banco> beastwick: Check the manual based on which you try to configure the openvpn
00:03 < banco> If --server-bridge is used without any parameters, it will enable a DHCP-proxy mode, where connecting OpenVPN clients will receive an IP address for their TAP adapter from the DHCP server running on the OpenVPN server-side LAN. Note that only clients that support the binding of a DHCP client with the TAP adapter (such as Windows) can support this mode. The optional nogw flag (advanced) indicates that
00:03 < banco> gateway information should not be pushed to the client.
00:04 < beastwick> so I enabled proxy mode in GUI, but my client has to support it?
00:04 < beastwick> I was just about to try manually specifying a pool
00:04 < banco> Not about proxy mode, but about server-bridge nogw
00:06 < banco> Maybe you don't need gw on clients tho
00:09 < banco> Check your interfaces with ip a
00:15 < beastwick_> banco can you repeat that please, got d/c
00:22 < beastwick_> Is the client config we setup considered a .ovpn file?
00:23 < beastwick_> I want to throw it on my android phone and see if I can connect, because it is hard testing behind the device I am trying to connect to.
00:25 < beastwick_> found how to make one
00:46 < beastwick_> phone app doesn't support TAP tunnels hah hah.
00:47 <@ordex> beastwick_: yeah, neither android nor iOS
00:48 < beastwick_> well, the GUI is showing bytesin=47228, bytesout=125993 on dd-wrt
00:48 < beastwick_> I guess I'll have to wait until I am not home.
00:48 < beastwick_> is that a good indication traffic is moving through the VPN?
00:48 < beastwick_> I noticed when I screwed up the IP pool I lost connectivity until I killed the client.
01:10 <+hyper_ch> looking at the routing table is a good indication whether traffic is moving through the vpn
02:16 -!- dionysus70 is now known as dionysus69
02:34 < BadPractice> hi, i am trying to setup openvpn with network manager
02:35 < BadPractice> what openvpn.conf script do i need? i get an error start-stop-daemon: failed to start `/usr/sbin/openvpn'
02:38 <+hyper_ch> I don't use network manager with openvpn
02:42 < BadPractice> hyper_ch, why?
02:42 <+hyper_ch> why should I use network manager?
03:03 < BadPractice> anyone else?
03:50 < BadPractice> hi i try to start openvpn and get the error start-stop-daemon: failed to start `/usr/sbin/openvpn'
03:52 <@ordex> BadPractice: trying to start it with systemd?
03:53 < BadPractice> ordex, yes but i just want it to run
03:54 < BadPractice> it does not work no matter what i try
03:54 <@ordex> have you created a config file ?
03:55 < BadPractice> i think so
03:56 < BadPractice> well first i started to run openvpn with network manager
03:56 <@ordex> BadPractice: as a firs step you can just run it from command line
03:56 <@ordex> to make sure you have a proper config
03:56 <@ordex> then you can start it with systemd
03:57 <@ordex> or NM
03:57 < BadPractice> ok
03:57 < BadPractice> ordex, https://bpaste.net/show/619d5dc501db
03:58 < BadPractice> its saying something about logs but i never found them anywhere
03:59 <@ordex> BadPractice: start it from command line first
03:59 <@ordex> openvpn <config-file>
03:59 <@ordex> like that
04:01 < BadPractice> ordex, https://bpaste.net/show/3d67820f8cc1
04:01 <@ordex> apparently the credential are wrong
04:01 <@ordex> or the server does not use user/pass authentication
04:03 < BadPractice> ordex, oops wrong passwd
04:03 < BadPractice> it saies seq completed
04:03 <@ordex> it connected then, I guess
04:04 <@ordex> so openvpn and the config are fine
04:04 < BadPractice> hi
04:04 <@ordex> it connected then, I guess
04:04 < BadPractice> ordex, that worked
04:04 <@ordex> so openvpn and the config are fine
04:06 <@ordex> can you directly import this config via the nm-applet ?
04:07 < BadPractice> ordex, network manager tells me instantly the vpn fails cause openvpn fails to start
04:07 <@ordex> after you imported this config file you just used?
04:08 <@ordex> I am not really experienced with NM. I just have the applet in the tray bar and i imported the config from that
04:09 < BadPractice> ordex, yea does not work for me
04:10 <@ordex> weird, not sure why
04:10 <@ordex> have you checked the system log ?
04:10 < BadPractice> ordex, same config works with plain openvpn though
04:10 <@ordex> maybe it has some info ?
04:10 <@ordex> yeah it must be a NM thing
04:10 < BadPractice> ordex, it just tells me openvpn failed to start. Maybe it has to be in some group?
04:11 <@ordex> no clue .-.
04:11 <@ordex> BadPractice: also the log just says that ?
04:12 < BadPractice> no the message box that appears when i try to connect
04:12 < BadPractice> no idea how i get any more intel from the network manager
04:13 < BadPractice> ordex, can you help me to get openvpn to that point where i just have to run "openvpn" without adding anything else?
04:14 <@ordex> BadPractice: have you checked /var/log/messages ?
04:14 <@ordex> BadPractice: that depends on your distro
04:14 <@ordex> but check the log
04:14 <@ordex> may say why nm is failing
04:14 < BadPractice> ordex, /var/log/messages: No such file or directory
04:15 < BadPractice> this is a nightmare
04:15 <@ordex> BadPractice: what distro are you using ?
04:16 < BadPractice> gentoo
04:16 <@ordex> BadPractice: ah me too :)
04:16 <@ordex> BadPractice: sis you install syslog ?
04:16 <@ordex> *did
04:21 < BadPractice> ordex, hi
04:21 < BadPractice> news
04:21 < BadPractice> https://ubuntuforums.org/showthread.php?t=979085
04:21 <@vpnHelper> Title: [ubuntu] Network-manager-openvpn VPN failed to start (at ubuntuforums.org)
04:21 < BadPractice> ordex, switching to tap lets me connect but i dont got internet
04:22 <@ordex> BadPractice: how is this related to NM ?
04:22 <@ordex> you lost me
04:22 <@ordex> BadPractice: have you installed syslog on that system ?
04:22 < BadPractice> ordex, first post line 4 is EXACTLY my error
04:23 <@ordex> BadPractice: hat is a generic error
04:23 <@ordex> *that
04:23 < BadPractice> ordex, so what would you suggest?
04:23 <@ordex> BadPractice: I asked you several times if syslog is installed on your system
04:24 <@ordex> yet you haven't replied
04:24 < BadPractice>  ordex yes
04:24 < BadPractice> ordex, i think
04:24 <@ordex> check in ps aux if it is running
04:24 <@ordex> you should have /var/log/messages then
04:25 < BadPractice> ordex, well than its not
04:25 < BadPractice> ill install it
04:25 <@ordex> on my gentoo I have syslog-ng
04:25 <@ordex> BadPractice: did you install gentoo since not much time ?
04:26 < BadPractice> ordex, well its kinda complex. I still dont unsterstand everything sorry
04:26 <@ordex> BadPractice: that's fine, you have to learn. but it seems you are summing up too many things you don't understand :P
04:27 <@ordex> maybe starting with something simpler would have been easier instead of gentoo ?
04:27 < BadPractice> ordex, im trying :(
04:27 <@ordex> :P
04:27 < BadPractice> ordex, syslog installed
04:28 <@ordex> make sure it is running
04:28 <@ordex> however, the gentoo handbook giude you through this step of installing syslog
04:29 <@ordex> I wonder why you have not installed it
04:32 < BadPractice> ordex, uhm i think installing syslog fixed it
04:33 < BadPractice> ordex, can dial in the vpn now
04:33 <@ordex> does anybody pick upon the other side?
04:33 <@ordex> :P
04:33 <@ordex> just teasing :) but that could be one reason .. as NM might have wanted to use syslog to log, but it was not there
04:33 < BadPractice> ordex, how is that even possible? :S
04:33 < BadPractice> ok
04:34 < BadPractice> i dont even think its started. I just installed it and did not start lol
04:34 <@ordex> BadPractice: tell me the truth..did you follow the gentoo handbook when you installed your system?
04:34 <@ordex> maybe it has been started by some other service
04:34 <@ordex> you can start it now anyway
04:36 < BadPractice> how?
04:36 < BadPractice> never mind
04:36 < BadPractice> got it
04:36 < BadPractice> ordex, nope was not started
04:36 < BadPractice> i put it to default runlevel i guess
04:37 < BadPractice> ordex, thank you for your help
04:37 <@ordex> np, but seriously, make sure you have installed your gentoo system properly
04:37 <@ordex> otherwise you'll get a lot of other issues with no clear explanation
04:38 < BadPractice> im using gentoo since a couple of years now but there are still this issues ><
04:38 < BadPractice> i think im just stupid sorry
04:39 <@ordex> I leave that judgement to you :) but to me it just felt like you skipped steps
04:40 < BadPractice> not really skipped. It was just too much at once so i forgot
04:41 < BadPractice> ill read the handbook again i guess
04:41 <@ordex> :P
04:41 <@ordex> anyway
04:41 <@ordex> step by step .. and things get working
04:42 < BadPractice> why did you decide to use gentoo?
04:42 < BadPractice> just curious
06:01 < HyP3r> Kryczek: I have used scanme.nmap.org which should give the same result.
06:12 < krim10> hi. How come I get a "error: private key password verification failed" when the private key doesn't HAVE a password?
06:12 < krim10> Did I forget a flag or sth?
06:20 <@ordex> krim10: what happens if you use the command: openssl rsa -in $YOUR_KEY -text ?
06:20 <@ordex> the same private key that you use in the openvp
06:20 <@ordex> n
06:20 < krim10> Nevermind, I already found the problem
06:20 < krim10> The key had the wrong NL encoding (moved from linux to freebsd)
11:32 < Trupsalms> i would like to use my own server ip, for dns in openvpn server. My server is set up to block add domains, and is configure with dnsmasq, and squid.
11:32 < Trupsalms> i would like to use my own server as the dns in openvpn
11:44 -!- abenz__ is now known as abenz
11:50 < BillyCrook> My Goal is to not drop packets on tun0: https://paste.fedoraproject.org/paste/qe1ztweo7jnWw3FBZOchNA/
11:52 < BtbN> There's not much you can do about that. If the link is congested, packets will be dropped
11:52 < BillyCrook> what link?
11:53 < BillyCrook> If you're referring to the physical link, it's not.  utilization is about 5% with bursts to 10%
11:59 < BillyCrook> ^^ BtbN
12:15 < Logicgate> Hey guys
12:15 < Logicgate> So I can connect via my windows client to my openvpn server (centos) but I can't ping intranet ips
12:15 < Logicgate> and I cannot ping google.com
12:16 < Logicgate> here is my server conf
12:16 < Logicgate> https://pastebin.com/dbnvzuvU
12:18 < Logicgate> here are my iptables rules
12:18 < Logicgate> https://pastebin.com/DZfPFi3D
12:42 -!- Logicgate is now known as Guest87830
12:52 < Trupsalms> how to point openvpn to my servers ip address to resolve dns
14:39 < Trupsalms> i'd like to use myself, as the dns server put, everytime i try i lose connection
14:41 <+hyper_ch> ?dns
14:41 <+hyper_ch> !dns
14:41 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
14:41 <+hyper_ch> !pushdns
14:41 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN
14:41 <@vpnHelper> for Android and OpenVPN Connect will happily accept push dhcp-option
14:41 <+hyper_ch> there you go
14:54 < Trupsalms> pushdns?
14:55 < Trupsalms> push "dhcp-option DNS 8.8.4.4"
14:55 < Trupsalms> is it a differnce between the to
14:56 < Trupsalms> when i change push "dhcp-option DNS 8.8.4.4" to push "dhcp-option DNS X.X.X.X"  X.X.X.X being my local server ip, i lose connectiong to the internet
14:58 < TyrfingMjolnir> For how long?
14:58 < TyrfingMjolnir> And do you loose connection to the internet? Or just DNS reply?
14:59 < Trupsalms> didn't time it, i would change the google ip to server ip, reboot wait, then connect and get no access over vpn
14:59 < Trupsalms> change back then reboot and can connect just fine
15:00 < Trupsalms> dns reply i'd guess, not webpage reply
15:02 < TyrfingMjolnir> Is this bind9?
15:02 < TyrfingMjolnir> Please turn on the logs for your DNS server and see what happens
15:03 < Trupsalms> no sir, think its just dnsmasq configured
15:04 < TyrfingMjolnir> Does it have an option to log?
15:05 < Trupsalms> dns works for regular connection lynx ping.eu or x-windows firefox ping.eu, but has an issue just over vpn
15:05 < TyrfingMjolnir> Its activity, i e
15:05 < TyrfingMjolnir> Which client?
15:06 < Trupsalms> pi-hole, on centos 7, Dual operation: LAN & VPN at the same time
15:07 < Trupsalms> testing work on the local network just fine, but over vpn it doesn't work, either don't block ads, when google dns is used, or doesn't display webpages when server address is used
15:07 < Trupsalms> client is android right now
15:09 < TyrfingMjolnir> I only have experience with iOS OpenVPN, Tunnelblick, and OpenVPN client for Windows.
15:10 < TyrfingMjolnir> Can you see the DNS settings on the android?
15:10 < TyrfingMjolnir> I assume it should be in IP settings or some sort of DHCP settings/reporting
15:17 < TyrfingMjolnir> I use ghostery in FF to block ads
15:34 < u0m3> !user
15:34 <@vpnHelper> (user [<channel>] <name>) -- Returns the last time <name> was seen and what <name> was last seen saying. This looks up <name> in the user seen database, which means that it could be any nick recognized as user <name> that was seen. <channel> is only necessary if the message isn't sent in the channel itself.
15:34 < Trupsalms> well i'm testing pi-hole as it claims to be a whole network ad blocker
15:34 < u0m3> !user-pass
15:34 < u0m3> !auth-user-pass
15:53 < Logicgate> I'm willing to pay for some consulting here
15:53 < Logicgate> I need to resolve this issue
15:53 < Logicgate> if anyone is interested in making some money, PM me
15:59 < DArqueBishop> Logicgate:
15:59 < DArqueBishop> !redirect
15:59 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
15:59 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
16:00 < Logicgate> DArqueBishop, I already have that in my config.
16:00 < DArqueBishop> Check the flowchart.
16:00 < Logicgate> Would you like to see my conf?
16:00 < DArqueBishop> I did. I didn't see a masquerading rule in your iptables.
16:01 < Logicgate> it's in there.
16:01 < DArqueBishop> Also, is IP forwarding enabled in your kernel?
16:01 < Logicgate> let me show you the raw file
16:01 < Logicgate> https://pastebin.com/fJhPESSr
16:02 < Logicgate> ip forwarding is also enabled.
16:02 < Logicgate> I'm legit lost right now.
16:02  * DArqueBishop nods.
16:03 < Logicgate> could the problem be residing on the client side?
16:03 < Logicgate> although I've tried with two different clients..
16:03 < DArqueBishop> Doubtful.
16:03 < Logicgate> from my phone and windows computer
16:03 < Logicgate> same result
16:04 < DArqueBishop> I'd help troubleshoot more, but I only popped in quickly to check in with friends.
16:04 < Logicgate> Damn it :(
16:04  * DArqueBishop is in the Houston area.
16:04 < Logicgate> my iptables conf is okay though?
16:15 < Logicgate> Got it
16:15 < Logicgate> damn
16:15 < Logicgate> what a pile of crap!
16:15 < Logicgate> changed server from 10.8.0.0 to 192.168.211.0
16:15 < Logicgate> :P
16:31 -!- abenz__ is now known as abenz
17:55 < |Mike|> re!
--- Day changed Mon Aug 28 2017
00:17 < redrabbit> hi, is there a way to block some clients from accessing the ressources behind the VPN while using theses clients as a gateway to the network behind them
00:17 < redrabbit> i have the 2nd part working but they can access everything like any other client
00:29 <@ordex> redrabbit: you can do tha with iptables, assuming the client IPs are static, no?
00:29 <@ordex> on the server you can prevent them from going anywhere
00:30 < redrabbit> right, so using routing and excluding the static IPs
00:30 < redrabbit> so, on openvpn config or not ?
00:32 <@ordex> you might be able to achieve this using the openvpn pf functionality. but it's a bit tricky to configure it
00:33 <@ordex> imho with iptables (out of the config) this should be quite easy
00:33 <@ordex> but I said with iptables. with routing it might be more complex (as you might need to setup policy routing ruleS)
00:33 < redrabbit> http://backreference.org/2010/06/18/openvpns-built-in-packet-filter/
00:34 < redrabbit> looks good to me
00:34 <@ordex> ok
00:35 < redrabbit> well, till i looked at the whole page
00:35 < redrabbit> lol
00:36 <@ordex> lol
00:36 <@ordex> with iptables is probably going to be one line, I believe
00:37 < redrabbit> :POSTROUTING ACCEPT [0:0]        -A POSTROUTING -s 10.99.0.0/16 -o eth0 -j MASQUERADE
00:38 < redrabbit> i guess i have to use something like postrouting deny, then add the clients IPs
00:38 <@ordex> it depends what you exactly want to block
00:38 < redrabbit> above is the beggining of my current ruleset
00:38 < redrabbit> well i still have to be able to access the network behind that client
00:39 <@ordex> do you want to prevent this clients from reaching the Internet? or they are supposed to be blocked from reaching any resource on the server LAN ?
00:39 <@ordex> *these
00:39 < redrabbit> from reaching any resource on the server LAN or use its internet gateway
00:40 < redrabbit> basically the client can't access anything, its used as a gateway to the network
00:40 <@ordex> so only other VPN clients (and the server) are expected to reach the LAN behind those clients?
00:40 < redrabbit> yes
00:40 <@ordex> ok
00:40 <@ordex> then imho you could block them in the FORWARD chain
00:40 <@ordex> just drop anything to/from the IPs of those clients
00:40 <@ordex> and nothing will go from tunX to any other interface
00:41 <@ordex> (for those IPs)
00:42 < redrabbit> i'm looking at my /etc/ufw/before.rules
00:43 < redrabbit> probably need to use ufw-before-forward $foo DROP
00:44 < redrabbit> oh.. or i could invert the issue
00:44 < redrabbit> and use a whitelist instead
00:45 <@ordex> are you on some *bsd?
00:45 < redrabbit> thanks for the advices
00:45 <@ordex> np :)
00:45 < redrabbit> debian jessie
00:45 <@ordex> oh ok
00:45 <@ordex> didn't know what ufw is
00:46 < redrabbit> a very easy to use firewall
00:46 < redrabbit> for dummies :p
00:46 < redrabbit> can't get too confused with it.. lol
00:47 <@ordex> hehe
00:47 <@ordex> ok
00:47 < redrabbit> im gonna toss that line -A POSTROUTING -s 10.99.0.0/16 -o eth0 -j MASQUERADE
00:47 < redrabbit> and replace with a list of allowed IPs
00:48 < redrabbit> i will try to do the block at the forward chain before though
00:49 < redrabbit> learn at the same time
00:50 < redrabbit> also, how do you manage to find the IP of your client in a case of failover servers
00:50 < redrabbit> i have 4 servers with 4 different subnets
00:51 < redrabbit> atm im 99% sure it connects to the first one.. just curious is there a proper way to deal with it. like when you use load balancing
00:52 <@ordex> redrabbit: but each server is an entry point in the lan, no? so each server should have its own fw rules
00:53 < redrabbit> 2 instance per server, 2 servers
00:53 < redrabbit> yes
00:53 <@ordex> redrabbit: consider that changing the MASQ rule won't block packets. Will simply let packet go out without NAT, which should not work, but you will see packets with the VPN IP in the LAN
00:53 < redrabbit> ah, sounds botched
00:54 < redrabbit> im going to follow your advice
07:02 < Deus3X> hi, i'm getting some problem with my openvpn client.... I need to allow incoming connection....
07:02 < |Mike|> ^ topic please
07:02 < |Mike|> You need another client to reach client2 ?
07:03 < Deus3X> the vps is using a openvpn client. all the traffic is going over the vpn
07:04 < Deus3X> i need to be able to use vps public ip for incoming connection
07:04 < Deus3X> vps has 1.1.1.1 as ip. using vpn it have 2.2.2.2
07:04 < Deus3X> i'd like to allow incoming traffic on 1.1.1.1
07:05 < Deus3X> i founded that solution on google ip rule add table 128 from a.b.c.d ip route add table 128 to a.b.c.0/24 dev eth0 ip route add table 128 default via x.x.x.1
07:06 < |Mike|> you have an incomming connection on the VPN his public IP and you're trying to send it to a client?
07:06 < Deus3X> but i'm doing something wrong.. If i will stop the openvpn client i can get the connection (so firewall port are correctly open on router)
07:06 < Deus3X> no
07:06 < |Mike|> e.g MySQL on client1 forwarded to the VPN his public IP
07:06 < |Mike|> ?
07:06 < Deus3X> i need to allow connection on pc's ip
07:07 < Deus3X> but the pc is using openvpn client to send all traffic over it
07:07 < Deus3X> (client have redirect gateway option)
07:08 < Deus3X> so the pc's ip is not accessible
08:21 < redrabbit> it should be accessible whether or not you are using the VPN
08:23 < |Mike|> depends on the firewall of the client jmo.
08:24 < Deus3X> https://paste.ofcode.org/327PE6MmKWLEHrZiQ7vtyvA
08:24 < Deus3X> the problem is 0.0.0.0/1 via 10.200.10.29 dev tun0
08:24 < Deus3X> that rule will forward all...
08:31 < |Mike|> what's up with using 0.0.0.0 anyway? :-)
08:35 < Deus3X> is the openvpn client...
08:35 < Deus3X> it will push the rule
09:27 < SlaSerX> hello
09:29 < SlaSerX> i run vpn server on my debian but when i try to connect i take this err
09:29 < SlaSerX> https://pastebin.com/ht3sXLf9
09:29 <@dazo> SlaSerX: what does the log on the remote side say?
09:32 < SlaSerX> remote side is a windows
09:33 < SlaSerX> just told me authorized request
09:33 <+hyper_ch> !configs
09:33 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
09:34 <@dazo> !logs
09:34 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
09:34 < SlaSerX> ok i will paste now
09:35 < SlaSerX> config
09:35 < SlaSerX> https://pastebin.com/HLWuV917
09:35 < SlaSerX> version is 2.3.4
09:35 < SlaSerX> and logs is that all i paste first
09:36 <@dazo> eek ... that's way old
09:36 <@dazo> client configs is needed too
09:37 < SlaSerX> ohh sorry
09:37 < SlaSerX> my wrong
09:37 < SlaSerX> i forget to run client services. .. :D
09:38 < SlaSerX> but i dont have a internet.. : > i need to make nat ? i have set ip frow.. on sysctl
09:39 < SlaSerX> yeah now work with nat
09:39 < SlaSerX> thx for supp
09:44 -!- abenz_ is now known as abenz
09:45 <@dazo> well, both server and client configs are needed
09:45 <@dazo> for Internet access over the VPN, then you need NAT ... otherwise, avoid it
09:55 < Deus3X> i'm becoming crazy... can someone help me with some rule/route ?
09:56 < Deus3X> on a centos vps i have a openvpn client running
09:56 < Deus3X> all the traffic is going over vpn (redirect-gateway def1)
09:57 < Deus3X> i need to allow incoming connection on an udp port
09:57 < Deus3X> so i added 3 simple rule...
09:57 < Deus3X> ip rule add from 10.1.1.10 table 128
09:58 < Deus3X> ip route add table 128 to 10.1.1.0/24 dev eth0
09:58 <@ordex> < Deus3X> i need to allow incoming connection on an udp port << on which address? VPN or public?
09:58 < Deus3X> ip route add table 128 default via 10.1.1.1
09:58 < Deus3X> public addres
09:58 <@ordex> 10.1.1.10 << is this your public address ?
09:59 < Deus3X> the centos vps is beind a router
09:59 <@ordex> I doubt..
09:59 <@ordex> ok, so that is your uplink address on eth0 ?
09:59 < Deus3X> 10.1.1.10 is eth0 ip of centos vps
09:59 <@ordex> ok
09:59 < Deus3X> 10.1.1.1 is gateway (router)
09:59 < Deus3X> why i still not able to connect?
10:00 < Deus3X> if openvpn client is stopped i can connect
10:00 <@ordex> have you tried to dump the traffic and see if you are receiving the packets on the udp port?
10:00 <@ordex> mh
10:00 < Deus3X> with openvpn client (redirect gateway) up i can't connect...
10:01 < Deus3X> but the routing table should be the solution...
10:01 <@ordex> yeah it should
10:01 <@ordex> I can't see anything wrong .. I would dump the traffic to see what's going on
10:01 < Deus3X> how can i dump it?
10:01 <@ordex> tcpdump
10:01 <@ordex> or wireshark (if you have gui)
10:02 <@ordex> I would filter by the udp port on all the interfacs and see which IP is using the VPS to reply
10:02 <@ordex> maybe it is replying over the VPN, although it should not
10:02 < Deus3X> can i use tcpdump only for an udp port?
10:02 < redrabbit> hi
10:02 <@ordex> sure, you can filter the way you wNT
10:02 <@ordex> want
10:02 <@ordex> check the man
10:03 < redrabbit> im trying to ping / rdp / access the network behind a win10 openvpn client that runs as a service
10:03 < redrabbit> i'm looking at the firewall rules atm
10:03 < redrabbit> looks like its getting blocked
10:04 < redrabbit> i can ping the server from the client
10:04 < redrabbit> but from the server i can't ping the client
10:05 < redrabbit> i allowed all the echo requests in win10 firewall
10:07 < Deus3X> tnx ordex now i'm dumping the port.. but seams that no connection is incoming....
10:08 <@ordex> well...if it's not incoming, I m not sure why the problem would be openvpn
10:08 < redrabbit> is there a way to turn the TAP device to behave like a private network
10:08 < Deus3X> let me try with openvpn stopped
10:14 < Deus3X> ok with openvpn up i'm getting incoming traffic on eth0
10:14 < Deus3X> but i really don't understand why i'm not able to connect....
10:14 < Deus3X> if openvpn client is down... it will work
10:15 < Deus3X> is a IAX connection...
10:17 <+hyper_ch> why shouldn't you get incoming traffic on eth0?
10:18 < Deus3X> there is an openvpn client with redirect-gateway def1
10:18 < Deus3X> anyway i think i got the problem
10:19 < Deus3X> iax connection is bidirectional...
10:19 < Deus3X> so i need to set ip rule from and also ip rule to
10:19 <+hyper_ch> but gateway is only for outgoing traffic, not incoming one
10:19 <+hyper_ch> or rather your routing table
10:20 <+hyper_ch> I think
10:20 < Deus3X> 0.0.0.0/1 via 10.200.10.29 dev tun0
10:20 < Deus3X> thats the problem
10:20 < Deus3X> def1 option will add that rule
10:20 < Deus3X> it will replace eth0 default
10:26 <@ordex> Deus3X: but the policy routing rule you created should work fine *as soon as the packets your connection generates have 10.1.1.10 as source IP*
10:27 < redrabbit> route 0.0.0.0 0.0.0.0 & route-metric 512 solved my issue + white listing the vp ip range in the service i want to access
10:27 < redrabbit> it turned TAP into a private network
10:28 < beastwick> hi everyone, I've set up OpenVPN on my DDWRT router and can connect behind my LAN. I am trying to connect remotely now and I can not. I see my client request come in on 22 using tcpdump, but it's almost as if the traffic never goes to the OpenVPN server listening on 22. The client hangs on establishing UDP connection.
10:28 < Deus3X> ordex now is working
10:28 < Deus3X> i had to add also an ip rule to....
10:28 <@ordex> what did you change ?
10:28 <@ordex> what rule did you add exactly ?
10:29 < Deus3X> rule from 10.1.1.10
10:29 < Deus3X> rule to public ip of the other server
10:29 <@ordex> uhm
10:29 < Deus3X> because it was a iax (voip) connection
10:30 <@ordex> I don't get why you'd need that
10:30 <@ordex> maybe there is some other setting that is conflicting
10:30 <@ordex> anyway, glad that now it is working!
10:30 < Deus3X> i think it was a iax specific
10:31 < Deus3X> it is a tunnel between 2 server
10:31 < Deus3X> i think that should be on the same interface to allow authentication....
10:31 < Deus3X> but i don't know why... :)
10:34 < Deus3X> anyway really tnx ordex
10:34 <@ordex> np
10:37 < redrabbit> beastwick: port 22 is strange for openvpn but that shouldt be the issue
10:37 -!- dionysus70 is now known as dionysus69
10:41 <@ordex> beastwick: firewall?
10:44 < beastwick> Hi, I am purposefully using 22 because I know it is open where I am.
10:45 < beastwick> I see 22 come into the router and in iptables I have allowed both UDP/TCP for dst:ssh
10:45 < beastwick> (22)
10:55 <@ordex> beastwick: are you sure the isp allows udp on 22 ?
11:00 < redrabbit> for bullet proof links i run a second TCP/443 instance
11:01 < redrabbit> if your isp blocks 22 udp though there is a chance they will block theses ports as well
11:02 < redrabbit> you could try to switch to tcp to make sure
11:02 < redrabbit> 22/tcp
11:18 -!- gthank is now known as gthank_away
11:19 -!- gthank_away is now known as gthank
13:24 < fas3r> n
13:24 < fas3r> Hello
13:25 < fas3r> Is it necessary to put the full path of the files on client side ?
13:25 < fas3r> I notice that it's not possible to use ~/Documents/myconfig.ovpn on client side
13:26 < fas3r> I have to put the full path, is it an normal behavior ?
13:31 < rob0> see --cd in the man page.  You can also use a relative path to the working directory where you started openvpn.
13:35 <@dazo> fas3r: ~/Documents.... is actually a full path.  But the ~ syntax probably isn't expanded to the proper path
14:03 < Fraz> hey
14:03 < Fraz> banco?
14:27 < rob0> el banco está cerrado
17:43 -!- Dougy [~dougy@openvpn/community/support/Dougy] has quit [Ping timeout: 240 seconds]
19:31 < nacelle> can one use ecc cipher or is that just control channel stuff still?
19:33 <+s7r> nacelle: what do you mean ecc cipher?
19:35 < nacelle> a cipher that isnt aes?
19:35 < nacelle> cipher aes-256-cbc, etc.
19:35 < nacelle> cipher echde-i've-no-clue
19:36 <+s7r> yes, the cipher is aes. ECC is just for key negotiation
19:36 <+s7r> ECDHE-ECDSA-AES256-GCM-SHA384
19:36 <+s7r> ECDHE -- Elliptic curve diffie hellman exchange
19:36 <+s7r> ECDSA - Elliptic curve digital signature algorithm
19:37 <+s7r> those are not ciphers
19:37 <+s7r> ECC is used during OpenVPN tunnel authentication and key exchange, which are the most important parts of VPN communication.
19:37 <+s7r> 384 bits ECDSA is equivalent to RSA 7680 bits.
19:37 < nacelle> right
19:37 < nacelle> i've read this
19:38 < nacelle> i wanted better performance out of what happens after the tunnel is up
19:38 < nacelle> with crappier hardware ;-)
19:39 < nacelle> its hard to tell sometimes with teh openvpn documentation, some of it can be painfully out of date if it doesnt reference a version, and then some for things that "arent" supported.
19:39 < nacelle> like parts of it still assert that you can only use tap devices on windows, which hasnt been the case for years.
19:39 <@plaisthos> nacelle: tls cipher does not affect your performance
19:39 < nacelle> right
19:39 <@plaisthos> !cipher
19:39 <@plaisthos> if you have 2.4 on both sides
19:39 <@plaisthos> you will get aes-gcm
19:39 < nacelle> i was just seeing of the transport could be changed to something not-so-aes
19:40 <@plaisthos> which is the fastest on modern hardware
19:40 <@plaisthos> just run openssl speed -evp aes-256-gcm to see what (raw) performance your cpu has
19:41 < nacelle> yeah, i get that, looking to outdo those.  stuck with them is ok too I guess.
19:41 < nacelle> y'all get hammered by the dumb a lot I imagine. sorry.
19:41 <@plaisthos> nacelle: no encryption is probably faster
19:41 < nacelle> thats not an option for this puzzle
19:41 < nacelle> but i've been trying it out to see what the overhead is
19:42 <@plaisthos> but gives you an idea how fast it gets without encryption
19:42 <@plaisthos> as a baseline
19:42 < nacelle> its definitely not pretty that openvpn binds to a single cpu, etc. for that stuff, even in non-encryption times
19:42 <@plaisthos> to give you an idea if encryption is actually your problem
19:42 <@plaisthos> yeah openvpn is old and single threaded
19:42 < nacelle> the encryption just adds another layer of slowness to it
19:42 < nacelle> i've worked around it a little bit by load balancing against openvpn processes internally
19:43 <@plaisthos> my cpu does about 2GB/s per core with aes-gcm
19:43 < nacelle> but thats just per session and not so great when i overlap users to processes
19:44  * nacelle should have just dug through the source in the first place
19:44  * nacelle sighs
19:44 < nacelle> its hot, i'm being lazy
19:45 < Kryczek> nacelle: try `openssl speed` to have an idea
19:46 < Kryczek> ah sorry plaisthos already suggested it
19:46 < nacelle> and i'd done it weeks before that :-)
19:46 <@ordex> aloha
19:46 < nacelle> thats probably the easiet though, yeah?
19:46 <@plaisthos> ordex: aloha
19:46 <@ordex> :)
19:47 < nacelle> without specifying it will eventually show all of them
19:47 <@ordex> long night plaisthos ?
19:47 < nacelle> and that would have answered it for me I guess. hrmpf
19:47 < Kryczek> nacelle: depends if your CPU has hardware acceleration of AES, otherwise ciphers like ChaCha20 can be faster
19:47 <@plaisthos> ordex: yeah
19:47 <@ordex> hehe
19:48 <@plaisthos> now I am testing chacha20 on my cpu :P
19:49 < Kryczek> ~10 years after having bought my Soekris Net5501 and the VPN1411 crypto accel card, I am still pissed off that the AMD Geode CPU does just as well without it heh
19:49 < nacelle> i have a small pile of crypto boards
19:49 < nacelle> i've zero inclination towards using any of them
19:50 < nacelle> one i want to sell asap, its probably worth something
19:50 <@ordex> plaisthos: cool. I was talking to syzzer about that just yesterday
19:50 <@plaisthos> chacha20 does ~1200 MB/s and chacha-poly1305 which is the fair comparison does ~945 MB/s
19:50 < nacelle> but i need to find a driver set to test it (cavium fips thing)
19:50 < Kryczek> nacelle: what CPU are we talking about in your case?
19:50 <@ordex> plaisthos: vs AES? what do you get
19:50 <@ordex> aes-gcm
19:50 <@plaisthos> all are at 256 byte size
19:50 < Kryczek> byte? :P
19:51 < Kryczek> wait, blocks, or?
19:51 < nacelle> Kryczek: its more than six... on the server side theres a mix of atom, core2, sandy bridge...
19:51 < Kryczek> nacelle: ah!
19:51 < nacelle> nothing super quick
19:52 < Kryczek> nacelle: do they all have a TPM?
19:52 <@ordex> plaisthos: what do you get on the same machine with aes-gcm?
19:52 <@plaisthos> ordex: 2 GB/s
19:52 < nacelle> Kryczek: i dont believe so, the atoms doubtfully so
19:52 <@ordex> oh wow
19:52 < nacelle> (they're old atom)
19:52 < Kryczek> nacelle: ah, pity, otherwise you could have the private keys in hardware so no one can copy them :)
19:53 <@plaisthos> with 1024byte it is 2,8 GB/s (aes) and 1,7 GB/s (chacha-poly)
19:54 <@ordex> I did not expect such drop. chacha20-poly should have HW acceleration too, no?
19:54 <@plaisthos> aes-ctr is 3,2 GB/s :)
19:54 <@ordex> plaisthos: are you using openssl 1.1 ?
19:54 <@plaisthos> yes
19:54 <@ordex> ye
19:54 < nacelle> Kryczek: yes, right.
19:56 <@plaisthos> ordex: macbook touch with skylake 6820HQ cpu
19:56 <@ordex> skylake ? what arch is that ?
19:56 <@plaisthos> ordex: what do you mean?
19:56 <@plaisthos> https://en.wikipedia.org/wiki/Skylake_(microarchitecture)
19:57 <@plaisthos> 6th gen intel core i7
19:57 <@plaisthos> notebook cpu
19:58 <@ordex> oh ok
19:58 <@ordex> that answers the question
19:58 <@ordex> it's a x86
19:58 <@plaisthos> yeah macbook should have answered that ;)
19:59 <@ordex> yeah, but who knows :P
20:00 <@plaisthos> ordex: but my fastest arm cpu here also has something in region of 1-2 GB/s
20:01 <@ordex> I see
20:02 <@plaisthos> But that nvidia tegra x is a monster of its own
20:02 <@ordex> nacelle: let's talk about this here: what are you hacking about? multi thread?
20:02 <@ordex> plaisthos: can it do crypto ?
20:03 <@plaisthos> yeah hardware acclerated aes instructions
20:04 <@ordex> ah cool
20:06 <@plaisthos> most modern phones can do that ;)
20:08 < nacelle> yes
20:08 < nacelle> i guess
20:14 <@plaisthos> hm
20:14 <@plaisthos> compling openssl for android sucks
20:14 <@plaisthos> I should just add that code to my app %)
20:21 <@ordex> plaisthos: why not using mbedtls ?
20:22 <@plaisthos> not feature complete
20:22 <@plaisthos> getting better
20:23 <@plaisthos> and also speed
20:23 <@plaisthos> mbedtls does not have assembler
20:23 <@ordex> not at all?
20:23 <@ordex> ok
20:23 <@ordex> I thought it was somehow ok for arm
20:23 <@plaisthos> might be
20:24 <@plaisthos> but openssl is just the what openvpn always used
20:24 <@plaisthos> and openssl is generating enough problems already
20:24 <@plaisthos> I don't want know what errors users are getting with mbedtls
20:27 < nacelle> weird, sha512 does better at 1024+ byte jobs than sha256
20:28 < nacelle> (on this core2)
20:30 <@plaisthos> 64+ bytes here :)
20:31 < nacelle> sha256           20596.08k    48663.92k    86833.33k   109118.26k   117866.82k
20:31 < nacelle> sha512           17708.08k    70122.35k   113137.37k   161602.51k   184818.05k
20:33 <@plaisthos> sha256           35158.34k   103936.79k   243165.01k   352014.90k   411497.81k   420592.07k
20:33 <@plaisthos> sha512           28340.74k   111919.35k   253012.91k   442697.80k   570209.93k   581637.50k
20:35 <@plaisthos> considering that the core2 is probably around 10 years old it is not that bad against a 1 year old ~3Ghz cpu
20:49 < nacelle> sha256           59555.97k   130733.27k   227189.16k   282481.66k   303177.97k
20:49 < nacelle> sha512           47801.10k   191783.57k   286452.99k   404741.99k   461116.76k
20:49 < nacelle> I think thats my fastest cpu atm
20:49 < nacelle> Intel(R) Xeon(R) CPU E3-1275 V2 @ 3.50GHz
20:49 < nacelle> "fastest"
20:50 < nacelle> it beasts the e5 I have, but not really :-)
20:53 <@ordex> sha256           66195.73k   149272.87k   280141.48k   350793.73k   372361.90k
20:53 <@ordex> sha512           44543.31k   178831.47k   308215.72k   465677.31k   542345.90k
20:53 <@ordex> just to do $something
20:55 < MacGyver> nacelle: That's not weird. SHA512 uses 512 bit states, has double the block size, but only slightly more rounds. Basically, it operates on about 5 cycles per byte rather than SHA256's 7,5 cycles per byte.
20:55 < MacGyver> Uh.
20:55 < MacGyver> SHA512 uses 1024-bit state*, wherease SHA256 has 512-bit state.
20:56 < MacGyver> Or well, either it's 256 and 512, or 512 and 1024. Point is, it's twice as large.
20:59 < Eugene> Depends upon your platform. 64-bit CPUs handle SHA512 faster; 32-bit ones handle SHA256 faster. It also varies based upon the implementation(the canon one in C is very fast). https://crypto.stackexchange.com/questions/26336/sha512-faster-than-sha256
20:59 <@vpnHelper> Title: hash - SHA512 faster than SHA256? - Cryptography Stack Exchange (at crypto.stackexchange.com)
21:00 < Eugene> Also of interest is SHA-384 and -224, which are truncated versiosn of the above, but which perform better in real-world applications because you get extra bytes left over for metadata(and thus, you can keep them in memory better for your big-ass B+ tree search)
21:02 < MacGyver> Well sure, if your machine has some limitations that don't apply to -256 but do to -512 (in this case I assume it's register sizes?) then your performance tanks. But if it doesn't, SHA512 is designed in such a way that it will be faster. Assuming messages larger than 1 blocksize.
21:03 < Eugene> Its because the integer operations match the size of the CPU registers, yeah
21:03 < Eugene> And indeed, the SHA-2 family is better. But also obsolete now that we have SHA-3, right :-p
21:03 < MacGyver> I do understand the surprise though; it's not the case for e.g. the SHA3 family of functions.
21:04 < Eugene> Give it a couple years, we'll get a silicon implementation just in time for SHA4 to hit the standards
21:04 < MacGyver> As in, SHA3-256 does actually take fewer cycles per byte than SHA3-512.
21:04 < MacGyver> But then again, everyone should be using SHAKE anyway.
21:07 < nacelle> are sha512 openvpn installations common?
21:08 < Eugene> "Where" :-p
21:12 < Eugene> I don't know of any comprehensive survey of real-world configs. I personally use --auth sha512, and have SHA512 algo on my certs. If I cared enough to rotate my PKI I would update to one of the EC family
21:13 < Eugene> But support for those is not yet universal anyway.... keeps getting better
23:04 -!- FlonnorMayGregor is now known as gtt
--- Day changed Tue Aug 29 2017
04:21 < numbdewd> Howdy. May anyone please suggest any more or less known Pluggable Transports that may be presumed to go under the radar of the GFW of CN and also western governments, and if anyone would be able to tell if it's possible to rotate such on auto without much hassle, or if there are any with presumed effective polymorphic features evading DPI effectively over time..?
04:24 < numbdewd> "Snowflake" -- ..good..?     What about "Shapeshifter Transports",anyone tried that..such as https://github.com/OperatorFoundation/shapeshifter-transports ?  Both very public and seemingly well-known and fairly widely deployed solutions
04:24 <@vpnHelper> Title: GitHub - OperatorFoundation/shapeshifter-transports: Shapeshifter Transports is a set of Pluggable Transports implementing the Go API from the Pluggable Transports 2.0 specification (at github.com)
04:26 < numbdewd> Also, if anybody could guesstimate if these things would likely play well along with other additional means of traffic obfuscation.. for example lets say this https://github.com/vecna/sniffjoke  ontop of whichever (then tcp-only yeah..)
04:26 <@vpnHelper> Title: GitHub - vecna/sniffjoke: a client-only layer of protection from the wiretap/sniff/IDS analysis (at github.com)
04:52 <@ordex> numbdewd: I know obfs4 is used with openvpn
04:52 <@ordex> but I have never used it myself
04:52 <@ordex> and that works pretty well[tm] as far as I know
04:54 < numbdewd> k.. guess might be best to just get around to trying that stuff if to find out for sure if it'd work at all..mh, might do it...soon.. (hopefully)..:d Been delaying that all  a while in uncertainty in case wouldn't work out and get stuck in a mess of reconfiguring  (lazy..ha..:z)...but yeah, i prolly should anyway..hm
04:55 < numbdewd> anyway, by the looks,description, and ur experience with obfs4 as well (which Ive only tried with TOR before iirc...),... guess it should work,aslong as it's done right, yeh.. heh.  mm...might try in a bit then! ..=)   Thanks for input btw..  interesting with these obfuscation methods, but seems possibly a bit messy setting up on each side and getting to persist in functional state as such for goo
04:56 <@ordex> :P
04:56 < numbdewd> ...good , and all...  but also haven't read all the read-mes as I yet either I guess..pfft. ... coffee first..^^
04:56 < numbdewd> ...mm..(sleep deprived^, tad hard to think atm..in some ways tleast. heh:P)  =)
04:57  * ordex injects coffee into numbdewd 's brain
04:57 < numbdewd> made me wonder btw., if them other "pluggable transports" , as would work with TOR, would work as-is without further (or much) changes with OpenVPN as well..  seems obfs and others does...?
04:58 <@ordex> maybe, I am not extremely familiar. but if settings are generic and not app specific, then yeah. it would just transport the tcp connection
04:58 <@ordex> whatever that is
04:58 < numbdewd> mm..lol,unsure if caffeine will have much effect really besides the warm drink,a change of focus for a bit and the psychological notion it might (at least in part) do some good..  afraid ive too high tolerance to get all that much out of it.  anyway.. will,shortly.. :z
04:58 < numbdewd> yeah..sounds like...hm..
04:59 < numbdewd> Ive found other more obscure PTs before, like on GitHub somewhere iirc there was one that made it appear as an SSH connection .., but wasn't finished development of (but close, still functional..possibly.. (unsure)) that seemed interesting, as some others too..
05:00 < numbdewd> (less-known / obscure ones would be attractive for sake of that by itself Id think -- few others would be using and likely little chance govt. or any such would have picked up and know to counter/detect it yet then.. :o)
05:01 < numbdewd> hm.. i dunno. maybe overkill anyway.. mostly just for playing aruond/experimenting anyway, heheh .. 8)
06:04 < Paprikachu> hi, i'm trying to set up openvpn for multiplayer games that only support LAN games
06:04 < Paprikachu> i can reach other computers on the vpn just fine (ping as well as tcp connections) but i cannot find any games on the network
06:12 < Paprikachu> i am using tap mode, so broadcasts should be going through. any idea why this isn't working?
06:14 < BtbN> That depends entirely on the games
06:14 < BtbN> And I doubt anyone here has experience with that
06:15 < BtbN> your safest bet is to build a transparent router box that connects one of its LAN ports exlusively to the tap bridge
06:15 < Paprikachu> i've tried two games, neither of them works unfortunately
06:16 < Paprikachu> is there a way to get wireshark to capture vpn packets?
06:18 <@ordex> Paprikachu: sure
06:18 <@ordex> it depends if you want them from "inside" or "outside" the tunnel
06:18 <@ordex> just dump on tunX (inside) or whatever uplink interface you have (outside)
06:18 <@ordex> on the outside you'll also see control packets of course
06:19 < Paprikachu> windows; the interface is not in the list
06:19 < Paprikachu> even if i run wireshark as admin
06:21 <@ordex> ah windows .. no clue then
06:22 <@dazo> well, it's a good starting point .... if the TAP adapter is not visible for windows programs (like wireshark) ... then getting basic networking working over that TAP adapter is a good start
06:23 <@dazo> once you can connect and poing the VPN server from the VPN client, then you can start looking further
06:24 < Paprikachu> like i said, i can ping and connect to other clients just fine, game discovery just isn't working
06:26 < Paprikachu> what is weird is that the interface shows up in the windows network and sharing center, but neither in wireshark nor the "new" system settings
07:36 -!- Dougy [~dougy@openvpn/community/support/Dougy] has joined #openvpn
07:36 < Dougy> hello men
07:41 < Kryczek> and women
08:12 < rob0> and device nodes?
08:21 < numbdewd> yo!
08:33 < redrabbit> im trying to access the ressources behind a win10 client, the ovpn configuration is good i did that with linux clients no problem, however i have no idea how to configure windows so it lets me access network ressources through the TAP
08:33 < redrabbit> probably needs some ip forwarding
08:35 <@ecrist> yeah, it will need that
08:35 <@ecrist> the other thing is you need routing for the VPN subnet from those other resources
08:35 <@ecrist> i.e. they need to know to route to that Windows host for the VPN connections
08:37 < redrabbit> i did the second part with linux machines, but i have no clue how to enable forwarding/masq on windows
08:38 < redrabbit> on linux its a piece of cake
08:39 < redrabbit> so far my attempts on the windows side of things have been a failure
08:39 < redrabbit> i try something and everything starts to fail
08:40 < redrabbit> http://keepthetech.com/2016/01/enable-ip-routing-on-windows10.html < tried this
08:40 <@vpnHelper> Title: Enable IP Routing In Windows 10 Using Command - KeepTheTech (at keepthetech.com)
08:40 <@ecrist> redrabbit: someone here might know, but it's not an openvpn thing, per se
08:40 <@ecrist> more of a windows networking thing
08:40 < redrabbit> yeah you are absolutely right
08:41 < redrabbit> if someone has a clue, dont hesitate, i dont disconnect
08:43 < dreadkop_> hey guys. i sucessfully set up a openvpn server on one of my VPS. i can use it without problems using tunnelblick on my macbook. However how can i export the .ovpn config for the openvpn client for windows ?
08:50 < rob0> redrabbit, and NAT (masq) is probably *not* needed; just IP forwarding and proper routes.
08:50 < rob0> !ipforward
08:50 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
08:50 < rob0> !winipforward
08:50 <@vpnHelper> "winipforward" is (#1) reboot after enabling it, or (#2) https://support.microsoft.com/EN-US/kb/230082 to enable ip forwarding on windows
08:50 < skyroveRR> Heya rob0
08:51 < rob0> skyroveRR, yo!  New toy arriving today, much geeky goodness!
08:51 < redrabbit> most helpful
08:58 < skyroveRR> redrabbit: oiiii.
09:57 < dreadkop_> is there an alternative openvpn client for windows ? official openvpn client can only manage one connection (unless i am really stupid)
09:58 <+hyper_ch> you could upgrade to linux
10:00 < dreadkop_> hyper_ch: haha... if it was for me that wouldn't be a problem... but 90% of the people using this vpn will run windows. + most of them are students so they cannot replace the university openvpn config with this one
10:01 <+hyper_ch> well, I tend to think openvpn client on windows can also handle more than 1 connection
10:01 <+hyper_ch> but never tried
10:02 < dreadkop_> yeah, just found that in google research as well. however (if existent) i'd like something like tunnelblick. load config, click connect, done.
10:03 <+hyper_ch> :)
10:03 < rob0> why can't openvpn on Windows handle more than one connection?  Sure, if options are conflicting you will have problems, but that's true on *any* OS
10:04 < dreadkop_> rob0: there is no option to switch between configs at first sight
10:04 < rob0> what does that mean?
10:04 < zvirbliukas> tunnelblick is MacOS app
10:04 <+hyper_ch> what happens if you run openvpn client from batch file using different configs?
10:04 < dreadkop_> that's right. i am looking for something similar in windows since openvpn client gives me a headache... and i will not set up it manually at all clients vie remote control haha
10:06 < dreadkop_> hyper_ch: let me check that later. maybe i can make a small batch for my people to run.
10:07 <+hyper_ch> do you need to run multiple configs or just one at a time?
10:07 <+hyper_ch> if so, maybe use somethign like zenity or kdialog (but for windows) to select the config to run
10:09 < dreadkop_> just one at a time but without any tinkering for the user to switch between the connections. need to run for now. i will look into viscosity and openvpn from commandline. otherwise i'm back in ~1h
10:09 < dreadkop_> thanks for now :)
10:12 <+hyper_ch> dreadkop_: I use that in a windows vm:  https://paste.simplylinux.ch/view/8e3914bb
10:24 <@dazo> dreadkop_: I believe it is possible to have more connections running on Windows too ... but you might need to pre-create the TAP adapters ... there should be a script in the openvpn/bin directory which does that for you
10:57 < Rapture> Anybody know of an openVPN security notification email subscription?
10:57 < Rapture> Managed to find the security advisory page but not subscribe or anything like that
10:58 <+hyper_ch> what for?
10:59 < Rapture> hyper_ch: for things like what would be on the security advisory page: https://openvpn.net/index.php/access-server/security-advisories.html
10:59 <@vpnHelper> Title: Security Advisories (at openvpn.net)
11:01 <+hyper_ch> just idle in here :)$
11:01 < Rapture> haha I was actually surprised I didn't already have this channel in my list. It must have gotten too long at one point :)
11:05 <@ordex> Rapture: if you are registered to the ml, you'll receive announcement about release containing security fixes too
11:09 <+hyper_ch> Rapture: run that in cron like every 6h or so and set the storage var to something permanent
11:09 <+hyper_ch> https://paste.simplylinux.ch/view/20330eff
11:09 <+hyper_ch> whenever it chagnes, you should get a popup with zenity (if you have zenity installed)
11:10 <+hyper_ch> or you could change it to kdialog
11:10 <+hyper_ch> run it as user of course
11:10 <+hyper_ch> or what ordex said ;)
11:11 < Rapture> ha, thanks :)
11:11 <+hyper_ch> quickly hacked together
11:14 <+hyper_ch> Rapture: been converting my pdf scripts on the weekend... need to add zenity support since my current distro doesn't have kdialog packaged :)
11:15 <+hyper_ch> s/need/needed/
11:15 <+hyper_ch> so it wasn't a big deal that little hack script
11:18 < Rapture> ya looks god!
11:18 < Rapture> good*
11:18 < rob0> Do note however that this channel has nothing to do with OpenVPN-AS.
11:18 <+hyper_ch> oh, that was as advisories...
11:19 <+hyper_ch> just put in any desired url :)=
11:20 <+hyper_ch> is there a reason why -as won't move to .com?
11:21 <@ecrist> hyper_ch: ?
11:21 <+hyper_ch> why does openvpn.net contain openvpn and openvpn-as?
11:22 <@ecrist> that's the way it is
11:22 <+hyper_ch> :)
11:23 <+hyper_ch> and there's a reason why it is the way it is?
11:23 < rob0> openvpn.com is a slimy cybersquatter
11:23 <+hyper_ch> cybersquatting still exists?
11:23 <+hyper_ch> that's so early 2000s :)
11:24 < rob0> but .org and .net are both OpenVPN
11:24 <+hyper_ch> :)
11:45 < redrabbit> cybersquatting is thriving
11:46 < redrabbit> they even have fancy labels to slap on it like it creates some value or something
11:46 < redrabbit> speculators
12:23 -!- abenz_ is now known as abenz
12:42 < dreadkop_> feedback: viscosity for windows works fine : import vpn config, click connect, done
12:59 < beastwick> hi everyone, I am trying to connect to my OpenVPN server on DDWRT over TCP 443, I see the client request come in, but nothing happens with the OpenVPN server.
12:59 < beastwick> 443 tcp is open and allowed in iptables (as https).
12:59 < beastwick> I see it is being listened on with netstat
13:00 < beastwick> the openvpn server is configured to listen on 443 TCP
13:01 <+hyper_ch> !configs
13:01 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:02 < beastwick> server config https://pastebin.com/0J6rZtun
13:04 < beastwick> client https://pastebin.com/8JE7ePGQ
13:05 <+hyper_ch> any reason why you're using tcp?
13:05 < beastwick> couldn't verify that udp packets were coming in from my location
13:06 < beastwick> I think where I am only tcp udp packets are allowed
13:06 <+hyper_ch> can you telnet to the server from your client?
13:06 < beastwick> to the openvpn server or ddwrt?
13:06 < beastwick> I am able to ssh into my ddwrt
13:06 <+hyper_ch> to the server
13:06 <+hyper_ch> or telnet from your computer to the openvpn server
13:06 < beastwick> mmm, does the openvpn server get an ip?
13:07 < beastwick> if so, where can I find it? I am running in TAP mode.
13:07 <+hyper_ch> it has a public ip
13:08 <+hyper_ch> 20xxxxxxx something
13:08 < beastwick> hyper I am sorry, I am confused. Do you mean my router's IP?
13:08 < beastwick> public WAN ip?
13:08 <+hyper_ch> your openvpn's plublic ip
13:08 <+hyper_ch> openvpn server's public ip
15:25 < teknix_> hello all
15:27 < teknix_> so i have a question. I am running ubuntu 16.04 and have a client config file with inline certs in /etc/openvpn however openvpn refuses to read or acknowledge the config file unless i run it directly using openvpn --config office.conf is there a way around this?
15:31 <@dazo> teknix_: how do you try to start openvpn when it fails?  and what does the logs say?
15:33 < teknix_> dazo: hah! crazy, after a reboot and asking a question it bloody worked.
15:33 < teknix_> lol
15:33 < teknix_> you got the magic touch
15:33 <@dazo> so I've heard!
15:35 < teknix_> hehehe
15:35 < teknix_> thank you for your willingness to help however
15:35 < teknix_> :)
15:37 <@dazo> Many years ago I worked in a company with weird beasts of computerized production machines.  And loading data could often fail.  The production manager soon discovered that if I just stood close to the machine when loading the biggest data files, it never failed ... if I was in the room next to it when they tried the same file, it would in 50% of the times fail
15:37 <@dazo> I'm not superstitious .... but it made me wonder!
15:39 < teknix_> fantastic! I think the machines can sense what COULD happen to them ;)
15:42 <@dazo> Oh ... here it is!  https://www.youtube.com/watch?v=bkqckq2tExU ... wow, those were the days
15:43 <@dazo> That's a smaller model than what we used (we had also colour thermo printer, this one have only monochrome) and ours had a laser engraving module
15:43 <@dazo> the main controller on those boxes ran OS/2 Warp
15:45 <@dazo> We actually reverse engineered the data format for a couple the thermo print modules ... so we could generate all the data files directly on Linux, instead of having to run some weird DOS or OS/2 software to convert JPGs or TIFF images to it's internal format
15:46 < teknix_> wow that machine is pretty awesome!
15:46 < teknix_> i bet jams were a SOB
15:46 <@dazo> well, as long as we kept the maintenance well, it ran quite well for many hours
15:47 <@dazo> the biggest issue was actually the printer .... the printer which was designed for it was truly crappy and expensive, the worst printer resolution you could imagine
15:47 < teknix_> dazo: if you dont mind me asking, how old are you?
15:47 <@dazo> 40+
15:48 <@dazo> we looked into some heavy duty printers, but those worked bad too ... too much paper jam
15:48 < teknix_> i was gonna say, you have to be close to my age bracket to even get to see that sort of equipment
15:48 < teknix_> <-- 37
15:48 <@dazo> so we discovered that cheap HP Laser Jet (4100?) did the job .... didn't handle more than 20-30.000 clicks, but we could replace them for 1/3 of the maintenance cost of the original printer
15:49 <@dazo> :)
15:49 < teknix_> yay for saving money lol
15:49 < teknix_> i still marvel at the size difference in some of this machinery from then to now
15:50 <@dazo> I haven't paid much attention to the what this industry uses today ... but we sure had fun :)
15:57 < deftjack> Anyone have suggestions on OS detection of clients?  I see it reported in the status log but no way to connect the dots not variables that get set for use in ccd, learn etc. I was considering use of nmap or similar to query the OS but that is not very reliable. Although even detecting, linux vs windows would be helpful.
16:00 < deftjack> I suppose I could grab all between TITLE and END and parse the info out...
16:12 -!- gthank is now known as gthank_away
16:14 -!- gthank_away is now known as gthank
18:10 < zamba> i have set up a tap layer-2 vpn tunnel between two locations to be able to use multicast iptv
18:10 < zamba> but i'm experiencing lags and intermittent picture freeze
18:10 < zamba> and then i read something about routed multicast?
18:21 < jadesoturi> hi all. im having trouble connecting to a openvpn server installed in a lxc on aproxmox server.
18:22 < jadesoturi> udp 1194 is open both on the router and on the lxc container. but im still getting the TSL handshake failed in 60 seconds error ...
18:22 < jadesoturi> what to start troubleshoting this?
18:32 < andarien> hello all, my openvpn server on my raspbian creates logs readable only by root, any clue how to convince it to create logs readable by the admin group instead?
18:32 < andarien> the reason is those logs, along with every other log rotated i need to .tar.gzip and archive it on a daily basis, but the script breaks unless i sudo it
19:34 <@ordex> moin
19:50 < monoxane> hey, its probably firewall but i can access the internet through my VPN but i cant access services on the server itself unless its proxied by something like cloudflare, any ideas?
19:50 < monoxane> yes, its behind NAT, yes NAT is set up correctly
19:53 < monoxane> I can access stuff via its private LAN IP but not the public NAT'd IP even though NAT and stuff works (i can access the services from non-VPN devices)
20:47 <@ordex> monoxane: does the server have the public IP? or is it behind another router/GW ?
20:48 <@ordex> inthe latter case, the router/GW may not apply port forwarding for connection coming from the "inside"
21:49 -!- abenz_ is now known as abenz
22:04 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:14 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:14 -!- mode/#openvpn [+o syzzer] by ChanServ
23:02 < redrabbit> does it matter to put accurate infos on your certs or you would leave them to default
23:02 < redrabbit> (home use)
23:02 < redrabbit> does it affect security in any way ect
23:04 < skyroveRR> Aside from the certificate name that should indicate your hostname, and the expiry, I don't think much else counts.
23:04 < iheartlinux> redrabbit: really the only two things that matters are "common name" and type
23:05 < iheartlinux> nsCertType = server, & nsCertType = client
23:06 < redrabbit> good to know
23:07 < iheartlinux> took alot of scouring for me to figure this out
23:14 < redrabbit> i really have to update my little openvpn how to
23:15 < redrabbit> remove the bloat and concentrate on the essential
23:20 < iheartlinux> besides not understanding ssl at the time, and openvpn's nuances concerning ssl, understanding how to statically assign ip's wasn't really covered in much detail either. Specifically the ifconfig-push requirement
23:27 < redrabbit> i should cover that on my site.. ideally
23:45 < iheartlinux> ifconfig-push as it related to ssl "common names." People should also understand that if the server does not assign the ip, either by ifconfig-push or by "server network netmask," then it will not communicate with the client(s).
23:47 < redrabbit> im quite happy i have not struggled with that
23:47 < redrabbit> had my fair share of troubleshoot but that ip assign part was a breeze
23:48 < iheartlinux> if you start out with "server network netmask" then you'd be ok
23:48 < redrabbit> all it takes is one bad how to and youre messed up
23:48 < redrabbit> :p
23:49 < iheartlinux> but I was hard headed, and wanted to assign my own ip's
23:49 < redrabbit> yep i have that setup
23:49 < redrabbit> its not a luxury imo
23:49 < iheartlinux> well then I could have used your "how to" lol
23:50 < redrabbit> current how to doesnt covers static ip but it will
23:50 < iheartlinux> not so bad once you understand it
23:50 < redrabbit> my own how to is full of crap
23:50 < redrabbit> i know what im saying when i talk about bad howtos
23:51 < redrabbit> at least it dosent break anything and works
23:51 < redrabbit> but its not secure enough/proper
23:51 < iheartlinux> ssl is implemented in various ways 4 sure
23:51 < redrabbit> and confusing
23:51 < redrabbit> i need to clarify this
23:52 < iheartlinux> polycom phones will only communicate with an asterisk server using a root (single depth) cert
--- Day changed Wed Aug 30 2017
04:26 < deftjack> Anyone know at what "stage" in client login that the openvpn status log will have full details of a client?  ie: it appears it is not entire filled out until after the learn-address script has completed, at the least.
04:31 < deftjack> https://paste.fedoraproject.org/paste/mtbUZ9TbcVAnD7SgFZbcXQ   ie: The CLIENT_LIST line is not present yet.
04:32 < deftjack> But even when the learn-address has run far enough to actually create firewall rules etc that line is still not present. The VPN knows everything about that line such as username, ip, CID, etc. I added a long sleep to learn-address as well and it still does not show up until at least the script has finished.
05:50 < devonrevenge> hai new install - how do I get tun and tap running - theres a thing I need to download right?
05:50 < devonrevenge> using arch linux
05:51 < rob0> You should have the Linux tun driver, unless you omitted it from your kernel/modules.
05:53 < devonrevenge> thars no tun in /dev
05:54 < devonrevenge> oh yes it is
05:54 < devonrevenge> I need tap though
05:56 < devonrevenge> Cannot ioctl TUNSETIFF tap: Operation not permitted (errno=1)
05:56 < rob0> tap is usually a bad idea.  Why do you "need" it?
05:57 < devonrevenge> because the .ovpn is sent to me by a company that asks that its not edited in anyway
06:00 < havoc> !as
06:00 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
06:01 < havoc> hmm, not that one
06:01 < rob0> !both
06:01 <@vpnHelper> "both" is (#1) If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead., or (#2) if you dont have access to both sides, come back when you do
06:03 < rob0> I am not sure about the error.  Are you running as root?  Is SELinux or similar in use?
06:04 <@ordex> devonrevenge: tun/tap are in the same driver
06:05 <@ordex> no need to have another module
06:05 <@ordex> the permission problem is probably because you are not running openvpn as root
06:06 < devonrevenge> ooooooh
06:07 < devonrevenge> that sounds like an obvious
08:44 < Sulumar> Hello everybody
08:45 < Sulumar> Anyone got experience with openvpn and pihole? I would like some help getting the routing working
08:48 < Sulumar> right now i can connect to my vpn from my cellphone and access a machine in my home network as long as i know the machines ip
08:50 < Sulumar> i would like it to work so that my phone uses my home dns through vpn while i am away. even route all trafic through the vpn if possible. I Tried divers tutorials but nothing seems to work right. Please help.
08:55 < |Mike|> Ok, you just defined your goal as asked in the topic :-)
08:55 < |Mike|> Feel free to throw your configs at us. Please use pastebin or something similair.
09:02 < Sulumar> Right Thx
09:02 < Sulumar> here is /etc/openvpn/server.conf
09:03 < Sulumar> https://pastebin.com/Q4fitbgU
09:04 < Sulumar> what else would be helpful? Has been a while since i did anything along trrhose lines
09:16 < deftjack> Anyone know a reliable way to get the client OS? I thought status had this but I was wrong. It only has the server version.
12:01 < SlaSerX> hello
12:01 < SlaSerX> how i can make my openvpn use pam auth..
12:11 < BtbN> I don't think it does natively.
12:12 < BtbN> OpenVPN usually uses a custom PKI for authentication. Not passwords and usernames.
12:13 < BtbN> I have a /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so here. So I guess you somehow can.
12:14 < BtbN> https://github.com/OpenVPN/openvpn/blob/v2.4.3/src/plugins/auth-pam/README.auth-pam
12:14 < SlaSerX> sure he use this plugins i find manuals but dont work correct
12:14 <@vpnHelper> Title: openvpn/README.auth-pam at v2.4.3 · OpenVPN/openvpn · GitHub (at github.com)
14:08 < Thermi> Hi, I have a setup where I need to run openvpn on a specific IPv4 and IPv6 address and port on a server. Right now, they are two distinct daemons. I have a client, that has two connection profiles to connect to the server , one for each protocol. The client enables the server to access a private network. I need to make sure the server's route to the private network always points to the right daemon's tun device. As I can't use the "route" keyword in
14:08 < Thermi> CCD config files and the daemons don't have the necessary privileges to add the corresponding route when the client's "route-up" or "learn-address"' hooks are called. Am I missing something?
15:19 < pattyland> !welcome
15:19 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
15:19 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
15:21 < pattyland> !goal
15:21 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:23 < pattyland> Uhm, I want to access the lan behind my server. Which works great! But when the openvpn service is running I can't access the Pi via IPv6… I guess something with DNS Rebind which is beyond my network knowledge :(
15:23 < pattyland> Would be nice if anybody has an idea where i should start looking!
16:31 < ginseng> hi, im trying to diagnose openvpn issue. when i turn iptables off, i can connect from client but internet requests just hang (i think cause i need iptables to forward the requests). if i turn iptables on i cannot connect to vpn server from client's network manager. any tips?
16:41 < ginseng> i think my issue is iptables is blocking 1194
16:44 <@plaisthos> !iptables
16:44 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this., or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG, or (#3) These are just the basics to get you
16:44 <@vpnHelper> started as firewall design is beyond this channel's scope; you can also see #netfilter
17:58 < bjonnh> I am running openvpn in a container (docker) that has access to a 10.0.0.0/24 network
17:59 < bjonnh> from inside the container, I can access the 10.0.0.4 machine
17:59 < bjonnh> connecting to openvpn from outside the container works
17:59 < bjonnh> accessing the openvpn network on 10.0.1.0/24 works
17:59 < bjonnh> but it doesn't seem that 10.0.0.0/24 is routed properly
17:59 < bjonnh> do I need more than push "route 10.0.0.0 255.255.255.0"
18:00 < bjonnh> I thought that was enough
18:00 < bjonnh> (there is no firewall in the container)
18:01 < bjonnh> on my client I have the following route: 10.0.0.0        10.0.1.1        255.255.255.0   UG    0      0        0 tun0
18:01 < bjonnh> (10.0.1.1 is the openvpn virtual endpoint which I can reach and interact with (running a nc -l inside the container, I can reach it from my client)
18:02 < bjonnh> and don't really know what else I should try
18:02 < DArqueBishop> bjonnh: does the default gateway for 10.0.0.0/24 know to send traffic for the VPN subnet to your Docker container?
18:02 < bjonnh> DArqueBishop: Oh…
18:03 < bjonnh> I didn't think about that
18:03 < bjonnh> that's an overlay network
18:04 < bjonnh> but why would it work from inside the container?
18:04 < bjonnh> 10.0.1.1 is the tun0 IP of the container
18:06 < bjonnh> should I try a 0.0.0.0 gw instead?
18:07 < DArqueBishop> But does the container have a 10.0.0.0/24 address, or an address that 10.0.0.0/24 can access?
18:07 < bjonnh> the container has a 10.0.0.0/24 address yes
18:07 < DArqueBishop> That's why it works inside the container.
18:09 < DArqueBishop> Just configure the default gateway for 10.0.0.0/24 to send traffic for the VPN subnet to the container's 10.0.0.0/24 address.
18:09 < DArqueBishop> Handy reference:
18:09 < DArqueBishop> !serverlan
18:09 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
18:09 < DArqueBishop> Anyway, signing off for now. EOL.
18:09 < bjonnh> thx
18:09 < bjonnh> I'll look into that
18:10 < bjonnh> I'm not sure I can do that with docker networks
18:20 < pattyland> !ipforward
18:20 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
18:25 < bjonnh> !linipforward
18:25 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
18:32 < bjonnh> well so I cannot do that it seems because docker is using some kind of virtual networking
22:04 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:14 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:14 -!- mode/#openvpn [+o syzzer] by ChanServ
22:50 < redrabbit> hi
22:50 < redrabbit> i can access 10.0.0.1 from my lan router 192.168.0.1
22:51 < redrabbit> i tried to put 10.0.0.1 as the default GW on win10
22:51 < redrabbit> it works on the paper (route print shows it)
22:51 < redrabbit> i can ping it
22:51 < redrabbit> but i cant access the web through it
22:51 < redrabbit> connectivity to 10.0.0.1 works
22:52 < redrabbit> route delete 0.0.0.0
22:52 < redrabbit> route ADD 10.0.0.0 MASK 255.255.0.0 192.168.0.1
22:52 < redrabbit> route ADD 0.0.0.0 MASK 0.0.0.0 10.0.0.1
22:52 < redrabbit> there are my windows 10 cmds
22:58 <@ordex> redrabbit: is the forwarding/nat enabled on the server acting as gw?
--- Day changed Thu Aug 31 2017
05:12 -!- abenz_ is now known as abenz
07:51 -!- SerusWor1 is now known as SerusWork
07:53 < pie__> idk if this is actually a thing but are there any good routing solvers? i.e. given some state of the routing network, make it so that some thing works or whatever
07:54 < pie__> this isnt really an openvpn question but i didnt know where to ask
08:01 < Thermi> No, because software can't read your mind.
08:02 <@ordex> Thermi: :D
08:02 <@ordex> pie__: first you should make your statement clear
08:02 <@ordex> second, there are several routing algorithms that can solve routing problems, given the state of the network. but I am not sure what you are really looking for
08:03 <@ordex> pie__: never heard of dijkstra or bellman-ford ?
08:03 < Thermi> ordex: It reads to me as if his routing setup isn't in any usable state to begin with
08:04 < Thermi> using dynamic routing would just cause broken routes to be distributed
08:04 <@ordex> Thermi: maybe, but he should explain himself first :P
08:04 <@ordex> he did not say where the logic has to run and what input is given
08:04 <@ordex> thus..
08:04 <@ordex> I can only generate random answers :D
08:05 < pie__> ive heard of it but i havent donemuch wrt algorithms, i mean what im looking for is if i know network A is on x subnet, and network b is on y subnet, and node j connects them, i want something that can generate a routing table on node j that will enable packets to traverse across the two networks if possible
08:06 <@ordex> pie__: it is too small as a problem to a "resolver" for you. you need a script :P
08:06 <@ordex> or to learn how to configure your routing table
08:06 < pie__> i know how to its just a pain in the butt :D
08:06 <@ordex> why ?
08:07 < pie__> because i have to type things :P
08:07 <@ordex> potentially there is not much to configure other than enabling forwarding and making sure node j has a route to both networks
08:07 <@ordex> pie__: probably you have to type nothing
08:07 <@ordex> only confiugure some files
08:08 <@ordex> if node j has two devices you have to configure them anyway - they will implicitly set the route to those two networks
08:08 < Thermi> pie__: For that, you would need to run dynamic routing on every router.
08:08 <@ordex> Thermi: is routes do not change over time I don't see why maing it complex
08:08 < Thermi> (Taking into account subnet's default routers and such)
08:08 <@ordex> *making
08:08 < pie__> well this time around stuff did seem to work rather smoothly, so this is also a curiosity thing
08:08 < Thermi> ordex: Because he obviously can't even configure routing correctly, I doubt he can write such a (complex) script.
08:09 <@ordex> but really, there is nothing to configure
08:09 < Thermi> Can't build a house with a roof if you can't even build a wall.
08:09 <@ordex> only the interfaces on j (they must be configured anyway otherwise the link would not work)
08:10 <@ordex> and nodes in the two subnets of course must know about j
08:10 <@ordex> but it depends on scenario. J might even be a DHCP server for both networks
08:10 <@ordex> the information given is not enough
08:11 <@ordex> if he wants to use IPv6 this would even just work by configuring radvd (or not even that)
08:11 <@ordex> so..this are all exercising our guesswork-enabled-brain
08:11 <@ordex> :D
08:11 <@ordex> *we
08:12 < pie__> well thanks for mentioning dynamic routing, at least i know what to look at :P
08:13 <@ordex> but don't forget that the way you explained it, this is not a dynamic scenario
08:13 < pie__> yeah
08:17 < |Mike|> Thermi: loving your ircname ;-)
08:18 < Thermi> |Mike|: How comes?
08:23 < _bt> anyone running openvpn-as client front end behind nginx?
08:24 <@ordex> !as
08:24 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
08:26 < |Mike|> Thermi: <3
08:26 < _bt> yeah
08:26 < _bt> nobody speaking ha
08:26 < |Mike|> I didn't even know about OpenVPN-as since you mentioned :/
08:35 < rawtaz> hi. quick question; OpenVPN Access Server (the commercial package) has support for Google Authenticator. this is not something that's built into OpenVPN in general, right, it's something they integrated themselves?
08:36 <@ordex> rawtaz: yeah, openvpn by itself has only a generic token mechanism. they probably built on top of it
08:37 < rawtaz> so totally generally speaking, if you were to install openvpn (for being a server) on e.g. linux, what would you need to add support for Google Authenticator (so an additional token/OTP is requested after supplying the password when connecting to the VPN)?
08:37 < rawtaz> in a KISS scenario, just having users in the most basic configuration, not with an LDAP, RADIUS etc
08:38 < rawtaz> i could look at how FreeNAS did it, i think they have support for GA
08:38 < _bt> i did it as well at a previous job it was fairly easy
08:38 < rawtaz> i guess the closest/simplest is a PAM module as suggested by the Ubuntu article
08:39 < _bt> i also rebuilt the openvpn-gui client to ask for the code
08:39 < rawtaz> aha
08:39 < _bt> but you could easily do it without any mods by just using the code as the password
08:40 < _bt> if you wanted password & code then it would be a bit more in depth
08:40 < rawtaz> this one looks interesting: https://github.com/evgeny-gridasov/openvpn-otp
08:40 <@vpnHelper> Title: GitHub - evgeny-gridasov/openvpn-otp: OpenVPN OTP token support plugin (at github.com)
08:41 < rawtaz> _bt: would the latter you mentioned be done by some hooked scripts on the server side?
08:42 < _bt> yeah
08:42 < _bt> let me have a look to see if i still have them
08:43 < rawtaz> cool. or if there was some guide you followed
08:44 < _bt> nah i wrote it myself
08:44 < _bt> i used oathtool & qrencode
08:47 < rawtaz> ok sweet
08:47 < |Mike|> quite nice.
08:48 < _bt> rawtaz: i used this " -auth-user-pass-verify /totp-verify.sh via-file"
08:48 < _bt> totp-verify.sh just took the pass and compared it to the current OTP for that user
08:49 < _bt> i also had new_client.sh which basically added a new user and gave them an OTP key and a QR code to scan, adding the details to a flat file which totp-verify extracts the key from to do the OTP check
08:49 < _bt> that was about it really, worked well and is still in use i believe
08:51 < rawtaz> nice
08:51 < _bt> oh also it made a .ovpn file for the client
08:51 < rawtaz> but does your passwords consist of only the OTP or password+OTP ?
08:51 < _bt> shouldn't be too difficult
08:51 < _bt> certificate + OTP
08:52 < rawtaz> ok, so the user put the OTP in the regular password box in the openvpn client
08:52 < _bt> for you, yes
08:52 < _bt> for me, i rebuilt the client
08:52 < _bt> to make it a bit of a smoother experience
08:53 < _bt> ie, i had a picture of the token and had enter token code, removed the need for username, etc
08:53 < rawtaz> ok
08:53 < rawtaz> well this was all helpful, thanks everyone
08:54 < rawtaz> -
09:16 < NinePenny> TOPIC
09:23 < redrabbit> redrabbit: is the forwarding/nat enabled on the server acting as gw? > Yes, if i use openvpn connect to connect to that VPN it configures it as a gateway and its working. It uses another netmask than 0.0.0.0 though
09:23 < redrabbit> my LAN router gives me direct access to my openvpn gateways
09:24 < redrabbit> but when i configure them manually with windows routing rules it doesnt work
09:24 < redrabbit> i can configure windows to use different gateways with this and it works (i was able to reconfigure it to use the previous gateway with route commands)
09:25 < redrabbit> but when i pick on my my openvpn gateways it doesnt give me internet connectivity
09:25 < redrabbit> i can still ping all my LAN + the vpn gateways
09:26 < redrabbit> route delete 0.0.0.0
09:26 < redrabbit> route ADD 10.0.0.0 MASK 255.255.0.0 192.168.0.1
09:26 < redrabbit> route ADD 0.0.0.0 MASK 0.0.0.0 10.0.0.1
09:26 < redrabbit> i'm sure i must be missing something there
09:26 < redrabbit> maybe use a different MASK like openvpn connect does
09:27 < redrabbit> (i cant ping 8.8.8.8 either so its not DNS issue)
09:28 < redrabbit> connectivity to the gatewat is good
10:24 < realies> can you save on traffic usage on your mobile device by having a constant openvpn connection and using compression?
10:31 < jacekowski> unlikely
10:31 < jacekowski> compression isn't that good
10:31 < jacekowski> and openvpn has overheads
10:31 < jacekowski> so most likely savings are going to be minimal
10:34 < realies> oh, is there any ways of doing so using tunneling and good compression?
10:38 < jacekowski> no
10:39 < jacekowski> any kind of compression that works on this kind of data (quite small data packets) will not be very good
10:41 <+hyper_ch> jacekowski: doesn't it more depend on what data you pipe through with regards to compressability?
10:45 < jacekowski> both
10:46 < jacekowski> most of internet trafic is now encrypted co compressibility is quite low
10:46 <+hyper_ch> most internet traffic is now encrypted?
10:46 <+hyper_ch> would be nice if it was like that
10:47 <+hyper_ch> still fail to see what encrypted internet traffic has to do with openvpn compression
10:47 < realies> so what if you buffer bigger chunks on the server side and compress the encrypted traffic?
10:47 < realies> that would introduce some latency indeed
10:57 <@ordex> hyper_ch: encrypted data tries to look "random" and "random" data is difficult to be compressed efficiently
10:58 < realies> ordex, even when in bigger chunks?
10:58 < realies> so... it is aware of the previous data sent? to maintain the randomness?
10:59 <@ordex> I am not an expert, but when compressing an object, usually repetitions and patterns are what helps and encrypted data has little of them
11:00 <@plaisthos> yeah
11:00 <@plaisthos> also defined as entropy
11:01 <@plaisthos> (one of the entropy definitions)
11:02 <@ordex> yup
11:03 <@plaisthos> if you could compress encrypted data well, you would be able to make predictions how the encrypted data looks
11:03 <@plaisthos> then you almost broke the crypto :)
11:03 <@ordex> :D
11:03 <@plaisthos> because the only you can make predictions about the ciphertext from the plaintext
11:05 <@plaisthos> For normal ciphers operations that do xor with plaintext, if you just double every byte in ciphertext you could of course compress but that is besides the point
13:25 -!- abenz__ is now known as abenz
16:10 < Dougy> i just discoevered marinetraffic.com... cool as f
16:59 < abenz_> Dougy: finally those articles about ships colliding makes sense
16:59 < abenz_> always wondered.. how can they possibly collide! are those people blind
16:59 < abenz_> but seeing that map..
17:00 -!- abenz_ is now known as abenz
17:02 < rawtaz> bah
17:02 < rawtaz> how hard can it be :)
17:03 < rawtaz> ok its hard
17:03 < rawtaz> really hard, by the looks of it
22:49 -!- pekster [~rewt@openvpn/community/developer/pekster] has joined #openvpn
22:49 -!- mode/#openvpn [+o pekster] by ChanServ
--- Day changed Fri Sep 01 2017
05:26 -!- abenz__ is now known as abenz
07:35 -!- def_jam is now known as eb0t
10:44 < hal9000x> Hey guys quick questions. I am a sysadmin that has inherited a previously written ansible playbook written about a year or so ago. It deployes openvpn 2.3.17 and spins up a mariadb back end and a php app that lets the customer have access to a cusomized front end for administrative tasks.
10:45 < hal9000x> so the idea is a user/pass auth is loaded into the DB, and then the php front ends has a simple user/group feature. Problem is this is on deprecated 2.3.17, I recommended to upgrade to latest openvpn stable and reploy the playbook fixing broken urls to repos. Boss wants to know why after upgrading security updates and openvpn it breaks, I have no idea, Is my route the best to take? (upgrade latest then redeploy custome software)
10:46 < hal9000x> we can no longer make client connections once we go from 2.3.17 > 2.4.3 any thoughts?
10:47 < hal9000x> has the entire security model been revised from 2.3.17 > 2.4.3 that when you upgrade it will not work?
10:47 < hal9000x> what is best plan of attack to get off production deprecated over to stable?
10:48 < hal9000x> also when you use a 2.3.17 server what is the compatibillity with clients, will clients greater than 2.3.17 e.g. 2.4.3 & 2.5 work with older 2.3.17 server?
10:49 < hal9000x> thanks for your valuable time
10:56 <@plaisthos> should all be compatible
10:56 <@plaisthos> unless you use options that have been removed or added in specific versions
10:57 <@plaisthos> you should give us a log of not connecting client, there is no general issue
10:57 <@plaisthos>  what is best plan of attack to get off production
10:57 <@plaisthos>                     deprecated over to stable?
10:57 <@plaisthos> 17:45:06 <hal9000x> also when you use a 2.3.17
10:57 < DArqueBishop> I have no experience with customized authentication or the API therein, but as a fellow sysadmin, I'd like to point out (after the fact, I know) that this should be a good lesson that you need to test these kinds of changes before moving into production.
10:57 <@plaisthos> I don't understand that question
10:58 < hal9000x> well the solution was already in place
10:58 < hal9000x> I have inherited it.
10:59 < hal9000x> lets start with a default 2.3.17 going to 2.4.3 > lets reask the question MINUS the custom app, any issues with a straight yum update from 2.3.17 > 2.4.3 and clients not making connections?
10:59 < hal9000x> has that been known have any issues, where you would need to just install new 2.4.3?
11:00 < rob0> might depend on the options you have set
11:00 <@plaisthos> hal9000x: I already answered that question
11:00 < hal9000x> just default yum update --security no other appended options
11:00 <@plaisthos> literally 3 minutes ago
11:01 < hal9000x> oh IM sorry I did not notice your response thank you too many windows opened let me read. Thanks.
11:02 < hal9000x> part of the issue is that the bossman rolled back to 2.3.17 on a vm, he does not have the logs any longer UGH, so I have no way to replicate it,
11:03 < hal9000x> I did notice 1 thing I cloned to VM and placed it into VMWARE player and upgraded the production server "OFFLINE" and upgraded to 2.4.3 and I noticed it would not start the service after IF "script-security == 3" "saving passwords in env variables" I had to comment that out in order to get the vpn server to start its service.
11:04 < hal9000x> im not even sure if that was his original issues since the logs do not exists, and he is terrified to upgrade....I do not know where to begin crap!
11:04 <@plaisthos> hal9000x: usually you would replicate the setup to a test setup
11:04 < DArqueBishop> hal9000x: I would build the 2.4.3 instance in a separate VM, and use that to test.
11:04 <@plaisthos> and not test on a live system
11:09 < havoc> is there an ENV for FQDN of the $trusted_ip?
11:09 <@plaisthos> nope
11:09 < havoc> if there is, I'll use it, if not, I'll do the resolution myself
11:09 < havoc> ok, thanks
11:09 <@plaisthos> openvpn does not do reverse ip lookups
11:09 < havoc> ok, thanks
11:10 <@plaisthos> so I have no idea what trusted_ip is but I know that there are no reverse lookups ;)
11:10 < havoc> this is just for logging; easy enough for me to do it, I just didn't want to waste the time if it was already there :)
11:10 < havoc> $trusted_ip is the public remote IP
11:11 < havoc> ...of the client
11:11 <@plaisthos> ah the authenticated remote IP
11:11 < havoc> yeah
11:12 < havoc> I'm adding some client info logging to the production vpn segments
11:12 < havoc> will make managing ~2,000 clients a bit easier
11:29 < hal9000x> plaisthos any known issues with script-security level = 3 I noticed when I upgraded that the service would not start unless I got rid of that in the server.conf
11:29 < hal9000x> thoughts?
11:31 < rob0> logs?
11:39 < redrabbit> how i can use an openvpn gateway i can ping as my main gateway on windows 10 with routing only, no openvpn client
11:41 < rob0> That's a Windows question, nothing to do with openvpn; perhaps "route /?" will help?  Also, "net /?"
11:42 < rob0> And of course the host running the openvpn must be willing and configured to route packets for other hosts.  See also,
11:42 < rob0> !serverlan
11:42 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
11:42 < rob0> !clientlan
11:42 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
11:42 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
11:43 < redrabbit> rob0: i have no trouble configuring windows to use the openvpn gateway at the main gatewy
11:43 < redrabbit> and connectivity to the gateway is good, i can ping it. however it doesnt give me access to the wan
11:43 < redrabbit> when i use openvpn connect it does work
11:44 < redrabbit> (i can ping the whole lan)
11:45 < redrabbit> in any case
11:46 < rob0> Did you look at any ^^ of that?
11:46 < hal9000x> anyone are there any known issues with the same username connecting simultaneously from 2 diff client ip addresses ? what is the limitation on that does anyone know?
11:46 < rob0> The flowcharts are very nice for troubleshooting problems.
11:47 < rob0> hal, by default any one cert can only have one active connection at a time.  We of course can't answer about your "username" custom authentication.
11:47 < hal9000x> user = dave (client @ 66.40.x.5) los angeles && user = dave (client f@ 67.34.x.8) san diego
11:47 < hal9000x> no not customization here
11:48 < rob0> give Dave another cert
11:48 < hal9000x> just default behavior or openvpn, can you have same user connected from 2 diff ips
11:48 < redrabbit> rob0: when i connect to the VPN directly with openvpn client on windows everything works
11:48 < DArqueBishop> hal9000x: not a technical limitation, but personally I would give pause to the security considerations of letting the same username log in twice from different locations simultaneously.
11:49 < DArqueBishop> (Aka, it's a bad idea.)
11:49 < hal9000x> I have a client that is using the user = dave at LA office and then built a cloud solution reusing the same user = dave on it, then claiming the cloud solution is super slow and crawls.
11:49 < redrabbit> its when i try to connect to the gateway using my linux server as the client + a route to gain access to that VPN subnet on the WIN10 machine
11:49 < hal9000x> could that cause one connection to crawl while the other is normal
11:49 < redrabbit> i get access to all the lan subnets but the wan gateway doesnt work
11:50 < DArqueBishop> hal9000x: I wouldn't believe so, but then like I said it's a bad idea for other reasons.
11:50 < hal9000x> okayt
11:50 < hal9000x> thanks
11:52 < redrabbit> so using the openvpn gateway at the default gateway doesnt look like its enough to make it work
11:52 < redrabbit> or im missing something
11:53 < redrabbit> openvpn connects points me to 10.0.0.5 as the gateway
11:53 < redrabbit> i have been trying to use 10.0.0.1 as the gw
11:53 < redrabbit> 10.0.0.5 is specific to that windows client
11:54 < redrabbit> linux uses 10.0.0.1..
11:55 < redrabbit> "Each pair of ifconfig-push addresses represent the virtual client and server IP endpoints. They must be taken from successive /30 subnets in order to be compatible with Windows clients and the TAP-Windows driver. Specifically, the last octet in the IP address of each endpoint pair must be taken from this set:"
11:56 < redrabbit> looks like my issue is there
12:48 <+hyper_ch> is there actually any limit how big github repos can be?
13:52 < redrabbit> ok looks like im doing it wrong from the start
13:53 < redrabbit> openvpn looks like it atribute a gateway adress for each client
13:53 < redrabbit> i cant just route myself to that gateway and use it from anther ip that is not an openvpn client
13:53 < redrabbit> back to square one
13:53 < redrabbit> i have two VPN servers on vps
13:54 < redrabbit> id like to chain them, so HOME > VPN1 > VPN2 > wan
13:55 < redrabbit> i suspect i may get a better throughput vs HOME > VPN2, because it looks like my isp provides poor peering to that location
13:56 < redrabbit> perfs from VPN1 are exelent, i can't really notice any difference when browsing vs using home connection directly
13:58 < redrabbit> i can ping all my vpns subnets from my main pc atm, even without connecting with windows, my home server is connected to the VPN1 and accesses VPN2 subnet through it, i can ping VPN2 subnet from my main PC
14:07 < redrabbit> "The problem is due to the fact that an OpenVPN server will only accept IP traffic through the tunnel of the connected client, if the source IP address matches what the server assigned the client when the tunnel was established. Traffic originating from any other source IP address going through the tunnel will be completely ignored by the server."
14:07 < redrabbit> ok thats my exact issue
15:17 < andarien> Which verbosity level will allow me log failed login attempts?
15:18 < andarien> talking about OpenVPN server of course.
16:38 < bjonnh> !selinux
16:38 < bjonnh> I get a Could not access file 'staticclients/xxxx': Permission denied (errno=13)
16:38 < bjonnh> access rights seems ok
16:38 < bjonnh> so I guess it is a selinux issue
16:39 < bjonnh> but I can't see anything wrong
16:39 < bjonnh> in my audit.log
16:40 < SviMik> bjonnh check the selinux log
16:40 < SviMik> oh. if nothing in audit.log, then it's probably not selinux... to make sure, just disable selinux temporarily
16:41 < bjonnh> client-config-dir is accessed with user/group of openvpn?
16:42 < SviMik> https://www.tecmint.com/disable-selinux-temporarily-permanently-in-centos-rhel-fedora/
16:42 <@vpnHelper> Title: How to Disable SELinux Temporarily or Permanently in RHEL/CentOS 7/6 (at www.tecmint.com)
16:42 < bjonnh>  not selinux related
16:42 < bjonnh> now it is weird they have the same rights as my server.conf
16:42  * bjonnh looks for typos
16:43 < bjonnh> all users have read rights
16:44 < SviMik> bjonnh check the user of openvpn process: ps aux | grep openvpn
16:44 < bjonnh> openvpn
16:44 < bjonnh> ^
16:44 < bjonnh> openvpn doesn't have access to /etc/openvpn
16:44 < bjonnh> that said
16:44 < bjonnh> but has access to /etc/openvpn/server/staticclients/xxx
16:45 < SviMik> chown openvpn /etc/openvpn -R
16:45 < bjonnh> is that even recommended?
16:46 < SviMik> well, I do that.
16:46 < bjonnh> ok
16:46 < SviMik> since /etc/openvpn belongs to openvpn, I see nothing wrong with that
16:47 < bjonnh> well that solved the problem ;)
16:47 < bjonnh> thx
16:48 < SviMik> yw :)
16:54 < redrabbit> sweet! i found how to daisy chain as much VPNs as i want...
16:55 < redrabbit> i simply use openvpn connect to connect to the server using its 10.x.x.1 internal gateway instead of the wan adress
16:55 < redrabbit> very practical
17:05 < bjonnh> one day you are going to loop them ;)
17:06 < bjonnh> 192.168.254.1   192.168.254.101 255.255.255.255 UGH   50     0        0 tun0
17:06 < bjonnh> 192.168.254.101 0.0.0.0         255.255.255.255 UH    50     0        0 tun0
17:06 < bjonnh> huh
17:14 < bjonnh> dumb
17:15 < redrabbit> well perfs are poor with that method
17:15 < redrabbit> just figured this
17:16 < redrabbit> VPN1 direct gives me 95mbps / 5 mbps (almost full line capacity)
17:16 < redrabbit> VPN2 direct 10 / 5 Mbps (europe to usa link)
17:17 < redrabbit> VPN1 > VPN2 down to 2 / 2 Mbps
17:21 < bjonnh> I can't get specific IP per clients work
17:21 < bjonnh> it gives an IP but then they can't talk to each other or to the "host"
17:21 < bjonnh> is that a problem with ifconfig-pool?
17:21 < redrabbit> needs masq + ip forward
17:22 < bjonnh> well if I let openvpn give an IP it works
17:22 < bjonnh> well didn't test between hosts though
17:23 < bjonnh> ok not between hosts
17:26 < bjonnh> https://pastebin.com/TymDG46K
17:26 < bjonnh> that's my server config
17:26 < bjonnh> (without the certs part)
17:29 < redrabbit> add client-to-client
17:30 < bjonnh> I can't ping 10.0.0.1
17:30 < bjonnh> anyway
17:30 < bjonnh> so there may be something else wrong
17:32 < bjonnh> what I want is 4 machines communicating together through openvpn (one being the server)
17:32 < bjonnh> so I don't need masquerade do I?
17:33 < rob0> nope
17:34 < bjonnh> I don't know what I change I used to be able to communicate with the server from the client… (client gEt 10.0.0.6 assigned, pinging 10.0.0.1)
17:34 < redrabbit> 4 machines communicating together through openvpn > add "client-to-client"
17:35 < bjonnh> yes but I can't get them to talk to each other
17:35 < bjonnh> and I can't even get my client to ping the server anymore
17:35 < rob0> --client-to-client bypasses the kernel routing for traffic internal to the VPN
17:35 < bjonnh> do I need that on clients too?
17:35 < redrabbit> no
17:36 < rob0> did you enable IP forwarding?
17:36 < bjonnh> on server or client?
17:36 < rob0> is there a firewall? ("The problem is your firewall, really.")
17:36 < bjonnh> and on tun0?
17:37 < bjonnh> ip forwarding is on
17:37 < bjonnh> I have a firewall on client and server yes
17:37 < rob0> !iptables
17:37 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this., or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG, or (#3) These are just the basics to get you started
17:37 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
17:37 < rob0> (I'm assuming Linux?)
17:38 < bjonnh> yes linux
17:38 < bjonnh> disabling firewall on client doesn't change anything
17:39 < bjonnh> disabling on server doesn't change
17:40 < bjonnh> disabling on both still doesn't work
17:40 < bjonnh> so I guess it has to do with my server config
17:42 < bjonnh> ok found it
17:42 < bjonnh> I had a typo in my config
17:42 < bjonnh> route 10.0.0.1 255.255.255.0
17:42 < bjonnh> instead of
17:42 < bjonnh> route 10.0.0.0 255.255.255.0
17:44 < bjonnh> now I have also a doubt
17:44 < bjonnh> I have:
17:44 < bjonnh> ifconfig-pool 10.0.0.4 10.0.0.255
17:44 < bjonnh> that means that each client will have 4 IP dedicated (for different purposes)
17:44 < rob0> !/30
17:44 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
17:45 < bjonnh> so first client will get 10.0.0.6, second one 10.0.0.10…
17:45 < bjonnh> etc
17:45 < bjonnh> right?
17:45 < rob0> why do you want that?
17:46 < bjonnh> I don't really … want that
17:46 < bjonnh> !topology
17:46 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
17:46 < bjonnh> I just want to assign them IPs
17:47 < bjonnh> lets try with subnet then
17:48 < Eugene> "topology subnet" is what you want in almost every case. It blows my mind that it is not the default yet(backwards-compatibility is the cited reason I was given)
17:49 < bjonnh> wow
17:49 < bjonnh> that just…
17:49 < bjonnh> works
17:49 < Eugene> Yup. Sorry you didn't know
17:51 < bjonnh> that's great I learned some stuff ;)
17:51 < bjonnh> thx for your help all
17:57 < bjonnh> everybody can ping everybody
17:57 < bjonnh> Joy!
17:58 < redrabbit> nice info about topology subnet
17:58 < redrabbit> im reconfiguring my servers right now :p
17:58 < redrabbit> not that i need the extra ips.. but its way more simple to allocate fixed ips
18:03 < bjonnh> huh
18:03 < bjonnh> ping works, not tcp
18:03 < bjonnh> what did I do again
18:06 < bjonnh> ahh
18:06 < bjonnh> that time it is a firewall issue :)
18:14 -!- abenz__ is now known as abenz
22:44 -!- abenz_ is now known as abenz
23:43 < andarien> hey guys, i need my scripts to access the openvpn logs in linux, so that i can extract lines. Problem is -you guessed it- permissions.
23:44 < andarien> as the openvpn logs are stored in memory and not harddisk, with every reset permissions are also reset.
23:44 < andarien> Ideas?
23:46 < abenz> where is the log stored?
23:47 < abenz> "memory" ? are you talking about log/status or something else. How do you extract the "lines" ?
23:47 < andarien> have installed openvpn server on a raspberry. The /var/log is basically on a ramdisk sort
23:48 < andarien> all the logs are stored in memory to prevent sd-card writes.
23:48 < andarien> tmpfs
23:48 < abenz> I see
23:48 < andarien> i already have a script in logrotate to backup these logs on a NAS works like a charm.
23:49 < andarien> But now I need to get notifications through e-mail if something is suspicious. Done it with all other logs except openvpn. Because opevpn logs are way too protected.
23:50 < andarien> i can manually change permissions on the openvpn.log of course, but a reboot will reset those. So i tried chmoding them at rc.local but it doesnt work, probably because they are created afterwards.
23:50 < abenz> so you have systemd running there right?
23:51 < abenz> I'm on linux, but still on init based distro, and I run openvpn on embedded mostly (lede/openwrt)
23:51 < abenz> but what I would do (if I was in your situation) is modify the systemd service unit
23:51 < abenz> you can do "ExecStart", which allows you to execute a command/script after the service is up (or restarted)
23:51 < abenz> in our case, the service is openvpn
23:52 < andarien> hmm
23:53 < andarien> systemd should be on raspberry lemme check
23:53 < andarien> yes.
23:53 < andarien> good point, i will try that
23:53 < andarien> thanks for the advice
23:54 < andarien> isn't there a way to tell openvpn not to be psychotic over the log file though?
23:56 < abenz> so after you restart, what do the perms looks on the log file?
23:56 < abenz> s/looks/look like/
23:57 < andarien> its rw-------  root:root
23:57 < abenz> you run openvpn as who?
23:57 < andarien> i think...just think or hope, that if it was rwrw-- root:adm it would work
23:58 < andarien> tbh i dont know. I didn't touch it after it installed except configure the server
23:58 < andarien> let me see.
23:58 < abenz> ps | grep openvpn
23:59 < andarien> just a sec was rebooting it
--- Day changed Sat Sep 02 2017
00:00 < andarien> eh
00:00 < andarien> doesn't return anything.
00:00 < andarien> Nevertheless i can connect
00:01 < abenz> systemctl status openvpn
00:01 < abenz> systemctl status openvpn.service
00:03 < andarien> active loaded
00:04 < abenz> sorry I'm not familiar with systemd..
00:04 < abenz> wait for someone else to help..
00:05 < andarien> np, thx anyway
00:06 < andarien> ps aux did it
00:06 < andarien> it runs as nobody lol
00:23 <@ordex> nobody runs it !
00:30 < andarien> i know for sure nobody loves it
00:30 < andarien> not today
00:35 < andarien> thanks for the advice ordex, did it the systemd way and it works now!
04:25 < gospod2> im using pfsense and trying tap. I bridged local openvpn interface with another interface that is running DHCP server. my windows client is not getting any lease, whys that?
04:25 < gospod2> in firewall I'm allowing ALL traffic everywhere for testing
04:27 <@ordex> gospod2: assuming you really need tap, I'd suggest to use tcpdump to see where the packets get stopped
04:34 < gospod2> thats out of my knowledge scope, got an example or an easier way?
04:35 < gospod2> If I add DHCP start+end for this ovpn server, my client gets the assigned IP from this range, but the point is to use the local DHCP server, no?
04:38 <@ordex> gospod2: if that's your goal, yes
04:38 <@ordex> gospod2: so does the server get an IP frm the dhcp ?
04:41 < gospod2> ordex, just changed to dhcp client on ovpns2 interface and it got the lease
04:41 <@ordex> what is ovpns2 interface ?
04:41 < gospod2> this tap server interface
04:42 <@ordex> ok, which you said it is bridged with another interface, right ?
04:42 < gospod2> ye
04:42 <@ordex> and whereis the dhcp server running ?
04:42 < gospod2> on this "another interface"
04:42 <@ordex> you mean, on a host connected to this "other interface" ?
04:42 < gospod2> pfsense itself is running dhcp server on this another interface
04:43 <@ordex> openvpn is running on the pfsense host ? I mean, pfsense host and vpn server are the same ?
04:43 < gospod2> yeah
04:43 <@ordex> ok
04:43 <@ordex> why don't you run the dhcp server on the bridge interface then?
04:44 <@ordex> once you bridge, you have to configure layer3 and up directly on the bridge
04:44 <@ordex> not on the slave interfaces
04:44 < gospod2> the proper way is to run dhcp server on the bridge interface?
04:44 <@ordex> if you bridge? yes
04:44 <@ordex> imagine the setup is like this:
04:44 <@ordex> br0 = [ tap0, eth0 ]
04:44 <@ordex> tap0 and eth0 are bridged together in br0
04:45 <@ordex> they now form one broadcast domain that you access through br0
04:45 <@ordex> so you can run the dhcp server on br0
04:45 <@ordex> and it will serve both tap0 and eth0
04:45 <@ordex> br0 is your entry point now. tap0 and eth0 should not even have IPs
04:46 <@ordex> while br0 should have it
04:46 <@ordex> this is unrelated to openvpn, it's just about bridging to Ethernet interfaces
04:46 <@ordex> *two
04:46 < gospod2> why is openvpn server interface getting a lease over bridge from this another interface at the moment?
04:47 <@ordex> probably because of the bridging, although it is not a correct use
04:47 <@ordex> why would you run client and server on the same machine, from two ends of the same bridge ?
04:47 <@ordex> *DHCP client and server
04:47 < gospod2> just to test atm if atleast openvpn server interface is getting a lease
04:48 <@ordex> sure, but does not properly make sense
04:48 < gospod2> yeah
04:48 < gospod2> i know
04:48 < gospod2> thought if tap0 is getting a lease, a vpn client should also, no?
04:48 <@ordex> I don't know
04:48 <@ordex> it' a broken setup, I don't want to understand why it partly work :P
04:49 <@ordex> *it's
04:49 < gospod2> i also have a setup like this for like a year now:
04:50 < gospod2> exact same pfsense is running tap0 bridged to eth0, another pfsense is running ovpn client tap0 bridged to eth0
04:50 < gospod2> all clients seeing eth0 on 2nd pfsense are getting leases from 1st pfsense
04:50 < gospod2> thats wrong?
04:50 <@ordex> how are the two pfsense connected ?
04:50 < gospod2> over WAN
04:50 <@ordex> where is the dhcp server running?
04:50 < gospod2> 1st
04:50 < gospod2> eth0
04:50 <@ordex> over wan means eth0 ?
04:51 < gospod2> lets say wan is eth20
04:51 <@ordex> and how is eth20 connected to the bridge ?
04:51 < gospod2> eth20 = wan, tap0 is bridged to eth0, eth0 = lan with dhcp server
04:51 < gospod2> bridge not having an interface assigned
04:51 < gospod2> and its working fine
04:52 <@ordex> sorry i don't understand your setup with this information
04:52 < gospod2> on 2nd pfsense clients are getting leases from eth0 on pfsense1
04:53 < gospod2> eth0 running dhcp server > bridged to tap0 > wan on pfsense1 < wan on pfsense2 < tap0 bridged to eth0 < clients here getting dhcp leases from eth0 on pfsense1
04:53 < gospod2> exact same way im trying now (but client to pfsense setup)
04:54 <@ordex> how do packets from the WAN interface on pfsense1 flow to the bridge/eth0 and get a DHCP reply?
04:54 < gospod2> port is open?
04:54 <@ordex> port is open on the wan interface
04:54 <@ordex> and they get there. how do they reach the dhcp server then ?
04:54 <@ordex> this is what I am not understanding
04:55 <@ordex> on top of that, dhcp is a link local protocol
04:55 <@ordex> can't just go over wan without sharing the broadcast domain
04:55 <@ordex> so, there are pieces missing in your description
04:55 < gospod2> i see
04:55 < gospod2> so im just having luck that its working lol?
04:55 <@ordex> probably there is somemore bridging involved, or the pfsense are connected via vpn as well
04:55 <@ordex> well, I don't know
04:56 <@ordex> maybe you luckily configured something that worked but don't know how :D
04:56 < gospod2> ordex, in that pfsense to pfsense openvpn tap is involved 1
04:56 < gospod2> ! *
04:56 <@ordex> you said they are connected via wan, not via vpn
04:56 < gospod2> i wrote "tap0" on both ends
04:56 <@ordex> ok. so they are connected via VPN
04:57 < gospod2> ye
04:57 <@ordex> makes more sense now
04:57 < gospod2> i see now, wan doesnt matter then?
04:57 < gospod2> eth0 running dhcp server > bridged to tap0 > < tap0 bridged to eth0 < clients here getting dhcp leases from eth0 on pfsense1
04:57 <@ordex> right, because you have built a vpn on top of it
04:57 < gospod2> like this then
04:57 <@ordex> right
04:57 <@ordex> if tap0 is built on top of wan, lan, microwave, does not matter in this case
04:57 <@ordex> this makes sense
04:58 < gospod2> ye sorry for that :P
04:58 <@ordex> except that i'd rather see the dhcp server running on top of br0
04:58 <@ordex> it would be cleaner
04:58 <@ordex> I am not sure it would work all the time if you run it on eth0 directly
04:58 < gospod2> i understand that also now, but why is it working in this situation? :P luck?
04:58 <@ordex> dunno, maybe there is something else configured that makes the trick
04:58 < gospod2> i need to redo the topology then
04:59 <@ordex> usually when you bridge, you forget about the slaves
04:59 <@ordex> and run services directly on the bridge interface
04:59 <@ordex> because that is your entry point into the "extended broadcast domain"
04:59 <@ordex> the bridge then takes care of forwarding packets on one side or the other
05:00 < gospod2> i understand, thanks ordex !
05:00 <@ordex> np!
05:01 < gospod2> also if then: eth0(physical+VID) > br0 < tap0
05:01 < gospod2> client connected to eth0 will not suffer any perf loss to wan or other clients connected to eth0, right?
05:02 < gospod2> only dhcp packets are going to the bridge
05:02 < gospod2> ?
05:02 <@ordex> mh
05:02 <@ordex> when you say wan you mean towards tap0 ?
05:02 < gospod2> toward internet
05:02 < gospod2> like youtube.com
05:02 < gospod2> or other clients connected to eth0
05:02 <@ordex> first, what does this exactly mean: eth0(physical+VID) ?
05:03 < gospod2> its a physical NIC
05:03 <@ordex> both a VLAN and the plain interface ?
05:03 <@ordex> yap
05:03 <@ordex> the dhcp server does not introduce any perf loss per se i would say
05:03 < gospod2> i read somewhere and I also understand that if LAN>BRIDGE>LAN, those clients on both ends are going to suffer perf loss because traffic is going through a software bridge
05:03 < gospod2> ok thanks !
05:03 <@ordex> well maybe yes
05:04 <@ordex> but consider that when you go on the internet you pas through NAT
05:04 <@ordex> which is more complex than the software bridge
05:04 <@ordex> *pass
05:04 < gospod2> ja
05:04 < gospod2> bad example
05:04 < gospod2> only LAN clients i ment then
05:05 < gospod2> in this case only tap0(clients from pfsense2) is theoretically suffering from perf loss if gateway for pfsense2 is going through pfsense1's wan right?
05:05 < gospod2> *because of br0 on pfsense1
05:05 <@ordex> well, it also depends on the link speed
05:05 < gospod2> ye dont mind that
05:06 <@ordex> if the link speed is not high enough, it won't see any perf loss due to the re-routing to pfsense1
05:06 <@ordex> you have the perf loss of the vpn per se when going through tap0
05:06 <@ordex> I mea, openvpn introduces a perf loss as well
05:06 <@ordex> *mean
05:06 < gospod2> ok i understand, as long as physical clients on pfsense1 dont suffer perf loss for DHCP server being on br0 instead of eth0, i will redo the interfaces and do it like this always going forward from here
05:06 <@ordex> which is probably higher than the software bridge
05:06 < gospod2> yeah
05:07 <@ordex> ah no, moving the dhcp server won't change anything
05:07 < gospod2> thanks ordex, i really appreciate it!
05:07 <@ordex> np
05:07 <@ordex> :)
05:07 <@ordex> just try to understand more what's going before drawing conclusions :P
05:27 < Poltsi> Good morning. i have a pretty curious case. Set up openvpn between a server connected to an internal network (2 network devices, one to the public network, other to the private network). The client is a standalone server (VM) by one of the providers
05:28 < Poltsi> It is set up in brigding mode so that the standalone server gets an unused ip-address from the private network
05:28 < Poltsi> I can ping both ways the local ip-addresses on either servers
05:30 < Poltsi> however if I ping a certain other address in the private network, then I see no trafic whatsoever on the bridging server (using tcpdump), while if I ping another address, then I can see that they are transmitted, but without response
05:30 < Poltsi> The route on the standalone server has a 24-mask, which covers both addresses
05:33 < Poltsi> The bridging server does have ip_forward set to 1, and firewall rule allows all traffic to tap0
05:34 < Poltsi> The command to inspect the traffic (on the bridging server) is: tcpdump -nni tap0 "icmp[icmptype] == icmp-echo or icmp[icmptype] == icmp-echoreply"
05:36 < Poltsi> Oh and the version is 2.4.3
05:37 < Poltsi> What is more interesting is that I have the log cranked up to 6 and can see in the bridging log that packets are transferred when I ping the private address that tcpdump does not catch
05:46 -!- rax-Y is now known as rax-
05:54 < Poltsi> Another interesting observation. The standalone server does receive multicast traffic (when inspecting with 'tcpdump -i tap0') sent from another machine located in the private network
06:37 < smili> Hi everyone, I have VPN connected to my home network and wich to connect another VPN to my first VPN for specific ports. Ex: [Home-network]-----all-ports----[VPN1]----port:xxx----[VPN2] is it possible for a beginner to easily set this kind of configuration ? The end goal being for my local network to use VPN1 for most activities and VPN2 for specific ports.
06:39 < smili> wish not wich*
06:40 -!- def_jam is now known as eb0t
08:22 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: by bye]
09:32 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
09:32 -!- mode/#openvpn [+v s7r] by ChanServ
09:38 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: by bye]
09:51 <+hyper_ch> krzee: can you translate this for me into english?  https://eprint.iacr.org/2017/627.pdf
10:01 < Neobenedict> maybe people will be around this time
10:01 < Neobenedict> :(
10:02 < Neobenedict> i have a standard clients->server setup and working fine
10:02 < Neobenedict> on my server i am running a client instance and need to be able to access the subnet given from my home clients, how do I forward it
10:03 < Neobenedict> ie client->server (also rnning a client)->2nd server
10:04 < Neobenedict> i have added push "route 192.168.93.0 255.255.255.0" to openvpn's server.conf but that is not enough.
10:04 < rob0> You would fare better in IRC if you just leave your client connected when you're away.
10:05 < rob0> !clientlan
10:05 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
10:05 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
10:05 < rob0> ^^ follow the flowchart
10:05 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:05 -!- mode/#openvpn [+v s7r] by ChanServ
10:06 < Neobenedict> rob0: so i need to enable ip forwarding on windows?
10:06 < Neobenedict> !ipforward
10:06 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
10:06 < Neobenedict> !winipforward
10:06 <@vpnHelper> "winipforward" is (#1) reboot after enabling it, or (#2) https://support.microsoft.com/EN-US/kb/230082 to enable ip forwarding on windows
10:06 < rob0> you didn't mention Windows in the original question, you just said "standard"
10:07 < Neobenedict> windows -> linux -> linux
10:07 < Neobenedict> i wasn't aware it matters, that's why
10:07 < rob0> Usually it's easier to do fancy networking things on a Linux or Unix.
10:07 < redrabbit> windows 10 packet forward (access subnet behind win10 client) failed for me
10:07 < redrabbit> and i tried..
10:07 < redrabbit> please tell if you get it working
10:08 < redrabbit> with a linux client its a piece of cake though
10:08 < rob0> The concepts are the same, and there's no reason why a Windows-based server cannot provide access to client LANs.
10:09 < redrabbit> ah a windows server right
10:09 < redrabbit> i tried to do with with win10 -not a server-
10:09 < Neobenedict> ok let me reiterate
10:09 < redrabbit> with windows server edition yes its possible from what i gathered
10:09 < Neobenedict> my home computer (windows 7 ultimate) accesses my server (linux) and is assigned an ip 10.x.x.1 for example
10:10 < Neobenedict> on my linux server, i have an openvpn client running that sets up a vpn with another server and assigns several 192.168.x.0 subnets
10:10 < Neobenedict> i need to be able to access those 192.168.x.0 subnets from my home computer
10:10 < Neobenedict> one way or another
10:10 < rob0> for client LAN access, the client has to have IP forwarding enabled, and the proper routes must be set
10:10 < redrabbit> that's easier than sharing network behind the windows machine
10:11 < Neobenedict> no, I don't need to share the network behind the windows machine
10:11 < Neobenedict> the network behind the linux machine is what needs sharing, essentially
10:11 < rob0> then that is easy
10:11 < redrabbit> ok, you need some routes + iroute + client-to-client
10:11 < rob0> where did you get stuck on the flowchart?
10:11 < Neobenedict> so it is not client LAN, but server LAN
10:11 < rob0> !serverlan
10:11 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
10:11 < rob0> there's ^^ a better one for you
10:12 < Philip_J_Fry> iCloud storage to become encrypted with the rollout of iOS11
10:12 < redrabbit> you may need some masq if you want to access stuff that is not on the tun devicse
10:13 < Neobenedict> its on a tun0 adaptor
10:13 < redrabbit> no bother then
10:13 < Neobenedict> what is "vpn ip of the server"
10:13 < Neobenedict> which server
10:13 < rob0> NAT is for RFC1918 networks connecting to the IPv4 Internet, not for RFC1918-to-RFC1918.
10:14 < Neobenedict> i suspect i'm stuck at the home computer talking back
10:14 < Neobenedict> i have added a "push "route 192.168.93.0 255.255.255.0"" to the openvpn server config already.
10:15 < Neobenedict> however I still cannot ping any 192.168.93.x IPs from my home computer.
10:15 < Neobenedict> (I can ping them from the server)
10:15 < redrabbit> you need an iroute and --client-to-client
10:16 < Neobenedict> redrabbit: does the iroute go in the ccd?
10:17 < Neobenedict> I added this to ccd/<name>: iroute 192.168.93.0 255.255.255.0
10:17 < Neobenedict> i haven't done the client to client bit
10:19 < Neobenedict> nop, still can't ping
10:19 < Neobenedict> !route_outside_openvpn
10:19 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
10:21 < redrabbit> 17:13 < Neobenedic> i haven't done the client to client bit
10:21 < redrabbit> 17:15 < Neobenedic> nop, still can't ping
10:21 < redrabbit> use --client-to-client
10:21 < Neobenedict> redrabbit: i enabled it, it didn't work
10:21 < redrabbit> ah
10:21 < Neobenedict> is there anything I need to put in any of the client configs?
10:22 < redrabbit> its server side
10:22 < Neobenedict> is this correct for the ccd file?
10:22 < Neobenedict> ifconfig-push 10.8.0.6 10.8.0.5
10:22 < Neobenedict> iroute 192.168.93.0 255.255.255.0
10:23 < redrabbit> id switch to topology subnet by the way
10:23 < redrabbit> looks fine
10:24 < Neobenedict> and the following is in the server.conf:
10:24 < Neobenedict> push "route 192.168.93.0 255.255.255.0"
10:24 < Neobenedict> client-to-client
10:24 < redrabbit> you have ip forwarding on the client?
10:24 < redrabbit> linux client
10:24 < Neobenedict> yes
10:24 < Neobenedict> unless there are multiple types of forwarding
10:25 < redrabbit> id double check everything
10:25 < redrabbit> devil is in the details
10:25 < Neobenedict> also iptables
10:25 < Neobenedict> !forwarding
10:25 < Neobenedict> !ipforward
10:25 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
10:25 < Neobenedict> !linipforward
10:25 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
10:25 < Neobenedict> r (#3) you also must allow forwarding in your forward chain in iptables.
10:25 < Neobenedict> ok
10:26 < rob0> !/30
10:26 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
10:26 < Neobenedict> i only have a POSTROUTING clause
10:26 < rob0> !topology
10:26 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
10:26 < Neobenedict> so I need a FORWARD clause for tun+?
10:26 < Neobenedict> i assume tun+ covers tun0, tun1
10:26 < Neobenedict> etc
10:26 < Neobenedict> yeah, the /30 behavior is annoying
10:27 < rob0> remove your firewalls (policies at ACCEPT) to get this working
10:27 < Neobenedict> I'll get to that after this though
10:27 < Neobenedict> my firewall has these clauses: -A INPUT -j REJECT
10:27 < Neobenedict> -A FORWARD -j REJECT
10:27 < rob0> remove your firewalls (policies at ACCEPT) to get this working
10:27 < Neobenedict> i assume I should change that to add the eth0 interface
10:27 < Neobenedict> which is what it was for anyway
10:28 < Neobenedict> ok, let me try that
10:34 < Benedict> nope, didn't work
10:34 < Benedict> getting a shedload of these though ovpn-server[13771]: home/<my real ip>:57141 MULTI: bad source address from client [192.168.1.80], packet dropped
10:35 < rob0> IIRC that means you're missing the iroute
10:36 < rob0> !iroute
10:36 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
10:36 < Benedict> ovpn-server[13771]: home/<my real ip>:57141 MULTI: Learn: 192.168.93.20 -> home/<my real ip>:57141
10:36 < Benedict> what does that mean for this situation? good or bad?
10:37 < Benedict> does it mean 192.x is trying to contact my home computer and something is blocking it?
10:37 < rob0> is the VPN client (with the LAN you want to access) the gateway for that LAN?
10:38 < Benedict> 192.168.93.20 is what I was trying to ping
10:38 < Benedict> from windows
10:39 < Benedict> if that doesn't answer that question you'll have to reword it
10:39 < rob0> in any case the router for that LAN needs to know where to route the VPN and associated remote networks.
10:39 < rob0> do you know what a "gateway" is in IP networking terms?
10:40 < Benedict> i'm not sure how to find it in this instance
10:41 < Benedict> oh hm
10:41 < Benedict> i see what it might be doing
10:41 < Benedict> is it thinking the 192.168.93.20 belongs to my windows pc and just
10:42 < Benedict> routes it back on itself
10:42 < Benedict>  Subnet Mask . . . . . . . . . . . : 255.255.255.0
10:42 < Benedict>  Default Gateway . . . . . . . . . : 192.168.1.254
10:42 < Benedict> shouldn't be?
11:38 < rob0> got it figured out yet?
12:02 < gospod2> my windows server 2016 client I believe does not know where the packets should go (local wifi or VPN tunnel), how to force that the should always go through the tunnel if its connected?
12:02 < gospod2> dual gateway issue i believe
12:06 < rob0> !redirect
12:06 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
12:06 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
12:06 < rob0> ^^ that flowchart should help
12:07 < rob0> "windows server" is the openvpn client?
12:08 < gospod2> yeah
12:09 < KNERD> I put in a Buffalo /WZR-1750DHP, and all VPN traffic going through it is very very slow. Suggestiosn on what to look for?
12:10 < andarien> mtu just popped out of nowhere.
12:10 < gospod2> !def1
12:11 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
12:11 < gospod2> so i need "redirect-gateway def1" on client only or both?
12:18 < rob0> a server cannot redirect its gateway
12:18 < gospod2> so it turns out I already had "push redirect-gateway def1" on server but client is still using its own ip
12:18 < gospod2> on the picture im at "your vpn did not add routes correctly"
12:19 < gospod2> what routes should I then manualy add if pfsense+openvpn cant figure it out on its own lol?
12:26 < andarien> you said pfsense, is pfsense still free nowadays?
12:26 < arpwatch> Hi guys, I'm trying to update my openvpn 2.4.0-6 on debian and it is telling me  Samuli Seppänen  signature is invalid.  Did something change?
12:27 < gospod2> yes andarien
12:27 < andarien> good to know.
12:28 < andarien> arpwatch: you need to locally sign, its been reported in the past.
12:28 < andarien> arpwatch: gpg --lsign <DSA key>
12:28 < gospod2> andarien, what are you using?
12:29 < andarien> arpwatch: https://sourceforge.net/p/openvpn/mailman/message/35292243/
12:29 <@vpnHelper> Title: OpenVPN / Mailing Lists (at sourceforge.net)
12:29 < andarien> gospod3: i used to use first untangle, then pfsense, then zeroshell.
12:29 < arpwatch> ah ok thank you
12:29 < andarien> gospod2: for my load balancing/firewall projects
12:30 < gospod2> so ur using zeroshell atm?
12:30 < andarien> gospod2: zeroshell was still an infant back then, i loved pfsense. Nowadays I am not using any as I dont need any
12:30 < gospod2> what are you using then?
12:30 < andarien> gospod2: it was for a project i was doing with a friend in another area, i left so now she handles it. I think she's moved on to mikrotik routers for the tasks.
12:31 < andarien> gospod2: i'm not using any now, as i dont need them, as i said earlier.
12:32 < gospod2> whats firewalling u then?
12:32 < andarien> firewalling me? We had to use pfsense or some alternative to load balance multiple dsl lines to serve multiple clients.
12:33 < andarien> Load balancing was the main thing, and the firewall for basic protection for them.
12:34 < arpwatch> andarien, so would I download the keyring.gpg and locally sign it? http://build.openvpn.net/debian/openvpn/stable/keyring.gpg
12:36  * rob0 afk, out of time today
12:37 < gospod2> I still cant get all traffic to go through the VPN with "redirect-gateway def1"
12:37 < gospod2> What to do?
12:40 < KNERD> try disable firewall to see if that is blocking
12:43 < gospod2> firewall on what side?
12:43 < KNERD> server side
12:44 < KNERD> I have seen it before. Setting sin it blocking wexactly what you trying to do
12:44 < gospod2> Im allowing all traffic everywhere on tap0 on server-side
12:44 < KNERD> okay then, as you wish
12:44 < gospod2> ?
12:44 < gospod2> isnt allowing all traffic everywhere enough ?
12:45 < KNERD> Only tap0 is not "everywhere"
12:46 < gospod2> eth10 and tap0 are bridged to br0
12:46 < gospod2> all 3 have atm for testing *allow traffic everywhere+
12:46 < gospod2> *
12:47 < gospod2> i dont even know how to do more then that :D
12:49 < KNERD> as I said..disable firewall/iptables to make dusre
12:49 < KNERD> *sure
12:49 < KNERD> I was having same issue before and sure enough it was IP tables preventing  traffic from being rerouted
13:26 < gospod2> KNERD, so i disabled firewall, i can still ping local servers on the server side vpn, but web is still not going through the tunnel
13:26 < gospod2> so its not a firewall issue
13:27 < gospod2> that was tense disabling firewall
13:29 < KNERD> looks for this in IPtables:
13:29 < KNERD> :INPUT DROP [25:1582]
13:29 < KNERD> :FORWARD DROP [0:0]
13:29 < KNERD> soemthiing like that
13:30 < KNERD> gospod2: also try adding  bypass-dhcp
13:30 < KNERD> redirect-gateway def1 bypass-dhcp
13:31 < KNERD> I have this line and it works
13:31 < KNERD> push "redirect-gateway def1 bypass-dhcp
13:31 < gospod2> tried bypass-dhcp before and it borks everything
13:31 < KNERD> then your setup is not correct
13:47 < KNERD> gospod2: is this on a public IP address, or a lan?
13:47 < gospod2> what do you mean?
13:47 < gospod2> public
13:47 < gospod2> wan to wan
13:47 < gospod2> im testing with android hotspot on LTE
13:49 < KNERD> hthe server location
13:49 < KNERD> si the OpenVPN server on a LAN?
13:49 < gospod2> no
13:49 < gospod2> im getting on client: "NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
13:49 < gospod2> "
13:50 < KNERD> is redirect-gateway def1 on the client, or server?
13:50 < gospod2> push is on server
13:51 < gospod2> im pasting confs
13:51 < gospod2> server: https://paste.linux.community/view/ed47ab0a
13:51 < gospod2> client: https://paste.linux.community/view/12dffe7d
13:52 < gospod2> server is pfsense with eth10 bridged to tap0 (interface br0 has DHCP server) and the ovpn is getting the lease
13:52 < KNERD> try these lines
13:52 < KNERD> push "redirect-gateway def1 bypass-dhcp"
13:52 < gospod2> all interfaces have any any any for traffic
13:53 < KNERD> push "dhcp-option DNS 8.8.8.8"
13:53 < KNERD> push "dhcp-option DNS 8.8.4.4"
13:56 < KNERD> gospod2: i have set up about 50 VPN servers with this cofnig and works 100% of the time  https://pastebin.com/HXu6U6Pc
13:56 < KNERD> There is a note in there for Debian change
13:57 < KNERD> if that does not work, then it is an routing/IP tables issue
13:58 < gospod2> ok thanks
13:58 < KNERD> and you need this in IP Tables// iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE notice the IP address matches the one set in "server" in the config file. and eth0 is the public internet access you want access to formt he client
14:01 < KNERD> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
14:02 < gospod2> im missing server line in my server config
14:02 < gospod2> thats server side subnet'
14:02 < gospod2> ?*
14:02 < KNERD> apparantly I am told "server" in the config does not really mater
14:03 < KNERD> oh..you mean server 10.8.0.0 255.255.255.0?
14:04 < gospod2> ye
14:04 < KNERD> uyou need to tell the client what IP address they are working on
14:04 < KNERD> otherwise they cannot connunicate with the VPN
14:05 < gospod2> server 10.8.0.0 255.255.255.0 <-- 10.8.0.0/24 is ur local subnet the client is getting right?
14:05 < gospod2> i dont have that line and im getting a lease
14:05 < gospod2> atm im connected over VPN and typing here over RDP
14:05 < KNERD> yes, the client with grab an address from DHCP
14:07 < KNERD> there erver will get an address of 10.8.0.1
14:08 < gospod2> i can also see ur using tun, im on tap
14:10 < KNERD> because we want our traffice to be routed in and out of eth0
14:14 < gospod2> something must be wrong with pfsense then
14:14 < gospod2> in my situation
14:42 < Poltsi> Anyone here?
14:55 < KNERD> nope
14:55 < Poltsi> I see
14:55 < KNERD> those are all bots
14:56 < Poltsi> The bridging setup does not work for me :-(
14:57 < KNERD> then use routing
14:58 < Poltsi> Well the question is, why doesn't it work. AFAIK when I have a private network, and want to add a host (roadwarrior) to it so that the RW get's an IP-address from the private network ip-space, I should use bridging, yes?
15:00 < KNERD> That is like asking a automobile mechanic "I put gasoline in my car, but it wont start. Why?"
15:01 < Poltsi> Now I don't understand, why would my question, regarding the type of vpn, be like that?
15:01 < gospod2> lol
15:02 < KNERD> because without know what the engine is doing when the owner trys to start the engine, how can the mechanic make a guess?
15:03 < KNERD> Just like yoru case, we have no idea what under your server hood is doing
15:03 < gospod2> Poltsi, there are alot of stuff that makes your setup not work, you didnt mention any
15:03 < rob0> Bridging is almost always a bad idea.  If you don't know exactly why you "need" bridging it's almost certain that you do not.
15:06 < Poltsi> I have a server running elsewhere to which I would need to have a secured connection which is two-way to a number of servers in a private network. It would be simpler layout to not create extra networks inbetween, but rather have the external server aquire an address from the private network
15:06 < Poltsi> Oh, and I wrote details of my situation earlier, do you want me to copypaste them again?
15:08 < KNERD> sure
15:09 < Poltsi> 13:23 < Poltsi> Good morning. i have a pretty curious case. Set up openvpn between a server connected to an internal network (2 network devices, one to the public network, other to the  private network). The client is a standalone server (VM) by one of the providers
15:09 < Poltsi> 13:24 < Poltsi> It is set up in brigding mode so that the standalone server gets an unused ip-address from the private network
15:09 < Poltsi> 13:24 < Poltsi> I can ping both ways the local ip-addresses on either servers
15:09 < Poltsi> 13:26 < Poltsi> however if I ping a certain other address in the private network, then I see no trafic whatsoever on the bridging server (using tcpdump), while if I ping another address,  then I can see that they are transmitted, but without response
15:09 < Poltsi> 13:26 < Poltsi> The route on the standalone server has a 24-mask, which covers both addresses
15:09 < Poltsi> 13:29 < Poltsi> The bridging server does have ip_forward set to 1, and firewall rule allows all traffic to tap0
15:09 < Poltsi> 13:30 < Poltsi> The command to inspect the traffic (on the bridging server) is: tcpdump -nni tap0 "icmp[icmptype] == icmp-echo or icmp[icmptype] == icmp-echoreply"
15:09 < Poltsi> 13:32 < Poltsi> Oh and the version is 2.4.3
15:09 < Poltsi> 13:33 -!- SkinnyMelon [~SkinnyMel@51B699A5.dsl.pool.telekom.hu] has quit [Read error: Connection reset by peer]
15:09 < Poltsi> 13:33 < Poltsi> What is more interesting is that I have the log cranked up to 6 and can see in the bridging log that packets are transferred when I ping the private address that tcpdump  does not catch
15:10 < gospod2> holy shit i solved my own problem
15:11 < Poltsi> The configs are from what can be found under /usr/share/doc/openvpn-2.4.3/sample/
15:11 < gospod2> "route-gateway <ip of gateway>" to client and all is working finally
15:11 < Poltsi> Only changes are the specifc addresses
15:12 < gospod2> holy fcuking sh!t 12h for nothing
15:13 < KNERD> I would just connect them all together under a tunnel to a common server, and everyone else is a client, Just be doen with it
15:16 < Poltsi> Do you mean that all the servers, on the private network, as well as the external server would use openvpn to connect to a common tunnel?
15:16 < KNERD> yes
15:16 < KNERD> that is why they call it a Vritual Private Network
15:17 < KNERD> then witht he correct setup, everythign will be able to talk to each other on that same private netwrok
15:18 < KNERD> just like on a LAN
15:19 < Poltsi> Yes, I understand how it would work. My disagreement is that it would mean setting up the same thing on any device I have in the private network in order to get the external one accessing them. Contrast this to having it set up for exactly 2 machines with bridging
15:20 < KNERD> well you can spend 1 hour , or less doing that, or keep the next week trying to figure out your issue you having now
15:22 < Poltsi> Ok, do mean to say that the bridging implementation in openvpn is not production quality and should be avoided?
15:23 < gospod2> KNERD, for my bridged setup to work only this is needed now: "push "redirect-gateway def1"; push "route-gateway <gw ip>"
15:23 < gospod2> good to know if u ever come across setup like this
15:24 < KNERD> oh, okay..thanks
15:25 < KNERD> Poltsi: I believe that is what rob0 sated about half an hour agao
15:25 < gospod2> someone should really make an article and put this stuff online. it is nowhere to be found on google on how to do it with pfsense
15:26 < KNERD> the openvpn foolks want you to come to them for support $$
15:26 < KNERD> :-)
15:27 < Poltsi> Hmm... I read rob0's comment differently, if you mean this one: 22:59 < rob0> Bridging is almost always a bad idea.  If you don't know exactly why you "need" bridging it's almost certain that you do not.
15:31 < KNERD> Well you can discuss it with gospod2: as he seems to got it working out, if I am not mistaken  I have never personally messed with it
15:33 < gospod2> im not a networking genius and i dont even understand your setup (or what you want to do)
15:33 < gospod2> try to describe it with least amount of words
15:35 < gospod2> Poltsi, try adding to server conf --> push "redirect-gateway def1"; push "route-gateway <gw ip>
15:36 < Poltsi> This gw ip would be what exactly? The private ip address of the openvpn server?
15:36 < gospod2> DHCP server IP
15:36 < gospod2> on the server side
15:37 < gospod2> wait
15:37 < Poltsi> Let me describe my setup in some detail
15:37 < gospod2> is DHCP server on the gateway?
15:37 < gospod2> gw ip = gateway ip
15:37 < gospod2> no dont use detail
15:37 < gospod2> im no networking genius
15:37 < gospod2> least amount of words
15:38 < Poltsi> Ok. I have a private network (192.168.42.0/24) where I have a server (OVS) on the edge with private address 192.168.42.201 as well as a public ip. I have elsewhere on the public network a server (CS). The VPN should be between the CS and OVS so that the CS gets an ip-address of the private network
15:38 < Poltsi> The OVS is not the GW for the private network
15:38 < gospod2> OVS and CS are hostnames?
15:39 < Poltsi> Essentially yes, OVS == OpenVPNServer, the one with the server.conf
15:39 < Poltsi> CS == Client Server, the one that should get the ip address
15:40 < gospod2> so what is not working ? <--- this is a huge question that i dont know all the answers.
15:40 < gospod2> essentially u want to connect CS to where OVS is connected right?
15:41 < Poltsi> CS get's the 192.168.42.250 ip address as configured, and I can from CS ping 192.168.42.201 (OVS) as well as ping 192.168.42.250 (CS) from OVS
15:41 < gospod2> ok
15:41 < Poltsi> What is not working is any connection, or even ping from CS to any of the other hosts in the private network
15:42 < Poltsi> And there is something weird too...
15:42 < gospod2> paste your server conf
15:42 < Poltsi> Uno momento
15:42 < gospod2> and whats ur DHCP server IP and gateway IP
15:44 < gospod2> i understand weird only because I was looking at weirdness for the past 24h
15:44 < gospod2> im going tun for the next time trust me
15:45 < Poltsi> https://pastebin.com/qwjqZ0yU
15:46 < gospod2> im no expert
15:46 < Poltsi> DHCP and GW for the private network is 192.168.42.1
15:46 < gospod2> i suspect this line --> server-bridge 192.168.42.201 255.255.255.0 192.168.42.250 192.168.42.252
15:47 < gospod2> change it to
15:47 < gospod2> server-bridge 192.168.42.1 255.255.255.0 192.168.42.250 192.168.42.252
15:48 < gospod2> whats ur DHCP server range?
15:51 < Poltsi> 24-199, but I'm not using the DHCP-server to assign the ip-address for the external server
15:51 < Poltsi> The external server correctly gets the 192.168.42.250 address from the line you suspect
15:51 < gospod2> atm openvpn is assigning them if i understand it correctly
15:51 < Poltsi> Yes, and that's ok
15:52 < gospod2> u changed server-bridge line?
15:52 < Poltsi> I did, from 201 -> 1
15:52 < gospod2> ja is it working now?
15:52 < gospod2> first ip in server-bridge is gateway
15:52 < gospod2> 201 is not a gateway but a client
15:52 < Poltsi> Let me check. I can ping from the OVS to CS
15:53 < gospod2> ping 8.8.8.8 on CS
15:53 < Poltsi> Yes, that works too
15:53 < gospod2> ok try whats not working from before
15:54 < Poltsi> I can also ping from CS the 192.168.42.201
15:54 < Poltsi> But none of the private addresses of other servers in private network, for example 192.168.42.1 does not respond
15:54 < gospod2> leave .1 for the last
15:54 < gospod2> is there any other then .1 ?
15:55 < Poltsi> So the situation is the same as before
15:55 < gospod2> .1 is firewall/routing/networking issue
15:55 < Poltsi> Sure, the laptop I currently use, .179
15:55 < Poltsi> PING 192.168.42.250 (192.168.42.250) 56(84) bytes of data.
15:55 < Poltsi> From 192.168.42.179 icmp_seq=1 Destination Host Unreachable
15:56 < gospod2> you have a firewall/routing/networking issue
15:57 < gospod2> CS is there but not all the way I would say :D
15:57 < Poltsi> I've disabled the FW on both my laptop as well as the OVS, the CS has -j ACCEPT for anything 192.168.42.0 && tap0, ip_forward is 1 on both OVS as well as CS
15:58 < Poltsi> And when I run tcpdump on CS for tap0, I could see brodcast messages from another device in my private network
15:59 < gospod2> my problem was only route-gateway which pfsense was not pushing (only redirect-gateway) (bug I believe, will get fixed in 100 years)
15:59 < gospod2> while for you server-bridge is pushing route-gateway i think
15:59 < Poltsi> The most furiating thing is that on OVS, if I tcpdump the tap0 and ping 192.168.42.1 from CS, I can see the packets, but not if I ping any other private address
16:01 < gospod2> Poltsi, try adding push "redirect-gateway def1"; then if it doesnt work push "redirect-gateway def1 bypass-dhcp";
16:01 < gospod2> to server conf
16:02 < Poltsi> Ok, one moment
16:04 -!- abenz__ is now known as abenz
16:07 < Poltsi> That was not good, on CS it added a default gw for 0.0.0.0 to 192.168.42.1 which did not work
16:08 < Poltsi> And despite that I could not ping from CS to .179
16:09 < Poltsi> Besides, it would mean that the CS would route all traffic through the private GW
16:10 < gospod2> from my view that points that something is wrong with ur firewall/routing/networking and not openvpn server itself
16:11 < gospod2> thats outside my scope of knowledge sorry
16:11 < Poltsi> Ok, thanks for your effort
16:15 < gospod2> my advice is go tun
16:15 < gospod2> tap is not worth it
16:16 < gospod2> and first try to make everything work by forcing all traffic through tunnel.
16:17 < Poltsi> Unfortunately that is not an option, since the external server is, among other, a DNS-server for domains
16:18 < gospod2> lol
16:18 < gospod2> replicate DNS?
16:18 < Eugene> It sounds like you're tryting to do bridging. Don't.
16:19 < Eugene> !configs
16:19 < Eugene> !goal
16:19 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
16:19 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:36 < Poltsi> Seems like the issue might be in ARP, the external server requests who-has for the ip address I try to ping, but does not get the answer
16:42 < Eugene> If you really want to bridge, there's a couple things you should check: ip/ebtables rules(yes, both), bridge device is not set up correctly, sysctls blocking promiscuous mode on your NIC, switch blocking promisc mode on the NIC(yuuuup)
16:42 < Eugene> I assure you, routing is simpler
16:52 < Poltsi> iptables: I've disabled it temporarily on the OVS as well as the private machines I try to ping. On the OVS I've allowed all access to and from the tap0
16:53 < Poltsi> ebtables: On OVS and CS the tables are empty and default is ACCEPT
16:55 < sIRwa2> !welcome
16:55 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
16:55 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
16:55 < Poltsi> promiscuous mode should be ok, since I get these in the log: [2109173.519290] device br0 entered promiscuous mode
16:55 < Poltsi> ditto for any ethX
16:58 < Poltsi> ...and tap0
16:58 < Poltsi> So, I guess that leaves the br0 setup on OVS
17:03 < sIRwa2> hi short noobish question, if i run openvpn on my linux machine, should i still be able to access it via my external ISP ip? because my router should route it on the lan side ?? or is openvpn preventing that?
17:04 < sIRwa2> !route
17:04 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
17:08 < rob0> don't enable --redirect-gateway if you don't want to redirect the gateway.
17:09 < rob0> If you did enable it, correct, you cannot access it from outside via your ISP IP address.
17:11 < sIRwa2> tnx.  ill make sure to read up on that
17:17 < sIRwa2> !configs
17:17 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
20:33 < redrabbit> how would you chain two vpns from win10 ?
20:34 < redrabbit> i found a method but speeds are really bad because it connects as a client going through an already etablished tunnel so it passes through the same openvpn server twice, and i dont want to try to use a VM
21:39 < ldiamond> I'm trying to route all traffic through my VPN. I set 'push "redirect-gateway def1"' in the server config, but the effect is no more internet access on the client (i.e. it can access the VPN devices, not get out to the internet).
21:40 < ldiamond> I also have a bunch of other things pushed out, DNS servers, WINS, NTP.
21:41 < ldiamond> Still, I can't access the outside world when I start openvpn. It also cuts my internet connection after I shut down openvpn and I have to disable/enable my networking to restore it.
21:41 < ldiamond> Seems like it removes the default route and doesn't put it back after closing openvpn
21:53 <@ordex> ldiamond: about it not working whileopenvpn running: is forwarding/NAT enabled onthe server
21:53 <@ordex> ?
21:59 < ldiamond> ordex, what option is that? Is there another name?
21:59 <@ordex> no, that isnot something that openpn can configure for you
21:59 <@ordex> !nat
21:59 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
22:02 < ldiamond> ordex, yea that might be the issue, I dont see any firewall rule for that
22:05 < ldiamond> My openvpn server is on a LEDE router. I saw there was no zone forward to WAN. I added it but still no luck
22:06 <@ordex> ldiamond: did you read the howto above?
22:07 <@ordex> if you read that, you will see that there is more than just allowing the vpn traffic in the forward chain
22:08 < ldiamond> i read the first one, but idk the effect of allowing traffic to wan on ip tables.
22:09 <@ordex> ldiamond: maybe you can ask on the lede channel support, how to enable masquerading for anoher interface (i.e. the vpn)
22:09 <@ordex> !linnat
22:09 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
22:10 < ldiamond> Alright I'll check those and try again tomorrow
--- Day changed Sun Sep 03 2017
04:54 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: by bye]
04:54 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
04:54 -!- mode/#openvpn [+v s7r] by ChanServ
05:58 -!- abenz__ is now known as abenz
06:06 < seven-eleven> hi, is it possible to also route all traffic from a openvpn server through one of its clients?
06:06 < seven-eleven> outgoing traffic*
06:24 <@ordex> seven-eleven: think so. it's like having the client advertising a LAN, just a special one. although i never tried
06:24 <@ordex> !clientlan
06:24 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
06:24 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
06:25 < seven-eleven> ah nice, then I'll try that, thanks!
10:27 < Benedict> rob0: follow up from yesterday... it was a routing issue
10:27 < Benedict> my iptables rule was routing all traffic out to a public ip, instead of just eth0 traffic
10:32 -!- andarien_ is now known as andarien
12:15 -!- abenz_ is now known as abenz
12:24 < gregf> I just setup a openvpn server with the instructions found here https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
12:24 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
12:25 < gregf> i'm connected to the server right now i can ping 10.0.0.1, but when I go to ipchicken.com I still see my isp's ip address not my vpns
12:32 < gregf> hmm
12:32 < gregf> seems my routing table is wrong, I wonder what would cause this
12:32 < roasted> Hi friends. I'm curious how I can ensure that all of my traffic is routing through my VPN. Server is an Ubuntu server at my house. Client is an Ubuntu laptop. I'm working with a config file imported into network manager. When I'm tethered to my phone on my laptop pinging a web site, then shut off my home router, the ping doesn't stop, so it looks like it's falling back to my phone connection. Is there a way to hard lock that so if my VPN server at
12:32 < roasted> home shuts down all connectivity on my laptop (when VPN is active) also stops?
14:30 < lsik> hi guys
14:30 < lsik> i have one problem with openvpn
14:30 < lsik> its on raspi 1
14:30 < lsik> and its so slow, i have no idea how to improve perfomance
14:31 < lsik> do you have any idea?
15:09 < mynameisdebian> My Raspberry Pi NAS runs Linux/Samba.  I want to install OpenVPN on it to connect to my home network from a coffee shop.  When I do so, does the RPi act as a DHCP server and give my coffeeshop laptop a private IP address for my home network?  If so, will I have Samba access (my laptop is Windows)?
15:10 < BtbN> VPN is on layer 3. There is no DHCP.
15:11 < mynameisdebian> Then does the VPN client act like a network adapter, and have a private IP address?  I'm trying to understand where my client gets the IP address
15:11 < BtbN> From the VPN Server.
15:11 < BtbN> You define a network in its config.
15:14 -!- abenz_ is now known as abenz
15:14 < abenz> !ccd
15:14 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
15:28 < roasted> Correct me if I'm wrong but isn't the default behavior with open vpn on Linux (for both server and client) to route all traffic? I'm finding that even if I shut off my VPN server I still have connectivity, when I expected to lose all traffic period once that server went down.
15:31 < BtbN> if both would redirect all traffic, nobody would be able to connect anywhere
15:31 < BtbN> It does whatever it's told in it configuration.
15:33 < roasted> Yeah. I'm still trying to get a feel. I have two configurations. One so I can access resources in the network and another that I'm intending to be secure. But when I kill my server it still let's me browse online, suggesting it has to be running on my tethered phone network.
15:33 < roasted> Which concerns me. If I'm on public WiFi and vpn home, if my home connection drops then I'm just back to public WiFi, which I of course want to avoid
15:46 < rob0> !redirect
15:46 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
15:46 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
15:46 < rob0> --redirect-gateway is not default, no.
15:47 < rob0> Also, --redirect-gateway is for client only, you can't do that on a server (you'd end up trying to route tunnels through themselves, and that won't work.
16:02 < roasted> rob0: my understanding is the network manager for Ubuntu has an option that says use only for resources on this network, which is their variant of redirect gateway on client. But this isn't a means of routing all traffic, is it? I currently use it on another profile because I can leverage lan items and VPN server items. Gives me one leg in each network.
16:03 < roasted> It's hard for me to articulate what I'm trying to say on a phone keyboard
16:05 < roasted> I'll check that factoid then though. Thanks.
16:43 -!- abenz_ is now known as abenz
16:47 < mynameisdebian> What is the correct configuration for running a home OpenVPN server behind a cable modem if the modem does not have any native VPN capabilities?
16:48 < mynameisdebian> to access my home network from a remote location, and have my samba shares on my network be accessible?
16:49 < abenz> so the cable modem is also the router? (ie you have a single device?)
16:49 < mynameisdebian> yessir
16:50 < abenz> and the openvpn is server is what kind of device?
16:50 < mynameisdebian> I don't have it set up yet but it will be a Raspberry Pi (which is also operating as a NAS w/ Samba,NFS,SSH,(S)FTP)
16:51 < abenz> you simply need to forward the port you will use for openvpn to the raspberry pi
16:52 < mynameisdebian> Will my device be seen on the network as its own device, or is there some kind of NAT going on through the Pi?
16:53 < abenz> by default it will be its own, eg if your laptop/PC is 192.168.1.100, the Pi could be eg 192.168.1.102
16:54 < mynameisdebian> Is the IP address issued by the Pi, and if so is it done via DHCP?
16:55 < abenz> then to access shares locally, eg via ftp: ftp://192.168.1.102 (from your laptop/PC), but from VPN, you connect (after you open required ports on your cable modem) then there will be an IP used for the tunnel eg 10.0.8.x, but you can simply access the Pi using its local IP (eg 192.168.1.102)
16:58 < mynameisdebian> So my private IP will be 10.0.8.X (for example), but my gateway is that of the Pi (10.0.8.1 for example), and the Pi routes that address to my private network (192.168.1.X)?
17:00 < abenz> correct
17:02 < abenz> you set the tunnel range in the server, the client (eg client.ovpn) will not have it specified
17:02 < abenz> eg in server.conf: server 172.16.20.0 255.255.255.0
17:02 < abenz> or 10.0.8.0 (if we follow our earlier example)
19:13 -!- remirol is now known as lorimer
--- Day changed Mon Sep 04 2017
03:19 < Poltsi> I think I've figured out what is wrong with my bridging setup. It may very well be that there's ARP-filtering going on by the hypervisor on the server-side as it is running as a VM on top of oVirt
03:22 < Poltsi> To test this I set up a separate hardware running exactly the same OS and configurations as in my server VM, and now everything works as-should
03:40 < Floppe> !welcome
03:40 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
03:40 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
03:42 < Floppe> !goal get subnet routing to work on Windows server 2016 through tap adapter
03:56 < Floppe> !goal resolve windows server routing
03:57 <@ordex> !goal help Floppe
03:57 <@ordex> does not work today :/
03:59 < Floppe> heh, someone who have any hints on why Windows server 2016 does not route through tunnel although the route is in the table. Wireshark does not show them either so it's an issue on the server side.
08:15 <@dazo> Floppe: firewalling?  Network zone?
08:15  * dazo just guesses, have no Windows experience in this area
09:15 < JaguarDown> Trying to install 2.4.3 on Debian 9 but the configure script says the configure: error: openssl check failed. Here's some info https://pastebin.com/WKMBHg29
09:16 < JaguarDown> I came across a bug report that 2.4 couldn't build with openssl 1.1.0 but it was reported fixed.
09:40 < _bt> anyone able to connect to a PPTP vpn whilst connected to OpenVPN?
09:41 < _bt> i've enabled nf_conntrack_pptp and done echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
09:41 < _bt> cant seem to establish PPTP through it though
09:52 <@ordex> JaguarDown: I am not entirely sure support for ossl-1.1 is in 2.4.3
09:52 <@ordex> but I am not even sure that configure should fail
09:52 <@ordex> can you provide the full configure output and the configure.log ?
09:54 <@dazo> JaguarDown: I've build OpenVPN v2.4.3 against OpenSSL 1.1 successfully in Fedora 26 and 27 .... but you need one of the very the latest OpenVPN versions for this to work.  I don't recall now if it was 2.4.2 or 2.4.3 which came with the full OpenSSL 1.1 support, but going for 2.4.3 is reasonble
09:56 <@ordex> dazo: and I think you'd have problems at compile time, not configure time, righ t?
09:56 <@dazo> ordex: correct
09:57 <@dazo> complaining about some structs missing, iirc
09:57 <@ordex> yeah
09:58 <@ordex> JaguarDown: thus better showing us the full configure log, because the problem might be something simpler than an incompatibility with openssl-1.1
10:33 < roasted> if I'm pushing redirect-gateway from server, and also have redirect-gateway on my client .ovpn file, then VPN home (to where the VPN server is), should "what is my IP" not reflect my home's public IP? When I do this, I'm getting my phone (tethered to laptop) public IPv6 address...
10:38 < rob0> if your tunnel is ipv4-only, then ipv6 is not tunneled
10:38 < roasted> ah
10:38 < roasted> so testing on my phone likely isn't a great test then
10:41 < roasted> is that to suggest if my phone was pushing ipv4 then everything would have likely been kosher?
10:44 < roasted> it's definitely working in -some- capacity, as I can hit resources from home (ipv4) despite being tethered to my phone (ipv6), but the public ip not changing is what raised an eyebrow.
10:46 < rob0> You'd also have to redirect ipv6 to redirect ALL traffic.
10:47 < rob0> or, conversely, block/disable ipv6 on the client
10:48 < roasted> how would blocking/disabling ipv6 on the client help, given the client (in this context) is connected via my phone, which is exclusively using ipv6 to host the tethered connection?
10:50 < rob0> I didn't say what could "help", how could I know all your personal details?  I said how you could redirect all traffic.
10:51 < rob0> Also, you didn't say how you tested "what is my IP", so perhaps that test was wrong.
10:52 < roasted> just via google
10:54 < skyroveRR> Hiya roasted
10:55 < roasted> it changes immediately when I bounce between home and tethered so I figured that was a quick test
10:55 < roasted> hi skyroveRR
10:55 < skyroveRR> Err, rob0
10:55 < skyroveRR> Hehe :)
10:55 < rob0> :)
11:13 < roasted> well, that was weird. I disabled ipv6 on the VPN entry in network manager (ubuntu). I was getting an ipv4 different from my home public ip. activated vpn, got my home ipv4. nice. rebooted everything (phone and laptop) and repeated same steps, no dice, and now I'm seeing ipv6 again
11:13 < roasted> I wonder if my phone bounces between ipv4 and ipv6?
11:13 < rob0> dual-stack systems often do
11:15 < roasted> if my ISP is not providing ipv6, I wonder how I can even configure openvpn on my server to accommodate ipv6 networks (phone, etc) I may be on in the future to allow this to happen without issue.
11:15 < roasted> might have to do some digging
11:16 < Abbott> How can I list connected clients? My unit file is passing --status but /run/openvpn-server/noforward-status.conf doesn't exist. http://dpaste.com/3QVEFEA
11:17 < Abbott> Err status-noforward.conf doesn't exist, rather
11:29 <+hyper_ch> krzee: https://arxiv.org/abs/1708.09317
11:29 <@vpnHelper> Title: [1708.09317] Disguised Face Identification (DFI) with Facial KeyPoints using Spatial Fusion Convolutional Network (at arxiv.org)
11:30 < JaguarDown> ordex: Thank you for you reply, sorry I've been away. I am trying to install 2.4.3 actually. I will post the configure log
11:32 < JaguarDown> ordex: https://pastebin.com/fcffD67f
11:35 < JaguarDown> ordex: for the record I am simply running "sudo ./configure" with no options. I am more of an intermediate user and would be ignorant of any needed options unless I was told. I usually just follow the basic installation steps listed in the typical README/INSTALL files.
11:38 <@dazo> JaguarDown: which distro/OS are you building on?  What does pkg-config --modversion openssl  say?
11:38 < Abbott> I think the problem with my setup is the openvpn systemd file is running openvpn as the user "nobody" and thus, does not have access to /run/openvpn-server. Should openvpn be run as nobody? or should I chmod /run/openvpn-server to nobody? or just change permissions?
11:38 <@dazo> Abbott: which distro?  Tried using --user openvpn --group openvpn in your config instead of nobody?
11:39 < Abbott> dazo: debian
11:39 < Abbott> I'll set user and group to openvpn
11:39 <@dazo> Abbott: you might need to double check if the openvpn user exists though
11:39 < Abbott> should I chmod /run/openvpn-server to openvpn too, then?
11:40 <@dazo> Abbott: that should be the default
11:40 <@dazo> at least that is what we have in the tmpfiles config shipped with OpenVPN 2.4
11:40 < Abbott> I don't have an openvpn user
11:41 < Abbott> should one have been created? or was I supposed to do that myself
11:41 <@dazo> do you have /usr/lib/tmpfiles.d/openvpn.conf ?
11:41 <@dazo> hmmm .... that file actually says /run/openvpn-{client,server} should be owned by root
11:41 <@dazo> !logs
11:42 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
11:42 < Abbott> right now it is currently owned by root
11:42 <@dazo> Abbott: in most systemd distros /run is a tmpfs mount ... which effectively is a ramdisk .... so chown those directories won't make much difference after a boot
11:43 <@dazo> Abbott: we need logs now .... and !configs as well, to see what you're trying to do
11:43 <@dazo> !configs
11:43 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
11:44 < Abbott> server conf (haven't changed user and group yet): http://dpaste.com/1EAWX2Z
11:45 <@dazo> Abbott: I advice you to remove --log  ... then things goes into syslog and the systemd journal automatically
11:46 <@dazo> Abbott: and also take out --status .... as that is added by default
11:46 <@dazo> (see systemctl status openvpn-server@CONFIGNAME)
11:47 < Abbott> this is one of the client configs: http://dpaste.com/3N9QV6F
11:47 < Abbott> I'll remove those lines now
11:47 <@dazo> also ... the advantage of the systemd journal .... journalctl --since today -u openvpn-server@CONFIGNAME  ... and you get only the openvpn log data for that config
11:51 < Abbott> that's very useful
11:52 < Abbott> so should I set user and group to root then? it would seem that is what is expected
11:52 <@dazo> nope, let them be nobody for now .... that might be the "debian way to do it"
11:52 < JaguarDown> ordex: I am building on Debian 9. Here's the output of that command: https://pastebin.com/BdmzWvs6
11:52 <@dazo> I'm using RHEL/Fedora (and clones), and those distros have the openvpn user and group
11:52 < Abbott> but won't it not have access to the /run directory to write the status file?
11:53 <@dazo> JaguarDown: install the libopenssl-dev package
11:53 <@dazo> Abbott: OpenVPN starts with root privileges, sets up everything and then drops to --user/--group
11:54 < JaguarDown> dazo: Thanks I'll try that. Is there a certain repo I need? Apt couldn't locate that package.
11:54 <@dazo> JaguarDown: you might need a few other build dependencies too .... pkcs11-helper and libpam are those striking me right now, but might be a few more .... like systemd devel package
11:55 < JaguarDown> dazo: I think you're right, I'm pretty sure all that wasn't found by the configure script
11:55 <@dazo> JaguarDown: I have no real clue about debian repos ... but those should be available ..... those times I've tested building on Debian, there were some source repos I had to use
11:56 < JaguarDown> dazo: Okay I'll look into it, shouldn't be too hard to find
11:56 <@dazo> JaguarDown: oh ... it might be you need libssl-dev .... the debian naming is always confusing to me on the library side of things
11:56 < JaguarDown> dazo: that was the name
11:56 <@dazo> JaguarDown: apt-cache search have been my rescue :)
11:57 < JaguarDown> dazo: haha I'll have to keep that in mind
11:58 < JaguarDown> Okay here's my new ./configure output after installing libssl-dev for anyone who wants to take a stab at it. I'll be reviewing it as well: https://pastebin.com/rvB9Xczr
11:59 <@dazo> ahh, right ... liblzo-dev and I'd advice you to also install liblz4-dev too
12:01 < JaguarDown> Thanks! installing...I noticed OPENSSL check succeeded this time...
12:02 < JaguarDown> Okay this time libpam was missing, let me just find that package
12:04 < JaguarDown> If anyone knows the actual libpam package name for Debian 9 it would help greatly lol
12:05 < JaguarDown> apt-cache search spit out about a thousand lines on the search term...
12:06 <@dazo> apt-cache search libpam | grep -- -dev
12:07 < JaguarDown> Okay there is libpam-ocaml-dev, libpam0g-dev, and libpasswdqc-dev. Any ideas?
12:08 < JaguarDown> It might be libpam0g-dev "development files for PAM"
12:09 < JaguarDown> success...just have to install cmake as well lol
12:13 <@dazo> JaguarDown: CMake isn't really needed though
12:13 <@dazo> JaguarDown: that's only if you want to run the unit test suite  (which is far from complete)
12:15 < JaguarDown> dazo: oh okay. Well apparently the install succeeded...thanks for your help!
12:15 < JaguarDown> ordex: you as well
13:27 < bumbar_> i have enabled openvpn server on my asus router (using stock firmware), forwarded ports (tcp 443, 943, udp 1194) but can't connect on my phone via mobile data
13:42 -!- jnagro_ is now known as jnagro
13:50 -!- abenz__ is now known as abenz
13:51 -!- rax-Y is now known as rax-
14:39 < Conder_> hello, when i am connecting to openvpn on tcp/443, is it possible to distinguish this traffic from regular HTTPS traffic?
15:04 -!- dionysus70 is now known as dionysus69
15:26 < BtbN> Conder_, you mean for some proxy to redirect it to the right place?
15:27 <@plaisthos> Conder_: yes
15:27 <@plaisthos> some of openvpn's packet format is cleartext
15:29 < Conder_> plaisthos: and is there some option how to mask openvpn as regular https?
15:29 < BtbN> openvpn is not http
15:29 < BtbN> it behaves vastly different
15:30 < Conder_> BtbN: well, i am looking for solution. i connect to my openvpn server through some public wifi hotspot. and  if someone run traffic sniffer, he wont be able to identify if its https or openvpn
15:32 < ntd> Conder_, oh, but they will be able to do just that
15:32 < ntd> ...at least determine that it is not https
15:35 <@plaisthos> Conder_: no
15:35 <@plaisthos> openvpn isn't simply designed to behave like that
15:38 < ntd> also https doesn't work that way: https://en.wikipedia.org/wiki/Server_Name_Indication
15:38 <@vpnHelper> Title: Server Name Indication - Wikipedia (at en.wikipedia.org)
17:17 < ross`> Can someone help me? I'm trying to figure out the best way of tunneling ipv6 over my openvpn
17:17 < ross`> I currently have ipv4 working
17:17 < ross`> I want to add masquerading for ipv6
17:38 <@dazo> ross`: masquerading for IPv6 is really not recommended ...  why not just split up your IPv6 subnet into a smaller fragment for VPN tunnels?
17:39 <@dazo> (don't compare IPv4 directly with IPv6 ... even though lots are similar, there are lots of differences too ... and some of the IPv4 mistakes should really be avoided in IPv6)
18:33 -!- andarien_ is now known as andarien
19:09 -!- u0m3_ is now known as u0m3
20:28 -!- abenz_ is now known as abenz
21:26 -!- Ekho- is now known as Ekho
21:55 < m0rd3cai> anyone around for a quick question?
21:55 < m0rd3cai> just wondering if Openvpn Connect uses different ports than standard Openvpn.
21:56 < m0rd3cai> I can't get my vpn through my IPS firewall despite following their recommendations
21:57 <@ordex> m0rd3cai: OpenVPN connect just follow what the config says
21:57 <@ordex> it does not have a "predefined port"
21:58 <@ordex> and in any case:
21:58 <@ordex> !as
21:58 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
21:58 < m0rd3cai> thanks
23:20 -!- abenz__ is now known as abenz
--- Day changed Tue Sep 05 2017
00:27 < chris0000> I have an /etc/config/openvpn file which has option config /etc/openvpn/configuration1.ovpn in it and i have a 2nd /etc/openvpn/configuration2.ovpn and want to have both tunnels started on system boot. I tried adding a 2nd 	option config /etc/openvpn/configuration2.ovpn line to /etc/config/openvpn but see that doesn't work. Is there a proper way to do this?
00:46 < TyrfingMjolnir> i have OpenVPN set up in a way I can log in to it
00:46 < TyrfingMjolnir> What do I need to add to the configuration to be able for my traffic to appear from the server I log in to?
01:09 <@ordex> !redirect
01:09 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
01:09 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
01:09 <@ordex> TyrfingMjolnir: ^^^
01:29 < seven-eleven> hi, i need fixed IPs for my vpn clients, do I have to use client-config-dir to achieve this or can I alternatively maybe setup fixed IPs from the client side by simply adding in addition to the randomly pushed client IP a fixed virtual IP to the tun device?
01:29 <@ordex> seven-eleven: you got the best nick ever :D
01:30 < seven-eleven> ordex, thank you :-)
01:30 <@ordex> seven-eleven: how many of you around there? :P
01:30 <@ordex> seven-eleven: I don't think you can simply add an IP client side because the server need to know about it. so something server side is required
01:30 < seven-eleven> I encounterd seven-eleven daily in my last vacation
01:30 <@ordex> best it to use ccd, yes
01:30 <@ordex> I can see several from my window :P
01:31 < seven-eleven> hehe :-)
01:31 < seven-eleven> not sure if there are any in germany, because the discounter market is pretty competitive
01:32 <@ordex> yeah
01:32 <@ordex> never seen any there
01:33 < seven-eleven> my issue is that my droplets are created from the droplet image. I think => that I have to write a wrapper systemd unit that loads the right vpn client config by using the hostname as clue
01:34 < seven-eleven> from the same droplet image *
01:35 <@ordex> might be an idea
01:36 < seven-eleven> thanks for assuring! I'll give that a try
02:02 < TyrfingMjolnir> ordex: Thanks, I have the others set up I only need the #1
02:07 <+hyper_ch> hmm, where is krzee :(
02:08 -!- SerusWor1 is now known as SerusWork
05:08 < aditsu> hi, I have a client who's trying to connect from China and it's not working; these are some logs from the client side: http://dpaste.com/30N8JKX
05:10 < aditsu> I see something similar on the server: http://dpaste.com/0PFS916
05:11 < aditsu> other clients are connecting fine
05:11 < aditsu> any ideas what to do about it?
05:17 < Poltsi> Isn't China doing a crackdown on vpn-connections?
05:21 < Poltsi> According to this it would be in effect beginning of next year... http://theconversation.com/why-you-should-care-about-chinas-vpn-crackdown-82222
05:23 < aditsu> yeah I saw that, not sure if it's related; if there's a firewall, wouldn
05:24 < aditsu> wouldn't it block the initial packet too?
05:25 < Poltsi> Depends on how the filtering is done, yes if just certain ports, maybe if there is deeper packet inspection
05:28 < Poltsi> Out of curiosity, is the said client able to connect with the same device when outside China? Or is this a stationary client?
05:30 < aditsu> he said he also had problems outside China, but in the server logs I saw some messages that suggest a successful connection followed by a timeout
05:30 < Poltsi> Hmm... so, fuzzy
05:33 < aditsu> the server sent a PUSH_REPLY,route [...], then 10 min later there was an Inactivity timeout
05:34 < Poltsi> Well there might be something else, but now it does not get even to that stage, so probably a different issue
05:34 < aditsu> yes, exactly what I'm thinking
05:36 < aditsu> also I'm not 100% sure it's the same device
05:36 < Poltsi> Ok, so there are quite a number of variables in this
05:37 < aditsu> for now I'm just concerned about the problem connecting from China, as that's where he is now
05:38 < aditsu> I thought about trying to use tcp or a different port, but it seems there's no simple way to add that to an existing server
05:38 < Poltsi> I'm in no way an expert on openvpn (started using it just a week ago, or so), but FWIW I would begin with getting either the client to function as a remote, or preferably try to get eg. screen sharing in order to figure out what happens on the client-end
05:39 < Poltsi> One thing, has it ever worked from China?
05:39 < aditsu> yes, it used to work previously
05:40 < aditsu> not sure what additional info I could get, he sent me the openvpn logs
05:41 < Poltsi> The certainty that it is nothing on the client side that could affect the connection.
05:42 < Poltsi> Like... antivirus or something
05:42 < aditsu> hard to get any certainty about that.. and he's using a mac
05:44 < Poltsi> Upgrade the OS? MacOS is AFAIK not impervious to virii
05:44 <@ordex> aditsu: the log seems to show a choked connection
05:44 <@ordex> because something is passing but then it stops
05:45 < aditsu> ordex: I guess so
05:45 <@ordex> aditsu: could be the gfw is blocking some packets once it recognizes them
05:45 <@ordex> aditsu: have you tried with tls-crypt ?
05:45 < aditsu> you mean the great firewall?
05:46 <@ordex> aditsu: well, some firewall :D
05:46 <@ordex> being the client in china, the great firewall can be a problem too
05:46 <@ordex> aditsu: I'd suggest to give tls-crypt a try
05:46 < aditsu> wasn't sure what you meant by "gfw"
05:46 <@ordex> ah ok, yeah I meant that
05:46 < aditsu> I don't know tls-crypt, I'll check it out
05:46 <@ordex> it basically encrypts the tls handshake
05:46  * Poltsi fades out, work to do
05:46 < aditsu> Poltsi: thanks for your input
05:47 <@ordex> aditsu: so basically the point where the client stops, with tls-crypt would be encrypted, so maybe a higher chance to pass
05:47 < Poltsi> Np
05:47 <@ordex> aditsu: you can also dump the traffic on the server to see if you still receive something or if it stops all of a sudden
05:48 <@ordex> aditsu: btw I use your server as gentoo portage mirror :D thanks for that
05:48 < aditsu> oh you're welcome :)
05:49 <@ordex> aditsu: about "adding a port": a server can only listen on one port/protocol at the moment. but if it's running linux you can add a port redirect with iptables. so it will look like running on multiple ports (same protocol)
05:51 < aditsu> ordex: it's actually behind a router, I could add another port forward rule for that; tcp would be another issue though
05:51 <@ordex> aditsu: yap
05:51 <@ordex> unless you want to spawn another server with a slightly different config
05:52 < aditsu> yeah.. I saw some examples on the net, but it's not very simple
05:53 <@ordex> aditsu: uhm.. what? listening on tcp ?
05:53 <@ordex> it should be no different than running a server on udp, just with a different proto line
05:54 < aditsu> I mean having 2 openvpn servers that work together as one
05:55 < aditsu> it would be nice if openvpn could handle that internally - just add multiple things to listen on in the same config
05:55 < aditsu> maybe in some future version..
05:55 <@ordex> yeah
05:55 <@ordex> multi protocol is a nightmare .. I started working on that, but coming up with a "clean" solution is non trivial
05:56 <@ordex> btw, if you don't need to "synchronize" them, it should be ok to just run two instances on two different subnets/interfaces
05:56 <@ordex> but I guess you have more requirement
05:56 <@ordex> s
06:01 < aditsu> well.. I'm not sure it's worth the effort of setting up all that stuff just for this user
06:02 <@ordex> well, it's not even sure it will work
06:02 < aditsu> right
06:02 < aditsu> I added another port now (udp), will see if it helps
06:03 < aditsu> have to wait for him to get back to me :p
06:09 <@ordex> :P
06:09 <@ordex> but for testing, isn't it easier to just spawn a server on your laptop and test with it? so you don't risk breaking your server :-P
06:10 <@ordex> btw two months ago I managed from SZ to connect to my VPN server in the netherlands (without tls-crypt at that time), but this was before china announced they wanted to kill all the vpns
06:13 < aditsu> I'm not familiar enough with openvpn and it's not trivial enough for me to call it "just spawn(ing) a server on (my) laptop"
06:14 <@ordex> oh ok
06:14 < aditsu> it may take me a couple of hours to set up a new server and make sure everything is ok, and that is without the requirement of allowing an existing client (certificate) to connect
06:21 < aditsu> ordex: where's the official doc for tls-crypt?
06:43 <@ordex> aditsu: there should be a wikipage I guess, otherwise the manpage is pretty exhaustive
06:44 <@ordex> --tls-crypt
06:53 <+hyper_ch> krzee: https://cynosureprime.blogspot.ch/2017/08/320-million-hashes-exposed.html
07:08 < devonrevenge> ls
07:08 < devonrevenge> hai - im trying to get vpn like access with ssh, I need someone to hold my soft hands and stroke my hair (in a metaphorical sense) while they exploit how to do such a thing
07:09 < Dougy> what
07:09 < Dougy> lol
07:09 < Dougy> !howto
07:09 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
07:09 < devonrevenge> now I dont have access to openvpn on this box
07:09 < devonrevenge> im not sure who to ask actually
07:13 < aditsu> devonrevenge: you could use ssh tunnels for certain things
07:18 < devonrevenge> so you cant use it to create vpn like access but maybe for specific ports
07:21 < aditsu> ordex: found some info in the 2.4 man page; would tls-crypt on the server require using it on the clients too?
07:21 < aditsu> devonrevenge: I think so
07:22 < aditsu> well, depend what you mean by "vpn like access", but ssh doesn't create an actual vpn
07:27 < devonrevenge> so I could say do an nmap scan and all ips behind a box would come up also
07:27 < devonrevenge> but no vpn
07:28 < devonrevenge> I was thinking of some kind of IP table redirection
07:30 < devonrevenge> I would like to know how to do joe
07:33 < aditsu> you can run nmap on the ssh server ^_^
07:36 < devonrevenge> yeah but I got nikto and loads of other things I want to run but cant put on the box
07:36 < devonrevenge> and then theres the remote desktop connections which arent connecting
07:40 < aditsu> devonrevenge: if you know exactly what to connect to (mainly using tcp), you can use ssh tunnels; if useful, you can use ssh to create a socks proxy; otherwise, you probably can't do it with ssh
07:43 < devonrevenge> socks proxy - looking this up
07:46 < aditsu> btw, I hope you're not doing anything shady :p
07:51 <@novaflash> no no, just downright illegal :-P
07:52 < aditsu> well, I'm sure NSA is watching this :) (hello folks)
07:59 < devonrevenge> nope its all lerns
08:00 < devonrevenge> I wonder what they do watch - it makes sense to follow crypto and security
08:00 < devonrevenge> for breakthroughs rly
08:00 < devonrevenge> imo
08:12 < devonrevenge> imoso let me get ssh portforwarding straight, I devonrevenge wish to view alices webpage on the network behind bob
08:12 < devonrevenge> so I ssh forward port 80 to bob and then my browser will find alice??
08:12 < devonrevenge> I have ssh acces to bob just not alice
08:16 < DArqueBishop> devonrevenge: no offense, but...
08:16 < DArqueBishop> !notovpn
08:16 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
08:16 < devonrevenge> yeah not offended just who does talk about this goodness?
08:16 < devonrevenge> wait #hackers
08:19 < aditsu> #networking .. too late
08:21 < aditsu> or was it ##
08:21 < aditsu> anyway, I gotta go too
09:49 -!- fractal is now known as _fractal_
09:51 < _ADN_> is it possible to have two ca.key for a openvpn server?
09:51 -!- abenz__ is now known as abenz
09:55 < DArqueBishop> _ADN_: No.
09:56 < _ADN_> and the possibility of having one user cert that can have two server ca.key?
09:56 < rob0> you can run multiple server instances on the same host if you want, and different CA for each if desired.
09:56 < _ADN_> thx rob0 I am looking at the possibilities, currently I am running 4 OpenVPN but looking if I coudl reduce that number
14:50 -!- abenz_ is now known as abenz
14:52 -!- Dougy [~dougy@openvpn/community/support/Dougy] has quit [Ping timeout: 248 seconds]
17:12 -!- dionysus70 is now known as dionysus69
17:58 -!- abenz__ is now known as abenz
18:12 -!- abenz__ is now known as abenz
--- Day changed Wed Sep 06 2017
04:33 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has left #openvpn []
04:57 < TyrfingMjolnir> How can I do conditional redirects?
04:57 < TyrfingMjolnir> For example I would only like to redirect for certain IPs/hostnames
05:04 -!- ld50_ is now known as ld50
05:31 <@ordex> TyrfingMjolnir: it's just a matter of routing (with IPs)
05:31 <@ordex> with hostnames might be more difficult because they may resolve to different IPs
05:51 < TyrfingMjolnir> So I use the settings I have for the old bank to route handelsbanken.se to use the ISDN modem's IP? Good
05:51 < TyrfingMjolnir> I'll do that
05:52 < TyrfingMjolnir> But how can I have openvpn server send this setting to its client?
05:53 < TyrfingMjolnir> or set this in the .ovpn file? ordex
05:54 <@ordex> TyrfingMjolnir: you can try to push a route from the server, if you want all the client to have the same route
06:04 < Benedict> related question
06:05 < Benedict> if i add a route (ie exception) for a website with a domain name
06:05 < Benedict> instead of ip
06:05 < Benedict> does the vpn still resolve that domain
06:06 < Benedict> for example route google.com 255.255.255.255 192.168.1.80
06:06 < Benedict> how does it resolve google.com, using the 192.168.1.80 gateway or openvpn
06:07 <@ordex> does it work?
06:07 < Benedict> i haven't tested, reading stuff on google
06:07 < Benedict> :P
06:07 <@ordex> if it does I think openvpn will resolve it right before installing
06:27 < TyrfingMjolnir> ordex: This would be nice to have 2 ovpn config files; one for custom routing, one for no redirect and one for full d
06:28 < TyrfingMjolnir> redirect %/2/3/g
07:07 <@dazo> !iroute
07:07 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
07:07 <@dazo> !clientlan
07:07 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
07:07 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
07:08 < andrzejv> !ccd
07:08 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
08:08 < tcpdump> hey everyone
08:08 < tcpdump> is there a startup config for openvpn?
08:09 < tcpdump> Specifically, like an ifup script somewhere?
08:09 <@ecrist> tcpdump: yes/no
08:09 < tcpdump> I want openvpn to kick off a secondary .sh script when it comes up.
08:09 <@ecrist> openvpn can be started with all options on the command line
08:09 < tcpdump> Is there a way to do that?
08:09 <@ecrist> alternatively, you can pass a config file to openvpn with the --config option
08:09 <@ecrist> if you want a script to run on openvpn startup, that can be done, too
08:10 <@ecrist> are you talking from server side or client side?
08:10 < tcpdump> ecrist: client side.
08:10 <@ecrist> you want to use --up then
08:10 < tcpdump> what do you mean by  --up?
08:11 < tcpdump> I have the client running as a systemd service.
08:11 <@ecrist> !man
08:11 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
08:11 < tcpdump> I want the client to be connected anytime theres an Internet connection.
08:11 <@ecrist> start there.
08:11 < tcpdump> So if the network drops and comes back, I want to kick off a different shell script when tun0 comes up.
08:11 <@ecrist> I answered your question
08:12 < _ADN_> I pu this into my server push "redirect-gateway autolocal", but the metric is 35 and the DHCP is 25
08:12 < _ADN_> how can I lower the metric for the redirect GW?
08:13 < tcpdump> im reading.
08:14 < tcpdump> Is there any speed improvements in support ciphers in 2.4 vs 2.3>
08:14 < tcpdump> I think I head read somewhere that there was?
08:14 <@ecrist> tcpdump: that's dependent upon openssl library
08:15 < tcpdump> ecrist: so it looks like id add  --up /path/to/sh.sh to my unit file, most likely?
08:16 <@ecrist> yup
08:16 < tcpdump> ExecStart=/usr/sbin/openvpn --cd /etc/openvpn --config client.conf --daemon openvpn --writepid /run/openvpn.pid --status-version 2  --up /path/to/sh.sh
08:16 < tcpdump> so something like that?
08:16 < tcpdump> thanks!
08:16 <@ecrist> not to the unit file, to the config file
08:28 < _ADN_> route-metric for Windows will it sum up the metrics or it will give metric=5
08:28 < _ADN_> cause I read on google they will sum them up
08:29 <@ecrist> _ADN_: read the man page?
08:29 < havoc> heh, routing
08:29 < havoc> ecrist: have fun with that ;)
08:31 < _ADN_> I added into my config redirect-gateway autolocal but windows puts a metric of 35
08:33 <@ecrist> _ADN_: you stated that already
08:33 <@ecrist> did you read the man page?
08:34 < _ADN_> yes I read the --route --route-gateway --redirect-gateway
08:34 < _ADN_> --route-metric
08:34 < _ADN_> basicly all is around route
08:35 < _ADN_> so just replace "redirect-gateway autolocal" with "route 0.0.0.0 .0.0.0.0 10.11.X.X 10"
08:37 <@dazo> hehe ... https://twitter.com/stskeeps/status/905385811931222016
08:37 <@dazo> krzee: ^^^
08:40 < havoc> ding ding ding!
08:50 < tcpdump> haha true dazo
08:56 <@ecrist> dazo: yes, that's not a new statement though.
09:01 < tcpdump>  if I add up /path/to/mybin to my config it fails to start with a generic error of :   Sep 06 13:54:49 mydevice systemd[1]: [[0;1;39mopenvpn.service: Failed with result 'resources'.[[0m
09:01 < tcpdump> Any idea why that is?
09:28 <@dazo> tcpdump: what is the systemctl command line you use?
09:29 < iliv> are DH keys and tls-auth keys completely standalone or do they depend on a CA key/cert?
09:29 <@dazo> tcpdump: if using openvpn-{client,server}@.service units, those have become fairly strict
09:29 < iliv> for example, if I say recreate my CA can I reuse existing DH and tls-auth keys?
09:30 <@dazo> iliv: DH is not a key, it is actually considered to be a shared knowledge ... and the server sides needs DH for the TLS protocol.   DH is never used for the certificates at all
09:30 <@dazo> iliv: --tls-auth keys are something which is OpenVPN specific and actually hardens the TLS protocol ... and again nothing directly related to the certificates at all
09:32 < iliv> so both do not depend in any way on CA's key/cert like client keys/certs do and thus can be reused (I understand it is not the best practice but in this scneario seems perfectly acceptable)
09:36 < rob0> I wonder why you would want to reuse the dhparam?
09:39 < seven-eleven> hello
09:40 <@dazo> iliv: correct, neither --tls-crypt nor --dh have any influence on certificates at all.  They are more tied to the core of the TLS protocol, not the authentication handshake
09:41 < seven-eleven> how do i route all outgoing traffic from an openvpn-server over an openvpn-client? established connections from incoming traffic should be routed over the openvpn's server WAN IP, not the openvpn-client though
09:41 <@dazo> iliv: you can even rotate the --dh file every now and then too.  That's not unreasonable to do.  But not something you need to put high up on your todo list
09:41 < iliv> interesting :) thanks for the tip!
09:42 <@dazo> iliv: but if you replace/rotate the --tls-auth key .... then you need to update all clients as well.  So even though it is good to rotate that one too, it is much more difficult if you have a lot of clients
09:43 < iliv> rob0, well, I lost my CA so I need to recreate it. In the process I started to realise that DH and tls-auth apparently can be reused. I figured I'd confirm wiht someone who knows for sure.
09:43 <@dazo> iliv: we're working on a feature called tls-crypt-v2, which will be a far better alternative to both --tls-auth and --tls-crypt, where each client will have their independent own tls-crypt-v2 key ... that will be a big deal in the future
09:44 < iliv> cool
09:44 <@dazo> iliv: if you need to recreate your CA ... there's no point in saving/reusing --tls-auth or --dh files
09:47 < seven-eleven> this is what i tried so far (unsuccessfully unfortunately) http://dpaste.com/3AHC4Y1
09:50 <@dazo> seven-eleven: hmmm .... not sure the iroute stuff will work so well, tbh
09:50 <@dazo> rob0: ^^^ you might have some good thoughts on this one
09:51 < rob0> Yes.  The only actual use-case I can imagine for this is snowshoe spamming, to hide the actual origin of spam through the VPN clients.
09:52 <@dazo> heh
09:52 < rob0> I was once hired by a spammer to do exactly this.
09:52 < rob0> (quit when I found out what they were trying to do)
09:53 <@dazo> rob0: you should have completed and routed a duplicate message to the spamcop and similar spam/block services at the same time :-P
09:54 < rob0> I did notify Spamhaus.
09:54 <@dazo> ahh, good :)
09:55 <@dazo> seven-eleven: why do you try setup VPN in such a configuration?
09:56 < rob0> It's highly unusual, and questionable, why you would want to route packets back out through VPN clients.
09:56 < seven-eleven> i think it's not suitable for spamming, because even when you use load balanced tcp packets over multiple vpn clients, the destination host can look at the handshakes and see which IP belong together.
09:57 < seven-eleven> dazo, i want to scrape a website with about 40k request from the openvpn-server over my openvpn-client
09:57 < rob0> like a ddos?
09:58 < seven-eleven> no, there will be delays between each request, like 2-3 seconds, those are about 40 pages I want to scrape
09:58 < seven-eleven> 40k*
10:13 < MacGyver> Have you considered asking the website owner for a data dump?
10:17 < rob0> I suppose seven-eleven would be expecting that request to be denied.
10:21 < seven-eleven> it's a huge website and they don't have an api unfortunately. they only supply multiple text files which have missing relations between each other :-)
10:35 < rob0> seven-eleven, I guess you have not spent much time reading the LARTC howto?  By putting the /1 routes into the server's main route table, you're trying to route the tunnel through itself.  That obviously won't work.
10:38 < rob0> Each client will need a separate route table on the server.  And then some means of selecting the various tables for outbound HTTP.  That part is going to be very difficult, probably unattainable without custom code in the HTTP client.
10:42 < seven-eleven> rob0, haven't read the LARTC howto, I'll check it out, thanks. i was thinking by adding /1 you could split the network as explained by this answer https://serverfault.com/a/312977
10:42 <@vpnHelper> Title: networking - Why Openvpn use network 0.0.0.0 netmask 128.0.0.0 as default route? - Server Fault (at serverfault.com)
10:42 < rob0> servers NEVER use /1 rules to route through clients
10:42 < rob0> you're misunderstanding the context of what you read
10:43 < seven-eleven> rob0, "Each client will need a separate route table on the server." i would want to route traffic from the openvpn-server only over one openvpn-client, would I still need multiple routes then, or can they all be in one same subnet
10:43 < rob0> you can't route a tunnel through itself
10:43 < seven-eleven> mhm
10:44 < seven-eleven> so maybe just doing `ip route add default via 10.8.0.101 dev tun0` would do the trick or am I still thinking wrong :-)
10:44 < rob0> you can't route a tunnel through itself
10:45 < seven-eleven> okay, then i think the easiest solution is to just run an openvpn-server on the client too, and connect as a client from the server I create the requests from
10:45 < rob0> if your default route is the tunnel, what happens to the connections to the clients?
10:46 < rob0> LARTC
10:46 < seven-eleven> yeah, going to read that now :-)
10:46 < rob0> You cannot possibly accomplish this without a strong understanding of advanced routing concepts.
10:47 < rob0> How many days have you invested into this so far?
10:47 < seven-eleven> a couple of days
10:51 < seven-eleven> in that time i could have probably read and tried out 70% of LARTC's howto :-)
11:03 < MacGyver> seven-eleven: "Huge website" and "No API" does not preclude the possibility that they would be happy to snail-mail you a data dump on DVD.
11:04 < MacGyver> seven-eleven: There may be other reasons, but...
11:04 < MacGyver> seven-eleven: I'm just saying that sometimes there is a solution that does not involve technical hurdles and is less ethically questionable.
11:09 < DArqueBishop> *cough* Aaron Swartz *cough*
11:11 < MacGyver> Well *that* case clearly was an organization that was *not* going to mail a data dump on DVD.
11:12 < MacGyver> I'm basically saying, don't fall into this trap: https://www.xkcd.com/530/
11:12 <@vpnHelper> Title: xkcd: I'm An Idiot (at www.xkcd.com)
11:47 < seven-eleven> from LARTC: "If we want to do fancy things, we generate rules which point to different tables which allow us to override system wide routing rules." does this mean any custom table we create will overwrite the routes from the main table? if yes, do netfilter do this by looking at the table number and weighs smaller table numbers higher? main is number 254 out of 255
11:48 < MacGyver> No, it means you have custom tables which you can then point specific traffic at instead of the main table.
11:49 < MacGyver> It will not overwrite anything in the routes from the main table.
11:50 < seven-eleven> ah, good to know, thanks!
11:50 < MacGyver> And iirc it doesn't have a fallthrough.
11:50 < MacGyver> i.e. if there's no route for your traffic in the table you pointed it at, it will not be routable.
11:50 < MacGyver> Even if another table would have had a route.
11:51 < seven-eleven> so by default there is `from all lookup main `  and if i add now `from 42.42.42.42 lookup my_table` it will point the traffic to that table, because `from 42.42.42.42 ..` is more specific to that IP/subnet than `all`
11:53 < seven-eleven> implying that the traffic will point to table_1 if we have e.g. these rules:    `from 42.42.42.42/32 lookup table_1`    `from 42.42.42.42/24 lookup table_2` , because /32 is more exact than 24?
12:01 <@ecrist> that's normal routing - lower metric and more precise route wins
12:02 <@ecrist> that's also how def1 works in redirect-gateway
12:02 <@ecrist> it leaves the 0.0.0.0/0 route in place but provides two narrower routes
12:03 <@ecrist> !def1
12:03 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
12:04 < seven-eleven> ah got it, thanks for clarification!
12:04 < havoc> I remember pushing two /1 routes to manage "redirect-all"
12:04 < havoc> much easier now
12:05 < havoc> oh, in def1 now :)
12:06 < havoc> and it was precisely for the reason stated there; to not wipe out the default gateway
12:06 < havoc> again, much easier now
15:13 < gics> hello, can please someone help me with an openvpn service that doesn't start due to "permission denied" on tmp-dir, inside a chroot?
15:14 < gics> permission are 770 and chowned to the same "openvpn" user i wrote in the config
15:14 < gics> the only way i have to start it, is to chmod to 777
15:18 < gics> here is a paste https://pastebin.com/wxDNad2x
15:20 < gics> !welcome
15:20 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
15:20 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
15:20 < gics> !goal chroot
15:56 <@dazo> gics: that's odd ... I'm using the same thing in my configs ... and I use 0770 on the chroot /tmp dir
15:56 <@dazo> gics: can you pastebin your logs?
15:56 <@dazo> !logs
15:56 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
15:57 <@dazo> !logfile
15:57 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
16:03 < gics> dazo, i was here some times ago, similar problem but with old-stable debian. Now i'm with new stable debian, but it seems they haven't solved problem with systemd
16:05 < gics> if i start manually openvpn it doesn't throw me error about permission denied on tmp, but if i start it with systemctl the error comes out
16:06 < gics> i don't remember if you or ordex was the systemd master and helped me find a solution at that time :)
16:07 < gics> which, btw, wasn't a clean solution but i ended up simply starting openvpn manually and let it run, as is always online on a VPS
16:09 < gics> https://pastebin.com/0fLdptxK
16:13 <@dazo> gics: probably me .... and to be honest, I hope the Debian package maintainer doesn't fix it ... we should fix it upstream first :)
16:14 <@dazo> gics: I working my way through a longer openvpn patch queue right now .... but I'll have a closer look at this and keep you posted
16:15 <@dazo> gics: have you found a ticket on this issue in our bug tracker? ... if it's not there would you mind open a new ticket?
16:15 <@dazo> https://community.openvpn.net/openvpn/report/6
16:15 <@vpnHelper> Title: {6} All Tickets By Milestone (Including closed) – OpenVPN Community (at community.openvpn.net)
16:16 < gics> dazo, i found a debian bug tracker but is related on double // before tmp, so something you can simply fix with --tmp-dir
16:16 < gics> dazo, if you need the systemd,service that runs openvpn just tell me
16:17 <@dazo> yeah, all details will surely help
16:17 < gics> *i mean systemd.service file
16:17 <@dazo> I understood :)  yes, please :)
16:18 < gics> ops, i lost it, just 2 minutes i need to find it again
16:21 < gics> here is -> https://paste.debian.net/hidden/188802e3/
16:21 < gics> it seems to me, much more text lines compared to old-stable
16:22 < gics> but same problem :(
16:22 <@dazo> gics: okay, that's the debian mangled unit file ... I strongly do recommend using openvpn-server@.service  (config files must be in /etc/openvpn/server)
16:23 < gics> can't found that "openvpn-server@.service" but only openvpn@server.service and openvpn.service
16:24 <@dazo> which version of openvpn ?
16:24 < gics> OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
16:25 <@dazo> hmmm .... openvpn-server@.service  should be shipped though
16:25 < gics> and yes my .conf is inside /etc/openvpn/server and symlinked in /etc/openvpn/
16:25 <@dazo> right
16:25 < gics> but i recall to have seen something like openvpn-server@.service in the past
16:27 <@dazo> https://paste.fedoraproject.org/paste/SzqTmFskBQD9HRZ32JOzVw/raw  ... this should be what we ship
16:27 < gics> maybe because i have now disabled  openvpn@server.service to start on boot? i'm trying the debian way in /etc/default/openvpn to start at boot ATM
16:27 < gics> i take a look on your link
16:28 <@dazo> eek .... that approach goes through some really odd hoops of generating service files on-the-fly, iirc
16:28 <@dazo> they kept that way on systemd, to avoid breaking old systems which got upgraded
16:29 < nplus> I have a quick question about client version numbers... for the windows installer, there is 2.4.3-I601 and 2.4.3-I602. What's the difference between them?
16:31 <@dazo> nplus: the I60x versions is just updates in either dependencies (openssl, liblz, pkcs11 stuff, etc) ... or just fixing bugs in the installer
16:31 <@dazo> 2.4.3 is the OpenVPN version itself
16:31 <@dazo> "Windows installer I602 includes updated OpenVPN GUI (11.8.0.0) and easy-rsa (2.3.0). The installer also fixes a security vulnerability in the service management code."
16:31 <@dazo> https://openvpn.net/index.php/open-source/downloads.html
16:31 <@vpnHelper> Title: Downloads (at openvpn.net)
16:32 <@dazo> right, the I60x also includes updates to the GUI front-end :)
16:32 < nplus> dazo: Ah I see - that makes sense!
16:32 < nplus> Thanks
16:33 < gics> dazo, i'm tempted to change that "PrivateTmp=true" to false, but from my poor systemd competences i understand that .service is generated on the fly
16:33 < nplus> The answer was right under my nose the whole time, but didn't know it
16:35 <@dazo> gics: hmmm would be interesting to see if that changes anything .... PrivateTmp=true actually means the service gets its own /tmp directory (not sure if also /var/tmp, I think that one too) ... so services won't be able to share data through tmpdirs
16:35 < gics> dazo, just tested but no luck, going back to true
16:36 <@dazo> gics: did you remember to do:  systemctl daemon-reload?
16:36 <@dazo> before trying
16:36 < gics> ops, no
16:36 < gics> no way, same permissions error
16:37 <@dazo> okay, good :)
16:37 < gics> type forking and type notify, i see this difference too
16:37 <@dazo> it's important to do the daemon-reload when modifying unit files ... systemctl might complains about it, though
16:37 <@dazo> yeah, that is significant
16:37 < gics> between my .service and yours
16:37 < gics> ok
16:38 <@dazo> Type=notify enables a tigher systemd integration in openvpn .... where PIDfile is no longer needed
16:39 < gics> no PIDfile?? ok i don't want to open a () here :) I have already too much stuff to worry about permissions now :)
16:40 < gics> WorkingDirectory is different too, but i think is insignificant, right?
16:40 <@dazo> You can safely switch to notify and hash out the PIDFile= line :)
16:41 <@dazo> I hope that the latest debian package have the latest systemd fixes though, which were added in 2.4.1 and 2.4.2 .... 2.4.3 had no systemd changes, afair
16:43 < gics> mmmmm, the backport is 2.4.3-4~bpo9+1
16:43 <@dazo> good! that sounds promising
16:43 < gics> let me see how install it
16:52 < gics> ok, installed new version, now i have openvpn@ openvpn-client@ openvpn-server@
16:52 <@dazo> ahh, good :)
16:52 < gics> dazo, but a new error too :)
16:52 < gics> --chroot directory fails with '/home/openvpn/jail': No such file or directory
16:53 < gics> which isn't true, i know for sure the dir there is
16:53 <@dazo> that one sounds familiar somehow .... but I am slightly confused why it appears
16:54 < gics> me too
16:54 <@dazo> but it was ages ago we fought that one
16:54 <@dazo> can you pastebin the new unit files?
16:54 < gics> also i'm confused because openvpn@server.service is vanished
16:54 < gics> sure, just let me find it
16:55 <@dazo> that's because of the debianism ... and the generator script
16:55 <@dazo> it is tied to the openvpn.service somehow
16:55 <@dazo> I never dived into the core details of how/why debian over-engineered this
16:56 <@dazo> let me get a chance to complete my patch queue work .... and I'll boot up my debian test VMs
16:56 < gics> i have many units, which one could help more? https://paste.debian.net/hidden/33344522/
16:57 <@dazo> okay .... a quick systemd tour :)
16:57 <@dazo> line 1:  The multi-user.target.wants keep symlinks to units enabled at boot time
16:57 < gics> ok
16:58 <@dazo> line 2: that's the debian openvpn.service stuff which does strange black magic for the openvpn@server.service stuff
16:58 <@dazo> line 3 + line 4 is related to line 2
16:58 < gics> ahha ok
16:58 <@dazo> and line 5+6 I have absolutely no clue ....
16:59 <@dazo> so that's probably part of the debinaistic over-engineering :-P
16:59 < gics> and i searched as openvpn.service, maybe there are many others units....i don't envy you :)
17:00 <@dazo> try: locate openvpn | grep \.service
17:00 < gics> more stuff :)
17:00 <@dazo> :)
17:00 <@dazo> the ones in lib/systemd/system/ and /etc/systemd/system are the relevant ones
17:01 < gics> https://paste.debian.net/984867/
17:01 <@dazo> the latter one (/etc) overrides the former (/lib) in case of conflicts
17:02 <@dazo> so ... /lib/systemd/system/openvpn-server@.service  this one should be our upstream ones
17:03 < gics> in fact is similar to your fedora one
17:03 < gics> more similar than the previous
17:03 <@dazo> yeah, that sounds promising :)
17:04 <@dazo> we actually work hard so all systemd distros ship the same ones .... so that the behaviour is identical across distros ... which helps us when giving support :)
17:04 <@dazo> predictable behaviour ftw!
17:04 < gics> ehhe
17:06 <@dazo> I have 2 more patches to review and apply, and do the 2.4 porting and send lots of mails....  and then I'll dig into this for real
17:16 -!- abenz__ is now known as abenz
17:26 < gics> dazo: i have problem with adsl. came back with my phone connection just to say thank you ;)
17:27 < gics> dazo: i hope tomorrow i can paste all the units
19:23 <@ordex> gics: I am no maintainer
23:12 -!- abenz_ is now known as abenz
23:27 -!- rax-Y is now known as rax-
--- Day changed Thu Sep 07 2017
01:06 < Fivestein> !welcome
01:06 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
01:06 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
01:07 < Fivestein> !goal connect to my test openvpn setup using a windows 10 client
01:09 < Fivestein> !goal
01:09 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:09 < Fivestein> I'm trying to figure out how to connect to my test openvpn setup using a windows 10 client
01:10 < Fivestein> !goal
01:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:10 < Fivestein> gah, nevermind
01:38 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 255 seconds]
01:39 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
01:39 -!- mode/#openvpn [+o syzzer] by ChanServ
01:58 < dPow> !ovpnuke
01:58 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
02:32 -!- upbeta______ is now known as upbeta
03:08 -!- whoa2 is now known as whoa
07:01 < gics> dazo, hello, i have pasted the debian .units like promised yesterday --> https://paste.debian.net/hidden/2e99517f/
14:19 -!- Dougy [~dougy@openvpn/community/support/Dougy] has joined #openvpn
15:13 -!- dionysus70 is now known as dionysus69
15:16 < xtuh> Hi, i have fresh installed ubuntu that i want to use as openvpn client. i have exported all needed files from server, i the /etc/openvpn i see 2 directories "server" and "client". i have my files in the "client" dir. if i cd to it and make "openvpn client.ovpn" then connection is established. but how to do that on system startup? in the /etc/defaults/openvpn i have uncomented line AUTOSTART="all" , but that didnt help. where did i wro
15:24 < gics> xtuh, I'm not an openvpn expert here, but i think that systemctl enable openvpn-client@.service should do the job
15:42 < xtuh> gics: i dont know why there is "server" and "client" dirs, but mooving all to /etc/openvpn and renaming .ovpn to .conf do the thing. thanks.
15:42 < xtuh> bye
16:16 -!- abenz_ is now known as abenz
17:02 < cluelessperson> has anyone here tested/experienced openvpn loadbalancing possibiliities?
17:02 < cluelessperson> using multiple server connections maybe?
17:31 -!- abenz_ is now known as abenz
18:50 < Daiwo> hmm ... I wish SoftEther had such a large community
20:17 < scj643> Seems UDP has connection issues with my clients
20:21 < Celmor> I'm using parameter --auth-user-pass $file (with $file containing Auth Username and Auth Password) but it still prompts me for them after running that line
20:29 < PrimePlaya24> "C:\Program Files\OpenVPN\easy-rsa" Why after installing OpenVPN i do not have an "easy-rsa" folder
20:36 < zoredache> I think it may be an non-default option you have to select in the Windows installer, but I am not certain
20:36 < zoredache> oh, but you disconnected, so nevermind
20:36 <@ordex> :p
20:40 < scj643> Could someone explain how I can make UDP more reliable
20:41 <@ordex> scj643: it depends on what the problem is
20:41 <@ordex> it can also be that your provider is dropping them
20:41 <@ordex> or maybe the link is just lossy, so you have a lot of missing packets
20:41 < scj643> I'm in a University network
20:41 <@ordex> wifi ?
20:41 < scj643> The server is o
20:41 < scj643> On wired
20:41 < scj643> Client is wireless
20:42 < scj643> Different subnets
20:42 <@ordex> that could be one reason for lossy link as well
20:42 <@ordex> scj643: but what is the problem you are seeing?
20:42 < scj643> I switched it to tcp let me switch it back
20:46 < scj643> I get SetTunnelSocket returned 1
20:46 < scj643> My client is an iPad
20:47 <@ordex> uhm
20:48 <@ordex> I guess you are using OpenVPN Connect ?
20:48 < scj643> Yep
20:48 <@ordex> I am not sure what that means .. Connect is developed by OpenVPN Tech. It is not opensource
20:48 <@ordex> !as
20:48 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
20:48 < scj643> Well shit
20:55 < zoredache> Do you have your keepalive set to something small on the server?  Is it timing out due to some power-saving feature of the tablet or something?
20:55 < scj643> It's just not conn
20:57 < scj643> I get waiting for server reply on Open VPN on Android
20:57 < scj643> The one that's not connect
20:58 <@ordex> scj643: any client that can connect? can you connect from another network? or the IP is only avaibale inside?
20:58 <@ordex> maybe you really have blocked UDP in the network
20:58 <@ordex> it could be "for security reasons"
20:58 <@ordex> whatever that may mean for them
21:00 < scj643> I can connect from my phone over wifi
21:01 < scj643> Windows if you click on a cmd window it will pausesb
21:01 < scj643> Pause shit
21:01 < scj643> I'm getting tls handshake errors on the server
21:02 < SimpleName> before connect complete, why have one or two minutes delay?
21:15 < scj643> TLS auth is just failing
21:21 < scj643> Might have figured it out
21:22 < scj643> Wasn't embedding my tls key properly
--- Day changed Fri Sep 08 2017
01:34 -!- abenz__ is now known as abenz
03:29 -!- abenz_ is now known as abenz
05:16 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 246 seconds]
05:17 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
05:17 -!- mode/#openvpn [+v RBecker] by ChanServ
06:16 < nbastin> is there any way for me to name the tap interface that the client creates?
06:25 < rob0> Well, that might depend on OS.  I know you can in Linux.  See --dev in the manual.  Also note that tap/bridging is almost always a bad idea.
06:26 < nbastin> yeah I guess if I look at the man page from the right angle I can actually set dev to whatever I want and then set dev-type
06:27 < nbastin> this was not clear from any of the sample config files.. :-)
06:29 < nbastin> as for tap we have to carry MPLS over the tunnel, there's no IP involved
06:30 < nbastin> this is for connections where l2tp over ipsec doesn't work
06:31 < Kryczek> nbastin: how does that work? Something write the MPLS directly into OpenVPN's virtual NIC?
06:31 < nbastin> Kryczek: the tap is connected to a soft bridge, which forwards the already-tagged MPLS packets over the tap interface
06:31 < nbastin> they're MPLSoE
06:31 < Kryczek> oh, right :)
06:31 < nbastin> (in this case, since the tap is ethernet)
06:32 < nbastin> if the tap could carry any L2, that'd be even better, but I can live with ethernet.. :-)
06:34 < nbastin> if I specify --dev, do I need to make the interface (same way we do on the server side?)
06:34 < nbastin> that would actually be more convenient for me
06:34 < Kryczek> nbastin: a nice thing with tap/bridging is also that you can activate the Spanning Tree Protocol on the Linux bridge
06:34 < nbastin> then I wouldn't need the up script and I could glue the interface before openvpn comes up
06:34 < nbastin> Kryczek: that depends on whether you think STP hello times of 2 seconds are nice or not.. :-)
06:34 < Kryczek> nbastin: so that you can easily have redundancy with 2 gateways on each side for example
06:35 < Kryczek> you can tune all the STP settings
06:35 < nbastin> we actually do have some with STP, where I tune the timers to 10sec, but it's still pretty chatty
06:36 < Kryczek> I did exactly that, not for MPLS, but for long distance line-of-sight microwave links
06:36 < nbastin> hrmph, the man page is unclear on whether I can make this interface first
06:36 < Kryczek> what do you mean?
06:36 < nbastin> on the server side we always make the tap interface, and then pass it into the config file
06:36 < nbastin> but on the client side historically I've put dev tap and then it makes one
06:37 < Kryczek> Linux or Windows or?
06:37 < nbastin> if I put dev foo, and dev-type tap, can I make foo?  or does openvpn still want to make foo?
06:37 < nbastin> linux
06:37 < Kryczek> I never created OpenVPN interfaces in Linux
06:37 < Kryczek> it always does it for me
06:37 < nbastin> if openvpn makes it I have to write an interface up script, which is ok but another thing to manage
06:37 < Kryczek> oooooh, you want to create it yourself first?
06:37 < nbastin> there's a moment between when openvpn makes the interface and attaches it to the bridge where it's up with no policy
06:37 < nbastin> yeah
06:38 < Kryczek> there might be a way but I've worked around that by creating a bridge to which OpenVPN attaches itself
06:38 < nbastin> on the server side for tap we make the tap first and pass it to the config
06:38 < Kryczek> so you can write all your MPLS stuff into the forever-existing bridge, and OpenVPN just links up with it
06:39 < nbastin> well it's not that simple, we do that too, but I need to know the port number
06:39 < nbastin> which doesn't exist until the port is made
06:39 < rob0> nbastin, indeed if no TCP/IP involved or layer 2 is necessary, tap is the choice.  (Most people who ask here are only using TCP/IP protocols.)
06:39 < nbastin> I mean I could make a dedicated bridge for each tunnel, and then connect *that* to the policy bridge, but that triggers a problematic amount of memory copies for packets
06:40 < Kryczek> nbastin: see the bridge-start script at the bottom of https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
06:40 <@vpnHelper> Title: Ethernet Bridging (at openvpn.net)
06:40 < nbastin> I would prefer to have (openvpn tap) - ovs - (CX-4 SR-IOV MPLS)
06:40 < Kryczek> nbastin: it does "openvpn --mktun --dev tap0" before the openvpn connection, if I understand correctly
06:41 < nbastin> wow that's...some crazy.. :-)
06:41 < nbastin> ok, I'll just try this by giving it an interface name I already made
06:41 < nbastin> :-)
06:41 < Kryczek> nbastin: if you are concerned by memory copies I would not use a userland VPN solution though ;)
06:42 < Kryczek> nbastin: have you looked into other in-kernel solutions like MPLS over GRE for example?
06:42 < nbastin> Kryczek: in situations where I need this, I have few choices.. :-)
06:42 < nbastin> GRE isn't secure, so it would be GRE over IPSEC, or something else, we tend to use L2TP over IPSEC
06:42 < nbastin> but not all networks forward strange IP protocols properly.. :-)
06:42 < nbastin> so then we have to revert to UDP
06:43 < nbastin> openvpn is the easy way to do that, and there's no reason to make the perf worse by copying the packets 4 more times.. :-)
06:43 < nbastin> (and having the linux kernel parse them...)
06:44 < Kryczek> true... just offering alternatives :)
06:45 < nbastin> if I run hw straight to openvpn, I can get around 1.2-1.3gbps, if I move it through a bunch of veths first that falls to 500-600mbps, if I use ovs patch interfaces it's a little better, but not a lot
06:45 < nbastin> and I lose a bunch of accounting
06:45 < Kryczek> out of curiosity may I ask what networks would not allow for IPsec (without NAT-T as you pointed out) ? Do you have to setup MPLS links through residential DSL boxes? :)
06:45 < nbastin> Kryczek: sometimes, basically
06:45 < nbastin> Kryczek: when people go on the road to hotels and stuff for conferences, and want to demo things
06:45 < nbastin> Kryczek: the networks are....crazy nonsense
06:46 < Kryczek> haha yeah
06:46 < nbastin> most of the permanent endpoints have raw L2 to each other in the first place.. :-)
06:47 < Kryczek> hopefully you don't have too much noise :P
06:47 < Kryczek> all the Windows machines advertising "Hello! I am John's Laptop! Does anyone want to hack me?"
06:48 < nbastin> ah yeah....we do a bunch of stuff to limit broadcast
06:48 < nbastin> dropbox lan sync is my personal favorite.. :-)
06:48 < Kryczek> plus all the WPAD broadcasts: "Does anyone want to intercept and possibly mess with my web traffic?"
06:48 < nbastin> we filter out mdns (v4/v6), netbios, upnp, and dropbox by default on all ports
06:48 < nbastin> other stuff depends on the site
06:49 < Kryczek> nice
06:49 < nbastin> yeah I was like wtf is all this chatty traffic on UDP 17500....
06:49 < nbastin> apparently everyone uses dropbox.. :-)
06:49 < nbastin> *swuash*
06:49 < nbastin> er, squash
06:50 < Kryczek> it's gone now, but MSN Messenger was fun too, broadcasting over the LAN to see if whoever you're chatting with, happens to be in the same LAN
06:50 < nbastin> yeah the L2 broadcast domain stuff is pretty fun, printers....
06:50 < nbastin> mdns takes care of a lot of the modern endpoints at least
06:51 < nbastin> hopefully I can pass it the interface, then it'll be really similar to the server code we already have
06:52 < Kryczek> good luck have fun :)
06:52 < nbastin> always!
06:57 <+hyper_ch> where is my krzee???
06:57 <+hyper_ch> krzee: https://phys.org/news/2017-09-identification-individuals-trait-whole-genome-sequencing.html - scary stuff
06:57 <@vpnHelper> Title: Identification of individuals by trait prediction using whole-genome sequencing data (at phys.org)
07:07 < scj643> What's the advantages of UDP vs TCP for an OpenVPN server
07:08 < rob0> !factoids search tcp
07:08 <@vpnHelper> 'tcp', 'tcp_nodelay', 'tcpdump', 'tcpip', 'tcptcp', 'tcptune', and 'win_tcplimit'
07:08 < rob0> !tp
07:08 < rob0> !tcp
07:08 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
07:09 < scj643> I can't avoid it unless I can get iOS to co operate
07:10 < nbastin> the short answer is that tunneling tcp over tcp has pathologically bad interactions
07:10 < scj643> It seems to work fine in my Uni lan for connecting to Windows RDP
07:10 < nbastin> so if you make a VPN over tcp, and then run a tcp connection over THAT, you can encounter some real nonsense
07:10 < rob0> if the connection is perfect, it will be okay
07:10 < nbastin> I mean it'll work fine in a lossless environment
07:10 < scj643> Since they block RDP on their lan
07:10 < rob0> but if there is any lossage, you'll suffer
07:11 < nbastin> if you have any loss you now have two layers performing congestion control, and you can get into situations like being permanently stuck in slow start
07:11 < scj643> I can get UDP working with OpenVPN for Android
07:11 < scj643> But not OpenVPN connect for iOS
07:12 < rob0> !as
07:12 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
07:12 < scj643> I already know
07:12 < scj643> It's some issue with configs
07:13 < scj643> Going to try to get UDP working
07:14 < scj643> I need to embed all the certs in my configs
08:45 < scj643> I'm getting incoming packet auth failure
08:46 < scj643> No wonder shit ain't working open VPN access on iOS is old as balls
08:47 < scj643> Core 3.1.2
08:52 < DArqueBishop> scj643: that doesn't mean anything. My OpenVPN Connect client on my iPhone connects just fine to my OpenVPN server.
08:53 < scj643> UDP ?
08:55 < scj643> DArqueBishop: can you send me a striped version of your configs ?
08:55 < scj643> This is my server log https://ghostbin.com/paste/8tec7
08:58 < DArqueBishop> scj643: are you running the server with admin privileges?
08:58 < scj643> That could be it
08:58 < scj643> Also what about the float option
08:59 < scj643> Incoming packet rejected from [AF_INET]10.21.0.65:1194[2], expected peer address: [AF_INET]172.20.64.55:1194 (allow this incoming source address/port by removing --remote or adding --float)
09:00 < scj643> Ok that was because my server had multiple IPs
09:01 < scj643> Oh ok it's the multiple ips on my server that was screwing it up
09:02 < scj643> Binding it should fix that
09:22 < scj643> I got all my OpenVPN stuff sorted
12:20 -!- m0nkey_ is now known as m0nkey__
13:08 -!- krzie [63abbb41@openvpn/community/support/krzee] has joined #openvpn
13:08 -!- mode/#openvpn [+o krzie] by ChanServ
13:09 -!- DropItLikeItsHot is now known as AfroThundr54230
13:10 -!- mode/#openvpn [+vvvv |Mike| rob0 pppingme Eugene] by krzie
13:10 -!- mode/#openvpn [+vv Dougy _FBi] by krzie
13:53 -!- krzie [63abbb41@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
13:54 -!- Benedict is now known as Neobenedict
15:25 < Celmor> I'm using parameter --auth-user-pass $file (whereas $file contains Auth Username and Auth Password on separate lines) but it still prompts me for that Auth information when running that line
16:08 -!- AfroThundr54230 is now known as PityDaFool
22:53 -!- tcpdump is now known as KernelPanicAtThe
--- Day changed Sat Sep 09 2017
01:04 < SimpleName> why server push “ifconfig 10.8.0.6 10.8.0.5” to client, I think server’s vpn ip should be 10.0.0.1
01:19 <@ordex> it's the nature of the tunnel when you don't use topology subnet
02:36 -!- abenz__ is now known as abenz
03:02 < Poltsi> FYI, I now have the bridging working for a server-roadwarrior-styled setup where the server is running on oVirt. The problem was ARP filtering on the hypervisor, once the relevant vNIC profile was cleared of the ARP-filter, everything works fine between the private network and the roadwarrior
03:54 < SimpleName> ordex: https://paste.ofcode.org/E64qaTe94rFC2ZWtQrmSC5 i found more better anwser
03:54 < SimpleName> :D
03:55 < SimpleName> this is becuase windows can’t use p2p mode, just net30 mode
05:32 < cluelessperson> I'm having difficulty with network namespaces and openvpn
05:32 < cluelessperson> is there a neat way to handle thos?
05:33 < SimpleName> what’s diffcult?
05:33 < SimpleName> bridge them?
05:45 < cluelessperson> SimpleName: well
05:45 < cluelessperson> SimpleName: it seems you have to write a script to setup a namespace, route between them, startup openvpn within it, and oi
05:45 < cluelessperson> SimpleName: bridge them how?
05:45 < SimpleName> what’s your purpose
05:47 < SimpleName> create namespace , then create pair virtual interface, then move to netns, then bridge two veth,
05:51 < cluelessperson> SimpleName: bridge how?
05:51 < cluelessperson> SimpleName: to isolate an application to the vpn
05:52 < SimpleName> you first need to create different netns for it
05:52 < cluelessperson> SimpleName: for the vpn?  done
05:53 < SimpleName> cluelessperson: ok, then you may want to connect vpn and eth0
05:53 < SimpleName> so you first connect tun0 and veth0
05:54 < cluelessperson> how?
05:54 < SimpleName> with “ip link add veth0 type veth peer name veth1” create pair veth
05:55 < cluelessperson> done
05:55 < SimpleName> mv veth0 to your netns
05:56 < SimpleName> ip link set veth1 netns your_ns_name
05:57 < SimpleName> now you need to create a bridge with “brctl addbr bridge_name eth0”
05:59 < cluelessperson> SimpleName: will that disrupt the existing connections on eth0?
06:01 < SimpleName> cluelessperson: maybe you should first have some understand about it
06:11 -!- SimpleName_ is now known as SimpleName
06:15 < SimpleName> back
08:17 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Quit: ABANDON SHIP! ABANDON SHIP!]
08:40 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
08:40 -!- mode/#openvpn [+o novaflash] by ChanServ
09:15 -!- remirol is now known as lorimer
13:29 < mike309> can anyone help me debug an extremely slow openvpn connection?
13:29 < mike309> I have a very fast ethernet connection
13:30 < mike309> I set up my own openvpn server and am able to get fast connection speeds through that
13:30 < mike309> but the one the sysadmins set up at my work is very slow when I connect to it, so slow I can't even finish a test on speedtest.net
13:31 < mike309> the server.conf files are almost identical
13:31 < mike309> my colleague on the same LAN is able to get 10-15 Mbps up and down using my client.ovpn file
13:33 < mike309> any suggestions on what I should check/modify?
13:33 < mike309> locally, that is
13:34 < mike309> I'm using openvpn 2.4.3 on ubuntu 16.04
14:28 < seven-eleven> hello, i read the LARTC, but iam still not sure how to solve my problem. i want to route all traffic over the vpn, except outgoing traffic. i added a rule to always use the WAN_GATEWAY as default route for packets that origin from my WAN_INTERFACE http://dpaste.com/1WYJQKH    now I want to route all outgoing traffic over my tun0 device, but I can't just `ip route add default via 10.8.0.1`, because you can't route a tunnel over itself,
14:28 < seven-eleven> but I can maybe still just do `route default via 10.8.0.1` *but* also simply do `ip route add table 32 default via WAN_IP` && `ip rule add from 10.8.0.0/8 table 32`?  or do I have to add all routes except 10.8.0.0/8 manually like so (to make sure that the tunnel is not tunneling itself)?:   ip route add  .. 128.0.0.0/1  64.0.0.0/2   32.0.0.0/3   16.0.0.0/4  12.0.0.0/6  11.0.0.0/7  9.0.0.0/8 ... via 10.8.0.1
14:29 < seven-eleven> i was thining with  `ip route add table 32 default via WAN_IP` && `ip rule add from 10.8.0.0/8 table 32` I would hinder 10.8.0.0/8 to route through itself
16:46 -!- KernelPanicAtThe is now known as tshark
17:16 -!- abenz_ is now known as abenz
17:25 -!- Dougy [~dougy@openvpn/community/support/Dougy] has quit [Ping timeout: 264 seconds]
23:48 < amosbird> hello
23:49 < amosbird> why do I suddenly get this error
23:49 < amosbird> Options error: You must define CA file (--ca) or CA path (--capath)
23:49 < amosbird> i have ca inlined in my clien openvpn config
--- Day changed Sun Sep 10 2017
00:28 -!- abenz_ is now known as abenz
00:45 <@ordex> amosbird: how did you inline it ?
00:46 <@ordex> it seems like it is missing
00:46 < amosbird> <ca>
00:46 < amosbird> -----BEGIN CERTIFICATE-----
00:46 < amosbird> something like that
00:47 <@ordex> mh weird
00:47 <@ordex> how are you launching openvpn ?
00:49 < amosbird> um, just openvpn config.ovpn
01:00 <@ordex> amosbird: can you launch it with opnvpn config.ovpn --verb 4 and paste the entire log
01:00 <@ordex> ?
01:01 < amosbird> ok
01:02 < amosbird> hmm, the error changes
01:02 < amosbird> TLS Error: TLS handshake failed
01:02 < amosbird> weird
01:04 < amosbird> https://la.wentropy.com/oqik
01:11 <@ordex> tihs is something completely different I'd say
01:12 <@ordex> and the --ca error is gone, meaning that the file is parsed properly now
01:12 <@ordex> what you are seeing might be because of a firewall on the server
01:12 <@ordex> or something similar
01:12 <@ordex> or tls-auth/crypt misconfiguration
01:12 < amosbird> "or tls-auth/crypt misconfiguration " how can I debug that?
01:13 < amosbird> i'm sure that the network is accessible
01:18 <@ordex> you have to check the config on the server and on the client and make sure the tls-auth/crypt settings are matching
01:18 <@ordex> you could paste the configs here if you want
01:18 <@ordex> !confis
01:18 <@ordex> !configs
01:18 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
01:19 < amosbird> ok
01:26 < amosbird> ordex:  https://la.wentropy.com/lB6i
05:00 -!- abenz_ is now known as abenz
05:56 < danst> how do you make openvpn tun0 default gateway after connection on ubuntu linux
05:57 < danst> I've tried push "redirect-gateway def1" on server side, but no luck
05:58 < danst> so I have to manually route add default dev tun0 each time
06:01 < danst> I don't have default gateway because I'm connecting to VPN through socks proxy on localhost
06:01 < danst> which goes to iphone through usbmuxd
06:03 <@novaflash> generally it's not a great idea to add a default route to tun0. instead use 0/1 and 128/1 routes.
06:05 < danst> why not
06:05 < danst> it works
06:05 < danst> ok I've managed to do it shitty way
06:06 < danst> script-security 2
06:06 < danst> up up.sh with /sbin/route add default dev tun0
06:06 < danst> thank you
06:11 <@novaflash> if you have push "redirect-gateway def1" on the server then in theory an openvpn client connecting to this server should receive that instruction and should implement 0/1 and 128/1 routes to go through the vpn tunnel. does the client config have 'client' or 'pull' directives? do you see in the client side logs anything about routes being pushed? if you see the push parameters but the routes...
06:11 <@novaflash> ...are not implemented, are you perhaps not running openvpn with admin/root privileges on the client side? without that implementing routes can be blocked.
06:35 -!- abenz_ is now known as abenz
06:59 < amosbird> hmm
06:59 < amosbird> why does TLS Error: TLS key negotiation failed not produce any error messages in log?
07:12 <@novaflash> didn't that message just come from the log? *scratches head*
07:14 < amosbird> yeah, but it doesn't mention what's going wrong
07:21 < BtbN> The TLS key negotiation is
07:50 <@ordex> amosbird: the config you pasted were not complete
07:50 <@ordex> amosbird: it would be useful if you could also post the server log with verb 4
07:50 <@ordex> showing what happens during the client connection
07:51 <@ordex> because the problem could be on either end
07:51 < amosbird> ordex: the server log doesn't contain anything
07:52 < amosbird> here is the server log https://la.wentropy.com/lqjF
07:52 < amosbird> i don't see any error messages
07:59 <@ordex> amosbird: uhm, are you sure it is receiving the connection at all?
07:59 <@ordex> it would print at least one message upon the reception of the first packet
08:07 < amosbird> yeah, i'm confused too
08:07 < amosbird> but i can connect to the server via ssh
08:07 < amosbird> and the port 49999 is open
08:11 < danst> novaflash: it just can't pick up old default route because it doesn't exist
08:25 <@ordex> amosbird: did you open the udp port ?
08:26 <@ordex> danst: there is no default route? is the vpn server local then ?
08:26 <@ordex> in that case check the man, there is an option to specify in this case
08:45 < amosbird> ordex: yes
08:46 <@ordex> amosbird: well, to kill any doubt you can just dump the traffic on the server filtering for that port and see what you get
08:46 <@ordex> if you get nothing, then you know for sure where the problem might be
08:46 < amosbird> oh
08:47 < amosbird> what command can I do that?
08:49 <@ordex> I normally use tcpdump
08:55 < amosbird> hmm, tcpdump -i eno1 "udp dst port 49999" prints nothing
08:55 < amosbird> when connecting
08:56 <@ordex> well, I guess nothing is reaching the server then
08:56 <@ordex> either the port is still closed
08:56 <@ordex> or some other firewall is blocking the packet
08:57 < amosbird> but iptables prints no rules
09:06 <@ordex> maybe that port is blocked by your provider?
09:06 <@ordex> have you tried something else?
09:07 <@ordex> like the classic openvpn one  (1194)
09:07 <@ordex> or try tcp
10:09 < amosbird> ok
10:09 < amosbird> will tcp suffer performance degration?
10:10 < amosbird> hmm, tcp works
10:13 < BtbN> tcp is bad, you don't want it if you can anyhow avoid it
10:39 < amosbird> why udp doesn't work then?
10:41 <@ordex> maybe the provider (server or client side) is blocking that port or udp traffic at all
10:45 < amosbird> um, is there a tool i can use to test udp accessibility?
10:54 <@ordex> amosbird: nmap ? or just nc
10:54 <@ordex> amosbird: but openvpn is a clear example already
10:54 <@ordex> have you tried changing the port?
10:54 <@ordex> instead of switching to tcp
10:54 <@ordex> ?
10:59 -!- krzie [63abbb41@openvpn/community/support/krzee] has joined #openvpn
11:00 -!- mode/#openvpn [+o krzie] by ChanServ
12:08 -!- krzie [63abbb41@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
15:03 -!- krzie [63abbb41@openvpn/community/support/krzee] has joined #openvpn
15:03 -!- mode/#openvpn [+o krzie] by ChanServ
15:19 -!- badpixel is now known as badpixel_
15:19 -!- badpixel_ is now known as badpixel
15:22 -!- tshark is now known as tcpdump
16:40 -!- krzie [63abbb41@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
19:50 < amosbird> ordex: yeah, i tried udp 53
19:51 <@ordex> amosbird: have you tried using a client from another location? just to clarify if it is the client being blocked or the server?
19:52 < amosbird> ordex: oh, lemme try that
19:53 < amosbird> ordex: ah, you're right
19:53 < amosbird> another client works find
19:53 < amosbird> fine*
19:54 <@ordex> then it's likely to be the client's provider to be blocking udp
19:54 <@ordex> or the client itself (but I doubt it)
19:54 < amosbird> ok, thanks!
19:54 <@ordex> np
21:49 -!- abenz__ is now known as abenz
23:52 < misternumberone> hi, i have an openvpn 2.4.3 server (debian, tap, redirect-gateway, udp, AES-256) with several remote clients, all mixed platform. All clients and connections work perfectly except for one, a Windows 10 client (other W10 clients exist and have no issues). This client works fine for a few minutes and then the connection freezes, and only restarting all openvpn services will allow reconnection.
23:54 < misternumberone> using TAP utility to remove and reinstall tap adapter does not fix the issue, nor does reinstalling openvpn. Using a clean install of windows 10 resolves the issue completely. however i am unable to resolve the issue on the existing windows installation.
--- Day changed Mon Sep 11 2017
00:55 -!- abenz_ is now known as abenz
01:10 -!- abenz_ is now known as abenz
01:23 -!- abenz_ is now known as abenz
04:36 -!- abenz_ is now known as abenz
09:00 -!- dionysus70 is now known as dionysus69
10:32 < ttyX> what are we supposed to use instead of ifconfig-pool if we don't have a dhcp server handing out the ip config?
10:33 < ttyX> I understand it's deprecated so what replaced this?
10:44 < tdrusk> I used this guide to install openvpn and configure. https://github.com/Nyr/openvpn-install It works well, but tunnels all traffic. I'd prefer it only tunnel traffic that is necessary (the lan on the VPN side). Here's a pastebin of my server.conf. Any suggestions? https://pastebin.com/egD1MNKV
10:44 <@vpnHelper> Title: GitHub - Nyr/openvpn-install: OpenVPN road warrior installer for Debian, Ubuntu and CentOS (at github.com)
10:46 <+rob0> !redirect
10:46 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
10:46 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
10:46 <+rob0> Don't use --redirect-gateway if you don't want to redirect the gateway.
10:46 <+rob0> !howto
10:46 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
10:51 < tdrusk> That makes sense. Tried to remove it but couldn't access the LAN on the other side, which is 192.168.111.x. OpenVPN gives me 10.8.0.x network, so my next step would be to remove --redirect-gateway and add some kind of routing? right?
10:53 <+rob0> yep
10:53 < skyroveRR> Hiya rob0
10:53 <+rob0> !serverlan
10:53 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
10:53 <+rob0> skyroveRR, o/
10:55 < tdrusk> Thanks rob0. I'll do some research.
11:16 -!- dionysus70 is now known as dionysus69
11:44 -!- frank-- is now known as thumbs
11:57 < acidvegas> <-
11:58 < acidvegas> Hi can someone explain the script-security 2 up and down script to me
11:58 < acidvegas> my script has "up /etc/openvpn/update-resolv-conf"
11:58 < acidvegas> and for down also in the config but i dont have a file named update-resolv-.conf
12:09 < raboof> quick check: do I understand correctly that to be able to use 'port-share', I must use 'mode server' and thus 'tls-server', and I won't get away with 'static' key configuration?
12:11 <@dazo> raboof: correct
12:12 <@dazo> acidvegas: --script-security 2 is required to be able to run external scripts at all
12:12 < raboof> dazo: thx for the confirmation, too bad, will dig in later tonight then :)
12:12 < acidvegas> dazo: i know that but i dont have an update-resolve-conf file
12:12 < acidvegas> ive seen some people make but how does it get the specific dns for my vpn i want to use
12:13 <@dazo> acidvegas: well, that's not a script we ship ... might be a different software package you need to install
12:13 <@dazo> acidvegas: we ship a simpler script with openvpn .... client.up/down .... which may run update-resolv-conf if it is found
12:14 < acidvegas> dazo: specifically I am trying to just secure my dns using openvpn with privateinternetaccess
12:14 < acidvegas> I see https://wiki.archlinux.org/index.php/OpenVPN#DNS which links to a update-resolv-conf file
12:14 <@vpnHelper> Title: OpenVPN - ArchWiki (at wiki.archlinux.org)
12:14 < acidvegas> but again, idk how thats going to pull my specific servers dns and set it
12:19 < mike309> what should I look into if my openvpn connection starts at a reasonable speed, but very quickly gets slower, down to no connection at all?
12:21 -!- xemdetia_ is now known as xemdetia
12:22 < acidvegas> mike309: that would likely be the connection speeed of your vpn, your isp, or the level of encryption you are using
12:22 < acidvegas> more higher settings will slow down traffic a little
12:22 < acidvegas> which vpn are you using anywats
12:22 < mike309> openvpn 2.3.10 on the client
12:22 < mike309> I'm not sure which version on the server as I don't have access to that
12:23 < mike309> it's very strange, because an openvpn (server) instance I set up works great - no connection problems
12:23 < mike309> the one some colleagues in another office set up has the connection issue
12:24 < mike309> I checked the server.conf file and it's only a little different than mine
12:24 <@dazo> acidvegas: that Arch Linux url uses the client.up script we provide ... when connecting to a remote server, it pushes some DNS variables to the client (your openvpn process) which then runs this script with the DNS information ... and that script does whatever it is told to do with that info
12:24 < mike309> it has client-to-client enabled, and uses crl-verify
12:25 <@dazo> client.up will check if you have updates-resolv-conf available and run that with the DNS info .... or it will take a backup of /etc/resolv.conf and create a new one for you
12:26 < acidvegas> dazo: so basically the script sends a request to the vpn server for the dns info and uses that for /etc/resolv.conf?
12:26 <@dazo> acidvegas: nope, the script is provided with information the server have already pushed to the client
12:26 < acidvegas> oh thats right it sets like environ variables correct?
12:27 <@dazo> acidvegas: run openvpn with --verb 4 and check the logs, you'll see some PUSH_ log lines ... and then you'll see it kicks of the --up script later on
12:27 < acidvegas> ok, so i should just be using the up and down script provided in /usr/share/openvpn/contrib/pull-resolv-conf/ to secure my dns?
12:27 < acidvegas> is that the more modern route than update-resolv-conf
12:28 <@dazo> nope, update-resolv-conf is better .... but we provide a wrapper which works for everyone ... but if you have NetworkManager involved, then /etc/resolv.conf tends to get overwritten by it
12:29 < acidvegas> I can just modify the update-resol-conf script to chattr +i /etc/resolv.conf but my confusion lies in this
12:30 < acidvegas> i should place update-resolv-conf and chmod +x it
12:30 <@dazo> acidvegas: we don't ship or maintain update-resolv-conf, so ask those behind it
12:31 < acidvegas> ok thanks, also dazo do you think using the systemd update resolv is an even better choice than update-resolv-conf
12:31 <@dazo> most likely yes, but I have never tried it
12:32 <@dazo> systemd-resolvd will be more tightly connected with both systemd-networkd and NetworkManager .... so using that API to update DNS settings is more likely not be overwritten by networkd or NetworkManager
12:33 <@dazo> (but you need a fairly recent systemd version)
12:34 < acidvegas> I use netctl with wifi-menu not network manager
12:34 <@dazo> well, probably similar mechanisms there too
12:34 < acidvegas> and im on arch linux so im sure i have a recent version
12:34 <@dazo> systemctl --version
12:35 < acidvegas> systemd 234
12:36 <@dazo> that's recent enough :)
12:37 < acidvegas> ok cool, thanks for the info dazo
12:37 < acidvegas> gonna do some testing now
12:37 < acidvegas> and finish this PIA script im working on
12:43 < mike309> anything I can change on the client side to potentially help my slow connection?
12:43 < acidvegas> mike309: are you using a vpn server that someone setup fotr you to use or an offical vpn service
12:44 < mike309> acidevegas: one that someone set up for me
12:45 < mike309> I also set one up for myself, which doesn't have this problem
12:45 < mike309> my ethernet connection is pretty fast, 400+ Mbps up and down
12:46 < mike309> one the VPN I set up on DigitalOcean I get 60-70 Mbps up and down
12:46 < mike309> the one I'm having trouble with starts at about 5 Mbps down and then gets progressively slower, over about a minute, until there is no connection
12:48 < mike309> so you might think that the VPN server itself is to blame
12:48 < mike309> but my colleague sitting next to me was able to get 10 Mbps down consistently
12:48 < mike309> using that OpenVPN connection
12:51 < mike309> I've tried using the most recent OpenVPN on the client side, too (2.4.3)
12:58 < mike309> okay so both server and client are running ubuntu 16.04, openvpn 2.3.10
13:22 < mike309> acidvegas: if I get access to the server, is there anything I can check there?
13:23 < mike309> like I said, the differences between my working server.conf and the one that doesn't work are minimal
13:24 < mike309> just client-to-client and crl-verify settings
13:28 < acidvegas> dazo: what about if im using unbound as a local dsn cache forwarder and im using that systemd-update script
15:28 -!- dakar- is now known as dakar
15:28 -!- DrMac[WTF] is now known as DrMacinyasha
15:28 -!- n-st- is now known as n-st
15:28 -!- KCinJP_ is now known as KCinJP
15:29 -!- allizom1 is now known as allizom
15:29 -!- Dimtree_ is now known as Dimtree
15:39 < seven-eleven> hi
15:40 < seven-eleven> where are openvpn packages routed through that originate from openvpn-server and are reponses from incoming 1194 connections?
15:40 < seven-eleven> say the openvpn server tun0 is 10.8.0.1 peer 10.8.0.2, then it would route through 10.8.0.2?
15:57 <@dazo> seven-eleven: nope, it should route via  10.8.0.1, which is the server side
16:10 < seven-eleven> dazo, aight, giving that a try, (tried before but let's see) :-)
16:27 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 260 seconds]
16:41 < seven-eleven> dazo, does it travel like so:?  Packet_X @ client01 travels to server:1194 -> eth0 -> openvpn socket -> response -> 10.8.0.1 tun0  -> eth0 --> back to client
16:44 < seven-eleven> my issue is that I run both a vpn server and client on my machine, now when openvpn@client service is started then the vpn server on the machine isn't connectable by any of its peers
16:45 < vectr0n> putting `lport 0` in the client conf should stop it from using 1194 as the src port i think
16:45 < vectr0n> been awhile..
16:47 < seven-eleven> and yes the second vpn server pushes `redirect-gateway def1` to my machine, so there are default routes to the second vpn server which I will have to circumvent by adding the right rules for my machines vpn server
16:48 < seven-eleven> vectr0n, why would i want to do that
16:48 < vectr0n> the reason your server doesnt work is because the client is taking 1194 as its src port
16:48 < vectr0n> so then the server is unable to use it
16:48 < seven-eleven> hmm
16:49 < vectr0n> `lport 0` tells the client to use a random port for src
16:49 < vectr0n> then 1194 is free for the server
16:50 < seven-eleven> let me try that, a bit confusing that the client uses 1194
16:50 < vectr0n> for its outbound connections it defaults to using port 1194 as its source port
16:50 < vectr0n> thus the server can't use it as the client has it already
16:51 < vectr0n> the client doesnt need to use 1194 as its src port, it can  be anything
16:51 < seven-eleven> right
16:51 < vectr0n> add the lport restart client, then restart server
16:52 < vectr0n> should see the server listening on 1194 instead of the client src port
16:53 < vectr0n> i personally never keep ovpn running on 1194, to many scans looking for vuln software lol
16:53 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Read error: Connection reset by peer]
16:53 < seven-eleven> vectr0n, in /etc/openvpn/client2.conf is where i put lport 0 now
16:53 < vectr0n> yup
16:54 < vectr0n> you dont have to touch anything in the server config
16:56 < seven-eleven> vectr0n, with that random port setting it gives me an unhelpful error, going to debug http://dpaste.com/1W1BTEZ
16:56 < vectr0n> probably because the route was never applied?
16:57 < vectr0n> is client2 connecting to the server on the local host?
16:57 < seven-eleven> nope, it's a remote (second) vpn server
16:58 < vectr0n> do you have custom up/down scripts called?
16:58 < seven-eleven> remote 104.131.x.y 1194
16:58 < seven-eleven> yes too
16:58 < vectr0n> then its an issue w/ your script
16:58 < seven-eleven> only up /etc/openvpn/update-resolv-conf and down /etc/openvpn/update-resolv-conf
16:58 < seven-eleven> mhm
16:58 < vectr0n> you need to check your syntax in the scripts
16:59 < vectr0n> do those update-resolv-conf deal with routes at all or just pushing the name servers to resolv.conf?
16:59 < seven-eleven> let me check
16:59 < seven-eleven> "Parses DHCP options from openvpn to update resolv.conf"
16:59 < vectr0n> aha quick google suggests its an issue with your push "route xxxx"'s
17:00 < seven-eleven> it doesn't bother with routes at all
17:00 < vectr0n> https://serverfault.com/questions/757751/vpn-error-linux-route-add-command-failed
17:00 <@vpnHelper> Title: openvpn - VPN: ERROR: Linux route add command failed - Server Fault (at serverfault.com)
17:01 < vectr0n> did you include the ovpn subnet in the pushes? the server already does that
17:04 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
17:04 -!- mode/#openvpn [+v RBecker] by ChanServ
17:04 < seven-eleven> i don't know why it's complaining
17:04 < seven-eleven> i have commented all the pushes for testing this anyways. no they used not the subnet, but instead the server peer address
17:05 < seven-eleven> e.g  @ /etc/openvpn/ccd/my_client ifconfig-push 10.8.0.101 10.8.0.1
17:05 < seven-eleven> ah yes, also used subnet @server.conf push "route 10.8.0.0 255.255.255.0"
17:05 < vectr0n> 10.8.0.1 should be 255.255.255.0
17:05 < seven-eleven> yes
17:06 < vectr0n> comment out that push and see if it resolves
17:06 < seven-eleven> it's commented out ;)
17:06 < vectr0n> oh sorry
17:06 < vectr0n> fix the ccd.. ifconfig-push 10.8.0.101 255.255.255.0
17:08 < vectr0n> also where is the 10.9.x.x coming from?
17:09 < seven-eleven> 10.9.0.0 is the second openvpn server on node02
17:10 < seven-eleven> and node01 has both an openvpn-server 10.8.0.0/24 and a also an openvpn-cleint to 10.9.x.x
17:10 < vectr0n> gotcha
17:10 < vectr0n> i have to step away for 5-10min
17:11 < seven-eleven>  i'll hurry
17:11 < seven-eleven> oh so late already
17:12 < seven-eleven> still not working, where's the lport 0 thing documented, can't find a reference quickly#
17:15 < seven-eleven> maybe "nobind" already is enough
17:16 < seven-eleven> that won't make the client bind any specific port number, which I already used
17:16 < seven-eleven> any removing nobind makes lport 0 work now too
17:18 < seven-eleven> and once i add redirect-gateway def1 again on node02 10.9.0.1 server then no client can connect to the vpn server @node01 10.8.0.1 anymore, i think this is still a routing issue
17:19 < seven-eleven> so lport 0 was never the issue, because the clients did use a file, not port socket, having "nobind" directive set
17:20 < seven-eleven> s/can/can't
17:20 < seven-eleven> iam also off, goodnight
18:25 < redrabbit> i want to sync clients certs between two openvpn servers
18:25 < redrabbit> what is the file i should rsync
18:25 < redrabbit> (easy-rsa)
18:35 <@dazo> redrabbit: you should not do that .... the servers just need the server certificates, private key, dh-param and the CA certificate
18:35 <@dazo> the CA (easy-rsa) files should ideally be stored on an offline medium, only to be activated when you need to sign a new certificate
18:35 < redrabbit> that's what i needed, good info
18:36 < redrabbit> im gonna keep them on my home server then, and remove from the VPS
18:37 <@dazo> the CA private key is especially important to protect .... If I get a copy of your CA private key and it is not password protected, I can issue new certificates and connect to your servers without your knowledge (unless you pay close attention to the openvpn log files and recognise the new X.509 subject lines)
18:37 < devlap> Hi I am having trouble with my initial setup of openvpn-as. I have my client and am connecting with IP:PORT in the openvpn connect app. LDAP is working, I see it auth with the domain, and then the client just sits saying "Waiting for VPN server"
18:37 <@dazo> !as
18:37 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
18:42 < thumbs> /43/23
18:45 < redrabbit> on that subject is there a way to get notified when X client connects to your server
18:46 <@dazo> redrabbit: the quick and simple path is to look at --client-connect .... the more difficult path, is to write a plug-in in C and use --plugin
18:46 <@dazo> redrabbit: and then there is --management and --status you can look at too
18:47 <@dazo> (so 4 alternatives, with different approaches)
18:47 < redrabbit> i used that: systemctl status openvpn@server.service
18:47 < redrabbit> guess its sort of what --status does
18:47 <@dazo> that gives a different view ... which is more the overall status
18:47 < redrabbit> ok
18:47 <@dazo> nope, not at ll
18:47 <@dazo> *all
18:48 <@dazo> redrabbit: but move over to the new unit files .... openvpn-server@CONFIGNAME.service
18:49 < redrabbit> noted
18:49 <@dazo> (it requires moving around on a few config files ... but is better tuned towards both systemd and acting in a server role ... and we're continuing to harden that profile too)
18:50 < redrabbit> pardon me for beeing clueless but how do i look at --status ?
18:50 <@dazo> !man
18:50 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
18:50 < redrabbit> "Write operational status to file every n seconds. "
18:50 <@dazo> ^^^ the best approach to be less clueless ;-)
18:50 < redrabbit> oh, got it
18:51 < redrabbit> i thought it was a command to type. silly me
18:51 <@dazo> redrabbit: if you use openvpn-server@.service .... have a look in /run/openvpn-server/status.log  ;-)
18:52 <@dazo> ahh ... status-CONFIGNAME.log ;-)
23:45 -!- s7r_ [~s7r@openvpn/user/s7r] has joined #openvpn
23:45 -!- mode/#openvpn [+v s7r_] by ChanServ
23:46 -!- s7r [~s7r@openvpn/user/s7r] has quit [Read error: Connection reset by peer]
23:46 -!- s7r_ is now known as s7r
23:55 -!- abenz_ is now known as abenz
--- Day changed Tue Sep 12 2017
00:28 < brianw> I am using Ubuntu 16.04 LXD guest on an Ubuntu 16.04 server host. I cannot get systemd openvpn init to start the openvpn@test conf client config. But if I run the same exact command as root, it works and starts openvpn in deamon mode. Any help? Clues? Suggestions?
00:37 < acidvegas> BUCK
02:00 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
02:00 -!- mode/#openvpn [+o novaflash] by ChanServ
02:16 < seven-eleven> what happens if `redirect-gateway def1` is pushed from a second openvpn-server 10.9.0.1 to a machine that both runs openvpn-server 10.8.0.1 and an openvpn-client 10.9.0.6 ... i assume then 10.8.0.0/24 packages are routed to 10.9.0.1 ... if yes, should I create (A) a rule to default route package that originate from 10.8.0.0/24 via my WAN IP or via 10.8.0.1 ... i assume my WAN IP?
03:00 -!- abenz__ is now known as abenz
05:24 <@novaflash> afaik redirect-gateway def1 should implement 0/1 and 128/1 routes and not mess with the default gateway. it just overrides it with 2 more specific routes. local subnets are even more specific than that so are not affected by the default route or the 0/1 and 128/1 routes. so in effect, i don't think it affects that. routes for smaller subnets win over routes for larger subnets.
05:48 <@dazo> novaflash: your statement is correct :)
05:48 <@novaflash> hold on, taking a picture of this moment
05:48 <@dazo> :)
05:49 <@dazo> brianw: try using openvpn-server@.service or openvpn-client@.service unit files .... that's the upstream based unit files .... the distro provided unit files (openvpn@.service, openvpn.service) are known to be poor and faulty in most distros
05:55 <@dazo> !systemd
05:55 <@vpnHelper> "systemd" is (#1) the devil!, or (#2) At least for those who wants keep living in the past ...., or (#3) Have troubles with OpenVPN and systemd? Try reaching out to dazo, or (#4) https://fedoraproject.org/wiki/Openvpn#Working_with_systemd
05:55 <@dazo> !forget systemd
05:55 <@vpnHelper> Error: 4 factoids have that key.  Please specify which one to remove, or use * to designate all of them.
05:55 <@dazo> !forget systemd *
05:55 <@vpnHelper> Joo got it.
05:57 <@dazo> !learn systemd Most systemd based distros package the upstream OpenVPN openvpn-server@.service and openvpn-client@.service unit files.  Use those instead of the distro provided ones (openvpn.service, openvpn@.service), as they too often work poorly.
05:57 <@vpnHelper> Joo got it.
05:57 <@dazo> !systemd
05:57 <@dazo> !learn systemd as Most systemd based distros package the upstream OpenVPN openvpn-server@.service and openvpn-client@.service unit files.  Use those instead of the distro provided ones (openvpn.service, openvpn@.service), as they too often work poorly.
05:57 <@vpnHelper> Joo got it.
05:57 <@dazo> !systemd
05:57 <@vpnHelper> "systemd" is Most systemd based distros package the upstream OpenVPN openvpn-server@.service and openvpn-client@.service unit files. Use those instead of the distro provided ones (openvpn.service, openvpn@.service), as they too often work poorly.
05:57 <@novaflash> !dazo
05:57 <@vpnHelper> "dazo" is The project name krzee always forgets .... eurephia ... http://www.eurephia.net/
05:59 <@dazo> !learn systemd as Unfortunately, Debian have added some weird OpenVPN systemd integration trying to simulate how things worked before systemd arrived. These approaches often causes more confusion, so _do_ consider #1 carefully.
05:59 <@vpnHelper> Joo got it.
05:59 <@dazo> !systemd
05:59 <@vpnHelper> "systemd" is (#1) Most systemd based distros package the upstream OpenVPN openvpn-server@.service and openvpn-client@.service unit files. Use those instead of the distro provided ones (openvpn.service, openvpn@.service), as they too often work poorly., or (#2) Unfortunately, Debian have added some weird OpenVPN systemd integration trying to simulate how things worked before systemd arrived. These
05:59 <@vpnHelper> approaches often causes more confusion, so _do_ consider #1 carefully.
06:44 <@ordex> !dazo
06:44 <@vpnHelper> "dazo" is The project name krzee always forgets .... eurephia ... http://www.eurephia.net/
06:44 <@ordex> :D
06:44 <@ordex> we should say "systemd" here!
06:45 <+hyper_ch> krzee is still not back?
07:01 <@novaflash> where'd he go?
07:02 <+hyper_ch> he's not replying :(
07:03 <@novaflash> hmmm
07:04 -!- peterandre_ is now known as peterandre
07:40 <@dazo> krzee might be without net .... I believe Irma might have been quite close to where I believe he lives
07:41 < havoc> oh yeah, he's in the carribean, somewhere?
07:41 <@dazo> yeah, I believe so
07:44 <+hyper_ch> could be
07:52 < havoc> well, my 2,000+ ovpn client setup is ~2.5wks from going into production
07:53 < havoc> pretty slick setup, I think
08:01 < havoc> have a provisioning server running on udp:1194 w/ a /25
08:02 < havoc> production servers are udp:1195-2010, all /25's
08:04 < havoc> have scritps for [prod|prov].[client-connect|learn-address"client-disconnect] for both sets of servers, which call other stuff
08:04 < havoc> so I can change scripting w/o restarting vpn server(s)
08:05 < havoc> and production servers have a base conf included in the individual confs, which are onlt the dev/port/ifconfig stuff
08:06 < havoc> have a logging script that grabs all sorts of client info via ssh on [dis]connect
08:07 <@novaflash> havoc: but does it have access to pornhub.com?
08:07 < havoc> no, have shorewall setup for FW
08:07 <@novaflash> worthless, then
08:07 < havoc> which is slick as I can treat tun[1-16] as a single "zone"
08:10 < havoc> still need to work out a good way to recycle IPs
08:10 < havoc> I'm considering an sqlite db
08:11 < havoc> but I'm gonna try a 2,000 line bash file first
08:11 < havoc> it's only accessed/used when a client is [re]provisioned, so it's not run a lot, after initial deployment
08:12 <@novaflash> 2000 x ~15 bytes. shouldn't be an issue really.
08:12 < havoc> I'm not thinking it would, but I prefer to test, and *know* it won't be an issue
08:13 < havoc> a db is "easiest", SELECT blah WHERE host=UNASSIGNED SORT LIMIT 1
08:14 < havoc> I already have a script that generate the IPs sequentially, skipping network #, 1st IP (for GW/server), and bcast
08:14 < havoc> ...for all 17 /25's
08:15 < havoc> so I could mod it slightly to generate a bash file of a hash, of IP=>CN
08:16 < havoc> then have the provisioning script loop through the hash, ordered by KEY, until it finds the next NULL VAL
08:17 < havoc> oh, and the provisioning script flocks the critical bits of code
08:18 < havoc> ifconfig lines go in CCD files for all provisioned clients, and BIND is updated via nsupdate on client-[dis]connect
08:20 < havoc> "clients" are those little UBNT ER-X routers, w/ SSH keys for the VPN server installed on provisioning
08:21 < scj643> What should I use for file transfers over OpenVPN
08:21 <+hyper_ch> havoc: what hardware do you run for so many clients?
08:21 < havoc> actually, they're pre-installed, along w/ the unprovisioned vpn client configs
08:22 < havoc> hyper_ch: not sure, it's some vmware blade center at one of our colos somewhere
08:22 < scj643> I'm currently using FTP bound to the openvpn IP
08:22 < havoc> someone else set it up, and I put debian on it
08:22 < scj643> no security on the FTP server
08:23 <+hyper_ch> havoc: debian - the os of choice for servers :)
08:23 < scj643> No fedora :P
08:23 <+hyper_ch> scj643: why not use scp?
08:23 < havoc> hyper_ch: so far the load is negligible, according to top
08:23 < scj643> scp?
08:23 <+hyper_ch> well, if pornhub and retube are blocked, what else is there to do then on the vpn?
08:23 <+hyper_ch> redtube
08:24 < havoc> hyper_ch: but we can easily/quickly increase the resources
08:24 <+hyper_ch> scj643: yes, scp, or maybe sftp
08:24 < scj643> Host is windows server 2012 r2 (don't ask why)
08:24 < havoc> rsync!
08:24 < scj643> i need to stream files off it
08:24 <+hyper_ch> you probably also have youtube, vimeo, google, twitter and facebook blocked
08:24 <+hyper_ch> scj643: upgrade the server to debian
08:25 < havoc> hyper_ch: I don't actually block anything, specifically, I only allow specific things
08:25 < scj643> I've wanted to switch to fedora but never got around to it
08:25 < scj643> what has more overhead FTP or SMB
08:25 <+hyper_ch> deny from *; allow from 127.0.0.1 ?
08:25 < havoc> but the clients behind the routers are locked-down purpose built machines anyway, no web access
08:25 <@novaflash> scj643: simplest/worst solution is to set up a windows fileshare
08:25 < scj643> SMB doesn't work over my OpenVPN
08:26 <@novaflash> scj643: works fine here
08:26 <+hyper_ch> smb works fine over openvpn
08:26 <@novaflash> hyper_ch: well he did say "my OpenVPN", maybe his is set up shitty
08:26 < havoc> hyper_ch: so the vpn is for internal access only, Net access is via whatever the stations have
08:26 < DArqueBishop> scj643: SMB works fine over OpenVPN; have you tried accessing the fileshares via IP address?
08:26 <@novaflash> scj643: if you were trying to, don't use hostname, but ip address. like \\192.168.70.222\fileshare in explorer.
08:26  * DArqueBishop is willing to bet the problem is name resolution.
08:26 < scj643> I'm using IP
08:27 < havoc> then it's a firewall issue
08:27 <@novaflash> then the next probably cause of the problem is windows firewall
08:27 <@novaflash> lol
08:27 <@novaflash> yea
08:27 < havoc> jinx :)
08:27 <+hyper_ch> https://github.com/sjau/nixos/blob/master/configuration.nix#L75  --> my smb setup over vpn
08:27 <@vpnHelper> Title: nixos/configuration.nix at master · sjau/nixos · GitHub (at github.com)
08:28 < havoc> also, if it's a routed setup, between smb endpoints, you need NETBIOS over TCP enabled, and *possibly* WINS
08:28 < scj643> but would SMB be slower than ftp
08:28 < havoc> ...depending on if you want to access stuff by NETBIOS names, vs. IPs
08:29 < DArqueBishop> havoc: he said the fileserver was the VPN server. I bet the VPN subnet is in the "Public" zone and as such SMB ports are blocked in the firewall.
08:29 < scj643> i want access via IPs
08:29 <+hyper_ch> scj643: on 1gbit internet, there's no noticeable difference
08:29 < havoc> DArqueBishop: likely
08:29 < scj643> My openvpn IP is set to 10.9.0.1
08:29 < scj643> on the server
08:30 < scj643> windows says the specified network name is no longer available
08:30 < havoc> simplest fix, on Windows, is a Custom Advanced FW rulle to allow everything, all addresses, all ports, for openvpn.exe
08:30 < havoc> ...for all scopes
08:31 < scj643> I already got a rule for the subnet
08:31 < havoc> as DArqueBishop said/implied, Windows, by default, limits SMB to the Windows machine's local subnet
08:31 <@novaflash> with firewall shit the easiest thing to find out if it is the firewall or not is to just disable it for 10 seconds, see if it works then, then enable it again. if it worked while the firewall was offline, then it really is the firewall at fault. then work on refining the rules until it works.
08:32 <+hyper_ch> havoc: simplest fix is still upgrading to a proper debian :)
08:32 < havoc> that too :)
08:32 < DArqueBishop> He may not be allowed to make that change.
08:32 <+hyper_ch> he just has to tell the boss that this is the new windows 2018 server
08:33 <+hyper_ch> boss couldn't tell the difference anway
08:33 < DArqueBishop> Depends on his boss.
08:33 <+hyper_ch> windows 2018 server - Codename "Debian 9"
08:33 < scj643> It's my machine but I can't upgrade to Debian
08:33 < scj643> i only have remote access
08:33 <@novaflash> well at least he calls it an upgrade, i like that
08:34 < scj643> disabling windows firewall doesn't help
08:34 <+hyper_ch> !configs
08:34 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:34 < DArqueBishop> Moving Windows to Linux isn't always an upgrade.
08:34 <+hyper_ch> scj643: can you post the vpn configs
08:34 < scj643> yeah
08:34 <@novaflash> on like pastebin or w/e
08:35 < scj643> I know
08:36 < scj643> https://ghostbin.com/paste/yvhkg
08:36 <+hyper_ch> please read again the text above
08:38 < scj643> hyper_ch: https://gist.github.com/scj643/04a9035bad1e7f3e57488a57d7df0474
08:38 <@vpnHelper> Title: VPN Config · GitHub (at gist.github.com)
08:38 <+hyper_ch> !configs
08:38 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:38 <+hyper_ch> read that
08:38 < scj643> Oh
08:40 < scj643> https://gist.github.com/scj643/04a9035bad1e7f3e57488a57d7df0474 updated
08:40 <@vpnHelper> Title: VPN Config · GitHub (at gist.github.com)
08:40 <+hyper_ch> and client?
08:40 < scj643> That's going to be harder
08:40 < scj643> I embed my certs
08:44 < scj643> added client https://gist.github.com/scj643/04a9035bad1e7f3e57488a57d7df0474
08:44 <@vpnHelper> Title: VPN Config · GitHub (at gist.github.com)
08:45 < scj643> I removed my external IP from the client config
08:45 <+hyper_ch> looks all fine
08:45 <+hyper_ch> I use those mounting options for smb:   "noauto" "user" "uid=1000" "gid=100" "username=${userfs}" "password=${passwordfs}" "iocharset=utf8" "x-systemd.requires=${xsystemfs}"
08:46 < scj643> I'm using windows SMB
08:46 <+hyper_ch> I could post you my sama settings
08:48 <+hyper_ch> https://paste.simplylinux.ch/view/2e4afe31
08:49 < scj643> I'm not using samba though I'm using windows file sharing
08:49 <+hyper_ch> also, samba server is an own client in the vpn
08:49 <+hyper_ch> no idea about windows smb server
08:53 < scj643> Might be an MTU issue?
08:53 < scj643> ping -f -l 1472 10.9.0.1 fails
08:57 < scj643> Anything higher than 71 fails
09:07 < scj643> Ok seems pushing and having a fake default routing for an OpenVPN on windows helps
09:07 < scj643> At least with firewall not bitching
09:26 < alep_> Hi guys, I am setting up a VPN to connect to AWS
09:27 -!- alphor_ is now known as alphor
09:27 <+hyper_ch> congrats
09:27 < alep_> Is it possible to use openVPN client to connect to the AWS managed VPN gateway?
09:28 < alep_> or I have to provision a machine with openVPN server on it?
09:28 <+rob0> is AWS running an openvpn server?
09:28 <+rob0> you have to ask AWS, not us
09:29 < alep_> Online I found only example to set up a software VPN with opencpon
09:29 < alep_> so I suppose AWS does not run openvpn and you have to run it yourself on an instance
09:30 <+rob0> ^^ I'm sure you can run openvpn on an AWS instance, yes
09:30 < alep_> I wanted to ask if openvpn was compatible to connect to a different vpn server
09:30 <+rob0> no
09:30 < alep_> ok
09:30 < alep_> thanks
09:31 < alep_> last quick question
09:31 <+rob0> openvpn (GPL) can connect to commercial OpenVPN Access Server, but not to ipsec and other VPN nor VPN-like systems
09:31 <+hyper_ch> alep_: last question? in your whole life?
09:32 < alep_> can I set up the openvpn client on my laptop to use the VPN only for specific domain/ips?
09:32 <+rob0> um, ?
09:32 < alep_> hyper_ch: for the moment
09:32 <+rob0> IP routing is always by address, never by domain names.
09:33 <+hyper_ch> that's why it's called "IP routing" and not "DN routing", right?
09:34 <+rob0> I think you could be right about that :)
09:34 <+hyper_ch> easiest way would be to add the vpn ip to your hosts file for that domain name
09:34 <+hyper_ch> 10.x.x.x domain.tld
09:34 <+hyper_ch> then it will get routed through the vpn
09:34 <+rob0> the goal is not clear, and note that a --redirect-gateway redirects everything.
09:35 < scj643> Shouldn't I be using a topology of subnet?
09:35 < alep_> my goal is to use the VPN from my laptop only for connection to specific ips/domain not to the whole internet
09:35 <+rob0> scj643, generally, yes, the old /30 thing is silly
09:36 < scj643> Yeah I was using that
09:36 <+rob0> alep_, sounds like you want a HTTP proxy, perhaps
09:36 < alep_> well
09:36 < scj643> Would MTU interfere with SMB
09:37 < alep_> rob0: I would
09:38 < alep_> like to use also other protocol
09:39 < alep_> that I would like is to be able to connect to machines in a private network through a secure VPN from my laptop like there were publicly available on the internet
09:39 <+hyper_ch> alep_: you can use openvpn for that
09:39 < alep_> I think that the VPN is the best option
09:40 <+hyper_ch> just adjust your hosts file accordingly
09:40 < alep_> I know
09:40 <+hyper_ch> oh wait...
09:40 < alep_> but I was asking if I can set up on my laptop a selective "filter"
09:40 <+hyper_ch> that only works if all the desired endpoints are part of the vpn
09:41 < alep_> to go through the VPN only for specific addresses and otherwise just use the default gateway
09:41 < alep_> of cours
09:41 < alep_> of course
09:41 <+hyper_ch> and are those specific address vpn clients?
09:41 < alep_> I can make them
09:42 <+hyper_ch> then it's easy
09:42 <+hyper_ch> what I did is have a   data.domain.tld
09:42 <+hyper_ch> and vpn-data.domain.tld
09:42 < alep_> also they are in the same private network so I was thinking that the openvpn server could just grant access to the whole private network
09:42 <+hyper_ch> while in the office, I can just use data.domain.tld
09:42 <+hyper_ch> outside I use vpn-data.domain.tld ;)
09:43 <+hyper_ch> I have according host entries in my hosts file
09:43 < alep_> I see
09:43 < alep_> great thanks
09:43 < alep_> so you do the VPN selection on the host file
09:43 <+hyper_ch> and then just add:    10.8.0.121  vpn-xxx.domain.tld
09:44 <+hyper_ch> yeah
09:44 <+hyper_ch> actually, I do it in the dns
09:44 < alep_> sure
09:45 < alep_> great
09:45 < alep_> thanks for the chat
09:45 < alep_> I have been helpful before starting setting up stuff
09:47 <+hyper_ch> but with setting the vpn-addresses only on the dns zone file can be an issue
09:48 <+hyper_ch> some routers will not resolv "lan" ips from public zone files
09:48 <+hyper_ch> safe bet is using the hosts file
09:48 < alep_> yeah, I am not going to change the router or DNS
09:49 < alep_> we are a small team, it is faster just deploy some hosts files
09:49 < alep_> :P
09:50 <+rob0> !dnsmasq
09:50 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
09:51 <+hyper_ch> dnsmasq <3
09:52 < DArqueBishop> <alep_> we are a small team, it is faster just deploy some hosts files
09:53 < DArqueBishop> In the long term, dnsmasq is faster and easier.
09:54 <+rob0> just ONE hosts file, and it can thus be shared
09:54 < alep_> thanks, I will give it a look
09:55 < DArqueBishop> Not to mention if you make changes, you only need to make it on the server and not the clients.
10:01 <+hyper_ch> well, with nixos you could just make a commit to git and when you rebuild/uupdate the system the next time, it'll also be updated ;)
10:05 <@novaflash> that moment when you accidentally want to become a communist; cd /ussr
10:08 <+hyper_ch> what's wrong with being a communist?
10:10 <@novaflash> interesting question
10:10 <+rob0> Nechevo, tovarishch
10:11 <+hyper_ch> I still think that Communism would be great... but humans are too selfish and it won't work with us... maybe once we evolve it oculd work
10:12 <@novaflash> we are evolving
10:12 <@novaflash> just very slowly
10:13 <+hyper_ch> not really... we just made technological advances
10:13 <+hyper_ch> but didn't really evolve
10:13 <+hyper_ch> and those technological advances just mean we got better at killing stuff
10:15 <@novaflash> technological development is very much not the same as evolution and i would never make that comparison. no you misunderstand me. for example, people that have a high tolerance for nicotine survive while those with a low tolerance die faster and have less of a chance to pass on their genes. crude example but valid. same for other poisons and diseases.
10:15 <+hyper_ch> ok, we do evolve...
10:16 <@novaflash> yes and eventually all that's left are people that are drunk chainsmoking drugs abusers
10:16 <@novaflash> because the people that couldn't handle that died off :-P
10:18 <@novaflash> probably be fat too
10:20 <@novaflash> anyways, i'm obviously way ahead in evolution
10:29 < scj643> I swear if softether wasn't so bloated I would just use that
10:32 < raboof> I guess it evolved :D
10:32 <+hyper_ch> lol
10:33 <@novaflash> fantastic +1
10:34 < scj643> Softether seems to be a pretty good project but it's just too damn big
10:34 <+hyper_ch> novaflash: somebody has been listening in on our conversation
10:34 <@novaflash> hyper_ch: well we're not exactly scrambling our communication
10:34 <+hyper_ch> you don't use ssl to coneect to freenode?
10:35 <@novaflash> i am but i'm not using SSL to chat with you
10:35 <@novaflash> but we should...
10:35 <@novaflash> okay so, i'm going to send you some prime numbers now
10:35 <@novaflash> (a handshake may take a while like this.. ugh)
10:36 <+hyper_ch> :)
10:36 < scj643> I wish I was running a Linux server with multiple NICs
10:37 <@novaflash> scj643: well there are plenty of good offers out there :)
10:37 < scj643> Thing is I don't want to route internet traffic through my home
10:37 <@novaflash> scj643: but regarding your frustration about openvpn and your connection problem.. it's really not openvpn's fault. it's some sort of configuration problem, a route missing, a firewall blocking stuff, something like that. samba over openvpn works just fine, plenty of folks use it.
10:38 <@novaflash> scj643: what does that have to do with it.........................................................?
10:38 < scj643> I might end up just using softether again
10:38 < scj643> That way I can just use l2tp
10:39 <@novaflash> okay, well, if you're hoping somebody will jump up and say "STOP!! DON'T DO IT! DON'T GIVE IN TO THE DEVIL" then uh.. yeah. i mean if anyone wants to, that's okay i guess. but you have to do what you feel is right.
10:39 <@novaflash> having said that, openvpn and samba = fine. openvpn + not sending all your internet traffic through it = fine too.
10:40 < scj643> I think it's just windows smb sharing being a pita
10:42 <@novaflash> so here's what i'm thinking, if you care to hear it; if your openvpn tunnel is working, and you can ping from your vpn client to the ip address of the server, then the openvpn tunnel is ok. and if another service, different from ping, doesn't respond, then it's either a problem with a firewall, or with that service. like for example it's not listening on that ip.
10:42 <+rob0> If you don't want to redirect your gateway, don't use --redirect-gateway ... we did not put it there for you, you did.
10:42 <+rob0> By default --redirect-gateway is not set.
10:43 <+rob0> I don't get why that's such a common misunderstanding here.
10:44 < scj643> RDP works over VPN
10:44 <@novaflash> rob0: should have named it "--send_all_my_fucking_shit_to_the_fucking_vpn_fucking_server"
10:44 <+rob0> ikr?
10:45 <@novaflash> scj643: well then that proves that at least as far as openvpn is concerned, the problem is not in openvpn at all.
10:45 < scj643> novaflash: :D
10:45 <@novaflash> scj643: so now you're looking at some shitty problem with a firewall rule blocking smb/samba traffic, or smb being a dick or w/e
10:45 < scj643> FTP works too
10:45 < scj643> It's windows SMB being a dick
10:46 <@novaflash> okay i have a book here somewhere about that
10:46 <@novaflash> it's called "If SMB is being a dick, fuck it"
10:46 < scj643> I also have to use tun because I have mobile clients
10:46 < scj643> :)
10:46 <@novaflash> wait that could be interpreted wrong
10:46 <+rob0> Generally tun is the right choice.
10:47 <+rob0> !wins
10:47 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
10:47 < scj643> Thing is I'm connecting by IP
10:51 <@novaflash> scj643: i assume you are connecting by the interal IP that the openvpn server itself has? like 10.something
10:51 < scj643> 10.9.0.1
10:51 <@novaflash> maybe instead try to set things up so that the openvpn tunnel gives you a route that leads to the actual IP of the server on its primary network interface instead?
10:51 < scj643> I have 2 openvpn servers (one on my laptop so I can RDP in from the college) and the one on my home
10:51 <@novaflash> i'm just thinking out loud here
10:51 <@novaflash> maybe samba is just being a dick and not listening on the openvpn virtual adapter
10:52 < scj643> How can I make it route to the servers IP of 10.0.0.45
10:52 <@novaflash> i dunno, something like push "route 10.0.0.25 255.255.255.255 vpn_gateway" or something in the server config
10:52 <@novaflash> i'm more used to linux servers so not sure if that does the whole trick
10:53 < scj643> SMB port is open on the openvpn ip
10:53 <@novaflash> huh okay
10:53 <+rob0> Why did you connect to 10.9.0.1 when you wanted to connect to 10.0.0.45?
10:53 < scj643> No 10.0.0.45 is the internal ip  of my server
10:53 < scj643> the remote openvpn server is port forwarded
10:53 <+rob0> !serverlan
10:53 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
10:53 <@novaflash> rob0: the openvpn server runs on the same machine that he wants to access
10:54 < scj643> Yeah
10:54 <+rob0> what OS is this openvpn+SMB server?
10:54 <@novaflash> sadly
10:54 <@novaflash> windows
10:54 < scj643> WIndows server 2012 r2
10:54 <@novaflash> server something
10:54 < scj643> I really need to get a Linux box
10:54 <@novaflash> but if the smb port is open then yeah it should just be working.
10:55 <@novaflash> still thinking firewall here :-P
10:55 <+rob0> yes
10:55 < scj643> port 445 right
10:55 <@novaflash> or 339 or something
10:55 <@novaflash> i forget
10:55 < scj643> not 339
10:56 <+rob0> just disable the Windows firewall, we can't support it, and you should already be behind some router, correct?
10:56 < scj643> yeah
11:11 < brianw> dazo: systemctl enable openvpn-client@test.service  >>>  Failed to execute operation: No such file or directory
11:12 < brianw> dazo: going to work. bb ib 10 hours
12:57 < scj643> Thoughts on softether VPN?
13:02 < scj643> Somehow it's able to do bridging right in the setup
13:23 <@dazo> brianw: you need client configs to be stored under /etc/openvpn/client .... and /etc/openvpn/server for the openvpn-server@.service unit
13:23 <+rob0> We use openvpn, which also can do bridging, but bridging is seldom necessary nor a good idea.
13:23 <+rob0> scj643, ^^
13:26 < scj643> I've decided I'm going to use softether to test speeds of l2tp
13:30 <+hyper_ch> btw, anyone tested wireguard this far?
13:32 <@ordex> nop
13:33 < havoc> rob0: it's also explained in the HOWTO
13:34 < scj643> Ok SMB over l2tp works but it's a hell of a lot slower than ftp over OpenVPN
13:34 < havoc> hell, there's a whole page on the site dedicated to bridging
13:35 <+rob0> havoc?
13:35 < scj643> But over OpenVPN and ftp some files can't be streamed
13:35 < havoc> rob0: re: bridging, it he wants info on it, there's a bunch on the openvpn site
13:36 < havoc> s/it/if/
13:36 <+rob0> yes, of course, but bridging is probably not needed
13:36 < havoc> I use it, occasionally, but not for very long, it's always a temp measure for me
13:37 < havoc> e.g. we get a temp office for a few months
13:37 < scj643> Using windows server was one of the worst decisions I've made
13:37 < havoc> I just drop it on the main office LAN and be done with it
13:38 <+hyper_ch> why would someone torture themselves with windows server...
13:39 < havoc> money
13:39 < DArqueBishop> There are some things MS/Windows does better than Linux.
13:39 <+hyper_ch> that would be?
13:39 <+rob0> marketing :)
13:39 < havoc> hyper_ch: sell? :)
13:40 < scj643> Windows server sucks ass
13:40 < havoc> reality is that all shops are pretty much Windows on the front end, and Linux on the back end
13:40 <+hyper_ch> they do better marekting that's true
13:41 < scj643> SMB seems to be the only good thing for files
13:41 < havoc> a good admin/devops/guru knows both
13:41 < scj643> having an ftp server some files refuse to open
13:41 < scj643> can't mount ftp in windows easily
13:42 <+hyper_ch> havoc: then it's great that I'm no good admin/devops/guru
13:42 < havoc> eh, it's a job, one I hope to soon leave
13:42 < havoc> Wife and I can start a metal fab biz
13:42 <+hyper_ch> I'm just a hobbyist with computers
13:43 <+hyper_ch> I know where I can find the on/off button
13:43 < havoc> ah, this is my life :(
13:43 < havoc> ok, time to go do carpentry, bbl
13:44 <+hyper_ch> it's 20:40h... aren't they closed?
13:46 <+rob0> no, I don't do Windows, and I don't seek jobs which do Windows.  I am a specialist.
13:48 < DArqueBishop> hyper_ch: at the very least, Active Directory and groupware (aka, Exchange).
13:49 < DArqueBishop> MS Office as well.
13:51 <+rob0> hmm, I won't argue the first two, but IME MS Office has been buggy.  10 years ago I had a job where I had to waste a lot of time working around Excel bugs.
13:51 <+hyper_ch> exchange is the only thing I haven't found an equivalent replacement for
13:51 <+hyper_ch> but actually horde with AS support comes close to what I need form Exchange
13:52 <+hyper_ch> rob0: s/bugs/features/
13:52 < DArqueBishop> rob0: on the other hand, most accountants I've worked with would laugh at you if you tried to suggest any spreadsheet was better than Excel, especially in terms of macros and such.
13:53 < DArqueBishop> Also, at the last couple of manufacturing firms I worked at, you couldn't even get the engineering design software they used on Linux, or even anything that came close to it in terms of functionality.
13:55 <+rob0> I was doing land/mineral ownership reports, and finding mathematical errors in Excel's calculations.
13:58 < DArqueBishop> I never said Excel/Office wasn't buggy. I'm saying it's the least worst option.
14:30 < scj643> I've decided to go with FTP with IIS
14:31 < scj643> Since FileZilla server has issues
14:39 <@dazo> FTP!?  In 2017???   geee
14:42 < BtbN> FTP is the issue
14:42 < BtbN> doesn't need any others
14:44 <@dazo> !man
14:44 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
14:50 < scj643> IIS works for me
14:50 < scj643> no file read issues
14:50 < scj643> Besides openvpn is the encryption
14:57 < BtbN> "working" and being a good idea or in any way secure are two entirely different things
14:57 < BtbN> nobody should be using ftp anymore
15:26 < mike309> !goal
15:26 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:45 -!- def_jam is now known as eb0t
17:43 < zx2c4> hyper_ch: yep!
18:54 -!- evil_gregf is now known as gregf
23:14 <+hyper_ch> zx2c4: I know that you use it ;)
23:24 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
--- Day changed Wed Sep 13 2017
02:32 < brianw> dazo: Hello again. I now have; /etc/openvpn/client/test.conf and when I try `systemctl enable openvpn-client@test`, I get; Failed to execute operation: No such file or directory. ANy other suggestions?
02:34 <+hyper_ch> brianw: what distro? did you install openvpn from the distro packages or did you compile it yourself?
02:36 < brianw> hyper_ch: Ubuntu 16.04 Server (LXD guest) on an Ubuntu 16.04 metal.
02:37 <+hyper_ch> no idea
02:37 < brianw> hyper_ch: I can connect using the same command that systemd would use to start the deamon.
02:37  * hyper_ch eyes dazo
02:38 < brianw> hyper_ch: And I installed using apt w/ the base repo's.
02:39 <+hyper_ch> well, I don't use ubuntu
02:39 <+hyper_ch> and on the debians I compiled openvpn myself
02:39 <+hyper_ch> and have the configs in /etc/openvpn/
02:39 <+hyper_ch> and I think I run the same command to start them
02:39 <+hyper_ch> and on nixos it's way different again
02:39 < brianw> hyper_ch: I usually use CentOS7, but I am setting this box for a friend with little unix like OS experience..
02:40 <+hyper_ch> btw, centos... I need to use centos for a software I use, but now I have an upgrade issue
02:40 < brianw> hyper_ch: heh. Ya there is that occasionaly.
02:40 <+hyper_ch> Total size: 1.2 G
02:40 <+hyper_ch> Is this ok [y/N]: y
02:40 <+hyper_ch> Downloading Packages:
02:41 <+hyper_ch> Running rpm_check_debug
02:41 <+hyper_ch> Running Transaction Test
02:41 <+hyper_ch> Transaction Check Error:
02:41 <+hyper_ch>   package kernel-2.6.32-642.15.1.el6.x86_64 (which is newer than kernel-2.6.32-642.13.1.el6.x86_64) is already installed
02:41 <+hyper_ch> maybe you know a solution?
02:41 <+hyper_ch> why does it want to install an older version when a newer kernel is alrady there?
02:41 < brianw> hyper_ch: I can only assume that a package is requiring that version....
02:41 <+hyper_ch> awwww
02:41 < brianw> hyper_ch: This is using `yum update` ??
02:41 <+hyper_ch> btw, that's how I start vpn clients on nixos:  https://github.com/sjau/nixos/blob/master/configuration.nix#L332
02:41 <@vpnHelper> Title: nixos/configuration.nix at master · sjau/nixos · GitHub (at github.com)
02:42 <+hyper_ch> yum update and yum upgrade
02:42 <+hyper_ch> both the same
02:43 < brianw> Ahh nixos. I always wanted to check that out....
02:44 <+hyper_ch> how so?
02:44 <+hyper_ch> and how do you know about it?
02:44 < brianw> hyper_ch: I read about it a while ago...
02:44 <+hyper_ch> it's... different :)
02:44 < brianw> hyper_ch: I was using Gentoo 12 years ago, so I know different. :)
02:45 <+hyper_ch> and then you got a life?
02:45 < brianw> s/was/started/
02:45 <+hyper_ch> (only people with no friends and no life use gentoos) /me hides
02:45 <+hyper_ch> never used gentoo :)
02:45 < brianw> hyper_ch: at the time very few distros would work with what we needed without much hand holding. Gentoo just worked
02:46 <+hyper_ch> I guess nixos and gentoo have quite a few similarities
02:46 < brianw> Gentoo was great for a life. Started you compiling and go to stuff.... :)
02:47 <+hyper_ch> nixos has its share of problems also... especially if you want to use stuff that's not packaged already it can be a pain
02:47 < brianw> BTW; I have a way of starting openvpn now. I just want systemd to babysit it....
02:48 <+hyper_ch> you sure systemd looks in /etc/openvpn/[config|server]?
02:48 <+hyper_ch> on ubuntu?
02:48 <+hyper_ch> it might well be, that it just looks for config files in /etc/openvpn/
02:48 <+hyper_ch> at least back in upstart (ubuntu) and sys-v-init (debian) the conf files only had to reside in /etc/openvpn/
02:49 < brianw> hyper_ch: how do I check. To be honest I am much more familiar with sysv and openrc
02:49 <+hyper_ch> copy the config file to /etc/openvpn/
02:49  * brianw always tries to forget upstart
02:49 <+hyper_ch> and run that systemd command again
02:49 <+hyper_ch> either it works or it doesn't
02:49 < brianw> hyper_ch: already tried that. It does add the unit, but then fails to start it....
02:49 <+hyper_ch> howso? can you share the config?
02:50 < brianw> hyper_ch: the config starts from the cli as well as the same command that systemd attpets to start it with...
02:50 < brianw> hold up.
02:54 < brianw> hyper_ch: https://pastebin.com/cZXWGV2V
02:54 <+hyper_ch> uwww. pastebin.com :)
02:54 < brianw> Heh
02:54 <+hyper_ch> delete that post
02:54 <+hyper_ch> there's certs in there
02:54 < brianw> public certs
02:55 < brianw> Useless without auth
02:56 <+hyper_ch> may I suggest to replace dev tun with:  https://paste.simplylinux.ch/view/8d665203
02:57 <+hyper_ch> becasue that way you can name the dev device to a name
02:57 <+hyper_ch> so with ifconfig it then shows accordingly
02:57 < brianw> hyper_ch: I understand your reasoning, but this will be the only tunnel on this box.
02:58 <+hyper_ch> until there's more ;)
02:58 <+hyper_ch> I connect meanwhile to 6 vpns ;)
02:58 <+hyper_ch> and also started with just 1
02:59 < brianw> hyper_ch: Like I said, this is for a friend. And the container is single purpose; route certain LAN clients out the vpn client....
02:59 <+hyper_ch> no idea why systemd doesn't want to start that
03:00 <+hyper_ch> what permissions does the auth.txt have?
03:00 <+hyper_ch> maybe it's because it will start the tunnel as the user then and that user doesn't have read access to auth.txt?
03:00 < brianw> hyper_ch: the only way I can get systemd to even add the unit is to use the following structure; /etc/openvpn/CONFIGNAME/CONFIGNAME.conf
03:01 < brianw> hyper_ch: which user? nobody?
03:01 < brianw> It won't hand that off until after the tunnel is up...
03:01 <+hyper_ch> don't know under which user you tried to add it to systemd
03:01 < brianw> hyper_ch: root...
03:01 < brianw> hyper_ch: only root can modify systemd AFAIK...
03:02 <+hyper_ch> no idea
03:02 <+hyper_ch> systemd is like this big black mystery
03:02 <+hyper_ch> that just works mostly
03:02 <+hyper_ch> and if not, then google could be your friend
03:02 < brianw> hyper_ch: I know... I so miss openrc. I Was like expert level 5 there...
03:03 <+hyper_ch> sys-v-init was great :)
03:03 <+hyper_ch> never heard of openrc before
03:03 < brianw> Well ya, and sysv
03:04 < brianw> I think my issue stems from being in an unproveleged LXD container... Something in systemd and LXD are not playing nicely...
03:05 <+hyper_ch> on debian, I have the config files in /etc/openvpn/xxx.conf
03:05 <+hyper_ch> and just do:   systemctl restart openvpn@xxx.service
03:05 < brianw> Debian is not working with LXD presently I think.
03:06 <+hyper_ch> lxd is one of those new trendy things I think
03:06 <+hyper_ch> like twitter and facebook - where everybody is hyped about
03:06 < brianw> hyper_ch: I have been using lxc for years now...
03:06 <+hyper_ch> never used it :)
03:06 <+hyper_ch> I keep missing out on those hypes ;)
03:07 < brianw> hyper_ch: I never saw it as hype, but to each his own. :)
03:08 <+hyper_ch> everything is a hype... in a 1000 years (if we haven't annihilated ourselfs or a meteor struck earth or or or), nobody will care about it anymore ;)
03:08 < brianw> ok. I think I may have figured it out! BRB
03:09 < brianw> YES!
03:10 <+hyper_ch> yes we can?
03:10 < brianw> We got it going!
03:11 <+hyper_ch> what did you do?
03:12 < brianw> took out the nproc limit in openvpn systemd init file
03:12 <+hyper_ch> no idea what that is good for
03:12 < brianw> open processes
03:13 < brianw> It was set to 10. But all the processes in an LXD container are tied to one user
03:13 < brianw> Like lumped together to an unpriveleged user on the host.
03:13 < brianw> Tme to submit a bug
03:14 < brianw> Thanks for the talk. Have a good night hyper_ch
03:15 <+hyper_ch> cya
05:51 < TyrfingMjolnir> I have built keys on a separate system SD Card connected to a Lenovo X240 that is never online, now what to do?
06:13 < TyrfingMjolnir> Which folder on the OpenVPN server do I copy which files to?
06:16 < BtbN> Wherever you like them, really
06:16 < TyrfingMjolnir> But OpenVPN server will have to find them
06:17 < TyrfingMjolnir> Is there a path in the config?
06:17 < BtbN> You can write any path you like there.
06:19 < TyrfingMjolnir> Where?
06:19 < TyrfingMjolnir> And if no path is defined what is the default path?
06:20 < BtbN> There is no default path.
06:20 < TyrfingMjolnir> And the parameter to use to set the path is?
06:28 < TyrfingMjolnir> Will the user's keys be searched for in the same folder as ca is defined?
06:30 < TyrfingMjolnir> I see, I only have to configure ca, cert, key, and dh then store the .ovpn in the imap folder of each user
07:09 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 246 seconds]
07:19 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
07:19 -!- mode/#openvpn [+o dazo] by ChanServ
08:23 < pirx> hello! i am trying to import an OpenVPN Config into an ovpn "connection" in the ubuntu network manager. it looks like this: https://hastebin.com/vewulecuci.cs
08:23 <@vpnHelper> Title: hastebin (at hastebin.com)
08:23 < pirx> almost works, but it refuses to pick up on the ca-line
08:23 < pirx> any suggestions?
08:24 < pirx> i already tried to pick a file from the CA option, and export that file. and then thats what i get (up in the hastbin above)
08:24 < pirx> but if i remove the vpn-connection and try to re-import it, it just ignores the ca-line
08:45 < DArqueBishop> TyrfingMjolnir: if it makes things easier, you can always embed the certs into the ovpn/conf file.
08:45 < DArqueBishop> !embed
08:45 < DArqueBishop> !factoids
08:45 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
08:45 < DArqueBishop> !inline
08:45 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
08:46 < nktech1135> Hi all. I have a rather strange issue with openvpn. I'm running a client server network using pfsense as the client side endpoint and a windows server as the server side endpoint. I can ping anything on the server lan but can't use ssh or rdp consistently. It does work sometimes. The server lan also is connected to a site to site ipsec vpn managed by another device and from my client machine i can connect to any machine
08:46 < nktech1135> on the remote lan via ssh or rdp consistently. Does this make any sense to anyone?
09:52 < bovis> I'm trying to sign a client certificate request with a CA using easyrsa. I keep getting this error: https://gist.github.com/anonymous/e7664f11eef47e15f80599af35696e95 Clearly the file is missing. How can I create it? And why exactly do I need the cakey.pem file?
09:52 <@vpnHelper> Title: signing requests · GitHub (at gist.github.com)
11:39 < TyrfingMjolnir> DArqueBishop: I wrote a script some years back that compiles the 3 files into 1 ovpn file
12:10 < Kryczek> Hi! I have a working setup but when I try to connect with my Android phone it fails on the client side, with the first error in the logs being "EVENT: EPKI_INVALID_ALIAS info='foobar'" where foobar is the name of my phone; any idea what causes this? :)
14:02 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:02 -!- mode/#openvpn [+v s7r] by ChanServ
14:04 < Eugene> !configs
14:04 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
14:09 < cmanns> Slow OpenVPN tips?
14:19 <@ecrist> !tcp
14:19 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
14:32 < cmanns> I use UDP
14:33 < cmanns> Android client bearly gets .10-1mbps
14:34 <+rob0> Kind of hard to guess with no information at all, but I'll try, can't resist a WAG. :)  My WAG is that you're using --redirect-gateway with an upload-limited server.
14:37 < cmanns> Sadly I toyed with mtu and network interface settings (checksum offload, etc on kvm vmachine) now went from .10 to 1mbps to 15 down
14:39 < cmanns> Using redirect gateway. Gigabit server that I've used OpenVPN on before, yet to test with desktops- I wanted it for Android use primarily.
15:06 <@dazo> cmanns: VPN performance is strictly bound to the performance of the slowest link speed.  So if you have poor upload speed from your Android client, it will be slow in general
15:07 < cmanns> It has 6mbps upload w/out vpn
15:08 <@dazo> cmanns: against your own server?
15:08 < cmanns> Yeah
15:09 <@dazo> well, then !logs and !configs are needed
15:09 <@dazo> !logs
15:09 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
15:09 <@dazo> !configs
15:09 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
15:14 < cmanns> Ill try it next on desktop
15:17 <@dazo> the "OpenVPN for Android" have a possibility to export a generated config + logs
15:17 <@dazo> but comparing against a desktop is also valuable
17:34 -!- abenz__ is now known as abenz
18:14 <+|Mike|> aloha!
18:54 < spigot> any tricks for getting systemd to wait until a connection has been made to start dependencies when systemd-networkd-wait-online isn't available (openvpn is caled inside a network namespace)? hello from the fringe use case, as usual :D
20:00 -!- abenz__ is now known as abenz
20:23 < awesomeash> !welcome
20:23 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
20:23 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
20:25 < awesomeash> !welcome !goal does ubuntu have a gui for openvpn or nordvpn if so I would like to install i previously used openvpn with windows and configured easily no finding it so easy with ubuntu
20:26 < awesomeash> talkative lot ... :)
20:26 < awesomeash> !goal does ubuntu have a gui for openvpn or nordvpn if so I would like to install i previously used openvpn with windows and configured easily no finding it so easy with ubuntu
20:27 < awesomeash> ok given everyone looks like they are asleep ...
20:27  * awesomeash is saying bye for now
--- Day changed Thu Sep 14 2017
02:14 <+hyper_ch> krzee: "Bash" can be used to infect Windows with malware? interesting - https://blog.checkpoint.com/2017/09/11/beware-bashware-new-method-malware-bypass-security-solutions/  :)
02:14 <@vpnHelper> Title: Beware of the Bashware: A New Method for Any Malware to Bypass Security Solutions | Check Point Blog (at blog.checkpoint.com)
02:56 < Mirabelle> Good afternon
02:57 <+hyper_ch> LIES!!!
02:57 <+hyper_ch> it's morning
02:57 < Mirabelle> lol
02:57 <+hyper_ch> and it's not good... it's cold and grey outside
02:57 <+hyper_ch> and I haven't had coffee yet
02:57 < Mirabelle> Depends where you are :D
02:57 <+hyper_ch> anyway, howdy :)
02:57 <+hyper_ch> in my opinion the only place that counts is where I am ;)
02:57 < Mirabelle> Is someone is able to tell how much is less secure to use tls-auth(openvpn2.3) instead of tls-crypt (openvpn2.4)
02:58  * hyper_ch eyes syzzer
03:00 <+hyper_ch> no idea.... maybe dazo, ecrist know also
03:09 < Mirabelle> Ok, I will wait for an answer so.
04:21 < Mirabelle> Is someone is able to tell how much is less secure to use tls-auth(openvpn2.3) instead of tls-crypt (openvpn2.4)
04:22 <+hyper_ch> Mirabelle: I highlighted all the important people excep plaisthos.... I'm sure one will get back to you when they come back online
04:23 < Mirabelle> Sorry, I didn't noticed :( Thank you for the highlighting
04:23 <+hyper_ch> well, plaisthos is now highlighted as well :)
04:25 < Kryczek> Hi! I have a working setup for Linux and iOS clients but when I try to connect with my Android phone it fails without error on the server side, and with the first error in the client logs being "EVENT: EPKI_INVALID_ALIAS info='foobar'" where foobar is the name of my phone; any idea what causes this? :)
05:19 < Kryczek> Mirabelle: I'd say tls-auth is not any less secure, tls-crypt is more like cherries on top: hiding the certificates in case they were mistakenly filled with sensitive info, and apparently some resistance to cracking by quantum computers
05:23 < Kryczek> Then again I need to investigate why I get countless "WARNING: Bad encapsulated packet length from peer ([0-9]+), which must be > 0 and <= 1626" in my logs despite having tls-auth enabled
05:24 < Kryczek> (when non-OpenVPN clients try to connect, e.g. scanners and other worms on the Internet)
05:41 < pirx> hello! i am trying to import an OpenVPN Config into an ovpn "connection" in the ubuntu network manager. it looks like this: https://hastebin.com/vewulecuci.cs
05:41 <@vpnHelper> Title: hastebin (at hastebin.com)
05:41 < pirx> almost works, but it refuses to pick up on the ca-line
05:41 < pirx> i already tried to pick a file from the CA option, and export that file. and then thats what i get (up in the hastbin above)
05:42 < pirx> any suggestions?
05:42 <+hyper_ch> I get a darkblue page when I open that url... I assume it wants me to enable JS
05:43 < pirx> ah, https://pastebin.com/XX2icya7
05:43 <+hyper_ch> pastebin.com is evil
05:43 <+hyper_ch> why not integrate the ca into the config file?
05:45 <+hyper_ch> pirx: https://paste.simplylinux.ch/view/2776605c
05:45 <+hyper_ch> just open the ca.crt in a text editor and post it between <ca> and </ca>
05:45 < pirx> cool, will try that!
05:46 < pirx> i see it seems super easy to include client certs there too, nice!
05:46 <+hyper_ch> you can include all certs and keys into the config
05:47 <+hyper_ch> only the tls-key has a slight complication to it
05:47 < Mirabelle> @Kryczek I don't really understand in which point what you said isn't done by tls-aut "hiding the certificates in case they were mistakenly filled with sensitive"-> isn't required to valid the secret key before begin to exchange certificate ?
05:49 <+hyper_ch> pirx: https://paste.simplylinux.ch/view/c34447d0
05:50 <+hyper_ch> having all things integreated into the config file is nice, because then you don't have to worry about paths etc
05:54 < pirx> hyper_ch: thansk, works fine!
05:55 <+hyper_ch> why add to network manager and not autorun? any reason?
05:55 < Kryczek> Mirabelle: if you're connecting from a public wifi hotspot for example, you would authenticate correctly but then everyone else can see the certificates
05:56 < pirx> sorry, i dont know what you mean by "autorun" :)
05:56 <+hyper_ch> don't worry
05:56 < Mirabelle> @Kryczek damned :(
05:56 < Mirabelle> exactly what I wanted to avoid :(
05:56 < Mirabelle> and I am not able to migrate to openvpn 2.4
05:56 < Kryczek> Mirabelle: why? What kind of sensitive information do you store in certs?
05:57 <+hyper_ch> what did you want to avoid?
05:58 < pirx> hyper_ch: if you have a lik for "autorun" i would appreciate it:) is it a windows-thing you mean? i am running ubuntu linux
05:59 < Mirabelle> I have personal information in them, I think I will had to create news
05:59 <+hyper_ch> basically add the config to /etc/openvpn/client/xxx.conf
06:00 <+hyper_ch> maybe not a good idea, let me recheck
06:02 < pirx> i am testing the auth-user-pass option now. but it doesnt pick up on that either. any trick?
06:02 < pirx> it references a simple user.txt file that has a (fake) user + pwd, each on a line by its own
06:03 <+hyper_ch> what ubuntu are you on?
06:03 < pirx> 16.10
06:03 <+hyper_ch> that does not use systemd irght?
06:04 <+hyper_ch> also, bad to use 16.10
06:04 <+hyper_ch> support is only 9 months
06:04 < Kryczek> Mirabelle: it's best to configure everything with just codenames and keep the mapping internally; I see too many devices leaking so much information... Typically broadcasts like "John Smith's iPhone" and Windows "SOMECOMPANY" domains, I imagine the hacker next door is like "Neat! John Smith from SOMECOMPANY is exactly who I wanted to hack!"
06:04 <+hyper_ch> which did run out in july
06:04 < pirx> hyper_ch: yes, you are right, i'll upgrade
06:04 < pirx> but thanks for the <ca> info!
06:05 <+hyper_ch> 17.04 has 3 years support
06:05 < Mirabelle> @Kryczek Thank you verymuch for the advices ! I will immediately check my certificates
06:05 <+hyper_ch> but with the auth.txt file it should also work with network manager
06:05 < Kryczek> Mirabelle: and device names ;) You're welcome, my pleasure.
06:05 <+hyper_ch> but buasically you'd put the config to /etc/openvpn/client/
06:05 <+hyper_ch> and the auth.txt to /etc/openvpn/auth.txt
06:06 <+hyper_ch> in the config you'll have a line for the auth.txt and (absolute) path
06:06 < Mirabelle> @My pleasure and an honnor to speak with someone skillfull as you are
06:06 < Kryczek> aw come on you're going to make me blush! :P
06:07 <+hyper_ch> then it should be    systemctl openvpn@[configname].service
06:07 <+hyper_ch> then it should be    systemctl enable openvpn@[configname].service
06:07 <+hyper_ch> and then    systemctl start openvpn@[configname].service
06:07 <+hyper_ch> to start it.... upon reboot it should get autostarted
06:08 <+hyper_ch> but I'm still not sure about systemd in general
06:15 <+|Mike|> ls -slah
06:15 <+|Mike|> err, wrong terminal
06:17 <+hyper_ch> you have a terminal as irc client? :)
06:20 <+|Mike|> hyper_ch: haha, just got the wrong terminal open :) Sometimes you just don't look before writing
06:57 < havoc> any sign of krzee yet?
06:59 <+hyper_ch> no /me is a sad panda
06:59 < havoc> ok
07:06 <+rob0> krzee is indestructible; krzee will return.
07:11 < mitescugd> So, I have this issue : I am using nordvpn which supports ovpn clients. When I run the client, obviously all traffic is routed to the vpn - but this is a problem since I cannot ssh into the server on which I'm running the client. So, to avoid that, I specify in the client config, "route-nopull", and then I route an ip (let's say checkip.dyndns.org), to the vpn, (route <ip> <mask> <vpn's ip>). The only
07:11 < mitescugd> problem is the following - I curl checkip.dyndns.org, but sometimes it gives me the ip of the vpn server (expected and desired behaviour), but other times it gives me my vps's ip (as if the traffic is not routed)
07:11 < mitescugd> I increased verbosity level of the client, but for the requests whose responses are not routed, the client does not log anything.
07:11 < mitescugd> Any idea why this would happen?
07:23 < havoc> well, I have my address recycler mostly framed out
07:23 < havoc> a few bash quirks, but almost done
08:26 < TyrfingMjolnir> This is from my SD card, where do I put which file? http://termbin.com/valm
11:04 < argusbr> i have one server gigabit full duplex i need use openvpn gigabit conexion  what should I do
11:04 < argusbr> my vpn server support gigabit conections
11:25 < JackWinter1> a quick question please.  i've had an openvpn running for a long time, but decied to create a new pki, as the old one used encryption that nowdays is deemed insecure..
11:25 < JackWinter1> was a long time ago that i set it all up so have forgotten a lot.  but does each client get their own key and certificate, or are they the same for all clients?
11:26 <@plaisthos> you can both ca files inthe the same ca.pem file and yor server will accept clients from both pki
11:26 < JackWinter1> think the former, but really am not sure
11:26 <@plaisthos> typically individiual certificates
11:26 < DArqueBishop> Each client gets their own cert/key. They also need the CA's cert.
11:27 < DArqueBishop> (Unless you use --duplicate-cn, but that's not really recommended.)
11:27 <+rob0> Some people set it up with shared certs, but that is ^^ silly.)
11:27 < JackWinter1> yeah, sure.  ok, thanks that's all i needed to ask :)
18:30 <+|Mike|> TyrfingMjolnir: which file are you referring to?
18:32 -!- def_jam is now known as eb0t
19:06 -!- Elon_Satoshi is now known as noordinarysatosh
19:06 -!- noordinarysatosh is now known as noordinaryelon
19:14 -!- noordinaryelon is now known as noordinaryspider
20:31 <@dazo> hyper_ch: eeeek .... use the new unit files when you help people .... openvpn-{client,server}@CONFIGNAME.service
20:32 <@dazo> hyper_ch: most distros (Fedora being the exception) have not enabled a better systemd integration for OpenVPN .... the  openvpn-{client,server}@CONFIGNAME.service unit files should (in theory at least) be our own upstream unit files and they should be identical accross distributions
20:32 <@dazo> plus it provides security hardening and a much better systemd integration (like, it doesn't need a PID file any more)
22:33 -!- abenz_ is now known as abenz
23:44 <+hyper_ch> dazo: systemd is one big mystery that nobody really understands
--- Day changed Fri Sep 15 2017
03:02 < JackWinter1> talking about client/server?  why that change in openvpn?  i (used to) just start openvpn with different config files, is there some other improvement apart from moving the config files into subdirs?
03:03 <+hyper_ch> IMHO not really
03:03 < JackWinter1> or is that on my downstream?
03:03 <+hyper_ch> old debian was: put configs in /etc/openvpn
03:03 <+hyper_ch> they'll get autostarted
03:03 < JackWinter1> all of them?
03:03 <+hyper_ch> in old debian it was like that
03:03 <+hyper_ch> before systemd
03:03 < JackWinter1> bleh :)
03:04 <+hyper_ch> there was an init script that just used /etc/openvpn/*.conf
03:04 < JackWinter1> yeah, i see.  very flexible solution
03:04 <+hyper_ch> fail to see that client/server thing as well
03:04 < JackWinter1> is that openvpn upstream?
03:05 < JackWinter1> or is it systemd specific?
03:05 <+hyper_ch> no idea
03:07 < JackWinter1> are we supposed to move certs and other files into the client/server subdirs too?
03:08 < JackWinter1> or is that just for the config files themselves?
03:10 <+hyper_ch> I integrate certs and stuff directly into the config
03:12 < JackWinter1> i have mine with absolute paths in the config too, didn't even know there might be another way of doing it :)
03:17 <+hyper_ch> there is
03:18 <+hyper_ch> <ca> ... </ca>
03:18 <+hyper_ch> <key> ... </key>
03:18 <+hyper_ch> <cert> ... </cert>
03:18 <+hyper_ch> key-direction 0 # for server
03:18 <+hyper_ch> key-direction 1 # for clients
03:18 <+hyper_ch> <tls-auth> ... </tls-auth>
03:18 <+hyper_ch> keydirection is necessary for the tls-auth
03:19 <+hyper_ch> https://github.com/sjau/sipGenVPN/blob/master/common.sh#L77
03:19 <@vpnHelper> Title: sipGenVPN/common.sh at master · sjau/sipGenVPN · GitHub (at github.com)
04:01 -!- abenz_ is now known as abenz
04:56 < winsoff> I'm on Windows--how do I connect to an OpenVPN server with just an IP address?
06:59 < msn> if i create a new file in clientconfigdir and then connect the host with corresponding CNAME does that work or is there a way to load that config
06:59 < msn> I have a host which is being given an IP from the pool instead of clientconfig i have specified even after multiple client restarts
07:02 < msn> nvm fixed it :) thanks for help;
07:28 -!- abenz_ is now known as abenz
10:23 < havoc> still no krzee :(
10:24 <+hyper_ch> yeah :(
10:27 < havoc> well, got my IP recycler, for the ifconfig-pool, pretty much done
10:28 < havoc> thought about using sqlite, but bash/sed/awk get it done, for all the load it'll have
10:28 < havoc> and no external deps
14:07 -!- svm_invi_ is now known as svm_invictvs
14:17 -!- xemdetia_ is now known as xemdetia
14:50 < raboof> ok, so I started with the 'how to' guide, and got to a point where I could ping the openvpn server on 10.9.8.1 (assigning the client 10.9.8.2)
14:51 < raboof> then I wanted to port-share, so I set up certificates with easy-rsa
14:52 < raboof> now the server logs 'bad source address for client', showing both 10.9.8.2 (which makes some sense, as it's the client tunnel ip) and the IP associated with the wifi interface on the client
14:52 < raboof> what would be the best guide to follow next? :)
15:01 < raboof> my server has just 1 public IPv4 IP and I'd like my client's traffic to be routed out through it
15:02 < raboof> s/routed/NATed/
15:11 < bdspice> hello
15:11 < bdspice> is there any one alive now?
15:47 <@dazo> !ask
15:47 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
17:36 -!- abenz_ is now known as abenz
21:21 < {HD}> Hey, I just setup an openvpn connection from my pfsense to my ios device. I have "Force all client generated traffic throught the tunnel" checked because I want it to pass through my local servers but when I do that I can no longer access anything that is not on my network. There is no wan access...
21:21 < {HD}> any ideas?
23:17 < tcpdump> Hey everyone, Im trying to figure out the --up cmd  piece here. Im wanting to invoke a .sh script at tun creation that really has nothing to do with openvpn, per se.  Is that possible or is my up script really reserved for openvpn related commands?
23:25 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
23:26 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
23:26 -!- mode/#openvpn [+v s7r] by ChanServ
23:26 < abenz> tcpdump: you can do anything with the script
23:27 < tcpdump> abenz: Ive found that if I write a generic .sh script  and add   "up /path/tomy/script.sh"
23:27 < tcpdump> systemd fails to start openvpn.
23:28 < tcpdump> I have the client running as a service.
23:28 < abenz> why does it fail? read the log
23:29 < abenz> did you add "script-security 2" to your config?
23:43 <@ordex> tcpdump: abenz is probably right. But you should really check the log first: it will say what's wrong
23:44 < tcpdump> abenz: i did not.. I need to do that in conjunction to the up?
23:44 < tcpdump> let me try that real quick.  1 sec
23:48 < tcpdump> abenz: geez that was it...
23:49 < tcpdump> when I added that it stops freaking out.  The error before was rather vauge though.
23:49 < tcpdump> It just had a generic "connected to remote peer ."
23:49 < tcpdump> or something close to that.
23:49 < tcpdump> and then died
23:50 < tcpdump> Ok, so when I do it that way, with  "up" it wont exec the command until the connection is fully up?
23:58 < tcpdump> Wow
23:58 < tcpdump> that works really well...
23:58 < tcpdump> thanks
23:59 < abenz> :)
23:59 < tcpdump> the security part was what I was missing.
23:59 < tcpdump> :/
23:59 < tcpdump> You dont by chance know network manager well, do you? :)
--- Day changed Sat Sep 16 2017
00:03 < abenz> on most my systems I use command line
00:04 < abenz> but I think I tried network manager once on a laptop
00:04 < abenz> I just imported .ovpn file and it worked
00:10 < tcpdump> nice!
00:10 < tcpdump> abenz: soooo
00:10 < tcpdump> whats the difference in    up and --up-restart  ?
00:11 < tcpdump> is up restart if Im using it as a service?
00:11 < tcpdump> and systemd restarts it?
00:11 < tcpdump> or if you reconnect?
00:15 < abenz> up-restart will call the up script for restarts
00:15 < abenz> as oppposed to first initilization only
00:15 < tcpdump> im sorry - Im trying to understand what a "Restart" is.  Is that when it drops and reconnects, but the pid never died?
00:15 < tcpdump> like a reconnect?
00:16 < tcpdump> as opposed to initial connection?
00:16 < tcpdump> I asked the question the wrong way before.
00:16 < tcpdump> sorry
00:17 < abenz> tcpdump: https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
00:17 <@vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
00:17 < abenz> hit Ctrl+F
00:17 < abenz> enter: --up cmd
00:19 < tcpdump> Got it! Thanks...
00:20 < tcpdump> So I have all those conditions met.. so should be good to go.  :)
00:20 < tcpdump> Thanks again.
00:20 < abenz> :)
00:20 < tcpdump> That made everything so much better.
00:21 <@ordex> tcpdump: abenz: that page is outdated. you may want to consult the man of the latest page https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
00:21 <@vpnHelper> Title: Openvpn24ManPage – OpenVPN Community (at community.openvpn.net)
00:25 < abenz> ordex: updating my bookmarks :)
00:25 <@ordex> :)
04:25 -!- abenz_ is now known as abenz
05:51 <+hyper_ch> krzee: oh, this gotta to be good... Talk between Mike Godwin and Mike Masnick - Godwin's Law and Streisand Effect  https://www.youtube-nocookie.com/embed/lP1atx0m9lg
05:51 <@vpnHelper> Title: WHD.usa 2017: What Do You Meme? Godwin’s Law vs. The Streisand Effect - YouTube (at www.youtube-nocookie.com)
06:05 < Neobenedict> hi
06:05 < Neobenedict> i cant seem to get port forwarding to work at all any help
06:05 < Neobenedict> port forward a port to a client from server
06:06 < Neobenedict> -A PREROUTING -p tcp -d <public ip> --dport 49998 -j DNAT --to-destination 10.8.0.2:49999
06:06 < Neobenedict> doesnt work
06:06 <+hyper_ch> you want to forward a port from the public to the vpn?
06:07 < Neobenedict> yes
06:07 < Neobenedict> i want to port forward on my computer through my server
06:07 < Neobenedict> so in reverse the public internet needs to forward itself thru openvpn to my computer.
06:08 < Neobenedict> (on a certain port)
06:09 <+hyper_ch> Neobenedict: I use that on the vpn server:  https://paste.simplylinux.ch/view/26983dae
06:11 <+hyper_ch> first resetting all the iptable rules
06:12 <+hyper_ch> then adding required portforwarding.... I do udp and tcp.....
06:12 <+hyper_ch> with the portArr I can assign the port and to which client it should go... in the above example the only client is 10.8.0.8
06:13 <+hyper_ch> well, that works for me :)
06:15 < Neobenedict> i cant use that script
06:15 < Neobenedict> but im doing the same thing
06:15 < Neobenedict> and it just wont work
06:15 < Neobenedict> :/
06:15 <+hyper_ch> do you have enable ipforwarding ont he server?
06:16 <+hyper_ch> !ipforward
06:16 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
06:16 <+hyper_ch> you need the prerouting, forward and the postrouting
06:17 < Neobenedict> yes i have ip forwarding
06:17 < Neobenedict> if i cant ping the client from the server
06:17 < Neobenedict> is that bad
06:17 <+hyper_ch> check your client's firewall
06:18 < Neobenedict> my client is a windows machine
06:18 < Neobenedict> it has no firewall
06:18 < Neobenedict> it should be pingable, no?
06:18 <+hyper_ch> you should upgrade your client to Linux
06:18 < Neobenedict> lol
06:18 <+hyper_ch> pretty sure it has a firewall
06:19 <+hyper_ch> or it's out-of-support aka XP
06:19 <+hyper_ch> even xp had a firewall... intereswting
06:21 <+hyper_ch> anyway, it's your client's problem that it can't be pinged or reached
06:21 <+hyper_ch> nothing wrong with openvpn here
07:03 < bnyio> Hi, quick question: is there a way to pass a password via commandline argument to the openvpn client. (Not as filename like in --auth-user-pass). more something like "--username test --password secret"?
07:04 <+hyper_ch> you could use tcl
07:05 <+hyper_ch> and script it to automate it
07:05 < havoc> or shell redirection
07:05 <+hyper_ch> openvpn doesn't have any such capabilities itself to my knowledge
07:05 <+hyper_ch> and what's wrong with auth.txt?
07:06 < bnyio> Could you please explain how. I have a bash script that does parsing username and password by itself (gpg) and want to pass it to the client.
07:07 <+hyper_ch> bnyio: here's how I use tcl/expect to provide password for MariaDB  https://github.com/sjau/perfectDebian/blob/master/install.sh#L241
07:07 <@vpnHelper> Title: perfectDebian/install.sh at master · sjau/perfectDebian · GitHub (at github.com)
07:08 <+hyper_ch> or here for roundcube:  https://github.com/sjau/perfectDebian/blob/master/install.sh#L440
07:08 <@vpnHelper> Title: perfectDebian/install.sh at master · sjau/perfectDebian · GitHub (at github.com)
07:09 <+hyper_ch> actually, line 444 should be removed :)
07:11 <+hyper_ch> bnyio: those two examples should show you
07:12 < bnyio> hyper_ch: thanks I'll take a look at this.
07:12 <+hyper_ch> bnyio: here's another one with a whole bunch of questions:   https://github.com/sjau/perfectDebian/blob/master/install.sh#L478
07:12 <@vpnHelper> Title: perfectDebian/install.sh at master · sjau/perfectDebian · GitHub (at github.com)
07:16 < bnyio> I Havent used expect before, but sounds like this could help. I'll play around with this a bit. thanks for the hint.
07:16 <+hyper_ch> it's tcl :)
07:16 < havoc> heh, I haven't even thought of tcl/tk in *decades*
07:17 <+hyper_ch> https://www.tcl.tk/man/expect5.31/expect.1.html
07:17 <@vpnHelper> Title: Manpage of EXPECT (at www.tcl.tk)
07:17 <+hyper_ch> expect - programmed dialogue with interactive programs, Version 5
07:17 < bnyio> havent used tcl neither :-)
07:17 <+hyper_ch> I rarely use it myself
07:29 -!- abenz_ is now known as abenz
10:44 < __rob> hi
10:45 < __rob> I'm using openvpn with a socks5 proxy and am finding it seems really slow
10:45 < __rob> compared to using the socks5 proxy directly in Chrome
10:46 < __rob> trying to figure out exactly what might be causing the problems
10:46 < __rob> its to the point that web pages time out, and pinging google dns servers will only work intermitantly
10:48 <+hyper_ch> why use socks5 proxy?
10:48 < __rob> well, I'm tethering my laptop through my mobile on a provider that doesn't allow tethering
10:49 < __rob> so the phone provides the tunnel to another pc
10:49 < __rob> and I connect openvpn using this tunnel to the openvpn server
10:49 < __rob> which is on the same pc as the tunnel is connected to
10:53 <+hyper_ch> how can the provider know if you're tethering?
10:54 < __rob> no idea, but if i browse it goes to the providers website
10:55 < __rob> saying that "sorry you cant tether""
10:55 <+hyper_ch> weird
10:55 <+hyper_ch> well, don't know about socks proxy
10:55 < Elon_Satoshi> ISPs are weird lol
10:55 < __rob> https://i.snag.gy/FuXc8v.jpg
10:55 < __rob> that is my setup
10:56 < Elon_Satoshi> Mine used to connection reset when I tried to load example.com/download/
10:56 < __rob> has been working ok, never as fast as using the socks5 proxy directly
10:56 < __rob> but today was really slow
10:56 <+hyper_ch> do you use a phone you got from your provider?
10:56 < __rob> turned off all logging etc.. on server client for OVPN
10:56 < __rob> no, chinese phone
10:56 < Elon_Satoshi> And I've never found anybody else with that issue, and I've never had that issue again
10:56 <+hyper_ch> maybe it has custom firmware on it that makes it detectable
10:56 < Elon_Satoshi> And I can't remember whether it was in http or https
10:56 < __rob> think they look at the traffic and can tell
10:57 < __rob> which they cant if its encrypted
10:57 <+hyper_ch> as said, no idea about socks proxy
10:57 < __rob> with the SSH tunnel
10:57 < __rob> yeah, ok
10:57 < __rob> hoping it might be something I could change in the config to get it running faster
10:58 <+hyper_ch> on the hotspot phone
10:58 <+hyper_ch> it also routes everything through the vpn?
10:59 < __rob> when the VPN is connected (via the tunnel) everything from the PC goes through the vpn
10:59 <+hyper_ch> you use your phone as hotspot, right?
10:59 <+hyper_ch> and you have a openvpn server somewhere, right?
10:59 < __rob> yea
10:59 <+hyper_ch> so, the phone also uses the openvpn tunnel?
11:00 < __rob> no, the phone is just providing the ssh tunnel
11:00 < __rob> I connect to the phones wifi network
11:00 <+hyper_ch> make the phone also use the openvpn tunnel and route all traffic through it
11:00 <+hyper_ch> then see, if openvpn is still slow
11:00 < __rob> and use 192.168.43.1 for the proxy in openvpn config
11:01 < __rob> (which is my phones ip )
11:01 < __rob> for the hotspot
11:01 < __rob> yes, ok worth a try
11:01 <+hyper_ch> reduce complexity and test
11:01 <+hyper_ch> if it works fine
11:01 <+hyper_ch> add more complexity
11:01 <+hyper_ch> until you find otu where it breaks
14:53 -!- dionysus70 is now known as dionysus69
15:55 < oshekfeh> Hi guys, I want to access internet from my mobile devices using vpn. I installed successfully openvpn server in my AWS server so I can establish a conneciton between my mobile device and my server. But the internet still go though my ISP not through my vpn server. Is there any specific configuration can be done on my server or my mobile to route the traffic through my vpn server?!
19:01 < derpSaucey> how do I make the client route trafic by-default through a network?
19:04 < derpSaucey> found this website
19:04 < derpSaucey> https://serverfault.com/questions/776944/openvpn-route-all-traffic-through-vpn-but-through-particular-client-not-server
19:04 <@vpnHelper> Title: linux - openvpn route ALL traffic through VPN but through particular client (not server) - Server Fault (at serverfault.com)
19:04 < derpSaucey> so...kinda wanna try it
19:05 < derpSaucey> I don't know what my `EXIT_IP` is
19:07 -!- abenz_ is now known as abenz
19:28 < derpSaucey> k. found the `gateway redirect` option on my pfsense instance
--- Day changed Sun Sep 17 2017
04:03 < cluelessperson> hey guys
04:03 < cluelessperson> I use openvpn a lot
04:04 <+hyper_ch> congrats
04:04 < cluelessperson> at home I have an openvpn connection, and it seems to be limited to like 344 mbps, on a 1gbps connection
04:04 < cluelessperson> how do I speed this up?
04:04 <+hyper_ch> depends
04:04 <+hyper_ch> could be throttling by your isp
04:05 <+hyper_ch> could be your cpu can't handle the encryption part
04:05 < cluelessperson> hyper_ch: it's on the local lan
04:05 <+hyper_ch> could be the vpn server can't handle the encryption part
04:05 <+hyper_ch> there might be gnomes in your machines
04:05 < cluelessperson> well, how do I speed it up?
04:05 < cluelessperson> seems to be hitting 15% on my windows machine
04:06 < cluelessperson> 30% on my server
04:06 < cluelessperson> so it's not even using one thread
04:06 <+hyper_ch> old article, not sure if it's still valid:  https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
04:06 < cluelessperson> one full core
04:06 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
04:07 < cluelessperson> hyper_ch: oh sweet, that's looking promising, thank you, I'll try it
04:07 < cluelessperson> hyper_ch: it makes sense  overhead is probably what's killing it
04:08 <+hyper_ch> I wonder if --engine aesni is now default
04:08 < Kryczek> cluelessperson: I too am a fan of OpenVPN but I have to say for high performance IPsec is best, especially in a LAN from machine to machine you should be using encrypted transport (as in IPsec Transport) as opposed to encrypted tunnels (as in IPsec Tunnel or OpenVPN)
04:08  * hyper_ch eyes dazo, ecrist
04:09 < cluelessperson> Kryczek: I use openvpn for a combination of vpning across the internet multiple machines for mainly low bandwidth stuff, and on my home connection for security reasons
04:09 < cluelessperson> I roll Root and intermediary CAs and user certs
04:09 < cluelessperson> the focus is security
04:09 < Kryczek> not to mention multithreading considerations and having the bulk encryption/decryption done entirely in kernel as opposed to having to go to userland every time :)
04:10 < Kryczek> cluelessperson: IPsec is not less secure
04:10 < cluelessperson> Kryczek: I'm concerned about it being less dynamic
04:10 < Kryczek> cluelessperson: and you can keep the same PKI
04:10 < Kryczek> cluelessperson: I use both OpenVPN and IPsec, for the same purposes :)
04:11 < Kryczek> I was suggesting using IPsec just for the 1Gbps use case
04:11 < cluelessperson> Kryczek: ah, what do you suggest using as the server (software) ?
04:12 < Kryczek> cluelessperson: Windows supports IPsec natively since 2000
04:12 < Kryczek> there is a MMC for it
04:12 < cluelessperson> Kryczek: I'm asking about the server (debian) :P
04:12 < Kryczek> ah sorry I thought both client and server were windows :)
04:13 < Kryczek> cluelessperson: in Linux it's split two ways: one part is interacting with the kernel for setting keys, which you can even do manually for testing for example, so first you need the ipsec-tools package
04:14 < Kryczek> cluelessperson: then you have a choice for the second part, the dynamic key management derived from certificate authentication etc, aka the ISAKMP/IKE phase
04:14 < Kryczek> cluelessperson: most tutorials describe the raccoon package for that part, but I don't like that raccoon runs as root, so I use the "isakmpd" (OpenBSD's ISAKMP daemon) package on Debian
04:15 < Kryczek> cluelessperson: isakmpd is the thing that will be listening on UDP port 500 and/or 4500 (especially if you want NAT Traversal) to authenticate clients and provide them with session keys, then all the rest is done in kernel hence the high speed
04:16 < Kryczek> cluelessperson: StrongSWAN is my favourite IPsec suite but it's for really advanced setups (e.g. with TPM Remote Attestation)
04:17 < Kryczek> cluelessperson: so here I would recommend just ipsec-tools and isakmpd :)
04:18 < Kryczek> cluelessperson: hopefully your Windows is 7 or more recent, otherwise you might have to use 3DES instead of AES
04:20 < Kryczek> also use a counter mode (CTR or GCM) rather than block chaining (CBC)
04:21 < Kryczek> for faster performance since counter mode allows for out of order decryption
04:24 <+hyper_ch> ok, aesni is used by default if available
04:25 <+hyper_ch> increasing tun-mtu seems to speed up things
04:27 <+hyper_ch> once I get gigabit in the office (like in 2 weeks) I can then test as at home I already have gigabit
04:30 < Kryczek> 9000 MTU with jumbo frames would also speed up things ;)
05:40 -!- abenz_ is now known as abenz
06:04 <+hyper_ch> do jumbo frames have a negative effect on WAN or non-gigabit wan connections?
06:26 < Kryczek> hyper_ch: as far as I know they do not exist outside of gigabit LANs
06:27 < Kryczek> hyper_ch: if somehow you send a 9000B packet to the Internet, it will end up being fragmented
06:27 < Kryczek> so not too big of a deal (unless the application on top really does not like it) but you would be introducing some unnecessary overhead
06:27 <+hyper_ch> and will cause the internet to implode?
06:28 < Kryczek> TCP connections will most likely perform their own Path MTU Discovery (PMTUD) anyway
06:29 <+hyper_ch> so, if you have a gigabit connection at the office
06:29 <+hyper_ch> and a gigabit connection at home... how to get most out of it?
06:42 < Kryczek> hyper_ch: between the two?
06:42 <+hyper_ch> yes
06:43 < Kryczek> ah sorry you mean Gigabit Internet access, not Gigabit Ethernet?
06:43 <+hyper_ch> well, my home is not at my office
06:43 <+hyper_ch> so, internet
06:43 < Kryczek> I don't know if Gigabit Internet has jumbo frames, I imagine it's unlikely as you'll probably hit a router limited to ~1500 bytes somewhere
06:44 < Kryczek> hyper_ch: yes I mean at first I thought maybe you meant Gbps Ethernet in both your home and office, but with slower Internet between the two
06:44 < Kryczek> I am not as lucky as to have Gigabit Internet so I don't know :)
06:44 <+hyper_ch> no no, it's for backup
06:44 <+hyper_ch> I make backups from home to the office
06:44 <+hyper_ch> and from the office to home
06:46 <+hyper_ch> isn't mtu = 1500 something from pre-historic times?
06:47 < Kryczek> if you want the absolute most it would help to make sure you do not waste dozens of bytes per packet, typically by having Ethernet>IP>UDP>[OpenVPN or IPsec NAT-T]>IP>[...]
06:48 < Kryczek> if you can make the machines on both ends face each other or if you have advanced enough NAT that can properly forward IPsec, you could make this as short as Ethernet>IPsec>[...]
06:48 < Kryczek> the [...] part representing whatever you do with the connection, e.g. TCP>HTTP if it's a web connection
06:48 <+hyper_ch> ipsec... no thx
06:48 < Kryczek> why?
06:49 <+hyper_ch> fail to see how that's any useful
06:49 < Kryczek> Ethernet>IP>UDP>[OpenVPN or IPsec NAT-T]>IP>[...]
06:49 < Kryczek> Ethernet>IPsec>[...]
06:49 < Kryczek> is that clear enough? :)
06:49 < Kryczek> the top one has much higher overhead
06:50 <+hyper_ch> no thx to ipsec
06:50 < Kryczek> pfft
06:50 < Kryczek> wilfull ignorance
06:51 <+hyper_ch> if thinking this makes you happy, then I won't argue
06:54 < Kryczek> you're not even providing any argument
06:54 < Kryczek> "no thx to ipsec" herp derp
06:55 <+hyper_ch> I fail to see why I should even provide an argument
06:55 <+hyper_ch> I have no interest in ipsec and I didn't ask on how to optimze for ipsec
06:56 <+hyper_ch> I wondered how I could optimize gigabit internet for openvpn
06:56 < Kryczek> you can't because it makes no sense
06:56 < Kryczek> it's not even multithreaded yet
06:57 <+hyper_ch> think whatever makes you feel good
06:57 < Kryczek> your question is like "how can I optimize my motorcycle for Formula 1 racing?"
06:57 <+hyper_ch> think whatever makes you feel good
06:58 < Kryczek> hah
07:13 < janem> can anyone explain why my openvpn bridge setup is serving clients a ip from the "server-bridge" defined pool, AND it gets an IP from the remote dhcp service? So clients gets two ip-addresses on the tap interface...
07:21 < janem> OS X client and using Tunnelblick
09:11 < rob0> janem, the question contains the answer.  You have two processes (openvpn client, DHCP client) each assigning an IP address to the interface.  If you want DHCP, don't tell openvpn to give addresses from a pool.  If you want the openvpn pool, disable the DHCP client.
10:40 < janem> rob0: thanks for the reply. I dont want dhcp, and I dont quite get how I would disable it. I would have to disable dhcp for the clients tap0 interface?
11:20 <+hyper_ch> still no new from krzee :(
18:11 -!- abenz__ is now known as abenz
18:28 <+|Mike|> hyper_ch: i'm getting his phone number through someone :)
22:00 <@ordex> hyper_ch: I wonder if he had to relocate :/
23:04 < marvin3> hi
23:05 < marvin3> I am having trouble importing ovpn files on openvpn client running on android phone. they are placed on SD card but I don't even see them to select them
23:05 < marvin3> I have ca.crt client.crt client.key and client.ovpn on the root of the sd card
23:06 < BenderRodriguez> hello
23:06 < BenderRodriguez> I need help
23:07 < BenderRodriguez> The openvpn daemon is unable to start and fails with a permissions denied error while attempting to read the various cert/keys under /etc/openvpn
23:07 < BenderRodriguez> what is the proper permissions/ownership structure for these files in order for it to read it properly while keeping it secure
23:07 < skyroveRR> Typically root.
23:07 < BenderRodriguez> I thought about creating a separate directory under /openvpn, creating a specific user for this direcrtory and then specifying the permissions
23:07 < BenderRodriguez> but that didn't work either
23:07 < BenderRodriguez> it just fails with permissions denied. Very odd.
23:08 < skyroveRR> What user are you running the daemon as?
23:08 < BenderRodriguez> I'm starting it under root, so I guess root
23:09 < skyroveRR> You're starting it as root, but then, are you telling openvpn to switch to nobody or some other user/group?
23:15 < BenderRodriguez> skyroveRR: not sure i understand. I'm not telling to switch to anything as far as I know
23:21 < BenderRodriguez> ok nvm
23:21 < BenderRodriguez> SELinux was the culprit
23:32 < skyroveRR> BenderRodriguez: could have mentioned the distro in your question.
23:48 <+hyper_ch> |Mike|: he has a phone number? but that makes him trackable...
23:49 <+hyper_ch> marvin3: you could also integrate the keys and certs intot he config file... also you might want to use .ovpn file extension on android
23:50 <+hyper_ch> BenderRodriguez: or you could just integrate the certs and keys into the config files
23:59 < BenderRodriguez> hyper_ch: explain
--- Day changed Mon Sep 18 2017
00:02 <+hyper_ch> what's there to explain?
00:06 < BenderRodriguez> hyper_ch: explain what you mean by integrating certs and keys into the config files
00:06 < BenderRodriguez> hyper_ch: explain how you would do that, the formatting etc.
00:08 <+hyper_ch> BenderRodriguez: https://lmgtfy.com/?q=openvpn+integreated+keys
00:08 <@vpnHelper> Title: LMGTFY (at lmgtfy.com)
00:40 -!- abenz_ is now known as abenz
00:43 < BenderRodriguez> hyper_ch: thanks for the help...
01:15 < marvin3> hi
01:16 < marvin3> when accessing machines other than vpn server through the vpn. should I just do ethernet bridging? what is the prefered way? https://openvpn.net/index.php/open-source/documentation/howto.html#scope
01:16 <@vpnHelper> Title: HOWTO (at openvpn.net)
01:16 <+hyper_ch> marvin3: what other machines?
01:17 <+hyper_ch> do you route all your traffic through the vpn?
01:18 < marvin3> I don't know? I have machine A that runs OpenVPN sever. and machine B that is on the same LAN as the server. I want to access both machine A and B through the same VPN. currently I can only access machine A
01:18 <+hyper_ch> well, you should know how you have configured things
01:18 <+hyper_ch> !configs
01:18 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
01:18 < marvin3> moment
01:24 < marvin3> hyper_ch here: http://lpaste.net/358539
01:25 <+hyper_ch> no traffic is routed through the vpn except when you try to access a VPN IP
01:25 <+hyper_ch> so you can still access everything else like normal
01:25 <+hyper_ch> if you access google.com it won't use the vpn for that
01:26 < marvin3> you are talking about client?
01:26 <+hyper_ch> if you access a client with vpn ip 10.8.0.x and you use that ip it will go through the vpn
01:27 < marvin3> but how does client access machine B, the non-openvpn server machine? I did not assign it any 10.8.0.x IP. or is it assigned automatically?
01:27 <+hyper_ch> marvin3: I have no idea where you see the problem or what you want to achieve
01:28 < marvin3> I want to access both machine A (running openvpn server) and machine B (on the same LAN as machine A) through android phone that is connected on internet
01:28 < marvin3> via mobile connection, not through the same lan
01:28 <+hyper_ch> ok
01:30 < marvin3> so can this be done out of the box? or not? I thought I was on track with https://openvpn.net/index.php/open-source/documentation/howto.html#scope but now I am no longer sure
01:30 <@vpnHelper> Title: HOWTO (at openvpn.net)
01:35 <+hyper_ch> marvin3: may I suggest a bit a better config?
01:35 < marvin3> sure
01:36 <+hyper_ch> https://paste.simplylinux.ch/view/6ba76bf1
01:36 <+hyper_ch> if you want to talk clients with one another, use client-to-client option
01:37 <+hyper_ch> using     dev xxxxx   and dev-type tun
01:37 <+hyper_ch> you can easily give the dev interface a name (useful when you have multiple vpns)
01:37 <+hyper_ch> with the ccd you can easily push custom config stuff to client or assign them a static ip
01:38 < marvin3> does machine B also have to connect to VPN server, that is on the same LAN? I was hoping server can do all the lifting
01:38 <+hyper_ch> you can integrated the certs and keys directly into the config file (I prefer it that way meanwhile)... it just makes it less hassle to prot from one place to another
01:38 < marvin3> on a second thought that question probably doesn't make sense
01:38 <@ordex> marvin3: no need. the server cna act as gateway for the lan behind him
01:38 <@ordex> *can
01:38 <+hyper_ch> instead of remove IP you could use a free dyndns service
01:39 <+hyper_ch> or do you have a static ip?
01:39 < marvin3> I will, I'm just testing things out now
01:40 <+hyper_ch> client-to-client  and   topology subnet are the essential things that you were missing IMHO
01:41 <+hyper_ch> my other changes are more cosmetical / convenience
01:41 <+hyper_ch> on your router, you'll need to enable port forwarding to your vpn server
01:42 <@ordex> hyper_ch: it depends what is goal is, I'd say
01:42 <@ordex> not sure why you are giving all these general suggestions when he did not ask for them :P
01:42 <+hyper_ch> because they are convenient
01:43 <@ordex> hyper_ch: convenient if he is doing what you have in mind. not convenient/dangerous if he is doing something else, no ?
01:43 <@ordex> client-to-client might be dangerous if you have client isolation in mind, no?
01:43 <@ordex> and port forarding is required only if the VPN server is behind a router/NAT
01:43 <+hyper_ch> he said he wanted to access stuff from his android
01:44 <+hyper_ch> ‎[08:23] ‎<‎marvin3‎>‎ I want to access both machine A (running openvpn server) and machine B (on the same LAN as machine A) through android phone that is connected on internet
01:44 <@ordex> yup, he did not say he can't connect
01:44 <@ordex> anyway, just wanted to redirect the discussion towards the problem he mentioned
01:44 <@ordex> and machine B is not a VPN client
01:45 <@ordex> no?
01:45 <+hyper_ch> I assumed it was also a vpn client
01:45 <@ordex> he said it's on the same LAN as the server
01:45 <@ordex> and:
01:45 <@ordex> [1431.55] < marvin3> does machine B also have to connect to VPN server, that is on the same LAN? I was hoping server can do all the lifting
01:45 <@ordex> which clearly means he wants to avoid that :P
01:45 <+hyper_ch> that's one interpretation ;)
01:46 <@ordex> hehe sure
01:46 <@ordex> marvin3: is machine B connected to the VPN?
01:46 <@ordex> or is it just phisically in the same LAN as the server?
01:46 <+hyper_ch> or do you run openvpn on the router?
01:48 < marvin3> machine B is on the same LAN as the server
02:02 < marvin3> ok so I did some minor tweaking, and now I am connecting fine again, with your config. but how does client access machine B? what is the 10.8.x.x ip? I tried 10.8.0.2, but that would have been too easy
02:04 <+hyper_ch> marvin3: well, machine B is not in the vpn so it can't be access through the vpn.... I'd also make machine B a vpn client but the other option is routing the lan
02:06 < marvin3> what option is prefered?
02:07 <@ordex> also NAT is an option, but it depends is machine B is ever required to start any connection
02:07 <@ordex> *if
02:07 <+hyper_ch> I prefer making machien b a client as well... but all you'll have to do to avoid that is   enable ipforwarding and push the lan route
02:09 <+hyper_ch> marvin3: what's your lan network? 192.168.0.x?
02:09 < marvin3> yes
02:09 <+hyper_ch> and also check the the network in your android phone when connected to 3g/4g
02:09 <+hyper_ch> it's usually also nated
02:10 <+hyper_ch> e.g. my provider currently assings me 10.135.151x
02:11 <+hyper_ch> you must make sure that the lan network from your cell phone provider is different than the lan network you use at home
02:11 < marvin3> I see
02:11 <+hyper_ch> then you need to enable ipforwarding
02:11 <+hyper_ch> !ipforward
02:12 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
02:12 < marvin3> in that case phone would access machine B via 192.168.0.x IP, or 10.8.0.x?
02:12 <+hyper_ch> and then add to the server config:    push "route 192.168.0.0 255.255.255.0"  --> or use your current lan subnet
02:12 <+hyper_ch> then the phone would access via 192.168.0.x
02:13 <+hyper_ch> and not through a vpn ip
02:13 < marvin3> i also wanted to access both machines through public wifis, so if whether it works or not depends on network settings then that would be problematic
02:13 <+hyper_ch> marvin3: in that case I'd recommend making your machine B a vpn client as well
02:13 < marvin3> yeah
02:13 <+hyper_ch> with your chose vpn subnet 10.8.0.x there should be very little hassle
02:14 <+hyper_ch> I ahven't encountered yet a public lan that uses that
02:14 <+hyper_ch> I'm not saying they don't exist, I just haven't encountered one yet
02:14 < marvin3> in any it is far less likely than public wifi using 192.168.0.x
02:14 < marvin3> +case
02:15 <+hyper_ch> well, most router manufacturers do use 192.168.0.x
02:15 <+hyper_ch> and if someone sets up a public wifi, it's likely they use that as well
02:15 <+hyper_ch> or 192.168.1.x
02:22 < marvin3> so how much resources does openvpn client use? machine B is satellite receiver with arm CPU and not a lot of ram
02:22 < marvin3> i guess if it works fine on phone it should work there as well
02:24 <@ordex> if the reciver has static IP you can also have the VPN server just push a /32 for that and you will avoid any network conflict
02:25 <@ordex> because *receiver
02:25 < marvin3> it has static LAN ip
02:26 < marvin3> what does "push a /32" mean?
02:26 <+hyper_ch> openvpn doesn't reqire much ressources... but stuff needs to be de/encrypted though
02:27 < marvin3> i'll be streaming live tv, so a lot of bandwidth
02:27 < marvin3> not sure how relevant that is
02:29 <+hyper_ch> it is relevant as more data needs to be en/decrypted
02:30 <+hyper_ch> of course a weaker algorithm could be used or even none at all
02:30 < marvin3> some channels are 20 Mbps or more
02:30 <+hyper_ch> no idea how strong/weak your arm cpu is
02:30 < marvin3> my main goal is to avoid opening receiver's port. other than that, i don't care if stream is encrypted or not
02:41 < marvin3> what can I do to reduce resources open uses on receiver to minimum, even if it means using more resources on VPN server?
02:43 <+hyper_ch> add    cipher none      to client and server configs to disable encryption completely
02:43 <+hyper_ch> not really advised though
02:43 < marvin3> yes. if possible i would only like to disable it for streaming video
02:44 <+hyper_ch> then enable ip forwarding and push the lan route
02:44 <+hyper_ch> then the arm has least overheard
03:19 < marvin3> do I have to run build-dh again after adding a new client?
03:26 <+hyper_ch> no
03:38 <@ordex> "< marvin3> what does "push a /32" mean?" << that you can push a route for a single host to your VPN clients. such route is the most "specific" therefore it will always be preferred and won't conflict with any local IP assignment
05:27 < marvin3> thanks for help! i'll try to get it working when i wake up
06:05 -!- abenz_ is now known as abenz
07:42 < havoc> I push 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 to all clients from my office ovpn server
07:42 < havoc> but with high metrics
09:40 <@ordex> havoc: can you choose the metric for pushed routes?
09:56 < havoc> ordex: --route network/IP [netmask] [gateway] [metric]
09:56 < havoc> so yes
09:56 <@ecrist> havoc: that seems like a horrible idea.
09:56 < havoc> it's not
09:57 < havoc> and for the clients that don't entirely respect metrics, it's a pretty broad route, so mre specific routes take precedence
09:57 <@ecrist> it is
09:57 < havoc> the reason for it is all the private subents in our organization
09:58 < havoc> this is easier than pushing >250 other routes
09:58 < havoc> and no, it's not a horrible idea
09:58 < havoc> it is ideally suited for this specific situation
09:59 < Zxyzk> Hi, I've a little question... I'll trying to put a script in server.conf in this way: client-connect /NameDirectory/script.sh but in log I've this message: "external program exited with error status: 1" . In script I've put this command: su -c "NameDirectory/script.sh" -s /bin/sh NameOfUser
10:00 <@dazo> !logs
10:00 <@dazo> !configs
10:00 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
10:00 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
11:00 < swapman> hey guys, i need help in building an android app based on ics-openvpn which connects to my openvpn server without the need of client config, username and pass. I'm new to android app development.
11:00 < swapman> i don't know how to hard code the parameters passed by the config file.
11:14 < swapman> anyone?
11:34 <@ordex> swapman: you can just use a config file with everything hardcoded and then tell your app to launch openvpn with that config
11:34 <@ordex> no?
11:34 <@ordex> ah you switched to the other channel already :)
11:37 < swapman> yes i switched to the devel channel
11:37 < swapman> thanks for your help
11:56 <+hyper_ch> krzee: https://arstechnica.com/gadgets/2017/09/drm-for-html5-published-as-a-w3c-recommendation-after-58-4-approval/  :(
11:56 <@vpnHelper> Title: HTML5 DRM finally makes it as an official W3C Recommendation | Ars Technica (at arstechnica.com)
12:28 <+hyper_ch> wow, EFF has resigned from W3C - https://www.eff.org/deeplinks/2017/09/open-letter-w3c-director-ceo-team-and-membership
12:32 <@ordex> makes sense at this point
12:33 <@ordex> W3C is a business thing
12:33 <@ordex> there not much to do I think :/
12:33 <@ordex> I mean not much to do inside W3C
12:35 <+hyper_ch> good bye www
14:10 < greyline> hi all
14:10 < greyline> how can I find out my OpenVPN ip? in linux
14:15 < greyline> somebody?
14:22 < greyline> somebody?
14:24 < rob0> "ip addr"
14:24 < greyline> rob0: ????? in ifconfig?
14:24 < greyline> rob0: or where?
14:24 < rob0> sigh
14:25 < greyline> rob0: just answer, please
14:25 < rob0> I did
14:25 < greyline> rob0: no, you didn't. I asked where to find the ip address... in ifconfig?
14:26 < rob0> I'm not here to try to explain every detail of GNU/Linux use to you.  I gave you a literal answer to your question.
14:26 < rob0> !sweet
14:26 <@vpnHelper> "sweet" is http://sweet.nodns4.us/ =(
14:26 < rob0> good luck
14:27 < greyline> rob0: nice...
14:27 < greyline> rob0: then why is it a support channel...
14:27 < rob0> !notovpn
14:27 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
14:27 < rob0> also !sweet -- you are a help vampire
14:28 < greyline> rob0: O.o ....
14:28 < greyline> rob0: khmmidiotkhmm
14:30 < DArqueBishop> He DID answer your question.
14:31 < DArqueBishop> ifconfig has been deprecated for years. "ip" is the tool you're looking for... specifically, "ip addr".
15:31 < tcpdump> Ok, so - oddity.   I've added the following two lines to my openvpn config:     script-security 2    and   up /usr/bin/checkin-ifup
15:31 < tcpdump> when I have that line in my config it takes openvpn around 5 mins to bring up the interface tun0
15:31 < tcpdump> when I have it commented out its 2-5 seconds.
15:33 < tcpdump> https://www.irccloud.com/pastebin/OMS7CKRu/
15:33 < tcpdump> Theres the whole config...
15:35 < rob0> I'd guess maybe the script (which you didn't show us) is doing something in all that time.
15:35 < rob0> !logs
15:35 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
15:37 < rob0> You should probably also insert echo/printf lines in the script, appended to a script logfile
15:44 < tcpdump> im dumping journal logs now.
15:45 < tcpdump> I can exec the remote file myself in 200 ms
15:45 < tcpdump> 1 sec
15:55 < tcpdump> well, theres something
15:55 < tcpdump> https://www.irccloud.com/pastebin/P85PGwsC/
15:55 < tcpdump> Mon Sep 18 20:49:27 2017 /usr/bin/checkin-ifup tun0 1500 1558   init
15:55 < tcpdump> Mon Sep 18 20:49:27 2017 WARNING: Failed running command (--up/--down): could not execute external program
15:55 < tcpdump> Any way to make that more verbose?
17:48 < baconology> is there a gui that you recommend for monitoring/adminstering openvpn in a windowing environment?
17:48 < baconology> !ovpnuke
17:48 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
17:51 < baconology> i probably just lost my question in doing that, sorry
18:04 <@dazo> baconology: There probably exists some tools around, using the management interface .... but nothing we're really heard being a "killer app"
18:04 <@dazo> baconology: and then there is OpenVPN Access Server ... which is a proprietary/non-open-source web based management interface on top of openvpn
18:06 <@dazo> tcpdump: hard to tell ... which distro?
18:06 <@dazo> tcpdump: do you use --chroot?
18:07 <@dazo> ahh, sorry ... saw the config now
18:08 <@dazo> tcpdump: so no chroot .... how do you start openvpn?  That's the first step to figure out what's going on
18:10 < baconology> oh, is it free?
18:10 < baconology> i mean, if it is 50$ i think my company would buy
18:10 < baconology> if its $1500 im f***ed
18:11 < rob0> AS is not free.
18:11 < rob0> !as
18:11 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
18:11 < baconology> also thank you for all the good work you guys do to support innovation
18:11 < baconology> so i can take the work out of doing VPN and focus on having a VPN
18:11 <+|Mike|> what kind of stuff would you like to monitor?
18:11 < baconology> failed logins
18:12 < baconology> bandwidth/file accss
18:12 < baconology> but more than anything trying to take the 40 steps out of configuring it
18:12 < baconology> creating key files etc
18:12 < rob0> AS does take a lot of the work out of it, I understand.  I never ran AS myself, but I used to work for a company which bought it.
18:12 < baconology> i mean i like that you can deploy it 100% how you want, it would just be nice if I could get it 90% of the way there for 90% of people
18:13 < baconology> yeah our company can't afford a full time admin and im really trying hard not to do the windowws server 2012 thing
18:13 < rob0> They had a web interface where I authenticated and was given a key, cert and config, all of which worked fine with my GPL openvpn as client.
18:14 < rob0> that's all I can tell you; if you want more information about AS, ^^ go to their channel or web site
18:19 < baconology> where would i look for openvpn compatibility with 2-factor auth like yubikeys
18:20 < baconology> google i guess
18:20 < baconology> awesome, challenge response
18:22 < baconology> oh god what have i decided to do
18:24 < Eugene> baconology - I typically use a pfsense router, with RADIUS against our Active Directory environment. No real GUI needed; just manage users as normal in AD
18:25 < Eugene> For simple setups, anyway
18:29 <@dazo> baconology: https://openvpn.net/index.php/access-server/overview.html ... depends on how many users, there's minimum 10 users at $150/year
18:29 <@vpnHelper> Title: Access Server Overview (at openvpn.net)
18:36 < baconology> lol https://developers.yubico.com/yubico-pam/YubiKey_and_OpenVPN_via_PAM.html
18:36 <@vpnHelper> Title: YubiKey and OpenVPN via PAM (at developers.yubico.com)
18:36 < baconology> here we go
18:37 <@dazo> baconology: there's also recently arrived a perl script for review, using the "long yubikey auth strings" instead of 6 digit OTP codes
18:37  * dazo digs up the URL
18:37 <@dazo> https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15132.html
18:37 <@vpnHelper> Title: [Openvpn-devel] RFCv4: Yubikey authentication for OpenVPN (at www.mail-archive.com)
18:38 <@dazo> baconology: that's a fairly easy script to get rolling, if you don't mind having your users enrolled in the yubicloud .... but it's also possible to run your own yubicloud as well
18:41 < baconology> oh thats awesome
18:41 < baconology> much better
18:42  * baconology reads
18:48 <+|Mike|> the developer of that script is also in this channel fyi.
18:49 < rob0> !yubikey
18:50 < rob0> dazo, maybe add !yubikey to the bot?
18:50 < rob0> I would but I don't have bot privilege ... an openvpn project cloak is required
19:02 <@dazo> |Mike|: almost, he's in #openvpn-devel
19:02 <@dazo> CRCinAU
19:03 <@dazo> rob0: yeah, we can do that once the script have been properly reviewed and applied to our git tree
19:39 < gadget> !goal
19:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:39 < gadget> !welcome
19:39 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
19:39 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
19:47 < thumbs> !1925
19:47 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
19:49 < BenderRodriguez> thumbs!
19:49 < BenderRodriguez> I haven't seen you since my apache days
19:50 < thumbs> you have not?
20:07 < acidvegas> <-
20:09 < gadget> !goal I would like to use openvpn client to allow access to my vpn for only a few ips/computers on a secondary access point which is on the same network as the primary.
20:09 < acidvegas> !goal install an openvpn server in gadgets brain
20:10 < gadget> lol
20:10 < gadget> i feel like it's already been done with all the work i;ve been doing
20:11 < gadget> I'm not really sure if this si the place to ask. I can setup the vpn fine on its own but I can't get the above solution to work.
20:11 < tcpdump> Woot 162 mph on i44
20:11 < tcpdump> Sorry
20:11 < tcpdump> Wrong Chan
20:12 < gadget> you and me both :/
20:12 < tcpdump> #awkward
20:13  * gadget needs an invite
20:13 < tcpdump> For what?
20:13 < gadget> #awkward
20:15 < gadget> !heartbleed
20:15 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl, or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised., or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected., or (#4)
20:15 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed, or (#5) http://xkcd.com/1354/
20:23 < tcpdump> Nice
21:26 < mrpops2ko> can you establish a site to site vpn, from a nested vpn already
22:30 < tcpdump> Ok back
22:30 < tcpdump> geez
22:30 < tcpdump> what a night
22:30 < tcpdump> So anyhow, where I left off...
22:33 < tcpdump> figured it out...
22:33 < tcpdump> so in case anyone ever see this
22:34 < tcpdump> https://www.irccloud.com/pastebin/klzb92LP/
22:34 < tcpdump> make sure you have an interpreter specified....
22:34 < tcpdump> ex:   #!/bin/sh
22:37 < tcpdump> one must always she-bang
23:25 < lordarkmemo> hi, i setup a router as a openvpn client.  I dont want that all computers conected to the routers goes through the tunnel, just selected ones.
--- Day changed Tue Sep 19 2017
00:03 <+hyper_ch> lordarkmemo: then you need to setup according routing for them
00:56 -!- instantp10neer_ is now known as instantp10neer
01:11 -!- Netsplit over, joins: plaisthos
01:11 -!- Netsplit *.net <-> *.split quits: +|Mike|
01:11 -!- mode/#openvpn [+o plaisthos] by ChanServ
01:11 -!- mode/#openvpn [+o ordex] by ChanServ
01:56 <+hyper_ch> krzee still missing?
02:18 < TyrfingMjolnir> Where is the link to the openvpn easyrsa howto?
02:19 < TyrfingMjolnir> https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
02:19 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net)
02:19 < TyrfingMjolnir> It's easy-rsa not easyrsa
02:20 < TyrfingMjolnir> PKI procedure point 1, 2, and 3
02:20 < TyrfingMjolnir> How are these keys based on each other?
02:28 < TyrfingMjolnir> For every step it says to make a new folder.
02:31 <+hyper_ch> if you want to create all certs and keys yourself, you can use this:  https://community.openvpn.net/openvpn/wiki/EasyRSA3-Insecure-PKI
02:31 <@vpnHelper> Title: EasyRSA3-Insecure-PKI – OpenVPN Community (at community.openvpn.net)
02:40 < TyrfingMjolnir> I see point 5 and 6 deals with this
02:41 < TyrfingMjolnir> For me this is all on an SD card where the form is /ca /ca/server /ca/server/clientX
06:19 -!- abenz__ is now known as abenz
07:25 < TyrfingMjolnir> What's the deal with the requests and the signing? Can I client any server with the same CA connect to any of the servers signed with that CA?
07:26 < TyrfingMjolnir> %s/I/any/g
07:28 < TyrfingMjolnir> What's the deal with the requests and the signing? Can a client connect to any server signed by the same CA?
07:38 < rob0> that's how it's done, right
08:07 <@dazo> TyrfingMjolnir: the CA is a third party which (should) have done carefully checking of the certificate requests ("Yes, this user is the one it claims to be, I approve and sign this certificate request", which ends up as a certificate)
08:08 <@dazo> TyrfingMjolnir: so when a client connects to a server, it sends the certificate which contains the "meta data" about the user (X.509 Subject such as CN, etc) and a signature with a reference  to the CA which did the signing
08:10 <@dazo> TyrfingMjolnir: the server looks at the signed data and the signature, and is able to check that signature by using the local copy of the CA certificate ... as long as the server trusts that CA and the client certificate signature matches ... then this user can be trusted
08:10 <@dazo> that's the "sightly longer description" of how this works
08:23 -!- |Mike| [~mike@178.255.49.239] has joined #openvpn
08:41 -!- |Mike| [~mike@178.255.49.239] has quit [Quit: leaving]
08:55 -!- |Mike| [~mike@178.255.49.239] has joined #openvpn
08:55 -!- |Mike| [~mike@178.255.49.239] has left #openvpn []
08:59 -!- |Mike| [~mike@178.255.49.239] has joined #openvpn
09:25 <@dazo> rob0: Need to pick your brain about an absurd setup .... I have a site with a single public IP address (currently hard to get more) but I would need to have two physical boxes sharing that - preferably without NAT (for performance+stability).  So do you think having a bridged router in front (being one of the hosts) sharing the same MAC address (mac clone) and have both hosts using the same IP address?
09:25 <@dazo> rob0: Each host is guaranteed to not listen to the same ports and both hosts will do -j DROP as default fw policy
09:26 <@dazo> (the alternative would be to have NAT on the front router ... which would end up with double-NAT on the network behind the server behind)
09:28 <@dazo> One of the intended goals is to actually make the "front router" as invisible as possible
09:28 <@dazo> But I'm concerned the L2 layer will be completely confused and cause total havoc
09:29 <@dazo> unless there are some transparent gateway features in iptables I'm not aware of ...
10:04 < rob0> sharing an IP address could be tricky
10:04 < rob0> yep, L2 havoc
10:07 <@plaisthos> dazo: are thinking about something like hrsp, carp?
10:09 <@plaisthos> otherwise you can get away with using a multicast mac address
10:09 <@plaisthos> but cisco switches don't like multicast macs being used for unicast
10:11 <@dazo> plaisthos: I have a physical server I'd like to manage over IPMI, but need to do that "in front" of it - so if the networking is down on the server, I can use IPMI SOL from a side channel ... and to have that side channel, I need to have a device with a public IP not affected by server
10:11 <@dazo> but I'm not keen to do a double NAT
10:11 < havoc> dazo: I'm curious, why are you not having each box be forwarded to from the router at that single public IP?
10:12 <@dazo> havoc: double nat
10:12 < havoc> ah, they can't be NAT'd
10:12 < havoc> servers
10:12 < havoc> although 1:1 *may* work anyway
10:13 <@dazo> the server is acting as a firewall ... so if that goes down and I'm too far away to drop-by ...... you get the picture :)
10:13 < havoc> yeah :|
10:13 < havoc> sounds like one of those situations where the Wrong Thing is the Only Thing
10:15 <@dazo> and due to weird ISP restrictions, it is currently not possible to get more IPv4 addresses without cashing out a considerable amount of money .... They have IPv6 "testing" available, which they also charge an insane amount for too (€45 per MONTH!)
10:15 <@dazo> yeah .... I would really like to do the right thing .... but ....
10:24 <@plaisthos> dazo: some network cards can do this
10:25 <@plaisthos> stealing a port from the mac/ip of the physical server
10:26 <@plaisthos> dazo: wtf
10:26 <@plaisthos> (at 45 EUR)
10:32 <@dazo> plaisthos: yeah the price is absurd ... and we would even have agree to that being a completely unsupported service without any kind of SLA ...
10:33 <@dazo> plaisthos: I'm considering to lend out either a TP-Link router or a Turris omnia router
10:33 <@dazo> the latter one might have some tweaks, but need to dig into it
10:33 <@plaisthos> I have no idea about that :)
10:37 <@dazo> :)
10:46 <+hyper_ch> any news from krzee?
10:50 <@ordex> I haven't heard of him yet
10:50 <@ordex> I am a bit worried
10:50 <+hyper_ch> it seems his status has changed here in irc
10:51 <@ordex> Auto away at Fri Aug 25 22:01:05 2017
10:51 <+hyper_ch> hmmm, now I see the away icon again
10:51 <+hyper_ch> just took some time I guess :(
10:51 <+hyper_ch> almost a month
10:51 <+hyper_ch> well, 3 weeks
10:52 <+hyper_ch> 3 1/2 weeks
10:55 < rob0> don't worry, he couldn't have gotten a life!
10:56 <+hyper_ch> btw, who knows stuff about ethernet cables? I still have like a gazillion old cat 5 or 5e calbe in my apartement.... and I think I should upgrade them to cat 6... but what's the different between cat 6, cat 6a, cat 6e?=
10:56 <+hyper_ch> rob0: but nature could have attacked him
10:57 < rob0> weed protects against that, right?
11:07 < memo1> I set a router as a openvpn client.  I want that only one machine goes througt the tunnel, not all. How i do that?
11:09 <+hyper_ch> set according routing table on that machine
11:13 < memo1> hyper_ch: let me explain better.  My setup is like this.  computers---Router (openvpn Cliente) ======tunnel openvpn======= Amazon aws (Openvpn Server). All my computers are taking the tunnel
11:15 <+hyper_ch> why then setup opevpn on the router if you only want one machine to go through it? better to setup openvpn on that machine IMHO
11:19 < havoc> ok, what ports, on the client side, need to be open for the TLS suth to complete successfully?
11:19 < memo1> hyper_ch: youare totally right.  But all my employs are complaining about slow internet.  I prefer security over speed.  But, in any case there is a easy way to do it from the server?, using de openvpn config file?
11:19 <+hyper_ch> "server"?
11:19 <+hyper_ch> what do you refer to as "server" now?
11:19 < memo1> hyper_ch: the openvpn server
11:19 < |Mike|> hyper_ch: no news and phone number on krzee :x
11:20 <+hyper_ch> !configs
11:20 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
11:20 <+hyper_ch> @memo1 see above
11:20 < |Mike|> hyper_ch: https://www.howtogeek.com/70494/what-kind-of-ethernet-cat-5e6a-cable-should-i-use/
11:21 < |Mike|> memo1: remove the client from the router and install it on the 'computer' that needs to go over the VPN :-)
11:22 < |Mike|> problem solved.
11:23 <+hyper_ch> |Mike|: thx for the link
11:24 < ExoUNX> is openvpn any more reliable over TCP?
11:24 < |Mike|> there's a big price difference between the utp, s/utp, st and s/stp as you'll notice
11:25 <+hyper_ch> |Mike|: :)
11:25 <+hyper_ch> around $20 / 3m it seems
11:26 < memo1> hyper_ch: Ok
11:26 < memo1> |Mike|: ok
11:30 <+hyper_ch> if you don't want to route more than 1 machine through the vpn, why not just setup openvpn on that machine...
11:33 < |Mike|> exactly. Takes a lot of route ninja style foo-shizzle away imho
11:47 < havoc> "what causes TLS auth to time out, as viewed from the server?"
11:48 < havoc> I know, it's the client side firewall, but what specifically on the client firewall?
11:48 < memo1> hyper_ch: basically, because is an equiqment that not support openvpn
11:48 <+hyper_ch> well, then I need configs
11:55 <+hyper_ch> I still wonder what machine that is that can't install openvpn
12:00  * |Mike| too...
12:15 < memo1> hyper_ch: is a router with simcard, that dont support openwrt or ddwrt.
12:16 <+hyper_ch> I don't really understand
12:16 < memo1> hyper_ch: :(, sorry.
12:17 < memo1> hyper_ch: i going to show you the configs.  Later.
12:25 < havoc> so no comments on the TLS auth failure then?
12:26 <+hyper_ch> you already said it's the firewall
12:26 <+hyper_ch> fail to see what other answer you want
12:26 < havoc> it's usually the fw, yes, but what specific ports?
12:27 <+hyper_ch> the one over which you try to establish the vpn connection
12:27 < havoc> and if the fw is blocking stuff, how does the server even get the initial TLS packet from the client?
12:27 < havoc> details matter
12:27 <+hyper_ch> it's your system... not ours
12:27 <+hyper_ch> you have access to logs
12:27 < havoc> hyper_ch: if it connects over say, udp:1194, the how can it possibly fail, if an initial packet reaches the server?
12:28 < havoc> I only have access the to server side for this :(
12:28 < havoc> so what you're saying is that you don't know the details of the process :(
12:28 < havoc> udp:1194 must be open, or no packet could ever reach the server on that port
12:28 <+hyper_ch> I'm confused
12:28 <+hyper_ch> the server won't initiate connection to the client
12:29 < havoc> I didn't say it did
12:29 <+hyper_ch> ‎[19:23] ‎<‎havoc‎>‎ I only have access the to server side for this :(
12:29 < havoc> I said, specifically, that I'm seeing the initial TLS packet, in the server side logs, then nothing else
12:30 < havoc> the client is obviously trying to connect, or there would be nothing in the server logs :)
12:30 <+hyper_ch> set verbosity to a higher level
12:30 < havoc> I'm pretty sure the client site is filtered, outgoing, but I need to have some details to go back at their IT dept with :(
12:30 <+hyper_ch> and get logs from the client
12:31 < havoc> what --verb would be good for that?
12:31 < havoc> 3? 4?
12:31 <+hyper_ch> at least 5 IMHO
12:31 < havoc> ok, thanks
12:31 < havoc> I think I'm at 3 on everything
12:32 <+hyper_ch> you could go higher in verbosity
12:37 < havoc> I'm just trying to figure out what specifically I need to tell this client's IT dept
12:37 <+hyper_ch> have one of those it dep guys come in here
12:38 < havoc> not likely
12:38 < havoc> they are less than cooperative :(
12:38 <+hyper_ch> tell your client that his it dep is uncooperative
12:38 < havoc> our client is the State
12:39 < havoc> these are vendors, for which we are a Provider, for a gov contract :(
12:39 < havoc> i.e. Nightmare
12:40 <+hyper_ch> tell them they need to upgrade from from Windows to Linux ;)
12:41 < havoc> yeah, that'll happen...ever
12:56 < |Mike|> havoc: quite sure it's on the clients end tho :-)
13:28 < detha> is there a better way than connect/disconnect scripts to add routes to subnets behind clients while the client is connected?
13:37 < havoc> |Mike|: yeah, no kidding ;)
13:37 < havoc> several hundred other clients are connecting fine, a dozen are not
13:37 < havoc> so yeah, on the client side
13:44 <+hyper_ch> make them upgrade to Linux
13:47 < pohvak> hello has somebody use openvpn on a Grandstream GXP1610 phone? the web GUI to config the phone has an OpenVPN configuration tool, but i cant get the phone to connect to the VPN
13:49 <+hyper_ch> pohvak: no, only used openvpn on cisco and yealink
13:50 < |Mike|> havoc: from that same company?
13:51 <+hyper_ch> pohvak: here's a working server config for gxp1610  https://forums.grandstream.com/forums/index.php?topic=28881.msg83301#msg83301
13:51 <@vpnHelper> Title: GXP1628 OpenVPN support (at forums.grandstream.com)
13:52 <+hyper_ch> probably best to start with that config (change port and subnet of course)
13:52 <+hyper_ch> and probably use 2048bit rsa certs for testing
13:53 < pohvak> im currently using 1024bit certs on my openvpn server, could be that the reason? will try with 2048bit
13:53 <+hyper_ch> probably not
13:53 <+hyper_ch> my old cisco only supports up to 2048 bit rsa certs
13:53 <+hyper_ch> that's why I suggested it
13:53 < pohvak> ok
13:54 <+hyper_ch> 1024 should probably work as well
13:54 <+hyper_ch> but just use those settings as vpn server
13:54 <+hyper_ch> and then try to connect with the phone
13:54 < pohvak> to test that config y put it on my server.ovpn file right?
13:54 < pohvak> i* put it*
13:55 <+hyper_ch> I don't know what your system looks like
13:55 <+hyper_ch> but backup the your current config file
13:55 <+hyper_ch> then put that stuff in
13:56 <+hyper_ch> adjust port, desired subnet, path to keys and certs
13:57 < pohvak> ok
13:57 < pohvak> will try it
13:57 < pohvak> thanks
13:57 <+hyper_ch> good luck
14:02 < havoc> |Mike|: no, from a few, but they're known issues w/ these companies, and their stupid security policies
14:02 < havoc> Firestone is one of them
14:02 <+hyper_ch> firestone... sounds like a PMC
14:03 < havoc> automotive/tire biz
14:03 <+hyper_ch> There's Bridgestone... but never heard of Firestone :)
14:04 < havoc> just another tire company, fairly old one
14:04 <+hyper_ch> :)
14:04 <+hyper_ch> well, it sounded like a PMC :)
14:04 < havoc> you must not be in the US
14:04 < havoc> but even so, they are old, older than bridgestone by far
14:04 < DArqueBishop> Actually, Bridgestone has owned Firestone for nearly thirty years.
14:04 <+hyper_ch> I am not in the US
14:05 < havoc> msot Fords ship w/ firestones on them from the factory, in whatever country that factory may be
14:05 < havoc> DArqueBishop: ok, hand't known that, but ok :)
14:05 < havoc> whatever, their IT policie are horrendous
14:05 < DArqueBishop> Neither had I. I thought they were the same company and Googled it to make sure.
14:07 <+hyper_ch> never owned a Ford
14:07 <+hyper_ch> probably never will
14:07 <+hyper_ch> however, my next car will probably come from the US
14:08 < havoc> I don't own a ford either, I'm just saying that they OE equip w/ Firestone, and that Firestone si an *old* company :)
14:08 < havoc> I drive a Toyota, Wife drives a Subaru :)
14:09 <+hyper_ch> pondering to get Tesla Model 3
14:10 <+hyper_ch> I did put myself onto that list last year... but probably won't be before mid-2018 until they're available here
14:21 < havoc> my Tundra is actually more "american made" than most "american" vehicles
14:21 < havoc> not that I really care
14:21 < havoc> it's "better" made, that's all I cared about
14:49 < |Mike|> havoc: I'd blame those companies imho :-P
15:15 < havoc> |Mike|: duh ;)
15:15 < havoc> but I am also choicless :(
15:15 < havoc> I gotta deal with What Is, not what I Want It To Be
15:29 < MannyLNJ> Good evening, I admit I am very clueless what it comes to VPN. I am trying to setup a VPN based on the info at https://github.com/Nyr/openvpn-install I was able to copy the .ovpn file to my remote system but I am unable to make a connection. I'm getting the message TLS Error TLS key negotiation failed to occur within 60 seconds any help would pe appreciated
15:29 <@vpnHelper> Title: GitHub - Nyr/openvpn-install: OpenVPN road warrior installer for Debian, Ubuntu and CentOS (at github.com)
15:30 < havoc> MannyLNJ: 99% it's the firewall on the client side
15:32 < MannyLNJ> havoc, I have ufw disabled on the client as a diagnostic so I doubt it's a firewall issue on my client
15:33 < havoc> then I got nothin, sorry
15:33 < DArqueBishop> What about on the server side?
15:33 < DArqueBishop> Also:
15:33 < DArqueBishop> !blog
15:33 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
15:33 < DArqueBishop> !howto
15:33 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
15:34 < havoc> https://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html
15:34 <@vpnHelper> Title: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) (at openvpn.net)
15:34 < MannyLNJ> DArqueBishop, I am not sure about the server. It's in my home and I forget if there is a firewall on it
15:36 < DArqueBishop> Well, the server's firewall settings would be the first thing to check. In addition, if it's behind a router using NAT you'll need the port forwarded from the router to the server.
15:38 < MannyLNJ> DArqueBishop, I know 433 is set for fowarding and what is what I used in the script.
15:38 < DArqueBishop> 433? Or 443?
15:39 < MannyLNJ> DArqueBishop, let me check over ssh
15:39 < DArqueBishop> While you're at it, check the firewall.
15:40 < MannyLNJ> DArqueBishop, 443 and I also have 3128 open
15:45 < MannyLNJ> DArqueBishop, I checked and there is no firewall running I will have to wait until I am home to check for open ports on the router
15:50 < |Mike|> not 1194?
15:51 < MannyLNJ> I don't think I have 1194 open on the router
15:53 < |Mike|> your vpn server is within the same network as the client, right?
15:53 < DArqueBishop> He may not be using 1194/udp for his server port.
15:54 < |Mike|> if he blindly ran the script;
15:54 < |Mike|> if hash sestatus 2>/dev/null; then
15:54 < |Mike|> 					if sestatus | grep "Current mode" | grep -qs "enforcing"; then
15:54 < |Mike|> 						if [[ "$PORT" != '1194' || "$PROTOCOL" = 'tcp' ]]; then
15:54 < |Mike|> 							semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT
15:55 < |Mike|> hrhr, line 206 gave him the option to make up his mind. Could be anything
15:55 < |Mike|> MannyLNJ:
15:55 < |Mike|> !configs
15:55 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
15:58 < MannyLNJ> |Mike|, and DArqueBishop I think I am going to stop now because I an getting the feeling that I will just complicate things more. I'm in California tethering to a iphone and my home pc is in New Jersey, I am able to use SSH so I will just scp for now to move files
17:17 -!- abenz_ is now known as abenz
22:05 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:15 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:15 -!- mode/#openvpn [+o syzzer] by ChanServ
23:54 -!- mundus2018 is now known as mundus
23:57 -!- mundus is now known as mundus2018
23:58 -!- mundus2018 is now known as mundus
--- Day changed Wed Sep 20 2017
00:04 < meyou_> is there any part of a generated/autologon ovpn file where i should _not_ change the host/ip of the target?
00:04 < meyou_> for connecting via a public IP through a nat
00:05 < meyou_> OVPN_ACCESS_SERVER_WSHOST OVPN_ACCESS_SERVER_PROFILE are the ones i'm wondering about
00:05 < meyou_> i know i'd need to change the "remote x.x.x.x" line
00:05 <+hyper_ch> no idea about access server... that's a different product
00:06 <@ordex> !as
00:06 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
00:06 <@ordex> meyou_: ^^
00:07 < meyou_> tx
00:07 < tx> np
00:07 <@ordex> lol
00:07 < meyou_> lol
00:09 <+hyper_ch> around 10 more days until I get finally gigabit internet in the office as well
00:11 < abenz> what kind of hardware does one need to push 1gigabit openvpn (with highest encryption) ?
00:11 < abenz> will eg an AMD 1.3Ghz jaguar quad core be able to handle it?
00:12 <+hyper_ch> I doubt it
00:12 < abenz> ryzen 3 perhaps?
00:12 <+hyper_ch> no idea what that is
00:12 <+hyper_ch> isn't ryzen a game?
00:12 <+hyper_ch> old article:  https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
00:12 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
00:13 <+hyper_ch> most important part would probably be aes-ni support
00:13 < abenz> its the cpu that amd made to stop the daylight thefts of intel
00:13 <+hyper_ch> the last decade or so I only bought intel stuff because intel just works on linux
00:13 <+hyper_ch> wifi, video, cpu
00:14 <+hyper_ch> openvpn is single threaded, so multi-core won't help much
00:15 <+hyper_ch> anyway, I'll test what speeds I can achieve when I also get gigabit at the office
00:15 < abenz> pls share!
00:15 <+hyper_ch> needed to wait 3 months
00:15 <+hyper_ch> got gigabit at home for 5 months already
00:16 < abenz> also, AMD is more OSS friendly, I'm no fanboy but the reason I dont recommend intel is here: https://www.youtube.com/watch?v=osSMJRyxG0k
00:16 < abenz> I only have 50mbps
00:16 < meyou_> i was paying $80/mo for gigabit + TV at home, now I pay $90/mo for 150Mbps with no TV :(
00:16 <+hyper_ch> notebook cpu:  https://paste.simplylinux.ch/view/9583fbb7
00:16 < meyou_> worst move ever
00:16 < abenz> so my question was just out of curiosity
00:16 <+hyper_ch> home server cpu https://paste.simplylinux.ch/view/3dd8ef18
00:18 <+hyper_ch> meyou_: sucks to be you
00:20 <+hyper_ch> but this is nice:  https://paste.simplylinux.ch/view/d6367fdb
00:20 < abenz> 1.8ms ?
00:20 < abenz> is that with direct laser beam?
00:20 < abenz> lol
00:21 <+hyper_ch> fiber - of course it's laser :) sort of
00:47 < tx> https://hastebin.com/civohiwoye.nginx
00:47 <@vpnHelper> Title: hastebin (at hastebin.com)
00:47 < tx> what of it?
01:11 < meyou_> so i've been spending the past couple hours trying to get a bootleg openvpn tunnel inside an stunnel wrapper to get around the great firewall of china
01:11 < meyou_> and suddenly the site to site on our routers just popped back online
01:12 < meyou_> womp womp
01:16 < abenz> are you using static keys or pki ?
01:20 < meyou_> static
01:27 < oriceon> Hi there. There is a way from a command line to see in wich vpn i am connected?
01:27 < oriceon> Something like vpn config name or vpn remote address
01:27 < oriceon> or some identification method
01:39 <@ordex> ordex: "ps aux | grep openvpn" should show you the running process with its arguments
01:40 <+hyper_ch> tx: I only see a blue background
01:40 <+hyper_ch> meyou_: are you just trying to ship around the GFW?
01:41 <+hyper_ch> ordex: or better name your tun devices in the config
01:41 <+hyper_ch> e.g. homeVPN officeVPN ...
01:41 < meyou_> well i was, it's on the warming tray for now in case they decide to cut us off right before Shanghai gets to work
01:42 < meyou_> (again)
01:42 <+hyper_ch> but I guess you can't expect more than a 4 minute attention span nowadays
01:43 <+hyper_ch> meyou_: if it's not about secure traffic but just getting around the GFW, you might want to have a look at wireguard... it's rather new so there's a good chance the GFW doesn't have it on its radar yet
01:43 <+hyper_ch> (it's always good to have a backup plan)
01:44 <@ordex> it's gonna be a temporary thing anyway
01:44 <@ordex> obfsproxy is also a good option
01:44 < meyou_> i mean relatively secure traffic would be nice, it's just your typical business site to site between US offices and a China office
01:45 < meyou_> less worried about the chinese government snooping than some rando scammer/hacker
01:47 <+hyper_ch> well, wireguard sounds also secure.. it's just that it's rather new and not so tested from what I gather
01:47 <+hyper_ch> hence they're cautious about it themselves
01:47 <+hyper_ch> it's from the same guy that wrote the pass (password manager)
01:48 <+hyper_ch> "WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come."
01:48 <+hyper_ch> just thought you might give it a try :)
01:50 < meyou_> i'll have to check it out. i had just gotten the openvpn/stunnel setup to the point where it _should_ have worked, and was about to start trying to isolate why it wasn't when i noticed our china host come online in our US vcenter >_< tunnel had been up for almost an hour
01:51 <+hyper_ch> so is the GFW really as bad as it's said?
01:51 <+hyper_ch> and won't you get into trouble trying to circumvent it?
01:52 < meyou_> well i saw on twitter some dude in china got 3 days in jail for selling client vpn's to individuals
01:52 < meyou_> and i figure the government is probably more worried about individuals getting access to western media than businesses being able to function :p
01:53 < meyou_> but ultimately it wasn't my decision, i got the go ahead to try it and i'm stateside :p
01:53 <+hyper_ch> but don't businesses in general consist of "individuals"?
01:54 <+hyper_ch> stateside?
01:54 < meyou_> right but this tunnel only serves the company network, internet is still going out the chinese ISP
01:54 < meyou_> i'm an IT dude in the US just trying to get my client's office back online
01:55 <+hyper_ch> ah, with stateside you mean being in the US
01:56 < meyou_> i'm guessing the ISP's were flooded with other businesses crippled by the blocks
01:56 < meyou_> and they decided to relax the rules a bit, we had opened a ticket with the ISP earlier but they didn't seem to helpful
01:57 < meyou_> seems like the client vpn that they use for remote work in China is still b0rked though
01:58 < meyou_> now to figure out if it's the government/isp or just some change another tech made while troubleshooting it earlier today
04:07 <@ordex> dazo: do you use nm-applet?
04:07 <@ordex> I just realized that it does not want to import config files having the extra-certs option
05:20 <+hyper_ch> meyou_: https://torrentfreak.com/another-chinese-developer-arrested-for-selling-vpn-access-170920
05:20 <@vpnHelper> Title: Another Chinese Developer Arrested For Selling VPN Access - TorrentFreak (at torrentfreak.com)
05:22 <@ordex> mh
05:23 <+hyper_ch> interesting that TF just published that article today when meyou_ and I have spoken about this a bit earlier
05:24 <@ordex> hehe maybe it's a sign
05:24 <@ordex> on the newspaper here there is nothing about that
05:24 <@ordex> but can't exclude the news is not really public
05:24 <@ordex> ah well there is an article from two days ago
05:24 <@ordex> Chinese software developer gets three days’ detention for helping internet users to bypass Great Firewall
05:24 <+hyper_ch> "The Nanjinger reports that a software developer, named as Mr. Zhao from Nanjing, was arrested August 21 for contravening the new laws on VPN licensing."
05:25 <+hyper_ch> "The prices he asked were indeed small – just $1.50 per month or around $18 for two years’ service. Based on reported total revenues of just $164 for the entire business, it’s possible he had around 100 customers, or indeed far fewer."
05:25 <@ordex> Earlier this year, a 26-year-old entrepreneur who sold VPN services in Dongguan, southern China’s Guangdong province, was sentenced to nine months in prison.
05:25 <@ordex> yeah
05:26 <@ordex> the police seized the earning "1080 yuan"
05:26 <@ordex> :D
05:26 <@ordex> people just disappear sometimes :P
05:26 <+hyper_ch> well, the sad thing is, we also turn into a surveillance state
05:26 <@ordex> "we" ?
05:27 <@ordex> what do you mean?
05:27 <+hyper_ch> the problem is, that the current government might still ahve good intentions... but go down the road 10-20 years.... surveillance still in place but what kind of government do you have then?
05:27 <+hyper_ch> ordex: we = "The western countries" in general
05:28 <@ordex> ah
05:28 <@ordex> yeah, we are slowly going that way. that's why we have to keep fighting
05:28 <@ordex> hopefully people don't get arrested for that yet
05:28 <@ordex> if we get there, it will be really sad
05:28 <+hyper_ch> maybe not under current government
05:28 <+hyper_ch> but who will be in power in 10 years?
05:28 <@ordex> but, that's why we should not accept what happens without doing anything
05:28 <@ordex> hehe
05:29 <@ordex> yeah
05:29 <@ordex> everything is possible, but we craft the future
05:30 <+hyper_ch> yeah.. unfortunately my fellow countymen and -women voted just recently in favour of having our secret serivce broader surveillance powers
05:31 <@ordex> well, where do these fellows get their info from? why not trying to give them different information
05:31 <@ordex> or why not trying to expose the risk of what they are agreeing to
05:31 <@ordex> most of the people don't even understand the problem we are complaining about
05:32 <@ordex> let alone have them be against that
05:32 <+hyper_ch> http://www.bbc.com/news/world-europe-37465853  :(
05:32 <@vpnHelper> Title: Swiss endorse new surveillance powers - BBC News (at www.bbc.com)
05:32 <@ordex> ah yeah I knew about that
05:32 <+hyper_ch> you know, terrorists everywhere
05:33 <@ordex> yeah, in my pockets
05:33 <+hyper_ch> its more likely to be hit by lightning than being in a terror act
05:33 <@ordex> fear is the strongest propaganda
05:33 <@ordex> maybe finding a way to have people fear those who have power, might be a good approach
05:34 <+hyper_ch> The Swiss defence minister, Guy Parmelin, insisted that the country was “leaving the basement and coming up to the ground floor by international standards” and it was in no way comparable to the level of surveillance of major powers such as the US.  -->  not really a thing to aspire
05:34 <@ordex> yeah
05:34 <+hyper_ch> Green party politician Lisa Mazzone told RTS that the law was approved due to a “campaign about fear of attacks”.  --> she summarized it well
05:35 <@ordex> yap
05:35 <@ordex> but it's the same everywhere
05:36 <@ordex> honestly, although I always ty to make my speech when I enter these discussions, I gave up on trying to "convince" people
05:36 <@ordex> everybody is free to screw himself up
05:36 <@ordex> but I should be free to choose my way of detening and using my data
05:36 <@ordex> and my freedom
05:38 <+hyper_ch> http://globalriskinsights.com/2015/11/low-probability-high-impact-events-why-are-people-afraid-of-terrorism/
05:39 <@vpnHelper> Title: Low-probability, high-impact events: Why are people afraid of terrorism? | Global Risk Insights (at globalriskinsights.com)
05:39 <@ordex> hehe
05:40 <@ordex> this is a very good way of disclosing of how the terror excuse it used to inject budget in the defende sector
05:40 <@ordex> hehe nice the comparison with smoking
05:41 <+hyper_ch> :)
05:41 <@ordex> you can do many of these pairing
05:41 <@ordex> when you have a problem that is inflated by the politics
05:41 <@ordex> i.e. immigration problem in southern europe: now this the EMERGENCY
05:41 <+hyper_ch> or did you know because of 9/11 a lot of people cancelled their flights and took car out of fear... well that cause another 1000 additional traffic deads
05:41 <@ordex> people in Italy don't realize that corruption costs us more than 10 times what we spend for immigrants
05:41 <@ordex> hehe
05:42 <@ordex> yeah the list is long i think :)
05:42 <+hyper_ch> but don' all those migrants not try to get to France and Germany anyway and use Italy just to transverse?
05:42 <@ordex> well, people think thay are ALL pushed back :P
05:43 <@ordex> that's the media tries to convey
05:43 <@ordex> hehe
05:43 <@ordex> anyway, this gets broader and broader
05:43 <@ordex> but the bottomline is the same
05:43 <@ordex> but this highlights the fact that we don't learn
05:43 <@ordex> we always fall into the same trap eventually
05:43 <+hyper_ch> https://gitlab.com/gnachman/iterm2/issues/6050  -   What happened: iTerm sent various things (including passwords) in plain text to my ISP's DNS server
05:44 <@ordex> lol
05:45 <@ordex> LOL²
05:45 <@ordex> :D
05:45 < plasma> lol
06:08 -!- abenz_ is now known as abenz
06:49 < havoc> ordex: just stupid humans doing stupid human things :(
06:49 < Askh0l3> !welcome
06:49 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
06:49 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
06:49 <@ordex> havoc: yeah, just do your best and try to be happy :) you can;t fix it all
06:49 < havoc> ordex: be happy, and not be part of the problem
06:50 < havoc> you may not be able to solve it, but you don't have to contribute to it either
06:50 <@ordex> havoc: yeah..I mean, if somebody "wants" the problem, you can't prevent them from having it
06:50 <@ordex> you can't judge them, they might be "right" on their own
06:50 <@ordex> so just let them be
06:50 <@ordex> as soon as they lewt you be :)
06:50 <@ordex> *let
07:01 < |Mike|> moin!
07:02 < havoc> morning
07:03 < havoc> how can the server side recieve the first TLS auth packet if the client side port is blocked?
07:04 < havoc> i.e. in the common case where the TLS auth fails?
07:04 < havoc> I'm not asking how to fix it, I'm trying to understand, in detail, the process
07:04 < havoc> I feel that I'm missing something significant
07:05 -!- SerusWor1 is now known as SerusWork
07:13 <@ordex> havoc: " the client side port is blocked" what does it mean ?
07:13 <@ordex> the client has the port blocked?
07:14 <@ordex> usually that would be blocked for incoming packets, not outgoing
07:14 < havoc> the error is commonly attributed to the client side firewall blocking access to, say, udp:1194
07:14 < havoc> but if the client's access is blocked, how can the server ever recieve the initial TLS auth packet?
07:15 < havoc> we're having issues with some of this gov program's vendors
07:16 < havoc> our ovpn devices are unable to connect on their networks
07:16 < havoc> being our devices, we know the device itself isn't the issue, it's something to do with the vendor's perimeter firewall
07:16 < |Mike|> incoming firewall blocks it at the clients side, the client is able to send out the first package but can't establish a connection?
07:16 < havoc> unfortunately, it is up to us to "prove" it :(
07:17 < havoc> the clients are NAT'd
07:17 <@ordex> havoc: well, if the GW/FW blocks outgoing pakcet to "unknown" ports, there is not much you can do
07:17 < havoc> so there should never be anything incoming
07:18 <@ordex> on the server ?
07:18 < havoc> ordex: right, but if the outgoing port is blocked, how can that initial packet ever get out, as connections are initiated by the client?
07:18 <@ordex> ah then it is not blocked
07:18 < havoc> no, a NAT'd client should never have anything incoming, at least not the SYN
07:18 <@ordex> if you see the packet on the server ... then the por tis not blocked, no ?
07:18 <@ordex> havoc: we are talking about outgoing, not incoming, no ?
07:18 < havoc> this is what I', trying to figure out
07:19 <@ordex> ok
07:19 < havoc> the server gets the initial TLS auth packet, but that's it, then TLS fails to occur in 60s....
07:19 < havoc> at the moment I can only see things from the server side
07:19 < havoc> and yes, this is clearly something to do with the client side network
07:20 < havoc> I'm trying to figure out what, so I can tell these clowns, in no uncertain terms, what to do
07:21 < havoc> but I know the client device itself is not the issue, nor is its config, as >300 of them are working fine, and all are identical configs
07:21 < |Mike|> https://i-technet.sec.s-msft.com/dynimg/IC197609.gif
07:21 < havoc> so the problem is clearly a perimeter issue with the client side vendor's network
07:22 < havoc> |Mike|: thanks, but over udp:1194 ?
07:22 < havoc> assuming that's what the server is listening on?
07:23 < havoc> my confisuion is the server seeing the first (SYN) packet, and then nothing
07:23 < havoc> that would imply that the client side perimeter is blocking SYN-ACKs?
07:25 < havoc> it's not a pressing issue, today, but will become so next week
07:25 < havoc> we're skipping over these know problem-vendors until the end of the deployment
07:29 < |Mike|> the client reaches out to the server so you'll always see an incoming connection imho.
07:30 < |Mike|> won't it be easier to put the question at the owner of the network?
07:30 < havoc> right, the SYN/initial packet, but if that gets through, then where's the problem with the rest?
07:30 < havoc> |Mike|: absolutely not :(
07:30 < havoc> this is what we do, often, with these clowns :(
07:32 < havoc> |Mike|: the issue in the industry is that you have to PROVE that it's their problem before they'll even consider it
07:32 < |Mike|> another idea; why not put the openvpn udp port on 443 and try that?
07:33 < |Mike|> They probably have 443 open on tcp/udp levels
07:33 < havoc> well, it'd be tcp:443, not udp:443
07:33 < havoc> and fake it as HTTPS traffic, I know
07:33 < havoc> again, I'm trying to understand the problem right now, not necessarily fix it
07:34 < |Mike|> (that's how I used to "fix" problems as above)
07:34 < havoc> as it will reoccur, I'm sure; these known problem vendors have a habit of fixing their shit, then reverting a couple weeks later, and we start all over again :(
07:35 < |Mike|> Have you tried reaching out to the system administrator on their end?
07:35 < havoc> yes, many many times over the years
07:35 < havoc> we have no direct access to them
07:35 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
07:35 < havoc> many layers of BS in between :(
07:36 < havoc> these companies are the types that block ICMP, whitelist all IPs for outgoing traffic, etc...
07:36 < havoc> draconian/stupid/useless :(
07:36 < havoc> yet we have no choice but to deal with them :(
07:37 < |Mike|> I recognize the issues you're running into....
07:37 < havoc> when our installers get back to one of these stations, I'll namp it from the server, and namp the server from the station
07:38 < havoc> I can probably get in to a machine behind our device via teamviewer or something
07:38 < |Mike|> Best possible option. RDP won't work in those networks I guess ;-)
07:39 < havoc> or I have one of our installers put the secondary device connection on mifi
07:39 < |Mike|> anyway, I have to head out and do my thing
07:39 < havoc> have fun :)
07:39 < |Mike|> 4G not an option?
07:39 < havoc> yeah, MiFi
07:39 < |Mike|> Mobile internet instead of dealing with the costumers network
07:39 < havoc> or whatever they happen to have there for a cellular device
07:39 < |Mike|> wops, misread that as wifi haha
07:39 < havoc> no, mobile Net to diagnose the problem
07:40 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
07:40 -!- mode/#openvpn [+o syzzer] by ChanServ
09:32 < zx2c4> hyper_ch: :P
09:40 -!- peder_ is now known as peder
10:04 <+hyper_ch> zx2c4: ?
10:05 < zx2c4> hyper_ch: oh, maybe im late to the party
10:05 < zx2c4> just saw your comments earlier, thats all
10:07 < rob0> party!!!
10:07 <+hyper_ch> havoc: the problem is that your client hasn't upgraded to Linux yet
10:07 <+hyper_ch> zx2c4: you need to fix qtpass on Nixos :(
10:08 < havoc> hyper_ch: the ovpn client IS linux
10:09 <+hyper_ch> the client has no kernel ;) so it can't be linux
10:21 < DArqueBishop> havoc: do you provide the hardware for the client system or is it something your customer provided?
10:22 < havoc> DArqueBishop: we provide it, they are all identical routers w/ identical configs, until setup, when they get assigned a unique hostname
10:23 < DArqueBishop> havoc: have you tried replacing the client?
10:23 < DArqueBishop> If you've replaced the client and the problem persists, then it's strong evidence the problem is with their network environment.
10:23 < havoc> then when they connect to udp:1194, and their hostname is not the default, they are "provisioned", given new keys and config, and reconnect to udp:[1195-2010]
10:23 < havoc> DArqueBishop: yes, and yes, not my first rodeo ;)
10:24 < DArqueBishop> ...
10:24 < DArqueBishop> Wow. The hardware is replaced and they're still insisting that it's not something on their end? That's... incredibly stupid.
10:24 < havoc> would anyone be interested in the provisioning setup?
10:24 < havoc> I think it's good/interesting enough that others may want it
10:25 < havoc> DArqueBishop: this is the way most corps operate :(
10:25 < DArqueBishop> I must have worked for smart corps, then.
10:25 < havoc> anyway, we got the green light to skip all the known problem stations, and move them to dead last in deployment
10:26 < DArqueBishop> Nice.
10:27 < DArqueBishop> Although, my last gig was at a Fortune 50 company and dealing with their IT was like pulling teeth sometimes.
10:27 < DArqueBishop> (I was the network admin for their shared R&D labs.)
10:28 < havoc> most IT ppl in these envs are siloed, and there is much bureaucracy
14:29 -!- svm_invi_ is now known as svm_invictvs
17:22 -!- NP-Completeass is now known as NP-Hardass
17:59 < spacedust> hi im trying to connect roadwarriros over a routed network but i think im having mtu problems
18:00 < spacedust> im trying to lower the mtu but it doesnt seem to work
18:00 < |Mike|> topic please
18:00 <@dazo> !topic
18:00 <@vpnHelper> "topic" is see /topic instead.
18:00 -!- dazo changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire /topic || Current Release:2.4.3 (21 June 2017) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || Your problem is probably firewall. Really || TAP/bridging is almost always a bad idea || Vulninfo: !heartbleed !poodle !ovpnuke !sweet32 || EasyRSA v3.0.3 Released!
18:01 < spacedust> could anyone tell me exactly what option i need in server (linux) / client (windows) to have an mtu of 1300 to test if its that the problem ?
18:01 <@dazo> !man
18:01 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
18:01 < spacedust> my problem isnt firewall, since pings go well but not else
18:01 <+_FBi> heya dazo
18:01 < spacedust> even telnet connection
18:01 <@dazo> _FBi: hey!
18:02 < spacedust> i tried setting --tun-mtu 1500 --fragment 1400 --mssfix on the server and on the client as well
18:02 <+_FBi> Supper time * Waves to the room*
18:03 <+_FBi> !struts
18:03 <+_FBi> /jokes
18:03 <+_FBi> cya guys
18:03 < |Mike|> _FBi: not funny :-P
18:12 < |Mike|> spacedust: have you tried this: https://www.sonassi.com/help/troubleshooting/setting-correct-mtu-for-openvpn
18:12 <@vpnHelper> Title: Setting correct MTU for OpenVPN | Magento Hosting by Sonassi (at www.sonassi.com)
18:12 < |Mike|> ?
18:38 < spacedust> |Mike|: i actually found out its not an mtu issue, since i reverted back to the original setup
18:39 < spacedust> |Mike|: the issue is openvpn runs on a qemu vm, on top of a debian which has bridge mode active to give net to the vms
18:39 < spacedust> and i can not connect to any of the vms running on that machine, just to the openvpn server vm :)
18:39 < spacedust> i blame a soho switch that got there somehow
18:39 < spacedust> or is it me ? :D
21:36 -!- mundus is now known as mundus2018
--- Day changed Thu Sep 21 2017
00:09 < careta> hey guys, my openvpn server is configured for port 50255, but when I connect to it, it tries to force a connection on 26887, and the client will only connect if I use --float
00:09 < careta> however this is a problem for me, as I need to NAT the connections using the firewall in front of the openvpn server, and I want all connections to go through port 50255, which is the NAT'ed port
00:10 < careta> how can I force it to use 50255?
00:12 < careta> Incoming packet rejected from [AF_INET]IP:26887[2], expected peer address: [AF_INET]IP:50255
00:21 < careta> no ideas?
00:24 <@ordex> careta: it should not use another port
00:24 <@ordex> are you sure it isn't the server NAT playing some weird trick ?
00:26 < careta> ordex, maybe it's the shitty router I have?
00:26 <@ordex> honestly i don't know
00:26 < careta> I have mapped external 50255 to internal 50255 on my server
00:26 <@ordex> can you run tcpdump on the server to see if it's the server changing the port or not ?
00:26 < careta> trying to debug it with tcpdump
00:26 < careta> yes
00:27 <@ordex> check incoming and outgoing packets on the vpn server and see if they have the port changed
00:27 <@ordex> if not, then it's the router changing it
00:27 < careta> nope, seems the port is correct 50255
00:27 < careta> what a piece of crap this router
00:27 <@ordex> weird
00:27 <@ordex> not sure why it would do that
00:28 < careta> because it's crap, I've had lots of problems with it
00:29 < careta> the router changes the outgoing port, but then it doesn't route it for incoming packets
00:29 < careta> unbelievable
00:32 < tcpdump> careta: you using udp or tcp?
00:32 < tcpdump> try tcp
00:32 < careta> the weird thing is that ssh works fine
00:32 < tcpdump> careta: ssh is tcp :)
00:32 < careta> tcpdump, hmm yeah
00:32 < careta> good idea
00:32 < tcpdump> ovpn is typically udp
00:32 < tcpdump> So heres what happens....
00:33 < tcpdump> Well, its a lot of explains, and im tired.
00:33 < tcpdump> try TCP for your ovpn proto
00:33 < careta> sure, I'll try that
00:33 < careta> one sec
00:33 < tcpdump> theres shit tons of different NATs (thats dramatic - theres 4).
00:33 < tcpdump> And none of them do UDP well  lol
00:33 < tcpdump> Unless connection was initiated from the server.
00:34 <@ordex> tcpdump: mah linux usually does basic UDP NAT pretty well
00:36 < tcpdump> Never heard of mah linux, whats it based on?!
00:36 < tcpdump> :P
00:36 < tcpdump> jk btw
00:37 <@ordex> :)
00:39 < tcpdump> I miss the days when troubleshooting OVPN was the hardest task I had.
00:42 <@ordex> hehe
00:42 <@ordex> I miss the days when I had no task
00:42 <@ordex> only hobbies :)
00:46 < careta> tcpdump, awesome, works now
00:46 < tcpdump> Sweet
00:46 < tcpdump> NATs
00:47 < tcpdump> So routers may not use the same.port on the inside and outside.
00:47 < tcpdump> They will often translate between ingress and egress.
00:48 < tcpdump> ordex: what's that like? :)
00:48 < careta> wouldn't have a problem with that if the router was smart enough to adjust the firewall dynamically
00:50 < tcpdump> Alright need time
00:50 < tcpdump> Later
00:50 < tcpdump> Bed
00:50 < careta> thanks man
00:50 < tcpdump> Yw
01:10 < careta> now on to the next challenge, routing all traffic through the VPN
01:11 < careta> I'm using the redirect-gateway option, and forcing the opendns servers onto the client
01:11 < careta> however I cn
01:12 < careta> cant ping anything besides the remote server
02:02 <@ordex> !forwarding
02:02 <@ordex> !nat
02:02 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
02:02 <@ordex> ah he is gone
02:10 < careta> ok so I can see in wireshark on my client tun interface that I'm sending packets to the server, and the server is receiving them on its tun interface
02:11 < careta> but any client request to lets say google just hangs
02:12 < careta> so the server is not routing packets back to the client
02:14 < careta> I've added the masquerade entry in the iptables on the server
02:16 <+hyper_ch> !configs
02:16 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
02:19 < careta> hyper_ch, https://pastebin.com/gYTyB3gJ
02:20 < detha> !route
02:20 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
02:21 <+hyper_ch> careta: out of curiosity: why use tcp?
02:21 < careta> hyper_ch, had an earlier discussion here about this, my router is crap so udp didn't work
02:21 <+hyper_ch> and I assume that's not the real remote address?  remote 127.0.0.1 50255
02:22 < careta> you're right, that's not the real one
02:22 <+hyper_ch> can you ping IPs find?
02:22 < careta> nope, only the VPN ones
02:22 < careta> can't reach any external IPs
02:23 <+hyper_ch> careta: cat /proc/sys/net/ipv4/ip_forward
02:24 < careta> hyper_ch, it's at 1, and I also have iptables nat    0     0 MASQUERADE  all  --  any    enp1s0  10.8.0.0/24          anywhere
02:24 <+hyper_ch> the server can ping ips as normal?
02:24 < careta> yes, no problem at all
02:30 < careta> I'm at a loss
02:30 < careta> what should I do?
02:31 <+hyper_ch> careta: I use this script on one of my vpn servers to empty iptables and set up portwarding to clients:  https://paste.simplylinux.ch/view/55795aae
02:31 < careta> thanks, I will try that
02:32 <+hyper_ch> also set your ethernet device accordingly... its eth0 that machine
02:36 <@ordex> !nat
02:36 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
02:36 <@ordex> !
02:36 <@ordex> oh I think you have checked that
02:36 <+hyper_ch> ordex: how comes you're so helpful this early in the morning?
02:36 <@ordex> careta: what does tcpdump says on enp1s0 when you ping google from the client?
02:36 <@ordex> hyper_ch: almost part time here
02:36 <@ordex> morning is long gone :P
02:36 <@ordex> *party
02:37 <+hyper_ch> morning has just begun
02:37 <@ordex> well, it depends where you are :D
02:37 <+hyper_ch> 09:30 - perfect time for first cup of coffee
02:37 <@ordex> hehe
02:37 <@ordex> good idea
02:37 <+hyper_ch> ordex: since I'm the center of all universes, multiverses etc.... it doens't matter where anyone else is ;)
02:37 <@ordex> :D right
02:38 <+hyper_ch> IMHO
02:39 < careta> ordex, 08:33:59.320426 IP 10.8.0.6 > sa-in-f105.1e100.net: ICMP echo request, id 28853, seq 1, length 64
02:39 <@ordex> careta: that's on enp1s0 ?
02:39 < careta> ordex, yes
02:39 <@ordex> clearly no masquerading is being applied
02:39 <@ordex> because the source IP has not been changed
02:39 < careta> ah dammit I cleared the rules, one sec
02:39 <@ordex> I guess your MASQ rule is wrong then
02:39 <@ordex> ah
02:40 < careta> 08:35:12.725861 IP 10.8.0.6 > 74.125.24.103: ICMP echo request, id 29853, seq 1, length 64
02:40 < careta> now with masq
02:41 <@ordex> well
02:41 <@ordex> still wrong
02:41 <@ordex> what's the exact rule you are applying ?
02:41 <@ordex> can you paste somewhere the output of iptables -t nat -vnL POSTROUTING ?
02:41 <@ordex> *also
02:41 < careta> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp1s0 -j MASQUERADE
02:42 <@ordex> caould you also paste the full postrouting chain, please? or isnt there anything else?
02:42 < careta> just this entry     0     0 MASQUERADE  all  --  *      enp1s0  10.8.0.0/24          0.0.0.0/0
02:43 <@ordex> mh clearly there is no matching..I wonder why
02:43 <@ordex> who had enough coffee already? hyper_ch !
02:44 <+hyper_ch> ordex: ?
02:44 <@ordex> find the problem!
02:44 <@ordex> :D
02:44 <+hyper_ch> I don't have any problem :)
02:45 <@ordex> :P
02:45 <@ordex> careta: must be something stupid
02:46 <@ordex> careta: what's the IP on enp1s0 ?
02:46 <@ordex> is enp1s0 in a bridge or something?
02:47 < careta> oh yes it's on a bridge
02:47 < careta> br0, which is the interface used by a kvm client
02:47 < careta> enp1s0 is 192.168.69.69
02:47 <@ordex> uhm
02:48 <+hyper_ch> know your interfaces!!!
02:48 <@ordex> are you saying that enp1s0 is enslaved in br0 ?
02:48 <@ordex> can you paste brctl show?
02:48 <@ordex> (not here if it's more than one line, please)
02:48 < careta> https://pastebin.com/mBgutVy3
02:50 <@ordex> yeah enp1s0 is a slave, therefore the IP on it does not really make sense
02:50 <@ordex> on top of that the interface assigned for routing is br0, so the rule must match against that
02:50 <@ordex> not enp1s0
02:50 < careta> so what if I delete that bridge?
02:51 <@ordex> uhm, that is a question for yourself :P
02:51 < careta> I can do that no problem
02:51 < careta> don't care about that client
02:51 <@ordex> as I said, you have to modify the MASQ rule to use br0
02:51 <@ordex> to make it work in this setup
02:51 < careta> ok, one sec
02:51 <@ordex> but if you don't want the bridge ..then remove it
02:51 <+hyper_ch> ordex: you know a lot about interfaces, bridging and routing :)
02:51 < careta> I need to configure it properly to be honest, another thing I need to look into
02:52 <@ordex> I broke the bridge code quite often :D
02:52 <@ordex> careta: that sound slike a good idea :)
02:52 <@ordex> *sounds
02:52 <@ordex> no need to configure something around a broken setup. fix it first :)
02:57 < careta> ordex, thank you oh great lord
02:57 < careta> problem solved
02:57 < careta> jesus christ what an ordeal
02:57 <@ordex> lol
02:58 <@ordex> next time fix your setup first :P
02:58 < careta> honestly I need to set up the kvm clients properly but it was all done in a rush
02:58 <@ordex> glad it works now
03:00 <+hyper_ch> doing things in a rush is almost never a good idea
03:01 < careta> hyper_ch, true but sometimes there is no other choice
03:01 < temuccio> hello all...I need help with a vpn network...I have one client and one server....the connection works fine form 1-2 day, after the connection is on but doesn't works (ping, ssh, etc unreachable)....If I go on the client via public IP and restart daemon vpn, it's works fine about 1-2 day. Can you help me?
03:01 <+hyper_ch> there's always a choice
03:01 <+hyper_ch> !configs
03:01 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
03:56 -!- abenz_ is now known as abenz
06:30 < AquaL1te> just a simple question does AES GCM has any major advantages compared to CBC? as far as i read GCM has integrety checking and some counters which makes it better resistant against data corruption? second question is that AES 128 is still very secure and there is so far as i read a 40% performance difference between AES 128 and AES 256, is there any reason to use AES 256?
06:30 < AquaL1te> and when someone would like to enforce AES-128, then both the cipher and tls-cipher on the server must be configured to use them right? and the client needs to specify the cipher option in its config as well
07:00 < TyrfingMjolnir> I'm here
07:00 < TyrfingMjolnir> https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
07:00 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net)
07:01 < TyrfingMjolnir> Point 6b and 6c does not work
07:01 < TyrfingMjolnir> Error message: unknown type server
07:01 < TyrfingMjolnir> Error message: unknown type client
07:04 <+hyper_ch> TyrfingMjolnir: are you the one who issues alls certs and keys? or do clients need to submit csr?
07:10 < TyrfingMjolnir> For now I have ca/server/client
07:10 < TyrfingMjolnir> In that hierarchy for testing
07:11 < TyrfingMjolnir> ca/pki
07:11 < TyrfingMjolnir> ca/server/pki
07:11 < TyrfingMjolnir> ca/server/client/reqs
07:11 < TyrfingMjolnir> hyper_ch:
07:11 < TyrfingMjolnir> I have easyrsa in /opt folder
07:11 <+hyper_ch> that wasn't my question
07:12 < TyrfingMjolnir> Right now I'm on all sides of the equation
07:12 <+hyper_ch> do you wnat to create/issue all certs or should clients submit csr
07:12 < TyrfingMjolnir> I would like to have both options
07:12 < TyrfingMjolnir> Right now I'm trying out the HOW-TO: https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
07:12 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net)
07:17 < TyrfingMjolnir> hyper_ch: I might as well issue everything myself.
07:17 < TyrfingMjolnir> I have this set of data on a separate SD card
07:17 <+hyper_ch> then use that:  https://community.openvpn.net/openvpn/wiki/EasyRSA3-Insecure-PKI
07:17 <@vpnHelper> Title: EasyRSA3-Insecure-PKI – OpenVPN Community (at community.openvpn.net)
07:17 <+hyper_ch> in step 7 you can also add "nopass" to not be required to have a password
07:18 < TyrfingMjolnir> hyper_ch: And the good way?
07:18 <+hyper_ch> no idea what you mean by the good way
07:20 < TyrfingMjolnir> This one: https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
07:20 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net)
07:21 < TyrfingMjolnir> EasyRSA v3 Insecure PKI Howto must be no good
07:26 < rob0> you just need to understand a bit more about a PKI
07:27 < rob0> Many userbases have technically ignorant and incompetent users, and you are pretty much forced to do it the insecure way.
07:27 < rob0> You need trained and capable users if you want to do the more-secure PKI.
07:27 < havoc> ^^^^^
07:28 < havoc> users + CSRs == a whole lotta headaches
07:28 < TyrfingMjolnir> I want to try them both so that I can make up my mind on what to choose
07:28 < TyrfingMjolnir> I may write a Cocoa app for the users to make their own requests
07:29 < TyrfingMjolnir> Not sure how I could make a Cocoa Touch app though...
07:29 < rob0> first YOU have to "get it"
07:29 < TyrfingMjolnir> Generate a full ovpn file and have it open in OpenVPN
07:29 < TyrfingMjolnir> I got it
07:29 < rob0> THEN you start training
07:30 < havoc> my PKI [for this big project] isn't the most secure
07:30 < TyrfingMjolnir> The issue was that I had linked easyrsa script to /opt/local/bin
07:30 < havoc> but then I also have to automate everything for 2,000+ clients
07:30 < TyrfingMjolnir> And this folder was required /opt/easy-rsa/easyrsa3/x509-types/
07:31 < TyrfingMjolnir> So I had to type /opt/easy-rsa/easyrsa3/easyrsa opposed to easyrsa
07:31 < rob0> I'd just put it all in a $HOME for a dedicated CA admin user.
07:31 < rob0> and keeping the data on removable media is a good idea too
07:31 < TyrfingMjolnir> Are there any benefits to using TRNG when signing?
07:31 < TyrfingMjolnir> I have the data on SD Card that I store in the safe
07:44 < temuccio> hello all
07:44 < temuccio> I need help on my connection because I don't find problem
07:44 < temuccio> bu after a lot of time, it's go down
07:44 < temuccio> I have interface tun0 up
07:44 < temuccio> but doesn't ping
07:56 <@dazo> !logs
07:56 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
07:56 <@dazo> !configs
07:56 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
07:57 < TyrfingMjolnir> Is there a way to query the running openvpn server for the active settings_
07:57 < TyrfingMjolnir> Like nginx -t
08:00 <@dazo> nginx -t only checks the syntax .... but no, there's no real direct equivalent .... you could probably come a far way with  openvpn --config $CONFIG_FILE --dev null --port $SOME_UNUSED_PORT --nobind , but it will try to connect to the remote (if using client configs)
08:02 < temuccio> this is client log: https://dpaste.de/KrU0
08:04 < temuccio> this is my server log: https://dpaste.de/wbSJ
08:04 <@dazo> ehm .... --verb 4 please as indicated in !logs ... and the *complete* log file from when openvpn starts to you stop it
08:05 < temuccio> this log is when I restart openvpn (at 9:52)
08:06 < temuccio> I add verbose
08:06 <@dazo> the server log is definitely mangled
08:08 < temuccio> I have restart, but the block are after 5-6 hours
08:11 <@dazo> then we wait :)
08:11 -!- Dougy [~dougy@openvpn/community/support/Dougy] has joined #openvpn
08:16 < temuccio> thanks
08:21 <+hyper_ch> still no news from krzee?
08:22 <@dazo> have not heard anything .... :/
08:22  * dazo no like
08:23 <+hyper_ch> I use an encrypted vm for the certs and only fire it up if I need new certs
08:23 <@dazo> +1
08:24 <@dazo> hyper_ch: an encrypted iscsi device, only being activated when needed could also work
08:24 <+hyper_ch> vm is simpler
08:24 <+hyper_ch> it's on the server
08:24 <+hyper_ch> so it won't run away
08:25 <+hyper_ch> or get dragged to some obscure place by my feline cohabitants
08:25 <@dazo> I have some sensitive on a double-encrypted iscsi drives ... which I can reach via VPN .... decrypt, enable iscsi on server, log into iscsi on laptop (via VPN) and decrypted on the laptop
08:26 <@dazo> have a couple of scripts doing that process for me ... so it's just the matter of entering the various passwords
08:26 <+hyper_ch> you have more than one password? oO
08:26 <@dazo> double encrypted
08:26 <+hyper_ch> it's probalby dazo1, dazo2, dazo3
08:26 <+hyper_ch> servers are also encrypted here
08:27 <@dazo> hahaha
08:27 <@dazo> nope :)
08:29 <+hyper_ch> so, does anyone else use pass was password manager in here? excep zx2c4 of course
08:31 < zx2c4> i stopped using pass in favor of last pass
08:31 < zx2c4> i love to put my passwords with javascript crypto in the web browser
08:31 < zx2c4> jk jk !
08:32 <+hyper_ch> zx2c4: I believe you.
08:33 <+hyper_ch> geez, I should get a new notebook.. the cpu takes forever to comile vbox
08:35 < rob0> hyper_ch, a VM for your CA might not be a good idea, unless you have provided it with a good source of random data.
08:36 <+hyper_ch> rob0: you don't harness cosmic microwave background for encryption?
08:36  * rob0 needs to start doing that
08:37 <+hyper_ch> https://motherboard.vice.com/en_us/article/53dp4z/harnessing-the-chaos-of-the-cosmic-microwave-background-for-better-encryption
08:37 <@vpnHelper> Title: Harnessing the Chaos of the Cosmic Microwave Background for Better Encryption - Motherboard (at motherboard.vice.com)
08:38 < |Mike|> passmanagers are mongrels. I use gpg!
08:38 <+hyper_ch> |Mike|: pass uses gpg
08:38 <+hyper_ch> and bash
08:38 < |Mike|> I use vi + gpg
08:38 <+hyper_ch> bash > vi
08:38 < |Mike|> and my crypto dongle from german privacy foundation o/
08:39 < |Mike|> never.
08:40 <@dazo> hyper_ch: I use pass too, with passff (heard there are some better alternatives, but haven't dug into it yet)
08:40 <+hyper_ch> what's passff? is that something for firefox?
08:40 <@dazo> yeah, it bridges pass with firefox
08:40 < |Mike|> zx2... firefox extiosn
08:41 <+hyper_ch> isn't that the same as directly installing last pass? oO
08:42 <@dazo> no, not really ... as lastpass uses their closed/proprietary storage - even worse if using their cloud options .... while pass uses gpg + git to a server I control (and is not available directly on the internet)
08:43 <+hyper_ch> git is good.. but the bad thing with pass and git is I can't put that on a public git server because everybody would see my pr0n sites Web/xxxxxxx.gpg
08:43 < havoc> keepass
08:44 <+hyper_ch> if pass could also encrypt the path and filenames somehow...
08:44 <+hyper_ch> well, I have it on my private git home server
08:44 <@dazo> hyper_ch: heard of VPN? :-P
08:44 < havoc> re: yesterday's discussion on TLS auth and firewalls, problem is solved
08:44 <+hyper_ch> dazo: fail to see how vpn plays in there
08:45 < havoc> we found the correct clauses in the contract to beat them over the head with :)
08:45 <+hyper_ch> if paths and files were also encrypted, I just could put it on github
08:45 <@dazo> hyper_ch: pass -> git -> ssh -> vpn > [secure box]
08:45 <+hyper_ch> havoc: so your client upgrades to Linux now?
08:45 < havoc> hyper_ch: linux has nothing to do with it
08:45 < havoc> nor does any OS
08:46 < havoc> it's their stupid "security" policies
08:46 <+hyper_ch> you didn't have to tell your client that ;)
08:46 <+hyper_ch> what did they do?
08:46 <+hyper_ch> they let send out tls but block anything incoming?
08:46 < havoc> it's not what their running either, it's all our gear, it's their perimeter security that's the issue
08:47 < havoc> hyper_ch: that's my guess, but now we can just ignore them until end of deployment
08:47 < havoc> ...and not be penalized for late delivery, as They are in violation of contract
08:47 <@dazo> that's a sweet moment :)
08:47 < havoc> so the problem isn't really solved, but the problem isn't really technical either, it's proceedural/policy :(
08:48 <+hyper_ch> :)
08:48 <+hyper_ch> they're so secure not even a vpn can go through ;)
08:48 < havoc> so rather than having to prove specifically what needs to be changed, we just hit them with the contract, and move on
08:49 < havoc> these people what to whitelist outgoing traffic by destination IP
08:49 < havoc> so much Wrong with that ;)
08:52 < havoc> we had actually considered running openvpn on tcp:443, but that only works for 125 clients (in the /25)
08:53 < havoc> but I don't like technical work-arounds for non-technical problems
08:53 <@dazo> +1
08:53 < |Mike|> i'd have gone for the tcp:443 solution and leave the bashing behind :-P
08:55 < |Mike|> https://github.com/elg/Dirty-tools/blob/master/gpgvi.sh
08:55 <@vpnHelper> Title: Dirty-tools/gpgvi.sh at master · elg/Dirty-tools · GitHub (at github.com)
09:02 <@dazo> |Mike|: ehm?  why not this?  https://vim.sourceforge.io/scripts/script.php?script_id=3645
09:02 <@vpnHelper> Title: gnupg.vim - Plugin for transparent editing of gpg encrypted files. : vim online (at vim.sourceforge.io)
09:05 < |Mike|> dazo: didn't know that it existed :x
09:05 < |Mike|> tnx.
09:06 < DArqueBishop> <havoc> these people what to whitelist outgoing traffic by destination IP
09:06 < DArqueBishop> ...
09:07 < DArqueBishop> That's just silly.
09:29 < tcpdump> hey everyone
09:29 < tcpdump> Hows it going today?
09:59 < havoc> DArqueBishop: ya think? ;)
10:05 -!- abenz_ is now known as abenz
10:34 < mike309> I have access to an openvpn server that someone else set up. I can connect and get good performance when running debian 9.1, but connection starts quick, but quickly gets slow and dies in Ubuntu 16.04
10:35 < mike309> any suggestions on what I should check about the differences between the two systems?
10:39 < mike309> this is based on fresh installs
10:40 < mike309> debian is running openvpn 2.4.0, ubuntu is 2.3.10, but I also installed 2.4.3 from source with no change
11:16 -!- johnny56_ is now known as johnny56
12:01 < albech> Hi all. Trying to configure an openvpn server on GCP and I can connect to the server fine from my clients, but it will not perform the ip forwarding. I have enabled ip forwarding in the kernel and on the vm container. Any ideas?
12:03 < albech> GCP = Google Cloud Platform if anyone wondering.
12:04 < Dougy> interesting
12:04 < Dougy> i am not familiar with that plaform at all. what do you get
12:04 < Dougy> just a linux vm?
12:04 < albech> Dougy: similar to EC2
12:04 < albech> Dougy: they have a free tier now
12:04 < Dougy> albech: also not familiar
12:04 < Dougy> :)
12:04 < albech> Dougy: The whole platform is slow
12:05 < albech> Dont know Amazon EC2? ;)
12:06 < albech> And yes, what i have now is just a linux vm
12:07 < Dougy> albech: i don't do much cloud, dont trust it
12:07 < Dougy> :)
12:08 <@ordex> !nat
12:08 < albech> Dougy: same here, but a VPN to a US location is good for streaming TV ;)
12:08 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
12:08 <@ordex> albech: ^^
12:08 <@ordex> make sure you follow the various steps. ip_forward is one of them only
12:09 < albech> ordex: i have set up masquerading
12:09 <@ordex> ok, and the client has the VPN server set ad default GW?
12:09 < albech> ordex: will read it though.. i have another openvpn server running in out own dc and it works just perfect.
12:10 < albech> ordex: i tried using it a default gw just for troubleshooting and nothing.
12:10 < albech> brb
12:15 < havoc> openvpn[1800]: UDPv4 link local: [undef]
12:15 < havoc> is that normal?
12:15 < havoc> got a client that's not connecting to the server, it's as if it's not even trying
12:15 < havoc> I see nothing on the server side, and it's not a fw issue
12:17 < havoc> lets see what verb 7 has to say....
12:18 < havoc> hmm: TLS Warning: no data channel send key available
12:20 < havoc> ah, the tun iface isn't being created, WTF?
12:20 < havoc> how do I fix that?
12:22 <@ordex> havoc: tun module loaded?
12:23 < havoc> ordex: yes
12:23 < havoc> this is weird as all these devices are identical
12:24 < havoc> it is my understanding that the TUN isn't created until after negotiation w/ the server?
12:24 < havoc> and no packets are getting to the server, at all, in which case the TUN would never be created, right?
12:26 < havoc> eh, I told them to reboot the cable modem, and/or move on
12:26 < havoc> it's either the modem, or permiterfirewall
12:30 < albech> back
12:45 < kishmesh> hi. I'm just learning how to setup my own vpn server. On my server I have a network card eth0 which is connected to WAN with static public ip. When I start the vpn server a tun0 device is created and a 10.8/24 network created. The goal is that VPN clients can use the internet access on eth0. Do I need a NAT for that?
12:45 <+hyper_ch> !ipforward
12:45 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
12:47 < albech> !linipforward
12:47 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
12:52 < kishmesh> !fbsdipforward
12:52 <@vpnHelper> "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
12:53 < albech> Seems like a lot of trouble to go through for configuring the network - https://cloud.google.com/compute/docs/vpc/special-configurations
12:53 <@vpnHelper> Title: Special Configurations | Compute Engine Documentation | Google Cloud Platform (at cloud.google.com)
12:53 < kishmesh> hyper_ch: but is that enough? how does does an outgoing packet arriving at tun0 know that it need to be forwared to eth0 ?
12:53 < kishmesh> because eth0 is set as default gateway?
12:54 <+hyper_ch> it's some kind of magic that others are much better at explaining than me
12:54 < rob0> yes, you need NAT for that
12:54 < rob0> !redirect
12:54 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
12:54 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
12:54 < rob0> ^^ flowchart
12:55 <+hyper_ch> rob0: not incoming packages.. outgoing ones
12:55 <+hyper_ch> a packes from the vpn should reach the outside world
12:55 < rob0> "The goal is that VPN clients can use the Internet access on eth0."
12:56 <+hyper_ch> yeah, so the vpn client want to speak to the internet
12:56 <+hyper_ch> or maybe I'm just misunderstanding that
13:07 < PipeItToDevNull> Hey yall, is there a known issue with the PAM auth module and having "." in a users name? I can authenticate any user that does not have a "."
14:37 < albech> what would be the simplest iptable rule to just forward all traffic from tun0 to eth1?
14:40 < albech> after reading https://cloud.google.com/compute/docs/vpc/special-configurations i am wondering why they are making virtual interface. I dont quite understand why that is necessary. Could be some crap related to the GCP.
14:40 <@vpnHelper> Title: Special Configurations | Compute Engine Documentation | Google Cloud Platform (at cloud.google.com)
16:53 < dedondesta> is there a reason to change KEY_COUNTRY,KEY_PROVINCE,KEY_CITY,KEY_ORG etc?
16:55 < PipeItToDevNull> dedondesta, no technical reason
16:56 < dedondesta> got it
16:56 < dedondesta> thanks
17:43 < |Mike|> re!
17:45 < Neobenedict> hi all
17:45 < Neobenedict> ive set up port forwarding with my openvpn + iptables but i'm not getting any peers in my torrents (or very few) when I would otherwise - dht seems to partially work but trackers themselves are stuck "updating" - any ideas
17:46 < Neobenedict> port forwarding works (i tested by asking others to access a web server i was hosting thru the vpn)
17:46 < Neobenedict> something else isn't working however.
17:57 < |Mike|> neobenedict: could it be that your provider blocks stuff like torrents?
17:59 < neobenedict> |Mike|: no, quite the opposite
18:00 < neobenedict> i think utorrent is being weird
18:00 < neobenedict> since I can download now but I couldn't yesterday
18:00 < neobenedict> and i've changed nothing
18:00 < neobenedict> lol
18:14 < |Mike|> neobenedict: the traffic is going over the vpn? ;-)
18:15 < neobenedict> |Mike|: hope so :P
18:19 < SupaYoshi> Hi, I have OpenVPN setup, working just fine on 2 endpoints. But the download speed is aprox. ~ around 2Mbps max.
18:19 < SupaYoshi> but my upload speed is 60 Mbps at one endpoint (server location) and 15 Mbps at the other Vpn server location.
18:20 < SupaYoshi> What is the cause of this, and what can I do to improve the Mbps speed.
18:23 < neobenedict> disable comp-lzo
18:23 < neobenedict> maybe
18:23 < |Mike|> hardware, key strenght, ...
18:23 < neobenedict> dont use tcp
18:23 < neobenedict> push "sndbuf 393216"
18:23 < neobenedict> push "rcvbuf 393216"
18:23 < neobenedict> etc
18:23 < |Mike|> it's like running openvpn server on a raspberry pi A model
18:23 < neobenedict> lol
18:23 < |Mike|> will be def. slow.
18:23 < SupaYoshi> I don't run it on that, I run it on a HP Microserver,
18:23 < |Mike|> SupaYoshi: got configs?
18:23 < SupaYoshi> But the other endpoint is a Synology Play 216.
18:23 < neobenedict> |Mike|: do you think under any system openvpn could reach close to gigabit speed
18:24 < SupaYoshi> Yeah I've got a config.
18:24 < |Mike|> !configs
18:24 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
18:24 < neobenedict> is it purely cpu limiation?
18:24 < neobenedict> on host/client
18:25 < SupaYoshi> http://paste.ubuntu.com/25589155/
18:25 < SupaYoshi> this is one config for one server.
18:25 < |Mike|> neobenedict: https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
18:25 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
18:25 < neobenedict> i was just reading that
18:26 < neobenedict> "The real performance gain is expected from the AES-NI capable hardware, such as the Intel Xeon X5660"
18:26 < neobenedict> i actually have an x5650
18:26 < neobenedict> :D
18:27 < SupaYoshi> http://paste.ubuntu.com/25589166/
18:27 < SupaYoshi> that's the other config.
18:28 < |Mike|> SupaYoshi: might be handy for you to read the previous link as well. Clearly explains al the tweaks on key strenght - encryption use, mtu settings etc.
18:28 < SupaYoshi> Ty.
18:29 < SupaYoshi> But what about my config so far? I'm reading already!
18:29 < neobenedict> if you turn off encryption
18:29 < neobenedict> isn't that kinda pointless
18:30 < neobenedict> certainly for most uses unless you are using openvpn just to connect services i guess
18:30 < SupaYoshi> I would like to know this too ^
18:31 < |Mike|> SupaYoshi: you're using blowfish cbc 256 or ? Where did you get the msfix and tun-mtu 1400 from?
18:31 < |Mike|> !mtu
18:31 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting, or (#3) useful info here: https://forum.pfsense.org/index.php?topic=67080.0
18:32 < |Mike|> SupaYoshi: ik zie dat je mede Nederlander bent (oud GoT topic ;) )
18:35 < SupaYoshi> Ja klopt.
18:41 -!- svm_invi_ is now known as svm_invictvs
19:36 < kishmesh> hi. i'm running openvpn client in chrooted environment. when I kill the client (ctrl-c) I get messages like " Linux route delete command failed" Is this because it cannot fine the binaries like "route"? I would think it would exited crhooted env before executing these commands?
21:18 -!- abenz_ is now known as abenz
--- Log closed Fri Sep 22 00:03:24 2017
--- Log opened Fri Sep 22 07:28:15 2017
07:28 -!- Irssi: #openvpn: Total of 285 nicks [9 ops, 0 halfops, 4 voices, 272 normal]
07:28 -!- mode/#openvpn [+o ecrist] by ChanServ
07:28 -!- Irssi: Join to #openvpn was synced in 2 secs
07:29 < |Mike|> !ipv6
07:29 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6, or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ, or (#3) http://xkcd.com/865/, or (#4) to ignore ipv6 from the server see !noipv6client
07:29 < |Mike|> spY|da: ^^
07:33 < dedondesta> spY|da: you have only ipv6 at home?
07:33 < dedondesta> spY|da: no ipv4?
07:49 < spY|da> dedondesta: it is a dual stack lite
07:50 < spY|da> i share my ipv4 adress with a bunch of people
07:51 < spY|da> the idea was using my dedicated server located in a data center with ipv4 and ipv6 to connect home and work
07:58 < dedondesta> spY|da: then you can setup everything on ipv6
07:58 < dedondesta> errr
07:58 < dedondesta> ipv4
08:45 < spY|da> thanks i will give it a try
09:24 < D4ni3l> Hi
11:32 < polprog> hi
11:32 < polprog> i need help with generating new client certs/keys
11:33 < polprog> im generating them with easy-rsa
11:33 < polprog> by executing . ./vars and then ./build-key clientname
11:34 < polprog> then, i copy the ovpn config file, ca.crt, clientname.crt, and clientname.key to another machine
11:35 < polprog> when i try to run openvpn config.ovpn (with changed ca, cert and jey variables so they point at proper files) it gives the "self signed certificate in certificate chain" error
11:35 < polprog> what am i doing wrong?
11:35 < polprog> all the old (previously generated keys) work
11:35 < polprog> i suspect it's a client side issue...
11:36 < polprog> (since it's the openvpn client that gives the error, no errors in server logs except for "TLS handshake failed")
11:36 < polprog> im quite new to rsa/vpn stuff and i need to set it up to tie two servers
11:38 < rob0> if you're only connecting two, and you understand the idea of loss of forward security, you can use p2p mode with a static key.
11:38 < rob0> it's MUCH easier.
11:40 < polprog> im not only connecting two
11:40 < polprog> currently it's at 4 devices, and many more can come
11:40 < rob0> A cron job to rotate the static key weekly, and your exposure is only a week at a time.  Probably nothing to worry about unless a gov't-level entity is hunting you.
11:40 < rob0> ah
11:41 < polprog> that's why the problem of adding new keys came up
11:41 < rob0> I can only guess you're lacking the proper CA certificate somewhere.
11:41 < polprog> meaning? ca.crt file?
11:42 <@ordex> is ./build-key the right command for creating a client cert signed by the CA?
11:43 <@ordex> I am not 100% sure
11:43 < rob0> ah, there should be a step to sign the CSR
11:44 <@ordex> that's not necessarily needed
11:45 <@ordex> the CSR is required when you want the client to generate it's own key, but in this case polprog is doing everything directly
11:45 <@ordex> *its
11:45 < polprog> well, it's asking whether to signt it at the end
11:45 <@ordex> the how to says ./build-key, so I guess it is correct
11:45 <@ordex> polprog: are the other clients that are working properly running the same openvpn version?
11:46 < polprog> i guess
11:46 <@ordex> and openssl/mbedtls version too?
11:46 < polprog> yes, yes
11:46 <@ordex> polprog: better check :P
11:46 <@ordex> ok
11:46 <@ordex> because these checks became more stringent with latest versions of openssl I think
11:47 < polprog> i specifically created a test key the same way and used it on my laptop which connects with no problems. and it shown the said error when trying to use the new test key
11:47 < polprog> the old key works flawlessly
11:48 <+hyper_ch> polprog: you0re still using easyrsa2... you should move to easyrsa3
11:48 < polprog> do i? probably. but that's nothing secret there
11:49 <+hyper_ch> yes, you still use easyrsa2
11:50 <+hyper_ch> the  . ./vars  is a tell :)
11:50 < polprog> so... what exactly does the error mean?
11:50 < polprog> self signed certificate
11:51 <+hyper_ch> no idea.... didn't see any error you posted.. just noticed you still use v2
11:51 <+hyper_ch> it's not like easyrsa3 was released almost 2 years ago...
11:52 < polprog> what am i doing wrong during the key gen process?
11:52 < polprog> i can post the client log if that helps
11:53 <+hyper_ch> no, there's no point in supporting easyrsa2 anymore :)
11:53 <+hyper_ch> IMHO
11:53 < polprog> but the previous keys work!
11:58 < DArqueBishop> polprog: stupid question, but you changed the keys on the server too, right?
11:59 < polprog> meaning?
11:59 < polprog> ho do i do that
11:59 < polprog> how*
12:00 < rob0> Clients and server must have the same CA certificate.  That CA must be the issuer of those client & server certificates.
12:01 < polprog> the file is surely the same (checked md5)
12:01 <+hyper_ch> use sha256sum... md5 is seriously deprected
12:01 < DArqueBishop> Ah, so you didn't create a new CA when you rebuilt the keys?
12:01 < polprog> i did
12:01 < DArqueBishop> Right.
12:01 < polprog> hyper_ch: md5sum is ok when i want to compare if two file shave the same content
12:01 < polprog> files*
12:02 < DArqueBishop> So, you need new keys on the server too if you changed the CA.
12:02 < polprog> ./build-key-server ?
12:02 < DArqueBishop> I believe the command is ./build-key-server.
12:02 < DArqueBishop> Right.
12:02 < polprog> that could be the case
12:02 < polprog> let me try, ill delete the old (not working keys) and try again
12:06 < polprog> still, self-digned
12:06 < polprog> signed*
12:06 < polprog> what value that i enter during the keygen defined who's signing it?
12:21 < polprog> when generating the keys, which parameters may not be the same so the self-signed error doesnt show up?
12:26 -!- NotSecwitter is now known as NonSecwitter
12:57 < hydrian> All has anyone been having problems with OpenVPN Connect 1.1.1 on iOS 11. It connects but no data will transfer.
13:00 < polprog> i give
13:00 < polprog> up. i have no idea why the hell does the easy-rsa generate self signed certs
13:01 < polprog> and i probably invalidated the certs i used before since the ones that DID work dont now. im done
13:09 < polprog> ill try with easyrsa3
13:09 < polprog> ...
13:13 < rob0> The only self-signed cert should be the CA cert.  If that was the issuer of the server cert and all client certs, it should work fine.
13:13 < rob0> !as
13:13 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
13:13 < rob0> hydrian, ^^
13:15 < polprog> rob0: how can i make sure the issuer of the server cert and client certs is the CA cert? im trying to use easyrsa3 now
13:18 < hydrian> rob0: It doesn't say that in the topic. It just says 'Access-Server" /join #openvpn-as. Nothing about OpenVPN Connect.
13:19 < hydrian> I'll try #openvpn-as
13:20 < rob0> Right, it's not in the /topic (thanks for reading the /topic!)
13:38 < polprog> okay.. managed to fix the mess
13:39 < polprog> still using easyrsa2, what do i need to execute to create new keys for later use? just . ./vars and then ./build-key?
13:42 < DArqueBishop> Right.
13:42 < polprog> thanks
13:43 < polprog> hope i wont have to deal with self signed certs ever again. i still dont know what was the exact cause then, except for knowing that some two parameters were the same!
13:52 < polprog> lesson learned. thanks!
14:16 < m00n_urn> hello!
14:41 <+hyper_ch> hi m00n_urn
14:41 <+hyper_ch> krzee: https://twitter.com/jupenur/status/911286403434246144
16:53 < kishmesh> in openvpn it is possible to push the dns server setting to the client, e.g. push "dhcp-option DNS 192.168.4.1" ... is there a way to push a random DNS from a preconfigured list?
16:56 < kishmesh> and when I try to "block-outside-dns" I get the erorr Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: block-outside-dns (2.4.3)
16:56 < kishmesh> any idea what I'm doing wrong?
17:02 < vectr0n> it only works on windows 10 apparently
17:04 < vectr0n> also only in openvpn 2.3.9+
17:04 < vectr0n> on*
17:59 < |Mike|> morning!
18:11 < havoc> bah
18:11 < |Mike|> kia ora havoc
18:12 < havoc> thanks?
18:13 < havoc> ~590/1725 cpn clients provisioned so far
18:13 < havoc> not too bad
18:14 < havoc> got 8 days to get the rest done, which ain't gonna happen, but oh well
18:14 < havoc> s/cpn/vpn/
18:18 < |Mike|> wtf do you need so many clients for?
18:19 < havoc> contract
18:19 < |Mike|> 1725 clients?!
18:19 < Eugene> Big contract?
18:22 < |Mike|> nooo shit hehe
18:54 < |Mike|> http://beta.speedtest.net/nl/result/6647322080
18:55 <@vpnHelper> Title: Speedtest by Ookla - The Global Broadband Speed Test (at beta.speedtest.net)
18:55 < |Mike|> I could use better internet over here ;-)
18:58 < michalrus> Hey! I’ve got a quick question. I’ve got a real LAN at home, 10.7.0.0/24, with a router 10.7.0.1 running an OpenVPN client in 10.8.0.0./24. As a road warrior I can connect to 10.7.0.0/24 from my laptop via OpenVPN w/o problems. However, when I get back home, I have two conflicting routes to 10.7.0.0/24: one through real eth0, and the other one through tun0. How to solve this? When I’m at home, I’d
18:58 < michalrus> obviously want to use the faster eth0. This has to be automatic, as one of the road warriors will be my mother. =)
19:00 < michalrus> One idea I have would be to use NAT at 10.7.0.1 so that the LAN has two address spaces: real 10.6.* and translated 10.7.* for the VPN. Then there’s no conflict and I can choose which interface I use at IP address level.
19:00 < michalrus> But you call NAT a hack, so… maybe there’s something better?
19:32 < havoc> |Mike|: gonna be >2,000 clients
20:05 <@ordex> cool
20:10 < kishmesh> from reading my openvpn server logs, PUSH_REPLY with (status 1) ... does that indicate an error?
--- Day changed Sat Sep 23 2017
05:55 -!- rax-Y is now known as rax-
05:57 < matt_> does openvpn support a 'client follow' feature kinda like mosh, where the server will update the clients ip / port when the client suddenly moves?
06:43 < rob0> The way that works, the client loses connection from the old address, reconnects.  With default settings I think it's pretty fast, less than a minute of disconnection.
06:43 < rob0> !ping-restart
06:43 < rob0> see --ping-restart in the manual
06:49 < matt_> rob0: yea, i use that atm, i was looking into a way to run voip over a single udp port for audio in both directions and have the ability to roam between wireless and 4g
06:51 < matt_> ive also come across some wire nating setups on public wifi's, one would nat one source port to one public ip and nat a different source port to a different ip, which was totally killing any audio
06:51 < matt_> iax2 helps but, apprantly, thats not being maintained for much longer
06:55 < kishmesh> hi. so i'm still wondering how I can verify that my DNS queries go through the VPN tunnel and not my regular WAN connection. Any ideas?
06:57 < matt_> kishmesh: I would just tcpdump -i tun0 -n port 53 or something
07:01 -!- abenz__ is now known as abenz
07:01 < kishmesh> matt_: true. I did use wireshark to do that and I can see that the DNS request goes through my tun device. I wonder if that is enough of a check.
07:02 < kishmesh> i'm confused about many dns leak test services. they show you what DNS server you are unsing, but they do not determine/check the source IP address of the DNS request.
07:03 < kishmesh> to me that is super misleading providing false sense of security.
07:03 < kishmesh> i've also been considering to run my own DNS server
07:04 < rob0> ^^ very easy
07:04 < kishmesh> rob0: ?
07:05 < rob0> you JUST SAID 'run my own DNS server'
07:06 < rob0> Also, if a client's gateway is redirected, that means ALL traffic except the tunnel itself goes over the VPN.
07:07 < kishmesh> rob0: yes I'm aware of "gateway-redirect" which I'm using. I'm feeling insecure because of the described "dns leak issue" above and wanted to make sure it works.
07:09 < rob0> it's "--redirect-gateway", and try "ip route get 8.8.8.8" on a Linux client.
07:09 < kishmesh> sorry, i meant, the "dns leak test" sites confused me
07:10 < |Mike|> orrr use block-outside-dns ;-)
07:11 < kishmesh> rob0: ok thanks, I wasn't aware of the "ip route get" command
07:11 < kishmesh> Mike--: that only works for windows afaik
07:14 < matt_> kishmesh: Ok, you could use tcpdump/tshark on your main interface and filter on port 53 to be sure
07:15 < matt_> kishmesh: of if you really want, you could use iptables to drop any udp/53 and tcp/53 going towards your nameserver you have set and -o of your main interface, so if they dont go down the tunnel dns stops working
07:15 < matt_> kishmesh: if you do that tho, you will need to make sure you can bring the vpn up without relying on dns
07:16 < matt_> kishmesh: also, anything only shouldn't be able to tell you what the source ip of your machine is, only the resolvers you have set will be able to do that
07:17 < matt_> *anything online
07:17 < |Mike|> assumed that you're using windows kishmesh ;)
07:17 < |Mike|> my bad.
07:19 < matt_> oh, lol, yea sorry, assumed you were using linux
07:19 < kishmesh> matt_: cool. thank you for your recommendation. i'm now doing tcpdump on outgoing interface port 53 on vpn server. if I trigger DNS query on client and see request there I can be quite certain it works correctly.
07:20 < kishmesh> i am using GNU/Linux indeed :-)
07:20 < rob0> DNS queries are usually udp/53, but they can also be tcp/53
07:21 < kishmesh> rob0: i didn't restrict the protocol
07:21 < kishmesh> in my tcpdump expression
07:23 < kishmesh> i do like the idea to configure my local firewall to block leaking dns requests
07:24 < kishmesh> matt_: anything online shouldn't be able to tlle the source ip of my machine? you mean the non-vpn public ip?
07:24 < rob0> block, or just redirect them?
07:25 < kishmesh> rob0: i'd block, since I'm using redirect-gateway, i would assume everything is routed through vpn anyway
07:26 < kishmesh> matt_: that is the whole idea, if I use vpn, external instance should only ever see my public vpn ip.
07:26 < matt_> kishmesh: any, so if I ran a DNS server on ip 1.1.1.1 and you used it as a resolver, when you send it a request I can see the request from you but I will then resolve the request by contacting remote nameservers all over the place
07:26 < rob0> at least for ipv4 you can use the REDIRECT target in nat/PREROUTING
07:26 < matt_> but all of those nameservers will see the request comming from 1.1.1.1 and not your address
07:27 < matt_> kishmesh: ok cool
07:27 < kishmesh> matt_: 1.1.1.1?
07:28 < kishmesh> matt_: ah nevermind ;-)
07:28 < matt_> kishmesh: yea, just an example
07:29 < kishmesh> https://howdns.works :-)
07:29 <@vpnHelper> Title: How DNS workscover copy (at howdns.works)
07:29 < matt_> kishmesh: so, networks that I look after, all of the machines on desks have public ip's but, from a dns point of view, all of the dns lookups will come from our external resolvers
07:30 < kishmesh> matt_: yes, and isn't 8.8.8.8 such a resolver?
07:31 < matt_> kishmesh: yea, exactly, so if you set your nameserver to 8.8.8.8 and your public ip was 8.8.8.8, if you looked up one of my domains I wouldn't see 1.1.1.1 in my nameserver logs
07:31 < matt_> I prob wouldn't even see 8.8.8.8 as thats an anycast address, I would see the uniq IP of the server behind 8.8.8.8 that recived your query
07:32 < kishmesh> matt_: ok that I need to clarify my goal. I want to make sure that the resolver's only see my vpn's public ip, not my official WAN ip ;-0
07:32 < kishmesh> s/that/than
07:33 < matt_> kishmesh: ok, yea it would be fine
07:33 < rob0> what did you get with the "ip route get .."?
07:35 < kishmesh> rob0: I can see that requests go through tun0 device
07:35  * kishmesh brb
07:37 < matt_> this cartoon, its very good but theres a point ive just seen that I think is a little wrong
07:37 < matt_> it says there are 13 root servers
07:38 < rob0> 13 by name, but many more because they are anycast
07:38 < matt_> but theres 13 root addresses, not servers, each address is allocated to a single company and they run hundreds, maybe thousands, of servers behind them
07:38 < matt_> rob0: yea
07:39 < matt_> oh wait
07:39 < matt_> ok, it says about it, I just didn't read far enough ahead
07:42 < kishmesh> matt_: :-)
07:42 < kishmesh> in any way, one can see that DNS is quite a centralized hierarchy
07:42 < rob0> centralized?
07:43 < rob0> only the root is, TLDs and other domains are all run independently
07:44 < kishmesh> yes, if the root servers go down ...
07:44 < matt_> erm.., yea, and the root records normally have very high cache timeouts so, even if they where all offline, stuff would prob still work for like a week or so
07:45 < kishmesh> still, if we consider that the entire "world" relies on this.
07:45 < rob0> for the root servers to go down you'd be looking at something serious, like nuclear war or similar calamity
07:45 < rob0> you'd have bigger worries than DNS at that point :)
07:45 < kishmesh> rob0: I recall reading wikipedia article on root servers and that there have been attacks
07:46 < rob0> nothing has actually stopped them yet
07:46 < havoc> it's ok, they're not managed by Equifax ;)
07:46 < kishmesh> :-)
07:46 < matt_> yea, you would prob also be able to find lists that contain the tls nameservers and just dump them into your resolvers, allowing stuff to work without them, that would be on a per reolver basis tho
07:46 < matt_> s/tls/tld
07:46 < havoc> but the root servers are under constant attack, and have been for many, many years
07:46 < rob0> some root servers allow axfr of the root zone
07:47 < kishmesh> havoc: really? who is attacking them?
07:47 < matt_> rob0: ohh, do they, ive never tried that
07:47 < matt_> dig @a.root-servers.net IN AXFR ??
07:47 < kishmesh> what is axfr?
07:47 < havoc> kishmesh: anyone who wants to create chaos, make a name for themselves, etc..?
07:47 < matt_> kishmesh: zone transfur
07:47 < rob0> you forgot the "." to indicate what you want to axfr
07:48 < matt_> rob0: yea :), ohh a dosn't but b. does
07:48 < rob0> and I don't know if A-root does; I do know that ISC's F-root did
07:48 < matt_> cool
07:48 < matt_> dig @b.root-servers.net . IN AXFR
07:48 < matt_> thats cool
07:52 < rob0> F-root still does
07:53 < rob0> 2.2MB, and wow, look at all that garbage in there
07:59 < kishmesh> another vpn question. I'm using "chroot" for my vpn client. If I don't define "user/group" settings, what user/group will the process run as? what are the security implications?
08:11 < |Mike|> root
08:23 < matt_> rob0: garbage? dnssec?
09:07 < rob0> matt_, no, DNSSEC is not garbage; I refer to all the vanity TLDs from ICANN's huge money grab.
09:08 < matt_> lol ok
09:14 <+hyper_ch> there's no rob0 gTLD yet?
09:16 < rob0> you know, I would have applied for that, but I can't afford it!
09:17 <+hyper_ch> you just need to find a sponsor ;)
09:17 < rob0> hmm, maybe so
09:17 <+hyper_ch> how much is it?
09:17 < rob0> "if you have to ask, you can't afford it"
09:18 <+hyper_ch> :)
09:44 < jffvip> !welcome
09:44 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
09:44 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
09:45 < jffvip> !1925
09:45 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
09:51 -!- albech1 is now known as albech
10:20 -!- u0m3__ is now known as u0m3
11:16 -!- dionysus70 is now known as dionysus69
12:41 < AquaL1te> what would be better? AES-256-CBC or AES-256-GCM? i read that CBC is the default (blowfish then of course, but still CBC) but that GCM (AES-256-GCM) has a counter and therefore is better resistent against data corruption
12:43 < skyroveRR> Use whichever one you please, I use lower ciphers due to hardware restrictions.
12:44 < skyroveRR> Besides, it's the higher grade ciphers that will be targeted and fucked with more frequently than the lower grade ciphers
12:46 < AquaL1te> skyroveRR: sure, AES-128 would be fine too, but i'm wondering more about the real difference between CBC and GCM for openvpn. both work of course, but does GCM has any benefits with openvpn? anyone knows?
12:47 < kishmesh> does anyone run your vpn client as unprivileged user as described in https://openvpn.net/index.php/open-source/documentation/howto.html#security
12:48 <@vpnHelper> Title: HOWTO (at openvpn.net)
12:48 < kishmesh> i find this super confusing especially in connection with chroot
12:49 < kishmesh> so one thing is that the openvpn process is run as another user in an isolated environment (afaiu accomplished with chroot option)
12:50 < kishmesh> this works for me but I still have to start the client with "sudo"
12:51 < kishmesh> so I tried unprivileged mode as described (yes this is GNU/Linux), however, I get "Options error: Temporary directory (--tmp-dir) fails with '/var/openvpn//tmp': permission denied" error
12:52 < skyroveRR> AquaL1te: https://crypto.stackexchange.com/questions/2310/what-is-the-difference-between-cbc-and-gcm-mode
12:52 <@vpnHelper> Title: encryption - What is the difference between CBC and GCM mode? - Cryptography Stack Exchange (at crypto.stackexchange.com)
12:52 < skyroveRR> https://www.leozqin.me/aes-chain-block-cipher-vs-galoiscounter-modes-of-operation/
12:52 <@vpnHelper> Title: AES Chain Block Cipher vs Galois/Counter Modes of Operation Leo Qin (at www.leozqin.me)
12:53 < AquaL1te> skyroveRR: yes, that's what i already briefly summarized :) the question is more, does it really make a difference for openvpn since it's then more used as a stream-cipher (right?)
12:53 < skyroveRR> AquaL1te: don't think so.
12:54 < skyroveRR> AquaL1te: would depend on how openssl implements that stuff also.
12:57 < AquaL1te> if no one really knows i'll stick to GCM, since it's recommended on the official openvpn wiki in terms of hardening. but if it screws up performance (so far i haven't seen evidence of that) then i would use CBC again. if anyone really knows the pro's and cons then please let me know. thanks!
13:01 < |Mike|> !sweet32
13:01 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
13:03 < AquaL1te> |Mike|: is info that meant for me?
13:05 < |Mike|> no sorry, reading and checking if all openvpn servers and clients are actually 'ok' now (internal networks...)
13:28 <+_FBi> in the cert, only the first bit is used -- can anyone help me remember that part that's referring too?
13:34 < kishmesh> so I'm starting openvpn client with "sudo", i'm using chroot with a system user/group, and i'm using up/down scripts provided by openvpn to handle /etc/resolv.conf management.
13:36 < kishmesh> when I start the client, after /etc/openvpn/client.up was called, I see some "ERROR: Linux route add command failed: external program exited with error status: 2" File Exists
13:36 < kishmesh> is that a problem?
13:36 < kishmesh> I wished there was a better way to debug this to see which user and with which paramters the "route add" command is called.
13:37 < kishmesh> raising --verb value does not seem to bring more information
13:37 < kishmesh> when I interrupt the client I have similar error messages like "ERROR: Linux route delete command failed: could not execute external program"
13:38 < kishmesh> rather weakens my confidence that openvpn is working correctly.
13:39 < kishmesh> and yes, I'm using "down-root" plugin for calling the /etc/openvpn/client.down script
14:15 < kishmesh> the "route delete" error part definitely seems like a permission issue as running without chroot not error appears.
14:15 < kishmesh> running with chroot but user/group root produces error
14:16 < kishmesh> the programs "ip" and "route" exist in chroot env subfolder /bin
14:39 < kishmesh> i'm pretty sure now it's a problem with chrooting and permissions.
14:54 < kishmesh> so I'm trying to simulate the "chrooting" by hand. From the client log I can see that it first chroots, then changes the UID/GID. How exactly does it change ids?
14:55 < kishmesh> this is the best I could find https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/platform.c#L94
14:55 <@vpnHelper> Title: openvpn/platform.c at master · OpenVPN/openvpn · GitHub (at github.com)
15:07 < kishmesh> what a mess ... http://unixwiz.net/techtips/chroot-practices.html
15:07 <@vpnHelper> Title: Best Practices for UNIX chroot() Operations (at unixwiz.net)
15:32 < kishmesh> openvpn chroot really a mistery to me.
15:51 -!- EmperorTom is now known as _quadDamage
18:11 < |Mike|> *yawn*
21:35 -!- abenz_ is now known as abenz
--- Day changed Sun Sep 24 2017
03:47 -!- abenz_ is now known as abenz
06:31 < nbastin> if I make the tun interface for a server, start the server, and then move that tun interface into another namespace, anyone know if that will continue to work?  :-)
06:36 < nbastin> meh, even that will create a problem even if it does work
06:36 < nbastin> hrmph
06:54 < dedondesta> nbastin: what do you mean by another namespace?
06:58 < nbastin> a different network namespace than the root
06:59 < nbastin> with tap this isn't a problem since I can directly attach the tap interface to any bridge, keeping them separate from each other, but with tun it has to route through the kernel stack, so I need to use a network namespace if I want to keep two servers isolated
07:01 < nbastin> I could run the server completely in the namespace, but then they need independent internet-facing interfaces, since you can't put an interface in more than one namespace
07:01 < nbastin> so I was hoping to start the server in the root namespace, and then move the tun port into a new namespace once the server was running (where it will still have a handle to it, but the kernel stack will change)
07:04 <@ordex> nbastin: why not starting te tun directly in its own namespace?
07:04 <@ordex> oh I read the rest of your messages now :)
07:04 <@ordex> although I do not fully understand
07:05 <@ordex> does each namespace have its own internet facing interface? maybe not ?
07:07 < nbastin> no
07:07 < nbastin> that's why I need openvpn to be in the root namespace
07:07 < nbastin> because it has to be able to access eth0 (or whatever)
07:08 < nbastin> I mean I could put all of openvpn in another namespace and then provide a layer of NAT, but I was trying to avoid that
07:08 < nbastin> and it works weirdly with TLS so I wasn't sure how that would work out anyhow
07:09 < nbastin> what I really need is for openvpn to natively support namespaces, so you can tell it to use an interface in another namespace
07:10 < nbastin> I wouldn't do any of this, but android/ios clients need tun
07:12 <@ordex> yeah
07:12 <@ordex> proper support would be better: i.e. start in root, but create interface in nsX
07:13 < nbastin> yeah
07:13 < nbastin> or use the one I created in nsX
07:13 < nbastin> it could be a simple variant of the dev syntax
07:13 <@ordex> yeah
07:13 <@ordex> same
07:13 < nbastin> where it's like dev <intf> [ns]
07:13 <@ordex> well it's not about the syntax, of course :P
07:14 < nbastin> well it's important to think about.. :-)
07:14 < nbastin> I haven't poked around the openvpn source at all...it might not actually be that difficult
07:14 < nbastin> as long as it gets the interface in one spot and just holds on to it
07:14 <@ordex> you could try
07:14 <@ordex> I would be happy to provide some guidance
07:14 < nbastin> is there already supported stuff that doesn't work on windows?
07:15 < nbastin> this would really only work on linux
07:15 < nbastin> there's some namespace support in *bsd, although I'm less sure how it works
07:16 < nbastin> I'm going to try to get my basic server orchestration stuff up and running for this, but I might start looking at code later this afternoon
07:16 < nbastin> especially if it doesn't work.. :-)
07:16 <@ordex> well, in the code there are several section where we use ifdef (in a not clean way and that needs to be cleaned up) to split platform-specific code
07:16 <@ordex> :)
07:16 <@ordex> please do
07:17 < nbastin> it's this hinky topology now where I put the tun in a different ns, and then a veth pair back into the topology I really want
07:17 < nbastin> and the kernel stack handles the L3-back-to-L2 framing for me in that namespace
07:17 < nbastin> I mean *really* what I want is openvpn to support L3 tunnels that terminate on an L2 interface in linux
07:18 <@ordex> why L3 to L2 ?
07:18 < nbastin> so I don't have any of this nonsense in the first place
07:18 <@ordex> what's the goal behind ?
07:18 < nbastin> I have to put these packets back on a physical network
07:18 <@ordex> can't you route them?
07:18 < nbastin> this is just a gateway, so somewhere I gotta put them back to full frames
07:18 <@ordex> that would be your "L3 to L2"
07:19 < nbastin> well that's basically what I'm doing - the stack routes between the tun and the veth
07:19 < nbastin> but that means I need more subnets than I want
07:19 < nbastin> on top fo being kinda hinky and requiring a namespace
07:19 <@ordex> veth is the pair in and out the ns ?
07:19 < nbastin> yeah
07:19 <@ordex> ah ok I see
07:19 < nbastin> so one half is in the ns, and one half is out
07:19 < nbastin> you give the one in the ns an IP, and the one outside is hooked into OVS
07:19 <@ordex> how would the openvpn support for ns solve this?
07:20 < nbastin> well it wouldn't, it solves a *different* problem.. :-)
07:20 <@ordex> ah ok
07:20 < nbastin> which is I have to make the tun in the root namespace
07:20 <@ordex> I missed the context switch
07:20 <@ordex> hehe
07:20 < nbastin> and temporarily give it an IP in the root namespace
07:20 < nbastin> which could be Bad(tm)
07:20 < nbastin> before I can move it to the namespace
07:21 < nbastin> if openvpn supported namespaces I would never run the risk of an IP clash in the root namespace, as the tun would never exist in the root
07:21 < nbastin> the service we operate provides the user with their own isolated L2, so in theory they can use any address space they want
07:21 < nbastin> but in this case I have to protect against using a pool that is also in the root namespace
07:21 < nbastin> because for 2 seconds it'll live in the root namespace
07:23 <@ordex> " with their own isolated L2" << VPN users ?
07:23 < nbastin> well these vpns are *into* our infra
07:23 < nbastin> it's a giant network testbed
07:24 < nbastin> so if they want to connect their laptop, or a network in their lab, to their topology in our testbed
07:24 < nbastin> they can use openvpn if they come over the internet
07:24 < nbastin> if they have access to internet2 or glif they can usually just get a VLAN into the topology from their instutition
07:24 < nbastin> but if they come over the internet then they need a vpn
07:25 < nbastin> sometimes they use openvpn even over an L2 service so they can get MPLS tags or more vlans
07:25 < nbastin> although we usually use L2TP for that
07:25 <@ordex> I see
07:25 <@ordex> but if you use openvpn with tun, how can they get the full L2 experience over the VPN?
07:25 < nbastin> they can't
07:26 < nbastin> but some people want to connect their tablets into their networks
07:26 < nbastin> which obviously will happen at IP anyhow
07:26 < nbastin> so we give them control over the config (subnets, pools, routes, etc.)
07:26 < nbastin> and then we orchestrate the server and certificate setup
07:26 < nbastin> and connect it to their topo
07:26 < nbastin> but it's this "connect it to their topo" part that is complicated.. :-)
07:27 < nbastin> for tap tunnels we just ask them what bridge they want the tap connected to
07:27 < nbastin> and that bridge is already in their topology
07:27 < nbastin> and we just plug it in
07:27 < nbastin> for tun, we can't add a tun port to a bridge, so we have to get from the tun port to something I can plug into their topo
07:28 < nbastin> so this namespace is basically a tiny router instance between their pool subnet, and whatever subnets they want to expose from their topology
07:28 < nbastin> if openvpn could somehow terminate tun clients into a tap interface, that would really be what I want
07:30 < nbastin> it would need to make a MAC for each client on the server side
07:30 < nbastin> logically it's not that hard to reason about, but I'm not sure if the code would be that simple
07:31 <@ordex> ok I think I understand
07:31 <@ordex> so you don't really need them to be connected at L2 in their topo, you only want them to be able to reach the entire network
07:31 <@ordex> I mean, that's the best you can do with tun
07:31 < nbastin> well in this case they just need to be able to reach whatever they configure them to
07:32 < nbastin> if they have lots of vlans and subnets and stuff, you can't be on all of them with tun
07:32 < nbastin> so they might have to choose
07:32 < nbastin> (if there's no connectivity between segments otherwise)
07:32 < nbastin> obviously if they have full routing in their topology, then there's no problem
07:32 < nbastin> but if they're using a bunch of MPLS or something, their ipad isn't going to know how to speak that.. :-)
07:33 < nbastin> but a lot of people have been asking to get their tablets connected to their management IP networks
07:33 < nbastin> so they can monitor things from their desks
07:33 < nbastin> or whever they are
07:33 < nbastin> which makes enough sense that I'm trying to make it work.. :-)
07:33 < nbastin> but our perspective is from L2, so I have no information about the internal L3 of their topologies
07:33 < nbastin> so whatever I do has to be sufficiently generic
07:34 < nbastin> (in theory our perspective is really from L1, but as a practical matter it tends to be L2 ethernet)
07:34 < nbastin> we just orchestrate the graph, they run whatever on it they want
07:37 < nbastin> if there was some kind of "tap-emulation" mode then openvpn could represent each client with a MAC on the server side and even DHCP for those macs individually, and give those IPs to the clients (using the normal push options)
07:37 < nbastin> and then the tun could come right into an existing subnet
07:38 < nbastin> the way it works now I'm going to have to remind users that they'll have to support this pool in all their existing routing schemes
07:39 < nbastin> this extra subnet is sortof a pesky routing problem
07:41 < nbastin> (or I need openvpn to speak OSPF/BGP to make this route announcement.. :-)
07:46 < nbastin> I wonder if I can just automatically force a quagga instance to get created with this openvpn tun interface on it...
07:49 < nbastin> wrapping my head around the permutations is painful.. :-)
07:50 < nbastin> "tap-emulation" would have to respond to arp as well, and otherwise drop packets unless their ethertype was 0x800 or 0x86dd
07:53 < nbastin> openvpn would have to be running as root in that case, or at least have NET_RAW cap
07:54 < nbastin> supporting such a mode for v4 would be fairly easy, v6 could get hairy
07:56 < nbastin> ordex: would something like this tap-emulation be accepted, or too weird for upstream?
08:03 < nbastin> I guess I'd add some DEV_TYPE_TAPE
08:03 < nbastin> ok, maybe tape is a bad name.. :-)
08:12 < nbastin> ordex: if you're around at some point, if you could point me at the basic packet processing pipeline from both sides - I skimmed tun.c and am poking around but a few pointers would probably save some time
08:25 <@ordex> nbastin: tap emulation? I have the feeling you will be hunted and burned like (unfortunately) happened to witches in the past
08:26 < nbastin> aw
08:26 < nbastin> but it seems so reasonable!  :-)
08:26 < nbastin> it would allow the server to sit on a pre-existing LAN and clients would just be normal hosts on it
08:31 < nbastin> is io_wait_dowork used for tap, or just for tun and udp/tcp side?
08:33 < nbastin> process_io comments seem to indicate just TUN, but I can't tell if that's really right
08:34 <@ordex> can't remember
08:34 <@ordex> I'd need to deep dive
08:34 <@ordex> :)
08:34 < nbastin> is there like an RFC process or something for openvpn?
08:34 < nbastin> like if I wrote up the logical design
08:34 <@ordex> nope
08:35 <@ordex> there are some doc around, but nothing comprehensiv
08:35 <@ordex> e
08:35 < rob0> Easy way to tell a witch!  Put her on a balance with a duck on the other side.  If they balance, burn her, BURN HER!!
08:35 < nbastin> I mostly mean so people could comment with hatred before I wrote all the code.. :-)
08:35 < nbastin> it honestly seems like a very logical thing to support, instead of forcing users through routing contortions
08:38 < nbastin> it would look like tun on the client side, but tap on the server side
08:39 < nbastin> rob0: I'm probably not a witch, or that's a very large duck.. :-)
08:41 < nbastin> ok, well, back to insane network namespace routing hell solution
08:47 < nbastin> If I had infinite time I would probably work on using libpcap in openvpn anyhow.. :-)
08:51 <@ordex> if we had inifinite time ...
08:51 <@ordex> :)
08:51 < nbastin> I'm on vacation for another 4 weeks, I've got some options.. :-)
08:52 < nbastin> trying to spend time fixing some low-prio testbed things
08:52 < nbastin> the stuff on the bottom of the list never gets serviced during regular hours.. :-)
08:53 < nbastin> although pcap support is probably something I'd give to a grad student
08:53 < nbastin> large enough to be a good project but small enough to get done
08:55 < nbastin> this netns thing I might do, although initial skim through the code makes it harder
08:55 < nbastin> as it forks to call ifconfig instead of using netlink sockets
08:55 < nbastin> and ifconfig doesn't know anything about namespaces
08:57 < nbastin> I forgot that we had to add ifconfig to our systems to support openvpn
08:58 <@ordex> nbastin: why?
08:58 <@ordex> openvpn can be compiled with iproute2 support
08:58 < nbastin> why which?  :-)
08:58 <@ordex> sorry :D
08:58 <@ordex> about ifconfig
08:58 < nbastin> oh?
08:58 <@ordex> I have it that way on my system
08:59 <@ordex> maybe your distro packages it by default with old net-tools support?
08:59 <@ordex> it's a compilation flag, so need to be arranged by who creates the package
08:59 <@ordex> *needs
08:59 < nbastin> does iproute2 support use ip, or does it use netlink directly?
08:59 < nbastin> I didn't see any of that in the code I skimmed (of either)
09:00 <@ordex> it uses ip
09:00 <@ordex> I have prepared and sent a patch to include netlink support
09:00 < nbastin> is there like, some fundamental reason it does that?
09:00 < nbastin> ah
09:00 <@ordex> but that requires more time ..
09:00 <@ordex> easiness :)
09:01 <@ordex> we have that conversion on the plate
09:01 < nbastin> using netlink means I could give it CAP_NET_ADMIN and then start it as any user.. :-)
09:01 < nbastin> if it calls ip it has to be root to set them up
09:02 < nbastin> (well, if it could sudo I could give the openvpn user sudo privs to ip)
09:02 <@ordex> nbastin: feel free to "test" the patch if you want
09:02 <@ordex> :)
09:02 < nbastin> but that's the wrong way to do it
09:02 < nbastin> I could merge it and build on our test site
09:02 < nbastin> is there a PR?
09:02 <@ordex> let me check
09:02 <@ordex> not a PR
09:03 <@ordex> maybe it's still just idling in my branch
09:03 < nbastin> a branch in a repo is fine
09:03 < nbastin> same difference as far as I'm concerned, the PR I'd just grab the branch from.. :-)
09:03 <@ordex> yeah it's in my branch
09:03 <@ordex> one sec
09:04 <@ordex> git@github.com:ordex/openvpn.git and the branch is "sitnl"
09:04 <@ordex> but it is based on an old mater
09:04 <@ordex> I can try rebasing now
09:04 < nbastin> I'm pulling your repo now, I'll look at it later tonight
09:04 <@ordex> mh
09:05 < nbastin> I already forked the main so I can do the merge if it's not too painful.. :-)
09:05 <@ordex> my branch containsa few more patches that are not yet in master
09:05 <@ordex> might be better to keep those
09:05 < nbastin> I would want to start with iproute2 for namespace support anyhow
09:05 < nbastin> no point in redoing that work
09:05 < nbastin> that setup stuff looked relatively straightforward
09:06 < nbastin> just need to twiddle the few functions that play with interfaces on setup
09:07 < nbastin> CAP_NET_ADMIN will allow it to grab other namespaces as well if it runs in root
09:11 < nbastin> oh, speaking of things people will hate
09:11 < nbastin> I suppose it would be frowned upon to support a tap per client?
09:12 <@ordex> I think that would be reasonable
09:12 <@ordex> actually
09:12 <@ordex> there is a patchset floating around
09:12 <@ordex> that I am currently revieweing
09:12 <@ordex> where you can assign VLANs to clients
09:12 <@ordex> thus you can logically split them
09:12 < nbastin> well I want to assign a port to each client
09:13 <@ordex> yeah, in this case you'd have one tap but multiple VLANs coming out
09:13 <@ordex> pretty much the same, no ?
09:13 < nbastin> we had an endpoint where we ran out of ports, since we bring up a server for each client
09:13 < nbastin> well not in our case, we allow all the vlans to each user
09:13 < nbastin> so I need them to be separate ports
09:13 <@ordex> ah
09:13 <@ordex> well you can do QinQ :)
09:13 < nbastin> some of them DO qinq.. :-)
09:14 < nbastin> I just want to assign a port to each key
09:14 < nbastin> (we preassign the ports)
09:14 <@ordex> well, on the client side they don't see the VLAN
09:14 <@ordex> it's just a server side thing basically
09:14 <@ordex> so the client can still do he wants
09:14 <@ordex> but on the server you can channel the different VLANs the way you want
09:14 < nbastin> you can't just make it pre-existing ports?  :-)  handling the vlans in software is less optiaml
09:15 <@ordex> hehe
09:15 <@ordex> handle the client demultiplexing of a VPN server in software is already draining your power :P
09:15 < nbastin> we give the vpn a "tap" port that is a hardware interface (well, where we had the problem of running out)
09:15 <@ordex> *handling
09:15 <@ordex> tap that is hardware?
09:16 < nbastin> we have a site with corsa boxes that terminate our vpns, and we provide a tap that is a channelized port
09:16 < nbastin> so openvpn sends directly into the switch chip
09:16 < nbastin> through what looks like a tap interface to it
09:17 <@ordex> basically a simple Ethernet interface mapped into a onboard switch?
09:17 < nbastin> yeah
09:17 <@ordex> ok
09:17 < nbastin> it's an FPGA, but it looks like a switch.. :-)
09:17 <@ordex> well, matter of perspective :P
09:17 < nbastin> but we'd like to do the same for the new tomahawks we have from broadcom as well
09:17 < nbastin> I just haven't built the images yet
09:18 < nbastin> but it gets possible to support 30-50k vpns with hardware performance isolation, and then we start to run out of ports
09:18 < nbastin> and I shouldn't need a port per vlan.. :-)
09:18 < nbastin> (udp port)
09:18 < nbastin> er, vpn
09:19 <@ordex> "30-50k vpns with hardware performance isolation" << does it mean you create 30/50k of those ethernet ports that end up in the switch ?
09:20 < nbastin> yeah, so on the 100G interfaces we can channelize up to 1024 interfaces per
09:20 < nbastin> and now we've got switches with 48 100G
09:20 < nbastin> so things can get out of hand
09:21 <@ordex> why do you need one of these Eth ports per VPN ? ths port is basically the "uplink", right? or is it the one connecting to the local infrastructure?
09:21 < nbastin> the port is in their graph, and I need to keep them separate from other graphs
09:21 < nbastin> (users)
09:21 < nbastin> the user basically requests a given network graph from the testbed (vertices being anything from a switch/router to a server or host)
09:22 <@ordex> ok, so that port is connecting to the infrastructure
09:22 < nbastin> edges coming in over the WAN are often on some kind of VPN
09:22 < nbastin> (tunnel, in our lingo)
09:22 <@ordex> and is bridged with the VPn to give the user access to that resource
09:22 < nbastin> right
09:22 <@ordex> ok
09:22 <@ordex> now I understand
09:23 <@ordex> so you'd like to have one tap per client so that you can just bridge it with the related Eth port
09:23 <@ordex> instead of doing this with one server per client
09:23 < nbastin> so if you have like, a microscope in your lab that scans skin samples or something (one user), then you add that microscope to your data processing topology
09:23 < nbastin> so that edge is probably over L2TP or OpenVPN
09:23 <@ordex> (which gives you thr same result in terms of number of tap interfaces)
09:23 < nbastin> right
09:23 < nbastin> right now the orchestrator just allocates them a UDP port
09:23 < nbastin> and that maps to one tap interface
09:23 <@ordex> okok, no need to give me the full details of what data passes over the VPN :P otherwise it's too much
09:23 < nbastin> but it scales poorly
09:23 <@ordex> yeah
09:23 <@ordex> of course
09:23 <@ordex> although
09:24 <@ordex> you have the pro
09:24 < nbastin> although it is faster...
09:24 <@ordex> that by doing this you have one process per user
09:24 < nbastin> yeah I mean that's a separate problem.. :-)
09:24 <@ordex> rather than one process for *all* the users
09:24 <@ordex> yeah, but you will create it
09:24 <@ordex> by using the solution you are proposing
09:24 < nbastin> I'd probably need to teach the orchestrator about bandwidth
09:24 < nbastin> so low bandwidth users could live on one port
09:24 < nbastin> (or a set)
09:24 < nbastin> but high bandwidth users get their own
09:25 < nbastin> or like, each server is allocated like, 1.4Gbps of SLA
09:25 < nbastin> which is about what we can get from openvpn
09:25 < nbastin> and if you ask for 100mbps or 10mbps or whatever I can put N users on a server
09:25 < nbastin> the orchestrator has a bunch of allocation pools so that wouldn't be hard to manage
09:25 <@ordex> why not handlng everything with routing? instead of bridging? you'd not need one port per client then
09:25 < nbastin> and would at least provide some relief on the ports
09:25 < nbastin> a lot of these devices don't speak IP
09:26 <@ordex> ah
09:26 <@ordex> ok
09:26 <@ordex> then you need tap
09:26 <@ordex> :P
09:26 < nbastin> some do, but a lot of our users are running MPLS
09:26 <@ordex> on top of the vpn? waah
09:26 <@ordex> ok
09:26 < nbastin> most of our infra is high mtu, so we set the vpns to 7000 byte MTU
09:26 < nbastin> so it's not that bad
09:26 <@ordex> I was just about to ask :D
09:27 < nbastin> (we could push higher, most of it supports at least 9216, so we could go to 8500 at least)
09:27 < nbastin> I just grabbed 7000 out of thin air one day and set it.. :-)
09:27 <@ordex> sounds good
09:27 <@ordex> :)
09:27 < nbastin> some things are carefully considered, some are not.. :-)
09:27 <@ordex> the latter usually work best
09:28 < nbastin> really careful consideration comes when some user wants some performance metric we can't meet
09:28 < nbastin> but those aren't over tunnels anyhow
09:28 < nbastin> or they're NVGRE on hardware or something
09:28 <@ordex> mostly care about bandwidth or latency ?
09:28 < nbastin> yeah I mean people who care about latency stay on RDMA on the inifiniband side
09:28 < nbastin> most people just care about their campus firewall not being in their way
09:29 < nbastin> or having to deal with their institution IT people to get a circuit
09:29 <@ordex> I see
09:29 < nbastin> if they want 100Mbps or less, we don't pay much attention
09:29 <@ordex> you got all kind of PHYs there, eh ?
09:29 < nbastin> tons. :_)
09:29 <@ordex> :)
09:30 < nbastin> and now I'm on vacation in switzerland, so I'm trying to fix some of the things we don't care enough about to make priorities.. :-)
09:30 < nbastin> (like ipads reaching management nets)
09:30 < nbastin> hence this tun nonsense
09:30 < nbastin> but at the very least it means extra routes in the topos, and I'm sure that's going to be a source of confusion or at least pain
09:31 < nbastin> which is why I wish for my tap-emulation.. :-)
09:31 <@ordex> well, I am sure tap-emulation will create other corner cases
09:31 <@ordex> and what about people not speaking IP ?
09:31 < nbastin> well they're just screwed, their ipad only speaks IP.. :-)
09:31 < nbastin> I mean the client is the controlling factor here mostly
09:31 < nbastin> in this L3 case
09:31 <@ordex> yap
09:32 <@ordex> ah this tun-mess is only for a few bunch of clients?
09:32 <@ordex> like iPads and other cr0ps that can't do tap ?
09:32 < nbastin> right
09:32 < nbastin> otherwise they'd use tap
09:32 < nbastin> and we already have rich support for that
09:32 <@ordex> I see
09:32 <@ordex> ok
09:32 < nbastin> but a lot of people have large and long-lived topos now that have real management software
09:32 < nbastin> and those things have like ipad/iphone apps
09:32 < nbastin> and they'd like to use them
09:33 < nbastin> I'm not insensitive to that, so I figured I'd see what I could do.. :-)
09:33 < nbastin> and I think my solution will work (still working on the orchestration of all this namespace routing)
09:33 < nbastin> but it's kludgy, and it means their management server needs a route back to the openvpn server
09:33 <@ordex> why do you need ns to handle this?
09:34 <@ordex> if you are doing routing
09:34 < nbastin> which I'm sure will cause me a new kind of pain
09:34 < nbastin> well, so maybe I should draw pictures...but.. :-)
09:34 <@ordex> couldn't you you just have one server with one tun and route each IP (or class) to the proper back-interface ?
09:34 < nbastin> I don't know their IP space, we don't work at L3
09:34 < nbastin> so I can't say that topo X and topoY have different IP space
09:34 < nbastin> (they don't have to now)
09:34 <@ordex> but on the VPN link you'll have to assign them an IP, no?
09:34 <@ordex> ah
09:34 <@ordex> ok
09:34 < nbastin> wel they will give us the pool subnet
09:34 < nbastin> but that's fine
09:35 < nbastin> since it's just their clients
09:35 < nbastin> but this tun interface has to be isolated
09:35 < nbastin> from other tun interfaces that have the same ip subnet
09:35 <@ordex> oh that can happen
09:35 <@ordex> ?
09:35 <@ordex> ok
09:35 < nbastin> sure, since we don't control IP space
09:35 <@ordex> so definitely must be a separate "channel"
09:35 < nbastin> right
09:35 < nbastin> so with tap this is not a problem, because their tap is plumbed into a bridge
09:35 < nbastin> and that bridge can't connect to other topologies
09:35 <@ordex> but, to enable the tun-to-veth routing you must know their subnets, no ?
09:35 <@ordex> yap
09:35 < nbastin> so if they use 10/8, and someone else uses 10/8, that's all fine
09:35 <@ordex> easypeasy
09:36 < nbastin> well they pass the subnet into the orchestrator (for the request to allocate the vpn)
09:36 < nbastin> that tun interface will live in a namespace
09:36 < nbastin> so it'll be basically in a whole separate space
09:36 < nbastin> which is fine
09:36 < nbastin> but its not a tap, so I can't connect it directly to their topology
09:36 < nbastin> I have to route it to a veth pair
09:36 < nbastin> so I can atttach the veth to their L2
09:37 < nbastin> so they have like, 10.80.5.0/24 as their management net, and now they need a route to a separate pool subnet
09:37 < nbastin> instead of having their ipad on 10.80.5.0/24
09:37 < nbastin> so they send me like, oh we want 10.80.6.0/24 as our pool subnet
09:37 < nbastin> that's fine, we make that happen
09:37 < nbastin> but then their management head needs to know that 10.80.6.0/24 is reachable through 10.80.5.250 or something
09:38 < nbastin> (whatever the veth is in the namespace)
09:38 <@ordex> yap
09:38 < nbastin> and they probably already have 10.80.5.1 as the router for the default for that subnet
09:38 < nbastin> so now you have one LAN with two routers
09:38 < nbastin> it's not impossible, it's just annoying
09:38 <@ordex> same as the guys in 10.80.6.0/24 need to know how to reach back the client, no? or there is NAT in between with a GW in 10.80.6.0/24 ?
09:38 <@ordex> yap
09:39 < nbastin> well 10.80.6.0/24 on openvpn get pushed a route to say 10/8 even, or whatever space they are using
09:39 < nbastin> they get a single default.. :-)
09:39 < nbastin> the problem is lans that USED to have a single default now need a new route
09:39 < nbastin> on the hosts
09:39 < nbastin> to reach the VPN clients
09:39 <@ordex> yap
09:39 < nbastin> or they need to attach the vpn clients to a router more directly
09:40 < nbastin> except openvpn doesn't speak a routing protocol
09:40 < nbastin> so they still need to find a way to advertise that route
09:40 < nbastin> so even if they put it on a new router interface, they still have to redistrubute a static route
09:41 < nbastin> or if they'r eusing dhcp they need to add more route options
09:41 < nbastin> all of which is possible, but would be unnecessary if the VPN clients could just be on the existing LAN.. :-)
09:41 < nbastin> which was my thought for "tap-emulation" which was tun clients but on a tap output on the server
09:43 <@ordex> mh
09:43 <@ordex> but then
09:43 <@ordex> who would assign the IP to the VPN client ?
09:44 <@ordex> you'd bridge the tap directly with the infra LAN
09:44 <@ordex> so I presume you'd assign an IP from that class? or maybe there is a dhcp server running on the LAN ?
09:44 < nbastin> well, so either it's a carve-out that openvpn has in the subnet (e.g. dhcp has 2-200 and openvpn has 201-250 or something)
09:44 < nbastin> which openvpn already sortof supports
09:44 < nbastin> or openvpn would dhcp for the client
09:45 <@ordex> ok
09:45 < nbastin> openvpn gives each client a unique MAC, and then it dhcps for them and answers arp
09:45 < nbastin> otherwise it drops all traffic not ethertype 0x800
09:45 < nbastin> when it receives traffic on that tap interface, it looks at the mac and sends the payload to the client for that mac
09:45 < nbastin> it would have to operate the tap in promisc, but otherwise is the same
09:46 <@ordex> so basically
09:46 < nbastin> (0x86dd for ipv6 if you want that support)
09:46 <@ordex> you don't need real L2 support, but you'd only want that the VPN interface could share the network segment of another Eth interface on the server
09:46 <@ordex> righ t?
09:46 < nbastin> but I think ipv6 will require more openvpn-answering for RA and shit that I forget right now.. :-)
09:46 < nbastin> right
09:46 <@ordex> and having a tap-emulation support on the server would allow you to bridge the interface on the server
09:46 < nbastin> it's not pushing L2 to the client
09:46 <@ordex> even though the client would only send L3 packets
09:46 < nbastin> it's just providing L2 to the server side so I can plug that interface into a bridge
09:46 <@ordex> right
09:47 <@ordex> so it's really just a server thing
09:47 < nbastin> I mean, tun is doing that now, just using the linux kernel to do it
09:47 < nbastin> but it requires routing on the server side
09:47 < nbastin> yes, 100% server, the clients don't know the difference
09:47 <@ordex> yeah you'd like to do bridging
09:47 <@ordex> so to share the same domain
09:47 < nbastin> right, whcih we mostly do, but you can't do that on ios/android unless you root them
09:47 <@ordex> yap
09:48 < nbastin> this would allow that type of behaviour, but without the root
09:48 <@ordex> well
09:48 <@ordex> as you said before, it is not the same as having tap support on the client
09:48 < nbastin> ipv4 is pretty simple, I would have to think harder about ipv6
09:48 <@ordex> but it would work for this use case
09:48 <@ordex> eh
09:48 <@ordex> that's painful
09:48 < nbastin> it's always L3 on the client, but the server side gets more flexibility in topology
09:48 <@ordex> with all kind of packets
09:48 <@ordex> right
09:49 <@ordex> one thing you could do
09:49 <@ordex> is to imagine the server is advertising all the client IPs in the LAN with its own MAC
09:49 <@ordex> so a unique MAC (the one from the server) that is used to reply to any L3 request
09:49 <@ordex> so that every packet with those IPs is always sent to the server
09:49 < nbastin> well, you could do that but then the DHCP server wouldn't work.. :-)
09:49 <@ordex> and this should be the same for IPv6
09:49 < nbastin> I mean if you had a separate pool that would be fine
09:49 <@ordex> DHCP server ?
09:49 <@ordex> yeah
09:49 < nbastin> but if you wanted to work with lan dhcp that wouldn't work
09:49 <@ordex> I am imagining openvpn is assigning the IPs directly
09:49 <@ordex> no DHCP involved
09:50 < nbastin> but I could live with a separate pool
09:50 < nbastin> sure
09:50 <@ordex> well
09:50 < nbastin> then you don't even need macs, but macs would really be better - you have to parse the packet anyhow
09:50 <@ordex> how would a DHCP request from the client reach the DHCP server in the LAN ?
09:50 < nbastin> it wouldn't
09:50 < nbastin> the client doesn't dhcp
09:50 <@ordex> right
09:50 <@ordex> ah
09:50 < nbastin> openvpn does
09:50 < nbastin> and sends that IP to the client
09:50 <@ordex> the server would fake it to decide what IP to assign?
09:50 <@ordex> ah ok
09:50 <@ordex> bleah
09:50 <@ordex> :D
09:50 < nbastin> right
09:50 <@ordex> ok
09:50 < nbastin> I mean I figure for performance reasons you'd actually allocate the next MAC ahead of time
09:51 < nbastin> so you'd already have the IP for the "next" client
09:51 < nbastin> there wouldn't be a connect delay then
09:51 <@ordex> I'd really stick to a separate pool for the VPN
09:51 < nbastin> but DHCP is a nuance you don't need
09:51 <@ordex> disjoint from the server
09:51 < nbastin> you can just carve out a pool
09:51 < nbastin> yeah
09:51 <@ordex> disjoint from the DHCP
09:51 <@ordex> yeah
09:51 <@ordex> does not make sense in this case
09:51 < nbastin> so then the only thing openvpn needs to do is arp
09:51 < nbastin> and in fact if it assigned all those IPs to the tap
09:51 < nbastin> it wouldn't even need to arp
09:51 < nbastin> actually it would be NO different
09:51 <@ordex> ARP and IPv6 neighbour discovery with all the cr0p
09:51 < nbastin> from what it does now
09:52 < nbastin> if you just assigned all the client IPs
09:52 < nbastin> to the tap interface
09:52 < nbastin> as they came in
09:52 <@ordex> right
09:52 < nbastin> linux would handle it for you
09:52 <@ordex> but then it would not route inside the VPN
09:52 < nbastin> right
09:52 < nbastin> but we don't want it to.. :_)
09:52 <@ordex> hehe
09:52 <@ordex> right
09:52 < nbastin> actually if you leave out dhcp, and config the tap interface
09:52 <@ordex> but that's definitely the way to "fix" the outern world
09:52 < nbastin> this is much more simple
09:52 <@ordex> it owuld behave like having all the IPs assigned to the interface
09:53 < nbastin> hrm
09:53 < nbastin> would that just work now if you did it yourself?
09:53 <@ordex> nope
09:53 < nbastin> probably not, yeah
09:53 < nbastin> because it knows too much about tun and tap
09:53 <@ordex> because you fixed the "outern" world, but not the VPN yet :P
09:53 <@ordex> now all the packets for the clients are going to the server
09:53 < nbastin> the VPN you just strip the L2 header and handle the normal pipeline
09:54 < nbastin> but you need the extra step to strip them
09:54 <@ordex> but then the interface would need to specially handle the packets to send them in the VPN instead of delivering them to the upper layer
09:54 < nbastin> because the tun already did that for you
09:54 <@ordex> right
09:54 < nbastin> but that's less complicated than what I originally thought.. :-)
09:54 <@ordex> well, you still need to inspect every packet, check the IP and send them in the tunnel if not-local
09:55 < nbastin> but they'll never be local
09:55 < nbastin> if you get them
09:55 < nbastin> if you set the IPs on the interface, they'll only be delivered to you if they are for a tunnel
09:55 <@ordex> well, the server will have an IP on the tap interface too
09:55 < nbastin> no!
09:55 < nbastin> the server does not exist
09:55 < nbastin> it's transparent in this case
09:55 <@ordex> well
09:55 <@ordex> I know
09:55 <@ordex> but generally it can exist
09:55 <@ordex> so you can't just rule that out
09:55 <@ordex> for simplicity
09:55 <@ordex> you could
09:55 <@ordex> and add that later
09:55 < nbastin> well, but why?
09:55 < nbastin> I mean sure you can give the server an IP
09:56 <@ordex> well, from a generic openvpn perspective
09:56 < nbastin> it doesn't really matter
09:56 < nbastin> but it's not routing so it's just hostX
09:56 <@ordex> the server might want to do anything, so it needs to be allowed to have its own IP
09:56 <@ordex> yap
09:56 < nbastin> sure, that's fine
09:56 < nbastin> but it's a host not a network forwarding device
09:56 <@ordex> you just have to make sure that packets to that IP are delivered up instead of being sent to the VPN
09:56 <@ordex> right
09:56 < nbastin> sure
09:56 <@ordex> although
09:56 < nbastin> I mean you're picking the VPN from the dest IP anyhow
09:56 < nbastin> so that's already handled.. :-)
09:56 <@ordex> it could be a GW towards other networks
09:56 <@ordex> :)
09:57 < nbastin> nooooo!
09:57 < nbastin> the whole point is that they get the route for the normal router
09:57 <@ordex> well, potentially, it could :P
09:57 <@ordex> I know
09:57 < nbastin> the openvpn server can't reach other networks, you are on the lan
09:57 < nbastin> I mean ok fine I see if the openvpn server has other netowrks on tunnels
09:57 < nbastin> NOT ALLOWED
09:57 < nbastin> :-)
09:57 <@ordex> I am just thinking how to shape the solution so that the solution is applicable to openvpn in general. not just your case
09:57 <@ordex> ehehe
09:58 < nbastin> right i mean so the one case would be if other tunnels came in with networks attached instead of just hosts
09:58 <@ordex> well not just that
09:58 < nbastin> I could live with that, it's still openvpn IP used in a normal way
09:58 < nbastin> nothing magic
09:58 <@ordex> imagine that this server has a 3rd Eth interface
09:58 <@ordex> connected to another network
09:58 < nbastin> I mean this server has hundreds of eth interfaces.. :-)
09:58 <@ordex> and the server wants to be a L3 GW between all this infra and this other network
09:58 <@ordex> yeah
09:58 <@ordex> let's make it +1 :D
09:59 < nbastin> yeah I mean in my preference if you ran a server in this mode it would be in LAN mode all the time
09:59 <@ordex> btw
09:59 < nbastin> but I see your point
09:59 <@ordex> yeah
09:59 <@ordex> btw
09:59 <@ordex> one thing
09:59 <@ordex> when configured in this mode
09:59 <@ordex> the "tap-emulated" interface would need to be bridged
09:59 < nbastin> yes
09:59 < nbastin> by design.. :-)
09:59 <@ordex> so openvpn would need to understand that it is bridged and should "attach" the client IPs to the bridge, not to the tun-emulated iface
09:59 <@ordex> unles
09:59 <@ordex> unless
09:59 < nbastin> hrm, no
10:00 <@ordex> why not ?
10:00 < nbastin> the client IPs are "attached" to the tap interface
10:00 < nbastin> ip addr add X/Y dev tap
10:00 < nbastin> this "port" on the bridge has many IPs
10:00 < nbastin> proper mac learning happens, etc.
10:00 <@ordex> well, that's not properly correct when you are bridging tap
10:00 < nbastin> of course it is
10:00 < nbastin> it's openvpn as a bridge itself
10:00 <@ordex> normally that would happen in the bridge interface
10:00 <@ordex> not anymore on the single port
10:00 <@ordex> because L3 is configured on the bridge at that point
10:00 < nbastin> if you imagine openvpn AS a bridge
10:00 <@ordex> not on the slave port anymore
10:00 < nbastin> which it is in thie case
10:01 <@ordex> what is openvpn AS?
10:01 < nbastin> that's just a trunk port to another bridge (or anywhere)
10:01 < nbastin> I mean *as*
10:01 < nbastin> :-)
10:01 <@ordex> oh ok
10:01 < nbastin> it's a bridge
10:01 <@ordex> :D
10:01 < nbastin> openvpn is a bridge
10:01 < nbastin> in this case
10:01 < nbastin> think about it as two bridges connected
10:01 < nbastin> and a bunch of clients on bridge A
10:01 <@ordex> well, now I am talking about how the soft-bridge in linux normally works
10:01 <@ordex> in general
10:01 < nbastin> bridge B learns all their MACs on one port
10:01 <@ordex> right
10:01 <@ordex> but to do the ARP and IPv6 game, the IPs have to be on the bridge
10:02 < nbastin> no
10:02 <@ordex> uhm
10:02 < nbastin> the ips on the tap will arp
10:02 < nbastin> linux will arp them for you, trust me.. :-)
10:02 <@ordex> mh maybe arp will still work ..
10:02 < nbastin> if you make 100 /32 ips on the tap, they'll all arp
10:02 <@ordex> it would not work if you would try to use them normally
10:02 < nbastin> that bridge will learn one mac (in this case)
10:02 < nbastin> and the hosts will get 100 ips on one mac
10:02 < nbastin> normally?
10:02 <@ordex> well, if you have br0 = [eth0, eth1]
10:02 < nbastin> this is no different from a server with 100 aliases
10:02 <@ordex> and you want to join this network
10:03 <@ordex> you will normally assign an IP to br0
10:03 <@ordex> in this case
10:03 <@ordex> nor to eth0 or eth1
10:03 <@ordex> *not
10:03 < nbastin> no, you only assign the IP to br0 if you want the HOST to have an IP
10:03 < nbastin> but we don't want that
10:03 <@ordex> right
10:03 < nbastin> openvpn is not the host
10:03 <@ordex> that's what you *normally* do
10:03 < nbastin> linux is the host, and it doesn't need an IP
10:03 < nbastin> :-)
10:03 <@ordex> that's what I meant before
10:03 <@ordex> yeah
10:03 < nbastin> I mean it could have one, or not have one, separate from all of this
10:03 <@ordex> right
10:03 <@ordex> but it is not important for your case
10:03 <@ordex> I understand that :D
10:04 < nbastin> well or any case
10:04 < nbastin> if the user wants the host on the VPN, they can give an IP to the bridge
10:04 < nbastin> but that's really just a port on the bridge
10:04 <@ordex> yap
10:04 <@ordex> right
10:04 <@ordex> well
10:04 <@ordex> for the host is handled differently
10:04 < nbastin> it's really br0 = [eth0, eth1, br0]
10:04 <@ordex> not really
10:04 < nbastin> the br0 netdev is not the bridge
10:04 <@ordex> the kernel handles that differently
10:04 <@ordex> right
10:04 < nbastin> no it doesn't
10:04 <@ordex> but it's on top
10:04 < nbastin> not anymore
10:04 <@ordex> not inside
10:05 <@ordex> uhm
10:05 < nbastin> once we merged OVS into the kernel, that's just an interface
10:05 < nbastin> it's not the same as the way the linux bridge worked
10:05 <@ordex> 100% like the others?
10:05 < nbastin> it appears the same to the user
10:05 < nbastin> but it's a full netdev
10:05 <@ordex> mh, I want to check this
10:05 < nbastin> it's the "internal" port to the bridge
10:05 < nbastin> there's a bridge port marked "internal" in the bridge module, and that's the br0 netdev
10:05 <@ordex> last time I broke the bridge if was still different
10:05 < nbastin> it has the same name as the bridge for historical reasons
10:06 < nbastin> but it doesn't behave that way anymore
10:06 < nbastin> because that way was crazy. :-)
10:06 <@ordex> I see
10:06 <@ordex> well, ugly and dirty :P
10:06 <@ordex> when was this change introduced?
10:06 < nbastin> so really what you have is a 3-port bridge
10:06 < nbastin> when OVS was merged as the kernel bridge
10:06 < nbastin> 3.3 something I think
10:06  * ordex is synching net-next in the meantime
10:07 < nbastin> I mean the way the ovs module works is...sortof crazy complicated but we can get into it if we need to.. :-)
10:07 <@ordex> I still remember when there was a separate codepath
10:07 < nbastin> since there's only one kernel table, but it's sliced by user space bridges
10:07 <@ordex> honestly, I don't know what OVS is :)
10:07 <@ordex> openswitch ?
10:07 < nbastin> openvswitch
10:07 <@ordex> alright
10:08 < nbastin> http://openvswitch.org/
10:08 <@vpnHelper> Title: Open vSwitch (at openvswitch.org)
10:08 <@ordex> yap
10:08 < nbastin> which is not that helpful
10:08 < nbastin> but brctl now controls that module
10:08 < nbastin> instead of the old linux bridge
10:08 <@ordex> mah, a couple of months ago a friend of mine was trying to sell me how many problems you can solve with openvswitch .. but ..mah
10:09 <@ordex> by default ?
10:09 < nbastin> in 2017 OVS means the userspace tools, since the module is the same.. :-)
10:09 < nbastin> yeah, but the bridge is separate from the tools
10:09 < nbastin> ovs-ctl and brctl use the same kernel table
10:09 <@ordex> I don't even have ovs compile din my kernel
10:09 < nbastin> the ovs kernel module is just a much more advanced table
10:09 < nbastin> it's in the tree
10:09 <@ordex> yeah its there, but I have enabled it
10:10 <@ordex> *its
10:10 <@ordex> *it's
10:10 < nbastin> I don't know what happens if you don't enable it.. :-)
10:10 < nbastin> yeah, 3.3
10:10 <@ordex> :D I never had it enabled, so I did not switch it on when it appeared :P
10:10 <@ordex> I think it keeps on using bridge as before (?)
10:10 < nbastin> it should have replaced the bridge
10:11 <@ordex> and in the bridge code by itself there is no trace of ovs
10:11 < nbastin> I think the enabling module just enables the extra APIs
10:11 <@ordex> aaaah
10:11 <@ordex> mh
10:11 < nbastin> it is a drop-in replacement for linux-bridge
10:11 < nbastin> it's a pure superset
10:11 <@ordex> well, maybe you enable ovs and bridge gets forcefully disabled  ?
10:11 < nbastin> with some netlink cleanup, like the interface
10:11 < nbastin> you can still use brctl
10:12 <@ordex> sure, if ovs is implementing its interface
10:12 < nbastin> it would operate the same if you use the same userspace utilities
10:12 < nbastin> you only get "advanced" ovs features if you use ovs-vsctl
10:12 < nbastin> brctl works the same
10:12 < nbastin> well, stp works better.. :-)
10:12 <@ordex> yeah I see
10:12 <@ordex> btw the code in the bridge folder is still the same ugly code as before :P
10:12 <@ordex> "stp works" ? :P
10:12 < nbastin> yeah I need to poke around, I trust ben when he said it was the mainline replacement.. :-)
10:13 < nbastin> but I have stopped working on OVS much
10:13 < nbastin> I don't care much about the new features
10:13 < nbastin> but the point is that the bridge "interface" is just a netdev
10:13 < nbastin> like any other port on the bridge
10:13 < nbastin> it sends packets into the bridge table
10:13 < nbastin> and they get switched the same way as eth0 or eth1 or whatever
10:14 < nbastin> it just has the same name as the bridge because that's what the linux bridge always did
10:14 < nbastin> topologically speaking you can view the bridge as a separate vertex from the host
10:14 <@ordex> weird, even in the OVS makefile i don't see anything that conflicts with BRIDGE. maybe Ben  meant that it is the logical replacement, but code-wise they are still two separate thing ?
10:14 < nbastin> if you assigned an IP in that lan to it, that would work
10:15 < nbastin> I am not sure, I honstly thought it completely replaced the whole subsystem, which may be wrong
10:15 <@ordex> I see
10:15 <@ordex> ok
10:15 <@ordex> anyway, not important
10:15 < nbastin> but the point is the host can still be configured the way the user wants, and that is the users problem.. :-)
10:15 < nbastin> if openvpn is listening on a port NOT on that bridge...
10:15 <@ordex> yap
10:15 <@ordex> right
10:15 < nbastin> then the server IP is the gateway
10:16 < nbastin> for that other network
10:16 <@ordex> I assume the uplink is somewhere else
10:16 < nbastin> that seems fine
10:16 < nbastin> then it pushes eth3 network with openvpn server IP gateway
10:17 < nbastin> this will end up in sadness for people because it's not a real router, but that's their own fault for setting this up in the first place.. :-)
10:17 < nbastin> (other hosts on the non-openvpn LAN will not know to use openvpn as the gateway for eth3, probably)
10:18 < nbastin> but that's still a separate network configuration issue
10:18 < nbastin> you make the pain you enjoy.. :-)
10:18 <@ordex> why did you introduce eth3? I lost that part :D
10:19 < nbastin> oh sorry, eth2?
10:19 < nbastin> I thought you made it eth3 a while ago.. :-)
10:19 <@ordex> ah
10:19 <@ordex> the external interface
10:19 <@ordex> yeah yeah
10:19 < nbastin> anyhow, I still think tun-e doesn't change anything except the packet headers
10:19 <@ordex> how to send people out of there is another problem
10:19 < nbastin> it unrolls L3 data from the tunnel and puts it on L2 frames
10:19 <@ordex> well, it removes the ethernet header
10:19 <@ordex> yeah
10:19 <@ordex> on the way in
10:20 <@ordex> yes
10:20 < nbastin> yeah in fact it doesn't even put it on the L2 frame
10:20 < nbastin> it just sends it on the socket
10:20 < nbastin> oh
10:20 < nbastin> it can't do that.. :-)
10:20 < nbastin> it DOES need to use a raw socket to use the right IP
10:20 <@ordex> which socket are you talking about now ?:)
10:20 <@ordex> on the LAN side there is no need for a socket, no?
10:20 < nbastin> well how does openvpn send packets on the tap interface?  :-)
10:21 <@ordex> I'd need to check, but I guess you have a raw socket where you just push data out
10:21 < nbastin> this is the part that changes, I think
10:21 < nbastin> tap sends the packet it got off the vpn, so no change
10:21 < nbastin> tun sends an IP packet, and the linux kernel figures it out, since it's a tun
10:21 <@ordex> right
10:21 < nbastin> in this case it has to be tap plus raw socket to build the header itself
10:22 < nbastin> receiving can be handled by linux kernel, but sending has to be handled by openvpn
10:22 <@ordex> you lost me, I don't know on which side you are and which direction you are going :P
10:22 < nbastin> so when you receive from the LAN
10:22 <@ordex> alright
10:22 < nbastin> you'll only get packets for the IPs you put on the tap
10:22 < nbastin> and linux will arp them for you
10:22 < nbastin> so that's all good
10:22 < nbastin> you look at the IP dest, you strip the L2, you send over the SSL
10:22 <@ordex> I think openvpn gets all the packets received on the TAP, not just those for that IP
10:23 < nbastin> openvpn will get them for any IP on the tap
10:23 < nbastin> plus any broadcast
10:23 < nbastin> and any flood
10:23 <@ordex> mh
10:23 < nbastin> the flood are the ones you need to drop
10:23 < nbastin> so you do need to MAC filter
10:23 < nbastin> well, you could send them too
10:23 <@ordex> you also want to send broadcasts over the VPN?
10:23 < nbastin> I mean if it's 255.255.255.255, I suppose that goes to the tunnel
10:23 < nbastin> you should
10:23 < nbastin> if you're on the lan
10:24 < nbastin> you're on the lan
10:24 <@ordex> what will a tun do with a broadcast with no L2?
10:24 < nbastin> well they have source IPs
10:24 <@ordex> right
10:24 <@ordex> but not sure it can really work as is
10:24 < nbastin> you can't send FF:FF:FF:FF:FF:FF to the tunnel
10:24 < nbastin> but if it's 255.255.255.255, then send it
10:24 <@ordex> tun won't really understand I guess
10:24 < nbastin> it will
10:24 < nbastin> I mean it actually does exactly that now
10:24 < nbastin> IP broadcasts go to the client
10:24 < nbastin> L2 broadcasts do not
10:24 <@ordex> oh does it? ok never tried to send broadcasts over tun
10:25 <@ordex> not sure how
10:25 < nbastin> yeah, I mean WINS and shit works
10:25 < nbastin> which is broadcast for discovery
10:25 <@ordex> discovery works over tun ?
10:25 <@ordex> uhm
10:25 < nbastin> for IP
10:25 <@ordex> interesting
10:25 < nbastin> not for L2
10:25 < nbastin> you can't find a zeroconf printer probably
10:25 < nbastin> but dropbox lan sync works (sadly)
10:25 < nbastin> (we have to filter that)
10:26 < nbastin> since it's really wan-sync.. :-)
10:26 <@ordex> I am wondering how it can
10:26 <@ordex> have you ever tcpdump'd that ?
10:26 <@ordex> to see what's really going over tun ?
10:26 < nbastin> uh, probably
10:26 < nbastin> I don't think I have any of them
10:26 < nbastin> I tcpdump'd it to find the ports I cared about
10:26 < nbastin> the tunnel gets a 255.255.255.255 dest with a real source
10:27 < nbastin> I mean that's not that magical
10:27 < nbastin> all the tun does is strip the L2
10:27 < nbastin> (well and munge TTL for no good reason)
10:27 <@ordex> sure but once it gets on the other side?
10:27 <@ordex> it won't be "routed"
10:27 < nbastin> I dunno what it looks like on the client side
10:27 < nbastin> well no
10:27 < nbastin> but you don't want it to be routed.. :-)
10:27 <@ordex> it may only work between client and server
10:27 < nbastin> but the host gets it
10:28 <@ordex> I mean broadcast over the VPN link only :D
10:28 < nbastin> (client host)
10:28 < nbastin> right that broadcast is link-local
10:28 <@ordex> right
10:28 <@ordex> although the concept of link-local is usually related to L2 :P which in this case does not exist
10:28 <@ordex> but it can still work
10:28 < nbastin> but the host still gets that link-local broadcast (at least on actual computers, I dunno wtf ios/android do)
10:28 <@ordex> limited to that
10:28 <@ordex> :D
10:28 <@ordex> me neither
10:29 < nbastin> I will find out tonight, although I can't tcpdump on my tablet
10:29 < nbastin> so that won't help much
10:29 <@ordex> can't do that on the server ?
10:30 < nbastin> sure but that won't make clear what the client actually sends into the stack
10:30 < nbastin> the server side I know sends the full broadcast IP header into the client
10:30 < nbastin> it's a pain to look at, but we tore apart a bunch of traces once
10:31 <@ordex> yeah, I was thinking we could see what the server receives from the client
10:31 < nbastin> with full keys to decrypt the payloads
10:31 <@ordex> I guessed the client initiazed the broadcast
10:31 < gregf> If I setup openvpn and it gives me a 10.0.0.0 network address but my internal servers are on 192.168.1.0, and my home network is on 192.168.1.0 is that going to work how I expect or do I have to change things around?
10:31 < nbastin> oh I was thinking from the lan side
10:31 <@ordex> oh ok
10:31 < nbastin> gregf: that should work fine
10:32 < nbastin> gregf: you'll use 10 network to reach teh vpn, and still 192.168 for your local
10:32 < gregf> hmm how does that map though
10:32 < nbastin> map?
10:32 < gregf> if my internal network on the vpn side is 192.168.1.0 not 10.0.0.0 how do i connect to those servers without conflicting with my internal network at home
10:33 < gregf> maybe i'm asking the question badly
10:33 < gregf> just trying to understand how this works
10:33 <@ordex> gregf: yeah that will conflict
10:33 < gregf> ok
10:33 <@ordex> gregf: either you use a more specific route for the servers
10:33 <@ordex> like a /32
10:33 < gregf> so i should change the work network to a 10.x or change my home network
10:33 <@ordex> IP_SERVER/32
10:33 < gregf> k
10:33 <@ordex> gregf: to anything that is not the same on both sides
10:33 <@ordex> that's the easiest
10:33 < gregf> ty
10:33 <@ordex> but you can try with a specific /32 route if you have to reach only 1 or 2 servers
10:33 < gregf> just wanted to make sure there wasn't something kind of magic going on behind the scenes
10:34 <@ordex> unfortunately no magic yet
10:34 <@ordex> that's planned for life2.0 ;D
10:34 < gregf> were setting up this network from scratch so its pretty easy to just use a 10.x network
10:34 < nbastin> I guess I misunderstood that question....the servers you want to reach are...well, nevermind.. :-)
10:34 <@ordex> gregf: don't mix it up with the VPN too
10:35 <@ordex> nbastin: home and work have the same subnet. home and work are connected via VPN
10:35 <@ordex> from home he wants to reach servers at work
10:35 <@ordex> routes will conflict
10:35 < nbastin> ordex: ah yes for sure
10:35 < nbastin> The openvpn 4.7 feature for pure NAT remapping with DNS support.. :-P
10:36 <@ordex> and DHT magic
10:36 < nbastin> and by 4.7, a bunch of other magic will be required as well.. :-)
10:40 < nbastin> ok, anyhow, I think Tun-E is a great idea that can be made to work, but for now I have to make silly routing hell work.. :-)
10:41 < nbastin> er, Tap-E
10:41 < nbastin> !!
10:41 < nbastin> Tap-E!
10:41 <@ordex> TapE
10:41 <@ordex> :D
10:41 < nbastin> ductTapE
10:41 <@ordex> lol
10:41 < nbastin> otherwise spelled b-a-n-d-a-g-e
10:41 < nbastin> :-)
10:42 < nbastin> but actually I think this is not a bandage, it's a perfectly normal thing to want
10:42 < nbastin> get tun clients into your existing LAN segment
10:42 < nbastin> no routing, no fuss
10:42 < nbastin> if you wanted more features, then you need to work harder.. :-)
10:43 <@ordex> well
10:43 <@ordex> the point is that 99.9% of the people don't ant L2, but just basic routing
10:43 <@ordex> and 99.99% of the people do not understand L2
10:43 <@ordex> thus *you* want them to use tun
10:43 <@ordex> :D
10:43 < nbastin> I'm not sure they want basic routing, it's just forced on them.. :-)
10:44 <@ordex> well, -routing +NAT
10:44 < nbastin> I mean "connect my client into my existing LAN" seems mostly like what people often want
10:44 <@ordex> and the average joe is happy
10:44 <@ordex> nah
10:44 < nbastin> right, but why NAT when you shouldn't have to
10:44 <@ordex> they normally want to access some server
10:44 <@ordex> without any fuxx and L2 requires to understand what you are doing
10:44 <@ordex> while setting up the VPN server as GW/NAt does not
10:44 < nbastin> I mean mostly they normally want to access the internet...from a tunnel over the internet...but lets ignore those people.. :-)
10:45 <@ordex> they are a big chunk :P
10:45 < nbastin> sure, but that's not an interesting use case from any of these perspectives
10:45 < nbastin> they are well served by the existing support
10:45 <@ordex> yap
10:45 < nbastin> but if you're an enterprise offering vpn to your employees, isn't connecting to the existing LAN possibly easier than adding a bunch of routing?
10:46 <@ordex> dunno
10:46 < nbastin> and by enterprise I mean "small business".. :-)
10:46 < nbastin> if you're an enterprise you have probably IT people and subnets and blah blah
10:46 <@ordex> maybe yeah
10:46 <@ordex> well, it really depends i guess :P
10:46 < nbastin> I mean "vpn into my existing network" seems like a perfectly sensible request
10:46 < nbastin> but it's pretty complicated right now
10:47 < nbastin> you have to add a new subnet and then route to it
10:47 <@ordex> mah often NAt is enough
10:47 <@ordex> becayse connections only go one way
10:47 < nbastin> if you already don't know what you're doing and don't have IT support, that's just a pain
10:47 <@ordex> :D
10:47 < nbastin> and by nat you mean pat.. :-)
10:47 <@ordex> pat ?
10:47 <@ordex> like *pat* *pat*
10:47 < nbastin> port-address-translation
10:47 < nbastin> ITS NEVER NAT
10:47 < nbastin> :-)
10:48 < nbastin> nat is pure one-to-one IP addresses
10:48 <@ordex> hehe I don't decide names :)
10:48 < nbastin> people use NAT to describe a thing that is rarely NAT
10:48 < nbastin> I blame linux for this
10:48 <@ordex> well, the iptables table is called nat :P
10:48 < nbastin> and that table does NAT, the problem is it also does PAT
10:49 < nbastin> PAT is conntrack, NAT is not
10:49 < nbastin> NAT is like oh we bought this other company and they use this address space, lets map that onto this other address space
10:49 < nbastin> but each IP is still unique
10:49 <@ordex> I see
10:49 < nbastin> that is different from PAT, which is port-multiplexing on the same IP
10:50 <@ordex> well NAt then could be a specific case of PAT
10:50 <@ordex> no?
10:50 <@ordex> where *all* the ports are mapped to the sameip:port :P
10:50 <@ordex> yeah
10:50 <@ordex> anyway
10:50 < nbastin> I suppose if you wanted to view it that way.. :-)
10:50 <@ordex> hehe
10:52 <@ordex> there are so many improvements to implements
10:52 <@ordex> if only there were resources for all of them ..
10:53 < nbastin> perf!  :-)
10:53 < nbastin> thread per client!  :-)
10:54 < nbastin> really process per client would be better on most *nix
10:54 < nbastin> just fork and pass the coekt
10:54 < nbastin> socket
10:54 <@ordex> hehe
10:55 < nbastin> namespaces would be good, I guess, as an incremental step to betterness.. :-)
10:56 < nbastin> it would be nice to spawn more threads/processes for a single client/server pair and hash connections internally
10:56 <@ordex> is a process running in the root ns allowed to drive a iface in another ns ?
10:56 < nbastin> yes
10:57 < nbastin> from the root NS you can drive an interface in any namespace, given proper privileges
10:57 < nbastin> from another namespace you would need access to the root loopback to do it
10:57 < nbastin> (which is a per-namespace decision)
10:58 <@ordex> nic
10:58 <@ordex> e
11:00 <@ordex> ok..time for me to disappear :)
11:00 <@ordex> nice chat
11:00 <@ordex> talk soon!
11:05 < nbastin> :-)
11:05 < nbastin> I shall stab things over and over until android works
11:07 <+hyper_ch> doing the same thing over and over and expect a different result? Isn't that the definition of insanity?
11:30 < nbastin> I'll stab different things.
11:45 < x86_64> !welcome
11:45 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
11:45 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
11:46 < x86_64> !goal
11:46 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:37 < anicow> hey guys what does this error mean? Sun Sep 24 14:30:28 2017 ERROR: The TAP-Windows driver rejected a TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT DeviceIoControl call
13:37 < anicow> i see next to no results in google.
13:38 < anicow> it happens right after Sun Sep 24 14:30:28 2017 Notified TAP-Windows driver to set a DHCP IP/netmas
13:41 < anicow> i figured it out
13:41 < anicow> the error was in my server.conf i was using push "dhcp-option DNS 8.8.8.8"
13:42 < anicow> but before i was using an incorrectip address that did not exist, instead of 8.8.8.8
13:42 < anicow> i fixed that now it connects
13:52 -!- albech1 is now known as albech
14:19 < Neobenedict> http://www.speedtest.net/my-result/6651780842
14:19 < Neobenedict> why
14:19 <@vpnHelper> Title: Speedtest.net by Ookla - My Results (at www.speedtest.net)
14:19 < Neobenedict> any ideas how something like this could happen
14:19 < Neobenedict> without vpn 500+ mbit
14:19 < Neobenedict> and 800+mbit upload
14:20 < Neobenedict> with vpn, .. that happens
14:20 < BtbN> bad routing, congested link somewhere, ...
14:21 < Neobenedict> !paste
14:21 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2)
14:21 <@vpnHelper> paste.ee is also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
14:21 < Neobenedict> https://gist.github.com/anonymous/a13d899bd96a03e5b91098f92b91b772
14:21 <@vpnHelper> Title: gist:a13d899bd96a03e5b91098f92b91b772 · GitHub (at gist.github.com)
14:21 < Neobenedict> server config
14:33 < Neobenedict> changing port hasnt helped
14:38 < Neobenedict_> ok looks like a congested route
14:38 < Neobenedict_> god damn it
15:58 -!- albech1 is now known as albech
16:05 < Random1> hi there
16:05 < Random1> i have a simple request - on windows 10 here using OpenVPN to connect to a vpn that gives me a differnt WAN IP (like most vpns generally do) , i am wondering if there is any way client-side i can make it so when I connect to the vpn that its not my default internet connection
16:06 < Random1> the idea being only using the vpn for 1 or 2 applications (which i have a program called ForceIP that forces a network interface to be used for whatever calls with api on the fly winsock injecting) and i see openvpn uses a 2nd virtual network interface so what i'm asking seems like would be possible just not sure how to do it
16:06 < Random1> would anyone have some insight or be able to point in the right direction for this plz?
16:07 < vectr0n> is it normal when disallowing communication between clients, the vpn clients are unable to access the lan behind the ovpn server? when i allow communication between clients, all is good. im not even sure its possible to do what im looking for, actually im almost sure, but doesnt hurt to ask
16:14 -!- nocaberi is now known as Bock
17:40 -!- svm_invi_ is now known as svm_invictvs
20:16 -!- mode/#openvpn [+v Dougy] by ChanServ
20:16 <+Dougy> oh wow, it still exists
20:16 <+Dougy> cool
20:17  * Dougy waves to s7r, ecrist, dazo, krzee and hyper_ch
21:17 -!- mundus2018 is now known as mundus
21:39 -!- mundus is now known as Mundus
21:43 -!- Mundus is now known as mundus
23:33 <+hyper_ch> Dougy: what still exists?
--- Day changed Mon Sep 25 2017
00:10 -!- abenz_ is now known as abenz
05:01 < frodox> Hi all. What is the difference between `proto tcp` vs `proto tcp-client` ? I used `tcp-client`, but my connection getting broken time to time, and I haven't such problem with `proto tcp`. But this option isn't documented...
06:00 < rob0> I would guess that "--proto tcp" looks at the --remote setting; if set it falls back to tcp-client, and if not set, tcp-server.
06:23 <@ordex> frodox: "proto tcp" by itself is ambiguous and it relies on other options to understand if it is an actual tcp-client or tcp-server
06:24 <@ordex> when you write tcp-client/server you are making it explicit
06:24 < frodox> ah
06:24 < frodox> ok, thank you
06:24 <@ordex> np
06:49 <@dazo> Dougy: you've been away for too long!!! :)
08:10 -!- EmperorTom is now known as _quadDamage
08:14 < havoc> I think windows clients need the --tcp-client to be specified if using tcp
08:15 < havoc> a bug/oddity of windows; that --proto tcp isn't enough, or at least that's a specific issue I had w/ windows clients when trying to run on tcp:443
08:15 < havoc> but that was also long ago
08:36 <@ordex> havoc: maybe that was fixed (?) because in the option parser there is a post-process routine that just checks all the options and if the proto was tcp only, will then set it to tcp-server or tcp-client
08:36 <@ordex> but i wouldn't exclude this was b0rken in the past :P
08:47 < havoc> ordex: possibly, as I said, a looong time ago
08:47 <@ordex> hehe
08:48 < havoc> a decade or more, actually
08:50 < havoc> windows clients have to be handled slightly differently anyway
08:51 < havoc> of our 2,000 ovpn client rollout, got about a hundred fails so far
08:51 < havoc> due to the perimeter fw crap
08:51 < havoc> oh well
10:23 <@ecrist> hey there Dougy 
10:30 <+hyper_ch> krzee has been idle for 30 days, 12 hours, 22 minutes and 13 seconds
10:32 <+_FBi> heh
10:33 <+_FBi> is he winning the idle competition?
10:34 <+hyper_ch> no, I'm worried about him :(
10:43 <@ordex> hopefully he is fine..but i guess his place is not really ok :/
10:44 <+hyper_ch> his bnc at least is still working
11:02 < DArqueBishop> ... which doesn't really mean anything/
11:05 <+hyper_ch> I know
11:05 <+hyper_ch> but it at least means the bnc account is still paid for...
11:05 <+hyper_ch> so it's something positive
11:05 <+hyper_ch> s|account|account/server|
11:09  * DArqueBishop shrugs.
11:10 <+hyper_ch> you have to stay positive :)
14:58 -!- dionysus70 is now known as dionysus69
16:26 < rem5> when configuring OpenVPN AS for multiple remotes, do you have to do a -remote * first? does anyone have an example? I'm trying whats in the docs, but its not working
16:27 < rem5> with this config i get 'NoneType' object is not iterable
16:28 < rem5> it seems like it can't iterate over the remotes
16:29 < vectr0n> !as
16:29 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
16:31 < rem5> so sorry, failed topic
20:24 < darkdrgn2k> hi all
20:25 < BenderRodriguez> hi all
20:25 < BenderRodriguez> I need help!
20:25 < BenderRodriguez> my openvpn server went down and won't restart
20:25 < darkdrgn2k> would tls-auth help get around  Deep Packet Inspection?
20:25 < BenderRodriguez> the systemd service that is
20:25 < darkdrgn2k> BenderRodriguez: did you check you logs?
20:27 < BenderRodriguez> hmm
20:27 < BenderRodriguez> seems to be a SELinux issue again
20:28 < BenderRodriguez> the contexts on the /etc/openvpn directory has changed
20:30 < darkdrgn2k> ther eyou go
20:43 < darkdrgn2k> so anyone
20:43 < darkdrgn2k> DPI and tls-auth ?
20:44 < cstk421> what is the proper method of having openvpn auto re establish the tunnel after it loses or changes WAN connectivity ?
20:44 < cstk421> is it built in or do i need a bash script to do it ?
20:44 < darkdrgn2k> cstk421: client or server/
20:45 < cstk421> client sorry
20:45 < cstk421> debian based
20:45 < darkdrgn2k> resolv-retry infinity
20:45 < darkdrgn2k> and keep alive
20:46 < cstk421> i tried that and the tunnel wont connect if i add those in the .conf file
20:46 < cstk421> i also read those are for the server side
20:46 < darkdrgn2k> resolv-retry infinity isnt
20:46 < darkdrgn2k> htats clietn
20:46 < cstk421> copy that ill try it
20:46 < darkdrgn2k> keep alive is usualy for server
20:46 < cstk421> is it infinity ? or infinite ?
20:47 < cstk421> googled it it was infinite
20:47 < darkdrgn2k> infinite
20:47 < cstk421> yep thx ill report back
20:49 < darkdrgn2k> also udp is more forgiving on disconnects
20:50 < cstk421> which is what im using
20:50 < cstk421> but good to know
20:50 < darkdrgn2k> it can servive short disconnects
20:50 < darkdrgn2k> also if your ip changes allot server side float is good too
20:51 < cstk421> copy that
20:51 < cstk421> does it matter where i put the command in the conf file ?
20:52 < cstk421> first / last  ?
20:52 < darkdrgn2k> nop'
20:52 < cstk421> k
20:53 < darkdrgn2k> you can alos try
20:53 < darkdrgn2k>      ping-restart 120
20:53 < darkdrgn2k> and ping 10
20:56 < cstk421> well damn
20:56 < cstk421> it worked
20:57 < cstk421> preciate it
20:57 < cstk421> save me from a billion power cycles on the pi
20:58 < cstk421> bounced among all 3 wan connections and re established the tunnell
20:58 < cstk421> perfect
20:58 < cstk421> thanks again darkdrgn2k
21:28 < darkdrgn2k> any time :)
22:37 -!- ketas is now known as ketas-
23:10 -!- ohnx- is now known as ohnx
--- Day changed Tue Sep 26 2017
08:04 < vishesh92> Hi. I have setup google authenticator pam with VPN and it is working fine. But if I am disconnected from internet even for a second, it asks for the password again. This becomes frustrating because I have to take out my mobile to enter the authentication code. Is there a way around this?
09:02 <@ecrist> first, don't disappear after asking a question.
09:18 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: by bye]
09:19 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
09:19 -!- mode/#openvpn [+v s7r] by ChanServ
09:45 -!- NotSecwitter is now known as NonSecwitter
09:49 < revoker> hi! is it possible to revoke vpn server certificates? if someone stole the server's private key
09:50 < revoker> !heartbleed
09:50 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl, or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised., or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected., or (#4)
09:50 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed, or (#5) http://xkcd.com/1354/
10:01 -!- revoker is now known as egonsen_
10:18 < DArqueBishop> revoker: you can put them in a CRL.
10:18 < DArqueBishop> !crl
10:18 <@vpnHelper> "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with
10:18 <@vpnHelper> openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you, or (#3) openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
10:19 < DArqueBishop> Otherwise, if you're truly paranoid, you can create a completely new CA.
10:20 < DArqueBishop> I think the issue with the CRL is that you'd need to distribute it to all of the clients.
10:54 < NonSecwitter> kuahara: 2.1.1 is old, iirc
10:56 <+hyper_ch> that's from before the Dawn of Time or so...
10:58 < NonSecwitter> pfsense currently includes 2.3.9
10:58 < NonSecwitter> is 3 live?
10:59 <+hyper_ch> you want 2.4.x
10:59 < kuahara> are .ovpn files from 2.1.1 compatible in the current openvpn release?
10:59 < NonSecwitter> i think that might be available on pfsense... there is an update I need to run
11:01 <+hyper_ch> I think there's one thing that's deprecated now....
11:02 < NonSecwitter> as long as it doesn't break the connection with our old clients
11:02 < NonSecwitter> we can't get out to update them all
11:02 <+hyper_ch> now it's  remote-cert-tls server   but that used to be differnet... no idea when it changed
11:02 <+hyper_ch> the old version should still working I think
11:03 <+hyper_ch> ah,  ns-cert-type   was the old one
11:03 <+hyper_ch> http://forum.ipfire.org/viewtopic.php?t=18852
11:03 <@vpnHelper> Title: OpenVPN '--ns-cert-type' is deprecated - forum.ipfire.org (at forum.ipfire.org)
11:04 <+hyper_ch> "This option is deprecated. Use the more modern equivalent --remote-cert-tls instead. This option will be removed in OpenVPN 2.5."
11:04 <+hyper_ch> so still usable in 2.4
12:16 <+Dougy> pfsense
12:16 <+Dougy> ah my beloved
13:42 <@dazo> NonSecwitter: 2.3.x is the old stable branch, we do maintain it - but only for major bug fixes and security updates.  But no new feature is planned there at all.  2.4 is the current stable release, which will also not see much new fancy features ... but if there's a true benefit with a low maintenance "cost" and low chance for new bugs, we might consider adding it
13:43 < NonSecwitter> gotcha. makes sense. I just need to run the update on pfense
13:43 <@dazo> but I think that we will in not too far future label 2.3 deprecated and more push people more consistently to move forward to 2.4
13:44 < NonSecwitter> we're trying to get away from PC based VPNs anyways
13:44 < rob0> toward what instead?
13:44 < NonSecwitter> secure RDS and peer-to-peer VPN... router to router
13:44 <@dazo> hyper_ch: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
13:44 <@vpnHelper> Title: DeprecatedOptions – OpenVPN Community (at community.openvpn.net)
13:45 <+hyper_ch> dazo: that would be way too simple
13:45 <@dazo> :)
13:46 <+hyper_ch> and what do you mean by --comp-lzo being deprecated? oO
13:46 <@dazo> hyper_ch: this: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#a--comp-lzo
13:46 <@vpnHelper> Title: DeprecatedOptions – OpenVPN Community (at community.openvpn.net)
13:46 <+hyper_ch> reading there
13:46 <+hyper_ch> I don't recall having given permission for that ;)
13:47 <@dazo> oh, we don't ask users ... we just decide and follow through! ;-)
13:47 <+hyper_ch> *veto*
13:47 <@dazo> kinda like the Trumpish approach
13:47 <+hyper_ch> make openvpn great again?
13:47 <@dazo> yeah!  It's about time, you don't think!? ;-)
13:47 <+hyper_ch> the "again" would imply that it's not great anymore
13:48 <@dazo> Was America not great at some point? ;-)
13:48 <+hyper_ch> yes
13:48 <@dazo> blasphemy!
13:49 <+hyper_ch> well, I'm off
13:49 <+hyper_ch> hard day tomorrow
13:49 <@dazo> :)
13:49 < rob0> !redirect
13:49 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
13:49 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
13:49 <+hyper_ch> states attorney wants to imprison my client for 4 years... lets see if I can get more ouf of this ;)
13:50 < rob0> you want MORE than 4 years?
13:50 <+hyper_ch> isn't more better? ;)
13:50 <+hyper_ch> you'd rather have $ 1000 or $5000?
13:50 <+hyper_ch> see, more is better;)
14:00 < havoc> 838 provisioned vpn clients, ~1,000 to go
14:45 -!- dionysus70 is now known as dionysus69
14:48 < doteater> !welcome
14:48 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
14:48 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
14:49 < doteater> !goal
14:49 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:54 < doteater> !tap
14:54 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the
14:54 <@vpnHelper> protocol uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
15:06 < doteater> I would like the client to stop trying to connect after no-push-reply rather then reconnecting.
15:14 < mike309> Hi all. Any ideas why an openvpn client config would work in an identical guest OS in virtualbox, but not in the host OS?
15:36 < dcarmich> !welcome
15:36 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
15:36 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
15:38 < dcarmich> !1925
15:38 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
15:41 < erik> !def1
15:41 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
16:29 -!- remirol is now known as lorimer
18:46 <@ordex> morning
18:51 < havoc> morning (not here)
18:54 <@ordex> :)
18:59 < abenz> morning :)
19:26 <@ordex> havoc: it's always morning somewhere ;P
19:34 < cyclonis> im trying to install openvpn on the centos 6 server and im getting the following error missing Last login: Tue Sep 26 18:17:56 on console
19:34 < havoc> it's always Beer'O'Clock Somewhere
19:34 < cyclonis> [unixgeek]757labs
19:34 < cyclonis> Connected to users.757.org! Serving 757 since NetBSD 1.4.
19:34 < cyclonis> bwell@users.757.org's password:
19:34 < cyclonis> Last login: Mon Sep 25 20:27:42 2017 from 70.174.182.101
19:34 < cyclonis> +-[2017-08-11/Sean]_----------------------------------------------------------+
19:35 < cyclonis> ; The totally-not-worried-about-not-being-evil-anymore company is blocking all;
19:35 < cyclonis> ; messages from users.  This looks to be the result of a bunch of folks just  ;
19:35 < cyclonis> ; blindly forwarding their mail, spam and all, to Gmail.  It's a pain.  Please;
19:35 < cyclonis> ; run your messages through Spamassassin, and/or have Gmail fetch over POP (or;
19:35 < cyclonis> ; IMAP) if you don't want to use users.                                       ;
19:35 < cyclonis> ; If you have questions, please email me.  sean@757.org.                      ;
19:35 < cyclonis> +-[2017-03-13/Ethan]----------------------------------------------------------+
19:35 < cyclonis> : HUGE DOWNTIME! Sorry about the downtime, but there was some sort of disk    :
19:35 < cyclonis> : error that caused the root system to crash, taking the virtual machines     :
19:35 < cyclonis> : with it. I was
20:29 < cyclonis> good evening im trying to install openvpn but when installing im getting the following error on centos 6 Error: Package: openvpn-2.4.3-1.el6.x86_64 (epel) Requires: liblzo2.so.2()(64bit)
20:29 < cyclonis> anyone seen this error on centos 6
20:47 <@ordex> cyclonis: do you have that dep installed?
20:47 <@ordex> probably dazo can help you with centos but he is not around now
21:23 < memo1> can someone explain how to do a ovpn file
21:36 <@ordex> !howto
21:36 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
21:37 <@ordex> memo1: ^^ in the howto linked above you find several example of config files
21:38 < dimestop> !welcome
21:38 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
21:38 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
21:39 < dimestop> !goal
21:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:39 < dimestop> I want to set up a point to point VPN, and am getting 'Authenticate/Decrypt packet error: packet HMAC authentication failed'
21:40 < dimestop> peer to peer* ?
21:41 < dimestop> does anyone know what could cause that?
23:29 -!- s7r_ [~s7r@openvpn/user/s7r] has joined #openvpn
23:29 -!- mode/#openvpn [+v s7r_] by ChanServ
23:30 -!- pekster_ [~rewt@openvpn/community/developer/pekster] has joined #openvpn
23:30 -!- mode/#openvpn [+o pekster_] by ChanServ
23:31 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
23:31 -!- mode/#openvpn [+o krzie] by ChanServ
23:35 -!- Netsplit *.net <-> *.split quits: +s7r, @krzee, @pekster
23:35 -!- s7r_ is now known as s7r
23:51 < vishesh92> Hi. I have setup google authenticator with openvpn. But my internet is flaky sometimes and a disconnection for few seconds results in asking for the code again from the authenticator which is troublesome. Is there any way I can solve this?
--- Day changed Wed Sep 27 2017
00:35 < Dimtree> Question: if I'm running OpenVPN on UDP 443, is there anything stopping me from running something else, eg. SSH or Nginx, on TCP 443?
00:35 < Dimtree> Technically it would work I believe. But is it considered a bad idea?
00:41 <@ordex> Dimtree: no. it will just work
01:53 -!- ikonia_ is now known as ikonia
03:28 < Boomerang> My local network and the VPN I want to connect to share the same IP address ranges (and even have the same gateway IP as far as I can tell). Is there any way I can make that work?
03:33 <@ordex> Boomerang: I see two options (but there might be more). One is to use on your VPN a subset of your local network (but you have to be careful with adjusting the routes properly), another is to use tap and bridge the VPN with the LAN
03:34 <@ordex> but that gives you other drawbacks intrinsic of tap mode
03:36 < Boomerang> I am very new to all this VPN stuff. Where can I find more information to implement either solution?
03:37 < Boomerang> The current temporary setup that I found in order to ssh into one computer in the VPN is to first ssh into a VPS and then open the VPN from there. I obviously don't get the benefits of a real VPN... :/
03:39 <+hyper_ch> Boomerang: you could add all lan devices as vpn client (running openvpn on them)
03:41 <@ordex> hyper_ch: why do you like so muhc this solution :D
03:41 <@ordex> *much
03:41 <+hyper_ch> because it's the simplest one :)
03:41 <@ordex> hehe
03:43 <+hyper_ch> ordex: and this is so much more complex to understand:  https://community.openvpn.net/openvpn/wiki/RoutedLans
03:43 <@vpnHelper> Title: RoutedLans – OpenVPN Community (at community.openvpn.net)
03:43 <@ordex> hyper_ch: are you trying to convince me that a person that decides to go for "all devices inthe VPN" i understanding what he is doing? :P
03:44 <@ordex> *is
03:44 < Boomerang> Thanks for your suggestions, I'll look into them! :)
03:44 <+hyper_ch> it's more easy to understand than getting whole routed setup
03:44 <+hyper_ch> package routing is very advanced automagic
03:44 <@ordex> well, there is no magic. But I agree it can be harder to understand for the average jow
03:44 <@ordex> joe
03:45 <@ordex> buuuuut all the client sin the VPN works as far as you don't have anything special configured
03:45 <+hyper_ch> there's tons of magic
03:45 <@ordex> :D
03:45 <+hyper_ch> any sufficiently advanced magic is indistinguishable from technology :)
03:45 <@ordex> come on, routing is really basic, there no magic
03:45 <@ordex> lol
03:45 <@ordex> *there's
03:45 <@ordex> :P
03:46 <+hyper_ch> I don't recall which Doctor said this
03:46 <@ordex> anyway, I just believe that suggesting a "convenient" but technically wrong solution at the first glance is not entirely correct
03:46 <@ordex> it is ok when a person is showing problems understanding or he is unwilling to understand
03:46 <@ordex> imho eh
03:46 <+hyper_ch> it was the 7th doctor
03:46 <@ordex> 7th doctor?
03:46 <@ordex> :D
03:47 <+hyper_ch> doctor who
03:47 <@ordex> ah
03:47  * ordex hasn't seen it
03:47 <+hyper_ch> inversing Clarke's Law
03:47 <+hyper_ch> Clarke's 3rd Law
03:48 <+hyper_ch> I assume you know that one
03:49 <@ordex> mh nopw
03:49 <@ordex> missed that too :(
03:49 <@ordex> who's that ?
03:50 <@ordex> fiction writer
03:50 <@ordex> mh ok, not my domain :P
03:53 <+hyper_ch> awww
04:17 < azarus> I've just setup openvpn on my server. Now, when I try to connect using a client on my Android, I get "MGMT: Got unrecognized command>FATAL:Error: private key password verification failed" even though I made sure to set no client challenge response password.
04:17 < azarus> Any tips?
04:20 -!- Kryczek_ is now known as Kryczek
04:23 <+hyper_ch> how did you create client cert?
04:23 < azarus> hyper_ch: EasyRSA
04:23 <+hyper_ch> which version?
04:24 <+hyper_ch> or what guide did you follow?
04:24 < azarus> hyper_ch: https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts
04:24 <@vpnHelper> Title: Create a Public Key Infrastructure Using the easy-rsa Scripts - Gentoo Wiki (at wiki.gentoo.org)
04:25 < azarus> I'm using EasyRSA 3.0.1.
04:25 < azarus> From the gentoo repos.
04:25 <+hyper_ch> so you used   ./easyrsa build-client-full <client name> nopass     ?
04:25 < azarus> Yup.,
04:25 <+hyper_ch> then it should not have a password
04:25 <+hyper_ch> !configs
04:25 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
04:26 < azarus> Okay, I'll paste the configs.
04:26 < azarus> !paste
04:26 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
04:26 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
04:28 < azarus> Here's my server config: https://gist.github.com/e99b5a18abc2dc8b4b3a58816feab2bb
04:28 <@vpnHelper> Title: stdin · GitHub (at gist.github.com)
04:29 <+hyper_ch> seems fine
04:31 <+hyper_ch> well, no idea
04:31 <+hyper_ch> still seems like you might have omitted the "nopass" option
04:31 <+hyper_ch> can you check your history?
04:32 < azarus> I can confirm that I have set nopass.
04:32 <+hyper_ch> well, don't know then
04:32 < nbastin> ordex: I finally got my crazy tun-in-namespace thing to work by hand
04:33 <@ordex> nbastin: :D cool
04:33 <+hyper_ch> azarus: you could try to integrate all key and certs into the client config
04:33 <+hyper_ch> and try to load that
04:33 < Kryczek> nbastin: how did you do it? :)
04:33 < nbastin> ordex: when you move the tun interface into another namespace it apparently loses its IP info, so I have to capture it and then reconfigure it
04:33 <@ordex> nbastin: do you still have hair on your head? ;P
04:33 <@ordex> nbastin: is that enough ?
04:33 <+hyper_ch> tun-in-namespace?
04:33 < nbastin> ordex: well, and up it again - it seems to lose all state
04:33 <@ordex> will it keep the link to the process creating it? (i.e. the socket is still valid?)
04:34 < nbastin> ordex: it does, yes, the socket handle is still the same
04:34 <@ordex> cool
04:34 < nbastin> ordex: so my fire tablet is now passing packets into my separate namespace
04:34 <@ordex> hyper_ch: moving tunX into a non-root namespace after it was created
04:34 < azarus> hyper_ch: Will it help to paste my client config?
04:34 <@ordex> nbastin: nice :)
04:34 <+hyper_ch> azarus: nah, no need... but as said, maybe try to include cers and keys into the client config
04:34 <+hyper_ch> and then load that
04:34 <@ordex> nbastin: how about your vacation? :P
04:35 < nbastin> ordex: the reconfiguring-everything will be annoying for the orchestrator, btu I can make it work.. :-)
04:35 < azarus> hyper_ch: Certs and client configs are included in the client config.
04:35 <@ordex> nbastin: maybe that can be done via a openvpn-script ?
04:35 <+hyper_ch> no idea then
04:35 <+hyper_ch> azarus: best to ask ordex ;)
04:35  * ordex hides
04:35 <+hyper_ch> gotta go anyway soon
04:35 < nbastin> ordex: hrm, maybe...we mostly don't use the scripts at all so there's nothing the orchestrator doesn't see, but that might be ok
04:36 <@ordex> nbastin: well, yeah, it is still a very local openvpn problem, so handling it in there might be reasonable. but you know the infrastructure better :)
04:36 < nbastin> ordex: is there a script hook that happens after it creates the tun interface, but before it addresses it?
04:37 <@ordex> mh
04:37 <@ordex> nbastin: should read the man :P
04:37 <@ordex> not sure there is something "in between"
04:37 <+hyper_ch> what's the benefit of moving tun out of root namespace?
04:37 < nbastin> ordex: oh nevermind that wouldnt' work anyhow
04:37 < nbastin> ordex: if I moved it the ifconfig/ip link commands won't work
04:37 < nbastin> hyper_ch: we have isolated customer topologies, so I need to connect the tun to the right customer topology
04:37 <@ordex> nbastin: well, you can tell openvpn to use another command instead of the plain "ip"
04:38 <@ordex> like a wrapper script specifying the namespace
04:38 <@ordex> wouldn't that help ?
04:38 <+hyper_ch> nbastin: that sounds all so complicated :)
04:38 < nbastin> ordex: oh instead of "ifconfig" of whatever?  that would work
04:38 <@ordex> nbastin: yup
04:38 < nbastin> ordex: I will look into this. :-)
04:38 <@ordex> nbastin: I speak in terms of "ip" because I always build with --enable-iproute2 :P
04:38 <@ordex> hyper_ch: you can suggest to connect everybody to the vpn :P :P :P
04:38 < nbastin> hyper_ch: I mean generally from my perspective it's not complicated, because I don't know anything about the customer topo, except from openvpn tun perspective, now I have to integrate this weird L3 interface.. :-)
04:39 <@ordex> nbastin: check "--iproute" in the man
04:39 < nbastin> ordex: yeah, that will come...
04:39 < nbastin> ordex: obviously ifconfig doesn't know anything about namespaces anyhow, so we'll have to build with --enable-iproute2 first
04:39 < azarus> Well, if anybody has a clue regarding my problem, feel free to ping me anytime...
04:39 <@ordex> nbastin: the world doe snot know anything about ifconfig since 2.2 :-P
04:39 <+hyper_ch> ordex: yeah, let's make a inter-vp-net
04:40 <+hyper_ch> where the whole world can connect to the same vpn
04:40 < nbastin> ordex: well we use netlink sockets for everything else we do.. :-)
04:40 <@ordex> azarus: are you sure you specified "nopass" when creating the cert ?
04:40 < azarus> ordex: Yes.
04:40 <@ordex> nbastin: ;)
04:41 < azarus> Created it twice to make sure.
04:41 <@ordex> nbastin: ah I rebased my sitnl branch in case you want to have fun
04:41 <@ordex> nbastin: patch to extend the code with NS arguments are welcome ;)
04:41 <@ordex> azarus: mh ok
04:41 < nbastin> ordex: ok, I will get a chance to look at that tonight I think
04:42 <+hyper_ch> (are you using the correct config with the included nopass cert)
04:42 < nbastin> ordex: I'll look at some of this other script stuff before I actualyl roll these commands into the orchestrator
04:42 <+hyper_ch> what app are you using for the vpn on your droid?
04:42 < azarus> hyper_ch: openvpn_ics
04:42 < Kryczek> azarus: could it be that you have another private key in your Android client? Perhaps in the keystore?
04:42 <+hyper_ch> ics? icecream sandwich?
04:43 < azarus> Kryczek: Specified private key manually, it's in the config.
04:43 <@ordex> the keystore in theory should be poked only if no key/cert/ca is specified in the config
04:43 <@ordex> hyper_ch: bleah
04:43 < azarus> It's this client: OpenVPN for Android
04:43 < azarus> It's just another name for it.
04:44 <+hyper_ch> there's multiple openvpn clients
04:44 <@ordex> azarus: if you run on your linux box: "openssl rsa -in path_to_private_key.key -text" what do you get ?
04:44 <@ordex> hyper_ch: openvpn-ics is the codename for the Opensource openvpn written by plaisthos
04:44 <+hyper_ch> openvpn for android should work fine
04:44 < azarus> ordex: private key used in the client?
04:44 <@ordex> azarus: yap
04:45 <@ordex> if the key is password protected, this command should ask for it too (or throw a related error - can't remember exactly)
04:45 < azarus> ordex: unable to load Private Key
04:45 < azarus> 3069437324:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
04:45 <@ordex> uhm
04:45 <@ordex> azarus: what's the first line of your key ?
04:46 <@ordex> don't you have something like: -----BEGIN PRIVATE KEY-----
04:46 <@ordex> ?
04:46 < Kryczek> I was going to ask if it has -----BEGIN :)
04:46 <@ordex> :)
04:46 < azarus> Hmm... It says # 2048 bit OpenVPN static key
04:46 < Kryczek> oh
04:46 < azarus> Even though I specified 4096 bit.
04:47 < Kryczek> that's for symmetric keys
04:47 <@ordex> well, that's not a key generated with easyrsa
04:47 <@ordex> that is a static key generated with openvpn
04:47 <+hyper_ch> that's probably the dh key
04:47 < azarus> That might very well be!
04:47 <@ordex> that can be either used with static-key setup or for tls-auth/tls-crypt
04:47 <@ordex> or dh
04:47 <@ordex> butnot a private key
04:47 <@ordex> *but not
04:47 < azarus> Diffie-Hellman?
04:47 <@ordex> azarus: yes, that is required only on the server
04:47 <@ordex> just saying that this is a key generated with openvpn and is for other purposes
04:48 <@ordex> it is not a private key generated with easyrsa
04:48 < azarus> Ah, okay. I'll regen the private key with easyrsa and copy it back over.
04:48 < Kryczek> azarus: ideally you should regen that static key too if it was not supposed to leave the server
04:48 <@ordex> azarus: maybe the old one is still there .... (if you haven't deleted it)
04:49 <@ordex> easyrsa3 will normally put private keys into the private/ subfolder
04:49 <@ordex> and certs in issued/
04:49 <@ordex> you need both
04:49 <+hyper_ch> ordex: server config was generated just fine:  https://gist.github.com/anonymous/e99b5a18abc2dc8b4b3a58816feab2bb
04:49 <@vpnHelper> Title: stdin · GitHub (at gist.github.com)
04:50 < nbastin> blah, of course I need the android client to intercept all DNS requests to make my particular case work, but I'll leave that problem to each user.. :-)
04:50 <@ordex> assuming each contains what it is supposed to :D
04:51 <+hyper_ch> I wrote myself a few bash scripts for config generation   https://github.com/sjau/sipGenVPN  :)
04:51 <@vpnHelper> Title: GitHub - sjau/sipGenVPN: Small collection of bash scripts to create client config files for SIP hard- and softphones (at github.com)
04:51 <+hyper_ch> mainly I was annoyed at the sip phones and how you have to package and name things exactely... then I extended it ;)
04:51 <@ordex> :)
04:51 <@ordex> and this script connects everybody to the sam vpn?
04:51 <@ordex> :P
04:51 <@ordex> *same
04:51 <+hyper_ch> of course )
04:51 <@ordex> :D
04:51 <+hyper_ch> sharing is caring
04:52 <+hyper_ch> my office gigabit line got activated today
04:52 <+hyper_ch> but I need to go to court this afternoon :( so can't set it up
04:52 <@ordex> hyper_ch: how long have you been waiting for that ?
04:52 <+hyper_ch> well, in my home I got the fiber about 2 years ago
04:53 <+hyper_ch> then in april I got info that in my office they will also convert to fiber
04:53 <+hyper_ch> the town decided to deploy its own fiber network
04:53 < Kryczek> nice
04:53 <+hyper_ch> so, end of april I had fiber
04:53 <@ordex> oh I see
04:53 <+hyper_ch> then I look what provider I could use and saw Init7 offers gigabit for CHF 777/y
04:53 <@ordex> ah not bad
04:53 <+hyper_ch> ok, checked with my OTO-plug id for home and yes, it works
04:54 <+hyper_ch> so end I cancelled both internet contracts (home and office) to end of may
04:54 <+hyper_ch> unfortunately I wasn't aware, that they relase the newly installed fiber only when the whole block is ugpraded
04:54 <+hyper_ch> so I had to use LTE meanwhile at work... no big deal though
04:54 < azarus> 2017-09-27 11:47:33 TLS Error: Unroutable control packet received from [AF_INET]172.104.143.237:12112 (si=3 op=P_ACK_V1)
04:54 <+hyper_ch> LTE is good.. get around 60/30mbit
04:54 < azarus> This is what I'm getting now.
04:55 <+hyper_ch> and now on the 22nd of september the fiber at the office was finally released
04:55 <+hyper_ch> and this morning I noticed that the line is active now
04:55 <@ordex> mah here they sell 10Gbps, but I am not sure what people would do with that at home
04:55 <+hyper_ch> ordex: CHF 777/y = $800/y
04:55 < Kryczek> hyper_ch: out of curiosity, why do you write your tests with [[ ]] instead of just [ ] ?
04:56 <@ordex> 4K streaming in every room?
04:56 < azarus> Ooh, CHF? My currency :p
04:56 <@ordex> hyper_ch: yeah, that's why I said it's a reasonable price, I believe
04:56 <+hyper_ch> it's not really easy to bring gigabit to fll edge
04:56 <+hyper_ch> ordex: netflix recommends for 4k streaming to have 25mbit
04:56 <@ordex> yeah, I can't imagine 10 :D
04:56 <+hyper_ch> so you need to have many rooms ;)
04:57 <@ordex> right, which is not common here :D
04:57 <+hyper_ch> azarus: also swiss?
04:57 < azarus> Yup
04:57 <+hyper_ch> SG here
04:57 < azarus> BE here
04:57 <+hyper_ch> born in SO
04:57 < Kryczek> ah it's a bashism
04:57 <+hyper_ch> family originally from the Bärnder Oberland
04:57 <+hyper_ch> -d
04:58 <+hyper_ch> azarus: very happy with Init7 this far
04:58 <+hyper_ch> anyway, gotta go to court now
04:58 <@ordex> bye
04:58 < azarus> C ya
05:00 < azarus> Hmm. Now, I have TLS handshake errors.
05:01 <@ordex> azarus: do you have tls-auth/crypt enabled ?
05:01 <@ordex> azarus: btw running the server with --verb 4 may help understanding a bit more
05:01 <@ordex> (not always)
05:01 <@ordex> azarus: is the CA on the client and the server the same ?
05:02 < azarus> Well, I have the same ca.cert on both
05:04 < azarus> ca.crt*
05:06 <@ordex> yeah, that's a good start :)
05:06 <@ordex> how about tls-aut/tls-crypt ?
05:06 <@ordex> do you have it enabled?
05:06 <@ordex> tls-auth*
05:07 <@ordex> either one
05:07 < azarus> VERIFY X509NAME ERROR: C=<country>, ST=<province>, L=<city>D, O=<username>, OU=<username>, CN=<servername>, emailAddress=<email>, must be domain.com
05:07 < azarus> This is probably the cause
05:11 < azarus> Yup, was able to connect.
05:11 < xinobi> Hi what should be the appropriate encryption cipher?
05:11 < azarus> (after disabling tls verifying)
05:11 < azarus> When I enable the vpn now, I can't reach the internet.
05:13 < Kryczek> xinobi: depends how much processing power and bandwidth you can spare :)
05:13 <@ordex> azarus: you better keep the tls verification enabled and create menaingful certificates :P
05:13 <@ordex> azarus: the only required thing should be the common name
05:14 <@ordex> you have to set a different one for each client as openvpn uses that to identify users
05:14 < azarus> So delete all the certificate again?
05:14 < azarus> certificates*
05:14 < xinobi> Kryczek: I've small bandwidth +/- 4Mb but I would like to have a fairly secure connection
05:14 <@ordex> azarus: likely
05:14 < azarus> Also, seems my routing is all wrong.
05:14 <@ordex> azarus: also the server must have its own
05:15 <@ordex> xinobi: if you have a decent cpu, aes-gcm is usually a good choice as it can exploit hw acceleration and has little overhead
05:15 < xinobi> Kryczek: I'm using default encryption TLS but the logs are complain that is weak...
05:15 < xinobi> ordex: I've a RT-AC66U
05:15 < azarus> So the common name should match my domain?
05:16 <@ordex> xinobi: no clue what that is - sorry :(
05:16 < azarus> ordex: That's a router
05:16 <@ordex> azarus: no. the common name is a unique identifier for the user of that certificate
05:16 < xinobi> ordex: an ASUS router :D
05:16 <@ordex> azarus: can be "server" for the server, then user1 user2 chachacha
05:16 < Kryczek> xinobi: try "tls-cipher HIGH" and "cipher AES-128-GCM"
05:16 <@ordex> you can append the domain name if you want
05:17 < azarus> ordex: but openvpn complained that it must be domain.com...?
05:17 <@ordex> I think that's because of the other values being <something>
05:18 <@ordex> I'd fill them with some values, to avoid triggering any sanity check
05:18 <@ordex> can be fake values
05:18 < azarus> I'll try again with easyrsa.
05:19 <@ordex> azarus: it should ask you for all those values during the creation
05:20 < xinobi> Kryczek: not available in router options https://postimg.org/image/6qsdfuuet/
05:20 <@vpnHelper> Title: Screen Shot 2017-09-27 at 11.12.38 — Postimage.org (at postimg.org)
05:20 < azarus> So common name must be: domain.com
05:20 < azarus> (when I do easyrsa build-ca)
05:21 <@ordex> azarus: common name is the unique name identifying the user of the certificate
05:21 <@ordex> xinobi: probably using an older version of openvpn
05:22 <@ordex> xinobi: then AES-256-CBC might be a valid alternative, but can't tell about the performance
05:23 < xinobi> ordex: not sure the router firmware is not an old release and they keep it updated...
05:24 <@ordex> xinobi: then either the GUI is not up-to-date with the newer options, or they preferred to stick to openvpn 2.3 instead of moving to openvpn 2.4
05:24 <@ordex> openvpn 2.3 is still maintained, so it can still be a valid choice
05:26 -!- ordex changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire /topic || Current Release:2.4.4 (26 September 2017) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || Your problem is probably firewall. Really || TAP/bridging is almost always a bad idea || Vulninfo: !heartbleed !poodle !ovpnuke !sweet32 || EasyRSA v3.0.3 Released!
05:35 < azarus> Sheesh. Generating 4096-bit dh params takes forever
05:37 < nbastin> azarus: yes, like weeks
05:38 < nbastin> I mean if you have a really great random source it only takes hours
05:38 < azarus> I had it done in a couple minutes before...?
05:38 < azarus> Only now after doing it a couple of times it's really slow
05:39 < nbastin> for 4096 bits without using -dsaparam?
05:39 < nbastin> maybe you had a lot of good entropy.. :-)
05:39 < azarus> Dunno, did ./easyrsa gen-dh
05:39 < azarus> Can I just skip it for the time being?
05:40 < nbastin> you need dhparams on the host somewhere to generate your CA
05:41 < nbastin> you can do the probably-equally-secure so I'm told by my crypto guys, but I don't really know, method of openssl dhparam -dsaparam -out dh4096.pem 4096
05:41 < nbastin> which will take a little time, but not much
05:42 < Kryczek> xinobi: AES-128-CBC then, but why is it saying "Client" ? :)
05:43 < xinobi> Kryczek: because it is the client configuration ;)
05:43 < xinobi> Kryczek: I've also added cipher AES-256-CBC to server config
05:44 < xinobi> Kryczek: and enabled compression
05:47 < Kryczek> xinobi: how much bandwidth do you have?
05:48 < xinobi> ordex: it's not complain about anything now ;) I wonder if default which must be bowlfish is not good enough ?
05:48 < xinobi> Kryczek: ~4Mb
05:48 < azarus> Okay, I can connect now.
05:48 < azarus> Now, the problem is that I can't reach the Internet.
05:49 < Kryczek> xinobi: ah... I was going to say the compression on such limited hardware might reduce your bandwidth... But with 4Mbps it's worth a try
05:49 < Kryczek> xinobi: try various combinations and speedtest each?
05:50 < xinobi> Kryczek: I'm doing that now ;)
05:50 < azarus> I can't wrap my head around routing :s
05:50 < Kryczek> xinobi: by the way AES-128 is plenty good enough already, AES-256 is stronger but more of an unnecessary "cherry on top" with your limitations
05:51 < xinobi> Kryczek: lol that might be true just trying several scenarios
05:51 < azarus> I have a server with a static, public IPv4 address, and I set the tun device to 10.100.0.1, and I'm pushing the route "192.168.1.0 255.255.255.0"
05:53 < Kryczek> xinobi: note that not all contents can be compressed, typically encrypted traffic (HTTPS, SSH) and already-compressed video (Netflix, YouTube) will not get any faster with the OpenVPN compression :)
05:54 < xinobi> Kryczek: nice to know about that
05:57 < azarus> Hm... is there any recommendation for the tun device address?
05:58 < Kryczek> azarus: something not likely to conflict with other networks you might connect from
05:58 < azarus> Yup. I don't use any 10.x.x.x networks so I picked that.
05:59 < Kryczek> azarus: for example if you make your tun addresses in the 192.168.0.x range and then you go to a hotel or something with the same range for the local network, it will be problematic
05:59 < Kryczek> azarus: yes but there are many public WiFi networks that use 10.x.x.x
05:59 < azarus> I don't really use public WiFi.
05:59 < azarus> I use my mobile connection, which separates me in a /32 network
05:59 < azarus> So it shouldn't matter that much.
06:00 < Kryczek> azarus: I use 172.x.y.0/24 where x has to be between 16 and 31, preferably not 16
06:00 < Kryczek> I mean x and y random
06:00 < Kryczek> for example 172.29.143.0/24 is pretty unique
06:00 < azarus> Yup, makes sense.
06:01 < azarus> If I can't reach the internet from my VPN, might that mean the default route of the tun interface is wrong?
06:01 < Kryczek> have you enabled forwarding and NAT'ing on your VPN gateway?
06:01 < azarus> Not manually :o
06:02 < Kryczek> you need that, otherwise your packets reach the gateway but then the gateway doesn't push them forward
06:02 < azarus> How do I enable both?
06:03 < Kryczek> try this: cat /proc/sys/net/ipv4/ip_forward
06:03 < Kryczek> if it says 0 it means the gateway is not acting as a router
06:03 < azarus> Yup, says 0
06:03 < Kryczek> so you can temporarily enable it by doing, as root: echo 1 > /proc/sys/net/ipv4/ip_forward
06:04 < azarus> And then try again?
06:04 < Kryczek> later on, to make it permanent across reboots, you can edit /etc/sysctl.conf to have a line that says "net.ipv4.ip_forward = 1"
06:04 < Kryczek> no not yet, that's half of it
06:04 < Kryczek> this is sufficient for routing, but!
06:04 < azarus> Okay, I'll edit syctl.conf
06:05 < azarus> Done.
06:05 < Kryczek> your gateway will now be sending packets to your Internet modem or wherever onwards, with source IPs still that of your tun settings
06:05 < Kryczek> so you need the gateway to translate this address to its own first: Network Address Translation
06:06 < azarus> Yup. So it translates the source address.
06:06 < Kryczek> a quick and dirty way to do it is to run, as root: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE (if eth0 is the device packets come out of, to go to the Internet)
06:07 < azarus> Okay, donel.
06:07 < Kryczek> this is also only temporary, and you don't want to make firewall rules permanent just yet in case you make a mistake: it's good to have the option to reboot
06:07 < azarus> done*
06:07 < Kryczek> try now?
06:07 < azarus> Sure.
06:07 < azarus> I'll be offline for a moment.
06:10 < azarus> Yo, that worked, thank you very much!
06:10 < azarus> Now I'll make the iptables rule permanent.
06:16 < Kryczek> :)
06:16 < michalrus> Kryczek: oy mate
06:16 < Kryczek> azarus: an easy way to do that is to install the "iptables-persistent" package
06:17 < michalrus> Polska, k××va!
06:17 < Kryczek> hah
06:17 < Kryczek> I am not Polish :D
06:17 < michalrus> Uh =(
06:17 < Kryczek> but oy mate to you too still! :D
06:18 < michalrus> ♥
06:29 < azarus> Great, I can connect now and have internet from my VPN.
06:29 < azarus> Is anybody using sslh here?
08:06 < kishmesh> in tunnel options, --mode : what is the difference between "p2p" and "server"? is this a server side only settings? Where can I find more information on this?
08:08 < kishmesh> ah I just saw the "server" section in the manual
08:10 < rob0> p2p is peer-to-peer, only two peer endpoints, can't add in other clients
08:21 < kishmesh> rob0: yeah thx, I understand now. I just got a little confused only reading the --mode explanation. Maybe it would be good if there was a link/pointer to the main "Server/Client" sections further down below.
08:29 < qwerkus> hello, quick question: can the openvpn client for windows be configured to access an ssl fortigate server ?
08:35 < rob0> fortigate is not openvpn, right?  You have to use other client software to access non-openvpn VPNs.
08:37 < gfot> I run an OpenVPN client on a linux (Ubuntu) machine and works fine. Users connects to internet and his IP seems like the one obtained from VPN. Is it possible to run two OpenVPN clients one for userA and the other for userB of the same system? So traffic from first user goes through the OpenVPN1 interface and the other user's traffic through OpenVPN2 interface?
08:38 < rob0> um, if you mean multiple openvpn clients behind a single NAT router, sure, that's doable, albeit ugly.
08:39 < rob0> If you mean something else, be more specific.
08:39 < DArqueBishop> rob0: I believe he means on the same physical system. As in, user A and user B on PC 1.
08:39 < rob0> oh, yuck
08:40 < gfot> I think I mean the first one . yes @DarqueBishop
08:40 < DArqueBishop> Yeah, that's not really doable.
08:40 < DArqueBishop> ... at least, not without some SERIOUSLY ugly hackery.
08:40 < rob0> what would be the point of this?  It would not be easy to do, if doable at all.
08:40 < qwerkus> rob0: thanks for your reply. Fortinet seems to offer ipsec and ssl based vpn services. As openvpn is also an ssl based vpn service, I was wondering if it is possible to conifigure it to access an ssl fortigate
08:41 < gfot> I want to run specific application using different Ips
08:41 < DArqueBishop> qwerkus: just because it's SSL based doesn't mean it's the same underlying technology.
08:41 < rob0> qwerkus, does the fortigate documentation mention anything about compatibility with openvpn?  If not, I'd bet it is not.
08:42 < qwerkus> pffff. Shame we have to use this proprietary fortinet; now I also have to use a proprietary client. At least on linux there is an openfortissl client that seems to work
08:43 < rob0> gfot, probably the best bet is to use a VM for one or both VPN connections, and then still, it's not going to be easy.
08:43 < rob0> !lartc
08:43 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
08:46 <@ordex> gfot: you could do that with some fwmarking, iptables and policy routing. but you need to study yourself. or do what rob0 is subbesting
08:53 < gfot> @rob0 that's why I asked because I have a guest Ubuntu on a host Mac, I run the openvpn on mac and gets a new ip, then i run openvpn on guest and gets new ip and all work nicely. Since virtualbox is a process on the same system, why isnt possible to do per process without loading new vm each time?
08:54 < rob0> per-process routing on Mac, I would have no clue at all.  I do have some familiarity with these features in Linux.
08:54 < gfot> I do some testing locally but the real machine has linux
08:56 <@ordex> gfot: these are really low level things. what works on mac won't work on linux
08:56 <@ordex> different tools, different kernels, different routing mechanisms
08:56 <@ordex> on linux this can be done imho with iptables+fwmark and policy routing
08:56 <@ordex> because iptables can firlter by user and pid, but I never tried it
08:57 <@ordex> on mac i also have no clue
08:57 < gfot> @ordex i agree what i wanted to check is if the openvpn that runs inside vm and the openvpn that runs on host machine work nicely, which they do. The real usage would be one linux machine, N users each one has openvpn client intsance , and so they get different ip from vpn each time they connect
08:58 <@ordex> I see
08:58 <@ordex> gfot: different IP you mean different public IP? or different VPN IP ?
08:58 < gfot> is this doable or not because i dont know much about networking :(
08:58 < gfot> vpn ip
08:59 < rob0> VMs on Linux, yes, it's doable, but going to take you a long time to learn enough to do it (or a lot of money to hire someone!)
08:59 <@ordex> gfot: you could probably do that with one vpn process only. you can then have an entire subnet and assign one IP per user
08:59 <@ordex> the question is how to ensure each user uses only that IP
09:00 <@ordex> you need to dig a bit :)
09:00 < gfot> @rob0 with vms i think it's straight to do it, i was wandering without
09:00 < rob0> ordex, note that we don't know much about the actual goal; I was assuming there might be some reason that the second VPN had to go somewhere else.
09:00 <@ordex> rob0: right, but he said " < gfot> vpn ip"
09:01 <@ordex> so "I guess" they connect to the same server and get different client IPs
09:01 < rob0> gfot, you could help yourself a bit by clarifying that
09:03 < DArqueBishop> !xy
09:03 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
09:03 < gfot> @ordex what you mean to ensure each user that uses only that ip? here what i have understood : openvpn creates a new logical network interface 'tunX' through which all traffic goes to vpn server and from there to internet thus a web server may sees a request from user A as having an IP different from the one that his PC usually has (its the VPN ip). The i wander if two users can ran separately on same system 2 instances of openvpn with different confs to
09:03 < gfot>  point ot different vpn servers will get different vpn ips. For the time will execute a test the ips will be that. so 2 openvpn => 2 tunX interfaces somehow i have to do some changes on routing .. anyway i dont know much about networking probably i will not be able to do it.. about the VMs i think will work but has overhead
09:05 <@ordex> rob0: you were right, I got it wrong :P
09:05 <@ordex> gfot: yeah, forget about my suggestion of doing everything with one instance
09:06 < gfot> so from what i understood its a difficult non-trivial task..
09:09 <@ordex> gfot: yes. it is unrelated to openvpn
09:09 <@ordex> you could also have 10 Ethernet cards and you want each user to use 1 different card each
09:09 <@ordex> as I said, iptables+fwmark and policy routing might be one way to go
09:10 <@ordex> but it is not trivial unless you find some script of somebody who has done that before
09:10 < rob0> as suggested by DArqueBishop, this could be a case of XY.
09:11 < gfot> @ordex when you said before about VPN IPs you mean the IP that openvpn client has in its configuration to reach a VPN server or 2) the IP that VPN assigns to system (what is visible then to his requests)?
09:11 <@ordex> gfot: 1). that is why I said I misunderstood
09:11 <@ordex> rob0: also :P
09:11 <@ordex> gfot: what is your final goal?
09:11 <@ordex> regardless of this particular step
09:13 < gfot> What i want to achieve is the following: 1 system(PC) that runs several applications which each one is behind a VPN IP (option 2 as i described above) to run some tests on a web server
09:13 < gfot> each test application sends requests to web server
09:13 < gfot> so when web server logs the requests finds different client IP for each app although they run on same system
09:14 <@ordex> gfot: does the "testing app" support binding on a given local IP? many do
09:14 <@ordex> then you could easily bind to a specific IP (i.e. IP from VPN 1, so that you go out VPN1)
09:14 < gfot> i suppose it can be done to run them on specific local ip
09:14 <@ordex> many tools support that. but not sure what you are using
09:15 < gfot> you mean i can bind test app to a local IP (i.e. 192.168.1.14) and then what? :)
09:15 < rob0> so the real goal is to "test web server"
09:16 < gfot> yes
09:16 <@ordex> each tun interface has an IP..you can bind to the specific IP to use that VPN
09:16 < rob0> and these tests require simultaneous access from different IP addresses from different VPN providers?
09:17 < gfot> Oh, so i can run several instances of vpn client to create several tunX interfaces and then directly bind the test apps to each of tun ip?
09:17 < rob0> I'd consider buying 2-3 VPS systems and do the test from those rather than from a single Mac.
09:18 < gfot> @rob0 require different IPs not necessary vpn ips but since i do not own the VPS systems i was wandering if could be done by using many ips that provide the vpns
09:20 <@ordex> gfot: however, not sure what you want to measure, but if it is performance, consider that each VPN will come with its own latency, mtu limitations and bandwidth capability..
09:21 < gfot> anyway guys thanks for trying to undertand what i wanted to say (english is not primary language) and for your time, i will try right now the idea of binding directly to tunX interface IP otherwise i will abandon this technique and maybe will follow @rob0 advice for obtaining 2-3 VPSs.. Thanks again!
09:21 < rob0> gfot, yw, that's definitely cheaper.
09:37 < gfot> Ok i did a test: one system (Ubuntu), one user, runs openvpn 2 instances like this `sudo systemctl start openvpn@0001` and `sudo systemctl start openvpn@0002` , where 0001.ovpn, 0002.ovpn 2 configuration files that contain info about a vpn server (different) to connect to. The result of `ifconfig` shows two `tunX` interfaces created => tun0, tun1. I created a quick test app that hits `icanhazip.com` and when the localAddress for the request is set to
09:37 < gfot>  `tun0` IP is successfully executed but when i switch to localAddress of tun1 interface then there is an error: connect ETIMEDOUT. So something makes difficult to communicate to internet using tun1..
09:45 -!- badpixel_ is now known as badpixel
09:51 < gfot> I found this page: https://openvpn.net/index.php/open-source/faq/79-client/283-can-i-run-multiple-openvpn-tunnels-on-a-single-machine.html  while searching for an answer.. but i dont understand the sentense: "Make sure each TUN/TAP adapter has a unique, non-overlapping subnet using server, server-bridge, or ifconfig." How can i check that each TUN has a unique, non-overlapping subnet?
09:51 <@vpnHelper> Title: Can I run multiple OpenVPN tunnels on a single machine? (at openvpn.net)
09:53 < rob0> running multiple tunnels (multiple openvpn instances) is not the problem at all.  Gateway redirection IS the problem.  And as ordex pointed out, that's not an openvpn problem.
09:53 < nbastin> is there a preferred openvpn client for ios?
09:53 < rob0> !notovpn
09:53 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
09:54 < rob0> gfot, I've had machines running with 6 openvpn instances.  But none of those used --redirect-gateway; they were merely for site-to-site secure connections.
09:55 <@ordex> gfot: you definitely need policy routing if you have multiple default routes. but as said several times, this is a routing problem that does not directly relates to openvpn
09:55 <@ordex> you could imagine to have two uplink
09:56 < gfot> can you please explain me why the second tun interface does not work? what is the gateway redirection problem?
09:57 < rob0> hmm, you really need a better understanding of basic network routing before you venture into advanced routing.  Do you not understand what a gateway is, and what it means to "redirect" it?
09:57 < rob0> !redirect
09:57 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
09:57 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
09:58 < rob0> You said you wanted traffic from one process to use one VPN IP, and another process to use another VPN IP.  This means you're having to redirect your default gateway and use alternate routing rules.
09:59 < gfot> A gateway is the device that allows me to connect to internet right? so the problem with 2 tun interfaces is like i have two router devices on same line?
09:59 < rob0> go ahead and play with it and start up 2, 3, 4 and more instances of openvpn.
10:03 < gfot> weird.. when i instantiate more openvpn isntances there are no more tun interfaces created.. with `ifconfig` ican see only tun0, tun1 but i have instantiated 4 openvpn instances..
10:04 < gfot> no just now appeared one more: tun2 .. @rob0 what do i need to do to undestand using your paradigm of spawning many openvpn instances?
10:11 < rob0> Each openvpn instance is like installing a NIC in a physical computer.  Each NIC can connect to a different network.  But the system can only have one default gateway.
10:14 < kishmesh> now my openvpn server works nicely with multiple clients. wondering, if one of these clients is hosting a service, let's say https, how do I get the traffic to route properly? i assume that is a question of the NAT/firewall?
10:14 < kishmesh> so I need a static ip for one of the clients?
10:16 < gfot> @rob0 thanks good analogy to describe the problem. And you say that this can be handled by doing correct gateway redirection right?
10:17 < rob0> gfot, no, I did not say it can be handled at all.  Policy routing and possibly fwmark rules.  No, this idea is not feasible, as we already told you before you googled up that page.
10:18 < gfot> i see, thx
10:27 < kishmesh> or should i get another public ip and start another openvpn server instance for the serving client_
10:27 < kishmesh> ?
10:29 < kishmesh> actually, it could just run over the same public ip, but incoming traffic for port 443 is routed to another subnetwork
10:32 <@ordex> kishmesh: there is a bit of confusion i think. ports are not "routed"
10:33 <@ordex> and I haven't fully understood what you are trying to achieve
10:33 < kishmesh> ordex: ok let me explain
10:33 <@ordex> who is supposed to reach the https server? from where?
10:33 <@ordex> good idea :)
10:35 < kishmesh> openvpn server A, vpn clients X, Y, Z ... Z is hosting https. Now I want https requests (and other services) ariving at A to be routed and handled by Z
10:36 < kishmesh> ordex: makes sense? ;-)
10:37 < kishmesh> to make it even more clear X, Y and Z have simultanious VPN connections to A
10:37 <@ordex> kishmesh: yeah makes sense
10:38 <@ordex> it is the same you'd have in a LAN where a device  is hosting a service and you want people from outside to reach it
10:38 <@ordex> you only need port forwarding. but to setup port forwarding the destination has to have a known IP, so you have to make it static, yes
10:38 <@ordex> unless you add the port forwarding rule in a openvpn script that can get the IP via env variable
10:38 <@ordex> and add the rule
10:42 < kishmesh> ordex: that's what I thought. But how do give a VPN client a static ip? software I'm using something like --server 10.8.0.0 255.255.255.0  on A, connecting clients dynamically get an ip from subnetwork 10.8.0.0
10:42 <@ordex> !ccd
10:42 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
10:42 < kishmesh> s/software/sofar ;-)
10:43 <@ordex> in here you can use the --ifconfig statement to assign an IP
10:47 < kishmesh> ordex: great! and how do I make sure the ip i'm assigning is not accidently used by the other clients as well?
10:47 <@ordex> kishmesh: I believe that's openvpn duty. he keeps track of IP assigned to clients
10:47 <@ordex> after all the ip will still be assigned by openvpn, you are just telling it what to assign
10:48 < kishmesh> ah ok. good to know. thank you very much!
10:48 < kishmesh> all I then have to do is to configure the firewall/NAT. Should be easy (pf.conf/OpenBSD :-)
10:49 <@ordex> :)
11:04  * nbastin may never get to this namespace stuff if he continues to smash his head against xmpp
11:43 < scryptophyte> is it possible to chain proxies when communicating with 2 exact IP but to chain others for all other packets?
11:54 < scryptophyte> by proxies I meant network
11:55 < rob0> is that somehow related to openvpn?
11:55 < nbastin> yeah this question confuses me, even where s/proxies/networks/
11:55 < scryptophyte> First, can we chain VPN with OpenVPN?
11:56 < rob0> yeah, the fact that I have no idea about what the question meant was going to come up next :)
11:56 < nbastin> scryptophyte: sure
11:56 < nbastin> client - server - server you mean?
11:56 < rob0> you mean a VPN through a VPN?
11:57 < nbastin> right, so define chain.. :-)
11:57 < nbastin> (vpn in a vpn I call tunnel.. :))
11:57 < scryptophyte> Ok now can we cofigure OpenVPN to use 3 VPN provider for all trafic but when accessing a certain web page to use 3 other VPN provider?
11:57 < rob0> wow, you're way over my head, sorry
11:57  * rob0 grabs for the aspirin
11:58 < scryptophyte> can we use a different configuration of VPN for different IP
11:58 < nbastin> scryptophyte: yes, but that's a routing question not a vpn one
11:58 < rob0> You can run as many openvpn instances as your system will allow.
11:59 < scryptophyte> in one openvpn instance can we tell for which IP (website, OpenSSH or others) we want to use the VPN provider?
12:00 < nbastin> no, you need to use routing for that on your client system
12:00 < rob0> "website"?  Routing is done by IP address, not by DNS hostnames.
12:00 < nbastin> but a standard route table can handle per-IP destination choosing
12:00 < nbastin> whether you can configure that as you want on your client is a different question
12:00 < rob0> so getting back to the original question, maybe you DO want a proxy
12:00 < nbastin> and whether doing it by IP really works is yet anohter.. :-)
12:01 < scryptophyte> I just want to use a VPN for all traffic but a different VPN when connecting to my remote server.
12:01 < rob0> I'd suggest that if you step back from your determined "solution", and describe the original problem and goal, you'd get better answers.
12:02 < nbastin> scryptophyte: putting aside things like you said "3 vpn" in various places, that sounds like you want one vpn to be your default route (0.0.0.0/0), and one to be a specific route (x.x.x.x/24 or something)
12:02 < nbastin> scryptophyte: in the case of one vpn to "the internet" and one vpn to "my private net" that is not that difficult
12:03 < nbastin> in the case of 6 vpns to weird places, that's much more involved.. :-)
12:04 < scryptophyte> thank you
12:07 -!- r00t^2_ is now known as r00t^2
12:23 < TyrfingMjolnir> I would like to let the server sign the certs for the users using EasyRSA
12:23 < TyrfingMjolnir> What is best practice?
12:24 < TyrfingMjolnir> I would like to have a script that reads from psql which users need a new cert then I would let the script run EasyRSA and put the keys in the user's admin folder in IMAP
12:25 < rob0> ~
12:27 < TyrfingMjolnir> No good?
12:27 < TyrfingMjolnir> Or what does home symbol mean?
12:40 < bachler> Hi all, I am trying to disable ipv6 for my tap interface when connecting. I have added script-security 2 to my config file to be able to use the 'up "/sbin/sysctl net.ipv6.conf.tap1.disable_ipv6=1"' directive to disable ipv6. i have a dev tap1 near the top of the config. the problem i am running into is that openvpn seems to pass MTU and other options after my command, eg. '/sbin/sysctl
12:40 < bachler> net.ipv6.conf.tap1.disable_ipv6=1 tap1 1500 1585 <IP> 255.255.255.0 init' which makes sysctl fail and then everything fails. (sysctl>openvpn>systemd). can i stop openvpn from passing theese parameters to this command?
12:41 < nbastin> TyrfingMjolnir: honestly if you're going to write a script, just write a script to use openssl instead of easyrsa
13:00 <+hyper_ch> so, back again
13:03 <@ordex> hyper_ch: the court let you out ?
13:05 <+hyper_ch> of course
13:05 <@ordex> :P
13:06 <+hyper_ch> but didn't go so well for my client
13:09 <+hyper_ch> client has "won" 18 months of state paide, sieved, vacation
13:15 <+hyper_ch> the states attorney even wanted to give 48 months of state paid, sieved vacation
13:15 < DArqueBishop> What was he charged with?
13:16 <+hyper_ch> attempted homicide
13:16 <+hyper_ch> well, of course we'll appeal :)
13:16 <+hyper_ch> almost always on appeal the punishment gets lowered
13:17 <+hyper_ch> well, attempted homicide while heavily intoxicated (blood alcohol level was 2.71 ‰)
13:18 <+hyper_ch> which lowered the punishment quite a bit...
13:20 <+hyper_ch> DArqueBishop: why do you ask?
13:32 < baconology> hi
13:32 <+hyper_ch> hi
13:32 < baconology> i would love 1 good guide on how to actually deploy ovenvpn on debian 9
13:32 < baconology> i followed the digital ocean one and i am failing spectacularly
13:32 < baconology> if you have any recommended reading
13:33 <+hyper_ch> sudo apt-get install openvpn
13:33 <+hyper_ch> create certs/keys
13:33 <+hyper_ch> start it with systemd
13:33 < baconology> yeah it isn't starting up
13:33 < baconology> i think its the guide i used
13:33 <+hyper_ch> !howto
13:33 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
13:33 <+hyper_ch> !easyrsa
13:33 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA, or (#4) Source checkouts available from the github project.
13:33 < baconology> this is probably a good place to start i suppose
13:33 < baconology> i was using htis
13:34 < baconology> this
13:34 < baconology> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8
13:34 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Debian 8 | DigitalOcean (at www.digitalocean.com)
13:34 -!- ghoti_ is now known as ghoti
13:34 <+hyper_ch> look at the above links
13:34 < baconology> yup i will
13:34 < baconology> just for context
13:34 < baconology> sharing is caring etc
13:34 < baconology> now im scared i have a bad install and have no idea how to rip it out and restart
13:35 < baconology> anyway thanks
13:35 <+hyper_ch> create ca/certs/keys
13:35 <+hyper_ch> create config
13:36 <+hyper_ch> copy config to /etc/openvpn/xxx.conf
13:36 < baconology> yeah i followed this other guide step by step
13:36 <+hyper_ch> enable it with sytemd:   systemctl start openvpn@xxx
13:36 <+hyper_ch> start it with systemd:   systemctl start openvpn@xxx
13:36 <+hyper_ch> first should be "enable"
13:37 <+hyper_ch> and dazo is going to hit me soon I guess
13:37 < baconology> :)
13:37 <+hyper_ch> enable ip forwarding
13:37 <+hyper_ch> !ipforward
13:37 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
13:37 < baconology> yup ive done all this
13:37 <+hyper_ch> and configure your firewall
13:37 < baconology> done done done
13:37 <+hyper_ch> !configs
13:37 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:37 <+hyper_ch> and logs needed
13:38 < baconology> ill read your guide first before coming back for help
13:39 <+hyper_ch> it's not my guide...
13:39 <+hyper_ch> people way smarter wrote it
13:42 -!- mundus2018 is now known as mundus
13:45 < baconology> i wish i followed it first
13:45 < baconology> big shout out to bachler and hyper_ch for your time today
13:45 < baconology> thank you gents/ladies/cis
13:56 < DArqueBishop> Always remember...
13:56 < DArqueBishop> !blog
13:56 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
14:18 <+hyper_ch> geez, they already plan usb 3.2 when I still have no usb 3.1 device or port
15:01 < DooGY> Hi everybody
15:02 < DooGY> i need some help please
15:02 < DooGY> :)
15:04 < DooGY> !goal
15:04 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:05 < DooGY> !welcome
15:05 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
15:05 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
15:08 < DooGY> i would like to update the openvpn client installer which is currently stored on the server https://vpn.xxx.xxx/config/YXppei5oYW1pZGRvdWNoX0FVVE9MT0dJTg==/X19OT05FX18=/Z0FyXmewHLX1/openvpn-connect-2.1.3.110.msi
15:09 < DooGY> and i would like to replace this version openvpn-connect-2.1.3.110.msi by the latest msi (for example openvpn-connect-2.4.4.msi or another fresh version)
15:09 < DooGY> thanks for your help :)
15:12 < vectr0n> DooGY, openvpn-as?
15:12 < DooGY> Hi vectr0n
15:13 < vectr0n> if yes
15:13 < vectr0n> !as
15:13 < DooGY> what do you mean by openvpn-as please ?
15:13 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
15:13 < DooGY> ah ok AS stands for Access Server right ?
15:13 < vectr0n> correct
15:13 < DooGY> ty ;)
15:13 < vectr0n> np :)
15:13 < DooGY> :)
15:13 < DooGY> indeed
15:14 < DooGY> how can i get this info please vectr0n?
15:14 < vectr0n>  /join #openvpn-as
15:14 < DooGY> ty vectr0n
15:21 < DooGY> vectr0n ?
15:21 < DooGY> are you around ?
15:21 < vectr0n> yup
15:22 < DooGY> my request is the same one as the topic which was opened on this link
15:22 < DooGY> https://forums.openvpn.net/viewtopic.php?t=23927
15:22 <@vpnHelper> Title: Upgrade windows client download from server - OpenVPN Support Forum (at forums.openvpn.net)
15:22 < DooGY> probably you can help me :)
15:23 < vectr0n> only the #openvpn-as chan can assist, i dont use it, i use only the open source, ask in #openvpn-as and wait patiently for a reply, sorry cant be of any help
15:23 < DooGY> don't be sorry vectr0n
15:23 < vectr0n> access server and open source differ
15:23 < DooGY> i really appreciate your help
15:23 < DooGY> :)
17:30 < oe1skw> Hello, is it possible to let openvpn monitor if a client connects and disconnects and write this to te log file like user 1 logged in at .. and logged off at ...
17:31 < oe1skw> !welcome
17:31 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
17:31 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
20:32 -!- baconology is now known as mope
20:34 -!- mope is now known as canadaOK
23:07 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has quit [Ping timeout: 246 seconds]
23:13 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
23:13 -!- mode/#openvpn [+v hyper_ch] by ChanServ
23:44 -!- mundus is now known as sudnum
23:45 -!- sudnum is now known as mundus
--- Day changed Thu Sep 28 2017
02:03 -!- abenz_ is now known as abenz
02:03 <+hyper_ch> wohoo, gigabit internet@office :)
02:06 <@ordex> @_
02:06 <@ordex> :)
03:44 -!- zedde is now known as Varazir
08:56 < twk> anyway to have an openvpn client register its hostname with your dns?  "Register_dns request sent to service" doesnt seem to be doing it
09:00 -!- NotSecwitter is now known as NonSecwitter
09:24 < rob0> Lots of ways, sure.  See --up and --down and the various variables used in scripting.  From that point your question is specific to your DNS implementation.  For BIND, you could run nsupdate.
11:12 <+hyper_ch> how can I get 1gbit real speed on wifi?
11:18 <@ecrist> you won't see that
11:19 <+hyper_ch> ecrist: well, I got now also gigabit in the office
11:19 <+hyper_ch> and now wifi only gets like 260MBit
11:19 <+hyper_ch> which is 1/4 :(
11:20 <+hyper_ch> this is so unfair :(
11:20 <@ecrist> hyper_ch: gigabit tends to be best utilized by a group, not a single user
11:20 <+hyper_ch> I, me and myself? already 3 users
11:21 <+hyper_ch> and yes, it's hard to fully use gigabit
11:42 < twk> hrmm interesting rob0.  now to figure out how to implement that with pfsense :)
15:41 < nbastin> hyper_ch: you can get 1gbps on a wide variety of narrow field (usually point to point, but sometimes a little bit bigger) wireless
15:42 < nbastin> also some MIMO wifi units if you have no interference and are the only user
15:43 < nbastin> and the moon is in the right position in the sky, and the stars are properly aligned
16:38 < Leo`_> Hey. I'm testing a very simple OpenVPN setup between two machines with basically the same configuration as shown here: https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux (first two commands under ‶Standard setup″), and the server log is flooded with ‶packet HMAC authentication failed″ errors.
16:38 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
16:38 < Leo`_> Does anyone know what that means?
16:39 < Leo`_> Pinging works. The client is not showing the errors.
16:52 < Leo`_> Huh, turns out I had another badly configured client that I forgot to kill and which was causing those errors...
17:46 < |Mike|> re!
19:48 < kishmesh> how can i make sure all traffic goes through vpn tunnel? firewall?
19:48 <@ordex> !redirect
19:48 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
19:48 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
19:50 < kishmesh> ordex: i do have this in place. still I have the suspision that it is not working for some reason. inspecting packets on openvpn server side reveal public home WAN ip
19:51 <@ordex> well, I guess those are the packets going to your VPN server ?
19:51 <@ordex> "outside" the tunnel
19:53 < kishmesh> yes. inspecting with wireshark on vpn client side I can also clearly see "outside" communiction with vpn server
19:56 < kishmesh> i mean, if I make a http request (say with curl) it should first enter the tun device, where it gets wrappe in a udp packed, send via the external interface. or?
19:59 < kishmesh> :-/
20:00 < kishmesh> I really have the suspisiion that there is something wrong with the routes
20:02 < kishmesh> here are my routes on vpn client side http://ix.io/ArV
20:02 < kishmesh> the remote ip of the vpn server is x-ed out
20:04 < kishmesh> which is routed to default local gateway 192.168.178.1, which is routed to 0.0.0.0.
20:05 < kishmesh> how come there are two default gateways? 10.8.0.9 with mask 128.0.0.0 on tun0, 192.168.178.1 with mask 0.0.0.0 on wlps20
20:14 <@ordex> kishmesh: it's the way the "def1" flag for redirect-gateway works
20:15 <@ordex> it's ok
20:15 <@ordex> kishmesh: I have not understood your statement above
20:15 < kishmesh> ordex: which statement?
20:15 <@ordex> what I was trying to say is that, when you send a VPN packet, such packet is sent to the VPN server using your standard uplink connection, which means it uses your WAN IP
20:15 <@ordex> that is normal as that is the only way to talk to the server
20:15 <@ordex> but your IP will only hit the server
20:16 <@ordex> drom there the packet "inside" the tunnel is routed to the rest of the Internet
20:16 <@ordex> if this is not what is happening, then you should clarify what you are seeing
20:18 < kishmesh> ordex: you are right. I am still quite confused to be hosted. Is the communication between the client and the server encrypted? since I set it to udp, it should only be udp packets leaving the WAN device?
20:19 <@ordex> right
20:20 <@ordex> well, you may have also other packets directed to other hosts within your local network. that may depend on your setup
20:20 <@ordex> but you should have no packets going to "remote" destinations other than the UDP VPN packets
20:20 <@ordex> kishmesh: you may still have lots of local IPv6 packets going out or ARP and other stuff
20:21 <@ordex> there is local traffic that will still go out. but again it depends on your setup
20:21 <@ordex> just saying that there is no sharp answer. it depends on your setup :)
20:21 <@ordex> if you see "something else", then I'd focus on that something else and try to undersand what it is and where it is going. you may find out that it is ok
20:22 < kishmesh> i'm currenly capturing wireshare on my wireless interface. When I load a webpage, I see no packets at all. When I capture on tun device, I see all the requests.
20:23 <@ordex> kishmesh: on the wlan interface you should see at least the VPN packets, I guess?
20:23 <@ordex> how do you talk to the vpn server otherwise?
20:26 < kishmesh> ok this is very strange, let me explain:
20:27 < kishmesh> so I'm capturing my wireless device. When I browse normal webpages, I see no traffic.
20:27 < kishmesh> when I browse the domain of my openvpn server I also see nothing
20:28 < kishmesh> when browse the ip of my openvpn server, I see traffic
20:28 < kishmesh> when I curl the ip of my openvpn server, I see traffic
20:28 < kishmesh> when I curl the domain of my openvpn server, I see traffic
20:28 < kishmesh> when I browse domain in private mode, I see traffic
20:29 <@ordex> maybe your browser is caching ?
20:29 < kishmesh> all of the traffic has destination port 80
20:29 < kishmesh> ok forget about the browser
20:29  * ordex forgets
20:30 < kishmesh> fact is, when I curl a normal domain, I see no traffic, when I curl ip/domain of vpn server, I do see traffic
20:31 <@ordex> kishmesh: same with ping I guess
20:31 <@ordex> kishmesh: can you paste the output of "ip route" ?
20:31 <@ordex> without restarting the VPN or anything ?
20:31 <@ordex> I'll be back in 10 minutes
20:32 < kishmesh> sure
20:39 < kishmesh> ordex: http://ix.io/Asg
20:42 < kishmesh> ordex: inspecting with wireshark wireless interface, curl some-server.org, I see udp traffic vpn desitnation port, curl my-vpn-server, i see plain http tcp traffic
20:45 <@ordex> kishmesh: makes sense
20:45 <@ordex> kishmesh: traffic to the Internet -> goes over the VPN
20:46 <@ordex> kishmesh: traffic to the *public* IP of your VPN server -> goes over plain internet
20:46 <@ordex> kishmesh: if you want to go over the tunnel when talking to the server, you must use its VPN IP
20:46 <@ordex> VPN IP == IP over tun
20:46 <@ordex> kishmesh: what you see is ok
20:47 <@ordex> there is no leakage for general traffic as you have seen
20:52 < kishmesh> hmmm ok .. but why is that? is there away around it? maybe add entry to /etc/hosts?
20:53 < kishmesh> ordex: why is traffic to public IP of VPN excluded from being tunneled?
20:58 <@ordex> kishmesh: because you need to be able to send traffic over the internet to your VPN server, otherwise how can the VPN work?
20:58 <@ordex> routing is IP based, not port based
20:58 <@ordex> so there is a route saying "traffic to IP X has to go to my 'normal' gateway"
20:58 <@ordex> this way the VPN traffic has a way to reach the VPN server
20:58 <@ordex> kishmesh: makes sense?
20:59 <@ordex> if you reach your VPN server via a hostname
20:59 <@ordex> then sure: you can force the hostname to resolve to the internal VPN IP so that requests will use that IP and go over the tunnel
20:59 <@ordex> for that you can use /etc/hosts
21:02 < kishmesh> ordex: yes that makes perfect sense now. ok I just did that, works very well. Thank for clearing up that confusion.
21:02 <@ordex> np
21:02 <@ordex> it all boils down to very elementary routing steps in the end
21:02 < kishmesh> maybe I could make a script that adds this resolving only when vpn is started?
21:03 <@ordex> nomagic involved, despite hyper_ch wouldn't agree :P
21:03 <@ordex> kishmesh: sure. you could add that to the --up script of your VPN
21:04 <@ordex> and something in --down to clear that up (beware of permissions to access the hosts file)
21:05 < kishmesh> ordex: hmm. what would be a good "tool" to add/remove these entries to/from /etc/hosts? have no experiences with such scirpts
21:06 <@ordex> kishmesh: mhh need some research
21:06 <@ordex> I have always done that manually
21:06 <@ordex> in the worst case you can do that "manually" too with grep/sed/awk/something-like-that
21:06 < kishmesh> I'm allready using an up and down script for updating /etc/resolv.conf ...
21:07 < kishmesh> ok cool
21:07 < kishmesh> anothing puzzle piece learned
21:07 < kishmesh> ordex: thanks a lot again!
21:07 <@ordex> np
21:09 < kishmesh> while I understand that it is an edge case, it alters that claim that "all traffic" is tunneled. Now that I know it makes perfect sense though that traffic to public IP of VPN server is not tunneled.
21:10 < kishmesh> normally this shouldnt be a probably if tls is used
21:10 < kishmesh> but I do prefer to tunnel all the way ;-)
21:12 < kishmesh> ordex: https://gist.github.com/irazasyed/a7b0a079e7727a4315b9
21:12 <@vpnHelper> Title: Bash Script to Manage /etc/hosts file for adding/removing hostnames. · GitHub (at gist.github.com)
21:13 <@ordex> yeah it's all done manually
21:13 <@ordex> there is no "toolt"
21:13 <@ordex> *tool
21:21 -!- Vercas_ is now known as Vercas
21:22 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 240 seconds]
21:25 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
21:25 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Fri Sep 29 2017
00:13 -!- abenz_ is now known as abenz
03:17 < hexhaxtron> I'm using Debian. Can someone help me configure OpenVPN with Let's Encrypt and PAM?
03:31 <@ordex> hexhaxtron: how do you want to configure let's encrypt and openvpn ?
03:32 < hexhaxtron> ordex: can we just do it with PAM?
03:32 < hexhaxtron> I tried to configure it but when I do ps aux|grep -i openvpn nothing shows up...
03:33 <@ordex> sorry i never used PAM :(
03:33  * ordex feels useless today
03:33 <@ordex> :P
04:52 < |Mike|> hexhaxtron: topic ^^
05:00 < Kryczek> hexhaxtron: have you read all the answers you were given in ##security ? What you are trying to do is not a good idea
05:02 < Kryczek> (providing SSH and VPN access to his server to strangers while being self-admittedly "not very knowledgeable")
05:26 -!- abenz_ is now known as abenz
05:31 <@ordex> Kryczek: not a good idea from a law perspective I guess:(
06:55 < egonsen> hi! i am running an openvpn server on my raspi, which works quite well. vpn clients can access my local notebook (which is not connected via vpn but directly to the router). the problem is that my local notebook can't ping or otherwise access vpn clients. i already added a route in my router for 10.199.10.0 (vpn network) to 192.168.123.2 (raspi). i guess i have to configure raspi to handle packets going to 10.199.10.0 via the tunnel a
07:02 < MikeDebian> egonsen, check your configurations where you are pushing routes
07:03 < MikeDebian> you 1) should push a route to your vpn clients regarding your local network behind the VPN and 2) you must have "client-to-client" parameter uncommented
07:05 < MikeDebian> for instance, if your VPN server is running on 192.168.240.0/24 you should have a push route like this: push "route 192.168.240.0 255.255.255.0"
07:06 < MikeDebian> push "route 10.199.10.0 255.255.255.0"
07:06 < MikeDebian> this is what you should have in the config plus client-to-client parameter
07:07 < egonsen> thanks! the problem was a different one: an iptables rule rejected icmp packets with icmp-port-unreachable. i deleted that rule and now ping works. i'll verify that other stuff like samba shares are working, too, and i'll come back of those do not work
07:08 < egonsen> i already had those routes and client-to-client parameters in my config
07:08 < MikeDebian> ok, great
07:31 < revolve> The systemd unit file for openvpn on ubuntu service invokes `/bin/true` instead of `/sbin/openvpn`.
07:31 < revolve> `service openvpn start` works fine and exits immediately as you can image.
07:32 < revolve> `service openvpn start` works fine and exits immediately as you can imagine.
07:36 < egonsen> hi! i am running an openvpn server on raspi. my mobile phone is connected via mobile data connection (internet) to the vpn server. my notebook is in the same network as the raspi is (192.168.123.0). the notebook has ip 192.168.123.26. i am able to ping my mobile phone (10.199.10.6) from my notebook and i can ping my notebook from the mobile phone. but when i connect my notebook via vpn (which gets ip 10.199.10.10), i cannot ping the n
07:36 < egonsen> but i still can ping the mobile phone from the laptop. how can i find out why?
07:41 < egonsen> oh, i just noticed that even the server cannot ping my notebook via 10.199.10.10 when it's connected through vpn
07:43 < rob0> First thing, note that the web IRC gateway truncates your long lines, I think around 512 characters or so.
07:44 < rob0> Second, /topic wins again, it's almost certainly one or more of your firewalls.
07:44 < MacGyver> s/the web IRC gateway/IRC/
07:45 < rob0> well, yes, but better clients know this and make multiple lines.
07:49 < egonsen> sorry, my last message is wrong. i was not connected to the vpn server with my notebook, thus ping couldn't work. the vpn server is now able to ping my notebook but the mobile phone is not
08:11 -!- egonsen is now known as egonsen__
08:11 -!- egonsen_ is now known as egonsen
08:43 <@dazo> hexhaxtron: Do NOT use Let's Encrypt certificates for VPNs.  That makes it incredibly easy to mount a MITM attack between any client and your server without anyone noticing at all.  It is effectively removing one security element from OpenVPN. It is completely unsupported here.
08:45 < egonsen> hi! how can i set the openvpn tunnel adapter network type to private? google didn't help much
08:46 < rob0> what does that mean?
08:46 <@dazo> smells like Windows terminology
08:47 <@dazo> hexhaxtron: In fact, it is the most reliable way of harvesting usernames and password ... the attackers MITM server just needs to have a --auth-user-pass-verify script which always returns "success", and then connect to your server and use the same credentials collected.  Plus the "benefit" of now also having full access to your VPN network simultaneously
08:48 < rob0> virtual public network ;)
08:48 <@dazo> lol
08:49 < rob0> it puts the "open" in openvpn!
08:49 < egonsen> i cannot ping my notebook running windows from my phone when both are connected via vpn. running ubuntu on the notebook (it's dual-boot), i can ping it from the phone
08:49  * dazo senses rob0 is in a Friday mood :)
08:49 < egonsen> i think it's because windows sets the adapter's network type to "public"
08:50 < rob0> For help with the Windows firewall, a Windows forum or channel might be better than here.
08:51 <@dazo> egonsen: I'm no Windows user (haven't been for 15 years or so), I'd encourage you to use Linux ;-) ... but there are some attributes you can change in the network control panel (or whatever its real name is in Windows), on the TAP device directly
08:51 < egonsen> unfortunately i cannot change anything in the network control panel for that device
08:52 <@dazo> well, then you have no choice than to accept the current settings
08:53 < egonsen> i'm sure there is some kind of registry key or stuff like that for setting the network type
08:53 < egonsen> but i can't find it
08:53 <@dazo> !systemd
08:53 <@vpnHelper> "systemd" is (#1) Most systemd based distros package the upstream OpenVPN openvpn-server@.service and openvpn-client@.service unit files. Use those instead of the distro provided ones (openvpn.service, openvpn@.service), as they too often work poorly., or (#2) Unfortunately, Debian have added some weird OpenVPN systemd integration trying to simulate how things worked before systemd arrived. These
08:53 <@vpnHelper> approaches often causes more confusion, so _do_ consider #1 carefully.
08:53 <@dazo> revolve: ^^^
08:55 < revolve> dazo: is it not possible to use a shell script in /etc/init.d instead?
08:55 < revolve> would it work if I removed the systemd unit files and created a shell script in /etc/init.d?
08:55 < egonsen> i'll try. thanks for now
08:56 <@dazo> revolve: forget about init.d script in the systemd world ... that's a workaround until all those sys-v oriented scripts have been migrated fully to systemd
08:56 < revolve> ok np and thanks
08:57 <@dazo> revolve: trust me, openvpn will work far better with openvpn-{client,server}@.service unit files than the init.d scripts .... each tunnel are managed independently, and with the latest 2.4.4 release the server process will even restart automatically if the openvpn process dies unexpectedly
08:57 < eugenmayer> is it possible to put an openvpn client into a docker container and share its connection with the docker host ( the one running the engine ) ?
08:58 <@dazo> eugenmayer: yes, I believe so ... I recently read a blog post doing that ... there are some details there which are not so good (easy-rsa related, don't have that on your VPN server at all) ... but except of that it looked nice
08:59  * dazo digs up the url
08:59 < eugenmayer> dazo: nice. That could be quiet a thing in my scenario. There is a real reason behind that, not running it on the host, but it is far to complicated / unneeding to explain
09:00 < eugenmayer> if that would be possible, it would make quiet some thing easier to deal with
09:00 <@dazo> revolve: More systemd info related to openvpn ... https://src.fedoraproject.org/rpms/openvpn/blob/master/f/README.systemd
09:00 <@vpnHelper> Title: Tree - rpms/openvpn - Pagure (at src.fedoraproject.org)
09:00 < eugenmayer> dazo: my google research did not give me anything on that
09:00 <@dazo> eugenmayer: https://twitter.com/ruipmarinho/status/911354743758491655
09:01 < eugenmayer> thats a server
09:01 < eugenmayer> i am talking about the client
09:02 <@dazo> eugenmayer: well, what differs between server and client is basically the config file you provide
09:03 < eugenmayer> no, not really right. The docker based server does not need to share its network with the underlying host
09:03 <@dazo> But I see a less use case for this on the client side .... remember, containers are not security features
09:03 < eugenmayer> it provides a network for all the clients connecting. A client would be different if the host should be using it also
09:03 < eugenmayer> putting openvpn into that container is not a security POV at all
09:04 < eugenmayer> encapsulation / management / deployment are much more the key points here
09:05 <@dazo> well, deployment is one thing ... but you'll get the updates/deployments in far simpler approaches by using your own package repos (or even the distro or openvpn upstream package repos)
09:05 <@dazo> the deployment otherwise is just a single config file which can also carry everything (including key/cert/ca and tls-auth/tls-crypt keys)
09:17 -!- abenz_ is now known as abenz
09:26 < revolve> dazo: currently gotten it working by modifying the necessary unit files
09:26 < revolve> dazo: thanks for your help
09:31 <@dazo> revolve: please ... don't hack your own unit files ... use what we provide from upstream (openvpn-client@/openvpn-server@) ... in the long run that gives you better stability and security, as we improve them regularly
09:31 <@dazo> if you want to roll your own unit files, do ensure you know exactly what we do and consider strongly why you would deviate from that
09:32 < rob0> Professional stunt driver on a closed track.  Kids, don't try this at home.
09:33 < rob0> oops, there goes more of that Fridayism
09:33 <@dazo> (rolling your own $THING sounds cool, but it is a road filled with traps)
09:34 < rob0> Use or rebroadcast without the express written consent of Major League Baseball is strictly prohibited.
09:34 <@dazo> heh
09:53 <+hyper_ch> still no news from krzee?
09:54 <@ordex> nop :/
09:54 <+hyper_ch> there's people actually watching Major League Baseball?
10:04 <@dazo> hyper_ch: nah, such statements are just to make people believe they're still relevant and important! :-P
10:05 <+Dougy> hi dazo
10:13 <@dazo> hey!
10:15 <+Dougy> sup
10:58 -!- SerusWor1 is now known as SerusWork
11:16 <+Dougy> [10:48] <+hyper_ch> still no news from krzee?
11:17 <+Dougy> oh $)(^
11:17 <+Dougy> he's on the islands isnt he
11:29 < rob0> That was the theory.  No word from him since Irma.
11:30 < rob0> !seen krzee
11:30 <@vpnHelper> krzee was last seen in #openvpn 8 weeks, 2 days, 18 hours, 37 minutes, and 47 seconds ago: <krzee> !route_outside_ovpn
11:30 < rob0> hmm, maybe he is routed outside #openvpn
11:58 -!- CheckYourSix is now known as CheckYourSnek
12:02 < twk> hrmm so only common-name gets passed from client-connect script? no way to get it to send hostname?
12:38 < styler2go> Hey everyone. I am trying to set up my first openvpn server/client and i am running into some problems. I used the easy-rsa folde rto create my certs etc. but i run into this problem when i try to connect to my server now: : TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
12:43 < zoredache> Have you checked your network connectivity? Are you sure the server is listening on the port you expect, are you sure it is the same port configured in the client.  Have you opened the firewall for the port you are using?  Can the client ping the server, can you see the client traffic attempting to reach the server in tcpdump/wireshark, can you see reply traffic?
12:43 < styler2go> Seems like it worked now.. i commented out some line in the server setting
12:43 < styler2go> At least i got an ip in the vpn.. so it SHOULD work i guess
12:43 < styler2go> I commented out this line in server config: #auth-user-pass-verify "C:\\Program Files\\OpenVPN\\config\\auth.bat" via-env
12:53 < twk> so is there anyway to get the local interface ip of a client connecting? seems you cant get the hostname from it
12:55 < styler2go> Now i do get Fri Sep 29 19:49:56 2017 htpc/185.17.206.126 Authenticate/Decrypt packet error: cipher final failed on server and client side
13:17 <@dazo> !logs
13:17 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
13:17 <@dazo> !configs
13:17 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:18 <@dazo> styler2go: ^^^^
13:32 < selby> Is anyone around to help fix access to the admin pages?  It was working last night, but now I can’t seem to connect to the vpn (Failed to obtain session ID) or the admin pages (timeout)
13:39 < selby> I think it’s a change I made to the config.  Can anyone at least help me find the config files so I can see if I can find my changes?
13:41 < rob0> "the admin pages"?
13:43 < DArqueBishop> selby: are you running Access Server?
13:43 < rob0> yeah, that was going to be my guess as well
13:45 < selby> Yeah, the admin pages at port 943.  I didn’t set it up, but I believe we’re just using https://aws.amazon.com/marketplace/pp/B00MI40CAE/ref=mkt_wir_openvpn_byol
13:45 <@vpnHelper> Title: AWS Marketplace: OpenVPN Access Server (at aws.amazon.com)
13:45 < rob0> !as
13:45 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
13:46 < selby> I don’t see the config files in /etc and /var/log/openvpnas.log gives nothing useful
13:46 < selby> Ah, thank you
14:04 <+hyper_ch> syzzer: are you familiar with full disk encryption?
16:39 -!- dionysus70 is now known as dionysus69
17:28 -!- abenz_ is now known as abenz
18:12 -!- abenz_ is now known as abenz
19:00 -!- CheckYourSnek is now known as CheckYourSix
19:56 <@ordex> aloha
--- Day changed Sat Sep 30 2017
02:32 -!- abenz__ is now known as abenz
08:30 < Assid> hi
08:31 < Assid> so i am able to connect to openvpn and ping the server ip .. however the client gets a gateway like 10.100.40.9  instead of 10.100.40.1 in which case the gateway is not reachable
08:55 < rob0> sounds like
08:55 < rob0> !/30
08:55 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
08:55 < Assid> hmm.. thanks.. let me check it out..
09:13 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
09:16 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
09:16 -!- mode/#openvpn [+v RBecker] by ChanServ
09:24 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
09:30 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
09:30 -!- mode/#openvpn [+v RBecker] by ChanServ
10:26 < styler2go> I am trying to set up a vpn between me and a friend but we can't ping each other. We both have IPs. Any ideas? Client config: https://p.styler2go.de/7176503 Server config: https://p.styler2go.de/6535480
10:28 < styler2go> https://p.styler2go.de/7387251 windows show's it as "unidentified network" but it has an ip: https://p.styler2go.de/1777795
10:36 < rob0> and thus connect LAN-to-LAN, or what is the goal?
10:36 < rob0> !goal
10:36 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:37 < styler2go> yes, we want to play some old game via "LAN" connection and i want to make sure that the connection works by pinging
10:37 < rob0> so just connect these two, not LAN access
10:37 < styler2go> I think so, yes. But i am using a middle-man as server
10:37 < rob0> did you turn off firewalls?
10:37 < styler2go> So, my root server is playing the server while we both are clients
10:38 < styler2go> Yes, i did disable the firewall for testing purpose
10:41 < rob0> the "root server" is an openvpn server?  And the machines you want to connect are both clients of that?
10:42 < styler2go> one is a "real server" with the server config i pasted above, the both clients have the same client config except for certs of course
10:42 < styler2go> But all of them are in the internet, not connected by lan
10:45 < rob0> !client-to-client
10:45 <@vpnHelper> "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other
10:45 <@vpnHelper> clients
10:48 < styler2go> interesting
10:48 < styler2go> i thought this would be default
10:48 < styler2go> how do i enable it
10:49 < rob0> it's a server option
10:49 < styler2go> Ah i see
10:49 < rob0> --client-to-client on the command line or without the -- in the config file
10:50 < styler2go> Omg it works.. at least pinging
10:50 < styler2go> thank you so much!
10:51 < styler2go> But just for my understnding: Isn't this client-to-client option the usual reason why poeple use vpn?
10:51 < rob0> so the problem was the server's firewall; --client-to-client bypassed that
10:53 < rob0> look again at !goal; no, I think --redirect-gateway is the most common reason asked about here.
10:53 < styler2go> Ah ok, thanks a lot :-)
10:54 < rob0> my own usage is generally to provide secure access to a server-side LAN for remote users
10:56 < styler2go> Isn't that also client-to-client in that case? Or do you solve that by firewall?
10:59 < rob0> Clients can access other clients without --client-to-client if the server will route the packets appropriately.
11:00 < styler2go> Ok.. now i can ping but we can't see our lobby ingame. I remember with windows 7 i had to change the priority of network adapters but that option is gone in win10.. i've set TAP to metric 10 and the eth port to metric 20 on both clients
12:35 < ke4nhw> Question: is it possible to run openvpn with TCP over a routed IP (dev tun) client/server connection?
12:37 < ke4nhw> And will that resolve the Samba/OpenVPN broadcast-capable interface issue, or is the only solution to go bridging (dev tap)?
12:54 < rob0> I'm not sure what that issue is.
12:54 < rob0> If you're talking about a tunnel in a tunnel, sure, you can do that.
13:02 < ke4nhw> Problem is that I want to use 'bind interfaces only = yes' and 'interfaces = 10.0.0.1/24' (the VPN subnet), but samba cannot bind to an interface that is not broadcast-capable
13:05 < rob0> oh
13:06 < rob0> I think you can disable the old legacy broadcast junk in Samba, but I haven't touched Samba in many years.
13:06 < rob0> Modern Windows clients do not need it and only use it as a last resort fallback.
13:07 < rob0> TCP transport won't make a tun interface broadcast-capable.  Yes, only tap is broadcast-capable.
13:08 < ke4nhw> Hmmm, that's worth looking at; even the samba docs say it needs it... I'll check out the newest man smb.conf to see if I can disable that. Otherwise it's either my hack or tap interfaces.
13:15 < rob0> what hack?
13:16 < rob0> also, is that "10.0.0.1/24" correct?  Shouldn't it be 0.24?
13:16 < rob0> err, 0.0/24
13:17 < ke4nhw> You're right, I type-o'd here,it's correct in the config
13:17 < rob0> if you want to match anything in that /24, I mean
13:18 < rob0> Samba used to have a nifty HTMLified smb.conf manual which was nice with SWAT
13:18 < rob0> one click away from the documentation and examples, for any setting
13:19 < rob0> I really liked the Samba project, but I don't miss the SMB/CIFS mess of protocols. :)
13:20 < ke4nhw> My hack is to use 'hosts allow = 10.0.0.0/24' and 'hosts deny=192.168.0.0/24' as well as configuring the firewall to the same effect: allow only the vpn subnet to those ports, block all others to that port. I might add one more rule allowing lo interface to those ports in the firewall if I start experiencing problems.
13:22 < ke4nhw> I still like samba; it allows me to use my CentOS 7 server to serve as a central file server, allowing multiple users access to folders appropriate and permitted to them. It integrates easily, but you're right, the config can get to be a bit annoying.
13:24 < rob0> oh I didn't say that ... I liked Samba and still would, but I just don't like supporting Windows clients.
13:26 < ke4nhw> It means that multiple users can have access to a common file point regardless if they're linux or windows, it means they don't have to choke up their personal hard drives with all those files leaving it clearer for just OS and application files, and it allows me to tightly control who can and cannot have access to any particular folder, and what level of access they will have.
13:29 < ke4nhw> Hmm, no need for an additional rule for lo, I already have one that allows lo complete access prior to the firewall statements that control access to the samba ports.
13:31 < rob0> 'disable netbios = yes' in your smb.conf <-- is what el Goog suggests
13:31 < ke4nhw> And I can see the thing about not liking supporting windows clients, but that's exactly what we have here. My wife doesn't like linux so she uses Windows, and I have quite expensive software that I must have access to (they're for emergency management) that will not run on Windows or Wine, so I have a Windows machine with dual-boot capability (as well as a clean-os bootable centos 7 usb stick)
13:33 < ke4nhw> Hmm I'll try it, I'll disable any other statements and firewall rules that may skew the results. interesting find, thank you...
13:45 < ke4nhw> still same effect, putting my hack back in place
13:52 < ke4nhw> I've got the desired behavior so I'm good...
13:52 < ke4nhw> And I didn't have to go to bridging (which would likely make things way more complicated)
15:40 < polprog> im getting a terrible packet loss on the server
15:40 < polprog> https://puu.sh/xMPdI/fde694659c.png
15:40 < polprog> is this normal?
15:41 < BtbN> If you have a bad connection, sure
15:41 < polprog> i don't
15:42 < polprog> im testing mtr via normal net and it's at 1%
15:43 < BtbN> to the same box?
15:43 < polprog> same box is one hop away. via vpn it's 2 hops
15:44 < polprog> no loss at all. it's on the lan
15:45 < BtbN> you must have badly misconfigured your openvpn then.
15:45 < polprog> what should i look  for?
15:45 < BtbN> no idea
15:45 < polprog> :/
15:49 < polprog> some SO answer suggets mtu setting
15:49 < polprog> i remember correcting that, it didnt work at all before
15:56 < rob0> y
16:07 < polprog> huh. voodoo
--- Day changed Sun Oct 01 2017
00:04 -!- vectr0n_ is now known as vectr0n
01:39 < Pilfers> hi
01:39 < Pilfers> https://technofaq.org/posts/2017/08/a-to-z-of-a-secure-hardened-vanilla-openvpn-setup-for-debian-stretch-gnulinux/
01:39 <@vpnHelper> Title: A to Z of a secure, hardened vanilla OpenVPN server on Debian Stretch GNU+Linux | Techno FAQ (at technofaq.org)
01:39 < Pilfers> can someone look this over, is this a good writeup?
01:40 < Pilfers> technically correct?
01:41 < Pilfers> if theres any issues with it, can someone tell me , thx, pm me if you can , thx
04:06 < Kryczek> Pilfers: why /home/cipher and not /home/openvpn ? :)
04:13 < rudi_s> Pilfers: I don't like the introduction which suggests that you're "anonymous" with this setup without describing any constraints (like your ISP sees your traffic, any local attacker can still see your IP and whois your servers IP/hostname to get your namme, etc.). Why not use the stock version in Debian? It gets security updates and is stable. Why proto udp4 (later explained for IPv6, but that's = ...
04:13 < Kryczek> Pilfers: I wouldn't use duplicate-cn in the name of security: "It allows multiple clients to share the same client cert/key for authentication, making it harder for the server to identify an individual client." but it's still pretty easy for the server to differentiate them inside their tunnels, and not using duplicate-cn makes it easier to detect if someone has copied a client key of yours (you'd get
04:13 < rudi_s> ...not correct, udp4 only controls the outer layer which works just fine over IPv6 even if you tunnel only IPv4)? Why the txquelen,sndbuf,rcbuf changes? Did anyone performance test that? Same for the next option block (I don't find them "self-explanatory"). The chrooting setup looks a little weird, why in /home, why a separate user? Why ufw as firewall? iptables works just fine (and is later used in = ...
04:13 < Kryczek> disconnected)
04:13 < rudi_s> ...an example). Why iptables-persistent when using ufv? Why drop FORWARD traffic (hint: reject instead)? I've never used easyrsa so can't comment on that. Permissions in /home/cipher for private keys look wrong (owner? root?). "mute-replay-warnings", why? No comments regarding the options, explicit-exit-notify 3, why? no user/group, runs as root in example config. IPv6 setup is incomplete (client = ...
04:13 < rudi_s> ...IPv6, client isolation). No blackholing of non-VPN traffic on the client means it leaks data when the VPN is down.
04:13 < rudi_s> TL;DR I don't think it's a good article and is many (subtle) issues.
04:14 < rudi_s> (That's from just a quick read, didn't check everything in detail.)
04:15 < Kryczek> I wouldn't say it's a bad article but yeah, I agree, many issues :)
04:16 < Kryczek> keys don't have to be in the chroot by the way, I have mine under /etc/openvpn/ and then the process gets chroot'ed in /chroot/openvpn/ which is entirely empty except for a tmp/ in it
04:17 < Kryczek> also, if you want it to be really from "A to Z" you'd have to at least mention SELinux and the setcon option that I added :P
04:31 < rudi_s> Kryczek: I think the client config must be in the chroot.
04:33 < Kryczek> rudi_s: mine isn't, and it's been working for years so, maybe I'm just lucky :D
04:33 < rudi_s> Kryczek: With client-specific config? Does Openvpn load all client config before chrooting?
04:34 < Kryczek> ah sorry I misunderstood (I also use the chroot option in client configs)
04:35 < Kryczek> I don't use client-specific configs... good question :) I don't know sorry
04:35 < Kryczek> but you're probably right
05:50 < buscon> hi
05:51 < buscon> i just followed this guide to configure openvpn on Ubuntu
05:51 < buscon> I am on Mint 18.2, the connection does not work though.
05:51 < buscon> (here is the guide) https://support.purevpn.com/openvpn-configuration-guide-for-ubuntu
05:51 < buscon> how can i debug the connection? is there a log file?
12:35 <+hyper_ch> hmmm, zfs is interesting
13:53 < hays> what things can i do to optimize my openvpn config for speed? I am trying to get near 1Gbit thru a connection from US to Europe on a small VPS
13:54 <+hyper_ch> can the cpu handle that data stream?
13:54 <+hyper_ch> or rather the encryption of it
13:55 < hays> well, i'm suspecting it may be challenged by it
13:55 <+hyper_ch> use a weaker cipher (or none at all)
13:55 <+hyper_ch> if the cpu is the bottleneck
13:55 < hays> the gig connection will be in place tonight so I plan to test it out--but right now I don't think i saturate even my 150Mbit
13:56 <+hyper_ch> you could try jumbo frames but those usually don't work over the internet
13:57 <+hyper_ch> --tun-mtu 9000 --fragment 0 --mssfix 0
13:58 <+hyper_ch> been wondering myself as well how to speed things up... got now gigabit at home and the office
13:58 <+hyper_ch> and I do backups from office to home and home to office
14:01 < hays> yeah.. its an area im a bit weak in, in terms of finding bottlenecks
14:03 < hays> 13 megabit and 6% CPU
14:03 < hays> 20megabit and 10% CPU
14:04 < hays> so right now im getting about 1/5 of total
14:04 < hays> so throughput must be limited by something else
14:06 <+hyper_ch> how about just scping a file through normal internet, not openvpn
14:06 <+hyper_ch> what speed do you get?
14:07 < hays> 120-150 Mbit thru speedtest.net
14:07 < hays> and then on the server end its gigabit or faster
14:07 < rob0> nc to nc, removes any software/encryption overhead
14:10 <+hyper_ch> only real pros can handle nc :)
14:11 < hays> server speedtest i get 800Mbit/s, client is at 120Mbit/s (soon to be upgraded) but with openvpn its 15-20Mbit/s
14:11 <+hyper_ch> or use iperf ?
14:12 <+hyper_ch> if you find out how to optimize gigabit openvpn, let me know
14:12 < hays> hmm this is interesting... speedtest from client to the speedtest server in EU..  9Mbit/s
14:13 <+hyper_ch> use iperf.... it's more reliable than speedtest imho
14:15 < hays> yeah.. guess i can do that.  i gotta open a port
14:17 <+hyper_ch> non-vpn iperf gives me:
14:17 <+hyper_ch> [  3] local 10.10.10.3 port 42820 connected with 81.6.36.254 port 5001
14:17 <+hyper_ch> [ ID] Interval       Transfer     Bandwidth
14:17 <+hyper_ch> [  3]  0.0-10.0 sec   829 MBytes   695 Mbits/sec
14:18 <+hyper_ch> openvpn gives me:
14:18 <+hyper_ch> [  3] local 10.10.11.3 port 44592 connected with 10.10.11.91 port 5001
14:18 <+hyper_ch> [ ID] Interval       Transfer     Bandwidth
14:18 <+hyper_ch> [  3]  0.0-10.0 sec   106 MBytes  89.1 Mbits/sec
14:18 <+hyper_ch> it's a tad slower
14:20 < polprog> what should i look for in the config which could cause huge packet loss on the server?
14:23 < rob0> --packet-loss="huge"
14:24 < polprog> hahaha
14:25 < hays> hmm.. i bet my ISP is being a dick
14:26 <+hyper_ch> need to play with --tun-mtu etc...
14:26 < hays> from my place its 20Mbit/s, from DC in new jersey its 80Mbit/s
14:26 <+hyper_ch> wanna check iperf speed to me?
14:27 < hays> sure
14:27 < hays> where are you
14:27 <+hyper_ch> switzerland
14:27 < hays> throw me an ip and i'll iperf ya
14:27 <+hyper_ch> 81.6.36.254
14:28 <+hyper_ch> not too bad
14:28 < hays> one more
14:28 <+hyper_ch> sure
14:28 <+hyper_ch> that's way worse
14:28 < hays> i think we found the issue
14:29 <+hyper_ch> your isp in the US?
14:29 < hays> yep
14:29 <+hyper_ch> time to move to canada ;)
14:29 < hays> can you run iperf on port 443
14:29 <+hyper_ch> I can, let me open the firewall
14:31 <+hyper_ch> ok
14:31 < hays> hm. wow.
14:31 <+hyper_ch> pretty much same speed
14:32 < hays> how do you feel about 80 ? :)
14:32 < hays> im getting same results to .nl btw
14:33 <+hyper_ch> ok, shoot
14:33 < hays> wow so they must be throttling based on dpi
14:33 <+hyper_ch> not getting more than 20.x Mbit
14:33 < hays> yep confirmed here too
14:34 <+hyper_ch> so seems your isp is to blame
14:34 < hays> let me think about this though
14:34 < hays> this could just be that my upload is constrained
14:35 < hays> asymmetric
14:35 <+hyper_ch> still issue of your isp :)
14:36 < hays> if i am receiving things via openvpn, does the directionality of traffic reflect that?
14:36 < hays> seems like it should
14:36 <+hyper_ch> not sure what you mean
14:37 < hays> well if I am downloading at 1GBit without openvpn all traffic is basically coming one way.. over vpn tunnel, this might change to some extent
14:37 < hays> due to protocol talk
14:37 < hays> but im guessing its still going to be mostly coming one way
14:37 <+hyper_ch> there's overhead with openvpn.... so it will be slower
14:38 < hays> im going to run a test
14:39 < polprog> in general, should i make the mtu higher than default or lower? it's at 1350 and higher mtus caused ssh to freeze
14:40 < hays> hrm. im going to rerun tests once my connection is upgraded
14:40 <+hyper_ch> polprog: no idea about that stuff
14:40 < hays> iperf was great tip though
14:41 < hays> ill let you know if i learn anything
14:41 < polprog> okay, i guess i wont touch it
14:41 < polprog> you probably know that tool, but i suggest checking out mtr
14:43 < hays> hyper_ch: really i should be testing UDP also
15:57 < pvl1> hi everyone, why is it recommended to run easy-rsa on a separate machine
16:02 < BtbN> So your PKI is isolated.
16:02 < BtbN> You ideally do it on a machine with no internet connection.
16:09 < pvl1> tahts what i was thinking
16:09 < pvl1> that theres a chance you can reproduce enof ca's on a machine to start matching things
16:10 < pvl1> but then, that means, that everytime i want to add a client, i have to get the machine up and running?
16:26 < ke4nhw> Yep. I'd recommend a minimal install VM that has all networking turned off to that VM
16:27 < ke4nhw> Minimal boot time, isolation, keeps things simple
16:30 < BtbN> well, if the host it's on still has no special protection, that VM is kinda pointless
16:30 < rob0> well, the problem with a VM is lack of entropy
16:30 < rob0> and that ^^ too
16:31 < BtbN> might as well just put easyrsa in some encrypted volume, and only mount with passphrase when needed
16:31 < BtbN> would be more secure than a VM
16:31 < pvl1> im tihnking my rpi wont be enof entropy either
16:31 < rob0> But your paranoia level is up to you.  Lots of howtos out there show people running easyrsa as root and on the openvpn server.
16:31 < pvl1> well most do that
16:32 < BtbN> Doesn't LetsEncrypt do crazy things, like the signing machine being isolated and only communicating with the online servers via some serial link?
16:32 < pvl1> thats what i was thinking, but that didnt work well for stuxnet
16:33 < pvl1> i wonder if my htc G1 can run easy-rca lol
16:33 < pvl1> although, its ssl libs would be far too outdated
16:33 < BtbN> phones have tons of sensors
16:33 < BtbN> good for entropy
16:33 < BtbN> And what stops you from putting any static openssl binary on there?
16:36 < pvl1> time
16:37 < pvl1> ima try it
16:54 < BtbN> I wonder how well integrated all the sensors are into the entropy pool though
17:14 < pvl1> its more so because i probably wont ever connect that to the internet
17:31 < |Mike|> Mwah, I have my PKI on a VM with ssh access, no password, just keys :)
17:31 < |Mike|> no services. :)
17:34 < |Mike|> pvl1: https://www.berthon.eu/2015/installing-linux-on-raspberry-pi-the-easy-way/ rngd++
17:34 <@vpnHelper> Title: Installing Linux on Raspberry Pi The Easy Way | Ice and Fire by J‑C Berthon (at www.berthon.eu)
17:38 < pvl1> oo i know, ihave some blackarch or archassult or something installed on some netbook i rarely use
17:47 < pvl1> archstrike
17:47 < pvl1> whatever
18:53 < hays> hrm. something seems to have happened where i can no longer get to the internet via openvpn. I think it might be a firewall issue
18:53 < hays> here are my rules https://bpaste.net/show/0a6661392773
18:54 < hays> i can get to the internet from the server
18:54 < hays> but not the client
19:07 < hays> hm. interesting. firewall off. same issue
19:10 < hays> ok reboot fixed. interesting
19:10 < |Mike|> pretty funky
19:13 < hays_> |Mike|: yeah I think whatever virtualization solution that container runs in it sometimes gets weird
19:14 < hays_> i run unattended-upgrades on it so maybe a kernel thing happened
19:15 < hays_> whats weird is the only thing i changed was the firewall
19:15 < hays_> and.. it was still connecting
19:16 < hays_> and.. i could see the other vpn devices.. just not internet.
19:23 < |Mike|> kernel upgrade might have screwed you over.
19:35 < hays_> yep--except it went out today, and kernel update didn't happen.. hmm maybe it did and i didn't realize it
19:37 -!- hays_ is now known as hays
19:53 < |Mike|> hays: might be a good plan to check logfiles
--- Day changed Mon Oct 02 2017
04:14 < AquaL1te> the cipher and tls-cipher settings should manipulate the data and control channels right? my android device only connects with aes-256-gcm (data channel), whatever i put in my config (aes-128-gcm as cipher and TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 as the only cipher in the cipher list, both server and client). how can i enforce aes-128-gcm for both the control and data channel?
04:21 < ntz> hello
04:22 < ntz> I've found a weird thing and I'd like to request explanation if you can provide that
04:23 < ntz> I have a server with openvpn and I can connect to that server also using ssh ... when I need an X forward via ssh to machine behind vpn I can do:
04:24 < ntz> a) connect via openvpn and then connect to target machine `directly' (through vpn trunk) with ssh -X
04:24 < ntz> b) connect via ssh to server with -L $local:1.2.3.4:$remote and then with ssh -X to my localhost at $local port
04:25 < ntz> my question is now -> I've found, that when I connect via openvpn I'm getting _considerably_ slower connection to machine behind ovpn server than when I tunnel that via ssh
04:25 < ntz> in logs is nothing, nobody from openvpn users complains about performnance, wtf
04:26 < ntz> openvpn seems working completely fine .... and it's udp
05:01 -!- peder_ is now known as peder
05:03 < Kryczek> ntz: have you tried forwarding X through OpenVPN without SSH?
05:04 < ntz> o.O
05:04 < ntz> Kryczek: how ??? I need to run some X app from remote computer ... say firefox
05:05 < BtbN> X forwarding is always going to be slow, if it works at all.
05:05 < Kryczek> ntz: X11 existed long before SSH, `ssh -X` is a nice feature but it's not the only way :)
05:05 < Kryczek> BtbN: not true, it's often faster than VNC at least
05:05 < ntz> Kryczek: oh, this .... nope, let's say that I'd like to use this to know, why it's so slow via vpn
05:06 < BtbN> If you have a classic application that does not use any direct rendering, maybe
05:06 < BtbN> And Browsers certainly use a lot of it
05:06 < ntz> BtbN: well, my question is really about why it is considerably slower when tunneled via openvpn than when tunneled via ssh
05:07 < BtbN> Because there is an entire other layer of encryption around it
05:07 < ntz> BtbN: what ? I can show ya:
05:08 < Kryczek> ntz: first it helps to understand something: X11 comes from the days when computers were typically a single mainframe in a basement somewhere, and people "used" this single computer from a terminal on their desk; in the beginning it would have been text-based (that's where all the VT100 stuff in xterm comes from for example) but later on it was the same idea with graphical displays
05:08 < BtbN> ssh over openvpn is always going to be slower than just ssh. Unless you turn of encryption on openvpn, which is not a good idea.
05:08 < ntz> ssh $server -L 12345:$remote_client:22; ssh localhost -X -p 12345
05:09 < ntz> ^^ this is much faster than connecting via openvpn first and then `ssh $remote_client -X' directly
05:09 < Kryczek> ntz: so the display on the desk of each of those people was an X11 *server* and the programs they had running in the mainframe were X11 *clients*
05:09 < ntz> hmm
05:09 < ntz> okay, I feel I need to reread several times what you've said
05:11 < Kryczek> ntz: in your case the programs that you want to launch remotely are the X11 clients, and if you want to have them displayed on the monitor in front of you that has to be the X11 server
05:11 < Kryczek> ntz: when you use `ssh -X` OpenSSH configures all of that automatically
05:13 < Kryczek> ntz: for example if you run the `env` command in a terminal locally you will see a variable called "DISPLAY" containing the ":0" or ":0.0" value which refers to the first monitor (your local one)
05:13 < Kryczek> ntz: if you run the same command through `ssh` but not `ssh -X` there should not be a DISPLAY variable
05:14 < Kryczek> ntz: if you run the same command through `ssh -X` you will see it has a value like ":10.0" (likely to change every time) which corresponds to a link that OpenSSH automatically sets up
05:15 < Kryczek> basically it tricks the X11 client into thinking that there is a (10th in this case) monitor connected to the server, when in fact that is just piped back into your own monitor where you are sittig
05:15 < Kryczek> sitting*
05:22 < Kryczek> ntz: all this to say: you could for example run `export DISPLAY=10.0.0.7:0.0` (assuming your local computer's address in the tunnel is 10.0.0.7) in the remote command line, and then commands like `xcalc &` will start appearing on your local display
05:23 < Kryczek> ntz: provided that you configure your local display to listen on the network of course (now by default they don't), and it would be best to make it only listen on the VPN IP (10.0.0.7) for security
05:24 < Kryczek> ntz: of if that IP does not exist before your display starts (which is probably the case unless your VPN is on 24/7), you can let it listen on all interfaces (0.0.0.0) but then make sure to add firewall rules
06:13 < ntz> Kryczek: my big apologize, as far as I'm supposed to be IT pro (having all those fancy certs like CLP and RHCE) I originally asked what could cause that X via openvpn tunnel are much slower than X via ssh tunnel ... I can do with my xserver all tricks you describe
06:13 < ntz> let's leave this]
06:14 < ntz> thanks anyway for support and input
07:01 -!- abenz_ is now known as abenz
07:46 <+hyper_ch> hmmm, dazo, online?
07:46 <+hyper_ch> or ecrist
07:47 <+hyper_ch> on the vpn server I get this:  https://paste.simplylinux.ch/view/raw/dc051793   this looks all fine to me but why is the snom hardphone telling me there's an vpn error
07:53 <@dazo> hyper_ch: yeah?
07:54 <+hyper_ch> see the link above... why does the hardphone say there's a vpn error
07:54 <@dazo> I don't see any errors ....?
07:55 < rob0> ++
07:55 <@dazo> I see a warning ... which is related to using the blowfish cipher
07:55 <+hyper_ch> the hardphone on the display says:  VPN: Error
07:55 <+hyper_ch> but according from the log all should be fine
07:55 <@dazo> yeah
07:56 <@dazo> other than that ... hard to say why .... are able to extract logs from the phone?
07:56 < rob0> can you ping the phone across the VPN?
07:57 <+hyper_ch> dazo: nothing vpn related in the log
07:57 <+hyper_ch> rob0: good idea
07:57 <+hyper_ch> yeah, ping is fine
07:58 <@ecrist> hyper_ch: what's up?
07:58 <@dazo> hyper_ch: is this phone running krzie's firmware?
07:58 <+hyper_ch> no, it's running snom's openvpn firmware
07:59 <@dazo> then it's even harder to say what's wrong .... somehow, I'd trust krzie firmware more :)
07:59 <+hyper_ch> he doesn't have firmware
07:59 <+hyper_ch> for the snom I think
07:59 <@dazo> Ahh, he might not have completed the building .... I know he was working on it
08:00 <+hyper_ch> thx
08:01 <+hyper_ch> I think I may have found the problem
08:01 <+hyper_ch> on the other phones I run an older firmware
08:01 <+hyper_ch> maybe I should try that one
08:01 <@dazo> hmmm
08:01 <+hyper_ch> but I didn't see anything altered with regard to openvpn
08:02 <@dazo> I do recall krzee complaining about some oddities with openvpn on the snom firmware, but I didn't care enough at that time to fully understand what
08:02 <@dazo> what kind of phones do you use?
08:02 <+hyper_ch> they removed openvpn at some point and release a special firmware with openvpn
08:02 <+hyper_ch> yealink t48g and 2x snom 370 (and now another snom 370)
08:02 <@dazo> ahh
08:02 <@ecrist> OpenVPN has never been a part of the core Snom firmware -it's always been a special build.
08:03 <+hyper_ch> the yealink is nice though
08:03 <+hyper_ch> ecrist: "Since Firmware version 8.7.5.15 and 8.9.3.5 the VPN feature is no longer shipped with the default firmware due to security considerations."
08:03 <+hyper_ch> which implies before it was shipped by default
08:03 <+hyper_ch> http://wiki.snom.com/VPN_Support
08:03 <@vpnHelper> Title: VPN Support - Snom User Wiki (at wiki.snom.com)
08:05 <+hyper_ch> lets see what the older firmware does
08:05 <+hyper_ch> only need openvpn on the phones to get around nat and stuff easily
08:08 <@dazo> darn ... I don't really need such a deskphone ... but seeing the yealink makes me want one! :-P
08:09 <+hyper_ch> I got the yealink from a client ;)
08:09 <+hyper_ch> shiny touch screen
08:09 <@dazo> :)
08:10 <@dazo> it costs more than what I paid for my new "temporary" mobile phone (moto g5) :-P
08:10 <@dazo> (Had a G3 which I bought last summer, which I managed to break the display on ... cheap, good performing despite not being top-notch spec'd)
08:11 <+hyper_ch> dazo: I also got a moto g5... put LineageOS on it
08:15 <@dazo> hyper_ch: you did?  I haven't seen any builds for it yet .... working well?
08:15 <@dazo> hyper_ch: I'm not too fond of the current very google-infected android ... that's the biggest drawback from the g3
08:17 <+hyper_ch> dazo: there's an inoffical build for it
08:17 <+hyper_ch> but the challenge was to get twrp running
08:17 <+hyper_ch> first you had to remove that lock thingy through motorla (really annoying and leaves now with annoying boot up message)
08:18 <@dazo> right, I remember that from the g3 as well
08:18  * rob0 is planning to put LOS on a Moto G4 Play
08:18 <+hyper_ch> http://www.android.gs/unlock-the-moto-g5-plus-bootloader/
08:18 <@vpnHelper> Title: How to Unlock the Moto G5 Plus Bootloader (at www.android.gs)
08:18 <@dazo> I read on xda that there were issues with BT voice
08:19 < rob0> problem is, that phone is our only Internet connection, and the downtime will suck
08:19 <@dazo> on the g5 ... which is not good for me, as I use it fairly often in the car
08:19 <@dazo> rob0: that is actually kinda cool :) (using mobile for connectivity)
08:20 <@dazo> rob0: the g4's are also not so expensive, could have two with different networks ... if one fails, you can have failover :-P
08:20 <@dazo> (I considered G4 .... but the price gap to the G5 was so small, it opted for the latest one)
08:27 <+hyper_ch> dazo: https://forum.xda-developers.com/g5/development/7-1-x-lineageos-14-1-moto-g5-t3611973   that's what I use
08:27 <@vpnHelper> Title: [7.1.x] LineageOS 14.1 for Moto G5 [cedric][ | Moto G5 (at forum.xda-developers.com)
08:46 <@ordex> moto g5 ?
08:55 <+hyper_ch> I think I might know where the problem is
08:55 <+hyper_ch> snom might not like that I provided a seperate name for the tun device
08:55 <+hyper_ch> testing this now
08:58 <+hyper_ch> yep, that was the problem :)
09:19 < revolve> is it possible to have multiple servers in the same vpn so that if one goes offline the vpn can still be joined via different server node?
09:22 < rob0> sort of.  You'd give the servers different networks (address pools), but if routing works among them it will be the same for end users.
09:33 <@dazo> hyper_ch: thx!
09:33 <+hyper_ch> what for?
09:34 <@dazo> hyper_ch: LOS pointer ... much better than what I found :)
09:35 <@dazo> ahh, I was looking at LOS 15, I think
09:35 <+hyper_ch> ah
09:35 <+hyper_ch> well, that one works
09:35  * dazo gets confused by the LOS/CM versioning vs the android version numbers
09:35 <+hyper_ch> but I recall having had issues with getting twrp to run
09:35  * dazo can barely wait to do this flash :)
09:35 <+hyper_ch> I think I sideloaded it
09:36 <+hyper_ch> from adb shell I somehow put it on there
09:36 <+hyper_ch> don't really recall
09:36 <@dazo> no worries, I have some vague memories from the g3's too it wasn't too straight forward
09:36 <@dazo> btw ... do you have Exchange Active Sync working?
09:37 <@dazo> it really pissed me off that disabling GMail removed ActiveSync too
09:38 <@dazo> (DAVDroid works, but is not as efficient as ActiveSync ... plus lacking the MDM feature)
09:38 <+hyper_ch> I remember now
09:38 <+hyper_ch> in ADB I did:   fastboot boot twrp-3.1.0.0-cedric.img     then it booted it... and then I was able to sideload the twrp
09:39 <@dazo> right ... that does sound very familiar
09:40 <@dazo> hyper_ch: btw ... any good recommendations on backup tools? which backs up _everything_ (including all data)?
09:40 <+hyper_ch> I use titanium backup pro
09:40 <@dazo> I've tried helium with a mixed success .... some apps it managed wonderfully.  But others failed completely
09:40 <+hyper_ch> and syncthing to sync stuff to my homeserver
09:40 <@dazo> hmmmmmm
09:40  * dazo like that
09:41 <+hyper_ch> there's always nandroid with twrp ;)
09:43 <@dazo> I obviously haven't studied twrp too well :)
09:48 -!- SerusWor1 is now known as SerusWork
09:51 < Kitty> Hi
09:51 < Kitty> I have openvpn running on a pfsense box, and a linux laptop
09:51 < Kitty> when IPv4 only, it works fine, nice and reliable
09:51 < Kitty> when I enable IPv6, it times out after 60 seconds and reconnects 60 seconds later
09:52 < Kitty> I'm guessing this is something to do with the timeout/keep alive stuff
10:02 <@dazo> Kitty: enable IPv6 ... on the link between the OpenVPN client/server ... or inside the tunnel?
10:04 < Kitty> on the server
10:05 <@dazo> that didn't answer the question
10:05 < Kitty> inside the tunnel
10:05 < Kitty> soryr
10:05 < Kitty> sorry
10:05 < canadaOK> any advice on how to find easyRSA3 in any of the repos?  ubuntu/debian?
10:05 < canadaOK> im getting "easy-rsa is already the newest version (2.2.2-2)."
10:05 <@dazo> canadaOK: you might need to get in touch with the openvpn package maintainers for deb/ubu
10:05 < canadaOK> when i apt-get install easy-rsa
10:06 <@dazo> or rather, the easy-rsa package maintainer
10:06 < canadaOK> fair enough, wasn't sure if there was something really obvious I am missing
10:06 < canadaOK> [11:00] * You were kicked from #easy-rsa by ChanServ (Invite only channel)
10:06 < canadaOK> lol
10:06 -!- canadaOK is now known as baconology
10:07 <@dazo> we have little to with distro packaging .... I just coincidently ended up becoming the Fedora/EPEL package maintainer for OpenVPN ... but except of that ...
10:07 <+hyper_ch> dazo: problem with nandroid - you need to boot into twrp ;)
10:07 <@dazo> hyper_ch: nah, I can live with that if it works :)
10:07 < Kitty> dazo: how does the keepalive packet work within openvpn?
10:07 <+hyper_ch> it's making a system image
10:07 <@dazo> Kitty: it is done on the control channel (not the data channel where the tunnelled network traffic goes)
10:09 < Kitty> right
10:10 < Kitty> is there any reason why turning ipv6 on would cause it to stop working ?
10:11 <@dazo> Kitty: There shouldn't be any reasons why enabling IPv6 inside the tunnel would cause any timeouts .... if anything, it might be related to bad MTU values when IPv6 traffic hits the tunnel .... but I do struggle fully believing this is the real issue
10:12 < Kitty> the only change is with enabling ipv6
10:12 < Kitty> that's all I changed
10:15 <@dazo> yeah, I don't doubt IPv6 enabling causes issues ... just the MTU being part of the issue
10:15 <@dazo> hmmm .... do you route everything over IPv6?
10:15 <@dazo> and is your OpenVPN server IPv6 enabled?
10:16 < Kitty> yes
10:16 < Kitty> ipv6 works fine on the server
10:17 <@dazo> okay ... and client have IPv6 connectivity too?
10:18 < Kitty> yep
10:18 <@dazo> or that's not really needed .... if the hostname you put in --remote resolves to both IPv4 and IPv6 ... then funny things may happen unless you add an IPv6 route routing the traffic to your OpenVPN server outside the tunnel
10:19 <@dazo> try enforcing the client to use IPv4 only
10:19 < Kitty> no AAAA record for the vpn server
10:19 <@dazo> meh ...
10:19 <@dazo> !logs
10:19 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
10:20 < n35xdxb0> how do i route everything to 127.0.0.1 unless its going through my vpn tunnel? on linux. thanks for any help
10:21 < Kitty> I have to wait 15 mins to get the server logs. They are currently set to 1, and I can't restart the server until 1730 (15 mins time)
10:22 <@dazo> n35xdxb0: ehm ....!?? the quickest solution ... ifdown all your network adapters  (because your question really doesn't make sense)
10:23 <@dazo> Kitty: no worries ... if I'm not around, others are here on this channel too
10:23 < n35xdxb0> dazo: ok, essentially, how do i ensure my computer is only connected to the internet when i'm using my vpn?
10:24 <+Dougy> what
10:24 <+Dougy> [11:15] <n35xdxb0> how do i route everything to 127.0.0.1 unless its going through my vpn tunnel? on linux. thanks for any help
10:24 <@dazo> n35xdxb0: by using firewalls
10:24 <+Dougy> do you mean just force all traffic through the vpn?
10:24 < rob0> n35xdxb0, and this computer is a VPN client?
10:24 <+hyper_ch> hmm, I can't access the openvpn.net homepage with useragent googlebot
10:25 < n35xdxb0> i mean i don't want my vpn to go down, which it sometimes does, and end up leaking my actual ip address. pretty sure i'm not the only one who has this concern.
10:25 <@dazo> heh .... mattock: ^^^^ see hyper_ch's comment
10:25 < n35xdxb0> and this is the openvpn channel right?
10:25 < rob0> "leaking" how, to whom?
10:26 < n35xdxb0> rob0: really? you have no idea what i'm talking about?
10:26 < rob0> sigh
10:26 < n35xdxb0> rob0: what do you use vpn for?
10:26 <+hyper_ch> googlebot useragent is a nice way around paywall annoyance popups
10:26 < baconology> i found a typo at https://openvpn.net/index.php/open-source/documentation/howto.html#quick
10:26 <@dazo> n35xdxb0: you resolve that by configuring your firewall to only allow traffic on physical interfaces to your VPN server + DNS servers (unless you don't depend on hostnames and use IP addresses directly)
10:26 <@vpnHelper> Title: HOWTO (at openvpn.net)
10:27 <@dazo> n35xdxb0: and no need to get nasty .... rob0 knows very well when and how to use VPNs
10:27 <@dazo> as well does Dougy too
10:27 < rob0> n35xdxb0, I use VPNs for other purposes.  I don't assume that everyone has the same wants/needs.
10:27 < baconology> googlebot useragent is a nice way around paywall annoyance popups <--- interesting
10:28 <@dazo> +1
10:30 < n35xdxb0> rob0: what are those other purposes? some highly elevated specialised thing that makes you out to be a connoisseur? when you know very well tht the majority of ppl use vpn to bypass geoblocking
10:32 <@ordex> I am not sure about that
10:32  * ordex hides again - this was not important
10:33 <@dazo> n35xdxb0: like just having access to an office LAN from a remote location
10:33 < n35xdxb0> dazo: ssh?
10:33 <@dazo> n35xdxb0: or having more office sites and connect them together and make them be in the same logical network
10:34 <@dazo> n35xdxb0: samba/windows shares, intranet services, printers, DNS, database servers, etc, etc ... anything TCP/IP related most commonly (but not necessarily strictly that)
10:35 <@dazo> you can even have SIP running over the VPNs too
10:36 < n35xdxb0> dazo: and does your vpn connection ever fail?
10:37 <@dazo> n35xdxb0: on bad connectivity, yes ... otherwise I've never experienced that openvpn just dies by itself
10:37 <@ordex> dazo: if pesistent-tun is used, do the ip/routes survive? or do they get reset anyway?
10:37 < n35xdxb0> dazo: alright and when it dies, wouldn't it be nice to be able to set it to try to reconnect to the vpn, instead of trying to connect to something else?
10:38 <@dazo> n35xdxb0: I have 2x tunnels running 24/7, where I have front http/https caching reverse proxies and smtp gateways pushing data to/from servers behind VPNs and requires 24/7 connectivity
10:39 < rob0> n35xdxb0, your original question has been answered.  Perhaps you missed that?
10:39 <@dazo> ordex: if persistent-tun is used ... I've never experienced getting a different VPN IP address .... but I have also safe guarded my server VPN clients to have fixed IP addresses ... and I've never really exhausted the VPN IP address pool
10:39 <@ordex> dazo: yeah, but I meant: during the reconnection time, is the tun interface deconfigured?
10:40 <@dazo> ordex: not with --persist-tun
10:40 <@dazo> without ... openvpn needs to run with root privileges and it will tear-down and build up again the tun adapter, iirc
10:41 <@ordex> dazo: yup, with --persisten-tun
10:41 <@ordex> I wasn't sure if only the interface would stay up or if the entire configuration would survive too
10:41 < n35xdxb0> rob0: ye the firewall answer. thanks. but thought i'd make a point. don't like the way newbies are treated in some quarters. you can easily tell when joining a new channel, what type of atmosphere prevails
10:42 <@dazo> n35xdxb0: I don't understand your last question .... what should try to connect to what?  If the openvpn process dies, it dies.  It doesn't try to reconnect, as it have died.
10:42 < n35xdxb0> dazo: i give up mate. you know very well what i mean. but anyway
10:42 < n35xdxb0> i bow to your superior knowledge
10:42 < rob0> n35xdxb0, then we are even, as I do not like incomplete questions from rude, entitled clueless people.
10:42 <@dazo> n35xdxb0: if the connection itself dies, OpenVPN should by default try to reconnect to the same VPN server
10:42 < Kitty> ok, this is bizaar.
10:43 < Kitty> when did openvpn start logging in binary log files?
10:43 <@dazo> n35xdxb0: if you add more --remote options ... it will go through each of them until it have a connection
10:43 <@ordex> Kitty: never, but 'less' may think that perhaps. I have experienced that with other files
10:43 <@dazo> Kitty: !?!?  it never does that ... what do you mean?
10:43 < n35xdxb0> rob0: 'rude, entitled, clueless people' ???
10:44 < Kitty> [2.3.4-RELEASE][root@pfsense.localdomain]/var/log: less openvpn.log
10:44 < Kitty> "openvpn.log" may be a binary file.  See it anyway?
10:45 < Kitty> ok, apparently I have to use clog
10:45 < Kitty> some weird circular log format
10:45 < n35xdxb0> rob0: check my original questions. i rephrased it twice. ye, i don't know that much. but tht's the whole point of asking the question. really no need for snide remarks
10:45 <@dazo> n35xdxb0: hey, calm down .... you have been treated with respect here.  Your questions have not been too informing and you think we understand your questions better than we really are capable of
10:51 < n35xdxb0> okay basically, i use a vpn provider to hide my real public ip address when i browse the internet. it occassionally goes down. by 'goes down' i mean tht i end up connected to my wifi network without the vpn masking my ip address. i just wish it wouldn't do that. that's all. thanks for the help
10:52 <@dazo> n35xdxb0: and if your VPN client is configured correctly, it should reconnect automatically ... and to avoid any leakage, you need to configure the firewall
10:52 < Kitty> hurrah, I have useful logging enabled
10:54 < rob0> Also, by encouraging users to phrase questions better and to provide all necessary information, those users might begin to understand their issues better.  Offer void where taxed or prohibited, or where fragile feelings lead to fuss.
10:54 < n35xdxb0> dazo: ok, just realised my firewall was off. switched it on. what firewall do you use? ufw?
10:54 < Kitty> MULTI: bad source address from client [192.168.43.78], packet dropped
10:55 <@dazo> n35xdxb0: I despise ufw .... I use firewalld (not on gateways, with multiple interfaces) or iptables directly
10:55 <@dazo> ufw is the opposite of "user friendly" in my opinion
10:57 < n35xdxb0> dazo: ok thanks :0
10:57 < Kitty> does anyone know of a useful guide to how to fix the bad source address from client problem ?
10:57 < n35xdxb0> :)
10:57 <@dazo> Kitty: routing client LAN for the server side LAN to access?
10:57 <@dazo> most commonly, you need --iroute in a CCD file
10:58 <@dazo> !iroute
10:58 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
10:58 < Kitty> I don't get it
10:59 <@dazo> Kitty: bad source address means that the OpenVPN server doesn't know which VPN client the IP address belongs to.  So --iroute is a way to tell OpenVPN that "this IP range belongs to $this VPN client"
10:59 <@dazo> otherwise, when OpenVPN gets a packet it doesn't know where belongs, it just drops it
10:59 < Kitty> but why should it even be ending up near the openvpn server?
11:00 < Kitty> the only IP that the openvpn should know about is my client's IP ?
11:00 <@dazo> Kitty: depends on the configuration and routing setup
11:00 < Kitty> right, so I have 2 openvpn configs on the server, 1 uses udp and has ipv4 enabled.
11:00 < Kitty> right, so I have 2 openvpn configs on the server, 1 uses udp and has ipv6 enabled.
11:00 < Kitty> even
11:01 < Kitty> the other uses tcp, and doesn't have ipv6 enabled
11:01 < Kitty> the tcp one works fine
11:01 < Kitty> the udp one drops packets for a minute, works for a minute, drops packets for a minute, and so on
11:01 <@dazo> okay, that begins to smell like either MTU or just a crappy ISP somewhere which treats UDP packets poorly
11:02 < Kitty> I've tried it with different MTU's, with different ISP's and different clients
11:02 < Kitty> windows and linux both have it
11:02 < Kitty> tho my colleagues linux box is fine
11:03 <@dazo> smells more like your local side link then ... could be a router issue too ... but I don't have that much experience in this area of troubleshooting
11:05 < Kitty> right, I'm going to relocate to home so I can poke things from that network
11:05 < Kitty> thank you all for your help. Will do some more testing this evening
11:28 < baconology> actualyl the howto is full of mistakes
11:28 < baconology> it tells you to make a copy of /openvpn but it really means to make a copy of /easy-rsa
11:29 < baconology> in the sectoin where it talks about modifying 'vars'
11:29 < baconology> i believe
11:41 <+hyper_ch> baconology: where is a mistake?
11:47 < baconology> hyper_ch there are two
11:47 < baconology> 1) "For PKI management, we will use easy-rsa 2, "... is repeated twice
11:47 < baconology> for no reason
11:47 < baconology> and 2)
11:48 < baconology> If you are using Linux, BSD, or a unix-like OS, open a shell and cd to the easy-rsa subdirectory. If you installed OpenVPN from an RPM or DEB file, the easy-rsa directory can usually be found in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn (it's best to copy this directory to another location such as /etc/openvpn,
11:48 < baconology> this should reference copying easy-rsa since this is where VARS is
11:48 < baconology> isnt it?
11:48 < baconology> i think it should be saying (it's best to cp -pr /usr/share/easy-rsa /etc/easy-rsa)
11:49 < baconology> i am saying this based on having gone through like 6 tutorials now on installing openvpn, each of which is somewhat confusing, including this official howto one
11:49 < baconology> please pass on my thanks and suggestions to the documentation team
11:53 < baconology> also please let me knwo if I am correct onthis one
11:53 < baconology> just so i can keep going with the tutorial
11:57 < baconology> (especially because thsi section of the readme deals with generating certificates)
11:57 < baconology> starts to make me wonder if anyone who recommends these guides has actually followed them to any degree before telling people to RTFM
12:02 < Eugene> baconology - the HowTo is correct for the version it was written for, when easy-rsa was a part of the openvpn source tree. It is now a separate project
12:02 < rob0> I wouldn't put easyrsa in /etc/ ... I would make a non-privileged CA manager user and put it in that user's $HOME
12:02 < Eugene> Your patches are of curse welcome to improve documentation; senseless whining is not
12:04 < baconology> well it isn't senseless
12:04 < baconology> my whining makes sense
12:04 < Eugene> You may not feel that way, but remember that IRC lacks Emotion tags
12:04 < baconology> this is not accurate for v 2.2
12:04 < baconology> there is no vars in /openvpn
12:05 < baconology> i would suggest someone update this
12:05 < baconology> i'd do it myself but all i can do is whine about it, i guess
12:05 < baconology> thanks rob0
12:05 < Eugene> ( ͡°( ͡° ͜ʖ( ͡° ͜ʖ ͡°)ʖ ͡°) ͡°)
12:06 < baconology> i appreciate the help, even if my constructive criticism falls on deaf ears
12:06 <@dazo> baconology: at least getting a trac ticket about it would help us beware of these issues ... and someone who have the interest (or privileges if it is web-pages related) can do something about it
12:06 < baconology> dazo - love to, let me know where i can help
12:06 <@dazo> we won't remember wining ... we'll just complain about winers
12:06 < baconology> hey im just saying, you're confusing noobs.
12:07 < baconology> put yourself in the other person's shoes
12:07 <@dazo> baconology: and I won't be the first one to acknowledge that being a serious issue :)
12:07 < baconology> i know Eugene's feet may not fit...
12:07 < baconology> where can i submit a bugtrak?
12:08 < baconology> ill email the webmaster for you guys :)
12:08 <@dazo> https://community.openvpn.net/openvpn/  ... sign-up for an account if you don't have one (forum uses the same credentials) ... and click the "New Ticket" button on the menu
12:08 <@vpnHelper> Title: OpenVPN Community (at community.openvpn.net)
12:09 < baconology> cheers
12:09 <@dazo> baconology: provide URLs to where this misleading info is .... if it is on the wiki, you should have the privileges (once signed in) to make changes yourself, feel free to fix things there
12:09 < baconology> i'll just copy/paste email to webmaster@
12:10 < baconology> its sad to see someone coming down on me for reporting this stuff but i guess i'll deal with being the squeaky wheel
12:10 <@dazo> that won't help .... non of the community members who are most likely to do something don't have access to webmaster@
12:10 <@novaflash> hey guys
12:10 <@novaflash> do i hear someone talking shit about me?
12:10 <@dazo> ahh, novaflash have some privileges to do more stuff too :)
12:10 < Eugene> Your mother was a hamster and your father smelt of elderberries
12:11 <@dazo> novaflash: always when we don't think you pay attention!
12:11 <@novaflash> Eugene: you know a lot about my family history, very impressive
12:12 <@novaflash> so what's this about bad stuff on openvpn.net?
12:13 < baconology> not bad but inaccurate
12:13 < baconology> please scroll up to 12:41
12:13 <@dazo> baconology: url?
12:13 < baconology> ill email you
12:13 < baconology> pls msg email
12:13 < baconology> all the logs are there
12:14 < baconology> https://openvpn.net/index.php/open-source/documentation/howto.html
12:14 <@vpnHelper> Title: HOWTO (at openvpn.net)
12:14 < baconology> 1) "For PKI management, we will use easy-rsa 2, "... is repeated twice <-- issue #1
12:14 < baconology> ill msg u novaflash
12:15 <@dazo> novaflash: could we get that URL to redirect here ... https://community.openvpn.net/openvpn/wiki/HOWTO ?  Then we could get more community members to maintain it
12:15 <@vpnHelper> Title: HOWTO – OpenVPN Community (at community.openvpn.net)
12:16 <@dazo> baconology: funny .... that section have been improved in the community maintained howto
12:16 <@dazo> "For PKI management, we will use ​easy-rsa 2, a set of scripts which is bundled with OpenVPN 2.2.x and earlier. If you're using OpenVPN 2.3.x, you may need to download easy-rsa 2 separately from the ​easy-rsa-old project page. An easy-rsa 2 package is also available for Debian and Ubuntu in the OpenVPN software repos. On *NIX platforms you should look into using ​easy-rsa 3 instead; refer to its own documentation for details."
12:16 <@dazo> but that also should get updated
12:17 < baconology> i dont see that "
12:17 < baconology> "new ticket" at the community.openvpn.net/openvpn
12:17 < baconology> great i will use this HOWTO
12:17 < baconology> thanks
12:18 <@novaflash> dazo: yes, we can redirect  https://openvpn.net/index.php/open-source/documentation/howto.html to  https://community.openvpn.net/openvpn/wiki/HOWTO
12:18 <@vpnHelper> Title: HOWTO (at openvpn.net)
12:18 <@dazo> baconology: you need to sign-in to see the New ticket button ... we don't allow anonymous reports, as it gets tedious to get in touch with people when we have questions
12:18 <@novaflash> i will bring it up with andrew and see what he says
12:18 <@dazo> and then people complain about us closing tickets due to lack of responses
12:19 <@dazo> novaflash: thx!
12:20 <@dazo> baconology: have you seen the Getting Started HOWTO?  I wrote that as a more guided approach for configuring openvpn ... https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
12:20 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
12:20 < baconology> gotcha, logged in
12:20 < baconology> thanks
12:20 < baconology> i did dazo
12:21 < baconology> i dont htink ith as enough information for me to deploy from nothing
12:21 < baconology> as a layperon
12:21 < baconology> having modified vars a number of times, it is good though
12:21 <@novaflash> baconology: well for easy deployment there's access server
12:21 <@dazo> baconology: what kind of information is lacking?
12:21 <@novaflash> i'm going to bring this up with Samuli, he apaprently manages the open source pages on the official www.openvpn.net website.
12:21 <@novaflash> dazo ^
12:22 <@dazo> novaflash: thx .... I believe I've already discussed this with him ... but probably ended up in a void somewhere between tasks
12:22 < baconology> dazo - i read it, then i ended up on the howto because I needed help from like.. time 0
12:23 < baconology> this is a good reference but i needed a little more handholding
12:23 < baconology> actually its very good
12:23 < baconology> let me re-read it before i judge it
12:24 < baconology> !howto
12:24 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
12:24 <@novaflash> is baconology a religion i can join?
12:24 <@dazo> okay :)  I tried the hand-holding approach, which I felt lacked in the old howto :)
12:24 < baconology> novaflash - it is more of a philosophy
12:24 < baconology> dazo - let me try again with it buddy
12:24 <@dazo> thx!
12:24 <@novaflash> no bacon sacrificies?
12:24 <@novaflash> sacrifices *
12:24 < baconology> novaflash - i am the director of baconology, at the institute of the same name
12:25 < baconology> i am the world's first Doctor of Baconology
12:25 < baconology> i should sell fake degrees online
12:25 <@novaflash> " Convert, and bacon will lead you to salivation"?
12:25 < baconology> lol irl
12:25 < baconology> i just cooked 6 pounds of it yesterday
12:25 <@dazo> "Convert and bacon will never leave you hungry"
12:25 < baconology> it is all now par-cooked and frozen, ready for microwaving or pizzas
12:26 < baconology> dazo see this doesn'ts seem to have anything in it about copying easy-rsa
12:26 < baconology> but i see you've linked to v3 setup
12:26 < baconology> which maybe is a smart thing today
12:26 < baconology> to do
12:27  * baconology rubs hands together and gets started
12:27 < baconology> thanks all
12:28 <@novaflash> have fun
12:38 < baconology> dazo, my first issue as a noob is finding where apt installed openvpn so that i can ./openvpn on it
12:38 < baconology> so i've had to go to the other howto
12:42 <@dazo> ahh! getting the package installed .... okay, that's reasonable to include
12:42 <+hyper_ch> if you install it by apt, then it will be in your $PATH
12:42 <@dazo> or at least point at a page "How to get OpenVPN installed"
12:42 <+hyper_ch> so no need to ./openvpn
12:42 <@dazo> yeah
12:42 < baconology> ah
12:43 < baconology> root@server:/etc/easy-rsa# echo $PATH
12:43 <+hyper_ch> dazo: not touching freeswitch for almost 4 years and now I have everything forgotten :(
12:43 < baconology> ./usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
12:43 < baconology> thats echo $PATH with a . infront cuz irc
12:44 <@dazo> baconology: you generally only need './' whenever you want to access something in your current directory
12:44 < baconology> sorry i meant to say, i dont know the directory where openvpn is installed
12:45 < baconology> so im not sure how to run it
12:45 <+hyper_ch> baconology: which openvpn
12:45 <+hyper_ch> run that command
12:45 <@dazo> baconology: how did you install openvpn?  apt install openvpn ?
12:45 < baconology>    # openvpn --config myvpn.conf
12:45 < baconology>     # openvpn myvpn.conf
12:45 <@dazo> baconology: has hyper_ch says ... just do:  openvpn --version
12:45 < baconology> that section ^^^
12:45 < baconology> ah, it will work?
12:45 <@dazo> that doesn't say ./ at all ;-)
12:45 < baconology> right it doesnt
12:45 <@dazo> you can do:  which openvpn
12:46 < baconology> openvpn straight up works
12:46 < baconology> oh ive been using locate
12:46 < n35xdxb0> sudo apt-get install network-manager-openvpn
12:46 < baconology> much better
12:46 < n35xdxb0> for baconology
12:46 < baconology> what's that do buddy?
12:46 < baconology> ill check it out
12:46 <@dazo> n35xdxb0: that's for clients ... if configuring a server, that won't fly
12:46 <+hyper_ch> baconology: locate uses a fixed database... if you added new stuff, you'll first need to manually udpated it using    updatedb    or wait till cron does that
12:47 < baconology> thanks gents/ladies
12:47 < n35xdxb0> dazo: how come you're being nice to him, and weren't being nice to me? :)
12:47 <@novaflash> shit man baconology has got so much help now there's no way he can succeed now
12:47 <@dazo> and `which` tells you which location is used for the binary
12:47 <@novaflash> n35xdxb0: dazo is evil
12:47 <+hyper_ch> n35xdxb0: dazo usually rolls a dice
12:47 -!- n35xdxb0 was kicked from #openvpn by dazo [This is being not nice]
12:47 <+hyper_ch> n35xdxb0: on a 6 he is nice to the person
12:47 < baconology> you can be mean to me
12:47 <@novaflash> haha
12:47 <@novaflash> fantastic
12:47 < baconology> lol i've seriously done this 6 times
12:47  * ecrist considers /kick *
12:47 -!- mode/#openvpn [+o Eugene] by ChanServ
12:47 -!- ecrist was kicked from #openvpn by Eugene [*]
--- Log closed Mon Oct 02 12:47:59 2017
--- Log opened Mon Oct 02 12:48:09 2017
12:48 -!- Irssi: #openvpn: Total of 305 nicks [9 ops, 0 halfops, 5 voices, 291 normal]
12:48 -!- mode/#openvpn [+o ecrist] by ChanServ
12:48 -!- Irssi: Join to #openvpn was synced in 4 secs
12:48 <@dazo> lol
12:48 <@novaflash> well
12:48 < baconology> this is why i cant spot mistakes in howtos :P
12:48 <+hyper_ch> still no news from krzee?
12:48 < baconology> until i find one i can't spot lol
12:48 <@novaflash> it's the good old days of 1989 all over again
12:48 <@novaflash> no idea, haven't heard from that krzee sob in a long time
12:48 < n35xdxb0> dazo: ok. i think you made your point :)
12:49 <@novaflash> n35xdxb0: maybe you'll get lucky when he rolls his "niceness" dice again now
12:49 <@ecrist> Eugene: .
12:49 < Eugene> OpenVPN & Dragons?
12:49  * Eugene ecrist 
12:49 <@novaflash> Tunnels and Dragons
12:49 < Eugene> I cast AES-GCM-256
12:49 < n35xdxb0> novaflash: i'd rather not risk it. i'm just going to stick to reading. until i can surpass dazo in knowledge. become a moderator, and proceed to kick him myself. :D
12:50 -!- mode/#openvpn [+o n35xdxb0] by ecrist
12:50 <@novaflash> hm it is not effective, it is not in the allowed ciphers list, you connection is denied
12:50 <@novaflash> your *
12:50  * ecrist waits for it
12:50 <@dazo> ecrist plays with fire
12:51 -!- dazo was kicked from #openvpn by ecrist [watch it burn!]
12:51 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
12:51 -!- mode/#openvpn [+o dazo] by ChanServ
12:51 <@novaflash> oh oh
12:51 <@n35xdxb0> hahah
12:51 <@novaflash> that reminds me ecrist
12:51 <@novaflash> i found a dns entry for 'forum.openvpn.net'
12:51 <@novaflash> which goes nowhere
12:51 <@ecrist> novaflash: iirc, that should have been a CNAME for forums.openvpn.net
12:51 <@novaflash> wanna set it up so it goes to forums.openvpn.net server and redirects you automatically?
12:51 <@novaflash> should have but isn't, i think
12:52 <@novaflash> points to a different ip and doesn't respond to anything there
12:52 -!- mode/#openvpn [-o n35xdxb0] by ecrist
12:52 < n35xdxb0> ecrist: novaflash  so mods can actually kick eachother? surely tht's a recipe for disaster
12:53 <@novaflash> n35xdxb0: oh yeah they can kick the shit out of each other
12:53 <@ecrist> see?
12:53 -!- novaflash was kicked from #openvpn by ecrist [novaflash]
12:53 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
12:53 -!- mode/#openvpn [+o novaflash] by ChanServ
12:54  * novaflash rubs my painful butt
12:54 <@dazo> did we loose baconology's attention now?
12:54 <@novaflash> not the steel toed boots
12:54 <@novaflash> congratulations; you have confused the enemy
12:54 <@ecrist> I was just wondering if your feelings were hurt, dazo. :)
12:54 < baconology> sorry i am following the howto
12:54 <@novaflash> he doesn't have feelings to hurt
12:55 <@novaflash> he's a vulcan
12:55 <+hyper_ch> oh damn.... I think I should install the FreeSWITCH server completely anew
12:55 <@novaflash> hyper_ch: keeps you busy
12:55 <@dazo> ecrist: every time anyone speaks to me ....!
12:55 <+hyper_ch> I installed that like 6 years ago
12:55 <+hyper_ch> haven't touched it for like 4 years
12:55 <@novaflash> ecrist: want me to set forum.openvpn.net to redirect to same ip as forumS.openvpn.net? i'm in the control panel now
12:55 <+hyper_ch> now I have no clue anymore what to do :)
12:55 < n35xdxb0> baconology is following the howto. i think he's been succesfully converted
12:56 <+hyper_ch> Trust the Howto
12:56 <@novaflash> more like successfully lead astray
12:56 <@dazo> the question is ... which how-to!?
12:56 <+hyper_ch> dazo: there's more than one out there?
12:57 <@dazo> hyper_ch: we discovered there is a difference between the ones on openvpn.net and community.openvpn.net (the latter one being more up-to-date)
12:57 <@dazo> plus, there is my reboot of a how-to too
12:57 <@dazo> !howto
12:57 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
12:57 <@dazo> ahh, *that* needs to be updated
12:58 <@novaflash> yeah need to get samuli to update that page or something
12:58 <@ecrist> novaflash: yes.  we may need to do some vhost changes, but I can do that, unless you want to handle it?
12:58 <+hyper_ch> dazo: how about doing this:  anyone who updates the howto will get a free copy of the openvpn community software package?
12:58 <@novaflash> ecrist; i can handle the dns if you can handle the vhosts redirection shit?
12:58 <@dazo> hyper_ch: lol!
12:58 <@ecrist> sure
12:58  * n35xdxb0 is thinking more kicking is about to occur
12:58 <@novaflash> okay done
12:58 -!- novaflash was kicked from #openvpn by novaflash [novaflash]
12:58 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
12:59 -!- mode/#openvpn [+o novaflash] by ChanServ
12:59 <+hyper_ch> giving stuff away for free is a good incentive :)
12:59 -!- n35xdxb0 was kicked from #openvpn by dazo [as requested]
12:59 <@novaflash> you're too nice dazo
12:59 <@dazo> well, you asked for some more kicks
12:59 <@dazo> All I did was to comply!
12:59 <+hyper_ch> still can't access openvpn.net with GoogleBot as UA
13:00 <+hyper_ch> I thought google punishes sites that show different versions for enduser and bot
13:00 <+hyper_ch> "
13:00 <+hyper_ch> Sorry, you have been blocked
13:00 <+hyper_ch> You are unable to access openvpn.net
13:00 <@novaflash> huh
13:01 <+hyper_ch> set your useragent to googlebot, go to openvpn.net ;)
13:01 <@novaflash> that may be cloudflare doing that tbh
13:01 <@novaflash> y tho i dunno
13:02 <@ecrist> novaflash: I've updated/HUPped apache
13:02 <@dazo> !forget howto *
13:02 <@dazo> !learn howto as OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO
13:02 <@dazo>  PLEASE READ IT!
13:02 <@dazo> !learn howto as  Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
13:02 <@vpnHelper> Joo got it.
13:02 <@vpnHelper> Joo got it.
13:02 <@vpnHelper> Joo got it.
13:02 <@dazo> !howto
13:02 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
13:02 <@dazo> meh
13:02 <@novaflash> ecrist: hurray
13:02 <@ecrist> what was howto?
13:02 <@dazo> !forget howto *
13:02 <@dazo> !learn howto as OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO  PLEASE READ IT!
13:02 <@dazo> !learn howto as  Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
13:02 <@vpnHelper> Joo got it.
13:02 <@vpnHelper> Joo got it.
13:02 <@vpnHelper> Joo got it.
13:02 <@novaflash> ecrist; works
13:02 <@novaflash> coolio
13:02 <@dazo> !howto
13:02 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
13:02 <@ecrist> novaflash: I've earned my pay today, I guess.
13:02 <@dazo> bloody hell
13:02 <@novaflash> stop spamming dazo, geez
13:03 < n35xdxb0> novaflash: i know right?
13:03 <@novaflash> ecrist: yes, you deserve a beer
13:03 <@dazo> !forget howto *
13:03 <@vpnHelper> Joo got it.
13:03 <@dazo> !learn howto as OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO  PLEASE READ IT!
13:03 <@vpnHelper> Joo got it.
13:03 <@dazo> !learn howto as  Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
13:03 <@vpnHelper> Joo got it.
13:03  * hyper_ch steals ecrist's pay
13:03 <@dazo> !howto
13:03 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
13:03 <@dazo> better
13:03 <@dazo> ecrist: it pointed at the how-to on openvpn.net .... which was outdated + your mirror of it, which was even older
13:04 <@ecrist> ahh
13:04 <+hyper_ch> nah, it's not outdated
13:04 <@dazo> so it turns out we have 3 different versions :)
13:04 <+hyper_ch> it's to make sure people don't just simply copy'n'paste but also do think about what they're doing ;)
13:04 <@dazo> lol
13:04 <@dazo> hyper_ch: I so _wish_ that was true :)
13:04  * n35xdxb0 is thinking it should be changed to "why follow a howto when you can just ask @dazo?"
13:04 <+hyper_ch> and understand things
13:04 <@novaflash> it's not outdated, it's just aged. aged documentation is tastier.
13:05 <@novaflash> n35xdxb0: i will write a how-to. how-to ask dazo?
13:05 <+hyper_ch> +1
13:05 < n35xdxb0> novaflash: haha
13:05 < n35xdxb0> novaflash: "how-to ask dazo... without getting kicked"
13:05 <@novaflash> step 1; do not ask to be kicked. do not tempt him into kicking you. do not mention the word kick. do not think it. oops no... there you went. bad start. try again.
13:06 <@dazo> novaflash: oh .... you probably need a lifetime to complete it ... to ensure you cover all my various quirks
13:06 <@novaflash> actually i just use a short cut
13:06 <@dazo> "Don't try to ask dazo"?
13:06 <@novaflash> crate of beer if you point me to the right page in the docs
13:06 <@novaflash> did it work?
13:07 <+hyper_ch> 1.
13:07 <+hyper_ch> 1. Rule about Dazo: Do not talk about Dazo
13:07 <@novaflash> oh kick club
13:07 <@dazo> 2. Dazo does not exist
13:07 <@dazo> 3. If you think you see Dazo .... see #2
13:08 <+hyper_ch> it's been a long time since I last saw Fight Club
13:27 -!- mode/#openvpn [+o rob0] by ChanServ
13:27 -!- rob0 was kicked from #openvpn by rob0 [duh]
13:43 < kishmesh> so in order to harden my openvpn client I can a) run it as unprivileged user (user,group setting), b) use chroot ... which one is better? would it be possible to combine both?
13:44 < n35xdxb0> will rob0 ever find his way back?
13:46 < kishmesh> "unprivieleged chroot" is probably hard to combine. "unprivileged" needs sudo, how to get that into chrooted environment?
14:04 -!- dionysus70 is now known as dionysus69
14:17 < rudi_s> kishmesh: Normally you run as root and openvpn drops privs to configured user, this can be combined with chroot (it chroots first, drops privs second).
14:21 < kishmesh> rudi_s: ok, but doesn't it try to add/del when in unprivileged state?
14:28 < rudi_s> kishmesh: add/del?
14:29 <@dazo> kishmesh: if you use systemd ... use openvpn-client@CONFIGNAME + --user/--group with openvpn and --chroot
14:30 <@dazo> kishmesh: and ensure you have --persist-tun in config too
14:30 < onitlikesonic> Hi all, i have a case where my client connections are duplicating
14:30 <@dazo> the systemd openvpn-{server,client}@.service unit files adds a few more hardening details, removing capabilities it really does not need
14:31 < onitlikesonic> well in fact they keep increasing in number... all i see in logs is Mon Oct  2 19:24:25 2017 TCP: connect to [AF_INET]10.10.10.10:443 failed, will try again in 5 seconds: Connection timed out
14:31 < onitlikesonic> i purposedly cut the connection to the server to reproduce this growth in connections
14:31 < onitlikesonic> how can i avoid the process list growing liek crazy when the client is not able to communicate with the server ?
14:32 < onitlikesonic> is it a known problem ?
14:32 <@dazo> onitlikesonic: such a problem does not exist in openvpn itself ... it never "duplicates" itself
14:34 < onitlikesonic> strange, i'm observing justthat
14:34 <@dazo> (I understand "duplicate" as the number connections to a server multiplies, as if more clients gets started)
14:34 < onitlikesonic> yeah i have multiple processes running
14:34 < onitlikesonic> o nthe client
14:34 <@dazo> which distro?
14:34 < onitlikesonic> ubuntu 14.04
14:35 <@dazo> smells like you have some monitoring tool kicking off things for you
14:35 <@dazo> and this is the client side where this happens?
14:35 < onitlikesonic> dazo: that is a possibility
14:35 < onitlikesonic> client side yes
14:36 <@dazo> there is a re-connect logic which OpenVPN makes use of ... so if the connection fails, it will try to reconnect at some intervals ... but never like it spawns of more processes; that needs to happen outside of openvpn
14:36 <@dazo> spawns *off* more processes
14:40 < kishmesh> rudi_s: yes, for example, when I ctrl-c my running vpn client, I see messages like "Linux route delete command failed: external program exited with error status: 2; /bin/ip route del 192.168.178.128/25; RTNETLINK answers: Operation not permitted"
14:40 < kishmesh> dazo: using openrc here
14:41 < onitlikesonic> dazo: i have monit keeping an eye on openvpn for me
14:41 < kishmesh> dazo: "persist tun" has been enabled
14:42 < onitlikesonic> that might be  the cause yes but end of the day its just using the openvpn init scripts to start and stop
14:42 < onitlikesonic> so it should not "pile up" ...
14:46 < onitlikesonic> dazo: is there a way i can set the number of retries it makes before openvpn giving up ? Then it would kill its process and monit could take over
14:46 <@ecrist> --retry
14:48 < onitlikesonic> ecrist: what would that look like on the .conf file? just "retry 2" for example ?
14:48 < onitlikesonic> dont see it in docu
14:56 < baconology> whats the best way to list al lthe keys in the db?
14:57 < baconology> for example if i ./build-key alradyExists and try to sign it fails with error #2
14:57 < baconology> is there an easy way to revoke this for example
14:57 < baconology> this is more of an easy-rsa question i guess but that chan is invite only
15:26 < baconology> also when it comes to client.conf pointing to the key files, if these are going to be windows clients, then I assume that path in the client.conf needs to be a windows path to the .crt and .key files on the client machine?
15:30 < Eugene> Yes, but if you're going to be handing-out a .ovpn config file consider using the inline syntax, <cert>
15:31 < Eugene> I typically do my user-facing rollouts with just a CA+tls-auth(hmac) key, and require users to do auth-user-pass. It works OK in the Windows GUI, and NetworkManager isn't too pants-on-head about it
15:33 < baconology> found this on revoking: https://openvpn.net/index.php/open-source/documentation/howto.html#revoke
15:33 <@vpnHelper> Title: HOWTO (at openvpn.net)
15:37 < azarus> I'm using an openvpn client on linux, and it's leaking DNS. How can I prevent this?
15:38 < azarus> I tried manually adjusting /etc/resolv.conf, to no avail.
15:38 < onitlikesonic> seems one of these solved my problem remap-usr1 SIGTERM / connect-retry-max 2 / single-session / tls-exit
15:38 < onitlikesonic> now just need to find which
15:39 < Eugene> !resolvconf
15:39 < Eugene> !dns
15:39 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
15:39 < Eugene> !pushdns
15:39 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for
15:39 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
15:39 < Eugene> Set up pull-resolv-conf script mentioned, usually does what you want
15:54 < azarus> Thank you, Eugene.
15:56 < baconology> Mon Oct  2 16:49:45 2017 IFCONFIG POOL LIST
15:56 < baconology> Mon Oct  2 16:49:45 2017 Initialization Sequence Completed
15:56 < baconology> WOO HOO
15:56 < baconology> BOYS i think it started.
15:56  * baconology rubs hands together
16:06 < baconology> weird my .crt files have 0 bytes
16:06 < baconology> wonder what i've done wrong
16:09 < kishmesh> to establish a vpn connect, does it require icmp?
16:09 < Eugene> No, but it is certainly helpful to have ICMP enabled on any IP-connected device for troubleshooting and anybody who disables it without proper technical justification should be liquidated
16:11 < R1220> hi!
16:11 < R1220> I could use some help
16:11 < Eugene> !help
16:11 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
16:11 < Eugene> !welcome
16:11 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
16:11 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
16:12 < baconology> Mon Oct 02 17:05:52 2017 read UDP: Unknown error (code=10054) on the client side
16:12 < baconology> any idea what this means?
16:13 < Eugene> IIRC that is a timeout/reset error code?
16:13 < Eugene> What's the server log say
16:19 < baconology> i've got my log file at https://pastebin.com/DgLaj9vM
16:19 < baconology> if anyone has any ideas about this 10054 on windows
19:19 -!- abenz_ is now known as abenz
20:08 < kishmesh> does anybody know if there is an "update-resolv" script for openvpn client on debian? couldn't really find anything on the net.
20:08 < kishmesh> :-/
20:57 < rob0> what is the problem/need?
20:57 < rob0> If it's "can't use ISP resolvers through a redirected gateway," just don't use ISP resolvers at all.
20:58 < rob0> "echo 'nameserver 8.8.8.8'> /etc/resolv.conf", and configure your DHCP client to leave resolv.conf alone.
20:59 < rob0> If it's "need to resolve internal/VPN names while connected," see:
20:59 < rob0> !dnsmasq
20:59 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
21:00 < rob0> Anyway, to answer your question as posed, although it's the wrong question: there is nothing specific to openvpn nor Debian in that, and the package name is "resolvconf".
--- Day changed Tue Oct 03 2017
00:00 < Eugene> !pushdns
00:00 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for
00:00 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
00:00 < Eugene> kishmesh ^
03:39 < Kitty> well this is fun
03:39 < Kitty> a fully working config I had yesterday
03:39 < Kitty> today
03:39 < Kitty> doesn't work
03:39 < Kitty> 100% packet loss...
03:57 -!- |Mike| [~mike@178.255.49.239] has quit [Ping timeout: 252 seconds]
03:59 -!- |Mike| [~mike@178.255.49.239] has joined #openvpn
06:17 -!- abenz__ is now known as abenz
06:38 < |Mike|> Kitty: logs!
06:38 < |Mike|> and configs
06:40 < Kitty> my pfsense box has locked up, am waiting for 1730 to reboot it
06:40 < Kitty> then I will see what I can do with logs
06:41 <+hyper_ch> hmmm, ZFS compression doesn't seem to work well on vido files
06:43 -!- abenz__ is now known as abenz
06:59 <+hyper_ch> krzie: https://freedom-to-tinker.com/2017/09/28/i-never-signed-up-for-this-privacy-implications-of-email-tracking/
07:03 < oriceon> Hi there.
07:03 < oriceon> What this notice means? "UDP link local: (not bound)"
07:03 <+hyper_ch> hi
07:04 < oriceon> And another little question :) How can i increase openvpn speed. I connected to our vpn and have 13 Mbps download / upload
07:04 < oriceon> isn`t slowly?
07:05 <+hyper_ch> is it internet or intranet?
07:06 < oriceon> internet
07:07 <+hyper_ch> get better provider
07:07 <+hyper_ch> make sure the cpu can handel all the encryption
07:08 <+hyper_ch> use proper mtu size
07:08 < oriceon> as equipment we build lede with openvpn on a TP-Link 1043 v4
07:08 < oriceon> it should be ok as a router?
07:09 < oriceon> to support more than 13 Mbps ?
07:09 <+hyper_ch> no idea what lede is
07:09 <+hyper_ch> no idea what tp-link 1043
07:09 < oriceon> Lede is old OpenWrt or somethin
07:09 <+hyper_ch> no idea what cpu it has
07:09 <+hyper_ch> does it support aes-ni? that improves speed by a lot
07:10 < oriceon> https://lede-project.org/toh/hwdata/tp-link/tp-link_tl-wr1043nd_v4
07:10 < oriceon> CPU MHz: 750
07:10 < oriceon> Qualcomm Atheros QCA9563
07:10 <+hyper_ch> no idea how much that can handle
07:11 <+hyper_ch> try for testing openvpn without encryption cipher
07:12 < oriceon> also is it a problem that i use dh4096 ?
07:12 < oriceon> the bigest one
07:12 <+hyper_ch> that's only for initical connection I think
07:13 <+hyper_ch> but not really sure
07:13 <+hyper_ch> as said, try without any cipher and see what speeds you get
07:13 < oriceon> let me try, one sec
07:13 <+hyper_ch> cipher none
07:13 <+hyper_ch> and then use something like iperf through the tunnel
07:14 <+hyper_ch> and also test without tunnel what speed you get
07:14 <+hyper_ch> if they're about the same, then it's the encryption
07:15 < oriceon> so in openvpn config i commented  option cipher 'AES-256-CBC'
07:15 < oriceon> and in local config also
07:15 < oriceon> i restarted openvpn and same
07:15 < oriceon> 13 ping
07:15 < oriceon> 13 Mbps up/down
07:16 < oriceon> or to set cipher none ?
07:16 <+hyper_ch> cipher none
07:16 < oriceon> only in local-client config?
07:16 <+hyper_ch> both
07:17 < oriceon> WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1574'
07:17 < oriceon> WARNING: 'cipher' is used inconsistently, local='cipher [null-cipher]', remote='cipher BF-CBC'
07:17 < oriceon> WARNING: 'keysize' is used inconsistently, local='keysize 0', remote='keysize 128'
07:18 < oriceon> after i connected i receive that
07:18 < oriceon> and speed is same
07:18 <+hyper_ch> then you have not cipher none in both
07:18 < oriceon> let me check again
07:18 <+hyper_ch> what speeds do you get by direct connection - not through the tunnel?
07:18 <+hyper_ch> from where to where do you send thata? is it two clients
07:18 <+hyper_ch> or client to server
07:19 < oriceon> https://pastebin.com/mqRjbwCb
07:19 < oriceon> can you have a look at server config
07:19 < oriceon> ?
07:19 <+hyper_ch> server and client config
07:20 < oriceon> one sec, i`ll paste client too
07:20 <+hyper_ch> !tunortap
07:20 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
07:20 <@vpnHelper> rooted/jailbroken) support only tun
07:20 < oriceon> https://pastebin.com/rnQHAL1P client config
07:20 <+hyper_ch> why is there everything prefixed with option?
07:21 < oriceon> maybe to appear on luci-app-openvpn ?
07:21 < oriceon> not sure
07:21 <+hyper_ch> omnia turris?
07:21 <+hyper_ch> turris omnia I mean
07:22 <+hyper_ch> and I still don't know what your speed with directly to the server - not through the tunnel
07:22 <+hyper_ch> server config has comp-lzo no
07:22 <+hyper_ch> but client has it activated
07:23 < oriceon> i specified now  option cipher none and warnings dissapear
07:23 < oriceon> but same speed :)
07:23 <+hyper_ch> use tun, not tap
07:23 <+hyper_ch> and I still don't know what your speed with directly to the server - not through the tunnel
07:23 <+hyper_ch> how do you even measure the speed? do you use iperf?
07:24 < oriceon> with speedtest
07:24 <+hyper_ch> forget speed test
07:24 <+hyper_ch> use iperf
07:24 < oriceon> one sec
07:24 < oriceon> if i want all trafic from my pc to be over the vpn is not ok to use tap ?
07:25 <+hyper_ch> !tunortap
07:25 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
07:25 <@vpnHelper> rooted/jailbroken) support only tun
07:28 < oriceon> ERROR: --dev tun also requires --ifconfig
07:29 <+hyper_ch> still waiting for iperf speed with and without vpn tunnel
07:29 < oriceon> can you tell me a cmd example ?
07:31 < kevr> hello.
07:32 < kevr> My openvpn server is configured to create a tun interface, as is my client-side configuration. This works great. But I'd also like to create a connected tap interface to the tun. I don't have access to the server side, so I can't set it to 'tap' mode
07:32 < kevr> Is there a guide I can use to manually create a tap interface and attach it to the openvpn's tun interface?
07:32 <+hyper_ch> oriceon: on server:   iperf -s      on client:    iperf -c IP    --> uses by default tcp 5001
07:33 <+hyper_ch> !tunortap kevr
07:33 <+hyper_ch> !tunortap
07:33 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
07:33 <@vpnHelper> rooted/jailbroken) support only tun
07:33 <+hyper_ch> you sure you want tap?
07:34 < kevr> hyper_ch: I need to connect VMs to my vpn network, I don't necessarily care if the transport between server and client is tun
07:34 < kevr> I'm using tun right now for my transport.
07:34 <+hyper_ch> kevr: then setup openvpn for them as well
07:35 < kevr> I don't have access to the server.
07:35 < kevr> So I can't set it to tap mode.
07:35 < kevr> I can only configure my client side.
07:35 <@ecrist> kevr: we can't really help you then.
07:35 <+hyper_ch> make the VMs clients as well
07:35 <@ecrist> You should talk to the server owner.
07:35 < kevr> So, hold on
07:35 < nbastin> kevr: you would have to NAT the VMs into your tunnel, since you need your side to make them all look like one host
07:35 < nbastin> (not an openvpn question at this point)
07:36 < kevr> I should be able to forward these packets over, should I not? tun completely loses all of the ethernet frames, aye
07:36 < kevr> that's why i can't do it?
07:36 < kevr> nbastin: yeah, that's what i'm trying to do
07:36 < nbastin> kevr: you certainly can, but that's a local host configuration issue, nothing to do with openvpn
07:36 < kevr> gotcha. no one has replied in #networking about it, so i thought i'd give it a shot here.
07:36 < kevr> thanks.
07:37 < nbastin> I can jump over there to try to help you.. :-)
07:37 < oriceon> hyper_ch: from client unable to connect to server: Connection refused
07:37 <+hyper_ch> tcp 5001
07:37 < oriceon> i installed and started on server with operf -s
07:37 < oriceon> and is ok
07:37 <+hyper_ch> that's the port
07:38 <+hyper_ch> and it's iperf -s
07:38 <+hyper_ch> is that port open?
07:38 < oriceon> iperf3 -c IP -p 5001
07:38 < oriceon> is ok? from client..
07:38 < oriceon> Server listening on TCP port 5001
07:38 <+hyper_ch> -p 5001 can be omitted
07:39 <+hyper_ch> can you give me the ip of the server?
07:39 < oriceon> [4] local SERVER IP port 5001 connected with CLIENT port 50263 (peer 86.24940.25966-unk)
07:39 < oriceon> [4]  0.0- 0.0 sec  37.0 Bytes  32.5 Kbits/sec
07:39 < oriceon> on server
07:40 < oriceon> even if on client told me that unable to connect
07:40 <+hyper_ch> so port is not open
07:40 <+hyper_ch> there's a firewall
07:40 < oriceon> ok, one sec
07:40 < oriceon> to cut it
07:42 < oriceon> i should add a trafic rule
07:42 < oriceon> but is complicated
07:43 < oriceon> [ ID] Interval       Transfer     Bandwidth
07:43 < oriceon> [  4]  0.0- 0.0 sec  37.0 Bytes  50.9 Kbits/sec
07:43 < oriceon> without connection
07:45 < oriceon> iperf3: error - received an unknown control message
07:45 < oriceon> but on client still cry with error :)
07:45 <+hyper_ch> unable to connect
07:45 <+hyper_ch> connection refused
07:45 <+hyper_ch> so please fix that first
07:46 <+hyper_ch> check what actual speeds you get between you and your server
07:46 < oriceon> Any tcp, udp
07:46 < oriceon> From any host in wan
07:46 < oriceon> To any router IP at port 5001 on this device
07:46 <+hyper_ch> and then check waht actual speeds you get through the tunnel
07:46 < oriceon> seems to be ok as a opened port
07:47 < oriceon> here where i am i have gigabyte connection
07:47 < oriceon> and server is in other location
07:47 < oriceon> with 500 Mbps connection
07:50 < oriceon> wait a little to try to fix with the connection
07:50 < oriceon> to google a little
07:50 <+hyper_ch> I get this on my gigabit home -> gigabit office (same isp):
07:50 <+hyper_ch> Client connecting to 10.10.11.1, TCP port 5001
07:50 <+hyper_ch> TCP window size: 45.0 KByte (default)
07:50 <+hyper_ch> ------------------------------------------------------------
07:50 <+hyper_ch> [  3] local 10.10.11.91 port 50552 connected with 10.10.11.1 port 5001
07:50 <+hyper_ch> [ ID] Interval       Transfer     Bandwidth
07:50 <+hyper_ch> [  3]  0.0-10.0 sec   758 MBytes   635 Mbits/sec
07:52 < oriceon> hmm
07:52 <+hyper_ch> however, performance drops a lot if I connect to a vm in the vpn that's hosted by the vpn server
07:52 <+hyper_ch> Client connecting to 10.10.11.5, TCP port 5001
07:52 <+hyper_ch> TCP window size: 45.0 KByte (default)
07:52 <+hyper_ch> ------------------------------------------------------------
07:52 <+hyper_ch> [  3] local 10.10.11.91 port 40318 connected with 10.10.11.5 port 5001
07:52 <+hyper_ch> [ ID] Interval       Transfer     Bandwidth
07:52 <+hyper_ch> [  3]  0.0-10.0 sec   112 MBytes  94.3 Mbits/se
07:52 < oriceon> 112 is enought for what i need
07:52 < oriceon> is more that 13 ..
07:52 < oriceon> :)
07:52 < oriceon> but i guess this depends the cpu and router
07:52 < oriceon> ...
07:52 < oriceon> :(
07:53 <+hyper_ch> and that's not running vpn on a router
07:53 <+hyper_ch> but actual computers
07:53 <+hyper_ch> forwarding the traffic taxes the server a lot more so performance drops
07:53 <+hyper_ch> so, test first your speed without tunnel
07:53 <+hyper_ch> then with tunnel but no cipher
07:53 <+hyper_ch> and finally test ciphers
07:57 <+hyper_ch> and I still haven't optimized mtu size
07:58 < oriceon> ya, but still i`m in connection refused
07:58 < oriceon> let me see on router how can i open dam 5001 port :)
07:59 <+hyper_ch> fix your firewall
07:59 <+hyper_ch> please don't query anymore
07:59 <+hyper_ch> it's annyoing as it takes focus away
07:59 <+hyper_ch> and still: connection refused
07:59 <+hyper_ch> fix your firewall
08:26 < Fenikkusu> I wonder if someone might point me in the right direction here. I've already got ovpn set up on one of the computers in my house. This works well enough for me to remotely join my network. However, I've also considered setting up my router to use an outgoing VPN for general internet usage. The problem is, understandably, that the second I enable my routers vpn, I no longer can make the full connection to ov
08:26 < Fenikkusu> pn. I'm wondering if anyone has any suggestions on how to properly handle this setup.
08:59 < baconology> attention everyone: openvpn works!!!!!!!!!!!!
08:59 < baconology> thank you hyper_ch
08:59 < baconology> and novaflash
08:59 < baconology> and all you other wonderful patient people
08:59 <@novaflash> payment in bacon or beer please
08:59 <@novaflash> ;)
08:59 < baconology> i got a pic for you hold on
09:00 <@novaflash> pls don't let it be a dick pic
09:00 < baconology> https://puu.sh/xP17p/f2f20949ed.png
09:01 <@novaflash> http://i.imgur.com/Dr7Hk5h.jpg
09:01 <@novaflash> close enough?
09:27 -!- eb0t is now known as dddd
09:27 -!- eblip is now known as eb0t
09:27 -!- dddd is now known as eblip
09:57 < baconology> not enough bacon
09:57 < baconology> lol @ dick pics
09:57 < baconology> i didnt think you guys talked like that on freenode
09:58 <@novaflash> i'm an alien
10:04 < baconology> same
10:07 < nickwebha> I have a strange issue. When I run the command `sudo openvpn /etc/openvpn/thing.conf` it works. When I enable the service (damn you, systemd) I get "Control process exited, code=exited status=1" and "Failed to kill control group /user/1000.user/11.session/lxc/hostname/system.slice/system-openvpn.slice/openvpn@thing.service, ignoring: Invalid argume
10:07 < nickwebha> nt". This is running inside an LXC container on Xenial with the OpenVPN ppa and, thus, the latest version of OpenVPN (v2.4.4).
10:08 < nickwebha> This is a TAP device (I use it to play old IPX games with my friends who no longer live near me).
10:24 <@ecrist> nickwebha: there's something in the unit file that is passing additional arguments to openvpn it seems.
10:24 <@ecrist> You'd need to look there.
10:26 < nickwebha> Thank you. I will check into that.
10:31 < baconology> what's the fundamental differnce with TAP/TUN deviecs?
10:31 < baconology> er setup
10:32 < skyroveRR> @tap
10:32 < skyroveRR> @tun
10:32 < skyroveRR> !tun
10:32 < skyroveRR> o.o
10:32 < skyroveRR> !interface
10:32 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6), or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn', or (#4) For
10:32 <@vpnHelper> Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
10:32 < skyroveRR> !tunnel
10:33 < baconology> i know tun means tunnel
10:33 < skyroveRR> ...
10:33 < baconology> but in reading nickwebha's comment, it makes me wonder if i want TAP?
10:34 < nickwebha> TUN is almost always what you want.
10:34 < baconology> im trying to provide access to company network resources
10:34 < nickwebha> In short, TUN is Ethernet traffic. TAP is like a real adapter (can do IPX, for example).
10:34 < baconology> AH
10:34 < baconology> so why does TUN not work for your legacy games?
10:35 < baconology> it is all ethernet frames isnt it?
10:35 < nickwebha> There are other important differences but that is what most people need to know. Also that TAP is a bitch to get working right, if at all.
10:36 < nickwebha> IPX uses different framing. The concepts of packets and sliding windows and ACKs are all different, if existent at all.
10:36 < nickwebha> Also it is not routable.
10:36 < baconology> i see
10:36 < baconology> i interpreted IPx as "internet protocol * "
10:36 < baconology> like x as in wildcard
10:37 < nickwebha> Company resources like e-mail, network shares (CIFS, NFS, ect) and printers all only need a TUN adapter.
10:37 < nickwebha> Check out https://en.wikipedia.org/wiki/Internetwork_Packet_Exchange .
10:37 < baconology> great
10:37 <@vpnHelper> Title: Internetwork Packet Exchange - Wikipedia (at en.wikipedia.org)
10:37 < baconology> oh ipx is different
10:37 < baconology> i was thinking netBEUI or something
10:37 < baconology> netbooy
10:37 < nickwebha> Oh, man. I have not heard that name in a long time. :-P
10:38 < baconology> i love nerds
10:38  * baconology cheers nickwebha
10:39 < baconology> ahhhhhhhhh ipx/spx
10:40 < baconology> yes yes, like playing DOOM
10:40 < baconology> we were on novell networks as a kid
10:40 <@ecrist> !tunortap
10:40 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
10:40 <@vpnHelper> rooted/jailbroken) support only tun
10:40 < nickwebha> Tubby?1 Oh, yes. tubby.
10:40 < baconology> so if I'm using samba instead of windows shares..
10:40 < nickwebha> I am using it to play Atomic Bomberman. The new Switch version got me craving the old one.
10:41 <@ecrist> baconology: samba == windows shares, it's the protocol
10:41 < nickwebha> Samba is just the Linux implementation of the Windows shares (CIFS).
10:41 <@ecrist> and really, people are mostly expecting NETBIOS auto discovery
10:41 <@ecrist> CIFS and SMB work just fine without being on the same broadcast domain
10:41 < baconology> so i should go with TAP then
10:41 < baconology> based on vpnHelper output?
10:42 <@ecrist> baconology: almost nobody needs tap
10:42 < baconology> right ok sorry that bot resp[onse was confusing
10:42 <@ecrist> also note that the tap device is not supported on any mobile devices
10:42 < baconology> i thought the I fit use case #2
10:42 < nickwebha> Go TUN unless you have a specific reason to need TAP.
10:42 < baconology> just trying to work out if i have specific reason :p
10:42 < baconology> i'm a noob
10:42 <@ecrist> usually, if you're using tap, you don't know what you're doing
10:42 < baconology> i also want to do LDAP
10:43 < nickwebha> LDAP is TCP (UDP?) based. TUN is fine for that.
10:43 < baconology> well i have 3 employees who have no idea what they are doing
10:43 <@ecrist> tcp/udp doesn't matter
10:43 <@ecrist> baconology: s/3/4/  ftfy
10:44 < nickwebha> I have to run. Just got my replacement motherboard in for my backup server and I need to get it built so I can ship it off-site again.
10:44 < nickwebha> Thanks for the help, ecrist. If I can not figure it out I will be back... or in a systemd channel... I do not know... bye!
10:50 < alphor> !goal
10:50 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:41 < twk> so "cn" is supposed to come from the CN of the x509 certificate for my auth+TLS, and not the username correct?
11:42 < twk> i gave up on trying to get my openvpn to register my clients hostname to dns and went back to creating CERTS per host to connect.  Im using ldap auth, so i was really hoping to stay away from having to use multiple usernames to have CSO's for each host
12:38 < ikla> if my server crt expires, can I renew or extend it?
12:45 < ikla> I created a new cert and the client says it has expired
12:50 < eldowan> !goal
12:50 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:52 < eldowan> Can I setup openVPN to act as a full pertino / cradlepoint ECM replacement? I'm needing a mix of site-LAN remote-LAN remote-remote and remote(1 client multiple IPs for routing)-LAN
12:53 < eldowan> I'm pretty sure OpenVPN will do everything I need, with the exception of the one client to multiple IPs. I have many 3g/4g modems in the field with identical LAN side configurations, and will be needing IPs routed to specific LAN side IPs behind the modem. Currently the cradlepoint/ECM system does this well, and need that to work as well.
13:06 <@dazo> ikla: the process is to re-issue a new certificate based on the csr you used the previous time.  If you don't have that handy, it can be recreated using the openssl command line tool
13:39 -!- dionysus70 is now known as dionysus69
16:29 < ikla> dazo, I tried recreating it and restarted the server and the .crt says the date is valid but clients say VERIFY ERROR: depth=1, error=certificate has expired
16:39 <@dazo> ikla: hmmm .... depth=1, that indicates the CA certificate
16:40 <@dazo> ikla: so you need to re-issue a new CA certificate and deploy that to clients and server
17:24 <@ecrist> yup
17:31 < Kitty> quicky question, the openvpn control channel, is that in the same UDP stream as my data?
17:31 < Kitty> or is it a seperate connection?
17:37 < rob0> yes, all in one port
17:37 < Kitty> ok
17:39 <@dazo> Kitty: the very first byte in each OpenVPN packet carries some bits which we typically call an OPCODE.  That OPCODE declares if the rest of the data stream is a control or data channel packet
17:40 < Kitty> how frequent is control traffic sent ?
17:42 <@dazo> it depends on configurations ... if you use --keepalive, the ping packets (not ICMP) are sent over the control channel
17:42 < Kitty> ok
17:42 <@dazo> otherwise, anything related to authentication and session key exchange happens over the control channel
17:43 <@dazo> the data channel is symmetrically encrypted, based on a session key
17:44 < Kitty> but there isn't a simple x numbe rof data packets, then a control packet
17:44 <@dazo> nope
17:48 < Kitty> it's almost 1am, I'm going to call it a night. will post logs from the office tomorrow
17:48 < Kitty> if I stare at these tcpdumpds much longer I'll fall asleep
17:48 <@dazo> Kitty: https://gitlab.com/openvpn/openvpn/blob/master/src/openvpn/ssl.h#L55
17:48 <@vpnHelper> Title: src/openvpn/ssl.h · master · OpenVPN / openvpn · GitLab (at gitlab.com)
17:48 <@dazo> here's the various opcodes ... some of them aren't really in use though
17:49 < Kitty> are they encrypted ?
17:49 <@dazo> nope
17:49 < Kitty> excellent
17:49 <@dazo> it's the very first byte of each packet
17:49 < Kitty> ok
17:49 < Kitty> I shall investigate in the morning
17:50 < Kitty> thank you for your help.
17:50 <@dazo> but see line 52 and 53
17:51 <@dazo> (key-id is used to identify which session key is used; to allow seamless key rotation)
17:51 < Kitty> is this little endian or big endian ?
17:51 <@dazo> good question!
17:51 <@dazo> I honestly don't remember
17:52 <@dazo> (it's getting late here too :))
17:53 < Kitty> waht's your tz?
17:54 <@dazo> CEST
17:54 <@dazo> utc+2
17:55 < Kitty> same
17:55 < Kitty> Amsterdam
17:56 < Kitty> and on that note. To bed!
17:56 < Kitty> thanks everyone for your help
19:00 -!- abenz_ is now known as abenz
19:12 < ikla> dazo, :( I don't have access to them
23:04 -!- krzie [~k@openvpn/community/support/krzee] has quit [Ping timeout: 248 seconds]
23:14 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
23:14 -!- mode/#openvpn [+o krzee] by ChanServ
--- Day changed Wed Oct 04 2017
01:10 -!- nocaberi is now known as Bock
01:32 < oriceon> hyper_ch
01:33 < oriceon> i came back with some results of tests
01:33 < oriceon> i found what was wrong with iperf .. :)
01:33 < oriceon> the version of them ! on server i had v2 and on client v3 ..
01:33 < oriceon> now both are v2..
01:33 <@ordex> argh
01:33 < oriceon> and tests without vpn connection told me 0.0-10.0 sec   106 MBytes  88.9 Mbits/sec
01:33 < oriceon> and with connection
01:33 < oriceon> 0.0-10.0 sec   100 MBytes  84.1 Mbits/sec
01:34 <+hyper_ch> and is that with encryption or without encryption?
01:34 < oriceon> with cipher activated when i was connected
01:34 < oriceon> now, should i deactivate chiper and see without
01:34 <+hyper_ch> so problem is not your vpn tunnel but what happens after it leaves your vpn server
01:35 <+hyper_ch> no need to deactivate the cipher
01:35 < oriceon> ok
01:35 <+hyper_ch> if you have 88Mb with direct connection and 84Mb through vpn
01:35 < oriceon> yes
01:35 <+hyper_ch> those 4Mb are probably just overhead
01:35 < oriceon> and why speed test told me only 13 Mb ?
01:36 <+hyper_ch> that's what happens after it leaves the vpn server
01:36 < oriceon> and a real test download
01:36 < oriceon> is seems to have right ..
01:36 <+hyper_ch> forget speedtest
01:36 < oriceon> 1Mb /s
01:36 <+hyper_ch> the vpn tunnel is fine
01:36 <+hyper_ch> it's what happens afterwards that's the problem
01:36 < oriceon> ok and what about that afterwards
01:36 <+hyper_ch> no idea
01:36 <+hyper_ch> this is #openvpn
01:37 <+hyper_ch> there is no problem with speeds for your openvpn
01:37 < oriceon> just asked you guys maybe someone has some experience with that
01:37 < oriceon> and could find a solution for that anoying stuff
01:37 <+hyper_ch> the vpn is fine
01:37 <+hyper_ch> so nothing wrong here
01:37 < oriceon> yes and thank you for teaching me to test it
01:38 <+hyper_ch> another test you could do is have a second client in your lan and check the speed from your computer -> vpn server -> second client in lan
01:39 < oriceon> to put ipref on second client and route x port to that one?
01:39 < oriceon> and run it as a server
01:39 < oriceon> right?
01:45 <+hyper_ch> the reason is when the cpu on the vpn server hits the bottleneck, then the throughput will sink drastically.... so far from your client to openvpn server does not hit the bottleneck
01:45 <+hyper_ch> but not sure what happens if the openvpn server then has to send out the data again to another client
01:45 <+hyper_ch> maybe bottleneck is hit then
03:16 < gmshk> Hi all
03:17 < gmshk> I try to route some traffic from my ovpn server to a subnet that is hosted by a ovpn client.
03:17 < gmshk> But it doesn't seems to work.
03:17 < gmshk> If I ping a client side device from the ovpn server:
03:17 < gmshk> -I can see the ping going to TUN0 at serverside.
03:17 < gmshk> -I see nothing coming from TUN0 at clientside.
03:18 < gmshk> I disabled firewalling on both sides with iptables -F ; iptables -X ; iptables -t nat -F ; iptables -t nat -X ; iptables -t mangle -F ; iptables -t mangle -X ; iptables -P INPUT ACCEPT ; iptables -P FORWARD ACCEPT ; iptables -P OUTPUT ACCEPT
03:18 < gmshk> I enabled routing on both sides in /etc/sysctl.conf
03:18 < gmshk> I configured routing in ovpn conf files
03:18 < gmshk> You can find them here: https://zerobin.net/?0e85c524f89e6f5c#EQtIauqsKjOnAUFwbEwjJWhsvwfpDrmanuIqnkSiIZM=
03:18 <@vpnHelper> Title: ZeroBin (at zerobin.net)
03:18 < gmshk> Could you tell me what is wrong with this setup?
03:36 < gmshk> Hello?
04:16 < Pat2_> hello. i am coming here i don't know how to configure an openvpn server on windows ? i ve configured one, but how is it about multiple users for one file configuration on the server ?
04:17 < Pat2_> the file configuration is ok, it functions on one client
04:17 < Pat2_> but i tryied a second client and it fails
04:17 < Pat2_> (second client is on mac)
04:18 < Pat2_> (i user tunnelblick, all is ok for others servers, i know using it)
04:44 <@novaflash> Pat2_: wrong channel, #openvpn-as is for that
04:49 < abenz> !AS
04:49 <@vpnHelper> "AS" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
04:51 <@ordex> not sure Pat2_ is using A ?
04:51 <@ordex> AS*
05:05 < Pat2_> what is A or AS ?
05:09 <@ordex> it stands for Access Server. it is a commercial OpenVPN server product
05:26 < Pat2_> ok. how to know if the soft is AS ? if it is server, it is then AS ?
05:42 <@ordex> Pat2_: no, if it is AS you have probably bought it as it is commercial software
05:59 < careta> can anyone help me do some quick debugging?
06:00 < careta> on my openvpn server I can ping two addresses in two separate subnets, 192.168.70.0/24 and 192.168.111.0/24
06:00 < careta> I'm pushing the routes via openvpn to my openvpn client
06:00 < careta> from there I can ping 111 but not 70
06:00 < careta> I've got masquerade rules for both, and they share a common interface on the server
06:01 < careta> how can I debug this? tracerouting from the client shows routing to 111 is sucessful but to 70 it just dies after it hits the openvpn server
06:01 < careta> I can also route successfully to 192.168.68.0/24, which goes over another interface in the server, and this route is also pushed to the client via openvpn
06:13 <@dazo> careta: don't masquerade internally ... that's a tin can filled of problematic worms  (even though it smells nice at first) ... use tcpdump and listen to the various interfaces on the various VPN clients, VPN servers and destination servers .... and see where packets disappear
06:13 <@dazo> most likely it's either missing routes or firewalling
06:14 < careta> dazo, there are some hosts on those subnets for which i dont control routing
06:14 <@dazo> ugh
06:15 < careta> it's a network filled with black box devices for experiments
06:15 <@dazo> anyhow ... debugging is still the same
06:16 <@dazo> the masquerading can just complicate things in a longer run ... tcpdump should give clues in the meantime
06:19 < careta> dazo, but what kind of sniffing should I do? running tcpdump on the server just shows me that pinging from the server works, but from the client doesn't. I'm listening on the interface that's connected to those two subnets
06:21 < careta> aha found a clue
06:21 <@dazo> careta: run ping on the side where it doesn't work .... and work your way forward .... if ping on the client doesn't work, run ping there then listen for icmp packets on the tun interface on the client, if packets arrive there - go to the server side tun, does it appear there?
06:21 <@dazo> and so on
06:22 <@dazo> (doing the "binary search approach" can also make things quicker .... check first client side, then check "in the middle" of where it fails ... then go towards the half where it should have arrived but doesn't, always "dividing" the challenge in two
06:22 <@dazo> )
06:23 < careta> dazo, seems that when I ping from the server, it pings with the 70 and 111 networks with a 111 Ip and that works
06:23 < careta> but when I ping from the client, it pings from a 70 Ip and that fails
06:23 < careta> so there's something wrong with my setup
06:23 <@dazo> it's seldom problem with OpenVPN itself in these scenarios ;-)
06:24 <@dazo> it is always misconfiguration somewhere .... most commonly routing and firewalling
06:24 < gmshk> Hi all
06:24 < gmshk> I try to route some traffic from my ovpn server to a subnet that is hosted by a ovpn client.
06:24 < gmshk> But it doesn't seems to work.
06:24 < gmshk> If I ping a client side device from the ovpn server:
06:24 <@dazo> !clientlan
06:24 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
06:24 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
06:24 < gmshk> -I can see the ping going to TUN0 at serverside.
06:25 < gmshk> -I see nothing coming from TUN0 at clientside.
06:25 < gmshk> I disabled firewalling on both sides with iptables -F ; iptables -X ; iptables -t nat -F ; iptables -t nat -X ; iptables -t mangle -F ; iptables -t mangle -X ; iptables -P INPUT ACCEPT ; iptables -P FORWARD ACCEPT ; iptables -P OUTPUT ACCEPT
06:25 < gmshk> I enabled routing on both sides in /etc/sysctl.conf
06:25 < careta> dazo, I know, never implied it was openvpn itself! But I'm a noob at this, I'm not surprised my config is wrong
06:25 <@dazo> gmshk: see !clientlan
06:25 < gmshk> I configured routing in ovpn conf files
06:25 < gmshk> You can find them here: https://zerobin.net/?0e85c524f89e6f5c#EQtIauqsKjOnAUFwbEwjJWhsvwfpDrmanuIqnkSiIZM=
06:25 <@vpnHelper> Title: ZeroBin (at zerobin.net)
06:25 < gmshk> Could you tell me what is wrong with this setup?
06:25 <@dazo> gmshk: see !clientlan
06:25 <@dazo> !clientlan
06:25 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
06:25 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
06:26 < gmshk> !route_outside_openvpn
06:26 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
06:27 < gmshk> I think all of theabove is done properly
06:27 < gmshk> I may be wrong, but I checked 2 times
06:28 <@dazo> gmshk: and you use iroute?
06:28 < gmshk> In the ccd file
06:28 < gmshk> My config is there https://zerobin.net/?0e85c524f89e6f5c#EQtIauqsKjOnAUFwbEwjJWhsvwfpDrmanuIqnkSiIZM=
06:28 <@vpnHelper> Title: ZeroBin (at zerobin.net)
06:29 < gmshk> with the serrver, client en ccd files
06:29 <@dazo> server 1.1.1.0 255.255.255.224
06:29 <@dazo> *that* is a bad idea
06:29 <@dazo> 1.1.1.10/27 is a public IP range
06:29 < gmshk> Yes, but it's only for the lab purpose
06:30 < gmshk> at the moment. i'll change it later
06:31 <@dazo> Don't postpone this error.
06:31 < gmshk> I was using 169.254.254.0/24 at first time. But when I had the issue, I tried with something else since APIPA cannot be routed and that it could have been the issue I was facing
06:32 < gmshk> But the issue still there
06:32 <@dazo> !1918
06:32 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#3) See !5737 for addresses to use for examples and documentation, or (#4) See !conflict for common conflicting address spaces.
06:32 <@dazo> 169.254.254.0/24 is equally bad
06:33 <@dazo> and then start using tcpdump and see where the packets disappear
06:33 < gmshk> Anyway, it doesn't explain why a ping from the server goes to the tunnel and doesn't exit from the tunnel at client side
06:34 <@dazo> can probably start by looking at the VPN client .... first tun adapter, and if the ICMP echo request appears there, then look at the eth side
06:34 < gmshk> This was seen using tcpdump -i tun0 icmp
06:35 <@dazo> gmshk: increase to --verb 4 and provide server logs
06:35 <@dazo> gmshk: either route and/or iroute is wrong there
06:35 <@dazo> which IP do you ping from server lan?
06:35 <@dazo> (or server itself, for that matter)
06:39 < gmshk> https://zerobin.net/?8e4b20aedffe86b3#qS2eyr3kpVw3qklhmD15W2Wt//O9bGCGzaKMrMWZV54=
06:39 <@vpnHelper> Title: ZeroBin (at zerobin.net)
06:40 < gmshk> 11:36:01.233182 IP 1.1.1.1 > 172.16.32.8: ICMP echo request, id 688, seq 16, length 64
06:40 < gmshk> So 1.1.1.1, the ip of tun0
06:42 <@dazo> you have enabled IP forwarding?
06:42 <@dazo> sysctl net.ipv4.ip_forward
06:42 <@novaflash> and implemented it with either a reboot or something like..what was that command again.. sysctl -p ?
06:42 < gmshk> net.ipv4.ip_forward = 1 on both sides
06:43 < gmshk> sysctl -p, yes
06:43 <@dazo> that tcpdump line ... that's on the VPN server or VPN client?
06:44 < gmshk> Server side
06:44 <@dazo> and on the client side?
06:44 < gmshk> client doesnt see the icmp comming from tun0
06:44 <@dazo> so tun0 is silent?
06:44 <@dazo> on the client?
06:44 < gmshk> no, I remote to the client via the ovpn
06:45 < gmshk> so tun0 pass traffic
06:45 <@dazo> okay
06:45 < gmshk> but the traffic for 172.16.32.0/23 doesn't exit at client side
06:46 <@dazo> I am missing some "MULTI: Learn:" log lines on the server side which relates to  172.16.32.0/23
06:46 <@dazo> It smells like the server doesn't pick up the ccd file
06:46 < gmshk> mhh
06:46 <@ordex> does the server have an iroute for that subnet? (sorry for jumping in :P)
06:46 <@ordex> dazo: the status should report those?
06:46 <@dazo> ordex: it should :)
06:47 <@dazo> ordex: and yes, it should :)
06:47 <@ordex> :D
06:47 <@ordex> [tm]
06:47 <@dazo> :)
06:47 < gmshk> I can find this info in openvpn.status.log?
06:47 <@dazo> if --status-version is high enough
06:48 <@dazo> there should be ROUTING_TABLE entries for the iroutes, iirc
06:48 < gmshk> https://zerobin.net/?3cff2f303bc4ad4d#GbAUf2lsZjz25D/BN/nq661XLeAETOIwE5ldMZWk6VM=
06:48 <@vpnHelper> Title: ZeroBin (at zerobin.net)
06:48 <@dazo> at least with --status-version 2
06:49 <@ordex> why does zerobin require me to enabled javascript? :S
06:49 < gmshk> To uncrypt the data
06:50 <@ordex> oh it is encrypted
06:50 <@dazo> gmshk: that does smell like CCD file not being read .... try increasing the --verb higher on the server side and reconnect the client
06:50 <@ordex> nice
06:50 <@ordex> didn't know
06:50 < gmshk> I can use any other paste website if you want. Just give me an url
06:50 <@ordex> gmshk: no it's fine, sorry for the distraction
06:53 < gmshk> verb 6
06:53 < gmshk> https://zerobin.net/?0c0dfd4792d8ecff#RQBkTP8AMYTC9oKCqSeJ+Ova90ysosEeKf3Nr80Nhzs=
06:53 <@vpnHelper> Title: ZeroBin (at zerobin.net)
06:55 <@ordex> gmshk: I am just curious: what's the name of the ccd file ?
06:55 < gmshk> I just saw the error...
06:55 < gmshk> the filename yes
06:56 < gmshk> a single caracter is wrong...
06:56 < gmshk> let me try again
06:57 <@ordex> gmshk: where was the error? btw all the indications point towards what dazo was saying: ccd file not being read
06:57 <@ordex> so if the filename was wrong, that's likely the issue :_
06:57 <@ordex> :)
06:57 < gmshk> OMG
06:57 < gmshk> I'm so sorry to had bother you with something so stupid
06:57 < gmshk> Yes
06:58 <@ordex> pebkac?
06:58 <@ordex> :D
06:58 < gmshk> Layer 8
06:58 < zx2c4> ordex: heh, had to +q hiya in #wireguard. i hear he was +b'd here?
06:58 <@ordex> mh dunno
06:58 < gmshk> SO the error was I mistyped the ccd filename
06:58 <@dazo> zx2c4: he is banned here
06:58 <@ordex> apparentlyyes
06:58 <@ordex> apparently *yes
06:58 < gmshk> clinet0 insetad of client0
06:59 <@ordex> zx2c4: did I miss something? :D
06:59 < gmshk> Thanks for your help and support guys
06:59 < zx2c4> dazo: that makes sense
06:59 < zx2c4> so alright i shouldnt feel as bad about +q'ing him
06:59 <@dazo> zx2c4: hiya was behaving like an expert giving ill advised suggestions which in many cases was just plain wrong ... and not willing to accept he was wrong
06:59 < zx2c4> hah, okay. that corresponds with what i saw in #wireguard
07:00 <@dazo> zx2c4: not at all ... he tried starting his own vpn channel too ... I observed it for a little while and left .... didn't have time for that kind of "fun"
07:00 < zx2c4> yea...
07:01 < zx2c4> *shrug* oh well
07:01 < zx2c4> another day on the internet
07:05 <@ordex> syzzer: to extract a certificate in pem format from a mbedtls_x509_crt, must I fill a mbedtls_x509write_crt object ? can't I do that directly from the mbedtls_x509_crt? if you know
07:06 < gmshk> By all
07:06 < gmshk> *Bye
07:06 <@ordex> bye!
07:11 <@ordex> syzzer: apparently the answer is yes, unless I want to simply print the pubkey (for that there is another function that works directly on mbedtls_pk_context)
07:22 < Pat2_> ordex: ok. no i downloaded it on the openvpn.net website ...
07:22 <@ordex> Pat2_: yeah I think you are using the community edition
07:52 < Kitty> does anyone have a recommended paste bin to use for log files?
07:57 <+hyper_ch> I use mine
07:57 <+hyper_ch> pastebin.com is horrible
07:57 <+hyper_ch> lots of people like gist
07:58 < Kitty> stuck it on my personal webserver, tis simpler
07:59 < Kitty> http://photos.quixotic.eu/misc/openvpn/
07:59 <@vpnHelper> Title: Index of /misc/openvpn (at photos.quixotic.eu)
07:59 < Kitty> have removed IP's and names
07:59 < Kitty> but it has all the rest of the info and the redaction is consistent
07:59 < Kitty> so, this is server conf, client conf, and logs on both ends
07:59 < Kitty> can anyone suggest why it works for a minuted, dies for a minute, repeat ?
08:22 <@ordex> Kitty: can it be your provider is choking the connection?
08:28 < Kitty> ordex: no, this happens on multiple isp's
08:29 <@ordex> oky
08:33 < Kitty> including on on connection that is a 1GB fibre link
08:33 < Kitty> we have the same symptoms on windows and linux
08:56 < jKaideN> Hey guys, new to OpenVPN. Anyone know which version i should be looking at? 2.4.4 or 2.3.18  ?
08:56 < jKaideN> not sure if 2.4.4 is x64 or not
08:57 < rob0> huh?  Of course it is, why would a newer version drop 64-bit support?
08:59 < jKaideN> i dunno it looked sketchy when the older version has x64 / x86 in the name and the newer one didn't ¯\_(ツ)_/¯
08:59 < DArqueBishop> If anything, it'd mean that 32 bit support was dropped.
09:01 < rob0> what are you looking at, your distro's binary package of openvpn?
09:02 < rob0> This channel is for support of the upstream openvpn project, we can't tell you what your [unnamed] distributor has or has not done to it.
09:03 < rob0> but I think most x86_64 GNU/Linux distributions and *BSD variants probably provide openvpn among their packages.
09:04 < rob0> Kitty, one thing, it seems the time is not in synch on server & client. :)
09:04 < jKaideN> oh, i'm on Win 10 i recently got a VPN service which can be hooked up with OpenVPN.
09:04 < rob0> I doubt that's the problem, but time synch is a Good Thing.
09:04 < jKaideN> Wasn't too sure which version, anyway i got 2.4.4
09:06 < rob0> I suppose as DArqueBishop suggested, 32-bit support was dropped.
09:06 < rob0> <-- not a Windows user, can't help, won't look it up for you
09:07 < Kitty> ntp is now configured
09:08 < Kitty> seems to be in sink
09:08 < jKaideN> that's all good, thanks for the help anyway.
09:09 < rob0> Kitty, the client log is not using what you showed as client config
09:09 < rob0> it's TCP
09:09 < Kitty> scroll down, it's got a tcp then a udp
09:09 < rob0> ah, it's easier if you narrow it down to a single try
09:10 < Kitty> it's reconnecting every 2 minutes.
09:10 < Kitty> hence including the full span
09:10 < Kitty> Oct  3 22:55:45 Rock systemd[1]: Starting OpenVPN connection to julia-laptop...
09:10 < Kitty> tha'ts where the udp connection starts
09:11 < Kitty> note: tcp works fine, udp does the 1 minute thing, then minutes silence, then reconnects
09:13 < rob0> I'd guess there's a stupid firewall somewhere that doesn't like sustained UDP streams.
09:14 < Kitty> but it happens on multiple isp, and multiple systems
09:16 < DArqueBishop> Kitty: it doesn't help if the problem is at the server's ISP's end.
09:16 < rob0> from the laptop to the SAME server, right?
09:16 < rob0> ^^ what DArqueBishop said
09:17 < Kitty> hmm
09:17 < Kitty> why does it only effect some of our users ?
09:19 < rob0> hmm, that's strange indeed
09:21 < Kitty> I'm almost at the stage of cycling the 20k to one of the users who's not effected, to see what happens with my laptop there...
10:11 < jKaideN> Anyone know how to configure a network kill switch when OpenVPN suddenly goes down (Windows)
10:13 < rob0> Perhaps what you're wanting is to ensure that no traffic goes out other than via the VPN?
10:14 < rob0> If that's so, the typical approach would be to prevent by firewall any traffic other than the tunnel itself, via the default gateway.
10:14 < rob0> If using DNS for the --remote name, this might also mean allowing DNS.
10:15 < jKaideN> i'm using block-outside-dns
10:15 < jKaideN> and have disabled ipv6 as well, ps this for Windows OS
10:20 < ikla> error 10 at 1 depth lookup:certificate has expired
10:20 < ikla> anyway to get my clients back online without provding a new ca.crt?
10:36 < DArqueBishop> ikla: if the CA cert has expired, then no.
10:58 -!- dionysus70 is now known as dionysus69
15:29 < badloop> so from what i'm reading/seeing, its impossible to keep an openvpn access server session open for more than around 24 hours.  is this an imposed limitation or am i just not informed of what needs to be done to keep the session alive indefinitely?
15:30 < Eugene> !as
15:30 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
15:30 < Eugene> badloop ^
15:30 < badloop> ah ok thanks
18:27 < Hashirama> Hello, I am using TunnelBlick to connect to a VPN which we are using to hop to other nodes. However, I am unable to see hostnames when trying to ssh. I type in the prefix, press TAB but do not see any options and have to currently manually type out the entire hostnames. Is it not possible for me to get the hostnames? Previously I leverages SSH config but we have opted to remove those in favour of a VPN.
18:27 < Hashirama> Our OPS developer told me its possible and that he has it working, but I could not find the time to sync up w/ him.
21:07 -!- |Mike| [~mike@178.255.49.239] has quit [Ping timeout: 240 seconds]
21:09 -!- |Mike| [~mike@178.255.49.239] has joined #openvpn
21:38 < Eugene> !ping
21:38 <@vpnHelper> pong
--- Day changed Thu Oct 05 2017
03:06 < Pat2_> ordex: yep it is the community edition. in a linux server, i can edit multiple file configurations and there's no problems... but in the windows server, i don't know how to launch multiples files configurations... and when i use a second oVPN users to this Wserver it cut the connexion after 2 minutes...
03:07 <+hyper_ch> so, switched from mdadm raid1 -> luks/dm-crypt -> ext4   now to    encrypted root ZFS   and that freed like 40GB.... yey :)
03:12 < oswin> Hello, can someone tell me what means from the server side the error: Connection reset, restarting [-1]?
03:18 <@ordex> Pat2_: why do you need multiple openvpn daemons to be running?
03:18 <@ordex> you don't want to handle multiple clients with one instance only?
03:18 <@ordex> oswin: alone means nothing..more log is required
03:18 <@ordex> !logs
03:18 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
03:19 < oswin> Ok the think is that I have only server side logs, not the client... :-(
03:19 < Pat2_> ordex: cause i want multiple access for clients, they are 4 clients
03:20 <@ordex> oswin: it's already something..although both would be better
03:20 <@ordex> Pat2_: you can handle multiple clients with one OpenVPN instance  only. no need to spawn one per client
03:20 <@ordex> bbl
03:20 <+hyper_ch> and if you don't want clients to talk to each other, you can also do that
03:20 <+hyper_ch> (with just 1 intance)
03:22 < Pat2_> ok. it is what i did, but one client (on win) is ok, but the other on mac can connect, but after 2 minutes it disconnect... maybe it is something about the mac tunnelblick configuration and not openvpn ?
03:23 <+hyper_ch> Pat2_: never had a mac connect to my vpns :) but I tend to think its rather that mac's configuration or maybe your configuration in general
03:24 < oswin> https://paste.pound-python.org/show/tAHViLFjD7wZZ3EdyDZW/
03:24 < Pat2_> hyper_ch: i don't think it be the configuration in general, cause it is ok in a win client
03:24 < Pat2_> hyper_ch: or i miss something
03:24 < oswin> this are the logs server side
03:25 <+hyper_ch> Pat2_: no experience with macs/tunnelblick... so I can't say.... well, maybe enable server log and and client logs for the mac to more verbosity and see what's going on
03:26 <+hyper_ch> oswin: no idea
03:30 < oswin> ok, same for me... I will ask for the client logs to check what heppen from there. Anyway thanks
03:33 <+hyper_ch> oswin: set verbosity to 5 or maybe even higher if 5 doesn't yield results
07:05 <+hyper_ch> zx2c4: how secure is wireguard? there's still that disclaimer on the homepage :)
07:08 < havoc> still no krzee
07:09 <+hyper_ch> :(
07:09 <+hyper_ch> but the nick changed from krzie to krzee
07:14 < adac> Guys, when I stop openvpn client with "service openvpn stop" the tun interfaces are still there
07:14 < adac> and the connection is still htere but the service is stopped
07:14 < adac> any ideas?
07:17 <+hyper_ch> are you sure that command stops it?
07:17 <+hyper_ch> I thought everyting is systemctl nowadays
07:20 <+hyper_ch> havoc: you seem like you're a ZFS guru
07:21 < havoc> nope, never used it
07:21 <+hyper_ch> too bad
07:22 < havoc> only ever used ext<n> on disk
07:22 < havoc> on my personal stuff
07:22 < havoc> I'm sure other devices I've touch have had other FSen, but I don't know any specifics
07:22 <+hyper_ch> just migrating from ext4 to zfs now
07:22 <+hyper_ch> on my notebook
07:23 < adac> hyper_ch, not sure. I now did killall openvpn
07:23 < adac> that did the trick :D
07:23 < adac> now also the stop works again as expected
07:41 < zx2c4> hyper_ch: quite secure
07:41 < zx2c4> why do you ask?
07:41 < zx2c4> thinking of switching to it?
07:41 <+hyper_ch> can't
07:42 <+hyper_ch> well, just wondering becasue of your notice ;)
07:45 <+hyper_ch> zx2c4: someone mentioned that vpn throughput with wireguard is really good
07:49 < zx2c4> hyper_ch: it is quite good
07:49 < zx2c4> latency too
07:49 <+hyper_ch> but it's so complicted to setup... :)
07:50 < zx2c4> haha
07:50 < zx2c4> also easier than openvpn to setup
07:50 <+hyper_ch> nah, problem is can't use it with my hardphones
07:50 <+hyper_ch> openvpn is easy to setup
07:50 < zx2c4> hardphones have ovppn built in to them?
07:50 <+hyper_ch> snom 370 and yealink
07:50 <+hyper_ch> t48g
07:51 <+hyper_ch> you just need easyrsa, create certs and then I have a bunch of shell script that makes configs out of it... then just copy the configs where you need them ;)
07:51 <+hyper_ch> but right now I'm tinkering with ZFS
07:51 < zx2c4> i think most people who use wireguard find its even simpler than easyrsa
07:51 < zx2c4> but to each his own
07:52 < zx2c4> openvpn has its place of course
07:52 <+hyper_ch> easyrsa is simple
07:52 <+hyper_ch> just copy'n'paste the commands ;)
07:52 < zx2c4> haha
07:57 <+hyper_ch> but once I figured all that ZFS stuff out I migth give it a try
07:57 <+hyper_ch> could be nice for backups between home and office
07:58 <+hyper_ch> also noticed that wireguard is already in nixos though
08:00 <+hyper_ch> zx2c4: do you know zfs well?
08:01 <@ordex> hyper_ch: what is nixos?
08:02 <+hyper_ch> ordex: the distro I use... system is setup in a declarative way and has atomic upgrades... so if updates fail, you just boot up in an earlier generation
08:02 <+hyper_ch> but that declarative way and atomic upgrades lead to other things that are a bit unusual
08:02 <@ordex> based on linux ?
08:02 <+hyper_ch> it is linux
08:02 <@ordex> ok
08:04 <+hyper_ch> ordex: that's how I setup my system  https://github.com/sjau/nixos/blob/master/configuration.nix
08:04 <@vpnHelper> Title: nixos/configuration.nix at master · sjau/nixos · GitHub (at github.com)
08:05 <+hyper_ch> (also needs this though:  https://github.com/sjau/nixos/blob/master/hardware-configuration.nix  )
08:05 <@vpnHelper> Title: nixos/hardware-configuration.nix at master · sjau/nixos · GitHub (at github.com)
08:06 <+hyper_ch> ordex: so all programs you "install" end up in /nix/store/[hash]/......
08:06 <+hyper_ch> from there, depending it will by symlinked to /run/current-system/   etc
08:06 <+hyper_ch> which is then in your PATH
08:07 <+hyper_ch> https://paste.simplylinux.ch/view/raw/6f522fce
08:07 <+hyper_ch> that allows you have to even multiple versions of a package/software installed
08:07 <+hyper_ch> (still basic user though)
08:08 <@ordex> but what problem is it solving that other distros would not?
08:08 <+hyper_ch> atomic updates
08:08 <@ordex> it sounds a bit "different" and "complex" so i guess there is a gain
08:08 <+hyper_ch> easy to rebuild/port
08:08 <@ordex> mh meaning exactly?
08:08 <+hyper_ch> boot a live usb stick
08:08 <@ordex> (the atomic upgrades_
08:08 <+hyper_ch> partitoon and mount your hardware as you want
08:09 <+hyper_ch> generated default configurations (mostly needed for your hardware configuration file)
08:09 <+hyper_ch> copy back your configuration nix
08:09 <+hyper_ch> let it build :)
08:09 <+hyper_ch> some people are even too lazy to manually partition:    https://github.com/cleverca22/nix-tests/blob/master/kexec/justdoit.nix
08:09 <@vpnHelper> Title: nix-tests/justdoit.nix at master · cleverca22/nix-tests · GitHub (at github.com)
08:11 <@ordex> I see
08:11  * ordex loves gentoo
08:11 <@ordex> :D
08:11 <@ordex> what do you mean with atomic updates?
08:11 <+hyper_ch> then you should love nixos :)
08:11 <+hyper_ch> I alter my configuration
08:11 <@ordex> also in gentoo you update in a sandbox and only when it is all ok it gets copied over to root
08:11 <+hyper_ch> or new versions have been put to the channel
08:11 <+hyper_ch> so I rebuild the system
08:12 <+hyper_ch> every build is seperate
08:12 <+hyper_ch> so once the building succeeds
08:12 <@ordex> the entire system ?
08:12 <+hyper_ch> (only the things that changed)
08:12 <+hyper_ch> I can reboot and chose if I want to boot into latest version or any previous builds that I made
08:13 <+hyper_ch> ordex: https://nixos.org/~eelco/pubs/atomic-hotswup2008-submitted.pdf  :)
08:13 <@ordex> but isn't /run/current-system/ fixed? or you have one per "image" to boot?
08:14 <+hyper_ch> it's not an image
08:14 <@ordex> it's a configuration file, no?
08:14 <+hyper_ch> it loads the stuff into /run/current-system/ from the "generation" you boot into
08:14 <@ordex> ah
08:14 <@ordex> at every boot?
08:14 <+hyper_ch> yes
08:14 <@ordex> is it fast at booting?
08:14 <+hyper_ch> if a packages has changed
08:14 <+hyper_ch> it gets put into /nixos/store/[hash]
08:15 <+hyper_ch> and some magic keeps track which builds requires which of those store entries
08:15 <+hyper_ch> and then upon booting symlinks them to /run/current-system/  (or something like that)
08:16 <+hyper_ch> no idea... it takes me longer to put in my (old luks/dm-crypt / new encrypted zfs) password than to boot up
08:18 <+hyper_ch> also, nixos makes it quite simple to create your own modified usb boot stick :)
08:19 <@ordex> I see :)
08:19 <@ordex> cool
08:19 <+hyper_ch> https://nixos.wiki/wiki/Creating_a_NixOS_live_CD
08:19 <@vpnHelper> Title: Creating a NixOS live CD - NixOS Wiki (at nixos.wiki)
08:19 <@ordex> but not sure i'd need all of this on my laptop
08:19 <@ordex> gentoo is my loved one :P
08:20 <+hyper_ch> love comes; love goes   ;)
08:21 <+hyper_ch> you could test it in a vm
08:21 <+hyper_ch> gentoo people love to test new things ;)
08:40 <+hyper_ch> hmmmm, what could be the cause that I get Input/output error when trying to do a md5sum on a 50GB file?
08:41 <@ordex> disk failure? :P
08:42 <+hyper_ch> rsync doesn't complain... I just can't md5sum it
09:01 < rob0> maybe /tmp is full?  Not sure if md5sum would write to /tmp, but check it anyway :)
09:04 < eworm> Or you have a 32bit Implementation that can't handle large files?
09:04 < eworm> You could try 'openssl md5'
09:08 <@ordex> or you need to get a beer first ?
09:08 < rob0> beer++
09:08 <@ordex> ;)
09:11 <+hyper_ch> also, cat, pv and dd end in input/output errors
09:13 <+hyper_ch> this doesn't look good:  https://paste.simplylinux.ch/view/raw/cb543445
11:00 < Frod> hello all good mornin
11:00 < Frod> morning
11:01 < Frod> is there a openvpn manager web ui to i can monitor who is conected to the server ?
12:49 < Tony-Caffe> !welcome
12:49 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
12:49 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
12:50 < Tony-Caffe> !goal install openvpn 2.3.18 via EPEL
12:53 < Tony-Caffe> !howto
12:53 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
12:55 < Tony-Caffe> Hi...does anyone here know why OpenVPN Community Edition 2.3.15 - 2.3.18 are not in EPEL Repo for CentOS 6? It appears it stopped with 2.3.14 (Which I am currently running) and now only gives the option of 2.4.3.
12:56 < Tony-Caffe> I posted in Forums asking the same thing: https://forums.openvpn.net/viewtopic.php?f=5&t=24979
12:56 <@vpnHelper> Title: OpenVPN 2.3.18 for EPEL - CentOS 6 - OpenVPN Support Forum (at forums.openvpn.net)
14:20 < dijital1> Is there tuning required with 2.4 to get the same performance of 2.3?
14:22 <+hyper_ch> you don't get same performance?
14:23 < dijital1> it's worse. like much worse
14:23 < dijital1> I mean more for internet access. On 2.3, I was consistently getting 350 - 400Mb/s over the tunnel. Now it's like 80
14:23 <+hyper_ch> you sure?
14:23 < dijital1> positive
14:23 <+hyper_ch> how did you measure?
14:26 < dijital1_> yep
14:27 < dijital1_> sorry. was testing a different parameter. same issue
14:27 <+hyper_ch> did you do iperf between client and server with and without vpn?
14:35 <+hyper_ch> dazo: ecrist: krzee: ordex:  https://twitter.com/felix_schwarz/status/915851372217683970
14:45 < dijital1> hyper_ch: yes. Just did some more testing. Not sure if there are parameters that I can tune to get the performance back to where it used to be
14:45 <+hyper_ch> can you share the iperf results?
14:48 < dijital1> I'll have to install it hyper_ch. I've been using a browser based speed test. speedtest.att.com. With the VPN down, I get 930Mb/s.  Before upgrading to 2.4 on the same server I was getting 350 - 400. Now I'm seeing 70 - 80
15:41 < Tony-Caffe> Hi...connection timed out...anyone know why OpenVPN 2.3.15 to 2.3.18 was not released to EPEL for CentOS 6? Seems odd a branch with continued support and releases was removed from EPEL all together. Now you can only install 2.4.3.
15:41 < Tony-Caffe> I started a post in the forums to try to figure this out: https://forums.openvpn.net/viewtopic.php?f=5&t=24979
15:41 <@vpnHelper> Title: OpenVPN 2.3.18 for EPEL - CentOS 6 - OpenVPN Support Forum (at forums.openvpn.net)
15:42 < Tony-Caffe> Any help would be greatly appreciated. I would like to stay with 2.3.x branch. Company is hesitant to let me migrate to 2.4.3.
15:42 <@dazo> Tony-Caffe: because 2.4 is in EPEL-6
15:42 < BtbN> Shouldn't you rather ask your distribution about this, and not openvpn, since they are not involved with what CentOS puts into its repos
15:42  * dazo is the Fedora/EPEL package maintainer
15:43 < Tony-Caffe> Does dazo have a channel or a better place to ask this?
15:43 < Tony-Caffe> Sorry this is all new to me about missing packages in a 3rd party repo
15:44 <@dazo> Tony-Caffe: nah, this is fine for me ....
15:44 <@dazo> Tony-Caffe: what is the issue of upgrading from 2.3 to 2.4?
15:44 < Tony-Caffe> Getting higher ups to approve a change and more time in moving to another release version
15:45 < Tony-Caffe> Kind of explains why we are still on CentOS 6 instead of 7 lol
15:45 <@dazo> I don't follow that .... as EPEL isn't CentOS
15:45 <@dazo> that's comparing apples and oranges
15:46 <@dazo> EPEL is Fedora packages built for RHEL/CentOS ... not necessarily providing the same life cycle
15:46 < Tony-Caffe> I just mean our company doesnt like to jump to newer versions of OS or software and its hard to get them to approve this change but with security releases its a must. We currently have OpenVPN 2.3.14 installed
15:47 <@dazo> but sure, if you're willing to step in and maintain an openvpn23 package in EPEL ... I'll sure support that, but I don't have time to do that, so I move forward as 2.4 is basically compatible with 2.3 (but with some massive enhacnements on the security side)
15:47 < Tony-Caffe> So your saying there is little risk in version upgrading?
15:48 < Tony-Caffe> How compatible would you say 2.4.3 is with 2.3.14?
15:48 <@dazo> there are a few quirks you should beware of ... like CRLs are now parsed primarily by the SSL libraries, which are far more conservative than the built OpenVPN parser ever was
15:49 <@dazo> so with 2.4, the CRLs must be issued by the same CA which is in --ca .... and the expiry dates do matter now
15:49 <@dazo> btw ... openvpn-2.4.4-1.el[67] is on the way out too
15:49 <@dazo> Tony-Caffe: this provides a fairly good overview of things you should beware of ... https://github.com/OpenVPN/openvpn/blob/v2.4.4/Changes.rst
15:49 <@vpnHelper> Title: openvpn/Changes.rst at v2.4.4 · OpenVPN/openvpn · GitHub (at github.com)
15:51 < Tony-Caffe> I heard the improvements to 2.4.4 are much needed...would it be advised to wait?
15:51 <@dazo> another quirk which is also considered an improvement .... --proto udp/tcp is now properly implementing dual stack handling ... so it will first try IPv6 addresses and then IPv4  (based on what the resolver in your OS prioritises) .... in v2.3, udp/tcp was strictly IPv4 and udp6/tcp6 was something in between
15:52 <@dazo> Tony-Caffe: unless you still deploy the option which was deprecated 12 years ago (--key-method 1) ... then no need to stress
15:53 < Tony-Caffe> So a /etc/openvpn/ backup and then a yum update would be the way to upgrade since they should be compatible and I dont use key-method?
15:54 <@dazo> you won't even need to backup /etc/openvpn .... the package does not modify that directory at all (it just owns it)
15:54 < Tony-Caffe> interesting
15:54 <@dazo> rpm -ql openvpn
15:54 < Tony-Caffe> Do you mind looking at my server.conf and letting me know if you notice anything out of the blue?
15:55 <@dazo> sure, no guarantees though ... but I sure can look at it
15:55 < Tony-Caffe> I understand
15:55 < Tony-Caffe> server.conf
15:55 < Tony-Caffe> cat /etc/openvpn/server.conf 	port 1194 	proto udp 	dev tun 	ca ca.crt             cert server.crt             key server.key 	dh dh2048.pem 	#  Custom Range 	server 10.10.108.0 255.255.255.0 	ifconfig-pool-persist ipp.txt             #***Add local IP Address range used here - eth1***             push "route 10.108.139.0 255.255.255.0" 	client-to-client 	keepalive 10 120             tls-auth ta.key 0             cipher aes-256-c
15:55 <@dazo> !pastebin
15:55 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site, or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups, or (#3) If you're pasting config files, see !configs for grep syntax to remove comments, or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#5) <bibble> termbin is good.
15:55 <@vpnHelper> just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
15:56 < Tony-Caffe> ok
15:57 < Tony-Caffe> https://gist.github.com/tony-caffe/1998b720a24a43e254444b352343bfdc
15:57 <@vpnHelper> Title: server.conf output · GitHub (at gist.github.com)
15:58 < Tony-Caffe> Sorry for the verbose output...IRC is new to me too
15:58 <@dazo>  inactive 1800  ... this is a very odd option to have in a server config
15:59 < Tony-Caffe> Would that be a client option?
15:59 <@dazo> yeah
16:00 < Tony-Caffe> good to know! Trying to learn OpenVPN and use best practices and security recommendations
16:00 <@dazo> 	verb 9  .... that is also way to high for a production environment ... max --verb 4, most commonly --verb 3 is good enough
16:00 < Tony-Caffe> ok
16:00 < Tony-Caffe> I heard v2.4 uses new compression
16:01 <@dazo> ifconfig-pool-persist ipp.txt ... you are aware that this does not guarantee fixed client addresses; it is only a best-efforts solution
16:01 < Tony-Caffe> I was not
16:01 <@dazo> yeah, --comp-lzo is deprecated in favour of --compress ... which can enable lz4 which is faster and somewhat better compression .... *but* there are security considerations in regards to using compression too
16:03 <@dazo> to have a guaranteed VPN IP address ... you need to use --client-config-dir $SOME_DIR .... and inside that $SOME_DIR directory have a file matching client's CN ... there you can use --ifconfig-push with the fixed IP address
16:03 <@dazo> (or you can script it, and provide a similar experience using --client-connect)
16:04 < Tony-Caffe> So I would have to change that setting of comp-lzo to compress, remove ifconfig setting (since its probably not worth doing), lower verb to 3 and remove inactive 1800 from server.conf
16:04 <@dazo> other than this .... this looks fairly straight forward ... unless your certs are screwed up with too ancient cert parameters (like MD5 based signatures), I think you'll be just fine
16:05 < Tony-Caffe> I recently remade this OpenVPN and all its certs a few months ago.
16:05 <@dazo> just beware if your VPN servers hostname resolves to both IPv4 *and* IPv6 addresses ... that may be a challenge on the client side unless you allow OpenVPN to be used via IPv6 on the server side too (in your setup, that would most likely be a firewall update)
16:06 <@dazo> Tony-Caffe: this is my usual rant ... I hope you didn't save the CA private key on your VPN server ....
16:06 < Tony-Caffe> For the CRL, currently its using the easy-rsa setup and I issue CRL with ./revoke-full
16:07 <@dazo> you haven't configured CRL in your server config ... so currently that won't be read
16:07 < Tony-Caffe> I dont want IPv6, how would I remove this from the get go?
16:07 < Tony-Caffe> Really? Oh man...how do I add CRL to server.conf to be read then?
16:07 <@dazo> easiest thing to do ... don't have your VPN servers hostname resolve to an IPv6 address
16:08 <@dazo> That's the --crl option
16:08 < Tony-Caffe> I dont use a hostname just an IPv4 address
16:08 <@dazo> ahh, then you won't have any issues at all
16:08 <@dazo> (in regards to IPv4 vs IPv6)
16:09 < Tony-Caffe> So once I make this CA Private key, I should store it on a different server? We dont really have a Key Store or anything
16:09 <@dazo> So I recommend you to read through the Changes.rst ... and pay especially close attention to the "Deprecated features" and "User-visible changes" sections
16:09 < Tony-Caffe> ok
16:09 < xtuh> Hi, need some help with openvpn@pfsense ... i want to connect 3 locations (all pfsense ), where 1 is the server, 2 and 3 is clients. now i have working 2 locations with key auth, IPv4 Tunnel Network 10.0.0.0/29  IPv4 Remote network(s) 10.1.1.0/24. Should i use 1 key for all 3 sides? what is the right netmask for tunnel network?
16:12 <@dazo> Tony-Caffe: CA private key ... keep the easy-rsa data/CA directory stored on an offline medium, only to be activated when you need to issue new certificates ... that's a fairly safe solution
16:13 < Tony-Caffe> Good idea
16:13 < Tony-Caffe> Thank you
16:13 <@dazo> and "offline" can be understood quite broadly ... can even be an encrypted disk-image on a server, which needs to be activate before it can be mounted ... but keep it on a server which is not directly connected to the Internet
16:14 < Tony-Caffe> I will look into a best practice for our use case since we use 100% Hosting of linux cloud servers
16:15 < Tony-Caffe> So to source the --crl option in server.conf, I just do 'crl /path/to/file' ?
16:15 <@dazo> fair enough .... there's many solutions to this challenge, all with different security levels
16:16 <@dazo> --crl /path/to/file
16:16 <@dazo> Tony-Caffe: you could consider to look into using --chroot .... if so, then the CRL file must be accessible inside the chroot
16:17 < Tony-Caffe> ok
16:17 <@dazo> IIRC, I recently added /var/lib/openvpn as a directory owned by the openvpn package .... so this directory can be used for such things
16:17 < Tony-Caffe> For my setup, I dont need the '--' for compress in the server.conf though right?
16:17 <@dazo> !--
16:17 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
16:18 < AABatteries> !goal
16:18 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:18 < AABatteries> !ovpnuke
16:18 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
16:18 < Tony-Caffe> This bot is helpful lol
16:18 <@dazo> I generally use --some-option ... to emphasize that it is an option
16:18 < AABatteries> !heartbleed
16:18 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl, or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised., or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected., or (#4)
16:18 < Tony-Caffe> Since its omitted its fine to leave...thanks
16:18 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed, or (#5) http://xkcd.com/1354/
16:19 <@dazo> !redirect
16:19 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
16:19 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
16:19 <@dazo> AABatteries: ^^^
16:19 < AABatteries> Oh sorry guys, first timer here
16:20 <@dazo> no worries :)
16:20 <@dazo> your question is so common, we have !redirect to help us answer with less typing ;-)
16:20 < Tony-Caffe> Dazo...does the crl file get generated automatically?
16:20 < Kitty> so to update you all on the vpn issues I had
16:21 < Kitty> discovered a spare test laptop at work was connecting the same openvpn account info
16:21 < Kitty> and that was causing my laptop to get disconnected every minute
16:21 < Kitty> unplug the old laptop
16:21 <@dazo> Tony-Caffe: nope, you need to generate it whenever needed ... have a look at the openssl.cnf file which is used by openssl via easy-rsa ... you can set the lifetime of the crl there
16:21 < Kitty> everything works
16:21 <@dazo> Kitty: smells like --duplicate-cn
16:21 < Kitty> now I have to debug the issue I have with my colleagues voip calls being crap over the vpn...
16:21 < Kitty> dazo: yep.
16:22 <@dazo> Kitty: to be more clear, add that option to your server config ;-)
16:22 < Kitty> easier to shoot the test laptop
16:24 < Tony-Caffe> Dazo thanks for your help. I will spin up a new server and test the upgrade process to 2.4.
16:24 < AABatteries> I do have a question though. I've been enjoying OpenVPN for a month now, and it's been a pleasure. However I'm trying to access my LAN from a remote connection, and while it usually worked fine, I'm currently connected to a router with the same 192.168.1.1 address so I cannot access my other (on VPN LAN) router... I probably should have configured my gateways beforehand. Can I fix this working remotely? I can ssh into the OpenVPN
16:24 < AABatteries> machine
16:25 <@dazo> cool and good luck, Tony-Caffe!
16:26 <@dazo> AABatteries: you need to renumber one of the LANs to not conflict
16:26 < Tony-Caffe> Oh to make config clearer for 2.4, 'prot udp' should be 'proto udp4' to just use IPv4 correct?
16:26 <@dazo> AABatteries: there is a hack in openvpn which can be used, though ... --client-nat ... see the man page for details
16:26 <@dazo> !man
16:26 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
16:26 <@dazo> Tony-Caffe: correct
16:28 < Tony-Caffe> Looking over the changes file...I have 'cipher aes-256-cbc' in server.conf, Should I just use 'tls-cipher' in place of it?
16:29 <@dazo> nope, --cipher and --tls-cipher are two different options covering different aspects of the tunnel
16:29 <@dazo> I'd recommend you to leave --tls-cipher untouched, the defaults nowadays (in 2.4 at least) are fairly sane and good
16:30 < Tony-Caffe> Should I leave defaults for '--cipher' as well or keep it to what I have in config to work along with the defaults of --tls-cipher ?
16:31 <@dazo> Hmmm ... actually, that should be set.  The default (which we can't currently easily switch without breaking existing setups) is Blowfish/BF-CBC ... which is insecure these days
16:31 < AABatteries> dazo, thanks, I'm gonna go read about how to renumber one of the LANs - what term should I google? "renumbering lan" doesnt return much
16:31 <@dazo> Tony-Caffe: I'd recommend you to use --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
16:31 < Tony-Caffe> So setting --cipher aes-256-cbc is a good security setting?
16:31 < Tony-Caffe> ok
16:32 <@dazo> Tony-Caffe: in v2.4 ... --cipher can be negotiated if both sides is running v2.4; it will then upgrade to AES-256-GCM by default
16:32 < Tony-Caffe> so what is ncp then?
16:32 <@dazo> Tony-Caffe: but as you have a deployment with AES-256-CBC .... the --ncp-ciphers will actually allow v2.3 clients (and older) to use any of the ciphers enlisted in --ncp-ciphers
16:33 < Tony-Caffe> Its negotiated list
16:33 < Tony-Caffe> Oh nice
16:33 < Tony-Caffe> So backwards compatible
16:33 <@dazo> NCP = Negotiable Crypto Parameters
16:33 <@dazo> yeah, exactly
16:34 <@dazo> in Fedora 27 I've added this by default, including BF-CBC ... to allow a seamless upgrade for older clients to better ciphers on a one-by-one approach ... once all clients have upgraded, they can just add a new --ncp-ciphers without BF-CBC and they're done
16:36 < Tony-Caffe> Nice
16:37 < Tony-Caffe> Dazo how do these changes look to the server.conf to be higher security with best practices of 2.4? https://gist.githubusercontent.com/tony-caffe/1998b720a24a43e254444b352343bfdc/raw/7e5fbea09d228372ece2d68e2f5792f8753b4adc/server.conf
16:38 < Tony-Caffe> I left changes of old commented to remember the change made from what we talked about
16:38 <@dazo> Tony-Caffe: you need to remove the --tls-cipher line
16:38 < Tony-Caffe> Its enabled by default?
16:39 <@dazo> --tls-cipher expects a list of ciphers .... if you don't provide it, it uses a default list
16:39 < Tony-Caffe> gotcha
16:39 <@dazo> --tls-cipher is implicit when using --tls-server/--tls-client
16:39 < Tony-Caffe> ok cool
16:39 <@dazo> btw ... you don't need to add --tls-server when you use --server .... --server is kinda like a macro, doing more things in one go
16:39 < Tony-Caffe> Any options you think are worth adding for security?
16:40 <@dazo> nah, it begins to look like my own configs .... so can't say that :)  You could consider --chroot
16:40 < Tony-Caffe> I will research that
16:41 < Tony-Caffe> So my setting 'server 10.10.108.0 255.255.255.0' is set and thats why I dont need 'tls-server' set too?
16:41 <@dazo> The --chroot dir needs a tmp dir which needs to be writeable for the openvpn user.  And the same with the --crl file ... and that's basically it ...
16:41 <@dazo> correct
16:41 < Tony-Caffe> Can they use /tmp/ ?
16:41 <@dazo> see the man page for the --server option, and you'll see the "macro" explained
16:41 < Tony-Caffe> Or does it need to be secured?
16:42 <@dazo> the chroot?
16:42 < Tony-Caffe> yes
16:43 <@dazo> not sure what you mean by secured ... the nobody/nogroup uid/gid needs to have access to the chroot directory (+x) ... and rwx to the the tmp dir inside it ... and rr- on the CRL file
16:43 <@dazo> oh, you could consider to allocate a separate nologin user for openvpn, instead of using nobody:nogroup
16:43 < Tony-Caffe> Sorry I meant can the temp directory be /tmp/ itself?
16:44 <@dazo> Tony-Caffe: if you use --chroot, the chroot directory must have a tmp dir too
16:45 <@dazo> as then openvpn process won't have access to anything outside the chroot (unless it manages to break out from it - which means if it happens it is a security flaw in openvpn)
16:45 < Tony-Caffe> hmmm....ok I will read up on it
16:45 < Tony-Caffe> Do you think 'explicit-exit-notify 1' is a good option for prod to have?
16:46 <@dazo> that's a client option as well, and it is only relevant for UDP
16:46 <@dazo> but there it makes a lot of sense
16:46 < Tony-Caffe> I have udp so I should add to server and client
16:46 <@dazo> TCP is stateful while UDP is stateless .... so when the client disconnects TCP will implicitly tell the client it closes the connection while --explicit-exit-notify simulates that behaviour for UDP
16:47 <@dazo> only client
16:47 < scj643> Though VPN over TCP is a bad idea™
16:47 <@dazo> yes, TCP is a bad idea
16:47 <@dazo> but sometimes it might be no other way around it than using just that
16:48 < Tony-Caffe> ok and since the default for that setting is already set to 1 should I just leave the option as 'explicit-exit-notify' instead of 'explicit-exit-notify 1' in both server and client conf
16:48 < scj643> TCP over TCP the horrors
16:48 < Tony-Caffe> Yes I agree no tcp
16:48 < dijital1> Have you guys played with the UDP Fast I/O setting when running openvpn on fbsd?
16:48 < scj643> I manage a PFSense firewall and man OpenVPN on that is easy as hell
16:48 <@dazo> dijital1: nope ... the BSD users here are somewhat scarce compared to Linux users
16:48 < scj643> Doesn't PFSense use BSD?
16:49 < dijital1> yes
16:49 < scj643> I like how PFSense abstracts all the config stuff
16:50 <@dazo> almost sounds like "I like how Windows abstracts the command line through GUI tools"
16:50 < dijital1> not even the same thing :-)
16:50 <@dazo> not directly :)
16:51 < scj643> Yeah but PFSense is fully POSIX compliant
16:52 < scj643> I wish my college wasn't a pita to the computer science club
16:52 < scj643> We have to have our own internet connection
16:52 < scj643> I wanted to have OpenVPN exposed on the college lan so we can VPN in and get past a lot of latency
16:52 < scj643> L
16:54 < Tony-Caffe> So when using Tunnel Options, they have to be placed in both server and client conf files? Then the Server options are only in server conf and client options in client conf?
16:57 <@dazo> Tony-Caffe: "Tunnel Options"?
16:57 <@dazo> you mean the sections in the man page?
16:58 < Tony-Caffe> yes
16:58 <@dazo> yeah, that sounds correct
16:58 < scj643> Windows server SMB doesn't like me over OpenVPN
16:58 < scj643> The host machine is the one with the SMB share
16:59 < scj643> I can access other stuff over the VPN
17:00 < Tony-Caffe> Dazo...can you look over my Client Conf that I have to go along with server conf and let me know if I am doing that correctly? https://gist.githubusercontent.com/tony-caffe/1998b720a24a43e254444b352343bfdc/raw/3272a5560f3a3d0c9c611b62418ac1681dbeb127/server.conf
17:01 < Tony-Caffe> Since I changed cipher and added ncp-cipher to server conf...should I also make the same setting change to client conf?
17:03 <@dazo> Tony-Caffe: the clients can use --cipher AES-256-CBC (then you don't need to worry about the version of the client)
17:04 <@dazo> AES-256-GCM is only supported in v2.4 ... and the same with --ncp-ciphers
17:04 <@dazo> Tony-Caffe: --ns-cert-type is replaced with --remote-cert-tls
17:04 < Tony-Caffe> So to make this config ready for 2.4 I would make it match --cipher AES-256-GCM
17:05 <@dazo> No, you can just leave it with AES-256-CBC ... and when server and client realises they both support GCM, they will upgrade on their own
17:05 < Tony-Caffe> Or should I just leave it on the client to default and have the server negotiate
17:06 < scj643> . .
17:06 <@dazo> verb 3 script-security 2 system  .... these are two lines, cannot be put on a single line
17:06 <@dazo> and --script-secrity 2 system is deprecated .... 'system' can be removed
17:06 < Tony-Caffe> Cool!
17:07 <@dazo> (the 'system' support was even removed in v2.3 ... but v2.4 will complain loudly about its usage)
17:07 < Tony-Caffe> Ok...most of this client config was there when I took over and was on 2.2
17:07 <@dazo> otherwise, client config looks nice
17:07 < Tony-Caffe> I have been trying to learn OpenVPN well enough to not reuse anything anymore
17:08 <@dazo> !book
17:08 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
17:09 <@dazo> Tony-Caffe: I can recommend those books .... Eric Crist is ecrist on this channel .... I've done the tech review on #1 and JJK is another guru, mostly active on the mailing lists
17:10 < Tony-Caffe> Which is the most up to date? Perhaps 2.4 examples?
17:11 <@dazo> they should all be fairly up-to-date ... "Mastering OpenVPN" might be a good one for learning OpenVPN ... the Cookbook consists of concrete and functional examples
17:11 <@dazo> ecrist: you need to get Packt retiring the "OpenVPN: Building and Integrating VPN" book ... I mean, that's based on OpenVPN 2.0 .....
17:11 <@dazo> They offer a bundle "Troubleshoot" plus that old relic of an ovpn book
17:12 < Tony-Caffe> Wow tough choice to start with then
17:13 <@dazo> Tony-Caffe: the cookbook have recently come in a second edition .... it should cover v2.4 aspects too
17:14 < Tony-Caffe> I will have work order those!
17:14 <@dazo> makes sense :)
17:15 < Tony-Caffe> So many things to learn when your the only non dev in the company and have to learn systems, dbs, networks, vpns etc lol
17:16 < Tony-Caffe> So looking in man page on remote-cert-tls client, would that be put in the server conf then? I added remote-cert-tls server into my client conf
17:16 <@dazo> correct
17:17 < Tony-Caffe> That will help server not be taken by mitm atack
17:17 < Tony-Caffe> attack*
17:18 <@dazo> you can also consider adding --verify-x509-name ... and --verify-hash too to further tighten things ... the --verify-x509-name is more typically a client side detail
17:18 < Tony-Caffe> ok
17:18 < Tony-Caffe> Dazo you help develop OpenVPN correct
17:18 <@dazo> I'm one of the core developers
17:19 < Tony-Caffe> I have always wondered why OpenVPN was not a mutlithreaded application
17:19 <@dazo> even working for OpenVPN, Inc ;-)
17:19 <@dazo> heh
17:19 < Tony-Caffe> Not sure if it would help since I dont know the underlying tech liek you
17:19 < Tony-Caffe> like*
17:19 <@dazo> remember that OpenVPN stems back to early 2000 ... where SMP systems where few and insanely expensive
17:20 <@dazo> so it was developed as a single-threaded app ... as that is where most users would deploy it
17:20 <@dazo> plus, having more threads than CPU cores actually hits badly on the performance too
17:20 < Tony-Caffe> So if I have a multi core server, all extra cpus will help with decryption essentially then right
17:21 <@dazo> not in OpenVPN 2 .... we've looked at multi-threading .... but it requires a massive overhaul, which most likely will not happen
17:21 < Tony-Caffe> I was hoping version 2 would have an option to enable more cores lol
17:21 < Tony-Caffe> make sense
17:22 <@dazo> and that's because there's lots of work on a brand new implementation (being 2.x compatible) ... named OpenVPN 3
17:22 < Tony-Caffe> oh ok
17:22 <@dazo> That's written from scratch in C++ ... and multi-threading is part of it
17:22 < Tony-Caffe> Wow thats exciting
17:23 < Tony-Caffe> So whats the biggest client base you have seen OpenVPN support where single thread didnt get in the way or performance?
17:23 <@dazo> I'm actually developing a brand new new Linux client .... as OpenVPN 3 is designed like a software library instead of a native application .... so all the OpenVPN Connect products is using the OpenVPN 3 library already
17:24 < Tony-Caffe> Interesting...wonder if Tunnelblick will implement that too
17:24 <@dazo> 6-8 years ago ... it was commonly experienced that 150 active clients on a single OpenVPN process began to be quite noticable
17:25 <@dazo> There are works on the pipe providing OpenVPN Connect to macOS too .... but the Connect series won't be fully open source .... the OpenVPN 3 Core library is GPLv3 and will stay open, as well as the Linux client
17:25 < Tony-Caffe> cool
17:25 <@dazo> but the Linux client will be quite different from openvpn 2 ... making use of D-Bus, to easier allow unprivileged users to start and manage tunnels
17:25 < Tony-Caffe> So community users wont get those features?
17:26 <@dazo> The Linux client will be fully open source too ... but not the Connect product range
17:26 <@dazo> Connect is essentially just a specific GUI on top of the core
17:26 < Tony-Caffe> oh ok
17:27 <@dazo> so that isn't as crucial as the core library is
17:27 < Tony-Caffe> oh good
17:29 <@dazo> Once we have the clients out ... then we'll start poking at an OpenVPN 3 based server ... but that's much longer into the future
17:29 < Tony-Caffe> That is good to hear.
17:30 <@dazo> but beware ... there won't be any openvpn 3 based stuff for CentOS 6 ... you'll need 7 or newer (whenever that arrives) :)
17:30 <@dazo> (compilers are generally too old)
17:30 < Tony-Caffe> I know...
17:30 < Tony-Caffe> Love CentOS over Ubuntu but hate that there are no rolling releases lol
17:31 <@dazo> anyhow .... openvpn 2.x will still live and prosper along side for quite some time ... so you won't be kept in a limbo :)
17:31 < Tony-Caffe> :)
17:31 < Tony-Caffe> Ok so config for both server and client should be good now: https://gist.githubusercontent.com/tony-caffe/1998b720a24a43e254444b352343bfdc/raw/ce4da483e010fc153079523eaa9a6aae50281817/server.conf
17:32 < Tony-Caffe> Thanks for all your help! I will get my head into those books so I dont have to take time away from you all here lol
17:32 <@dazo> :)
17:33 <@dazo> yeah, looks good ... in theory at least :)
17:35 < Tony-Caffe> Oh can I make a suggestion for your Changelog file? https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst Where is says the release version, like 4.4.4, can you include the date here as well so I dont have to jump over to the other changelog file to see dates: https://github.com/OpenVPN/openvpn/blob/release/2.4/ChangeLog
17:35 <@vpnHelper> Title: openvpn/Changes.rst at release/2.4 · OpenVPN/openvpn · GitHub (at github.com)
17:36 < Tony-Caffe> Changes.rst has a nice and easier to read layout than Changelog :)
17:45 <@dazo> Tony-Caffe: Changes.rst is release oriented .... so the one you pointed at here is covering 2.4.0 up to 2.4.4
17:45 <@dazo> and it is a summary of important changes
17:45 <@dazo> ChangeLog is just a dump of the commit history
17:46 <@dazo> So the "first half" of Changes.rst covers all important changes ... and then there are version specific changes coming later on
17:46 <@dazo> but we are discussing how to make things even better in Changes.rst
17:49 < Tony-Caffe> It was just an idea...I like how Ansible handles their changelog. The change probably only affects me but thanks for replying
17:50 <@dazo> Nice tip!  I'll check out the ansible changelog and see if we can get inspired :)
17:50 < Tony-Caffe> https://github.com/ansible/ansible/blob/devel/CHANGELOG.md
17:50 <@vpnHelper> Title: ansible/CHANGELOG.md at devel · ansible/ansible · GitHub (at github.com)
17:51 < Tony-Caffe> Funny how Changelog is so different for every company. I have to say PhpMyAdmin is one of the worst hehe
17:51 <@dazo> heh ... well, we're on a good way getting Changes.rst into a similar format to their ChangeLog :)
17:51 < Tony-Caffe> I agree
17:52 <@dazo> In the future, Changes.rst will be the "changelog" most users will want to look at.  ChangeLog are more for those needing the gory details
17:53 <@dazo> and we need to hit a sweet-spot between having something which doesn't require too much maintenance while being understandable for non-developers
17:53 < Tony-Caffe> Ya I only look there to get the date of the change and pretend I understand all the gory details lol
17:53 <@dazo> :)
17:54 < Tony-Caffe> Your GH log is better than the openvpn site log
17:54 <@dazo> probably, yeah
17:55 <@dazo> We started the Changes.rst file quite late in the v2.4 dev cycle ... so we're still trying to find a way how to use that bettter
17:56 < Tony-Caffe> Well its a good start for sure. I like when we understand when a change is a bug fix and a security fix with its CVE. Yours has that
17:56 <@dazo> The "trouble" with Changes.rst is that we need to edit and write it manually ... ChangeLog (including the openvpn.net changes page) are automatically generated via git
17:57 <@dazo> "git shortlog v2.4.3..v2.4.4" ... copy-paste that into the ChangeLog file and we're done :)
17:57 < Tony-Caffe> To make it pretty for non-developers I can see it requiring more work that could be spent elsewhere
17:58 <@dazo> yeah
17:58 <@dazo> so we need to find an approach which scales well and doesn't need too much extra work
17:58 < Tony-Caffe> Not sure how big you all are compared to Red Hat (Ansible) so the extra dude to just update Changelog as a sole job is overkill lol
17:59 < |Mike|> moin
18:00 <@dazo> Tony-Caffe: as an ex-Red Hatter ... OpenVPN, Inc is like a mosquito compared to an elephant :)
18:00 < Tony-Caffe> hahaha
18:00 <@dazo> Red Hat is something like 10.000 employees world wide .... OpenVPN, Inc is something like 20
18:01 <@dazo> but ... we both depend heavily on help from a community
18:01 <@dazo> most of the openvpn 2.x development nowadays happens by the community
18:03 < Tony-Caffe> oh wow
18:03 < Tony-Caffe> Wish I was a dev that can help more...my open source scripts are in Bash and not good enough to actively promote :(
18:04 <@dazo> we can use lots of more help than just development
18:04 <@dazo> support, forums, documentation (including reviewing/editorial work), design ... etc, etc
18:04 < |Mike|> Like I'm doing on LinkedIn :-)
18:04 < Tony-Caffe> So if I have this setting in server.conf 'crl-verify /etc/openvpn/crl.pem' and I update the pem with ./revoke-full, do I have to restart OpenVPN to read that list or will it refresh every so often?
18:05 <@dazo> Tony-Caffe: as of v2.4, OpenVPN will automatically pick up the changes
18:05 <@dazo> without restart
18:05 < Tony-Caffe> Where can I sign up? Not sure what I can do but it would be nice to contribute
18:05 < Tony-Caffe> Oh cool!
18:05 <@dazo> Tony-Caffe: a good starting point is to start hanging out here on IRC ... and then sign up for an account for our Trac/Forums (same user account)
18:06 <@dazo> with the Trac/Forums account ... you can start editing our wikis
18:07 <@dazo> and then if you have ideas ... chime in here on IRC, mailing lists  or forums .... and we'll get an understanding why your idea is great and we'll figure out how to really make it happen
18:07 < Tony-Caffe> ok
18:08 <@dazo> many users here on IRC lurks around for a while, then once feeling confident they have the right answer, they start helping people here
18:09 <@dazo> and I remember back in the old days, when we were amazed this channel reached 50 users .... now we're over 300 :)
18:09 < Tony-Caffe> lol
18:09 < Tony-Caffe> ok
18:10 <@dazo> the most important rule in this channel ... is to be clear when you don't know something; saying "that I don't know" gains respect here.
18:11 <@dazo> otherwise, let your self loose :)
18:11 < Tony-Caffe> :)
18:11 < Tony-Caffe> https://www.amazon.com/Mastering-OpenVPN-Eric-F-Crist/dp/1783553138/ref=mt_paperback?_encoding=UTF8&me=
18:12 < Tony-Caffe> Does this book have enough Linux application of OpenVPN Server?
18:12 < Tony-Caffe> or https://www.amazon.com/gp/product/1786463121/ref=ox_sc_act_title_1?smid=ATVPDKIKX0DER&psc=1
18:12 <@dazo> ecrist can probably answer that much better than me
18:12 < Tony-Caffe> I dont want something Windows Focused
18:12 <@dazo> but I think they're not too much platform specific
18:13 < Tony-Caffe> I have a hard time finding books with Linux focus
18:13 <@dazo> :)
18:13 <@dazo> ecrist is a hard core BSD buy :)
18:13 < Tony-Caffe> Even MySQL books I find talk about Windows lol and how to admin there...like WTF
18:14 <@dazo> that tells something about how much Windows admins likes to be hand-held, right?
18:14 < Tony-Caffe> ya but its also something Linux Community suffers, is lack of introductory help for ones not trained in the field
18:14 <@dazo> The Cookbook is definitely fairly platform neutral, but have a slight focus on Linux on the server side ... with some Windows examples and explainations
18:15 < Tony-Caffe> I am self taught from reading books and just messing with things in Linux and use to be a Win Admin...6 years later and still feel you havent learned anything lol ;-)
18:16 < Tony-Caffe> The Mastering one the reviews said its a Windows Focused...seems more of a book I need than the CookBook 2nd Edition
18:16 <@dazo> Just skimmed through the TOC on the Mastering book ... it seems to be mostly OpenVPN focused :)
18:17 <@dazo> it goes more into the depths of the various aspects of OpenVPN .... while the Cookbook gives you a bunch of examples which should work out-of-the-box
18:17 <@dazo> and explaining those examples fairly well
18:18 < Tony-Caffe> So I could learn more probably from the Cookbook and examples than reading thru the other one
18:18 <@dazo> yeah, with the Mastering you need to have some understanding of VPNs and what OpenVPN can do
18:22 <@dazo> (even though, it do have some introductory chapters too)
18:22 < Tony-Caffe> I will buy both since Work is buying and it helps support you all in some way but I guess I will try to read the Mastering one first. Thanks
18:22 <@dazo> yw!
18:23 -!- vectr0n_ is now known as vectr0n
21:11 -!- albech1 is now known as albech
21:11 < enrh> Not possible to use verify-x509-name with subject alternate names
21:12 < enrh> ?
21:18 -!- dakar- is now known as dakar
21:30 < fa0> Hello
21:33 < fa0> I'm trying to use openresolv with openvpn, 'update-resolv.conf', not sure this is the right channel, but it's openvpn related. On an older box I had wicd running, then I stopped it from running at startup and installed the NetworkManager and when running openvpn form the CLI resolvconf updated resolv.conf with the VPN DNS, on a new box I tried this on, I only installed the NetworkManger and it's not working, the NetworkManager shows has generating
21:33 < fa0> resolv.conf and I can't seem to get resolvconf to change it...
21:44 <@ordex> hyper_ch: LOL
23:43 <+hyper_ch> ordex: that's very considerate from Apple for users that tend to forget their password, right?
23:46 <@ordex> well
23:46 <@ordex> that's all what people are looking for :D
23:46 <@ordex> a meaningful hint!
23:46 <@ordex> hyper_ch: you always get up this early?
23:47 <+hyper_ch> it's 06:30
23:47 <@ordex> yeah
23:47 <+hyper_ch> that's normal
23:47 <@ordex> middle of the night for me :D
23:47 <@ordex> hehe
23:48 <+hyper_ch> hwo so?
23:51 <+hyper_ch> ordex: if you do business you ahve to be up at business hours
23:52 <@ordex> yeah I guess it also depends on the habits of the place. not sure at 6:30 am there is business everywhere :P
23:52 <+hyper_ch> get up
23:52 <+hyper_ch> you need to get coffe, take a shower, eat breakfast, get to work
23:53 <+hyper_ch> so you're at work at 08:00
23:53 <@ordex> oh I see
23:53 <@ordex> so normally you start at 8?
23:53 <+hyper_ch> like everyone else
23:53 <@ordex> well, everyone else in your area
23:54 <@ordex> that is what I was trying to  say
23:54 <@ordex> :P
23:54 <+hyper_ch> as I said, like everyone else :)
23:54 <@ordex> hehe
23:55 <@ordex> it's fun to observe all the different habits in different places :) and every person, obviously, consider normal his own behaviour
23:55 <@ordex> which is when you understand that there is no such thing as normal
23:55 <@ordex> hehe
23:55 <@ordex> :)
23:55 <+hyper_ch> since I'm the center of all the multiverses, my behaviour is the one from which everything else derives ;)
23:56 <@ordex> ah right, I just forgot that
23:56 <@ordex> :D
23:56 <+hyper_ch> there was actually that cool video about maths
23:56 <+hyper_ch> and how not so clear that seems to be
--- Day changed Fri Oct 06 2017
00:01 <+hyper_ch> damn, can't find it anymore
02:05 < elricsfate> Hey guys
02:05 < elricsfate> Any sort of tool to vonfig kde for OpenVPN
02:05 < elricsfate> NM doesn't seem to be working
03:52 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 264 seconds]
03:53 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
03:53 -!- mode/#openvpn [+o syzzer] by ChanServ
04:18 < elricsfate> Alright
04:18 < elricsfate> So I managed to get connected with the CLI
04:19 < elricsfate> CANNOT get NM to work
04:48 < fs0ciety> vim ~/.Xresources
04:48 < fs0ciety> woopsy
05:00 <@ordex> elricsfate: I use the nm-applet here with the nm-openvpn plugin and it works
05:00 <@ordex> I imported my .conf file and it was fine
06:06 -!- allizom1 is now known as allizom
06:38 -!- allizom1 is now known as allizom
06:50 -!- eb0t is now known as def_jam
06:50 -!- eblip is now known as eb0t
07:11 <@dazo> elricsfate: you need networkmanager-openvpn and networkmanager-openvpn-gnome (or kde, if that's what you use)
07:20 < |Mike|> krzee: <3
07:20 <@ordex> is he here ?
07:20 < |Mike|> Nope
07:20 <@dazo> not since Irma :/
07:20 <@ordex> ah ok
07:20 <@ordex> yeah
07:20 <@ordex> :/
07:20 <@dazo> getting really concerned
07:21 <@ordex> well, he might have moved somewhere and he's busy dealing with more important issues
07:21 < |Mike|> Same here, he's either way r.i.p or hiding for the NSA :-/
07:21 <@dazo> yeah
07:21 <@ordex> dazo: do you know his real name ?
07:21 <@dazo> nope
07:21 < |Mike|> nobody does.
07:22 <@dazo> krzee is an inspiration to stay hidden on the net
07:22 < |Mike|> no fb, no ig, no twitter, no ...
07:22 <@ordex> good
07:22 <@dazo> he even avoids e-mail ....
07:24 <@ordex> he never contributed to any git?
07:24 <@dazo> he usually passes his stuff via other people :p
07:25 <@dazo> "contribution by proxy" ;-)
07:25 < |Mike|> haha
07:25 <@ordex> hehe
07:25 <@ordex> I see
07:29 <@ecrist> what did I do?
07:30 < |Mike|> ecrist: you wrote a book.
07:30 <@dazo> hid krzee?
07:32 < havoc> 1426 ovpn clients connected, yay
07:32 < havoc> ~350 to go :(
07:33 < havoc> ...this month
07:33 < |Mike|> to 1 ovpn server havoc ?
07:33 < |Mike|> No failover? ;-)
07:33 < havoc> yes, and "not yet"
07:33 < |Mike|> I forsee faillurrrreee
07:34 < havoc> actually, this is the DR site, Prod site hasn't been setup yet
07:34 < |Mike|> oic!
07:34 < havoc> still waiting on some build-out, and gear, at the production site
07:35 < havoc> the only thing I'll have to rsync between sites are the client keys and ccd dirs
07:35 < havoc> otherwise they're on diff subnets
07:36 < havoc> a diff /20 for clients for each site
07:36 < havoc> just using dns to handle the "failover" by changing the CNAME
07:38 < havoc> a shitload of bash/dos/vbs/ps1/perl
07:39 < havoc> but mostly bash and dos, trying to keep it simple for whomever may take it over eventually
07:40 < havoc> perl and ps1 are for when I need more complex data structures, and the vbs is to interface w/ some of our legacy crap :(
07:41 < havoc> also use perl when speed is required
07:41 <@ecrist> heh
07:41 < havoc> even with keeping as much as possible in-process in bash, perl is still much faster
07:42 < havoc> that's the difference between direct sys calls, and calling something that calls something that makes sys calls
07:42 <@ecrist> dazo: the reviews talk about Windows being a focus, but I don't think it was.  We posed examples from FreeBSD, Linux, and Windows.  In particular, we posted Windows firewalling examples, because I/we felt it was under-represented.
07:43 < havoc> also, iftop -F is very nice
07:43 <@ecrist> The chapter about installing/building even has an example on how to build openvpn with embedTSL on RPi.
07:44 < havoc> e.g. "iftop -F 172.28.0.0/20" shows me all traffic to/from the vpn clients, which are on 17 TUNs, all under 172.28.0.0/20
07:45 < wallbroken_> hi
07:45 < wallbroken_> can you well me how diffie helman could be useful in openvpn?
07:49 < |Mike|> referring to ECDH wallbroken_ ?
07:49 < wallbroken_> dh.pen
07:49 < wallbroken_> *dh.pem
07:52 < |Mike|> OpenVPN uses a TLS handshake for each new client, and the DH parameters are used by the server (and sent to the client) during that handshake..
08:07 < BtbN> DH is the go-to algorithm for forward secrecy
08:11 < |Mike|> don't we all love random questions? ;)
08:36 < masin> hello! what is the best practice to route between two VPNs served by the same server?
08:42 < scj643> masin: what os?
08:42 < masin> linux, debian
08:43 < masin> debian 8, to be precise
08:43 < scj643> Look up routing
08:43 < masin> OpenVPN routing or IP routing?
08:43 < scj643> It would most likely be done on the machine using whatever the OS uses
08:45 < masin> Just to be sure I understand correctly: OpenVPN serving a VPN does not know about the other VPN it is serving? Thus I need to route outside of OpenVPN?
08:48 < scj643> Just bridge the subnets I would think
09:08 <@ecrist> correct
09:08 <@ecrist> masin: the two processes don't route for eachother, that would hit the kernel.
09:09 <@ecrist> Unless you have a single openvpn server, then it can do the routing with route statements and iroute for networks behind clients
09:09 <@ecrist> !iroute
09:09 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
09:17 -!- ptx0_ is now known as ptx0
09:50 < masin> ecrist, scj643: thank you. somehow it is working
10:45 < thnee> Sorry if this is OT, but: When searching for "how to force all traffic through vpn" the common suggestion seems to be to remove the default gw and add a new one. What I don't understand is how can the VPN still function if doing so?
10:46 <@ordex> thnee: because there is a step in between which is: add a route towards the VPN server passing through your original GW
10:46 <@ordex> !redirect
10:46 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
10:46 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
10:46 <@ordex> check the manpage for --redirect-gateway
10:46 <@ordex> it does it for you and describes the entire procedure
10:46 < thnee> thank you very much =)
10:47 <@ordex> np
10:48 < havoc> server load is nominal, with ~1,450 ovpn clients connected
10:48 < havoc> 8 vCores, 8GB RAM
10:49 < havoc> ~1mbps baseline traffic to/from ovpn clients, which is mostly AD/LDAP
10:49 < thnee> !def1
10:49 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
10:50 < thnee> !ipforward
10:50 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
12:24 < Frod> has any one heard or read about softether
12:24 < Frod> that seems to have openvpn compatibility ?
12:28 <@ordex> wikipedia says that the server can also speak openvpn
12:28 <@ordex> but i don't know more
12:29 < skyroveRR> Heya ordex
12:30 <@ordex> heya
13:52 < twodh> Does CVE-2017-12166 affect OpenVPN server, client, or both?
13:53 < invisiblek> "Note that 'key-method 1' has been replaced by 'key method 2' as the default
13:53 < invisiblek> in OpenVPN 2.0 (released on 2005-04-17), and explicitly deprecated in 2.4
13:53 < invisiblek> and marked for removal in 2.5. This should limit the amount of users
13:53 < invisiblek> impacted by this issue."
13:53 < invisiblek> fwiw
13:57 < twodh> Thanks, invisiblek. I did find that in researching, but unfortunately, it didn't clear things up for me
13:59 < invisiblek> well, you're probably not affected unless you explicitly have key-method 1 enabled
14:04 < twodh> We're using RouterOS (MikroTik), and I don't see a place in the server config for that
14:05 < twodh> Before I reach out to their support, I want to see whether the vulnerability affects the server at all
14:06 < invisiblek> i'd just point them at the CVE and tell them to look in to it
14:14 < twodh> Yeah, I'll just do that. Thanks
14:19 <@dazo> twodh: --key-method 1 would need to be provided on both server and client side .... otherwise they would not derive the right key, and things would stop working
14:19 <@dazo> twodh: if you don't see --key-method in any configs (client or server), then you are not affected at all
14:21 < twodh> Thank you dazo.
16:54 < wallbroken_> |Mike|, are you here?
17:24 < wallbroken_> why easyrsa on windows does not find openssl?
17:41 < Bothrops> hello
17:41 < Bothrops> anyone in here?
17:44 < Bothrops> I keep getting Inactivity timeout
17:44 < Bothrops> !welcome
17:44 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
17:44 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
17:48 < Bothrops> !howto
17:48 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
17:56 < Protected> Good evening. I've been trying to improve how fast I can send data out from my computer (openvpn client) to my server (openvpn server). Is there anyone around who could spare some time to help me with this procedure? I tried messing around with tcp windows and mtus as recommended by various instructions I found online but nothing seems to result in any significant improvement, so far
17:57 < Protected> Although I can make it worse, if I make big enough changes in either direction
17:57 < Protected> Currently I can use 25mbps out of my 100mbps over openvpn
17:57 < |Mike|> wallbroken_: not always ;)
17:59 < |Mike|> Protected: we need more info, see topic
17:59 < |Mike|> configs ^^
17:59 < |Mike|> Bothrops: keepalive
17:59 < |Mike|> !keepalive
17:59 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected., or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode, or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive, or (#4) Also beware of --auth-nocache for automated reconnects
17:59 < |Mike|> Bothrops: ^^
18:00 < Protected> Sure, |Mike|
18:00 < Protected> What do you think would be the best method to try first?
18:01 < |Mike|> are you using a wired connection/wifi?
18:01 < Protected> Everything is wired
18:01 < Protected> All the hardware is 1gbps
18:01 < Protected> The server is 1gbps
18:01 < Protected> I'm about 45ms away from the server
18:01 < |Mike|> and what kind of key strenght are you using? 4096bits?
18:01 < Protected> Correct
18:02 < |Mike|> https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
18:02 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
18:02 < baconology> lets say i want to use the windows vpn client, will that work easily with openvpn?
18:02 < Bothrops> Thanks @Mike I have keepalive 10 60
18:02 < wallbroken_> |Mike|, i have a pair of private key and public key for each client, do i need DH.pem the same?
18:03 < |Mike|> baconology: yep
18:03 < |Mike|> !dh
18:03 <@vpnHelper> "dh" is (#1) build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN, or (#2) openssl gendh [numbits]
18:03 < wallbroken_> but what do i need to negotiate?
18:03 < wallbroken_> i already have certificates
18:04 < |Mike|> Bothrops: before you came here or now?
18:04 < wallbroken_> maybe it's not clear what dh does
18:04 < |Mike|> tls
18:04 < |Mike|> !tls
18:04 < Protected> |Mike|, I already went through that one, but it doesn't help. I only have 100mbps out from here, so the numbers don't match, and following that method exhaustively doesn't really yield any changes
18:06 < Protected> I can't exceed 25mbps, so when I read about a difference between 150mbps and 500mbps I'm not sure it's the same problem
18:07 < |Mike|> what kind of speed are you getting via http or some non-encrypted channel?
18:08 < Protected> Outside the vpn?
18:08 < |Mike|> y
18:08 < Protected> Nearly 100mbps
18:08 < Bothrops> @Mike before i came here
18:09 < Protected> If I grab a file over a direct ssh connection filezilla will report >10MB/s, if not capped
18:09 < |Mike|> Bothrops: and your clients reconnect/disconnect every hour?
18:10 < Bothrops> every 5 minutes
18:11 < Bothrops> should i use the topology subnet option?
18:13 < |Mike|> Bothrops: what numbers are you using?
18:14 < |Mike|> keepalive 10 120 <== smt like that?
18:14 < Bothrops> keepalive 10 60
18:14 < |Mike|> Protected: could you post your server config? edit the ip/whatever you feel that isn't needed
18:14 < |Mike|> !config
18:14 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
18:14 < |Mike|> !configs
18:14 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
18:15 < |Mike|> wallbroken_: TLS => handshake and that's what dh.pem is for
18:17 < |Mike|> https://security.stackexchange.com/questions/72287/in-openvpn-is-the-dh1024-pem-file-dependent-on-the-ca
18:17 <@vpnHelper> Title: diffie hellman - In OpenVPN, is the dh1024.pem file dependent on the CA? - Information Security Stack Exchange (at security.stackexchange.com)
18:21 < |Mike|> it's 01:14 atm; been working for 11 hours straight and I'm not having a tech job like 99% of the idlers here ;-)
18:25 < Bothrops> @Mike in the howto doesnt mention persist-key and persist-tun is this necesary?
18:27 < |Mike|> configs please
18:29 < Protected> Sorry |Mike|, I certainly can, give me a few minutes
18:33 < wallbroken_> |Mike|
18:33 < wallbroken_> i installed easyRSA 3
18:33 < wallbroken_> on windows
18:34 < wallbroken_> but Easy-RSA error:
18:34 < wallbroken_> Missing or invalid OpenSSL
18:34 < wallbroken_> Expected to find openssl command at: openssl
18:36 < Protected> https://pastebin.com/emf7NZUW
18:38 < |Mike|> wallbroken_: why are you installing easyrsa on the client? :)
18:39 < Protected> Client config: https://pastebin.com/f3ZbA6cy
18:39 < Protected> That is, server-side client config
18:39 < |Mike|> which cipher are you using? ;)
18:40 < Protected> Client-side config: https://pastebin.com/dw4VwZ6B
18:40 < Protected> Blowfish, I assume
18:43 < |Mike|> have you tried a different cipher? Ain; cipher AES-128-CBC?
18:43 < |Mike|> asin*
18:50 < Protected> Actually, no, I haven't
18:50 < Protected> According to the webpage you linked I should have been able to get up to 500 on blowfish, so I didn't try
18:50 < Protected> I mean, assuming my connection was that fast, which of course it isn't
18:51 < Protected> This may disconnect me
18:53 -!- CheckYourSix_ is now known as CheckYourSix
18:54 < Protected> |Mike|: That seems to have worked? Let me run a few more tests
18:55 < wallbroken_> |Mike|, it's not the client
18:57 < |Mike|> wallbroken_: then install openssl on the windows machine. The question arrises; why windows all in a sudden?
18:58 < |Mike|> (assuming that you were using linux )
18:59 < wallbroken_> |Mike|, i use also liux
18:59 < wallbroken_> *linux
18:59 < wallbroken_> but the server/client is defined by ovpn config file
19:04 < Protected> |Mike|: The speed on iperf swings up and down a lot but I can reliably get >60mbps now. Still not perfect, but much better. Any other ideas? Do you think there was a hardware chokepoint causing the slowness with blowfish?
19:04 < Protected> Best tcp window seems to be 2m
19:11 < wallbroken_> openssl is not distribuited with openvpn package?
19:32 < wallbroken_> nobody?
20:53 < wallbroken_> penssl is not distribuited with openvpn package?
20:53 < fa0> Hello
20:54 < fa0> is it ok to talk about resolvconf? Because I can't get it to update my resolv.conf when using the update-resolv-conf with openvpn
20:54 < fa0> I've had this working just fine in the past on other boxes, but the one I'm on, for some reason I can't get it working like before...
21:46 < Grobo> I thought in the past, when I used build-key that it created the name from the parameter on the command line. For some reason, when I used it this time, the name (CN) was something else and I can't figure out why.
21:46 < fa0> brb
21:47 < Grobo> am I misunderstanding how to use that script?
21:52 < wallbroken_> guys
21:53 < wallbroken_> do you remember how generate new certificates from a previous setup?
21:53 < wallbroken_> i have init-pki directory
21:53 < wallbroken_> *i have pki directory
21:53 < wallbroken_> it's enough?
22:05 < Grobo> how do I delete a client from the database?
22:17 < Grobo> I see a pem, an entry in index.txt, the csr/crt/key files
--- Day changed Sat Oct 07 2017
00:43 < abenz> Grobo: easyrsa revoke ?
00:53 < Grobo> abenz: I tried it but it didn't work. Maybe I missed something or did something wrong, though.
01:04 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 252 seconds]
02:00 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
02:01 -!- mode/#openvpn [+v s7r] by ChanServ
06:21 < rob0> Grobo, a nice simple way to have server-side access control with TLS cert authentication is with --ccd-exclusive
06:21 < rob0> !ccd
06:21 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
06:21 < rob0> just touch a file with the commonName in the CCD when you issue a new cert
06:22 < rob0> rm that file if you want to block that client
09:26 <+hyper_ch> been pondering to go back to FF... but read just now that FF bundels together with Burda tracking under "Cliqz"
09:54 -!- abenz_ is now known as abenz
10:12 < |Mike|> ok
13:13 < vpndude> I'm working on a opensource OpenVPN managment backend
13:13 < vpndude> what should I consider?
13:14 < vpndude> !sweet32
13:14 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
13:39 <+hyper_ch> what do you understand as opevpn amangement backend?
14:09 < mattabolism> hi
14:10 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has left #openvpn ["Konversation terminated!"]
14:10 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
14:10 -!- mode/#openvpn [+v hyper_ch] by ChanServ
16:29 < web_dev> hi
16:29 < web_dev> openvpn windows installer does not contain openssl ?
16:47 < BtbN> pretty sure it does. Without it openvpn would be mostly non-functional
17:06 < web_dev> BtbN, looks likenot
17:07 < BtbN> what makes you think so?
17:07 < web_dev> easyRSA 3 does not find it
17:07 < BtbN> easyRSA uses the cli utility.
17:07 < BtbN> not the libs
17:07 < BtbN> so it does not work with what openvpn ships
17:08 < web_dev> i don't care, i care that i can't create certificates because easyrsa does not look for openssl
17:08 < BtbN> so install it then
17:08 < web_dev> Missing or invalid OpenSSL
17:08 < web_dev> Expected to find openssl command at: openssl
17:09 < web_dev> so, openvpn does not come with openssl.exe bult in
17:10 < web_dev> but i see openssl.exe in openvpn foler
17:10 < web_dev> older
17:11 < BtbN> point your easyrsa to it then, and see if it works
17:35 < web_dev> BtbN, dh.pem is needed?
17:35 < web_dev> i created two pair of certificates
17:35 < web_dev> public-private
17:35 < BtbN> those are the DH parameters.
17:35 < BtbN> The server needs them
17:35 < web_dev> can you explain to me how they used?
17:35 < BtbN> https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
17:35 <@vpnHelper> Title: Diffie–Hellman key exchange - Wikipedia (at en.wikipedia.org)
17:36 < web_dev> "key exchange" ?
17:36 < BtbN> well...
17:36 < web_dev> i don't need to exchange anything
17:36 < BtbN> it's for exchanging keys
17:36 < BtbN> yes you do
17:36 < web_dev> i copied with a pen drive the keys on every host
17:36 < BtbN> those are for authentication
17:36 < BtbN> not for encryption
17:37 < web_dev> and the keys i created are not used for authentication?
17:37 < BtbN> that's their entire point
17:38 < BtbN> to prove the authenticity of the client to the server
17:38 < web_dev> you mean MITM attack?
17:39 < BtbN> well, that's what certificates prevent
17:39 < web_dev> ok, now i try to read wikipedia to understand how it works
17:40 < BtbN> The cert on the client is only needed to allow access
17:40 < BtbN> not to securely encrypt. Your Browser also manages that without anything of that
17:45 < web_dev> BtbN, you mean ta.key?
17:46 < BtbN> the filename is arbitrary
17:46 < web_dev> i have client.crt and client.key
17:47 < web_dev> ca.crt
17:47 < web_dev> and ta.key
17:47 < web_dev> ta.key is for tls-auth
17:47 < web_dev> so ta.key is related to dh.pen ?
17:48 < BtbN> dh.pem is not "related" to anything. It's the parameters for the DH exchange
19:38 < web_dev> guys
19:38 < web_dev> if i do use DH parameters, why should i also certificates for each client?
22:49 < Algernop> !obfsproxy
22:49 <@vpnHelper> "obfsproxy" is (#1) For a writeup on using obfsproxy with OpenVPN see https://syria.hacktivist.me/?p=148, or (#2) See also !obfs. The link to TrafficObfuscation also contains a setup example
22:51 <@ordex> https://syria.hacktivist.me/?p=148 does not work :(
22:51 <@ordex> !obfs
22:51 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols, or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation, or (#3) in client/server mode an admin can know that openvpn is being used.
22:51 <@vpnHelper> in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
22:51 < web_dev> !blog
22:51 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
--- Day changed Sun Oct 08 2017
02:16 < rudi_s> !forwardsecurity
02:16 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can not decrypt past traffic, or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
03:10 < web_dev> does openvpn windows installer provide openssl?
03:10 <@ordex> I am not entirely sure, but I definitely believe so
03:11 < web_dev> ordex, i remember that in older version, during the install, you can choose openssl
03:11 < web_dev> but now
03:11 < web_dev> i don't see that option anymore
03:19 <@ordex> maybe it is installed by default (?)
03:24 < web_dev> IDK
03:24 < web_dev> in PATH there is not
03:42 <@ordex> that's not required for openvpn
03:42 <@ordex> it is possible that the library is just statically linked
03:44 < web_dev> for sure, easyrsa doesn't reach that
03:44 < web_dev> it's telling me that no openssl was found
03:44 < web_dev> maybe i need to include the binary folder in system PATH
04:16 < DrBunsen> Hello, I am trying to setup an OpenVPN server, I have got the config and keys all set up, no errors in syslog and service openvpn status shows it is up, but I am having issues connection to it. I get an ECONNREFUSED code = 111 error, eventhough I set my firewall to let the traffic pass. I opened the port on my router, even tried to connect to the vpn server locally(it is in the same network). Here is the output of ufw status and a snipp
04:16 < DrBunsen> et of my server.conf https://paste.debian.net/989576/. Can anyone make sense out of this?
04:18 <@ordex> DrBunsen: having a look at the logs might be helpful
04:18 <@ordex> !logs
04:18 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
04:18 <@ordex> and possible also at the config..
04:18 <@ordex> !configs
04:18 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
04:19 < DrBunsen> give me a second
04:29 < DrBunsen> The openVPN log https://paste.debian.net/989582/ client log https://paste.debian.net/989583/ server config https://paste.debian.net/989584/
04:31 < DrBunsen> My openVPN server is on a raspberry pi with raspbian, and my client runs on android 8
05:34 <@ordex> DrBunsen: that is the systemd log on the server, not the openvpnlog
05:34 <@ordex> *openvpn log
05:35 <@ordex> !logfile
05:35 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
05:51 -!- abenz_ is now known as abenz
05:51 <@ordex> DrBunsen: and why there is a '+' here: 19+2.168.0.152:1194
05:51 < abenz> hi ordex
05:58 < crackpotmark> Is there a way to apply iptable rules ONLY when tun0 exists?
05:59 < crackpotmark> i.e when I stop the openvpn client, all iptable rules are ignored
06:05 < abenz> crackpotmark: use up <script/command>
06:07 < abenz> you also need to enable scripts/exec: script-security 2
06:12 < DrBunsen> ordex: That is a typo, I quickly wrote the log on my phone in debian.paste. But the server conf says it will log in /var/sys/log if I didn't specify a log location?
06:14 <@ordex> DrBunsen: if started as daemon, yeah. haven't you specified any "--log" directive in the config file? what you showed does not have any openvpn output
06:14 < DrBunsen> I have specified a log file now, I will upload it
06:16 < DrBunsen> ordex: Hmm, this is a problem https://paste.debian.net/989599/
06:17 <@ordex> DrBunsen: looks like the server never started then?
06:19 < DrBunsen> this is the result of the service status https://paste.debian.net/989600/ the link I added is a link that says it would work if it says exited
06:21 <@ordex> sorry, I am not familiar with systemd :/ but from the log you showed the openvpn server is clearly not starting
06:21 <@ordex> if you run "ps aux | grep openvpn" do you see any process?
06:22 <@ordex> but this https://paste.debian.net/989599/ was quite clear
06:22 < DrBunsen> I changed the keys in the conjfig
06:22 <@ordex> ok, so now the log is different?
06:22 <@ordex> but you still get connection refused on the client ?
06:22 < DrBunsen> it looks ok now
06:22 < DrBunsen> it works
06:22 < DrBunsen> hehe
06:22 < DrBunsen> thanks
06:22 <@ordex> ah ok:)
06:22 <@ordex> np
06:23 <@ordex> hi abenz
06:26 < |Mike|> loving those self fixing problems <3
06:39 < davidebeatrici> Hello
06:40 < davidebeatrici> I have a VPS on which I have an OpenVPN server
06:40 < davidebeatrici> With the IPv4 forwarding enabled and some iptables rules I can connect to it with the internet traffic redirected successfully
06:41 < davidebeatrici> I would like to use Private Internet Access on the VPS, without redirecting its internet traffic
06:41 < davidebeatrici> Basically, what I would like to achieve is:
06:42 < davidebeatrici> Me -> VPS -> PIA
06:42 < BtbN> Whatever "Private Internet Access" is
06:43 < davidebeatrici> Private Internet Access is a VPN provider
06:43 < crackpotmark> why do you want to have a double vpn?
06:44 < davidebeatrici> Because the VPS has a German IP
06:44 < davidebeatrici> I would like to have an Italian one, since I'm in Italy
06:44 < crackpotmark> hmm
06:45 < crackpotmark> maybe reverse server and client?
06:45 < crackpotmark> have the vps connect via your home
06:45 < abenz> ordex: say you have SiteA, with static key setup, you setup siteB and all works fine.. Now you can't adjust config on SiteA anymore, but you want to add SiteC, D,..
06:46 < abenz> the communication is only between siteA and connecting sites (eg siteB and C dont need to communicate)
06:46 < davidebeatrici> crackpotmark: I can't, because my home connection is horrible
06:46 < davidebeatrici> The VPN to my VPS will be used via LTE
06:46 < crackpotmark> no vpn will change your home connection
06:46 < abenz> so my question, can I set up a static key based setup that can accept multiple clients but without adjusting siteA further?
06:47 < crackpotmark> it will only degrade further with a second tunnel
06:48 < davidebeatrici> I will not use my home connection, which is a ADSL2+, with my VPN
06:48 < crackpotmark> ah okay
06:49 < davidebeatrici> On the VPS I have tun0 and tun1 when I'm connected to PIA
06:50 < davidebeatrici> With "tun0" being the server and "tun1" the client
06:50 < davidebeatrici> The problem is that "tun1" redirects all the traffic on "eth0", the main VPS interface
06:51 < crackpotmark> what iptable rules do you have atm?
06:51 < davidebeatrici> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
06:52 < davidebeatrici> iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
06:52 < davidebeatrici> iptables -t nat -I POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
06:52 < davidebeatrici> Nothing more
06:52 < crackpotmark> so you will need to use a different ip range for each
06:52 < crackpotmark> I'm not sure what PIA supplys
06:54 < davidebeatrici> 10.52.10.6
06:55 < davidebeatrici> I guess the netmask is 10.52.10.0
06:57 < davidebeatrici> crackpotmark: As it is now, it works
06:57 < davidebeatrici> But the VPS should retain its original IP
06:57 < davidebeatrici> Instead of using the VPN one
06:57 < crackpotmark> I don't follow?
06:58 < crackpotmark> you want two pipes yes?
06:58 < davidebeatrici> Yep
06:59 < crackpotmark> home -> vps -> PIA
06:59 < davidebeatrici> Exactly
06:59 < crackpotmark> which one works
06:59 < davidebeatrici> Home -> VPS works
06:59 < crackpotmark> so your home has a german IP?
06:59 < davidebeatrici> Exactly
07:00 < davidebeatrici> Home -> VPS -> PIA doesn't work, because the VPS doesn't have its IP anymore
07:00 < crackpotmark> the vps still has an IP?
07:00 < crackpotmark> wget -q -O - checkip.dyndns.org|sed -e 's/.*Current IP Address: //' -e 's/<.*$//'
07:00 < crackpotmark> run that
07:00 < crackpotmark> thats what your vps has for an IP
07:01 < crackpotmark> (run on the vps)
07:02 < crackpotmark> why are you running a forward route?
07:02 < crackpotmark> afaik you only need the first entry you said in chat
07:06 < crackpotmark> hmm you need a route that will send only outbound traffic to PIA via tun1
07:06 < davidebeatrici> Exactly
07:06 < crackpotmark> it might not be possible to distiguish incomming from outgoing
07:07 < davidebeatrici> The VPS still has an IP, but its the PIA one
07:12 < crackpotmark> do you have serial access to the vps?
07:12 < crackpotmark> (a none ssh access method)
07:13 < davidebeatrici> Yes, I do
07:13 < crackpotmark> try these
07:13 < crackpotmark> https://paste.debian.net/hidden/4c433938/
07:14 < crackpotmark> but you might loose access if I'm wrong :P
07:14 < davidebeatrici> No problem, don't worry :)
07:14 < crackpotmark> also remove the other two you already have
07:15 < crackpotmark> we don't really want anything sent to eht0
07:15 < davidebeatrici> To be sure I rebooted the VPS
07:17 < nbastin> is there a knob to get openvpn to not log that it can't access the TUN/TAP device?
07:18 < nbastin> openvpn[22531]: message repeated 36478 times: [ read from TUN/TAP : File descriptor in bad state (code=77)]
07:19 < nbastin> not really what I need every 2 seconds.. :-)
07:20 < crackpotmark> yeah at the bottom off the server.conf
07:20 < crackpotmark> uncomment the mute 20
07:28 <+hyper_ch> dazo: ecrist: ordex:  https://www.youtube.com/watch?v=xMtbGy3BThc
07:29 < davidebeatrici> crackpotmark: On the VPS I can ping
07:29 < davidebeatrici> But your line to check the IP doesn't return anything
07:30 < davidebeatrici> I can't ping the server from home
07:30 < davidebeatrici> Its probably using the PIA IP
07:31 < davidebeatrici> Do you want to see the OVPN content?
07:31 < crackpotmark> sudo iptables -A INPUT -i tun0 -p icmp -j ACCEPT
07:31 < crackpotmark> you will need that for ping
07:31 < crackpotmark> otherwise it drops the pings :)
07:33 < davidebeatrici> crackpotmark: Still doesn't work :(
07:34 < crackpotmark> is the first tunnel still up?
07:34 < crackpotmark> you have a german ip
07:34 < crackpotmark> and internet
07:35 < davidebeatrici> The first tunnel is up, but I can't connect to it, since the German IP is unpingable
07:36 < crackpotmark> you don't need ping to connect
07:36 < crackpotmark> whats the errors on the client log?
07:36 < davidebeatrici> I'm using Network Manager on KDE
07:36 < davidebeatrici> How can I check?
07:37 < crackpotmark> oh right
07:37 < crackpotmark> I have no idea :P
07:37 < crackpotmark> I use the openvpn client
07:39 < crackpotmark> look in the syslog maybe
07:39 < davidebeatrici> On the serial console sometimes I see "nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead."
07:40 < davidebeatrici> crackpotmark: Sun Oct  8 14:33:27 2017 Attempting to establish TCP connection with [AF_INET]x.x.x.x:53 [nonblock]
07:40 < davidebeatrici> It stops here
07:41 < davidebeatrici> No more logs
07:42 < crackpotmark> was that the ip of your vps?
07:42 < crackpotmark> not usually vpn on port 53
07:42 < crackpotmark> anything earlier?
07:45 -!- zvirbliukas1 is now known as zvirbliukas
07:58 < |Mike|> !networkmanager
07:59 < |Mike|> !netman
07:59 <@vpnHelper> "netman" is (#1) NetworkManager usually works fine, but can have some challenges in som env, or (#2) Ensure you run a reasonably recent NM version, or (#3) NM is aimed at client configurations and requires a logged in user session and is sensitive to instable unstable networks, or (#4) If OpenVPN works from the command line but not NM, go to #nm or https://wiki.gnome.org/Projects/NetworkManager
07:59 < |Mike|> crackpotmark: ^
08:01 < davidebeatrici> crackpotmark: No, I censored the IP
08:01 < davidebeatrici> I'm obliged to use the VPS on port 53 TCP, for carrier requirements
08:01 < davidebeatrici> *VPN
08:08 < crackpotmark> you should try the openvpn client to rule out networkMangager as the fault
08:08 < davidebeatrici> crackpotmark: I did
08:09 < davidebeatrici> The output above is from the terminal client
08:09 < davidebeatrici> I just realized that on the VPS I can ping 8.8.8.8, but not google.com
08:09 < davidebeatrici> DNS issue?
08:09 <@ordex> abenz_: I think no
08:09 <@ordex> abenz_: static key is p2p mode
08:10 < crackpotmark> davidebeatrici: looks likely
08:11 < davidebeatrici> crackpotmark: In any case, the main problem remains
08:11 < davidebeatrici> It's still using PIA's IP, since I can't access it
08:11 < crackpotmark> how can you be sure?
08:11 < davidebeatrici> I can't access it
08:11 < davidebeatrici> Using its public IP
08:11 < crackpotmark> it will still accept connections on its local ip
08:12 < crackpotmark> *if the firewall is correct
08:12 < crackpotmark> a vpn applys to outbound traffic
08:13 < crackpotmark> sudo iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
08:13 < crackpotmark> try that
08:13 < crackpotmark> we can fix dns later
08:13 < abenz_> ordex: roger, thanks. So I guess it has to use PKI, and allowing multiple connection from same CN (then using same key for different sites), is that the right approach?
08:14 <@ordex> that's an option
08:14 <@ordex> why not using multiple certs, one per site?
08:14 <@ordex> I think you can also not use certificates and just user and pass, if you want
08:14 < davidebeatrici> crackpotmark: Still inaccessible
08:15 < crackpotmark> does the vpn handshake take place over tun? I dunno
08:17 < davidebeatrici> crackpotmark: No
08:17 < davidebeatrici> Because the VPS is inaccessible externally
08:20 < davidebeatrici> crackpotmark: I thought it was a simple thing to do
08:20 < davidebeatrici> Me -> VPS -> VPN
08:21 < crackpotmark> only if you can work out the correct routing
08:21 < davidebeatrici> VPS -> Internet (no VPN)
08:21 < davidebeatrici> crackpotmark: How can I flush the iptables rules without rebooting?
08:21 < crackpotmark> sudo iptables -F
08:22 < crackpotmark> check "sudo iptables-save" after
08:22 < crackpotmark> there should only be headings
08:22 < davidebeatrici> OK, now the table is empty
08:22 < davidebeatrici> I checked with iptables -L
08:22 < crackpotmark> cool
08:22 < crackpotmark> that only shows one table btw ;)
08:23 < crackpotmark> iptables -t nat -L
08:23 < crackpotmark> check that one too
08:23 < davidebeatrici> MASQUERADE  all  --  anywhere             anywhere
08:23 < davidebeatrici> Under Chain POSTROUTING
08:23 < davidebeatrici> iptables nat -F?
08:24 < crackpotmark> -t nat -F
08:24 < bartzy> Hello everyone - I have an existing OpenVPN setup, and am trying to enable clients to choose if they want all traffic to pass through the VPN, or only what the server pushed. Is it possible?
08:24 < davidebeatrici> I still can't ping websites
08:25 < davidebeatrici> crackpotmark: Now even IPs
08:25 < crackpotmark> is your PIA vpn still on?
08:25 < bartzy> if I push a default gateway from the server, can clients “avoid” using it if they want to ?
08:25 < davidebeatrici> No, it isn't
08:25 < DArqueBishop> bartzy:
08:25 < DArqueBishop> !nopull
08:25 <@vpnHelper> "nopull" is "route-nopull" is If you want to accept pushed options from the server but not apply the routes (including --redirect-gateway) you can use --route-nopull to ignore all pushed routes
08:25 < bartzy> I don’t want to ignore all pushed routes
08:26 < DArqueBishop> Yeah, as soon as I saw it I realized it was the wrong factoid.
08:26 < bartzy> just to send to users (clients) two configs - one where only pushed routes (to servers etc) are through the VPN, and a 2nd config where everything goes through the VPN.
08:26 < crackpotmark> davidebeatrici: I dunno what causes that actually. I had that one time too. I think the NIC crashes or something
08:26 < crackpotmark> best reboot sorry
08:26 < davidebeatrici> No problem :)
08:27 < bartzy> DArqueBishop: two configs for clients is just the way I thought of doing it, if there’s a better, more idiomatic way it would be great to know
08:27 < rob0> bartzy, perhaps simplest would be ^^ yes, two server configs
08:27 < DArqueBishop> bartzy: in that case, you can put the redirect-gateway command on one of the configuration.
08:27 < DArqueBishop> It doesn’t have to be pushed.
08:27 < bartzy> @DArqueBishop: I can put redirect-gateway on the client config only? Cool
08:28 < rob0> yeah, that too
08:28 < bartzy> rob0: Why do I need two server configs though?
08:28 < bartzy> I will need to add a POSTROUTING rule on iptables on the server as well, correct?
08:28 < bartzy> to actually route traffic
08:28 < DArqueBishop> Correct.
08:29 < rob0> SNAT
08:29 < DArqueBishop> !linnat
08:29 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
08:30 < DArqueBishop> Welcome to 2017, where you can do IRC tech support from your phone while waiting for your car to be finished at the shop. ;-)
08:30 < bartzy> :)
08:30 < bartzy> thanks!
08:30 < bartzy> what’s the difference between the SNAT option and the first one?
08:31 < rob0> the factoid explains it in part
08:31 < bartzy> to choose the IP by myself, instead of just going through the default ip for thaht interfacE?
08:31 < rob0> MASQ uses the default IP, yes
08:32 < bartzy> I see
08:34 < rob0> DArqueBishop, a shop open on Sunday?
08:37 <@ordex> rob0: in some country it does not matter what day it is :P
08:37 <@ordex> *countries
08:37 <@ordex> or time :D
08:37 < davidebeatrici> crackpotmark: Weird
08:37 < davidebeatrici> I connected to PIA and managed to ping google.com
08:37 < davidebeatrici> Then I tried to ping google.it and it didn't work
08:38 < davidebeatrici> Now I can't ping anything if I'm connected to the VPN
08:44 < crackpotmark> can you ping IPs?
08:44 < davidebeatrici> No, I couldn't
08:44 < davidebeatrici> Now I rebooted
08:49 < davidebeatrici> crackpotmark: Doesn't work
08:49 < davidebeatrici> At least I can ping IPs now
08:49 < crackpotmark> which part?
08:49 < davidebeatrici> OK, let's leave the DNS part out for now
08:49 < davidebeatrici> Because I can ping 8.8.8.8
08:50 < davidebeatrici> The server is inaccessible from the outside if I'm connecting to PIA on it
08:50 < davidebeatrici> What should I do?
08:50 < crackpotmark> I'm not sure if thats expected tbh
08:51 < davidebeatrici> I think it is
08:51 < rob0> of course it is
08:51 < crackpotmark> why?
08:51 < davidebeatrici> Because all of the server's internet traffic is routed to PIA
08:51 <@ordex> davidebeatrici: you need some policy routing
08:51 < davidebeatrici> ordex: I think so
08:51 <@ordex> that's because the server is sending replies to the incoming requests over the PIA tunnel
08:51 <@ordex> (where you have the default)
08:51 < crackpotmark> oh so it accepting incomming, but replys go to PIA
08:52 <@ordex> you need to setup policy routing so that packets generated by your local IP go over the local default route and not over PIA
08:52 < davidebeatrici> I never worked with iptables or complex routing, I need some help :)
08:52 < crackpotmark> thats obvious
08:52 < crackpotmark> sorry :P
08:52 <@ordex> you can verify that by tcpdumping on the uplink interface
08:52 < rob0> !lartc
08:52 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
08:52 < davidebeatrici> ordex: How can I do it?
08:53 <@ordex> davidebeatrici: the topic rob0 pulled up is for you ^^
08:54 < davidebeatrici> Thank you :)
08:54 <@ordex> np
08:54 < davidebeatrici> ip route add 127.0.0.1/8 dev eth0
08:54 < davidebeatrici> ip route add 10.8.0.0/24 dev tun1
08:55 < davidebeatrici> tun1 is PIA's interface
08:55 < davidebeatrici> tun0 is the VPN's one
08:55 < davidebeatrici> eth0 is the VPS' one
08:55 < davidebeatrici> Is that right?
08:55 <@ordex> did you read the guide already? that was fast :)
08:55 <@ordex> nope. it's wrong
08:55 < davidebeatrici> I didn't read the entire guide, I looked at 4.2.1
08:55 < davidebeatrici> "Split access"
08:56 < davidebeatrici> Oh, right
08:56 < davidebeatrici> ip route add default via eth0
08:56 <@ordex> davidebeatrici: and consider that this is not a openvpn problem anymore. this is just advanced linux routing
08:57 < davidebeatrici> ordex: Should I go to a specific IRC channel?
08:57 <@ordex> davidebeatrici: honestly I don't know
08:58 <@ordex> this is something you should learn and apply to your specific setup
08:58 <@ordex> this is why rob0 gave you some links to read from
08:58 < rob0> It's on topic in #Netfilter but no one there is likely to walk you through it all.
08:58 < nbastin> you could try ##networking, that's a bit hit or miss
08:58 < rob0> by definition it's not simple stuff
09:00 < bartzy> rob0: Regarding iptables, can I specify that only packets to a specific network (x.y.z.w/v) will be routed with SNAT?
09:00 < nbastin> davidebeatrici: I'll be back in like 2 hours if you're still around and need help
09:00 < davidebeatrici> nbastin: OK, thank you :)
09:00 < rob0> bartzy, see "-d" in iptables(8) man page
09:00 < bartzy> thanks. It works directly on the SNAT rule?
09:00 < rob0> and that sounds strange
09:00 < bartzy> rob0: Why?
09:01 < rob0> NAT is for RFC 1918 networks to communicate with Internet hosts.
09:01 < bartzy> rob0: I have an IP range that I manage, with HTTP services. Some service have a restricted area that I would like to restrict only to VPN users.
09:01 < bartzy> some services*
09:02 < rob0> sounds like you'd want to do your filtering in the filter table
09:02 <@ordex> yeah, probably those packets should not reach the outgoing interface at all
09:02 < bartzy> the web services check for the user’s IP and based on that allow or restrict further access
09:02 <@ordex> not doing SNAT means that packets will still go out, but with the wrong IP
09:03 < bartzy> rob0, ordex: I didn’t quite get what you mean
09:03 <@ordex> ah I may have understood your setup now
09:04 <@ordex> so you want outgoing packets to have SNAT'd IP only when reaching a certain service, but go out with their original IP in the other cases?
09:04 < bartzy> hmmm, not exactly.
09:05 <@ordex> ok, then I haven't understood the scenario :P
09:05 < bartzy> I have a bunch of servers. Some web services are listening on a public internet IP address. I have an admin panel on that service which restricts access based on a manual list of IPs that I specify.
09:05 < bartzy> I also have OpenVPN access into the internal network of the servers.
09:06 < bartzy> I want to specify some IP of the VPN (or of the public IP of the VPN), on my web service, so when I connect to the VPN, I can access the admin panel.
09:06 < bartzy> perhaps I should have made the admin panel service listen on an internal network IP, but I didn’t for now… and want to get it to work
09:09 <@ordex> bartzy: information is not complete
09:09 < bartzy> ordex: OK. What else do you need to know?
09:09 <@ordex> are openvpn and the admin panel running on different servers?
09:09 < bartzy> Yes
09:09 < bartzy> on the same internal network
09:09 <@ordex> do all the servers share the same private network ?
09:10 < bartzy> yes, they do. Some of them also have a public (internet) interface. Some don’t. according to need
09:10 <@ordex> ok, so you want that a VPN client can connect to the admin panel using the internal IP of the OPENVPN server ?
09:10 <@ordex> ok
09:10 < bartzy> basically right now the web service (which includes the admin panel), only listens on a public address
09:11 <@ordex> ok. and when the VPN server tries to talk to the public IP of the panel, where do packets normally go? through the internal network?
09:11 < bartzy> I want the users of the VPN (the clients) to be able to connect to the VPN, and then just use the admin panel.
09:11 <@ordex> or to they go all the way on the internet?
09:11 <@ordex> *do they
09:11 < bartzy> they will go all the way to the internet, I think.
09:11 <@ordex> mh thi sis important
09:12 < bartzy> I mean, they will go to the gateway and then just come right back because it’s the same gateway for both.
09:12 <@ordex> because if the vpn server has an internal route for that specific public ip, traffic may go internally
09:12 < bartzy> but since the web service only listens on the public IP, it will go “out” and “back in"
09:12 <@ordex> ok
09:12 < bartzy> oh I see. No it doesn’t have a route for that specific public IP. That’s another option to get what I need though, I guess/
09:13 < bartzy> that was supposed to be a question mark
09:13 <@ordex> and right now the OpenVPN server is not acting as default GW for the vpn clients?
09:13 < bartzy> no, it only pushes a route for the internal network (so clients could SSH into servers, etc)
09:13 <@ordex> ok
09:14 <@ordex> well, first of all those VPN clients need a route for the IP of the panel through the VPN
09:14 <@ordex> otherwise they will never send any traffic for the panel over the vpn
09:14 <@ordex> step by step .. you need to make sure the full path works as expected
09:15 <@ordex> then the VPN server needs to allow forwarding of traffic for the VPN clients going to that public IP
09:15 <@ordex> then masquerading/snat must be in place
09:18 < bartzy> maybe I can avoid having the SNAT part by just having a route from the VPN server to the web server?
09:18 < davidebeatrici> ordex: https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
09:18 <@vpnHelper> Title: IgnoreRedirectGateway – OpenVPN Community (at community.openvpn.net)
09:18 <@ordex> snat is needed to ensure that outgoing packets have as source address the one of the host doing snat
09:18 < davidebeatrici> With the four lines the VPS' internet traffic is not redirected anymore
09:19 <@ordex> davidebeatrici: so you're not using the PIA interface anymore?
09:19 < davidebeatrici> ordex: Exactly
09:19 <@ordex> is that what you wanted?
09:19 <@ordex> why do you establish the connection to PIA then ?
09:20 < davidebeatrici> Now I just need to route tun0 through tun1
09:20 < davidebeatrici> Basically, I want to be through PIA when I connect to my VPS via VPN
09:21 < bartzy> ordex: Yes but I already have a general SNAT rule for letting the VPN clients access the internal network
09:22 <@ordex> bartzy: it depends how it is shaped. because the destination will be the public IP where the panel is running. is that matched by the rule?
09:22 < rob0> SNAT into an internal network does not make sense.
09:23 <@ordex> rob0: I think he can't advertise the VPN subnet to the other hosts in the private network (?)
09:23 < bartzy> ordex: Correct
09:23 <@ordex> although you could configure that on the GW only
09:23 < bartzy> ordex: I mean, I can, I guess. But I didn’t so I have that SNAT rule
09:37 < davidebeatrici> ordex: Even better
09:37 < davidebeatrici> --route-nopull
09:38 <@ordex> davidebeatrici: yeah I know those options, but at this point I have poor understanding of your goal
09:38 < davidebeatrici> ordex: I'm obliged to use a VPN with the port 53 TCP, for carrier requirements
09:38 < davidebeatrici> Only AirVPN provides a VPN on this port, but it doesn't have a server in Italy
09:39 <@ordex> ok
09:39 < davidebeatrici> So, I decided to use my VPS, which is in Germany
09:39 < davidebeatrici> The problem is that it has a German IP, I would like to have an Italian one
09:39 <@ordex> ok, makes sense
09:39 < davidebeatrici> Which is why I want to route tun0 (VPN server) through tun1 (PIA) :)
09:40 <@ordex> then why route-nopull if you *want to route* the traffic ?
09:40 < davidebeatrici> Because without that option it routes all of the server traffic
09:40 <@ordex> sure
09:40 <@ordex> with that option it routes none at all :P
09:41 < davidebeatrici> Indeed :P
09:41 < davidebeatrici> I need to add the route manually
09:41 <@ordex> so the problem is still that incomign connections to the server do not work?
09:41 <@ordex> we gave a solution for this, no?
09:42 < davidebeatrici> Yes, by not routing the server's traffic
09:42 < davidebeatrici> Now I can connect to the server's VPN, but I can't access internet
09:43 <@ordex> "now" means with route-nopull ?
09:43 < davidebeatrici> To be able to access it (with the German IP) I had to enable the IPv4 forwarding and add 3 iptables rules
09:43 < davidebeatrici> ordex: Yes
09:43 <@ordex> davidebeatrici: I woul advise against using that options and using the policy routing solution
09:43 < davidebeatrici> Against the IPv4 forwarding and iptables rules?
09:44 <@ordex> against using route-nopull
09:44 <@ordex> ipv4 forwarding is still required for your routing
09:44 <@ordex> the iptables rule I don't know what they are
09:44 <@ordex> but you said that you were able to access intenret with PIA before, no?
09:44 <@ordex> *internet
09:46 < davidebeatrici> Only on the server
09:46 < davidebeatrici> Because I couldn't access it from the outside to connect to its VPN
09:47 < davidebeatrici> The rules were:
09:47 < davidebeatrici> -A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
09:47 < davidebeatrici> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
09:48 < davidebeatrici> Theoretically "-A FORWARD -i tun0 -o tun1 -s 10.8.0.0/24 -j ACCEPT" should work
09:50 < davidebeatrici> ordex: Is it the correct way?
09:50 <@ordex> well accepting packets to be forwarded is needed, but if you need this rule or not depends on your default policy
09:51 <@ordex> you still to have NAt working on the server, because it will be your GW towards PIA anyway
09:51 <@ordex> bu you need PIA to be your default GW anyway, otherwise how can you send traffic to it ?
09:51 <@ordex> *but
09:52 < davidebeatrici> So, I need to remove the "route-nopull" option and then use policy routing?
09:53 < DArqueBishop> rob0: it's an oil change shop, but I had it there for a mandatory state inspection required for registration renewal.
10:05 < AHemlocksLie> If I set up my home server to connect to a VPN with OpenVPN, will that interfere with connecting through the normal home IP? My router is configured to port forward my SSH connection to the server, so I imagine it should still be fine, but I'm far from home, so trial and error is not an attractive option lol
10:14 < davidebeatrici> ordex: Can you help me?
11:28 < dvds> hello world
11:30 <+hyper_ch> hello dvds
11:38 < dvds> it looks like my "new" android 7 phone is very keen on killing openvpn connect as soon as I look away, even though I took it out of the "battery optimizations"... is anyone familiar with the issue?
11:42 <+hyper_ch> no
11:44 < BtbN> doze mode will kill pretty much anything running in the background
11:44 < BtbN> and there's nothing to do about it
11:46 < dvds> BtbN: doze mode? is that something that can be tweaked? or not even? :-/
11:46 < BtbN> It's the phone pretty much going into hybernation when it's left alone for long enough
12:10 < davidebeatrici> nbastin: Are you here?
12:23 < dvds> BtbN: Ok... great. Thanks
13:00 < nbastin> davidebeatrici: I am sortof, mashing my face against my own ios problem, but hopefully will be ready in a few
13:01 < davidebeatrici> nbastin: OK, thank you :)
13:01 < nbastin> I really do need to patch openvpn to support namespaces, my namespace hack only works if you don't reload the config
13:01 < nbastin> because while it says it doesn't reattach to the TUN/TAP device in the docs, that seems to be a lie
13:10 < nbastin> davidebeatrici: ok, I'm around... :-)  I don't have any context for your problem, so you probably need to go over it again, or if you have any pastes that describe it that might help
13:11 < nbastin> davidebeatrici: also we should probably jump over to #networking as it's slightly off-topic here
19:25 < g33kdad> Hello. I was hoping to set up an openvpn server on a VPS and have a device on my home network "dial out" to it and then connect to it via remote clients and access resources on my home network.
19:26 < g33kdad> I use AT&T for internet and it seems they won't let me pinhole my firewall
19:27 < g33kdad> I know if I use openvpn access server I can do this but only with 2 clients unless i buy a license. is it possible to achieve this using just openVPN?
19:27 < g33kdad> !welcome
19:27 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
19:27 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
19:30 < g33kdad> !howto
19:30 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
21:11 < rob0> of course, you don't need AS for a simple site-to-site VPN.
21:12 < rob0> In fact the benefits of AS are mostly about ease of account management, nothing at all related to routing.
21:13 < rob0> !serverlan
21:13 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
21:13 < rob0> ^^ flowchart to check your work against
21:38 < web_dev> rob0 you know if newer version of openvpn installer for windows still have openssl built in?
23:01 -!- abenz__ is now known as abenz
23:12 < g33kdad> thanks, @rob0
23:14 < g33kdad> i'm kind of a noob at routing... so i'm not sure i'll get it going without help... but i'll be back :)
--- Day changed Mon Oct 09 2017
02:08 < jer0me> hey there, how would you best integrate openvpn/ssh so that ssh is only available through the openvpn interface on linux? I guess I can set sshd to listen on the correct ip and set openvpn "up" script to something like "systemctn restart ssh.service" but it feels a bit hacky.
02:09 < jer0me> otoh, changing systemd service files is annoying since they change upon upgrades
02:11 < adminseodwn> !welcome
02:11 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
02:11 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
02:11 <@vpnHelper> you
02:11 < adminseodwn> !goal
02:11 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
02:14 < jer0me> "I'd like sshd to listen on the vpn interface only, at boot and after every openvpn restarts, on linux."
02:15 <@ordex> jer0me: what you said sounds reasonable to me
02:35 < jer0me> ok, done. Thanks ordex
02:36 <@ordex> np
04:51 -!- zvirbliukas1 is now known as zvirbliukas
05:02 -!- zvirbliukas1 is now known as zvirbliukas
05:21 -!- zvirbliukas1 is now known as zvirbliukas
09:56 < srg> Hi. I have a openvpn config that uses tun. I am trying to setup a iptables firewall to block all traffic except VPN traffic. I set rules to allow connections to my remote VPN server and I can connect, but once connected, I still have no internet access
09:59 < srg> Do I need to add iptables rules to allow all traffic over the tun0 interface? Will this do what I want, or will it leak any traffic outside the VPN?
10:05 -!- xuumno is now known as PhantomDruid
10:37 < MacGyver> srg: Did you remember that the remote server needs to act as a router for this, and configure it accordingly?
10:45 < srg> I think that's what I forgot
10:45 < srg> Thanks MacGyver
10:45 < srg> I'm learning as I go, heh
10:47 < rob0> yeah, I mentioned that in #Netfilter as well, "if the server will forward your traffic"
10:47 < MacGyver> Sometimes needs to be made more explicit.
10:50 < havoc> I've been doing this for 25+ yrs, and even I get caught every now and then forgetting to verify ipforwarding
10:50 < Eugene> !redirect
10:50 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
10:50 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
10:50 < Eugene> srg - flowchart ^
10:52 < Eugene> Specifics of iptables rule design is out-of-scope for this channel, but the general principle is that you need to allow FORWARD coming from tun0 and out eth0, and enable MASQUERADE/SNAT
11:27 < |Mike|> aloha!
12:07 < zvirbliukas> !welcome
12:07 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
12:07 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
12:07 <@vpnHelper> you
12:19 < |Mike|> i smell clones
12:35 <+hyper_ch> is krzee back?
12:36 < rob0> krzeen't
12:36 < rob0> !seen krzee
12:36 <@vpnHelper> krzee was last seen in #openvpn 9 weeks, 5 days, 19 hours, 44 minutes, and 6 seconds ago: <krzee> !route_outside_ovpn
12:36  * hyper_ch is worried
12:41 < AABatteries> I'm trying to set up openvpn on my raspberry pi to accept connections from two different ports (I want to add VPN over port 443 to unblock access from my uni, since my original port is blocked) but have failed to find a way. I have added a separate config file on my OpenVPN server that is basically a copy of the original config but with the only change being the port number
12:41 < AABatteries> I restarted openvpn and it doesnt seem to work
12:42 < AABatteries> I have described this issue in a bit more detail in the issue tracker on pivpn's githyb, but noone has responded with a solution yet
12:42 < AABatteries> so I thought you guys might be able to help
12:42 < AABatteries> here's the link: https://github.com/pivpn/pivpn/issues/352
12:42 <@vpnHelper> Title: Is it possible to run two separate instances of OpenVPN on one Pi? · Issue #352 · pivpn/pivpn · GitHub (at github.com)
12:45 < rob0> To use two separate server instances, you'd need separate VPN netblocks for each.
13:20 < AABatteries> rob0, sorry I got disconnected. How do I set up separate VPN netblocks? Can I find this in the documentation?
13:22 <@ecrist> You would just set something different in the --server line for each, then make sure they can route to each other.
13:26 < AABatteries> frankly, I have no idea how to search for this, can you point me to a relevant part in the docs/provide any suitable links that I can read?
13:27 <@ecrist> AABatteries: You're aware of our manual on the openvpn website?
13:28 < AABatteries> yes, and I'm going thru it right now, but I'm not 100% sure how to search for this topic
13:28 <@ecrist> control-F, type in --server
13:28 <@ecrist> pretty straight forward
13:28 < rob0> use the !howto to help set up the first server instance, then change the "server" line and "proto" line in the second instance
14:49 < jb> has anyone had success running a group of openvpn servers behind a TCP load balancer (like an AWS ELB, etc)?
14:49 < BtbN> You don't want to run OpenVPN via TCP
14:50 < jb> any reasons in particular?
14:54 < jb> I haven't seen any issues in my [very] limited tests.
14:54 < jb> I did see this.. which makes sense:  http://sites.inka.de/bigred/devel/tcp-tcp.html
14:54 <@vpnHelper> Title: Why TCP Over TCP Is A Bad Idea (at sites.inka.de)
14:54 < jb> any thing else?
16:09 < Eugene> !tcp
16:09 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
16:10 < Eugene> TCP-in-TCP works OK when everything is "normal", but things go to shit quickly with a full pipe, packet loss, jitter, etc because both levels of TCP attempt to deal with the failure, which just results in hilarious toe-stepping
16:10 < Eugene> Its a bit of parroted wisdom from years of running VPN services, that actually happens to be true and useful
16:10 < Eugene> Unlike nonsense such as "block ICMP for security"
16:20 < MacGyver> Yeah. You should block ICMP because you hate your users.
16:20 < MacGyver> Not for security.
16:49 < nadio> Hello I have a small issue, I am connected to a VPN server with Openvpn, everything seems to be alright expect I cant route any traffic thrue it, and it doesnt seem to give me a an default gateway...
16:50 < nadio> I get an IP but thats about it
16:53 < rob0> do you control the server?
16:54 < nadio> rob0: no
16:57 < rob0> you're going to have to ask them, then
17:41 -!- abenz_ is now known as abenz
18:21 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 240 seconds]
18:25 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
18:25 -!- mode/#openvpn [+o syzzer] by ChanServ
18:52 -!- r00t^2 is now known as jth4n
18:52 -!- jth4n is now known as r00t^2
19:22 <@ordex> morning
19:35 <+Dougy> ordex: you in AU/NZ
19:35 <+Dougy> ?
19:35 <+Dougy> or eastern asia?
19:35 <@ordex> somewhere around that
19:35 <@ordex> yeah
19:35 <+Dougy> word
19:35 <+Dougy> has anyone heard from krzee yet
19:35 <@ordex> nope :(
19:36 <+Dougy> jeez.
19:36 <+Dougy> i hope he is ok
19:36 <@ordex> yeah :/
19:38 <+Dougy> i dont even know what island he is on
19:38 <+Dougy> lol
19:38 <+Dougy> hopefully he went back state side before it hit, but, then again, if he did i would expect to have heard from him
19:43 <@ordex> yeah
19:43 <@ordex> :/
20:15 < zzyyxxcc> Hi I have been using openvpn for many years, thanks for all the work. Now the question : I would like to pre-create a tap device to be used by an openvpn client. So say tap5 exists before I start openvpn client and will just attach to that device and use it. Is this possible ?
20:23 <@ordex> zzyyxxcc: yes
20:23 <@ordex> zzyyxxcc: check the --mktun argument in the manpage
20:24 < zzyyxxcc> Ok I did look at that but it looked like it was for something else, will look closer, thx
21:06 < zzyyxxcc> thx I am able to make it work the way I wanted now
21:44 < moffa> Hi, is there a way to check for compression support (lz4-v2) like --show-ciphers?
--- Day changed Tue Oct 10 2017
00:43 < MrHooper> !welcome
00:43 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
00:43 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
00:47 < MrHooper> !/30
00:47 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
00:47 < MrHooper> !topology
00:47 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
00:47 < MrHooper> !redirect
00:47 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
00:47 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
00:48 < MrHooper> !dns
00:48 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
00:48 < MrHooper> !mitm
00:48 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: remote-cert-tls server in the client config
03:44 < MaxFrames> hello
03:45 < MaxFrames> I've set up my server to use AES-256-CBC as the cipher to avoid SWEET32 exploits, but I've noticed that clients whose config has not been updated (thus still using the default cipher) are still allowed to connect
03:46 < MaxFrames> how do I make sure that only clients using the same cipher are allowed to connect?
03:59 <@ordex> what version are you using on client and server ?
03:59 <@ordex> and
03:59 <@ordex> !configs
03:59 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
04:11 < MaxFrames> the client (for windows) is the latest, 2.4.4-i601
04:13 < MaxFrames> the server (on debian) is 2.2.1
04:17 < MaxFrames> when I updated the client on win, I started seeing the warnings about sweet32 so I added a "cipher AES-256-CBC" directive to the server config and to the client config, and the warnings disappeared
04:17 < MaxFrames> but I also tried with the old client config, and the result in this case is that the cipher requested by the client prevails, and the server obeys; it does not force aes-256-cbc which is what I expected
04:19 <@ordex> to be frank, I have no clue what openvpn-2.2 is doing. that is really ancient
04:24 < Virtual> I'm using 10.8.0.0/24 subnet to assign local IP's to clients when they connect. They seem to be assigned in order, like .2,.3,.4 etc
04:24 < Virtual> anyway to randomize that?
04:56 < MaxFrames> ordex: what would one do to enforce a cipher in the current version then? maybe it backports
04:56 <@ordex> what you did
04:56 <@ordex> specify *only* cipher $something
04:57 < MaxFrames> it's what I did, indeed
04:57 <@ordex> if you show your server config we can check if there is something else that may be interfereing
04:57 <@ordex> although i doubt
04:57 < MaxFrames> ok, gimme a few minutes
04:57 <@ordex> sure
05:23 < MaxFrames> sorry phone
05:24 < MaxFrames> this is the server config https://pastebin.com/rqVJqkCt
05:24 < MaxFrames> edited to protect the innocent
05:25 < MaxFrames> pretty basic as you can see
05:26 <@ordex> yeah
05:26 <@ordex> are you sure clients are connecting with the old cipher? I am wondering if they are getting upgraded (if they are 2.4.x), ut that should work only against a 2.4.x server I believe
05:29 < MaxFrames> what I did was first add the cipher directive to the server config; then I tried to connect from my own windows client without editing the client config, just to see what would happen
05:29 < MaxFrames> I got the same warnings I was getting before I added the cipher directive to the server
05:30 < MaxFrames> i.e. 'using a vulnerable cipher' and then a couple of automatically applied workarounds to mitigate the impact
05:30 < MaxFrames> sorry I can't paste those warnings now
05:30 < MaxFrames> to all intents and purposes, it looked like the client requested the default cipher and the server did not reject the connection
05:37 <@ordex> MaxFrames: I see..honestly I don't really know how 2.2 handled these cases, but I would guess it should not work. I know it's stupid, but did you restart the server? and are you sure it is connecting to the right instance? can you provide the log of the server with verb 4 ?
05:37 <@ordex> (from startup to client connect with BF-CBC)
05:37 < MaxFrames> I did restart the server and I am sure it's connecting to the right instance
05:38 <@ordex> oky, then the log is what can help at this point
05:38 <@ordex> other than upgrading to something more recent to be sure of what it is doing
05:38 < MaxFrames> ok, I may have to come back another time for this
05:38 < MaxFrames> thanks for now
05:38 <@ordex> np
05:57 < MaxFrames> ordex: if you can help, I am looking at the log generated yesterday, when I purposedly tried to connect with the old client settings
05:57 < MaxFrames> the most relevant entry is this:
05:58 < MaxFrames> Mon Oct  9 21:45:20 2017 x.x.x.x:1413 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
05:58 <@ordex> yeah, but in theory they should not downgrade
05:59 < MaxFrames> followed by this:
05:59 <@ordex> can you paste the entire log around that connection ?
05:59 < MaxFrames> Mon Oct  9 21:45:20 2017 x.x.x.x:1413 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
05:59 <@ordex> yeah, the two exhanged the option string and they found the differences
06:00 <@ordex> actually, was the client working after the connection was "established"?
06:00 < MaxFrames> I will paste the entire log, but can I paste one last line first?
06:00 <@ordex> sure
06:01 < MaxFrames> actually three
06:01 < MaxFrames> they may already be sufficient
06:02 < MaxFrames> Mon Oct  9 21:45:30 2017 ghost-1/x.x.x.x:1413 Authenticate/Decrypt packet error: cipher final failed
06:02 < MaxFrames> Mon Oct  9 21:45:30 2017 ghost-1/x.x.x.x:1413 Fatal decryption error (process_incoming_link), restarting
06:02 < MaxFrames> Mon Oct  9 21:45:30 2017 ghost-1/x.x.x.x:1413 SIGUSR1[soft,decryption-error] received, client-instance restarting
06:03 < MaxFrames> the client openvpn gui gave me the "green light" so I assumed the connection was established, but based on these lines, maybe it was not
06:05 <@ordex> yeah
06:05 <@ordex> likely
06:08 < MaxFrames> here is the complete connection log
06:09 < MaxFrames> https://pastebin.com/GPfXiSqM
06:10 <@ordex> MaxFrames: it is very likely that the client was not working
06:10 <@ordex> these lines look pretty much so
06:10 <@ordex> probably the GUI needed some time to timeout as this will likely fail due to missing ping
06:10 < MaxFrames> ok, red herring then
06:11 <@ordex> :)
06:11 < MaxFrames> while we are at it; by looking at the logs I've noticed that the CA email address is an old one about to be decommissioned
06:11 < MaxFrames> if I change that in the server config, will I break anything?
06:14 <@ordex> well, I guess you need to regenerate the CA, no?
06:14 <@ordex> that means new CA so old certs not valid
06:14 <@ordex> not sure if you can keep the CA while only changing the email...I think you need to redistribute the new CA to everybody at least
06:15 <@ordex> if the old user certs can be kept valid with some trick..dunno
06:17 < MaxFrames> let's reverse the question: apart from the obvious not being able to be contacted on that address, will it be a problem when the email address will cease existing?
06:17 <@ordex> nope
06:17 <@ordex> it's just text
06:17 < MaxFrames> ok
06:17 <@ordex> people even use random data there
06:18 < MaxFrames> the most unfortunate thing looking at the logs is that there are a lot of breaking attempts
06:19 < MaxFrames> I had to use a well known tcp port (https) because our roaming clients were sometimes severely restricted outbound depending on the network they connected to (hotels, airports...)
06:20 < MaxFrames> this means the server is exposed to port scans (but it should be protected by tls-auth)
06:21 <@ordex> yeah
06:21 <@ordex> https is continuosly scanned
06:22 < MaxFrames> we started with udp on a "strange" port, but they often could not connect
06:23 < MaxFrames> so we had to do this, which has another downside with the mtu so it may be slower
07:31 < nbastin> As long as the SubjectName and public key of two certs are the same, they are the same cert
07:32 < nbastin> you can reissue the CA cert with new extensions/email/etc. as long as it has the same SN and public key
08:35 -!- zvirbliukas1 is now known as zvirbliukas
08:51 < StigmaGr> hello there
08:52 < StigmaGr> is there anyway to block specific website folders for openvpn clients for e.g block access to mysite.com/chat
08:52 < StigmaGr> ?
08:55 <@ordex> StigmaGr: openvpn work a much lower layer. it does not do packet inspection, therefore it can't see what's being transported
08:56 <@ordex> *works
08:57 < StigmaGr> so I can't really do anything?
08:58 <@ordex> not at the openvpn layer
08:58 < StigmaGr> iptables?
08:59 <@ordex> you can check. not sure if it does http protocol matching. but maybe with the "string" matcher you can match the URL in the packet
08:59 <@ordex> of course this won't work for https
08:59 <@ordex> another alternative might be to install a transparent proxy, but won't be really transparent to https clients again
09:00 < rob0> no
09:01 < rob0> you really can't count on seeing that string at all, e.g., with https
09:01 < rob0> oh, yeah, like ordex said :)
09:02 < rob0> As for "can't really do anything," we can't answer that, because we don't know why you want to do this.
09:07 < StigmaGr> rob0
09:07 < StigmaGr> i am running the openvpn server an a small company
09:08 < StigmaGr> and many members of that company go and visit various chat sites that should not
09:08 < StigmaGr> from the company network
09:08 < StigmaGr> i wish to deny this sites
09:08 <+hyper_ch> then blacklist those ips of those chat site
09:08 < StigmaGr> the problem is that i dont want the full site to be blacklisted
09:09 < StigmaGr> e.g if i blacklist the ip for www.example.com that is not desirable
09:09 < StigmaGr> i only wish to block members.example.com/chat for example
09:09 < StigmaGr> or chat.example.com
09:09 < rob0> that's only going to be enforceable through a proxy
09:09 < rob0> well, you were typing while I was
09:09 < DArqueBishop> StigmaGr: you need a transparent proxy, then.
09:10 < DArqueBishop> Or a proxy, period.
09:10 < rob0> hostname.example/chat <-- proxy
09:10 < StigmaGr> can't do that because some sites completely block access from proxies
09:10 < rob0> chat.example <-- could be done via DNS possible
09:10 < DArqueBishop> ... no.
09:11 < DArqueBishop> We're talking about putting a proxy server in your local network.
09:11 < rob0> then you are out of luck
09:11 < StigmaGr> DArqueBishop: what do you mean no i have tried proxy before installing openvpn
09:11 < StigmaGr> and sites blocked access because of the proxy
09:11 < StigmaGr> rob0: so there is no other option?
09:11 < rob0> there's no magical way to get what you want
09:11 < DArqueBishop> StigmaGr: you used someone else's proxy server or you used one in your own network?
09:12 < StigmaGr> tried both my own squid implementation with various setups and also used other proxies that company paid for
09:12 < StigmaGr> for all of them in some websites access was blocked
09:13 < DArqueBishop> I find that difficult to believe in the case of the Squid ones, but whatever.
09:13 < rob0> if squid is blocked by sites your users need to reach, sad day for you
09:13 < DArqueBishop> The point is that what you are asking for is ONLY enforcable via a local proxy server.
09:14  * DArqueBishop has NEVER had issues with websites blocking traffic from corporate networks simply because the networks relayed traffic through an on-site proxy server.
09:15 <+hyper_ch> how would the find even figure out that it goes through an on-site proxy...
09:15 <+hyper_ch> s/the/the websites/
09:15 < rob0> Even blocking a whole HTTP site is tricky without a proxy.  You'd have to hijack the DNS for the domain name.  And also redirect your users' DNS lookups to your nameserver.
09:15 < DArqueBishop> hyper_ch: that's what I'm wondering, too.
09:15 < StigmaGr> betting websites that needs to be accessed from always detect and block the proxies
09:15 <@ordex> maybe via user agent? if the proxy is no relaying what it gets from the client
09:16 < rob0> user agent, yes
09:16 < StigmaGr> no in the setups i used i altered the user agent
09:16 < DArqueBishop> "Betting websites"?
09:16 < StigmaGr> yes
09:16 <@ordex> but i could relay the UA of the client (if it was smart enough)
09:16 < StigmaGr> for example bet365.com
09:16 < DArqueBishop> Where the hell do you work that betting websites are explicitly allowed?
09:16 <@ordex> at a betting agency!!
09:16 <@ordex> :D
09:16 < StigmaGr> I am not working there i simply set the server lol
09:16 < DArqueBishop> ordex: ask a stupid question...
09:17 < rob0> hehe, gambling but no chat
09:17 < StigmaGr> but ye its a betting agency
09:17 <+hyper_ch> maybe it's game fixing
09:17 < StigmaGr> they do not gamble the set the various odds etc
09:17 < DArqueBishop> That seems stupid to me.
09:17 < rob0> This all boils down to an attempt to fix a political problem with technology.
09:18 < StigmaGr> i dont know man but the problem is  i used various squid implementations and tested them for with various sources that they where not detectable
09:18 <+hyper_ch> well, some people gamble with cards, others with company shares :)
09:18 < StigmaGr> and the betting sites simply blocked them
09:18 < DArqueBishop> rob0: agreed.
09:18 <@ordex> technology was made to fight politic :>
09:18 < StigmaGr> haha
09:19 <@ordex> StigmaGr: have you been able to understand how it could be blocked? you said the UA was altered?
09:19 < StigmaGr> I am simply at a loss here openvpn was working very good until some labs there simply started to chat there hearts out with various betting site employess lol
09:19 < DArqueBishop> StigmaGr: have you contacted any of those sites and talked to them about it?
09:19 < DArqueBishop> "some labs there simply started to chat there hearts out with various betting site employes"
09:19 < StigmaGr> yes i did the answer from them is that our policy is to deny proxy connections
09:20 < StigmaGr> and didnt give more feedback as to how they detect it lol
09:20 < StigmaGr> DArqueBishop: lads*
09:20 < DArqueBishop> I would suggest to you, then, that you have a much more fundamental problem.
09:20 < DArqueBishop> Perhaps instead of fighting the symptoms, you need to treat the actual root cause.
09:21 < StigmaGr> you mean the employess?
09:21 < StigmaGr> :p
09:21 < DArqueBishop> Make use of those sites, especially to contact betting room employees, a firable offense.
09:21 < StigmaGr> something like ptables -A INPUT -m string --string 'badstring' -j DROP would not work right?
09:22 < rob0> huh?
09:22 < rob0> Again, you cannot see into HTTPS packets.
09:22 < StigmaGr> what if the site's chat is not https
09:22 < StigmaGr> that would work?
09:23 < StigmaGr> most of them are https though but still some are not
09:23 < rob0> Second, that ^^ is insanity unless you limit by protocol and port.
09:23 < DArqueBishop> StigmaGr: again, as rob0 pointed out, you're attempting to apply a technical solution where a procedural one is needed.
09:23 < DArqueBishop> Keep it simple. Apply a policy that says that use of those sites is punishable by termination.
09:24 < rob0> also, see the iptables(8) manual to find out what the INPUT chain will see
09:25 < DArqueBishop> Also, I don't know if you tried it, but Squid does allow for direct connections for certain sites.
09:25 < DArqueBishop> I don't know if it'll work, though.
09:26 < rob0> If you're going to have any hope of doing this as the boss wants (and the boss is dictating technical issues which are not properly understood) you will proceed with squid.
09:27 < rob0> You might need to gain the cooperation of the remote betting sites, also.
09:27 < DArqueBishop> And either way, you need to make it known through policy that the use of those chat sites is strictly forbidden.
09:29 < DArqueBishop> The betting sites should be able to whitelist IP addresses.
09:45 < DArqueBishop> Well, that was someone who needed a strong understanding of networking and security.
09:46 < DArqueBishop> s/strong/stronger/
09:48 < rob0> yes, took a job he wasn't ready to do
09:49 <+hyper_ch> since when is it a requirement to know what you do for getting a job?
09:50 < rob0> heh
10:16 <@ecrist> !logs
10:16 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
10:16 <@ecrist> that was for me.
10:16 <@ecrist> !configs
10:16 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
10:16 <@ecrist> so was that
10:17 <+hyper_ch> !krzee
10:17 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20, or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg, or (#3) location: moon base where he smokes moonajuana, or (#4) takes bonghits on the freeswitch teleconference
10:20 <@ordex> his bnc says auto-away since Oct 3rd
10:20 <@ordex> did it disconnect ?
10:20 < DArqueBishop> [krzee] idle 155:05:26, signon: Tue Oct  3 23:08:38
10:23 < rob0> he was krzie awhile
10:38 < hummerpaskaa> Hi. I am running openvpn on a raspberry and about every day or two or so it seems to lose its ability to resolve DNS records. If I restart the connection, it works well again for another day or two. How can I fix this?
10:40 <@ordex> hummerpaskaa: it depends on what the problem is. it may well be that something is changing your DNS after a day or two and thus it stops working, while resetting your vpn is fixing things
10:41 <@ordex> if I were you I'd try to understand why dns resolution does not work in tha tmoment
10:45 < hummerpaskaa> http://pastebin.centos.org/355286/ thats what my client.log says when it breaks
10:46 <@ordex> hummerpaskaa: you already have the connection that broke because no packets were passing through
10:47 <@ordex> so it does not look like 'just dns' no?
10:47 <@ordex> what do you do to fix it ?
10:47 < hummerpaskaa> I restart the entire openvpn service
10:49 < hummerpaskaa> it might not be the DNS, I might have misunderstood the error messages
11:00 <@ordex> hummerpaskaa: you restart the service on the client?
11:00 < skyroveRR> Heya ordex
11:00 <@ordex> heya!
11:00 < skyroveRR> :D
11:00 < skyroveRR> ordex: I see you're a batman user :)
11:01 <@ordex> skyroveRR: yup. been a maintainer for several years
11:01 < skyroveRR> ordex: can I have a talk with you pm?
11:01 < skyroveRR> * in pm?
11:02 < skyroveRR> ordex:
11:03 <@ordex> ah
11:03 <@ordex> sure
11:03 <+hyper_ch> ordex: in other words, you're stuck being on the maintainer level? :)
11:03 <@ordex> hyper_ch: I basically 'retired'
11:03 <@ordex> I lacked motivation so I dropped my position
11:04 <+hyper_ch> you're taking all the fun out of it :(
11:04 <@ordex> I answer questions every now and then, but I haven't sent a patch in ages..
11:37 < neutr0n> Does anyone have workaround for Egypt blocking openvpn? - https://www.reddit.com/r/VPN/comments/73zc61/openvpn_got_blocked_in_egypt_yesterday_night_and/
11:37 <@vpnHelper> Title: OpenVPN got blocked in Egypt yesterday night, and it was the last protocol working there. : VPN (at www.reddit.com)
11:52 < sla3k> would I go about doing the registry thing, any help would be appreciated, thanks
11:53 < rob0> what registry thing would that be?  This is #openvpn BTW.
11:53 < sla3k> Hi, after upgrading from Windows 7 to windows 10, I am not able to connect to my OpenVPN server. Error being logged in the log file suggests that there is no TAP installed. I searched online and found this: https://social.technet.microsoft.com/Forums/en-US/261392a2-3914-4518-acb4-065a0a635f58/build-10049-breaks-openvpn-there-are-no-tapwindows-adapters-on-this-system?forum=WinPreview2014General Not sure how
11:53 <@vpnHelper> Title: build 10049 breaks openvpn: "There are no TAP-Windows adapters on this system" (at social.technet.microsoft.com)
11:53 < sla3k> would I go about doing the registry thing, any help would be appreciated, thanks
11:55 < sla3k> rob0: keys are messed up here on the keyboard, instead of copying the whole thing, it just copied second line..
11:55 < rob0> np
12:03 < masterkorp> hello
13:33 -!- dionysus70 is now known as dionysus69
16:01 < hehehe> hi
16:01 < hehehe> is there anyway to route only some apps traffic via openvpn
16:01 < hehehe> or ?
16:01 < DArqueBishop> !routebyapp
16:01 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination., or (#2) Alternatively, read up about Policy Routing to make routing decisions based on
16:01 <@vpnHelper> defined policies you set. For Linux, read about !lartc
16:04 < hehehe> !artc
16:07 < hehehe> !artc
16:15 < seanrdev> Im attempting to use openvpn server on my dlink dsr 250 router to access my network and inet connection remotely. When setting up the server there is a section where you place your CA. Upon reading how a CA works its my understanding that best practice you create a root ca and intermediate ca's. When using intermediate ca's a root CA server must be available to verify the intermediate ca. My question is can i just use my r
16:18 < seanrdev> Umm got disconnected...
17:58 < DarkMat> Hi, I am having what I think is common problem, that is I can access to the server but not to the LAN behind the server. I have tried all the solutions I have found on the Internet, but is not working. I have installed the OpenVPN server on Windows 2012 Server R2
18:00 < rob0> !serverlan
18:01 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
18:01 < rob0> ^^ flowchart will help you find the problem
18:04 < DarkMat> thanks, rob0, now I have something else to check.
18:04 < DarkMat> !serverlan
18:04 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
18:05 < DarkMat> !ipforward
18:05 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
18:07 < DarkMat> !winipforward
18:07 <@vpnHelper> "winipforward" is (#1) reboot after enabling it, or (#2) https://support.microsoft.com/EN-US/kb/230082 to enable ip forwarding on windows
18:10 < DarkMat> !route_outside_openvpn
18:10 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
18:11 < DarkMat> !route
18:11 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
18:21 -!- pekster_ is now known as pekster
21:10 -!- nb_ is now known as nb
22:54 < FurousGeorge> hey all
22:57 < FurousGeorge> i want to start a VM backup on a different physical LAN, but have it be reachable on the original LAN.  Both server and client LANs are /24.  In order to accomplish this (and so that it would scale to multiple client subnets) I set up static routes and gateways via the TAP interfaces
22:58 < FurousGeorge> The problem I'm having is that when I restart my router/dhcp client, the routes are not available.  To make it work again I have to enter my routers settings (BSD/pfsense distro) and refresh the gateway that goes through that TAP iface IP.
22:58 < FurousGeorge> I'm asking why this is the case in my router's support forum:  https://forum.pfsense.org/index.php?topic=117489.msg753739#msg753739
22:59 < FurousGeorge> but either the people responding to me are not understanding me, or I am not understanding them.
22:59 < FurousGeorge> Is there some way I can have the VPN client/server set up these routes to my specification?
23:00 < FurousGeorge> If you follow that link, the configs are dumped in  the 5th post down
--- Day changed Wed Oct 11 2017
01:04 < DarkMat> !welcome
01:04 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
01:04 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
01:05 < DarkMat> !goal I want to access my computers behind vpn server
01:09 <@ordex> !serverlan
01:09 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
01:09 <@ordex> DarkMat: ^^
01:16 < DarkMat> thx, sorry, I was not sure y the result was dropped here, now I know it
01:23 <+hyper_ch> zx2c4: is it possible with wireguard to only route special thraffic through the vpn? e.g. everything on port xxx or certain protocolls?
01:29 <@ordex> hyper_ch: I am pretty sure you can do that with iptables and policy routing in combination with what wireguard already sets up on its own
01:29 <@ordex> that's mostly unrelated to wireguard per se
01:38 <+hyper_ch> ordex: you can also do it with openvpn - https://paste.simplylinux.ch/view/45d694fe  if you remember :)
01:39 <@ordex> ah I told you already :D
01:39 <+hyper_ch> I just wondered if wireguard had such an inbuilt function.... I can think of a few cases where you just want e.g. all http(s) traffic to go through the vpn
01:39 <+hyper_ch> or through a specific vpn
01:42 <+hyper_ch> also I need to replace my notebook... there's some hardware defect but I can't figure out what it is :(
01:42 <@ordex> wireguard just takes care of creating a tun interface..it does not care about what you throw in. unless the external script has such helper functionality (but then it would be helpful to make it generic so it can be used in every scenarios)
01:42  * ordex just did the same
01:42 <@ordex> :P
01:42 <+hyper_ch> well, all runs fine
01:42 <+hyper_ch> here
01:42 <+hyper_ch> but when I switch from ext4 to zfs and rsync all the data back, I do get tons of corruption
01:42 <@ordex> I got some main failure. when unplugging the power once or twice it would eventually get mad and throw io errors
01:42 <@ordex> mh
01:42 <@ordex> maybe just the disk?
01:42 <+hyper_ch> so, I thought maybe the ssd is bad.... I tested with  badblocks -w   -- but no errors
01:43 <+hyper_ch> I put windows on it and installed samsung magician
01:43 <+hyper_ch> no error
01:43 <+hyper_ch> even smartctl said eveything is fine
01:43 <+hyper_ch> ok, then I learnt that zfs uses ram more heavy... so I run memtest86+
01:43 <+hyper_ch> the multi mode failed and in failsafe mode no errors were detected
01:43 <+hyper_ch> I then put the ssd into an old notebook tried ssd again - no corruption
01:44 <+hyper_ch> s/tried ssd/tried zfs/
01:44 <+hyper_ch> something is wrong with the notebook but I can't pinpoint it
01:44 <+hyper_ch> someone suggested it might be power supply
01:44 <@ordex> mh
01:44 <+hyper_ch> or that the cpu/cooler paste is dried
01:44 <@ordex> interesting
01:45 <@ordex> hw now is just made to last not too long :P
01:45 <+hyper_ch> so, I can spend countless more hours or just get a new notebook
01:45 <+hyper_ch> currently pondering for a lenovo e570
01:46 <+hyper_ch> can be upgraded to 16gb ram, has a 180gb ssd already in there (not sure if it's m.2 or nvme) and has a bay for a second ssd - like my samsung 850pro
01:46 <+hyper_ch> only intel chip... don't need strong gpu here...
01:49 <+hyper_ch> ok, it's pcie with is the same as nvme right?
01:49 <@ordex> mh not sure
01:49 <@ordex> mine has nvme and has a different driver too
01:49 <@ordex> so I guess ther must be some difference
01:49 <@ordex> about lenovo: I always recommend thinkpad
01:50 <@ordex> series T and X being my favourite
01:50 <+hyper_ch> https://youtu.be/fJCHx7mZEKo?t=287
01:50 <+hyper_ch> the m.2 has two "indents" while nvme only has one
01:51 <+hyper_ch> https://youtu.be/P55IZ-XvnHM?t=180 and here you can see (very badly) that is only has 1 "indent"
01:51 <@ordex> ah speaking about the plug?
01:51 <@ordex> yeah, they are physically different
01:52 <@ordex> 550MB/s vs 2100+MB/s :D
01:52 <@ordex> wow
01:53  * ordex believes he can fly
01:53 <+hyper_ch> yeah, but 1TB nvme costs a tiny bit more than 1tb sata ;)
01:54 <@ordex> I know
01:55 <@ordex> :P
01:55 <+hyper_ch> but having two of those babies in raid1....
01:56 <+hyper_ch> samsung 960 pro 2TB is only like $1200 here
01:57 <+hyper_ch> read 3500MB/s / write 2100MB/s
01:57 <@ordex> hehe
01:57 <@ordex> then you fly for real
01:57 <+hyper_ch> remember back in the day with those 240mb ide hdds? :)
01:57 <@ordex> haha
01:57 <@ordex> when i started playing with PCs we already had 0.5gb
01:57 <@ordex> :P
01:58 <+hyper_ch> oh
01:58 <@ordex> probably the year after what you are talking about
01:58 <@ordex> :D
01:58 <+hyper_ch> well, my first computers as a 086, 12mhz, black/green cga screen, dual 5 1/4 floppy, 512kb ram piece
01:59 <+hyper_ch> then I got upgraded to i486, 4mb ram, vga screen, 3 1/2 floppy, 240mb hdd
01:59 <@ordex> hehe
01:59 <@ordex> supa!
02:00 <+hyper_ch> well, I think that Lenovo E570 looks nice...
02:00 <+hyper_ch> $800 + $60 for another 8gb ram
02:12 <+hyper_ch> I'm really pondering to get that notebook
02:13 <+hyper_ch> https://www.digitec.ch/en/s1/product/lenovo-e570-156-full-hd-intel-core-i5-7200u-8gb-ssd-notebooks-6134925?tagIds=614
02:13 <@vpnHelper> Title: Lenovo E570 (15.6", Full HD, Intel Core i5-7200U, 8GB, SSD) - digitec (at www.digitec.ch)
02:13 <@ordex> go for the X1!
02:13 <@ordex> :D
02:14 <+hyper_ch> the only thing is that in the "basic" version the total ram is limited to 16gb while the "pro" version has max 32gb... but pro version has nvidia which I have no use for and uses a 256gb ssd which I have no use for either at cost of $300 more
02:14 <+hyper_ch> ordex: got a link for the x1?
02:15 <@ordex> nope. you better have a look on lenovo.com. configurations differ from country to country often
02:16 <+hyper_ch> the x1 is more than double the price ;)
02:16 <@ordex> well
02:16 <@ordex> for half the weight and double the power ;)
02:16 <@ordex> hehe
02:16 <@ordex> but yeah
02:16 <@ordex> quite costly
02:24 <+hyper_ch> well, the lenovo weights 1kg more than my current :(
02:27 <@ordex> the Exx?
02:30 <+hyper_ch> yeah... the E570 is like 2.4kg and mine is currently 1.5kg
02:32 <@ordex> yeah 2.4 it's a lot
02:33 <+hyper_ch> got a hp probook g430
02:35 <+hyper_ch> ordex: what notebook do you currently have - if any?
02:36 <+hyper_ch> the probook is 13" and the leenovo would be 15".. it also has a dvd drive that I don't need
02:37 <@ordex> hyper_ch: right now? I just bought a Lenovo X1 Carbon 5th Gen
02:37 <+hyper_ch> :)
02:38 <+hyper_ch> and then you run out of money for a 2 TB samsung 960 pro? ;)
02:41 <@ordex> well, I am good with 1TB only :P
02:41 <@ordex> and hopefully I'll be good for the next 5 years
02:42 <+hyper_ch> I usually expect a notebook to run for 3years
02:42 <@ordex> my last notebook exploded after 3.5years, because of the failure i told you about, but could live longer
02:43 <+hyper_ch> :)
02:43 <@ordex> the previous one lived for 4 years +something, but got stolen :P
02:43 <+hyper_ch> I hope it was encrypted
02:43 <@ordex> I didnot have anything critical on that one
02:43 <+hyper_ch> is that reason to not use encryption?
02:43 <@ordex> but i can tell you the HP I had for a bit while doing the PhD was not going to last more than 2 years
02:43 <@ordex> nope. that is a reason to not worry after it got stolen :P
02:44 <+hyper_ch> the probook here has been rather robust... feel down multiple times...
02:44 <@ordex> :D
02:44 <@ordex> that's a good test
02:48 <+hyper_ch> once it fell onto the corner  https://images.sjau.ch/img/e514eeb9.jpg  https://images.sjau.ch/img/a9326e2d.jpg
02:48 <+hyper_ch> that was like 9 months ago :)
02:49 < tx> why did you keep the sticker
02:49 < tx> ya goof
02:49 <+hyper_ch> why not?
02:49 < tx> looks bad :(
02:49 <+hyper_ch> taking it off requires effort
02:51 <@ordex> lol
02:52 <+hyper_ch> and usually the lid is closed anyway... having external hdmi and vga attached
02:52 <+hyper_ch> 2x24" at home and office
02:54 <@ordex> hehe
02:54 <@ordex> amovie theather
02:54 <@ordex> why do you move it around then :P
02:55 <+hyper_ch> for work
02:55 <+hyper_ch> it's my work notebook
03:12 < P4k3> Stickers are removed before the pc is even turned on the first time :P
03:13 <+hyper_ch> P4k3: why?
03:13 < P4k3> They are ugly?!
03:14 <@dazo> but in this case .... the "Aluminium Reinforced Chasis" on the sticker can easily be confirmed by the damage :-P
03:14 <@dazo> "It survived!"
03:15 <@dazo> (but I agree most stickers a re ugly)
03:15 <+hyper_ch> notebook lid is closed for me roughly 95% of the time ;9
03:16 <@dazo> The stickers which most commonly survives on my laptops is the Intel CPU sticker ... others, and especially particular Windows stickers, are removed with prejudice :-P
03:24 <+hyper_ch> windows one gets removed obviously...
03:24 <+hyper_ch> don't wanna give false impressions
03:30 <@dazo> :)
05:37 -!- abenz_ is now known as abenz
07:29 < Joost> I have a fairly technical question and it may be a bit of a long shot, but I figured there's no harm in trying;
07:30 < Joost> I'm trying to implement an alternative method for providing RSA signatures by modifying ssl_polarssl.c and supplying a different set of functions to ssl_set_own_cert_alt
07:30 < Joost> so far so good; my rsa_sign function gets called at the right moment
07:30 < Joost> however, when I provide a signature, the connection is not succesfully established, and it eventually dies on a generic "TLS key negotiation failed to occur within 60 seconds"
07:31 < Joost> I suspect I may be messing up the format of my RSA signature somehow.. I tried replicating what the management interface RSA-SIGN command does, of which I found some docs at https://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html
07:31 <@vpnHelper> Title: Management Interface (at openvpn.net)
07:32 < Joost> it seems to point to openssl's RSA_sign(..), which seems to give similar output to what I'm providing (i.e. 256 bytes of RSA2048 signature)
07:33 < Joost> perhaps someone more familiar with PolarSSL recognizes these symptoms? any ideas on how to debug?
07:45 < jasonbassett> Hello All
07:45 < jasonbassett> Having a bit of bother with using a .ovpn file with certificates/keys inline.
07:46 < jasonbassett> If I point the .ovpn file to the key and cert files using for example: ca /etc/openvpn/keys/ca.crt
07:46 < jasonbassett> All is well, connects.
07:47 < jasonbassett> If I embed the key/certs inline, I get an error:
07:47 < jasonbassett> "Error: private key password verification failed"
07:47 < jasonbassett> I have successfully does this in the past and appear to be doing exactly the same procedure.
07:47 < jasonbassett> ANy ideas?  No password was created at build-key time.
07:48 < jasonbassett> I get asled for no password in the working configuration.
07:48 < jasonbassett> I want inline to i can easily import into openvpn-connect on the iPad.
07:49 < jasonbassett> asked
08:06 < Joost> related problem: does anyone have a working example that makes use of the management interface for rsa signatures? turns out I'm getting the same error there
10:27 < metaloxide> Salutations
10:27 < zx2c4> hyper_ch: yes it certainly is. super easy to do. wireguard has some special tricks that make that particularly easy actually
10:27 < metaloxide> I am trying to get Linux to use the dns of the vpn server I am connecting to but is not updating to dns servers of the vpn, I read I need a update-conf up/down script to do so..
10:30 < rob0> !dnsmasq
10:30 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
10:30 < rob0> ^^ much better than messing with resolv.conf
10:30 <+hyper_ch> zx2c4: really? how?
10:33 < metaloxide> rob0: Can it be configured to only use the dns servers of that respected vpn connection when it is us and use default otherwise?
10:47 < rob0> why would you care?
10:48 < rob0> (yes, I know, /quit)
10:50 < Dani-hp> Hey Guys, is there a way to stop/take down the vpn connection when closing the terminal window? without having to kill after..
11:02 < Kryczek> Dani-hp: Ctrl+c ?
11:02 < Dani-hp> Ye that's clear
11:02 < Dani-hp> but what if it's closed accidently?
11:02 < Dani-hp> befor hitting ctrl c
11:03 < Kryczek> oh
11:03 < rob0> see --daemon in the manual; if not using --daemon it stays in the foreground.
11:04 < Kryczek> Dani-hp: Ctrl+c is converted to a SIGINT signal, so you can always send that signal yourself too, e.g. with `kill -INT 1234` where 1234 is OpenVPN's process ID, or `pkill -INT openvpn` if you have pkill
11:05 < Kryczek> (note that the latter would send the signal to all processes called "openvpn", in case you have several)
11:05 < Dani-hp> Yeah kill is always an option.. but isn't there a way to directly start the openvpn client with an options that it always quit's when closing the terminal?
11:06 < Kryczek> ah
11:06 < Kryczek> Dani-hp: what rob0 said
11:06 < Dani-hp> but daemon options always backgrounds the vpn no?
11:06 < Dani-hp> as i read in the man
11:07 < Kryczek> what are you trying to achieve?
11:08 < rob0> If you run without --daemon it will close when the spawning shell exits.
11:08 < Dani-hp> for example: /usr/sbin/openvpn --client --config /etc/openvpn/vpn1.ovpn
11:08 < Dani-hp> then i close the terminal without pressing ctrl+c
11:08 < Dani-hp> and the vpn stays open
11:08 < Dani-hp> and doesn't close
11:08 < rob0> If you need that shell for other things you can run openvpn in the background, and still, it will exit with the shell.
11:09 < rob0> We can't see into your config file to see if it includes a "daemon" line.  I bet it does, though.
11:10 < Kryczek> hopefully it includes options like "user", "group" and "chroot" too
11:12 < rob0> --daemon does not actually background the process; it detaches the process from the terminal.
11:13 < Dani-hp> hm ok
11:13 < Dani-hp> i'll take a look at it tomorrow
11:13 < rob0> So when detached, you must send openvpn a signal if you want it to close.
11:13 < Dani-hp> thanks for the hints
11:13 < rob0> yw
11:25 <+hyper_ch> zx2c4: how to do that with wireguard?
12:13 -!- zvirbliukas1 is now known as zvirbliukas
12:23 -!- xemdetia_ is now known as xemdetia
12:39 < halt1> Hi All, I just setup my oVPN server, but yet it's not perfect, I did kind of managed to narrow down the error to the iptable rules on the server, but can't really crack it yet what is really missing ...
12:40 < rob0> we can't either.  Perhaps you should say what you are hoping to do with it?
12:41 < rob0> !goal
12:41 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:41 < halt1> I have a single interface box, and I want to route traffic across the server instead of grant access to inside resources
12:41 < halt1> sorry slow typer, it was on the way, I guess that is my goal, to route my traffic across this ovpn server out to the internet
12:42 < rob0> okay,
12:42 < rob0> !redirect
12:42 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
12:42 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
12:42 < rob0> ^^ flowchart will help you figure out what you need
12:46 < halt1> nice one, ok the redirect gateway tik, but the MASQUERADE is the one missing, just need to figure that one out, and should be golden
12:47 < rob0> !linnat
12:47 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
12:49 < halt1> I got that, just need to convert it back to my iptables rule engine, ( uif ) , once I got that will be back
12:54 < metaloxide> salutations
12:56 < rob0> metaloxide, the point of dnsmasq is that you can always leave resolv.conf alone.  You can have it change its upstream servers if you like.  Or, just stick with 8.8.8.8
12:57 < metaloxide> rob0: can it somehow change the dns servers only when a certain vpn connection is active?
13:03 < rob0> why do you want this?
13:05 < metaloxide> when I connect to company network there are resources that are used that I do not know the IP for.
13:05 < metaloxide> company dns resolves for their id's
13:05 < rob0> "server=8.8.8.8" in dnsmasq.conf will work pretty much anywhere, and if you don't like el Goog, you could run your own resolver on an alternate more on 127.0.0.1
13:06 < metaloxide> example is my workstation at work is mtn-wo-08
13:06 < rob0> okay, did you read the link I gave you?
13:06 < metaloxide> I seen the examples just not sure how I go about doing it all :(
13:07 < rob0> DNS deals in fully-qualified names, not mtn-wo-08
13:07 < metaloxide> Im pretty new to Linux, trying to make the switch 100% from windows
13:08 < metaloxide> when I check on the local at work it also has mtn-wor-08.***.com
13:08 < metaloxide> so full name
13:25 < metaloxide> !dnsmasq
13:25 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
14:00 < goofy__> hi
14:01 < goofy__> i want that openvpn starts at system boot
14:01 < goofy__> how to give pass certificate automatically?
14:02 <+hyper_ch> !auth
14:02 <+hyper_ch> !auth.tx
14:02 <+hyper_ch> !auth.txt
14:02 <+hyper_ch> hmmm
14:03 <+hyper_ch> the certificate is password protected?
14:03 < goofy__> yes
14:03 < goofy__> everytime i connect i need to write password
14:04 <+hyper_ch> just password and not username/password?
14:04 <+hyper_ch> you could remove password from cert though
14:06 < goofy__> hyper_ch is there a way to put cert password automatically?
14:06 <+hyper_ch> never used passwords on certs
14:06 <+hyper_ch> fail to see the reason
14:09 < goofy__> maybe somebody other could answer in a better way
14:12 < metaloxide> rob0: Still around?
14:16 <+hyper_ch> remove password from cert - problem solved
14:31 < rob0> metaloxide, sometimes, but:
14:32 < rob0> !ask
14:32 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
14:33 < goofy__> rob0, can you help me? scroll up to see my issue
14:34 < rob0> goofy__, as hyper_ch said, I would not use a password-protected key if I needed it to start at boot.
14:36 < rob0> Your question would be better dealt with in #your-distro-here, as maybe they can tell you if you can have something give a password to a process in their boot sequence.
14:36 < goofy__> ok
14:37 < rob0> Personally I don't see the point.  If they can read your encrypted key, they can also read the file that feeds the password to it.
14:39 < Kryczek> ideally you would have the private key protected by a Hardware Security Module such as the TPM, a smartcard or a Nitrokey for example
14:53 < metaloxide> rob0: I seen within Network Manager an area to put in DNS addresses for the vpn connection but don't think its actually using them..
14:54 < goofy__> rob0, another strange thing happened:
14:55 < goofy__> i was connected trough ssh to the client i was setting up vpn configuration
14:55 < goofy__> and i stated that when i put this directive, i cannot connect to the ssh again:
14:55 < goofy__> route 192.168.10.0 255.255.255.0
14:56 < rob0> metaloxide, I don't use NM, can't help with it.  I suspect it has some base assumptions that go against my dnsmasq idea, though.
14:56 < rob0> GNU/Linux administration is like perl, in that TMTOWTDI
14:57 < metaloxide> rob0: Im not opposed to dmasq, just not sure how to have it do what I want it to do.
15:03 <@dazo> metaloxide: NM do use the DNS settings provided in the GUI .... but not sure of the order, but I believe they go before the pushed ones
15:03 <@dazo> metaloxide: but there might be other connections having a higher priority which gets set even before the VPN
15:41 < bulle> Im connecting to an openvpn server running openvr, from an android phone running openvpn client. Im geting logs filled with TUN write error: write_some: Invalid argument.
15:41 < bulle> lookin on the internet the common problems seems to be compression being enabled on one side and not ont he other, or having missmatch with tun/tap on either side
15:41 < bulle> but i dont have that, i have tun on both sides and compression enabled on both sides. So what do i look at next
19:05 < tyman001> !welcome
19:05 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
19:05 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
19:05 < tyman001> !route
19:05 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
19:06 < tyman001> !clientlan
19:06 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route
19:06 <@vpnHelper> for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
20:38 < tyman001> !serverlan
20:38 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
20:39 < tyman001> !ipforward
20:39 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
22:12 <@ordex> hi
23:27 < k_sze[work]> Is openvpn time-dependent?
23:27 < k_sze[work]> I mean, do both client and server need to agree about the current time within a certain degree of accuracy?
23:31 <@ordex> k_sze[work]: nope. I think th eonly constraint is that time is used to check if a certificate hasnot expired yet
23:32 <@ordex> so if you are way in the future, you may reject a server certificate because it looks expired, I guess
23:33 < k_sze[work]> ordex: right, but as far as the handshake and key exchange is concerned, I guess the time is not used.
23:34 <@ordex> k_sze[work]: think so too
--- Day changed Thu Oct 12 2017
02:42 <+hyper_ch> !shotgun
02:42 <@vpnHelper> "shotgun" is (#1) the most effective form of physical security, or (#2) <hyper_ch> shotgun security? <EugeneKay> If you try to physically attack my network, I chase you with a shotgun.
04:55 < Buoy172> hello
04:56 < Buoy172> I have OpenVPN on my android device. While it's active, I cannot access a local server on my PC. What can I do?
04:57 < Buoy172> How can I access the local server when the OpenVPN is active?
04:59 < BtbN> if this is a redirecting VPN, you can't do much. Try adding an explicit route for that server on your LAN interface.
05:00 < Buoy172> I have a .ovpn file that OpenVPN uses. Should I edit that?
05:00 < Buoy172> I don't know if it's a redirecting VPN
05:05 < Buoy172> This is what my ovpn file looks like: https://pastebin.com/BBY1Uq2d
05:05 < Buoy172> I've replaced sensitive data with ########
05:05 < Buoy172> Should I edit this file to be able to access a server on my local PC?
05:34 <@dazo> BtbN: just a tip ... at least in "OpenVPN for Android", under "Routing" in a VPN profile, you can select "Bypass VPN for local networks"
06:41 < dob1> hi, if I want to redirect just the traffic to some host via the vpn how can I do this?  for example let's say I want to redirect the traffic to google.com via the vpn, I am using: push "route google.com 255.255.255.0"  but it doesn't work
06:42 <+hyper_ch> zx2c4: *ping* :)
06:44 <+hyper_ch> hmm, this looks interesting - but I wonder what speeds you can get out of it https://www.kickstarter.com/projects/sonnet/sonnet-decentralized-mobile-communication/description
06:44 <@vpnHelper> Title: Sonnet: World's Most Advanced Off-Grid Mobile Mesh Network by Sonnet Kickstarter (at www.kickstarter.com)
06:49 < Kryczek> hyper_ch: awesome! Hopefully they deliver for real :)
06:50 < Kryczek> hyper_ch: seeing that they say it can be used to transmit "voice recordings" rather than "calls" I'd say it's less than 8kbps, maybe even less than 5k
06:51 < Kryczek> still pretty cool for IoT projects
06:54 < havoc> I thought original cell service was only 4k?
06:55 < havoc> ....for comparison
06:56 <+hyper_ch> 4k?
06:56 < havoc> bandwidth/spectrum for voice calls
06:56 < havoc> kbps
06:57 <+hyper_ch> no idea what bandwidth/spectrum they use...
06:57 <+hyper_ch> but if it had decent speed it would be quite nice
06:57 < havoc> none, anymore, I think everything is up around 8kbps now
06:57 < havoc> or higher
06:58 < havoc> a T1 was/is what, 24 64k channels?
06:59 < havoc> w/ 56k for data/voice, and 8k signalling?
06:59 <+hyper_ch> that sounds slow :=
06:59 < havoc> just mentioning it for comparison, as a lot of businesses still use T1's for phones
07:00 <+hyper_ch> poor them
07:00 < havoc> we may even have one or two of them left at some of our offices, somewhere
07:00 < havoc> were a lot of them still, a decade ago
07:00 < havoc> mostly SIP now
07:01 <+hyper_ch> :)
07:02 < havoc> the point is that an old landline was 56k for voice, and original cellular voice was 4k or so
07:02 < Kryczek> havoc: apparently the original https://en.wikipedia.org/wiki/Full_Rate was 13kbps but since then reduced bandwidth while keeping/increasing quality with 4.75kbps to 12.2kbps: https://en.wikipedia.org/wiki/Adaptive_Multi-Rate_audio_codec
07:02 <@vpnHelper> Title: Full Rate - Wikipedia (at en.wikipedia.org)
07:03 < havoc> (assiming I'm not in error about that 4k memory)
07:03 < havoc> Kryczek: ok, so I was "close"? I'm remembering back a few decades here ;)
07:03 < Kryczek> havoc: hehe me too ;)
07:04 < havoc> a lot has changed though; we now have the compact computing power to use higher/better compression codecs
07:06 < Kryczek> I guess it would be nitpicking anyway now that sadly developers do not care for kbps anymore, I've seen some shamelessly ask for 4Mbps (almost as much as HD video) for a simple GUI that was hammering the database server like crazy to check if there was anything new, instead of properly tiered design
07:06 < havoc> no one cares about resource usage anymore :(
07:06 < Kryczek> sorry forgot to type: 4Mbps per client
07:07 < havoc> it's the primary reason I got out of Production (development), and moved into Infrastructure
07:07 < havoc> the worled has Moved On :(
07:07 < Kryczek> :/
07:08 <+hyper_ch> actually, the world circles just around.. it doesn't move on :)
07:08 < Kryczek> haha
07:08 < havoc> me and the other "IT Guy" are always fixing the devs' screwups too
07:08 < Kryczek> hyper_ch: depends on your referential :P
07:08 <+hyper_ch> two IT guys... sounds like The It-Crowd
07:09 <@novaflash> +1 for IT crowd
07:09 < Kryczek> managed by Jen because she knows clicking, double clicking, sending emails, receiving emails...
07:09 < havoc> heh
07:09 <@novaflash> she knows her stuff
07:09 < havoc> never actually watched it, just caught clips here and there online
07:09 <@novaflash> it's pretty funny
07:09 <+hyper_ch> havoc: what do you mean by you never watched it? oO
07:10 < havoc> too much work :(
07:10 < Kryczek> havoc: well worth buying the box set, or it might even be on Netflix
07:12 < havoc> we have hulu/netflix/amazon, it's probably on one of them
07:12 <@novaflash> just eat a harddisk with the episodes on it
07:13 < havoc> working >85hrs/wk right now, going on 5wks now :(
07:13 <@novaflash> then you're enjoying it the way it was meant to be enjoyed
07:13 < havoc> managing this deployment, the one that uses >2,000 ovpn clients
07:15 <+hyper_ch> havoc: and by work you mean  https://xkcd.com/303/  ?
07:15 <@vpnHelper> Title: xkcd: Compiling (at xkcd.com)
07:16 < havoc> no
07:16 < havoc> on the phone >10hrs/day helping people do their jobs out in the field :(
07:16 < havoc> and wrting lots of code (bash/perl/dos/ps1)
07:17 <+hyper_ch> havoc: you mean stuff like that https://github.com/NARKOZ/hacker-scripts  ?
07:17 <@vpnHelper> Title: GitHub - NARKOZ/hacker-scripts: Based on a true story (at github.com)
07:18 < havoc> this system uses UBNT routers as the vpn client, with a NUC, IP printer, and 3 IP cams behind it
07:18 < havoc> vpn is for AD connectivity
07:18 < havoc> scripts handle ovpn provisioning, from the base image I built
07:18 < havoc> "un-provisioned" use duplicate-cn
07:19 < havoc> "provisioned" are all on one of 16 /25's, statically assigned via ccd
07:19 < havoc> everything is as automated as I can make it
07:20 < havoc> this week is a lot of data collection stuff
07:20 <+hyper_ch> then shouldn't your work day be more like 1-2h?
07:20 <@novaflash> he spends a lot of time whining on the phone
07:20 < havoc> hyper_ch: it should be like maybe 6hrs top of coding, but I'm also fielding calls non-stop
07:20 <@novaflash> ;)
07:20 < havoc> and They keep dumping more work on me
07:21 < havoc> "It'd be nice if we could get all the printer ports in use from every machine in the field"
07:21 < havoc> as our field/install techs were NOT properly trained, if they were trained at all, most are temps
07:21 < havoc> so they've been doing the majority of the installs wrong
07:22 < havoc> gah, and the clients are Windows 10, embedded
07:22 < havoc> i.e. our own build
07:23 < havoc> oh, and there are 2+ printers, one is some sort of label printer, but Win 10, by default, "manages" printers, and your Default Printer is the last one used
07:24 < havoc> which is problematic because no one knew about that "feature", and the machine is locked-down; the shell is our app
07:24 < havoc> which assumes a specific default printer
07:24 < havoc> blah blah blah, this is what I've been dealing with :(
07:25 < havoc> but mu vpn setup is working perfectly :)
07:26 < havoc> and that was really my only responsibility on this project
07:27 < havoc> I should have really used perl instead of bash, but the provisioning stuff only needed to run once per client
08:10 < goofy_> hi
08:11 < tyman00> This is probably a stretch, but has anyone set up a VPN using an Asus router and a Gli Mini Router using their built in interfaces for OVPN? I'm getting a connection, the client router and devices to it can see the server lan, but I can only ping the client router and nothing behind it. Not sure if it's the routing on the server side or client side.
08:12 < goofy_> do you know how diffie hellman is involved in openvpn?
08:18 < goofy_> and also, if i do use .conf file, network manager openvpn will ignore that?
08:43 <@dazo> goofy_: DH is used as part of the TLS session setup for the control channel in OpenVPN .... pretty much standard SSL/TLS library implementation
08:44 <@dazo> goofy_: I don't think NM would reject .conf files ... but NM gets cranky if not all the nm-openvpn packages are available .... I have nm-openvpn and -nm-openvpn-gnome packages to have a fully functional integration
09:19 < goofy_> dazo, so, i cannot use .conf files in nm?
09:20 <@dazo> goofy_: you *can* use .conf files in nm ... but you need to import it
09:28 < goofy_> dazo, how?
09:31 <@dazo> goofy_: https://is.gd/TjFWcI
09:31 <@vpnHelper> Title: Let Me DuckDuckGo That For You - LMDDGTFY (at is.gd)
09:32 <@dazo> NM shouldn't care whether the config is .conf or .ovpn ... if it does, rename the file
09:35 < goofy_> dazo, plus, it's not clear how diffie helman is used in openvpn context
09:35 < goofy_> is used to reduce traffic?
09:35 <@dazo> !??!
09:36 <@dazo> You know what the Diffie Hellman algorithm is used for, right?
09:36 < goofy_> generally, with TLS, you sign the firt tls message, and use a less complex key
09:36 <@dazo> no.
09:36 <@dazo> DH is used to derive a shared secret without sending the secret over a public network
09:38 < goofy_> dazo, wait, let me explain to you how i know it works please:
09:38 < goofy_> i have two hosts, one client and one server, each host has a pair of keys, one public and one private
09:39 < goofy_> each host sends its own public key to the other host
09:39 <@dazo> stop.
09:39 <@dazo> https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
09:39 <@vpnHelper> Title: Diffie–Hellman key exchange - Wikipedia (at en.wikipedia.org)
09:39 < goofy_> i know what DH does
09:39 < goofy_> but in this context is not clear
09:40 < goofy_> every host of my vpn already have what is needed, why should i use DH?
09:40 <@dazo> it does *exactly* the same as any SSL/TLS implementation does when a DH/DHE based algorithm is used
09:40 <@dazo> Because you *must*
09:40 <@dazo> An OpenVPN server will not start unless you provide --dh
09:41 <@dazo> actually even httpd or nginx will also use DH ... but in those implementations, if you don't provide your own DH it will use a pre-generated one ... which is what led to the logjam attacks a while ago
09:41 < goofy_> dazo, i don't like to use things randomly, i prefeered to understand how is involved
09:42 <@dazo> so OpenVPN is by default stricter and safer, as it requires you to generate your own DH parameters
09:42 < goofy_> i was explaining you the logic, but you stopped me, and IDK why
09:42 <@dazo> I know quite well how DH works
09:43 < goofy_> dazo, plus, there is another file called ta.key
09:43 < goofy_> WTF it is?
09:43 <@dazo> look up --tls-auth and --tls-crypt in the man page .... both of them can use the ta.key
09:43 <@dazo> (it is generated by: openvpn --secret ta.key --genkey  ..... and it must be identical on both client and server side)
09:46 < goofy_> dazo, to make openvpn client automatically start on boot, i need to use certificates without password?
09:46 <@dazo> yes
09:47 <@dazo> unless you want to enter passwords when booting
09:47 < goofy_> ok, and when i generate server certificates?
09:47 < goofy_> it's the same?
09:48 <@dazo> you can easily remove passwords from any password protected key file .... or vice-versa .... openssl rsa -in $key
09:51 < goofy_> ok
09:51 < goofy_> it's a strange thing where i can't ping an host when i'm over openvpn
09:52 < goofy_> maybe it's a firewall configuration
09:52 < goofy_> it denies pings reply to certain IP
10:10 < tommaso> hey, do you know any VPN service free of charge that I can use with openvpn?
10:10 <@dazo> tommaso: that sounds counter intuitive ... and basically most of the free services really s**k
10:11 <@dazo> nobody gives anything for free, especially not bandwidth and CPU resources
10:12 <@dazo> (meaning: a free service is doing *something* with the data you pass over their so-called free service ... but what they do, that is impossible to guess)
10:13 < tommaso> dazo: atm sg I'd be hapopy with sg that suck
10:13 < tommaso> my data too
10:14 <@dazo> generally, we don't keep an overview over such things here .... this is probably the best VPN overview available though: https://thatoneprivacysite.net/vpn-comparison-chart/
10:14 <@vpnHelper> Title: That One Privacy Site | Detailed VPN Comparison Chart (at thatoneprivacysite.net)
10:15 <@dazo> tommaso: https://www.privatetunnel.com/home/pricing/ ... if this can fit your bill
10:15 <@vpnHelper> Title: Pricing | Private Tunnel (at www.privatetunnel.com)
10:16 < tommaso> dazo: thanks
10:40 -!- gthank is now known as gthank_away
10:40 -!- gthank_away is now known as gthank
11:03 < goofy_> dazo, some providers, like google, gives all for free
11:08 < oajs> Where would I start looking for issues when I see a packet come in on tun10 with tcpdump but my first iptables INPUT rule (no prerouting rules) is to log all packets on tun10 and I don't see it there?
11:08 <@dazo> goofy_: nope .... they harvest and process your data for all their services
11:08 < DArqueBishop> <goofy_> dazo, some providers, like google, gives all for free
11:09 <@dazo> you pay *something* regardless .... I prefer paying with money, others prefer to give away their preferences
11:09 < DArqueBishop> Nothing is free. As the old saying goes, "If you're not the customer, you're the product."
11:09 <@dazo> +1
11:17 <@ordex> 'if you are not paying for a service, you are the product being sold' so true
11:17 <@ordex> :)
11:17 <@ordex> bigG model ;)
11:39 < palate> hello
11:39 < palate> :-)
11:39 <@ecrist> https://samj.files.wordpress.com/2011/11/fremium-model2.jpg
11:39 <@ecrist> !free
11:39 <@vpnHelper> "free" is (#1) http://lifehacker.com/5697167/if-youre-not-paying-for-it-youre-the-product, or (#2) PrivateTunnel does up to 2GB for free... And is operated by OpenVPN Technologies... For what that's worth...
11:40 <@ecrist> !learn free as Nothing is truly free: https://samj.files.wordpress.com/2011/11/fremium-model2.jpg
11:40 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
11:40 <@ecrist> gah, fuck you vpnHelper 
11:40 < palate> :D
11:40 < palate> Do you guys have experience running openvpn in a docker network?
11:41 <@ecrist> !learn free as Nothing is truly free: https://samj.files.wordpress.com/2011/11/fremium-model2.jpg
11:41 <@vpnHelper> Joo got it.
11:42 < palate> I am playing with that. Basically, I want a remote machine to access a docker network. I have an openvpn docker container running, and if I don't change the docker network, then my remote machine can connect (meaning that the setup is fine, somehow)
11:42 < palate> However, when running in a docker network (docker-compose is creating it), then it doesn't work anymore.
11:44 < palate> Ok, let me try to make it more specific ^^
11:47 < palate> So in my server conf file, I set `server 172.30.0.0 255.255.0.0`. And then I have a corresponding iptables rule.
11:48 < palate> When running with docker without a specific network, my container gets ip 172.17.0.3, and here everything works.
11:48 < palate> But when running with docker-compose, which is doing some network setup, my container gets ip 172.20.0.4, and here it doesn't work anymore
11:48 < palate> So what are the things I need to check to understand what is going wrong?
11:49 < palate> For instance, the `serve 172.30.0.0 255.255.0.0` is just setting the ip of the virtual interface, so it could be anything, as long as it doesn't collide with the dhcp server, right?
11:52 < palate> well, I'm not sure I can actually get help with this :-(
11:53 < palate> it has to be a small detail somewhere, but I don't know where to look
11:57 < palate> Is there somebody who could help me debug a simple openvpn server? I really spent time documenting myself on it, but I don't know what to check to see if a vpn server is correctly setup or not (i.e. I don't have experience in debugging that)
14:51 -!- dionysus70 is now known as dionysus69
15:04 < tyman00> !goal
15:04 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:05 < tyman00> !goal I would like to access the lan behind the client
15:09 <+Dougy> you need a vpn for that then
15:09 <+Dougy> wait
15:09  * Dougy re-reads
15:09 < tyman00> I thought the goal command actually had more tidbits like !welcome  :)
15:09 <+Dougy> tyman00: you're saying you want to have a desktop pc, for example, connect and then access the subnet its on?
15:10 <+Dougy> while you're elsewhere
15:11 < tyman00> I have an Asus Router as my OVPN server. I then have a Gli-Net mini router runing Luci as my client and it attaches to switch. Any device on the client LAN can ping and access on the Server LAN.
15:12 < tyman00> However, I cannot ping or access anything on the client lan from the server lan. I'm sure it has to do with routing, but letting these routers use their own OVPN interfaces are tripping me up.
15:19 < DArqueBishop> !clientlan
15:19 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see
15:20 <@vpnHelper> !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
15:25 < tyman00> Thanks. Looks like I'll be hitting the command line.
16:00 <@dazo> tyman00: What you can't do on a command line isn't worth doing
16:05 < tyman00> dazo: I don't disagree. I was just hoping it would be a point and click setup. I'm feeling lazy. Especially since I like to blow the client router back to defaults for testing and proof of concepts with mini routers at work.
16:07 <@dazo> tyman00: heh ... well, that's what you use scripting for, right? ;-)
16:07 < tyman00> psh... you and your logic :)
16:07 <@dazo> :-D
16:09 < tyman00> Honestly, at this point I don't need to access the client lan. I was just being stubborn.
16:10 < |Mike|> lol
16:13 < tyman00> If I am going to really learn OVPN and truly trying this all out, I also need to study up better on routing and I should consider using something a little less consumer grade than a stock Asus RT-AC66U. I'm still not certain the router isn't just stuffing the traffic to the default route or dropping it.
16:18 < |Mike|> what's the router running?
16:18 < |Mike|> dd wrt is available for it ;-)
16:19 < |Mike|> https://www.dd-wrt.com/wiki/index.php/Asus_RT-AC66U
16:19 <@vpnHelper> Title: Asus RT-AC66U - DD-WRT Wiki (at www.dd-wrt.com)
16:19 <@dazo> eeeek
16:19 <@dazo> !dd-wrt
16:19 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN, or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783, or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536, or (#4) And the
16:19 <@vpnHelper> security focus still seems to need improvements: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=279467 (hint: dd-wrt company does not do this effort + no reference to any security fixes)
16:21 < |Mike|> ai! wasn't aware of that!
16:21 < tyman00> I considered it on the Asus. The client router is running GLI's own interface over LuCI on OpenWRT
16:24 < nbastin> ultimately the best option is to get an AP that is just an AP (not a router), and then route it with something more powerful
16:24 < nbastin> dd-wrt doesn't generally support fast-path forwarding even on chipsets that would have firewalling support
16:24 < nbastin> (because they don't have the docs to implement the ACL features, which is not their fault, just a fact of life)
16:25 < tyman00> nbastin: That is the plan. Honestly, I only use the 5ghz on the Asus for devices in the basement. I use some Ubiquiti  equipment for a 2.4ghz AP already.
16:26 < nbastin> tyman00: then you're already pretty well set.. :-)
16:26 < nbastin> I mean can you use the asus as just a bridge?
16:26 < nbastin> then you could still use it, but just as an AP and not as anything more fancy
16:26 < tyman00> I bought their Mini Router to travel with so I can have my own WiFi in hotels and VPN back home to encrypt all my internet traffic. I have that all working, but I couldn't leave well enough alone and decided I wanted to see if I could use something like this to send out to family so I can get into their networks for "support"
16:28 <@dazo> I've actually configured a couple of TP-Link routers to behave like that .... with OpenWRT/LEDE .... just bridge LAN and WLAN, stop DHCP, DNS and all other networking crap (except dropbear/ssh) and don't use the WAN port
16:28 < tyman00> nbastin: I could. I honestly want to forklift it all and start over, but I'll have to wait. I blew my budget on a NAS and VM Server for home.
16:28 < nbastin> tyman00: your VM server can host a router.. :-P
16:28 <@dazo> tyman00: unless you need top-notch speed ... have a look at Onion Omega2
16:29 < nbastin> tyman00: but I feel your pain with family and stuff, I sent them some jetways I had from various funded projects that were left over, but even they are a little pricey
16:29 < tyman00> nbastin: I was waiting for that. I guess I could just do that on the VM and bridge to the Asus for the 5ghz bands.
16:30 < nbastin> tyman00: I mean you could even do a namespace on the vm server with quagga, it's pretty straightforward and a few veths and you'll be set.. :-)
16:31 < nbastin> if it's vmware you'd have to do a vm, which is a little heavy, but it depends on your hardware NIC setup
16:31 < tyman00> nbastin: What are you running? Do you have dedicated hardware or are you running it in a VM?
16:32 < tyman00> dazo: That Omega2 looks like a fun little toy.
16:32 < nbastin> tyman00: my router is running on a C2758 box, but I am running a ton of stuff on it
16:33 < nbastin> it's got 2x10G, 4x1G with a few separate networks running through it
16:33 <@dazo> tyman00: I've actually used it as a portable router with VPN .... it even have to WLAN radios, so it can be wireless client and an access point :)
16:33 <@dazo> *it even has two
16:33  * dazo need to log out :-P
16:33 < nbastin> $ ip link|wc -l
16:33 < nbastin> 82
16:34 < nbastin> tyman00: so, a lot of junk...
16:35 < tyman00> nbastin: Nice. I'm just trying to debate if I should run separate hardware for the firewall/routing and if I should go with something commercially available, like Ubiquiti's Edgerouter
16:35 < nbastin> my parents are using an N2930 which is routing plus openvpn plus privoxy
16:35 < nbastin> wouldn't want to do a lot more, but it handles it fine
16:36 < tyman00> dazo: Nice. That's pretty much what I am doing with the GL-AR150 https://gl-inet.com/ar150/  Again, I just couldn't leave well enough alone.
16:36 <@vpnHelper> Title: GL-AR150 GLI (at gl-inet.com)
16:36 < DArqueBishop> I've considered replacing my Netgear router running LEDE with a Ubiquiti EdgeRouter, but Ubiquiti doesn't support OpenVPN for remote user access without doing adding a json via the command line.
16:37 < tyman00> Good to know. I hadn't researched their VPN options.
16:38 < DArqueBishop> They support OpenVPN, but only for site-to-site connections.
16:39 < nbastin> that sortof makes sense, for their user base
16:39 < DArqueBishop> While my Netgear router is a wireless router, I turned off the wifi and set up a Ubiquiti AP. :-)
16:40 < tyman00> nbastin: Now you really got me thinking. Maybe I should load up something in a VM. Just when I was going to be content with what I had until I really had a need. Thanks a lot ;)
16:42 < nbastin> tyman00: I aim to please.. :-)
16:42 < nbastin> tyman00: I mean if you just need static routing a bare linux vm will do what you want, add tap/tun interfaces for openvpn, blah blah
16:43 < tyman00> Would it be worth my while to run something like pfSense and work from there?
16:44 < nbastin> tyman00: maybe, it can do a lot from the web interface and nice UI, but also a whole new mess if you need to do something it can't do from the UI
16:47 < tyman00> Go ahead and say it.... tyman00: Don't be so lazy
16:47 < nbastin> lol
16:47 < nbastin> allocating one's time is one's own business.. :-)
16:48 < nbastin> doing it by hand is great, but if that's not what you do and you don't have time to do it, it won't get done right
16:48 < nbastin> so do it the way that maximizes your outcome and your available input
16:49 < tyman00> Understood and agreed.
16:50 < nbastin> also https://www.udoo.org/ looks marginally interesting for routers on sticks
16:50 <@vpnHelper> Title: All-You-Need Mini PC Android + Linux + Arduino | UDOO (at www.udoo.org)
16:50 < nbastin> I want someone to make something with that CPU, 2 NICs, ram and flash, no extra crap
16:51 < nbastin> but in the meantime, that looks interesting
16:53 < tyman00> It does look interesting. I get a kick out of their $50 water level sensor. Not overkill at all. https://www.udoo.org/coffee-machine-water-level-detection-udoo-iot-cloud/
16:53 <@vpnHelper> Title: Coffee Machine Water Level Detection with UDOO IoT CLOUD - UDOO (at www.udoo.org)
16:53 < nbastin> lol
16:55 < |Mike|> hahaha
16:55 < nbastin> I do need a bunch of water level sensors, but I need more range than that, so I was just putting floating magnets in tubes with reed switches...
17:03 < tyman00> Gotta roll. Thanks for the insight and chat all.
18:55 < ch1pp0> !welcome
18:55 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
18:55 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
18:58 < ch1pp0> I'm trying to understand the configuration properly. Is the keepalive config directive only necessary to set that on the server-side?
19:30 < ch1pp0> found the manual... :)
20:26 < a1fa> hello.. which setting causes openvpn to "re-ask" for username password?
20:27 < a1fa> renegotiating data channel key?
20:30 <@ordex> hi hi
20:32 <@ordex> a1fa: I believe the pass is asked upon key renegotiation
20:33 <@ordex> a1fa: if you use --auth-nocache it will be re-asked every time
20:37 < a1fa> how does this work with radius+otp?
20:37 < a1fa> set reneg-sec to 0 in this case?
20:41 < a1fa> trying with "reneg-sec 0" on the client side
20:47 <@ordex> that will prevent the renogotiation at all, which is not really good
20:48 < a1fa> what other options would i have withen radius+otp is used?
20:48 < a1fa> s/withen/when/
21:21 <@ordex> I personally don't know much as I haven't played with those
21:22 < a1fa> thanks. i'll know in 15 minutes if this fixes the problem
21:41 < a1fa> dat did it
21:43 <@ordex> a1fa: yeah, but at the cost of not perfmorning any renegotiation at all
21:43 <@ordex> aka using always the same key until disconnection
21:43 <@ordex> that should be fixable without going down that path
21:52 < a1fa> ;) i am all ears ordex
21:53 <@ordex> hehe we should ask dazo
21:56 < a1fa> dazo:
22:00 < a1fa> thoughts
22:06 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in]
22:17 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:17 -!- mode/#openvpn [+o syzzer] by ChanServ
23:45 < FuriousGeorge> hey all
23:46 < FuriousGeorge> where is it that i should be informing the server of the client subnet in order to expose client lan to server lan?
23:47 < FuriousGeorge> this is a tap vpn
23:50 <+hyper_ch> why even use tap?
23:54 < FuriousGeorge> hyper_ch: just playing around with it
23:54 < FuriousGeorge> hyper_ch: basically i want to push a route to the server
23:54 <+hyper_ch> !tunortap
23:54 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
23:54 <@vpnHelper> rooted/jailbroken) support only tun
23:55 < FuriousGeorge> hyper_ch: i know the difference.  i want to use tap here
--- Day changed Fri Oct 13 2017
00:01 < FuriousGeorge> ...
00:02 < FuriousGeorge> can this be done?
00:02 < FuriousGeorge> im pinging the server and I see that it is replying out to the wan.  i know i can increase the netmask /24 -> /8 (or would that be a decrease?)...
00:03 < FuriousGeorge> but I don't want to either statically create the routes or increase the netmask, if there is a way to push the route from the client to the server
01:13 < ponky> what could cause tun-interface to drain tons of power (cause lot of interrupts)? i have multiple openvpn tunnels on my laptop and, for some reason, one of them is using around 5-7W of battery (according to powertop)
01:14 < ponky> keepalive is 1800, tried no data goes through the tunnel, stracing the pid does not show much either
02:22 <+hyper_ch> zx2c4: https://lists.zx2c4.com/pipermail/wireguard/2016-August/000371.html  :)
02:22 <@vpnHelper> Title: [WireGuard] NixOS WireGuard Integration (at lists.zx2c4.com)
03:00 -!- dionysus70 is now known as dionysus69
03:42 <+hyper_ch> zx2c4: can you updated the wireguard documentation? it's wrong for nixos
03:45 <@ordex> ponky: I'd check the log for that tun and see if there is something looping or eating cpu
03:45 <@ordex> if the log does not say much you can try to increase verb
03:45 <@ordex> ponky: you can also first have a look at the traffic with tcpdump to see if there are loops or anything cpu consuming
04:43 < kishmesh> hi. I'm running my openvpn client in the terminal. Usually when coming back from a suspend to ram state the vpn connection is "broken" and doesn't recover. When I try to "kill --signal SIGUSR1" it doesn't reconnect either. All I see is something like "UDP link local: (not bound)". What is the problem? How can I fix this? Preferably I'd like to reconnect without killing the entire process. Cheers.
04:48 <@dazo> a1fa: just saw the scrollback ... if you have --reneg-sec enabled (default is 1 hour), you will be prompted to re-authenticate if you're using --auth-nocache.  If the user/password auth requires OTP, then things gets more complicated
04:48 <@dazo> a1fa: ideally, the authentication plug-in should be improved to generate a session token which is pushed to your client.   If that is not possible, you can consider to use --auth-gen-token on the server side
04:49 <@dazo> a1fa: that will make the openvpn process generate such a token and send it to the client. The downside of this approach is that the auth plug-in will not see any of the re-authentications at all
04:50 <@dazo> a1fa: so if your auth scheme requires to validate each user on each tunnel re-negotiation, --auth-gen-token is not the solution
04:51 <@dazo> a1fa: and the last is resort is to disable tunnel re-negotiation, by setting --reneg-sec 0 ... but the server may override this too, by the server side triggering the re-negotiation and not the client side
04:52 <@dazo> a1fa: and the "cost" of disabling re-negotiation is that the data channel will use a more static session (encryption) key.  With re-negotiation the data channel will get a new session key on defined intervals
04:55 <@dazo> ponky: is the tunnel draining power a tun or tap device?
04:59 < ponky> dazo: tun
05:00 <@dazo> okay, so we can rule out broadcast traffic
05:00 < ponky> i dont see anything going through the tunnel
05:00 < ponky> unless i cause traffic myself, like icmp
05:01 <@dazo> ponky: you've done tcpdump on the tun interface?
05:01 < ponky> yup
05:01 <@dazo> and if you stop this single tunnel and leave the rest running .... the power consumption drops instantly?
05:01 < ponky> yeah
05:01 <@dazo> interesting
05:02 <@dazo> ponky: have you tried starting just this tunnel and disconnect the others?
05:02 < ponky> hm, nope. i can try that
05:03 < ponky> need to wait for the flight to land first though
05:03 <@dazo> just to try to figure out if it is the something on the openvpn side, or something on the tun driver side when more tunnels are running
05:03 <@dazo> sure
06:39 < michchap> hello. I'm trying to follow some instructions for setting up a virtual switch appliance, and it mentions I should run 'sudo openvpn --mktun --dev mytap0' but I'm getting the following error in response: 'I don't recognize device mytap0 as a tun or tap device'. Am i missing something obvious?
06:48 < |Mike|> michchap: yep!
06:48 < |Mike|> !howto
06:48 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
06:50 <@dazo> michchap: --dev-type
06:50 <@dazo> btw ... avoid dev-type tap ... prefer tun if you can
06:51 < michchap> dazo: thanks!
06:53 < michchap> dazo: is that now a required parameter for mktun?
07:16 < a1fa> dazo: how bad is the fact that the session will not renegotiatie data keys every hour?
07:16 < a1fa> my max session is set to 1d
07:17 < a1fa> how much can theoretically be recovered in 24h?
07:54 <@dazo> michchap: you need --dev-type when --dev does not start with tun or tap
07:54 -!- abenz_ is now known as abenz
07:55 <@dazo> a1fa: if someone is capable of retrieving the session encryption key, it can decrypt any packets transmitted within the lifespan of that particular time window .... so if you have --reneg-sec set to 86400 (1 day), anything transmitted within that day can be decrypted
07:56 <@dazo> a1fa: which is why it's recommended to have more frequent renegotiations
07:59 < a1fa> heh... im stuck between a rock and hardplace
07:59 <@dazo> :)
07:59 <@dazo> a1fa: do you manage the server?
08:00 < a1fa> yeah -- but it's built into mikrotik.. very limited setting changes
08:00 < a1fa> mikrotik <> radius w/ otp
08:00 <@dazo> eww ... okay .... so, it is most likely not an openvpn 2.4 server running on it, right?
08:00 < a1fa> the reneg-sec 0 worked on the client
08:00 < a1fa> dazo: probabl something in 2.x.x
08:01 < a1fa> i can check their release notes
08:01 < a1fa> you dont get access to the config at all
08:01 < a1fa> you basically get to set cipher, and auth, and ip pool and thats it
08:01 <@dazo> alright ... that's bad
08:02 < a1fa> it's not ideal
08:02 < a1fa> and on radius side there is no caching
08:02 < a1fa> i mean on mikrotik to radius.. there is no caching
08:02 <@dazo> the --auth-gen-token could otherwise have been a good way for you
08:02 <@dazo> right
08:03 < a1fa> i think i am going to have to redesign this
08:03 < a1fa> in favor of web based authentication, that generates access tokens for mikrotik  <> openvpn; and then drops them when someone logs out
08:04 < a1fa> so i could do ouath2+mfa
08:05 < a1fa> always compromises ;)
08:05 <@dazo> or you could move the openvpn server to a box where you can fully manage the config ;-)
08:06 <@dazo> (have it in a dmz or so)
08:08 < a1fa> more machines to manage, i suppose
08:38 < a1fa> dazo: radius plugin does not get bundled with openvpn server?
08:39 <@dazo> a1fa: nope
08:39 < a1fa> didnt think so
08:39 < a1fa> the ldap is the only official plugin, right?
08:39 <@dazo> a1fa: and there exists several versions of it on the net .... even not sure which one they would ship, or if they even use one of those
08:39 <@dazo> nope, neither that one
08:40 < a1fa> ah
08:40 <@dazo> we are starting a process to review both radius and ldap plugins and put them under our "umbrella" .... but we've just recently started digging into that
08:41 < a1fa> ya; the access-server; does it -auth-gen-tokens or?
08:41 < a1fa> does its otp plugin actually work?
08:41 <@dazo> access server .... hmmm good question ... novaflash ^^^
08:41 <@dazo> I haven't tested AS myself, but novaflash is the official AS support guy ;-)
08:42 < a1fa> coo'
08:51 < zx2c4> hyper_ch: what do you mean?
08:52 <+hyper_ch> zx2c4: it needs to be    config.boot.kernelPackages.wireguard   and not     cf.boot.kernelPackages.wireguard
08:52 <+hyper_ch> zx2c4: it needs to be    config.boot.kernelPackages.wireguard   and not     cfg.boot.kernelPackages.wireguard
08:52 < zx2c4> oh thanks!
08:52 < zx2c4> cfg-->config
08:52 < zx2c4> okay
08:53 < zx2c4> fixed.
08:54 <+hyper_ch> so, could I route all http/s traffic through wireguard?
08:55 < zx2c4> sure no problem
08:55 <+hyper_ch> how? with wireguard or iptables?
08:55 < zx2c4> both?
08:55 < zx2c4> bunch of different setups possible for this
08:56 <+hyper_ch> how would I do it?
08:56 < zx2c4> you can simply use network namespaces and put your web browser in  the wg one
08:56 < zx2c4> you can also use ip-rule and fwmark with iptables to set those marks
08:57 <+hyper_ch> network namespaces?
08:58 <+hyper_ch> **google**
08:58 < |Mike|> it's friday hyper_ch, relaaaaaaaaaaaaaaax :-)
08:59 <+hyper_ch> that's time to hurry :) so that things run on the weekend ;)
08:59 <+hyper_ch> reading now up on network namespaces
09:03 <@novaflash> dazo?
09:04 <@dazo> novaflash:
09:04 <@dazo> <a1fa> ya; the access-server; does it -auth-gen-tokens or?
09:04 <@dazo> <a1fa> does its otp plugin actually work?
09:04 <@novaflash> i have to look up with --auth-gen-tokens does
09:04 < zx2c4> hyper_ch: https://www.wireguard.com/netns/
09:04 <@vpnHelper> Title: Routing & Network Namespaces - WireGuard (at www.wireguard.com)
09:04 <@dazo> novaflash: actually, when I think about it .... that's a v2.4 feature
09:05 <@novaflash> well then obviously it wouldn't support it ;)
09:05 <@dazo> not currently :)
09:06 <@novaflash> not until the next release is out, indeed
09:06 <+hyper_ch> zx2c4: nice example, thx
09:06 <+hyper_ch> back to getting rt-ps to run on nixox
09:08 <@dazo> novaflash: but AS supports OTP based authentications, right?  RADIUS integration?
09:08 <@dazo> (a1fa might appear later on and then he'll get a few answers :))
09:10 <@novaflash> i think so yeah but that's handled through radius protocol
09:12 <@dazo> oh, that was two questions actually :)
09:14 <@novaflash> sorry, i'm all out of answers
09:14 <@novaflash> so access server supports OTP through challenge/response
09:14 <@novaflash> one example of this is the built in support for google authenticator
09:14 <@novaflash> but any system can be added by programming a post_auth python script
09:19 <@novaflash> for example there's duo security
09:19 <@novaflash> they work with text messages, an app, tokens, and so on
09:19 <@novaflash> they have a script that loads into access server that takes care of that stuff and drives the challenge/response
09:52 < a1fa> novaflash: how does access-server handle otp reauth?
09:52 < a1fa> novaflash: does the server config do auth-gen-token? or is there some other mechanism
09:53 < a1fa> i've had the 1 user thing working with access server; ldap+otp
09:53 < a1fa> dont remember it disconnecting or asking for username+password every hour
09:54 <@novaflash> no auth-gen-token is apparently an openvpn 2.4 feature which is not implemented in access server just yet
09:54 <@novaflash> otp reauth isn't handled at all at the moment as far as i know
09:54 <@novaflash> authentication is only at the sign in phase
09:55 <@novaflash> after initial authentication is approved, you are given a session token
09:55 < a1fa> hm.. so if you are using otp with access-server; does it set reneg-sec to 0
09:55 <@novaflash> the session token has a limited lifetime. usually 24 hours. this can be adjusted.
09:55 <@novaflash> that's another setting entirely
09:55 < a1fa> but the encryption key stays the same?
09:55 <@novaflash> that's the refresh of the tls key used for encryption.
09:55 <@novaflash> that's something entirely different from an otp
09:55 < a1fa> i understand - here is my problem
09:56 <@novaflash> the encryption key on access server by default refreshes every 6 hours
09:56 < a1fa> if i use openvpn+radius, when reneg comes to happen, i am asked for username+password
09:56 < a1fa> novaflash: and; do you get asked for username+otp after 6hours? or is there some backend magic that makes it work?
09:57 <@novaflash> by default when you connect, you are asked for authentication. once you get through authentication, you are given a session token instead. it is valid for 24 hours by default.
09:57 <@novaflash> every 6 hours the encryption key gets refreshed. to do the refresh, the session token is presented.
09:57 <@novaflash> these values are adjustable
09:57 < a1fa> ok.. so its kind of like "auth-gen-token" from 2.4
09:58 <@novaflash> i don't know, it's a function i am not yet familiar with
09:59 <@dazo> <novaflash> after initial authentication is approved, you are given a session token
10:00 <@novaflash> yes i said that
10:00 <@dazo> novaflash: a1fa ^^^ That is the alternative to --auth-gen-token .... so AS don't need --auth-gen-token then
10:00 <@novaflash> so is that what that feature is but then for open source?
10:00 <@novaflash> ah i see. okay.
10:00 <@novaflash> very good
10:00 < a1fa> yep
10:00 < a1fa> got it
10:01 <@novaflash> dazo, may i kill all humans now? i've been a good AI haven't I?
10:01 <@dazo> so that means re-negotiations will work as it should, no need to re-authenticate
10:02 <@dazo> novaflash: nah, you'll get bored by the uniformity
10:02 <@novaflash> you never let me do anything
10:02 <@dazo> lol
10:04 < a1fa> i think mikrotik uses 2.3.11
10:06 < a1fa> i am going to try regen-sec 30 and remove auth-nocache
10:06 < a1fa> lets see what happens with that
10:08 < a1fa> 30s :) let's see what happens
10:09 <@novaflash> kaboom
10:09 < a1fa> whats worse? chaching creds in memory *if it even works* or not rekeying?
10:09 <@novaflash> depends a bit on how long the sessions last and what cipher is used
10:10 <@novaflash> but yeah normally you would rekey regularly
10:10 < a1fa> aes-256-cbc/sha1
10:11 <@novaflash> and is this on 24/7? or does it only last a few hours?
10:11 < a1fa> max session time is 24h
10:11 < a1fa> so nothing happened with #auth-no-cache and -regen-sec 30
10:11 < a1fa> session is still up
10:12 <@novaflash> well then i'd say you're reasonably secure and not rekeying isn't THAT much of a big deal. it would be a"nice to have" thing in my opinion.
10:12 < a1fa> does rekey make a log entry by default?
10:12 <@novaflash> i think it does, yes
10:12 <@novaflash> you could check it on the server side too
10:13 <@novaflash> by the way
10:13 <@novaflash> isn't it reneg-sec ?
10:13 <@novaflash> as in, renegotiate
10:13 <@novaflash> not regen-sec an in regenerate
10:13 <@novaflash> as in *
10:13 < a1fa> renegotiate
10:14 <@novaflash> right so if you have --regen-sec 30
10:14 <@novaflash> that won't actually do anything right?
10:14 < a1fa> its supposed to renegotiate after 30s
10:14 <@novaflash> reGeN-sec
10:14 <@novaflash> vs
10:14 <@novaflash> reNeG-sec
10:14 < a1fa> --reneg-sec n
10:14 < a1fa> Renegotiate data channel key after n seconds (default=3600).
10:15 <@novaflash> yes
10:15 <@novaflash> but you wrote: -regen-sec 30
10:15 < a1fa> typo
10:15 < a1fa> only in this window*
10:15 <@novaflash> ok just checking
10:15 < a1fa> reneg-sec
10:16 < a1fa> just checked the config.. i'll go bump the verbosity to 5
10:16 < a1fa> nothing happened, nothing got logged
10:16 < a1fa> does the server set minimum window?
10:17 < a1fa> so if i set 30, and server has 3600 *default*; do i default to 3600?
10:17 <@novaflash> some options can be pushed from the server to the client
10:18 <@novaflash> so it's possible that it's being overwritten i suppose
10:18 <@novaflash> i always change settings for access server within access server
10:18 <@novaflash> not at the client side
10:18 <@novaflash> it's in the Advanced VPN page
10:19 <@novaflash> i think there's also a way to not implement certain things pushed by a server
10:19 <@novaflash> --pull-filter accept|ignore|reject text
10:19 <@novaflash> Filter options received from the server if the option starts with text.
10:19 <@novaflash> i think is it
10:20 <@novaflash> but i think that's a 2.4 feature only
10:22 < a1fa> yeah - i have very limited access to openvpn config
10:22 < a1fa> its pretty much - change cipher and auth, and thats it
10:23 <@novaflash> ? don't you have openvpn access server then?
10:23 < a1fa> *had*
10:23 <@novaflash> ah
10:23 < a1fa> could not afford the champgne on a miller light budget
10:24 <@novaflash> like making love in a canoe
10:24 <@dazo> it is --reneg-sec X
10:24 < a1fa> yeah - it's set in config
10:24 <@novaflash> yes dazo, dear, we know
10:24 <@dazo> I just saw --regen-sec soooo many times here  now :)
10:25 <@novaflash> yeah he typed it in the chat too ;)
10:25 < a1fa> < baddie
10:25 <@novaflash> hence the whole discussion but it was just a brain fart on his side here in the chat
10:25 <@dazo> ahh, that's the smell I noticed
10:25 < a1fa> im using two separate computers
10:26 < a1fa> so flipping between the two w/o copy and paste
10:26 <@novaflash> you make a horrible clipboard
10:26 < a1fa> ;X job failz
10:26 <@dazo> and yes, --pull-filter (and --push-remove) are v2.4 specific
10:26 < a1fa> you had one job!!! copy & paste! and you failed at both
10:26 <@novaflash> :-D
10:26 <@novaflash> it's okay
10:26 <@novaflash> my brain fails me all the time
10:26 < a1fa> so nothing happened
10:27 < a1fa> reneg-sec 30; #auth-nocache commented out
10:27 < a1fa> i need to increase verbosity; or wait an hour to see this thing fail
10:27 < a1fa> which one is lesser of two evils?
10:27 < a1fa> i think leaving creds in memory is bad
10:27 < a1fa> more bad than renegotiating tls
10:27 <@dazo> with --reneg-sec 30 .... you should have had several renegs by now
10:28 < a1fa> or "moar baddeh"
10:28 <@dazo> but I'd recommend 1 hour generally
10:28 <@novaflash> yeah. dazo, i wonder, if the server pushed another reneg-sec value, would that override the client's set value?
10:28 < a1fa> let me --auth-nocache --reneg-sec 30
10:28 < a1fa> lets see if that breaks it
10:28 <@novaflash> and perhaps the value is too low. try 5 minutes
10:28 <@novaflash> so 300 seconds
10:28 <@dazo> novaflash: I believe both will be active
10:28 < a1fa> i am just trying to expedite breakage
10:28 < a1fa> ^
10:28 <@novaflash> dazo: i thought the same myself but seeing his results.. hm.
10:29 <@dazo> --reneg-{sec,bytes,packets} should trigger the SIGUSR1 signal locally
10:29  * dazo double checks some log files of his own
10:30 < a1fa> ok auth-nocache set, verb 5; reneg-sec 30
10:31 < a1fa> it broke within 30s
10:31 <@dazo> okay, so the radius plug-ins allows reusing the otp token from the initial auth
10:33 < a1fa> yep
10:33 < a1fa> looks like it
10:33 < a1fa> authrrrrr
10:33 <@dazo> --reneg-* options are _not_ pushed ... and they cannot be extracted from the OCC packets AFAIR .... so both sides have their own individual counters
10:33 < a1fa> so here is the latest
10:33 <@novaflash> no need to yell at us chewbacca
10:33 < a1fa> #auth-nocache; verb 5; reneg-sec 30
10:33 < a1fa> i see renegotiations happening every 30s
10:33 <@novaflash> dazo: ah cool thanks for clarifying that
10:33 < a1fa> so there you go
10:34 < a1fa>  work around at the expense of memorizing password
10:34 < a1fa> which is more evil? not rekeying, or leaving the password in memory?
10:34 <@dazo> not rekeying is far worse
10:34 <@dazo> memory cached passwords are only available in the memory of your own client
10:35 < a1fa> unless malware scrapes memory :X
10:35 <@dazo> using the same encryption key over an insecure network is visible to anyone who can sniff the packets
10:35 <@novaflash> so in essence your client would have to be compromised already to get the stored password
10:35 <@novaflash> but then the data is compromised already
10:35 <@dazo> exactly
10:35 < a1fa> ;) well thank you gentlemen
10:35 < a1fa> or maybe ladies
10:36 < a1fa> hard to tell over irc
10:36 <@novaflash> i mean why infiltrate a system to read the password of an encryption stream... when you can just read the unencrypted data directly lol
10:36 < a1fa> :X
10:36 <@dazo> :)
10:36 <@novaflash> i am a very large fat ugly bearded woman
10:36 < a1fa> hot
10:36 <@novaflash> and i am triggered that you would assume my gender
10:36 <@novaflash> omg
10:36 <@novaflash> j/k take care
10:36 < a1fa> just kidding ;)
10:36 < a1fa> of course.. keeping it professional :)
10:37 < a1fa> well this will make me sleep better at night :)
10:37 <@novaflash> wham bam thank you ma'am here's 50 dollars?
10:37 < a1fa> tip jar?
10:37 <@novaflash> just the tip
10:37 <@novaflash> okay enough bantering i got things to do :)
10:37 < a1fa> oh-btw, i am the guy thats using openbsd openvpn client in a different routing domain
10:38  * dazo vaguely remembers some patches ages ago .... which needs to re-surface at some point
10:39 < a1fa> the trick is to start it rdomain 0
10:40 < a1fa> in rdomain 0; but configure tun device in a different domain ;)
10:40 < a1fa> brb meeting
11:51 < kixa> Hiya, I just upgraded my server and clients to v2.4.4 from the stock Ubuntu version, but now when any of my static clients connect, I get this in the logs: `Error: ??? prefix is expected rather than "174.30.0.X/-1`, which follows `/sbin/ip addr add dev tun0 174.30.0.X/-1 broadcast 255.255.255.253`
11:52 < kixa> (Where X is the IP assigned in ccd to the client cert)
11:53 < kixa> I figure it must be related to ifconfig-push since it's fine if I default back to an ip pool, so has the syntax changed? -1 doesn't seem too great as a CIDR prefix
12:31 -!- mack-- is now known as mack-
13:10 < Gajasurve> anbody there?
13:24 <@dazo> Perhaps we should reject users using web/freenode/ again .....
13:24 < rob0> heh
13:28 < PermaNull> !welcome
13:28 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
13:28 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
13:36 < PermaNull> I know this isn't the windows specific chat but is there any known fix for Windows/Openvpn server not assigning the tap adapter an IP (169.xx.xx.xx), I've tried adding route-method exe and a route-delay I don't see any errors in logs besides a warning about the gateway not being routeable I'm assuming due to the interface not getting the appropriate IP.
13:56 < vasundhar> In case I want to use remote-random directive, along with dhcp-option directive on client configuration, Do I have option to tie a specific DNS for set of remote servers and seperate DNS for other set ?
14:13 < PermaNull> bah no idea why but chaning it from tun to tap solved my issue....
14:13 < PermaNull> after adding static routes to my firewall for the vpn subnet I can communicate with other devices as well.
14:14 < PermaNull> !1925
14:14 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
14:14 < PermaNull> !tap
14:14 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the
14:14 <@vpnHelper> protocol uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
14:14 < PermaNull> !tunortap
14:14 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
14:14 <@vpnHelper> rooted/jailbroken) support only tun
14:41 < PermaNull> ehh, I still don't get why tap works vs tun in my configuration.
14:41 < PermaNull> I get how the routing works, watched shit with wireshark... traffic just wouldn't route properly until I used tap.
15:13 < kishmesh> hi. how to properly get openvpn client to reconnect upon waking up machine from sleep? I'm sending "SIGUSR1" ... but reconnect does not really happen, instead I see "UDP link local: (not bound)"
18:03 < franky-> haha. my problem is absolutely a firewall.
18:37 < |Mike|> Morning!
19:43 < Eugene> !beer
19:43 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
20:34 < sunrunner20> how do I change what fields openVPN sends to RADIUS?
21:09 < kishmesh> openvpn --mktun creates a persitent tunnel. how can I verify who the owner (user/group) of the tunnel is?
22:06 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:17 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:17 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Sat Oct 14 2017
07:02 -!- dionysus70 is now known as dionysus69
07:31 -!- zvirbliukas1 is now known as zvirbliukas
08:06 -!- zvirbliukas1 is now known as zvirbliukas
12:02 -!- zvirbliukas1 is now known as zvirbliukas
12:50 -!- dionysus70 is now known as dionysus69
15:13 -!- nocaberi is now known as Bock
17:11 < rad1928> hi
17:11 < rad1928> can i get some help on routing
17:12 < rad1928> i have a point to point working
17:12 < rad1928> but i'm having some issue accessing the private vlan in the back
17:12 < rad1928> so i'm having issue understanding how to properly expand the server subnet
17:12 < rad1928> to allow access from openvpn clients
17:13 < rad1928> if i want to access say a server on the server subnet in the 192.x.x space, what types of routes do i need to add to the server side
17:27 < Kryczek> rad1928: there are two ways of doing it:
17:28 < Kryczek> rad1928: either you have your VPN gateway impersonate all your clients, like a NAT but towards your internal network, in which case you do not need to tell the destination servers about the clients
17:29 < Kryczek> rad1928: or you have to configure routes on the destination servers so that they know that, to repond to packets they have received from your VPN clients (through the VPN gateway), they have to send the responses towards the VPN gateway
17:30 < Kryczek> (well actually there is a third way, but it's tricky: making VPN clients appear as though they are physically in the LAN, e.g. with 192.168.x.x addresses in your example)
17:42 < KookyMan> Have what may be a simple question.  The initial certificate with a given bit size.  Is that key used for inital connection, and then uses a different key for the ongoing communication, or is that keylength used for all communication?
18:20 < dvds> hello world
18:22 < dvds> A couple of days ago I had a question
18:22 < dvds> 18:32 < dvds> it looks like my "new" android 7 phone is very keen on killing openvpn connect as soon as I look away, even though I took it out of the "battery optimizations"... is anyone familiar with the issue?
18:22 < dvds> So, just in case someone is keeping and searching logs around here...
18:23 < dvds> The answer is to look for the "protected apps"
18:23 < dvds> So install openvpn connect, go into battery -> battery optimization -> disable for openvpn, and then configure it as protected app
18:23  * dvds is happily having a working tunnel now
18:58 < KookyMan> dvds - I never had a problem with it on 7.
19:14 < dvds> KookyMan: ok, mine kept getting killed, and didn't restart with the phone... it was weird
19:15 < dvds> I guess it's good that it was a glitch, and not some systematic problem
19:18 < KookyMan> now I'm on Oreo, but have a battery issue
19:21 < dvds> I see...
19:21 < dvds> good luck :-)
20:09 < catbeard> hey duders
20:11 < catbeard> so need some advice on how to setup redundant employee access vpns across the pond with routes into both networks via push "route" and iroute
20:12 < catbeard> or would that be more -as
20:14 < catbeard> basically the goal is to filter the ssh gateways we have to vpn subnets, and be able to ssh from either location to private lans in either datacenter
21:51 <@ordex> aloha
--- Day changed Sun Oct 15 2017
03:39 -!- zvirbliukas1 is now known as zvirbliukas
04:45 -!- zvirbliukas1 is now known as zvirbliukas
05:28 -!- dionysus70 is now known as dionysus69
06:05 -!- zvirbliukas1 is now known as zvirbliukas
14:36 < user321az> is there a way.. i can get the openvpn gui to change config file servers, every x minutes?
15:00 < Poster> That would be more of an OS question, you'd probably be better off keeping a lot TTL updating DNS pointing to your target systems periodically
15:01 < Poster> but ahead of all that, what is it you're actually trying to accomplish?
15:01 < user321az> i want my openvpn gui to incrementily<sp> switch between openvpn config files
15:01 < user321az> thus changing ip's
15:01 < Poster> no that is a solution to something else, what is the problem?
15:03 < user321az> i want my openvpn to switch config files in order to rotate ips on my vpn
15:03 < Poster> what is it you want to accomplish by rotating IP addresses?
15:03 < Poster> do you want load balancing?
15:04 < user321az> different ip
15:04 < Poster> what does the different IP get you?
15:04 < user321az> a different ip
15:04 < Poster> ok nevermind, best of luck
15:04 < user321az> I put it rather simple!
20:40 < s3nd1v0g1us> Is there a way to force openvpn to stay open. Every hour my connect fails and then reconnects.
20:42 < s3nd1v0g1us> Is it a config issue?
20:42 < s3nd1v0g1us> Or because my host clock differs from my ip location?
21:02 <@ordex> s3nd1v0g1us: there can be tons of reasons
21:02 <@ordex> a good starting point is to look at the logs
21:02 <@ordex> !logs
21:02 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
21:14 < s3nd1v0g1us> I think it might have been my firewall. Im makimg sure now before posting the log next.
21:16 < s3nd1v0g1us> Hmm. Now im hetting tomeout issues.
21:16 < s3nd1v0g1us> Getting
22:22 < s3nd1v0g1us> It asks me every hour to reauthorize the user/pass. Why? Is there a way to circumvent it?
22:41 < s3nd1v0g1us> Will keepalive and reneg-sec fox rhe issue?
22:41 < s3nd1v0g1us> Fix the*
22:45 < s3nd1v0g1us> Do i need to create a certificate?
22:59 -!- abenz__ is now known as abenz
--- Day changed Mon Oct 16 2017
00:21 < SimpleName> good afternoon
00:23 <@ordex> s3nd1v0g1us: usage of certs does not exclude the use of a password
00:24 <@ordex> s3nd1v0g1us: if you use auth-nocache the user/pwd is wiped and thus re-asked everytime
00:36 <+hyper_ch> ha, https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
00:36 <@vpnHelper> Title: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping | Ars Technica (at arstechnica.com)
00:36 <+hyper_ch> another reason to use use vpns everything
00:42  * ordex is waiting for the official announcement
00:43 <@ordex> they will disclose more details today
00:44 <+hyper_ch> are we all gonna die?
00:44 <@ordex> nah
00:44 <@ordex> can't be worse than what we had so far :D
00:44 <@ordex> wifi has always been broken :P
00:44 <+hyper_ch> but we're all constantly dying... roughly at a speed of 1s/s
00:45 <@ordex> :D
00:45 <+hyper_ch> although, there are some reports from dudes a few years back somewhere in the middle-east that came back after dying...
00:45 <+hyper_ch> but maybe that's just fake news
00:46 <@ordex> you never know
00:50 <+hyper_ch> so gotte get to work now
00:51 <+hyper_ch> and then I can test wireguard's speed
03:04 -!- SerusWor1 is now known as SerusWork
06:48 < erm3nda> Hi. I am becoming crazy to put openvpn to work as i expected
06:48 < erm3nda> i can import ovpn file, then everything is tunnelled, internet works. but
06:48 < erm3nda> i want only to create the network, not to tunnel. I have been tried lot of configs at client, but no one worked
06:49 < erm3nda> i am using openvpn at android, using "OpenVPN for Android" software. I used others and worked for internet, but i can't hit the key for make it only for private network
06:50 < erm3nda> i tried exception, custom routes, etc
06:50 < erm3nda> i won't change server config, just to configure a client to don't tunnel all traffic to vpn
06:50 < erm3nda> any help higlhy appreciate. thanks
07:01 < erm3nda> HI :-/
07:01 < erm3nda> need help to disable internet redirect through openvpn tunnel
07:05 <+hyper_ch> !def1 > erm3nda
07:05 <+hyper_ch> !def1
07:05 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
07:08 < erm3nda> hyper you mean to edit server cnfig option push "redirect-gateway def1"
07:08 < erm3nda> i wont touch server cnfig
07:09 < erm3nda> i made it "work" once using custom route, but the connection doesnt work so much, and i can't only get the return once i modify again the config
07:09 < erm3nda> hyper_ch,
07:09 < erm3nda> i have added custom route adding the IP given by openvpn server
07:10 < erm3nda> and i think this should be the ok config, but the connection (using a browser and a proxy) never returns, unless i change it back
07:10 < erm3nda> route 10.8.0.0/0 to 0.0.0.0/0
07:11 < erm3nda>  using push "redirect-gateway def1" client will pull config and will tunnel my internet, which is the opposite
07:11 < erm3nda> i just wanna use 10.8.0.0/0 for internal use, no internet
07:11 < erm3nda> on "this" client
07:12 < erm3nda> also tried to use dev tap, but android client doesnt support it
07:14 <+hyper_ch> I gave you the reason why it's doing that... so you know how to undo it
07:14 < erm3nda> but is not working as espected
07:14 < erm3nda> i don't know what i am missing
07:15 < erm3nda> it used to "do" it, but that time network doesnt respond. when i restart it, i got THE RETURN expected, but only when i restart it
07:15 < erm3nda> i think there's something bad, some bug or other ...
07:16 < erm3nda> actually i am playing with vpn_gateway and net_gateway untill i reach something that works
07:17 < erm3nda> acutuall, used nopull, then added the custom route and exception route manually
07:17 < erm3nda> and when i tried to connect with browser stays always WAINTING
07:17 < erm3nda> in the very moment i do reset connection it will return what i do need
07:18 < rob0> !ccd
07:18 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
07:18 < rob0> You actually do have to change the server config if you hope to change the server's behavior.
07:19 < erm3nda> really?
07:19 < erm3nda> so, adding a cusomt file for this client, but at server
07:19 < erm3nda> ok, ill try
07:19 < erm3nda> thx
07:36 < rob0> erm3nda, did that do it?
07:37 < erm3nda> i am trying to don't touch server, so i will be trying different configs for a while before use the ccd
07:37 < erm3nda> thank you
07:38 < rob0> purely on the client side, there's --route-no-pull
07:38 < rob0> or, manually (or in a script) manipulate your routes
07:45 < rob0> oh, this might help somewhat (the flowchart):
07:45 < rob0> !serverlan
07:45 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
07:45 < thumbs> !rob0
07:45 <@vpnHelper> "rob0" is is actually /dev/rob0 (because 0>5). Rumor has it that he is an AI project by google, but nobody can confirm.
07:46 <@dazo> lol
07:46 < rob0> wow, I've made it!  I didn't know I had that factoid.
07:47  * ecrist wonders who added that
07:48 <@ecrist> ah, krzee 
07:48 <@dazo> sounded like krzee :)
07:48 <@ecrist> May 23, 2017
07:49 < erm3nda> rob0 i used the --route-no-pull option many times, with and without custom routes, but even if it starts, the connection throug configured proxy at 10.0.0.1 hangs
07:49 < erm3nda> that's the current problem. I'll try at computer too in order to discard things
07:50 < erm3nda> vpnHelper, serverlan i a tunnel too?
07:50 <@dazo> !vpnHelper
07:50 <@vpnHelper> "vpnHelper" is "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
07:51 < erm3nda> i do wrote by mistake to vpnEtc bot ... :D
07:53 < erm3nda> rob0, i have other vpn client/server option if i can't do that at all
07:53 < erm3nda> i wanted the commodities of the openvpn gui...
07:54 <+_FBi> good morning everyone
07:59 < erm3nda> rob0, seems i made that even more complicated
07:59 < erm3nda> using no-pull it works from the point of view of client browser, it gets the ip at wifi, not the vpn, so i cna say its working
08:00 < erm3nda> now, i set a proxy server at client too, and i am trying to connect from server using 10.0.0.2 ip, and that one is being tunneled back to server
08:00 < erm3nda> technically, i need to create custom route for 10.0.0.0/0 to skip it too.
08:00 < erm3nda> right?
08:01 < erm3nda> i've ensured that the connection is going to client proxy server ,and serverd back from server. basically, i am using client for nothing :-( unless i can route it properly
08:04 <@ordex> "i am trying to connect from server using 10.0.0.2 ip" << can you clarify this ?
08:04 <@ordex> you are on the VPN server and you are trying to connect to 10.0.0.2 ?
08:12 < erm3nda> yep
08:12 < erm3nda> and it dies
08:12 < erm3nda> does
08:12 < erm3nda> but when the connection reachs the client proxy, it comes back to server via vpn...
08:12 < erm3nda> client is working, i can tunnel everything or nothing at client browser
08:12 < erm3nda> but not at client proxy server
08:12 < rob0> erm3nda, "10.0.0.0/0" is not a valid CIDR expression.  Perhaps you meant /8?  Or some lower value?
08:13 < erm3nda> 10.0.0.2 is my client
08:13 < erm3nda> sure /0 is not valid CIDR?
08:13 < erm3nda> shouldn't vpn client advert or fail?
08:13 < erm3nda> i tried few times with /24 too
08:15 < rob0> 0.0.0.0/0 is valid CIDR, referring to the entire IPv4 Internet and all special-use networks therein.
08:16 < erm3nda> i thought that /0 means any of them
08:16 < erm3nda> for any given ip ranges
08:16 < erm3nda> i am seeing that the openvpn configurator i am using does some nasty config when setting routes
08:17 < erm3nda> but it may be that i am noob and not understanding anything :-/
08:17 < erm3nda> anyway, thanj you so much, i must leave right now
08:17 < erm3nda> thx
08:17 < erm3nda> client is a phone, battery 0% no charger :D....
08:17 < rob0> read up on CIDR and subnetting
08:17 < erm3nda> ill do
08:19 < erm3nda> okay, this is the one i want 10.8.0.0/16
08:19 < erm3nda> because i have other 10.0.0.1 vpn at time, so i won't make them clash
08:19 < erm3nda> thx
08:30 < xPatsy> Hey all, dumb question ... I have a VPS I'm using for my VPN Server. I'd like to leverage the hosts blacklisting that I've set up on that box via dnsmasq and some adblock scripts. As it is now, requests from clients to/from those blacklisted domains still goes through. I do have the push redirect gateway on, not sure what else may be needed
08:31 < DArqueBishop> You need to push the DNS settings as well.
08:32 < DArqueBishop> !pushdns
08:32 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like
08:32 <@vpnHelper> OpenVPN for Android and OpenVPN Connect will happily accept push dhcp-option
08:34 < rob0> !dnsmasq
08:34 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
08:34 < rob0> ^^ that might help since you're already using dnsmasq
08:38 < xPatsy> Much appreciated, I'll read through those
09:18 < s3nd1v0g1us> How do i stop openvpn frm reconnecting every hour?
09:19 < s3nd1v0g1us> Reconnect/reauthorize
09:19 < rob0> The answer to that would vary with the reason why it's doing that.
09:19 < s3nd1v0g1us> No kidding
09:20 < s3nd1v0g1us> Its a longstanding problem with ovpn
09:20 < s3nd1v0g1us> Is there a solution?
09:20 < rob0> no idea
09:21 < s3nd1v0g1us> Then let someone else respond
09:21 < rob0> read the /topic
09:21 < s3nd1v0g1us> If you don't know the answer then why are you responding at all?
09:21 < s3nd1v0g1us>  I'm asking the admins.
09:21 < rob0> you're wasting everyone's time by asking a half-baked question which would never be answerable
09:22 < rob0> I am an admin
09:22 < s3nd1v0g1us> That you don't have an answer doesn't mean that there isn't one.
09:22 < s3nd1v0g1us>  my question is both a reasonable and one that's been asked before.
09:24 < s3nd1v0g1us> How do I stop openvpn from reconnecting reauthorizing every hour?
09:27 <@ordex> s3nd1v0g1us: I think rob0 was quite basically right when he said "< rob0> The answer to that would vary with the reason why it's doing that."
09:27 <@ordex> it depends first what you technically mean with reconnecting/reauthorizing
09:27 <@ordex> and then you need to understand why it wants to do that
09:28 <@ordex> usually it all depends on how the service is configured
09:30 <@ordex> it is normal to reperform the handshake upon key renegotiation and if you have configured the service with user and pass but without cache it will need to re-ask for them
09:30 <@ordex> but actually I also answered this question earlier, haven't I?
09:31 <@dazo> !man
09:31 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
09:31 <@ordex> !superman
09:31 <@ordex> ah no :(
09:31 <@dazo> s3nd1v0g1us: ^^^ ... look for --reneg-* options
09:32 <@dazo> s3nd1v0g1us: and do realise that the renegotiation *is* a security feature, not an annoyance.
09:32 <@ordex> check also --auth-nocache in case it is set
09:32 <@ordex> which by itself is correct
10:08 < s3nd1v0g1us> Reneg can only be reset on the client side unfortunately.
10:09 < s3nd1v0g1us> This is alomgstandding problem with ovpn that has gone unreaolved.
10:10 < s3nd1v0g1us> So if i remove auth-no cache will that resolve?
10:10 < s3nd1v0g1us> Ordex
10:11 < s3nd1v0g1us> Is auth-no cache why it trus to reneg/reauth every hour?
10:15 <@ordex> no
10:15 <@ordex> auth-nocache is why it *asks* for the pass everytime
10:16 <@ordex> why it renegotiate is defined bythe --reneg-* options
10:16 <@ordex> but if you remove auth-nocache it will store the pass in memory and not ask you anymore
10:22 < s3nd1v0g1us> Will it continue to attempt a reconnect each hour?
10:23 < s3nd1v0g1us> Its hard to use tor when my tunnel fails every hour.
10:24 <@ordex> s3nd1v0g1us: reconnection is different from renegotiation
10:24 <@ordex> these are two different problems
10:25 <@ordex> you may want to show your logs about when the problem happens to see why it is happening
10:25 <@ordex> verb 4 would be better
10:25 < s3nd1v0g1us> When will ovpn change the reneg-sec on the server side? Thats whats needed.
10:25 < s3nd1v0g1us> Its reneg-sec on ovpns side.
10:25 <@ordex> s3nd1v0g1us: renegotiation does not kill the tunnel
10:26 <@ordex> it just reperforms the key renegotiations
10:26 <@ordex> but hte tunnel stays up
10:26 < s3nd1v0g1us> I can change regsec in the client side, but not on yours.
10:26 <@ordex> did you read what I wrote above? ^^
10:26 < s3nd1v0g1us> Yes.
10:28 < s3nd1v0g1us> Posting as periwinkle
10:29 < s3nd1v0g1us> Damn cant
10:33 < patr0clus> ordex....
10:34 <@ordex> yeah?
10:34 < patr0clus> https://zerobin.net/?4cf87697b6680a75#nTRj5nPzPA5I1phA+t3oFPamLfxkFQnHvFFAtk3s/vg=
10:34 <@vpnHelper> Title: ZeroBin (at zerobin.net)
10:35 < patr0clus> this is my log
10:35 < patr0clus> (that sounds dirty)
10:35 <@ordex> whne does the disconnection happens?
10:35 <@ordex> was openvpn configured with verb 4 ?
10:36 <@ordex> *when
10:36 < patr0clus> https://zerobin.net/?005107980dc0fba7#kOWHeIJ8x61kbCEU5aLANlzbJakcBxepm/yiWNVSBwk=
10:36 <@vpnHelper> Title: ZeroBin (at zerobin.net)
10:36 < patr0clus> this is my config
10:36 <@ordex> oh at 11:00
10:36 < patr0clus> verb3?
10:37 <@ordex> ?
10:37 <@ordex> this is verb 3 ?
10:37 < patr0clus> i think my config is set to verb3
10:37 <@ordex> yes the config says so
10:37 <@ordex> by the way
10:37 <@ordex> I see the management asking for the pwd at 11:00
10:37 < patr0clus> yes
10:37 < patr0clus> every hour it asks
10:37 <@ordex> and you have auth-nocache
10:37 <@ordex> so?
10:38 < patr0clus> so how can i keep the tunnel up so that it doesnt reneg every hour. its hard using tor when my vpn fails every 60 mins.
10:38 < patr0clus> (i use whonix, but openvpn is the tunnel on my host.)
10:39 < patr0clus> thank you for your guidance btw.
10:39 <@ordex> let me copy/paste what I said before
10:39 <@ordex> [2309.18] <@ordex> auth-nocache is why it *asks* for the pass everytime
10:40 <@ordex> so it does not 'reconnect'
10:40 <@ordex> but tries to renegotiate the key
10:40 <@ordex> and it needs the pwd for that
10:40 <@ordex> if you remove auth-nocache, then the pwd will be stored in memory so that it does not need to ask it again and again
10:40 <@ordex> you can check the manpage for that if you want to read more
10:41 <@ordex> patr0clus: ?
10:42 < patr0clus> so if i remove auth-no cache then it wont reneg every hour?
10:42 <+hyper_ch> dazo: ecrist: ordex: https://arstechnica.com/tech-policy/2017/10/supreme-court-to-decide-if-us-has-right-to-data-on-worlds-servers/
10:42 <@vpnHelper> Title: Supreme Court to decide if US has right to data on world’s servers | Ars Technica (at arstechnica.com)
10:42 <@ordex> the title is already funny
10:42 <@dazo> s3nd1v0g1us: no, --reneg-* can be set on both server and client side
10:43 < patr0clus> i dont have access to server side
10:43 <@ordex> patr0clus: yes it will still reneg every hour, but won't ask the user/pass again, because it is kept it memory after the first time
10:43 < patr0clus> but if it renegs evcery hour then the problem is the same. that my tunnel renegs each hour forcing tor offline.
10:43 <@ordex> patr0clus: NO
10:43 <@ordex> renegotiation does not take down the tunnel
10:43 <@ordex> I wrote that many times above
10:44 <@ordex> it's an internal process that does not effect the connectivity
10:44 < patr0clus> i see. ill try removing auth-no cache then and see what happens.
10:44 < patr0clus> do my other setting seem correct otherwise?
10:44 <@dazo> patr0clus: --reneg-* and --auth-nocache are very different .... read !man
10:44 <@dazo> !man
10:44 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
10:45 < patr0clus> i know they are different. i was only wondering if they are contigent on one aother
10:45 <@dazo> and it is pretty impossible for us to say if a client config looks reasonable without having a chance to compare it with the server side
10:45 <@dazo> nope they are not
10:45 < patr0clus> fair enough.
10:46 < patr0clus> im just trying to keep the tunnel up and instactr while im using tor. otherwise, openvpn isnt the right choice for me.
10:46 < patr0clus> but if its just the auth-no cache, then i might be ok.
10:46 < patr0clus> ill tryu it
10:50 < patr0clus> is there any virtue to using another vpn tunnel on whonix gateway in addition to the tunnel on my host? or would that actually negatively impact?
10:50  * ordex has no clue what whonix is
10:51 < patr0clus> im also looking at setting up a series of vpns on a number of vms in order to create a nested vpn scenario.
10:51 < patr0clus> https://www.whonix.org/
10:51 <@vpnHelper> Title: Whonix (at www.whonix.org)
10:53 < patr0clus> i use whonix on a vm
11:10 < bryanfrommacau> !welcome
11:10 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
11:11 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
11:11 <@vpnHelper> you
11:12 < bryanfrommacau> !goal
11:12 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:12 < bryanfrommacau> !howto
11:12 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
11:14 -!- xemdetia_ is now known as xemdetia
11:14 < bryanfrommacau> I would like to set up openVPN on a VPS, and configure it in a way which would be least detectable to the GFT (Great Firewall of China)
11:14 < bryanfrommacau> I can't read the howto at openvpn.net as it's blocked here :/
11:16 < bryanfrommacau> I would like to access the internet over my openVPN which is running on a VPS, but first I would like to secure it with ssl (I think)
11:16 < skyroveRR> Where are you, bryanfrommacau ?
11:16 < bryanfrommacau> I'm in China
11:16 < skyroveRR> Hence.
11:16 < DArqueBishop> !obfs
11:16 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols, or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation, or (#3) in client/server mode an admin can know that openvpn is being
11:17 <@vpnHelper> used. in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
11:17 < bryanfrommacau> !forwardsecurity
11:17 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can not decrypt past traffic, or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
11:18 < bryanfrommacau> ok, I'll look at those resources
11:18 < bryanfrommacau> thanks!
11:21 <@ordex> bryanfrommacau: you can also take a ferry to HK, might be easier :P
11:21 <@ordex> :D
11:21  * ordex was teasing
11:23 < bryanfrommacau> If it comes to it... :)
11:41 <@dazo> bryanfrommacau: you could also consider testing out PrivateTunnel ... it got an obfs mode built into it ... not sure how that'll work from a laptop though, or how hard it is to configure .... with Android/iOS apps, it's just a matter of "clicks" in the configs
13:06 < havoc> heh, definitely gotta re-write all these ovpn management scripts in perl, vs. bash
13:06 < havoc> *roughly* an order of ten speed increase, or less resources, depening on point of view
13:21 < fahmad> hey
13:28 < fahmad> https://pastebin.com/u7HDAFRU can someone give me answer to this ?
13:30 < Kryczek> fahmad: LAN6 is OpenVPN?
13:30 < fahmad> yes its client
13:30 < fahmad> all are openvpn
13:30 < Kryczek> ah
13:32 < Kryczek> LAN1 is openvpn too?
13:32 < fahmad> LAN1 have OpenVPN Server
13:32 < DArqueBishop> !clienlan
13:32 < DArqueBishop> !clientlan
13:32 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see
13:32 <@vpnHelper> !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
13:33 < fahmad> DArqueBishop: i have already pushed the routes they are working client can access eachother but always getting vpn ip in the logs
13:33 < DArqueBishop> Then that's an iptables/firewall issue.
13:34 < fahmad> hmm
13:34 < fahmad> i am not using iptables or firewall :)
13:35 < DArqueBishop> Incorrect.
13:36 < fahmad> hmm
13:36 < fahmad> i have enabled port forwarding only
13:36 < DArqueBishop> There has to be a firewall involved for SNAT to be in play.
13:36 < fahmad> hold lemme paste config
13:36 < fahmad> the problem is
13:37 < fahmad> clients are also pushing routes using iroute
14:58 -!- eblip is now known as eb0t
15:55 < a1fa> does anyone know if tunnelblick supports embedded <ca></ca> certificates in ovpn files?
15:59 < a1fa> well never mind
15:59 < a1fa> it loos like it "does"
21:44 < SimpleName> can I run two client in same machine?
21:49 <@ordex> SimpleName: sure why not
21:49 <@ordex> just make sure they do not conflict with each other
21:50 < SimpleName> I try it and get error: Socket bind failed on local address [AF_INET][undef]:1194: Address already in use
21:50 <@ordex> well, that's what I meant
21:51 <@ordex> two sockets cannot be bound to the same port
21:51 <@ordex> despite them being openvpn sockets or not
21:51 <@ordex> thus, let the clients use different local ports
21:52 < SimpleName> how to set local port
21:52 < SimpleName> I can only set server ports
21:54 <@ordex> I think --lport
21:54 <@ordex> !man
21:54 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
21:55 <@ordex> SimpleName: or you can use nobind
21:55 <@ordex> --nobind
21:55 <@ordex> check the man as well
21:55 <@ordex> it will allocate a random port for the client, so you don't need to specify it
21:57 < SimpleName> ok
22:12 < jcadduono> building openvpn from master and having trouble with $OPENSSL_LIBS, it seems to link to system ssl and crypto then adds that on after it, cancelling out whatever's in $OPENSSL_LIBS
22:12 < jcadduono> is there something else i should be setting to prevent that from happening
22:18 <@ordex> jcadduono: how do you come to that conclusion? do you have any log with error/warning/something ?
22:20 < jcadduono> it was in the make output let me see if i can find it
22:21 <@ordex> jcadduono: you mean you saw the OPENSSL_LIBS not being respected in the compile command ?
22:22 < jcadduono> ok nevermind i was wrong
22:22 < jcadduono> i think i just need to use -Wl,-rpath=/usr/local/ssl/lib
22:23 <@ordex> ah
22:23 <@ordex> so the problem was at runtime
22:23 <@ordex> yeah
22:24 <@ordex> or override LD_LIBRARY_PATH
22:24 < jcadduono> yay all good export OPENSSL_LIBS="-Wl,-rpath=/usr/local/ssl/lib -L/usr/local/ssl/lib -lssl -lcrypto" worked
22:30 < SimpleName> when I force clean tun device that openvpn created, openvpn will write log file quickly to report the error. now how to close itself if openvpn can’t find the tun device anymore
22:32 <@ordex> SimpleName: I don't understand
22:32 <@ordex> openvpn will destroy the tun interface in its own (if it created it)
22:32 <@ordex> are you manually creating the tun interface?
22:33 < SimpleName> When I destroy tun interface mannually, openvpn will report error to log file repeat, and the log file will increase to very very big
22:34 < SimpleName> I know openvpn close it, but in my project, it may be happened that tun close independly
22:35 < SimpleName> it will let my linux server have no space
22:36 < SimpleName> because the log file very big size
22:36 < SimpleName> or is there any way limit the log file size ?
22:37 <@ordex> you can log to syslog and then let syslog deal with the logsize if you want
22:37 <@ordex> ah he's gone
--- Day changed Tue Oct 17 2017
00:25 < SimpleName> ordex: I know with mutiple —remote I can make redundancy, but the different remote server must have same server key/cert. how can I make it work even remote servers have different key/cert
00:30 < SimpleName> maybe use <connection> <connnection/>
00:30 < SimpleName> can solve it :)
00:36 <@ordex> SimpleName: about the logsize: you can log to syslog and then let syslog deal with the logsize if you want
00:36 <@ordex> SimpleName: yes, use the connection block
00:40 <+hyper_ch> what are connection blocks?
00:44 < SimpleName> <connection> </connection> hyper_ch
00:44 < SimpleName> https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
00:44 <@vpnHelper> Title: Openvpn24ManPage – OpenVPN Community (at community.openvpn.net)
00:44 <+hyper_ch> never used those
00:46 < SimpleName> hyper_ch: I use it for redundancy
00:47 < SimpleName> ordex: not works as my expect: Options error: option 'ca' cannot be used in this context ([CONNECTION-OPTIONS]
00:56 < SimpleName> bind, connect-retry, connect-retry-max, connect-timeout, explicit-exit-notify, float, fragment, http-proxy, http-proxy-option, link-mtu, local, lport, mssfix, mtu-disc, nobind, port, proto, remote, rport, socks-proxy, tun-mtu and tun-mtu-extra
00:56 < SimpleName> only those options may be used inside of a <connection> block
00:56 < SimpleName> ca can’t
01:07 <@ordex> yeah
01:09 < SimpleName> ordex: now, how to solve the problem: set mutiple remote(or connection), and every connection use different ca.crt/client.crt/client.key
01:09 <@ordex> well, I don't think that is supported
01:09 <@ordex> unless you can add multiple CAs in the <ca></ca> block ? never tried
01:10 <@ordex> but then you have the problem with cert/key. I don't think this can be done
01:10 <@ordex> also because it does not make really a lot of sense from the deployment perspective
01:11 <@ordex> one file is supposed to be for one service, so you expect all the servers behind that service to be able to authenticate you and not to have their own PKI
01:13 < SimpleName> so the correct way is use mutiple client config file, right ?
01:13 <@ordex> yes
01:13 <@ordex> or
01:13 <@ordex> to fix your deployment so that all servers can accept the same user certificates
01:15 < SimpleName> in our company, different vpn server, use diffrent ca & server.crt
01:17 <@ordex> why not one CA only ?
01:18 <@ordex> anyway, that is something you can think about :)
01:19 < SimpleName> even use one CA only, we still use different server.key/crt
01:20 <@ordex> that's ok
01:20 <@ordex> the client does not need to have the server cert beforehand
01:29 < SimpleName> ordex you mean: with only one CA, if I generate three group server crt/key: A B C, and generate three group client A_C, B_C, C_C, all client crt/key can auth with all server crt/key?
01:30 <@ordex> I haven't fully understood the group thing .. but if all certs are generated by the same CA you should be able to access any of those servers
01:31 <@ordex> because both clients and servers will be able to use the same CA to verify the validity of the various certs
01:33 < SimpleName> ok, thank you :)
01:37 -!- abenz_ is now known as abenz
05:04 -!- abenz_ is now known as abenz
05:49 -!- zvirbliukas1 is now known as zvirbliukas
06:01 < TheSilentLink> hello I have changed my protocol do I need to restart the server and regenerate .opvn?
06:04 <+hyper_ch> clients and server need to be restarted if protocol has changed
06:04 <+hyper_ch> and you need to ensure that each config is changed
06:06 < TheSilentLink> hyper_ch: sorry for the stupid question but now would one do about restarting the server? do I kill the process and restart it?
06:07 <+hyper_ch> depends
06:13 < Kryczek> TheSilentLink: usually `/etc/init.d/openvpn restart`
06:22 < kryl> hi, I have 2 groups of people and 2 different LAN in my company. I'm wondering if it's possible to restrict first group to only one LAN and the second group will have access to everything or just second LAN ? The limitations must be based on their client keys.
06:25 <+hyper_ch> TheSilentLink: systemctl restart openvpn@xxx
06:25 <+hyper_ch> or /etc/init.d/openvpn restart
06:25 <+hyper_ch> depends on what system you're using
06:39 < adac> I revoked a certificate and then re-created one that uses the same ip. In ccd I have
06:39 < adac> ifconfig-push ​50.1.0.28 255.255.255.0
06:40 < adac> however on the client it uses IP 50.1.0.30
06:40 < adac> *50.1.0.3
06:40 < adac> any ideas?
06:42 < adac> Do I have to restart the openvpn server?
07:00 < chmd> hi
07:01 < chmd> Quick question: I am not native english speaker so I may be missing a culture reference
07:01 < chmd> but why does the doc for ccd/iroute has a host named "thelonious"?
07:02 < chmd> I noticed that sslh had the same name in their doc https://github.com/yrutschle/sslh/blob/0929d39a34a78e77703486e762a3891a65b9d69c/example.cfg#L25
07:02 <@vpnHelper> Title: sslh/example.cfg at 0929d39a34a78e77703486e762a3891a65b9d69c · yrutschle/sslh · GitHub (at github.com)
07:03 < chmd> at that point I am thinking that "thelonious" is some kind of reference that I don't get
07:16 -!- abenz_ is now known as abenz
07:19 < chmd> also seeing references in distcc https://github.com/distcc/distcc/issues/59#issuecomment-109492584
07:19 <@vpnHelper> Title: Hosts found by Zeroconf do not have ,cpp,lzo options when listing with distcc --show-hosts · Issue #59 · distcc/distcc · GitHub (at github.com)
07:27 < dedondesta> hello, i have a vpn connection and i can access PC within that network, but sometimes i want to access internet through another PC withing that openvpn network, what are my options?
07:30 -!- NotSecwitter is now known as NonSecwitter
07:36 <+hyper_ch> dazo: ecrist: krzee: ordex:  security done right  https://www.reuters.com/article/us-microsoft-cyber-insight/microsoft-responded-quietly-after-detecting-secret-database-hack-in-2013-idUSKBN1CM0D0
07:36 <@vpnHelper> Title: Microsoft responded quietly after detecting secret database hack in 2013 | Reuters (at www.reuters.com)
09:14 < mack-> chmd: Probably whoever started that documentation was a jazz fan or just liked the name
09:43 < chmd> mack-: it's not only openvpn
09:47 < mack-> Thelonious Monk is pretty famous worldwide
09:53 < chmd> as I was saying, the docs of sslh and distcc are also referring to such a hostname
09:58 < rob0> maybe written by the same person?  Or by another jazz fan?
09:59 < rob0> As a native English speaker, Monk is the only "Thelonious" reference I know.
10:05 < havoc> also, Monk is the first google hit for "thelonious", at least for me
10:05 < mack-> People like the name. It's sonorous. Plenty of garage bands have it in their names
10:05 < chmd> http://mung.net/
10:05 <@vpnHelper> Title: Welcome to Thelonious.Mung.net (at mung.net)
10:07 < chmd> I guess you are right, it must be the same guy
10:07 < mack-> chmd: as far as hostnames go, it's sort of similar if someone didn't know Dune and wondered why atreides.example.com was named so.
10:08 < mack-> and why someone named something Atreides in some software manual :)
10:08 < chmd> this is exactly what I am trying to understand yes :-)
10:09 <@novaflash> kwisatz haderach
10:09 < mack-> your initial statements are true :) It was just a reference you didn't get. I pointed you to jazz and figured that was enough
10:09 < chmd> functionally I understand tutorials mentionning this host name, but I was wondering whether there was some kind of clever reference that I would be missing
10:10 < havoc> nope, just a cool name
10:10 < mack-> nothing clever, as far as I can tell
10:10 < chmd> like thelonious would host stuff in some book
10:10 < chmd> anyway
10:14 < chmd> thanks!
10:44 < m00n_urn> hey
10:45 <@ordex> uhey
10:46 < m00n_urn> in order to fix a dns leak would adding a block-outside-dns option on a new line undvr .ovpn work? coz it shows an 'unrcognized option or missing parameter' for me
10:47 < m00n_urn> openvpn --version 2.3.4
10:50 < rob0> Did you read about --block-outside-dns in the manual?  Chances are, that explains why it's unknown.
10:52 < m00n_urn> rob0: it says it works on windows alone im guessing? how do i stop dns leaks on a linux machine? or any device connecting to my vpn access point?
10:53 <@ordex> iptables?
10:53 < rob0> describe your leak
10:53 <@novaflash> rob0; you're getting awfully personal here...
10:53 < rob0> haha
10:53 < rob0> simplest thing is to run your own resolver
10:54 < rob0> it will always use your default route; when that's the VPN, that's how queries go out.
10:56 < m00n_urn> resolver? as in change the nameservers inside /etc/rsolv.conf?
10:57 < rob0> "nameserver 127.0.0.1" and run named or unbound
11:27 < exedore6> Is there a way, using an ovpn config file to tell the client (in this case an ios device), when connected to the vpn, to use a proxy server for http/https? I do not want to connect TO my openvpn server through a proxy. I want to be able to connect to a proxy server once connected.
11:33 < BtbN> On clients this might be possible with a bunch of scripting, but on IOS I highly doubt it
11:34 < BtbN> +desktop
11:35 <+hyper_ch> why not route all traffic through the openvpn server?
11:37 < Eugene> exedore6 - nope; you'd have to do it in an --up script of your own devising
11:51 < exedore6> That was my hunch, thanks to the fact that ios binds proxy settings to the interface (and I can’t get to the openvpn interface for that). I’ll deal with it on the network end (force all traffic through the proxy using some redirects). Thanks anyway.
12:11 < goofy_> hi
12:11 < goofy_> what does easyrsa3 uses to encrypt private key with password?
12:11 < goofy_> aes256?
12:12 < BtbN> look in the encrypted file.
12:12 < BtbN> It just uses openssl, it does not do its own crypto.
12:14 -!- zvirbliukas1 is now known as zvirbliukas
12:15 < goofy_> BtbN, in the encripted file is not written anything
12:16 < BtbN> There should be a line on top about the algorithm
12:16 < goofy_> -----BEGIN ENCRYPTED PRIVATE KEY-----
12:45 < goofy_> nobody here?
13:05 < rob0> goofy_, figure out the openssl command line used, if you can, and then check openssl documentation.
13:06 < rob0> It's probably using whatever openssl uses by default.
13:06 < goofy_> rob0, i need to know which algorithm is used by easyrsa
13:07 < goofy_> aes256, des3 ?
13:07 < goofy_> which one?
13:07 < rob0> yes, again, easyrsa is a set of scripts which run openssl
13:07 < goofy_> yes, and how to discover which one uses?
13:13 < fahmad> DArqueBishop: can you me example for SNAT with my senario
13:15 < fahmad> https://pastebin.com/u7HDAFRU
13:25 <@dazo> goofy_: man rsa    <<<-- there's your answer, when you correlate that with the easy-rsa script
13:26 <@dazo> we generally don't spoon-feed people here.  you need to put some efforts into things when you're given some clues
13:27 < fahmad> dazo: hey
13:28 <@dazo> fahmad: man iptables-extensions
13:30 < fahmad> i know SNAT
13:30 < fahmad> but its kinda confusing
13:30 < fahmad> setting too many hosts as for SNAT rules
13:30 < goofy_> dazo, you are right, i don't need to be spoon feeded, i learned by myself how to manage certificates with openssl, but easyrsa it's something different
13:30 < goofy_> i'm talking about easy-rsa, and not rsa
13:30 < fahmad> goofy_: its easy :-)
13:31 < goofy_> i just asked which script is used when you use easyrsa to create private keys with password
13:31 < fahmad> its using same openssl command
13:31 < goofy_> in the way of i can use the same algorithm when i manage them with openssl command
13:32 < goofy_> i need to get the answer by some operato
13:32 < goofy_> *r
13:32 < fahmad> ahh
13:32 < fahmad> can not you open the script and see by yourself ?
13:33 <@dazo> goofy_: easy-rsa is a shell script which uses openssl under the hood.  To handle private keys, easy-rsa executes openssl with the rsa sub-command
13:33 < fahmad> goofy_ happey
13:34 < goofy_> dazo, i know, and where is this command?
13:34 < fahmad> h/happey/happy
13:34 < fahmad> i am out
13:34 <@dazo> goofy_: I'm not going to learn you how to use grep and the "search" feature in editors
13:51 < goofy_> if you don't specify any encription algorithm, openssl will not ecrypt
14:06 < goofy_> dazo, this is the script: https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/easyrsa
14:06 <@vpnHelper> Title: easy-rsa/easyrsa at master · OpenVPN/easy-rsa · GitHub (at github.com)
14:07 < goofy_> but is nothing about which algorithm is used to encrypt
14:08 <@dazo> goofy_: you probably need to wash your glasses or see an eye doctor .... look a the set_pass() function .... this really isn't rocket science
14:12 < goofy_> ok, there are $key_type and $crypto
14:12 < goofy_> but what is its default value?
14:13 <@dazo> seriously!?  You need to see an eye doctor quite soon ..... https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/easyrsa#L897  <<--- the same URL you pointed me at, in plain sight
14:13 <@vpnHelper> Title: easy-rsa/easyrsa at master · OpenVPN/easy-rsa · GitHub (at github.com)
14:14 <+hyper_ch> dazo, still awake?
14:15 <@dazo> hyper_ch: yeah
14:15 <+hyper_ch> does linux by default use tpm for anything?
14:15 <@dazo> hyper_ch: not by default
14:15 <+hyper_ch> because https://www.bleepingcomputer.com/news/security/tpm-chipsets-generate-insecure-rsa-keys-multiple-vendors-affected/
14:15 <@vpnHelper> Title: TPM Chipsets Generate Insecure RSA Keys. Multiple Vendors Affected (at www.bleepingcomputer.com)
14:16 <@dazo> hyper_ch: yeah, noticed that one .... well, I can't speak for all Linux distros ... but Fedora, RHEL (including CentOS + Scientific Linux) does not use TPM for anything out-of-the-box ... you need to configure that yourself
14:16 < goofy_> dazo, lol, thank you
14:17 <+hyper_ch> dazo: thx :)
14:17 < goofy_> idk why but my searching function of the browser was no not matching it
14:17 <@dazo> hyper_ch: that said, I'm a bit uncertain how it affects secure boot though ... but I don't think TPM is used for that signing stuff
14:17 <+hyper_ch> I wonder if android uses tpm
14:18 <@dazo> hmmm ... do mobile devices have TPM of that kind?
14:18 <+hyper_ch> since it has file based encryption on by default now and uses a store to keep the encryption key etc....
14:18 <+hyper_ch> I don't know
14:18 <+hyper_ch> nxios seems to have special tpm-luks if one wants it
14:18 <@dazo> There is a storage somehow, but I think it is on a protected area of the flash
14:18 <+hyper_ch> no idea
14:19 <@dazo> yeah, you can add TPM in most Linux distros ... but it is quite a process getting it to work properly
14:19 < DArqueBishop> About the only thing I remember seeing TPM used for off the top of my head is BitLocker.
14:19 <+hyper_ch> https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/security/tpm-luks/default.nix
14:19 <@vpnHelper> Title: nixpkgs/default.nix at master · NixOS/nixpkgs · GitHub (at github.com)
14:19 <+hyper_ch> that seems just to store luks key in tpm nvram
14:20 <+hyper_ch> no /dev/tpmX on my machine
14:20 <@dazo> you need some kernel drivers loaded for it, iirc
14:20 <+hyper_ch> so no kernel module loaded :) good :)
14:21 <@dazo> but, yeah ... tpm is only used to keep keys stored securely .... tpm is essentially just a variant of PKCS#11 smart cards
14:21 <+hyper_ch> :)
14:21 <+hyper_ch> bitlocker uses tpm
14:22 <@dazo> just tied harder into the BIOS/UEFI stuff ... so if you try to boot you the real encryption keys are (normally) quite well protected and if too many failed attempts happens, the machine can go into a serious lock-down mode
14:22 <+hyper_ch> https://technet.microsoft.com/en-us/library/cc766200(v=ws.10).aspx#BKMK_TPMChipSupport
14:23 <+hyper_ch> so, the bed is headed for me now
14:24 <+hyper_ch> good night
16:07 < palate> Hello!
16:08 < palate> Is there a way to have only a user/password to connect to an openvpn server (not in point-to-point mode, as the server doesn't know the ip of the client)
16:08 < palate> ?
16:10 < mete> you can use certificates together with user/pass, but I never used that... but this is possible I know
16:10 < mete> or to clarify, I used it, but never configured it
16:16 < palate> mete: so I don't have a way to make it such that the client and the server don't have to share anything for the client to be able to connect?
16:17 < palate> In my use-case, I actually don't care about security *at all*. I just want an interface to a remote network, actually :-)
16:19 < rob0> OpenVPN in client/server mode does require TLS certificates.  I think your answer then is "no".
16:20 < palate> rob0: that's what I thought ^^. Thanks for the confirmation!
16:20 < mete> maybe something like: openvpn --ifconfig 10.200.0.1 10.200.0.2 --dev tun -–auth none
16:20 < mete> but never used something like that
16:21 < mete> http://n0p.net/presentations/openvpn/plaintext_tunnel.html   after a quick google..
16:21 <@vpnHelper> Title: Plaintext Tunnel (at n0p.net)
16:22 < mete> but yeah, that's ptp...
16:45 < Kryczek> palate: ssh -D ?
16:47 < palate> mete: I don't want the point-to-point, as I don't know the ip of the client
16:48 < palate> mete: wait, actually any client will be able to connect to the ptp thing, right?
16:49 < palate> Kryczek: I did not know that. Does it have the same effect as a vpn (except for encryption)?
16:49 < palate> Kryczek: My use-case is that I want to connect to a docker network from a remote machine, for debugging purposes
16:49 < palate> Kryczek: so everybody have to believe that the remote machine is actually in the docker network :)
16:51 < Kryczek> palate: sounds like you don't have remote access permission from your company, and you also want to add a huge security flaw by not using proper security?
16:52 < palate> Kryczek: I think ssh -D is only forwarding from my machine to the remote network, but I am not sure then the tunnel is open on the other way
16:52 < palate> Kryczek: not at all. I would setup a proper vpn if that was the case, right? :-)
16:53 < palate> Kryczek: I have containers running on a drone, actually. I want to debug them from my computer because I want to plot some stuff (ROS stuff). So I want to have a way to plug my computer into this network when debugging
16:53 < mete> palate, yeah, any client
16:54 < palate> mete: but only one at a time?
16:54 < palate> mete: I am not sure what "point-to-point" means =/
16:55 < mete> yeah, only one client concurrently
16:55 < palate> mete: ok, sounded like this :-)
16:55 < Kryczek> palate: have you tried this very easy setup? https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
16:55 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
16:56 < mete> always if you have a client/server setup, only one side has to know the ip of the other side... like if you browse with your browser...
16:56 < DArqueBishop> "This" network?
16:57 < palate> Kryczek: well, it requires a key and it is point-to-point. I thought that for the point-to-point connection, both sides had to know the ip of the other side, and my drone doesn't know my ip before I connect. But maybe I'm wrong and the ptp works
16:57 < rob0> even p2p mode, only one needs to know how to find the other
16:57 < Kryczek> palate: no you make the drone the server and it doesn't have to know the client IP :)
16:58 < Kryczek> palate: maybe you are confused by the "ifconfig" line? That's IP addresses inside the VPN, regardless of what the "real" IP addresses area
16:58 < Kryczek> are*
16:58 < palate> I'll try the easy plaintext ptp one, then
16:58 < palate> Kryczek: yeah, that was exactly that, the ifconfig line
16:58 < palate> Clearer now :-)
16:58 < Kryczek> palate: seriously, do this one: https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
16:58 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
16:58 < Kryczek> plaintext is madness.
17:00 < palate> Kryczek: why? I'm connecting over USB to my drone that is setup in debug mode by myself. Is it still bad? :D
17:01 < Kryczek> palate: ah you didn't say... well, if someone else can connect in USB... anyway, the mini howto takes literally 5mins, the plaintext one is probably harder
17:01 < palate> I find it funny that I had more trouble setting up an unsecure vpn than a secure one xD. Which makes sense in some way
17:02 < palate> Kryczek: I'll try the howto as well, just to learn!
17:03 < mete> have a good night, I go to sleep sorry ;)
17:03 < Kryczek> mete: thanks, you too!
17:04 < palate> mete: good night!
17:04 < palate> mete: And thanks a lot :-)
17:10 < palate> Kryczek: hmm, that's probably not for this channel, but when I run `openvpn --ifconfig 10.200.0.1 10.200.0.2 --dev tun`, I get a 'ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)'
17:10 < palate> Thing is that I am running as root (in an alpine docker container)
17:12 < Kryczek> palate: I've never tried to run with just these options... Try with the couple more lines it take to do the full mini howto config? :P
17:13 < Kryczek> palate: `dmesg` might give you more information though
17:14 < Kryczek> palate: https://stackoverflow.com/questions/30547484/calling-openconnect-vpn-client-in-docker-container-shows-tunsetiff-failed-opera
17:14 <@vpnHelper> Title: Calling OpenConnect VPN client in docker container shows TUNSETIFF failed: Operation not permitted - Stack Overflow (at stackoverflow.com)
17:16 < palate> Kryczek: I was focusing on ioctl =/. The container requires privileged mode. Thanks again :-)
17:19 < Kryczek> :)
17:21 < palate> ptp is easy!
17:21 < palate> Anyway, I'm glad I learnt the real way, but my script will be much simpler with ptp
17:37 < palate> Kryczek: I find it weird: if I don't set --ifconfig on the client but on the server, the client says that it is inconsistent and shows me the rule on the server side. Meaning that it could actually use the --ifconfig from the server, but it doesn't :D
17:38 < Kryczek> palate: interesting... but yeah you're supposed to have it on both sides, just with the IPs swapped
17:43 < palate> Kryczek: Yeah, it works like this. I was just trying to minimize the client side
18:04 < palate> Kryczek: do you have experience with pushing routes from the server?
18:05 < palate> (it is a rhetorical question asking if you mind helping me with that :D)
18:06 < palate> `openvpn --ifconfig 10.0.0.1 10.0.0.2 --dev tun --auth none --push "route 172.21.0.0. 255.255.255.0"`
18:06 < palate> It doesn't push the route to the client. Adding the very same route as a --route ... from the client works, though
18:10 < Kryczek> palate: I do but it's probably not what you want
18:10 < palate> :)
18:10 < Kryczek> palate: you would have to get all the other docker VMs to also learn the route to your clients
18:10 < palate> you mean, the way I try to do it?
18:11 < Kryczek> palate: add something like `iptables -t nat -A POSTROUTING --src 10.0.0.2 -j MASQUERADE` on your server
18:11 < Kryczek> and ip_forward to 1, either in /etc/sysctl.conf or /proc/sys/net/ipv4
18:12 < palate> Kryczek: oh, I can do it. I just thought I had to push the route to the client
18:12 < palate> but then adding this iptables rule on the server will push it to the client?
18:14 < palate> I am very bad with iptables, I should really learn how this works -_-'
18:16 < palate> Kryczek: It doesn't work either: it doesn't create a route on the client side
18:17 < Kryczek> ah yes sorry you still need a route on the client side, the iptables was just to avoid doing the server side as well
18:17 < Kryczek> I mean, all the other machines
18:18 < palate> But without your iptables rule, if I do --route 172.21.0.0 255.255.255.0 on the client, it seems to work already
18:19 < palate> maybe because of docker's configuration. The tutorial says "(only necessary if the OpenVPN server machine is not also the gateway for the server-side LAN)". I could imagine it is the case on my docker network :)
18:20 < palate> Kryczek: but then, does it mean I cannot push the route to the client from the server?
18:33 < Kryczek> palate: oh do your other VMs have the VPN server as their default gateway?
18:34 < Kryczek> palate: you can push the route from the server to the client if you want, or you can simply add a "route" line in the client config directly
18:34 < Kryczek> the second option is probably more robust
18:35 < palate> I'd rather push it from the server
18:36 < palate> but it doesn't work. The connection is made, but the route is not pushed. And I don't see anything in the log
18:36 < palate> Does the push work in ptp mode?
18:45 < Kryczek> palate: add a "pull" line in the client config
18:48 < palate> Kryczek: "Options error: Parameter --pull can only be specified in TLS-mode,"
18:48 < palate> That answers my question, unfortunately :(
18:50 < palate> So I'll go with the TLS server mode, because pulling the routes is more important for me. I don't want the client to have to create the routes on its side. Better share a key file.
18:50 < Kryczek> palate: the IP range of the VMs changes a lot?
18:51 < palate> It is automatically created by docker-compose
18:51 < palate> So it depends on the host
18:51 < palate> In other words: yes, it will change
18:52 < palate> Well, I'll go for the TLS mode. It's not so bad. Just a more complex setup, but that's how it is, I guess
18:53 < Kryczek> ah ok
18:53 < Kryczek> yeah TLS mode is just a bit more complicated but not so bad, as you say :)
18:53 < Kryczek> wait
18:54 < Kryczek> palate: why not tell the client to use the VPN server as the default gateway? Then you don't need static routes
18:54 < palate> hmm
18:54 < Kryczek> palate: does the client need to access other networks at the same time?
18:54 < Kryczek> like WiFi and stuff
18:54 < palate> yes :-)
18:54 < Kryczek> ah :(
18:54 < Kryczek> otherwise it would have been as easy as adding "redirect-gateway def1" to the client config
18:54 < palate> those will be developers trying to debug the drone. They will definitely need stackoverflow ;-)
18:55 < Kryczek> lol
18:55 < palate> oh wait
18:55 < Kryczek> lemme know where they're flying it, so I know when to duck :P
18:55 < palate> haha
18:55 < palate> no but with the docker thing, I am just wondering if I cannot abuse the network a bit
18:56 < palate> I connect to the server on 192.168.7.2:1194, which is exposed and goes into this 172.x.x.x that I don't necessarily know
18:56 < palate> but maybe the route to 192.168.7.2 is enough
18:57 < palate> I bet it won't work :D
18:58 < Kryczek> the clients need to know that they need to route through 10.0.0.1 for packets going to 172.x.x.x
18:58 < palate> yeah obviously it doesn't
18:59 < palate> Kryczek: yeah, just realized that looking at the new `ip route show` output xD
18:59 < palate> I'll go for the TLS one tomorrow!
18:59 < Kryczek> and your VMs need to know that to reply to 10.0.0.2 they need to route through... the 172.x.x.x IP of the VPN server
18:59 < palate> Thanks a lot for your help. Getting late here, I need to sleep =)
18:59 < palate> (2am here)
19:00 < palate> So good night, and again, thanks for your help :-)
21:40 < SimpleName> ordex: I use udp, now openvpn client connect openvpn server well, then I kill openvpn server. ping-start will start work, then process restart, after restart, client will try connect action. does these step that I think is correct ?
21:40 <@ordex> it should
21:51 < SimpleName> ordex: I write one script to start openvpn client, now if openvpn client restart, the script how to know, I have one silly way check the sysout with interval, and I can found restart string appear.
21:51 <@ordex> yeah
21:51 < SimpleName> ordex: do you have any better way
21:51 <@ordex> maybe the status file has something more deterministic to check
21:52 <@ordex> but I'm not sure
21:52 < SimpleName> I checked it, no something useful
21:56 <@ordex> I see
21:56 <@ordex> not sure what else to check
22:02 < SimpleName> : ) thanks, just use silly way, I don’t think it’s too bad
--- Day changed Wed Oct 18 2017
02:14 <+hyper_ch> I have to say, wireguard brings good speed for gigabit internet and it's fairly simple to setup....
03:35 -!- sunrunner20_ is now known as sunrunner20
03:49 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 255 seconds]
03:54 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
03:54 -!- mode/#openvpn [+o dazo] by ChanServ
05:45 < ch1pp0> hey, is there a way to see some statistics or info from the openvpn client about which processes are using the tunnel and how much data they are sending through?
05:45 < BtbN> no
05:46 < BtbN> You can run something like iftop on the openvpn interface on the client if you want to find out.
05:46 < BtbN> But that only shows destinations iirc, not processes
05:48 <@dazo> ch1pp0: that's not really possible without a DPI of each packet passing over the tunnel .... for example, http (normally port 80) can be run on any other ports .... and I never configure my hosts to use port 22 for ssh
05:51 -!- abenz__ is now known as abenz
05:56 < fahmad> Hello can soomeone help me with this https://pastebin.com/3JpQYkJg ?
06:04 < fahmad> this one includes vpn server configuration https://pastebin.com/PdwrUqv2
06:21 < fahmad> anyone ?
06:23 < Conino> Hi all! I've recently installed a second router/modem acting as my gateway infront of my existing router acting as my dhcp server and providing the wifi. All my ports are forwarded correctly and my client device can connect to openvpn server while using an external connection. However, I cannot connect to the server from the same client while trying via the local network.
06:23 < Conino> any ideas why this could be?
06:31 < Case_Of> hi
06:32 < Case_Of> how to choose which program instance to connect through openvpn connection and which program using directly the network without going through openvpn?
06:58 <@dazo> !notovpn
06:58 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
06:59 <@dazo> fahmad: ^^^ .... I would probably check out #netfilter, as what you're describing basically iptables related
07:00 <@dazo> Case_Of: it is hard to understand your question .... are you asking how you can make some programs go via the tunnel and not everything?
07:02 <@dazo> Conino: can you try to draw and pastebin an ascii-art of your network setting, providing the various interface names and their IP and subnet addresses?  ... here's a nice tool to get you quickly started: http://asciiflow.com/
07:02 <@vpnHelper> Title: ASCIIFlow Infinity (at asciiflow.com)
07:03 <@dazo> (I generally find words confusing, pictures can tell a lot more :) )
07:04 < Conino> dazo, thanks for getting back to me. I just found out my network is double NATed hence the issue. Nothing to do with openvpn itself :)
07:05 <@dazo> fair enough.  Yeah, NAT can really be annoying
07:06 < Conino> as i've come to find out, yes :)
07:06 < havoc> people who don't understand NAT can be really annoying :(
07:06 < havoc> I've been dealing with it a lot with that monster deployment I've been working on :(
07:07 <@dazo> havoc: hahaha .... well, I'd probably say "even more annoying" ;-)
07:07 < havoc> a lot of customers saying it can't work, "that's double NAT!"
07:07 < havoc> no, no it isn't
07:08 < havoc> and it's working at over 1,700 locations, exactly the same way
07:09 < havoc> but the fault really lies with my superiors, for failure to manage customer expecations, and train them
07:09 < Case_Of> dazo: yeah that is what i tried to ask
07:10 < havoc> currently, 1665 ovpn clients connected, getting closer!
07:10 < Case_Of> dazo: how to make some programs use the tunnel and others not.
07:10 <+hyper_ch> congrats?
07:11 < havoc> 1741 provisioned, just not all online at the moment
07:11 <+hyper_ch> 80 people didn't come to work then
07:11 < havoc> hyper_ch: nah, not all turned on for the day yet
07:12 <+hyper_ch> so, what do you do with so many customers?
07:12 < havoc> different business get rolling at slightly different times
07:12 < havoc> hyper_ch: the VPN is for access to our equipment, all locked down stuff
07:12 < havoc> automotive industry gear
07:13 <@dazo> !routebyapp
07:13 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination., or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
07:13 <@vpnHelper> policies you set. For Linux, read about !lartc
07:13 <@dazo> Case_Of: ^^^
07:13 <+hyper_ch> still no idea wha you do :)
07:13 <@dazo> smells like Tesla :-P
07:14 <+hyper_ch> but e-cars don't smell...
07:14 < havoc> hyper_ch: mostly I/M industry stuff, "Inspection / Maintenance", basically "emissions testing" for cars
07:14 < Case_Of> dazo: ok
07:15 <@dazo> IIRC, Tesla cars use OpenVPN, where each car (client) connects to "skynet" :) .... I've also heard that it's a Ubuntu spin running in those cars too
07:15 < Case_Of> !lartc
07:15 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
07:15 <+hyper_ch> havoc: so you were the guys that did do those false testings?
07:15 <+hyper_ch> or help cheating the emissions tests
07:15 < havoc> hyper_ch: no, we just sell the stuff to the guys that do/did it ;)
07:15 <+hyper_ch> how many did you sell to tesla? *ggg*
07:15 < havoc> </sarcasm>
07:16 < havoc> we do the systems for the states/governments to do it
07:16 <+hyper_ch> but why do they need vpn access to you?
07:16 < havoc> we're the contractor running the program for the state
07:16 <+hyper_ch> ah ok
07:17 < havoc> the vpn is so we have contact with all the gear
07:17 <+hyper_ch> cool
07:17 < havoc> there are also IP cameras, which we run over the vpn
07:17 < havoc> this allows us control, AD access, etc...
07:17 < havoc> also upgrades, maintenance, auditing, etc...
07:18 < havoc> been rewriting a lot of my bash scripts in perl, *significant* speed increase
07:19 <+hyper_ch> why would you rewrite to perl? oO
07:19 < havoc> hyper_ch: cuz it's *at leats* and order of ten faster
07:19 <+hyper_ch> but it's perl
07:19 < havoc> fortunately none of this stuff has to run very often
07:19 < havoc> hyper_ch: ah, you mean vs. python, or something?
07:20 < havoc> I try to target the lowest common denominator
07:20 <+hyper_ch> I'd stick to bash
07:20 <+hyper_ch> python... iieeks
07:20 < havoc> I write more windows stuff in DOS than PS1 too, for the same reason
07:20 <+hyper_ch> but you have now bash on windows
07:20 < havoc> I, unfortunately, rarely control the machines this stuff will run on :(
07:21 < havoc> so I have to target the minimum I can expect the client to have
07:21 -!- abenz_ is now known as abenz
07:22 < havoc> so even when I do it in perl, I use zero modules/pragmas, beyond what's part of a base/core install
07:23 < havoc> but as a general rule, it's bash for *nix clients, DOS for Windows clients, with perl/ps1 being an "upgrade" for nix/win, if it's assured to be available
07:24 < havoc> the [sad] reality is that I have no control over the client side; I can't have them install/configure anything, I have to write stuff that "just works"
07:35 < fahmad> dazo: there is confusion
07:35 < fahmad> i know iptables i can work on it without issue
07:36 < fahmad> but problem is could not understand SNAT because rules will be applied on server side right
07:57 < rob0> !clientlan
07:57 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
07:57 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
07:57 < rob0> fahmad, ^^ flowchart
07:58 < fahmad> rob0: ?
07:59 < fahmad> rob0: you want me to make diagram ?
08:01 < rob0> Did I?  No, I just thought you wanted help to reach your client LANs.
08:01 < fahmad> well i can reach them
08:01 < fahmad> the problem is in the logs it showing VPN IP
08:02 < rob0> oh, so maybe the SNAT is being done on the client?
08:02 < fahmad> i want to get rid of that VPN IP and i want to get real client ip e.g. 192.168.1.100 connects to 192.168.80.10 its showing in the logs that connection was made from 172.16.100.1
08:02 < fahmad> got it ?
08:02 < fahmad> i want it should give connection was made from 192.168.1.100
08:02 < fahmad> instead of 172.16.100.1
08:09 < palate> Hello!
08:10 < fahmad> rob0: any idea ?
08:11 < palate> I am running openvpn in a docker container. I have a docker image that works perfectly well if I run the original container. But if I run another container that just extends the first one (so it should be the same, except maybe for the network ip), I get a VERIFY_ERROR from the client
08:11 <+Dougy> same certs?
08:11 < palate> yes
08:11 < palate> exactly the same Dockerfile
08:12 < palate> Well, let me rebuild everything from scratch just to be sure
08:12 < fahmad> my senario is not applicable ?
08:14 < rob0> fahmad, did you trace through the flowchart?
08:14 -!- mode/#openvpn [+o ordex] by ChanServ
08:14 < palate> Ok. If somebody comes to you with a docker issue, *always* ask them to rebuild the image from scratch with --no-cache before they start struggling with a problem. Just solved mine -_-'
08:15 < palate> Docker is supposed to make a diff when you build, and rebuild only what's necessary. But it really seems like sometimes you need to force it to throw everything away
08:17 < fahmad> i do not want to logged the ip of openvpn tunnel
08:17 < fahmad> i just want user actual ip
08:25 < ch1pp0> dazo: any tips for doing dpi before tha packet gets encrypted by the openvpn client?
08:29 <@ordex> just do it on tun0 :P
08:29 <@ordex> btw, you may not need to do DPI, unless you really need to know what's inside the packet
08:30 <+hyper_ch> dazo: you're a systemd guru or was it ecrist?
08:32 < ch1pp0> ordex: I'd like to know what's inside every packet :)
08:33 <@ordex> ah ok
08:33 <@ordex> I thought you wanted to know which process is sending the packet, not what's inside, sorry :P
08:34 < fahmad> ecrist i think
08:35 < ch1pp0> ordex: well yeah, I need to know which process is sending the packet but I'd like to know what's inside them
08:36 < palate> is there a way to push a DNS to the client? From inside my network, I can `ping machine`. Can I make is such that a client connecting through the vpn could `ping machine` as well? I tried --dhcp-option DNS <dns_server>, but it doesn't seem to work. Is that the right way to do it?
08:37 < palate> And do I have a way to visualize that on the client? For instance the routes are visible in `ip route show`, but I have no clue how it works for hostnames =/
08:37 < palate> (probably I just need keywords, I can google the rest)
08:38 < rob0> well, "machine" is an unqualified hostname, and DNS deals in fully-qualified names (like machine.site.example.com.)
08:39 < rob0> Generally get out of the habit of relying on search domains; but then yes, it's easy to rig up multi-site internal DNS:
08:40 < rob0> !dnsmasq
08:40 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
08:40 < fahmad> my senario is not applicable ?
08:41 < palate> rob0: do you mean it is a better practice to use static ips?
08:41 < rob0> not sure where you got that?
08:42 < palate> rob0: "get out of the habit of relying on search domains"
08:42 < palate> rob0: not sure I understood that, which is why I asked :D
08:42 < rob0> my multi-site DNS example does not use static IPs
08:43 < palate> rob0: yeah the dnsmasq page seems to answer my question, I'm reading that :-).
08:43 < palate> rob0: but I wanted to understand the good practice about the search domains, too
08:43 < rob0> "search" is a resolver(5) feature which appends a .domain to unqualified hostnames and repeats a DNS query
08:45 < palate> rob0: oh, so "generally get out of the habit of using "machine" instead of "machine.site.example.com". That's what you were saying?
08:46 < palate> rob0: I use search names just because it is a bit black magic for me. If you tell me I can understand it better by reading the man page of revolver(5), I'm happy to do it :-)
08:46 < palate> rob0: Except that I cannot find the manpage =/
08:47 < rob0> resolv.conf(5) maybe
08:48 < rob0> and yes, that's what I was saying
08:48 < palate> rob0: thx!
08:49 < palate> oh, resolver, not revolver :D. That's completely different on google xD
08:50 < rob0> "man 5 resolver" brings up the resolv.conf(5) manual on my GNU/Linux
09:00 < palate> rob0: So on your own machine, you don't have /etc/resolv.conf but use dnsmasq instead?
09:03 < rob0> um, to use a local nameserver you'd put "nameserver 127.0.0.1" in resolv.conf
09:04 < rob0> on my laptop I've not been able to do that, because sometimes I go to wacky captive portals which require you to use their nameserver
09:04 < rob0> on servers I generally do have "nameserver 127.0.0.1"
09:06 < palate> rob0: hmm, but docker has its own dns server (in resolv.conf: "nameserver 127.0.0.11")
09:07 < rob0> I don't use docker, can't advise on that
09:08 < palate> I'm trying to understand the system. Say that I have a client with vpn ip 10.0.0.6 connected through its tun interface to 10.0.0.5. The client gets an ip route from the server, so it can ping 172.20.0.x through 10.0.0.5.
09:09 < rob0> well, you're using /30, don't.
09:09 < rob0> !/30
09:09 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
09:10 < palate> The vpn server can ping 10.0.0.6. I assume it updated its own routes since it got the connection from the client. But the other people in the network cannot ping 10.0.0.6.
09:11 < palate> Is there a way to inform everybody that a client joined the network, or should I manually add a rule like `iptables -t nat -A POSTROUTING --src 10.0.0.6 -j MASQUERADE`?
09:12 < DArqueBishop> palate: if the VPN server is not the default gateway for the server LAN, you need to tell the default gateway to route traffic for the VPN subnet to the VPN server.
09:12 < DArqueBishop> !route-outside-ovpn
09:12 < DArqueBishop> !routeoutsideovpn
09:12 < palate> !topology
09:13 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
09:13 < DArqueBishop> !factoids
09:13 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
09:13 < palate> !route-outside-ovpn
09:13 < DArqueBishop> Ah!
09:13 < DArqueBishop> !route_outside_ovpn
09:13 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
09:14 < palate> Thanks DArqueBishop, reading that!
09:17 < DArqueBishop> For example, back in the day, my router/firewall was 192.168.1.1 and the VPN server's LAN address was 192.168.1.5. I had to put a special route in the router/firewall that said traffic for 10.8.0.0/24 (my VPN subnet) had to be sent to 192.168.1.5.
09:18 < DArqueBishop> (Network subnets changed to protect the innocent. ;-) )
09:20 < palate> DArqueBishop: but how do I put this route in the default gateway? route add -net ... gw ... is setting that on the route table of the machine on which I run it, not on the default gateway, right?
09:21 < palate> !route
09:21 < DArqueBishop> You have to log into the actual machine that is the default gateway and add it.
09:21 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
09:22 < DArqueBishop> I can't answer the question specifically because I don't know what kind of machine you use for your default gateway. A Netgear wireless router is going to have different commands/procedures than a Cisco router, for example.
09:26 < palate> DArqueBishop: I was hoping I could push this route from any machine in the network :)
09:27 < palate> DArqueBishop: I am in a docker network. And the gateway is the host, I think. Which is not very practical. But I'm trying to do this right now, just to see if it works
09:29 < palate> DArqueBishop: It works when I set it on the host, apparently
09:29 < DArqueBishop> I have little to no experience with Docker containers, so I can't answer that specifically.
09:31 < palate> DArqueBishop: yeah it's allright. It seems like network experts don't really like docker :D
09:34 < palate> Is there a way to see the routes of the gateway from another machine in the network? Or do I need to log on the gateway and run `ip route show`?
09:34 <@ordex> palate: yeah, routes are locally configured
09:36 < palate> ordex: ok
10:05 < palate> Yeah it is a bit annoying actually. Docker containers run behind a bridge ("bridge0"). So they are in their own subnetwork, and their gateway is the host. Which means that a docker container can connect to the internet through the host. Now, if I run a docker container as a vpn server, I need to inform the containers of the network of the new route. For this, I have to set a rule on the gateway, which is the
10:05 < palate> host. Funny thing is that the host doesn't know the ip of the container running the vpn server before it is created :)
10:06 < palate> So as a result, I need to first run my containers, then look for the ip of the vpn server, and finally create the route on the host (which is the gateway).
10:09 < palate> What does make a system a gateway? I mean, can I just install a linux machine (let's call it A), tell all the machines of the network that their gateway is A, and then give a default route to A?
10:09 < palate> In other words, what is the process taking care of those routes, in a gateway?
10:14 <@dazo> hyper_ch: I'm the systemd guy .... ecrist is less than happy with it, I think :)
10:14 <+hyper_ch> well, I think I already got helped in #systemd
10:14 <+hyper_ch> I need to run a script when powering down and never written a unit file before
10:16 <+hyper_ch> dazo: that's what I came up with https://paste.simplylinux.ch/view/raw/60bf9ac4
10:19 <@dazo> hyper_ch: yeah, #systemd is a reasonable place to ask :) .... never done that approach before .... a probably even better approach would be to have the unit starting it to not use fork() but run in the "foreground"  (systemd tracks it and lets the other stuff continue) ... then you can join these two things into a single unit
10:20 <+hyper_ch> those two things?
10:20 <+hyper_ch> ah, you're also in #systemd
10:20 <+hyper_ch> the reason for cron is
10:20 <+hyper_ch> I boot up the notebook
10:21 <+hyper_ch> usb not attached (and not recognized anyway becasue I don't have modules in the initrd)
10:21 <+hyper_ch> so at one point I plug the usb drive in
10:21 <@dazo> hyper_ch: I'm in #systemd to learn, primarily ;-) .... since this service have started, it had to be started somehow - I'd recommend doing the start-up in the same unit as the shutdown
10:21 <+hyper_ch> and then it should reattach it to the pool for mirroring
10:21 <+hyper_ch> that's why I use cron every 5 minutes to check if usb is now attached to the system
10:22 <+hyper_ch> so there's no startup actaully
10:22 <@dazo> ahh ... this can also be done by systemd I believe, there are some triggers you can use .... or even udev.rules
10:22 <+hyper_ch> dazo: or I just use system cron:  https://paste.simplylinux.ch/view/raw/401e8ea8
10:23 <@dazo> that's quite hackish ... with udev.rules, you can run a script when a specific event (like a device) is added
10:24 <+hyper_ch> that sounds hackkish :)
10:24 <+hyper_ch> I've had tons of issues with udev.rules back on *buntu
10:24 <@dazo> that's how modern linux'es is designed to work ... udev is handling hardware integration and hot-plug
10:24 <+hyper_ch> or let just cron do it's thing
10:25 <@dazo> it's your system .... I wouldn't do it like that, but it's your call
10:25 <@dazo> have a look at man systemd.device
10:26 <+hyper_ch> man pages are too complicated for me
10:26 <@dazo> gee .... I'm tempted to kick you for trolling! :-P
10:26 < rob0> you think those are complicated, just try woman pages!
10:27 <+hyper_ch> I wouldn't even dream of trying to do that
10:30 <+hyper_ch> dazo: do you happen to use zfs?
10:33 <@dazo> hyper_ch: nope .... I avoid non-native fs
10:34 <+hyper_ch> but it's zfs on linux :) sounds pretty native to me
10:34  * DArqueBishop once trolled a homophobic coworker by telling him that the perfect command for him to look up help files in Linux was "find man".
10:34 <@dazo> hyper_ch: isn't that fuse based?
10:34 <+hyper_ch> no
10:34 <+hyper_ch> well, there's a fuse variant
10:36 <@dazo> I generally also prefer whatever FS is shipped in official CentOS/Scientific Linux kernels (hence, supported by RH) ... so I mostly use XFS with LVM + mdraid .... that mostly gives me all the features I need
10:36 <+hyper_ch> so you know centos :)
10:37 <@dazo> I'm belonging to the RPM camp ;-)
10:39  * DArqueBishop is also a CentOS/RH person.
10:39 <+hyper_ch> good to know
10:39 < DArqueBishop> (Though, I only moved to CentOS for my personal servers a couple of years back. Before that it was Slackware.)
10:39 <@dazo> I see a lot have happened in the zfsonlinux side since last time I checked (about a year ago) ... but nah, I'm extremely conservative when it comes to file systems ... I don't want to waste time recovering files due to FS issues
10:40 < DArqueBishop> I only started "learning" Ubunbtu a couple of years ago because the company I was working for supported Ubuntu and CentOS/Red Hat systems.
10:42 <@dazo> When I took my RHCE (on RHEL5) ages ago ... what saved me most of all was probably all the debugging stuff and challenges Slackware and Gentoo had thrown at me over the years :-P
10:42 <+hyper_ch> when I run yum update on a centos, I get this:
10:42 <+hyper_ch> Transaction Check Error:
10:42 <+hyper_ch>   package kernel-2.6.32-642.15.1.el6.x86_64 (which is newer than kernel-2.6.32-642.13.1.el6.x86_64) is already installed
10:42 <+hyper_ch> how to fix?
10:42 <@dazo> Run yum-complete-transaction
10:42 <@dazo> (from yum-utils, iirc)
10:43 <@dazo> a yum update probably got interrupted when cleaning up
10:43 <+hyper_ch> no unfinished transactions left
10:43 <@dazo> and running yum update now?
10:44 <+hyper_ch> Transaction Check Error:
10:44 <+hyper_ch>   package kernel-2.6.32-642.15.1.el6.x86_64 (which is newer than kernel-2.6.32-642.13.1.el6.x86_64) is already installed
10:44 <+hyper_ch> still the same
10:44 <@dazo> try: yum erase kernel-2.6.32-642.13.1.el6.x86_64 ; yum reinstall  kernel-2.6.32-642.15.1.el6.x86_64
10:46 <+hyper_ch> no luck
10:46 <+hyper_ch> https://paste.simplylinux.ch/view/fde0e70d
10:46 <+hyper_ch> running yum update again same error
10:46 < DArqueBishop> Maybe you need to rebuild the yum database?
10:46 < DArqueBishop> Try running this:
10:47 < DArqueBishop> yum clean all ;  yum update
10:47 <+hyper_ch> rebuilding db according to https://www.centoshowtos.org/package-management/rebuild-corrupted-yum-database/
10:47 <@vpnHelper> Title: Configuration / Package Management / Rebuild Corrupted Yum Database | CentOS HowTos (at www.centoshowtos.org)
10:48 <+hyper_ch> downloading packages again
10:50 <+hyper_ch> Transaction Check Error:
10:50 <+hyper_ch>   package kernel-2.6.32-642.15.1.el6.x86_64 (which is newer than kernel-2.6.32-642.13.1.el6.x86_64) is already installed
10:52 < DArqueBishop> Is that CentOS 6?
10:52 < DArqueBishop> Yes, it is.
10:52 <+hyper_ch> no idea
10:52 < DArqueBishop> (I would have known had I looked at the version number first. ;-) )
10:53 <@dazo> yeah, that does look like corrupted databases
10:53 < DArqueBishop> Uhm.
10:53 < DArqueBishop> Wow.
10:53 <+hyper_ch> I just removed the whole db according to that website above
10:53 < DArqueBishop> If that's the kernel version that comes up, your system is all kinds of FUBARed.
10:54 <+hyper_ch> DArqueBishop: why?
10:54 <@dazo> hyper_ch: don't reboot until you've rebuilt the databases
10:54 <+hyper_ch> dazo: I already did
10:54 <+hyper_ch> still error persists
10:54 < DArqueBishop> I just checked a CentOS 6 box I maintain, and the version that came up for the latest kernel is 696.13.2.el6.
10:55 <@dazo> rpm -qi kernel-2.6.32-642.15.1.el6.x86_64 ... what does that give?
10:55 <+hyper_ch> https://paste.simplylinux.ch/view/raw/bf1bfead
10:55 < DArqueBishop> That release is from February.
10:57 <+hyper_ch> how to update?
10:57 < DArqueBishop> That's the problem. A working yum database/cache would have updated you already.
10:57 <@dazo> I'm guessing this is due to a repository with some test/preliminary/additional repo got disabled
10:57 < DArqueBishop> What dazo said, too.
10:57 <+hyper_ch> that means?
10:58 < DArqueBishop> Something's misconfigured in your yum repos.
10:58 <+hyper_ch> just assume I have no clue about centos :)
10:58 <+hyper_ch> or yum
10:58 <+hyper_ch> apt is nice to work with
10:58 <@dazo> you got this kernel when another repo was enabled/active ... then that repo got removed (or that kernel version got removed from an existing repo) ... which removes the knowledge about this newer version from yum
10:59 <@dazo> check out on some centos channels what happened with that kernel ... this is very centos specific
10:59 <@dazo> my Scientific Linux 6 mirror does not carry that kernel version at all
10:59 < DArqueBishop> I'd check /etc/yum.repos.d.
11:00 <@dazo> this is the latest one I have: mirrors/SL/6.9/x86_64/updates/security/kernel-2.6.32-696.13.2.el6.x86_64.rpm
11:00 < DArqueBishop> Same, dazo.
11:01 <+hyper_ch> http://vault.centos.org/6.8/updates/x86_64/Packages/
11:01 <@vpnHelper> Title: Index of /6.8/updates/x86_64/PackagesCentOS Mirror (at vault.centos.org)
11:01 <+hyper_ch> here's that kernel I think
11:01 < DArqueBishop> hyper_ch: what are the contents of /etc/yum.repos.d/CentOS-Base.repo?
11:01 < DArqueBishop> Also, what does /etc/yum.repos.d contain?
11:02 <+hyper_ch> https://paste.simplylinux.ch/view/raw/31200247
11:03 <+hyper_ch> Centos-Base.repo  epel.repo  epel-testing.repo
11:03 < DArqueBishop> I think I see a possible problem.
11:03 < DArqueBishop> In CentOS-Base.repo, comment out the baseurl lines and uncomment the mirrorlist lines.
11:04 < DArqueBishop> Then run "yum clean all", followed by "yum update".
11:05 <+hyper_ch> 1,2 gb to download
11:05 <+hyper_ch> done
11:05 <+hyper_ch> same error
11:06 <+hyper_ch> can't I just force remove kernel-2.6.32-642.15.1.el6.x86_64 and install the other?
11:07 < DArqueBishop> Sure, if you want to risk making your system unbootable.
11:08 <+hyper_ch> awww
11:08 <+hyper_ch> can't I just force install the new one then?
11:08 < DArqueBishop> You COULD... but the fact that you're still getting that area is seriously problematic.
11:09 < DArqueBishop> s/area/error/
11:09 < DArqueBishop> Do me a favor. Run "rpm -q openssh" and tell me what it says.
11:10 <+hyper_ch> openssh-5.3p1-118.1.el6_8.x86_64
11:10  * dazo heads for a meeting
11:10 <+hyper_ch> nice bailout ;)
11:10 < DArqueBishop> What happens when you run "yum update openssh"?
11:11 < DArqueBishop> Or, better, "yum update openssh-server"?
11:11 <+hyper_ch> without a glitch https://paste.simplylinux.ch/view/raw/7bf8be39
11:12 < DArqueBishop> Run "yum history sync".
11:13 <+hyper_ch> yum has all kinds of commands :)
11:13 <+hyper_ch> done
11:14 <+hyper_ch> history sync
11:15 <+hyper_ch> yum update again?
11:15 < DArqueBishop> Now run "yum update".
11:16 <+hyper_ch> still same
11:16 <+hyper_ch> https://paste.simplylinux.ch/view/raw/94fedf31
11:17 <+hyper_ch> this is better:  https://paste.simplylinux.ch/view/raw/fe5f00b9
11:17 <+hyper_ch> it seems that "kernel" entry is a problem
11:18 < DArqueBishop> Wait what?
11:18 <+hyper_ch> in the latest pastebin
11:19 <+hyper_ch> can I update the rest and skip the kernel?
11:19 < DArqueBishop> That doesn't look right at ALL.
11:20 < DArqueBishop> The update repo should be called "updates", not "updates-release-x86_64".
11:21 <+hyper_ch> trying to update all the rest meanwhile
11:21 <+hyper_ch> yum update a*
11:21 <+hyper_ch> b* ... etc
11:22 < DArqueBishop> What are the contents of epel.repo and epel-testing.repo?
11:23 <+hyper_ch> https://paste.simplylinux.ch/view/raw/b40f4941
11:26 <+hyper_ch> I was able to update osme kernel using k* but then it failed on other kernel with *l   https://paste.simplylinux.ch/view/raw/ef8e0af6
11:37 < DArqueBishop> Something is seriously wrong with your box.
11:38 < DArqueBishop> Unless it's defined in /etc/yum.conf, you don't have a updates-released-x86_64 repo configured.
11:38 < DArqueBishop> That almost tells me the box is compromised.
11:39 < DArqueBishop> updates-released-x86_64 is where it's trying to pull that bad kernel release from, but you don't have it in your repo files and it's not a default repo.
11:40 < DArqueBishop> So, it's either configured in /etc/yum.conf or your yum binary has been altered.
11:40 < DArqueBishop> (Or you're not using the right yum binary; "which yum" should come back as /usr/bin/yum.)
11:41 < DArqueBishop> I'd go on, but I have to run and get lunch for my wife who's home sick. I'll be back in an hour and a half.
11:41 < DArqueBishop> Check the aforementioned files; like I said, you may be compromised or misconfigured.
11:41 <+hyper_ch> box can't be compromised
11:42 < DArqueBishop> Anyway, AFK.
11:42 <+hyper_ch> thx
13:29 < DArqueBishop> Back.
13:30 < DArqueBishop> I'm always skeptical when I hear any variation of "unhackable".
13:41 < DArqueBishop> hyper_ch: in any event, like I said, the yum binary on that server is not acting like it should, because unless that "updates-released-x86_64" is in /etc/yum.conf, you have a phantom repo being referenced.
13:41 <+hyper_ch> DArqueBishop: it's ok, killed and re-setup vm
13:42 <+hyper_ch> took me like an hour
13:42 <+hyper_ch> although, still need to reconfigure postfix
13:58 < hum77> hi, is there a way to change dns server after openvpn connects? to tell the softwares on linux (debian) to use x.x.x.x for dns for example, and not the one provided by the ovpn file?
13:59 < hum77> the one provided by ovpn file doesn't work, but connection is fine
13:59 < hum77> only no application can do any nslookup after ovpn connects
14:01 <+hyper_ch> !pushdns
14:01 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN
14:01 <@vpnHelper> for Android and OpenVPN Connect will happily accept push dhcp-option
14:04 < hum77> thank you, pushdns is for server right?
14:04 < hum77> i can't use it on my client?
14:05 < hum77> cause the server isn't mine
14:07 < hum77> also I tried push "dhcp-option DNS 8.8.8.8" line in my .ovpn file it is still not working
14:08 < hum77> no nslookup is done, firefox can't go to google
14:48 < rob0> --dhcp-option is for Windows only
14:51 < rob0> You can do all sorts of hacks to change resolv.conf, or you can do what I do: create internal name resolution that works whether on VPN or not.
14:51 < rob0> !dnsmasq
14:51 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
15:00 < hum77> I got the proxy (socks) to handle dns, I already have a dns server thanks anyways, seems impossible direct dns
15:00 < rob0> what does "direct dns" mean?
15:03 < hum77> i mean dns lookup on openvpn = direct dns
15:04 < hum77> it doesn't work
15:04 < hum77> ;(
15:04 < rob0> still not clear
15:08 < DArqueBishop> Have you talked to your VPN provider?
15:08 < BtbN> Configure your client to reject the dhcp option push?
15:09 < rob0> oh "the server isn't mine," yes, a provider is involved
15:10 < rob0> The simplest way to make DNS work whether redirected gateway or not, "echo 'nameserver 8.8.8.8' > /etc/resolv.conf".
15:10 < rob0> you'll hit 8.8.8.8 via your ISP or via your VPN, depending on the route table at the time.
17:35 < |Mike|> re.
18:09 -!- krzie [ba060e9e@openvpn/community/support/krzee] has joined #openvpn
18:09 -!- mode/#openvpn [+o krzie] by ChanServ
18:14 -!- krzie [ba060e9e@openvpn/community/support/krzee] has quit [Quit: Page closed]
--- Day changed Thu Oct 19 2017
01:50 -!- Bock is now known as LocaMocha
06:41 < Phrk_> Hello, is it possible to launch iptables script inside the up and down openvpn script ?
06:44 < |Mike|> yep!
06:47 <@dazo> Phrk_: yes ... but you need to consider which script hooks you use and the privileges they run under.
06:48 <+hyper_ch> dazo: what about editing /etc/default/openvpn and add --script-security 2; --up /path/to/script   to the OPTARGS?
06:48 <+hyper_ch> not a good idea?
06:49 < Phrk_> dazo, well since iptables is root only, and systemd run openvpn with root no ?
06:49 < Phrk_> hyper_ch, that's what i did
06:49 <@dazo> hyper_ch: that's something to discuss with the Debian package maintainer .... that's not a file we ship in upstream openvpn ;-)
06:50 <+hyper_ch> :)
06:50 <@dazo> Phrk_: I dunno if this is server or client ... but if server side, and you use --client-connect and --user/--group ... then the script will be run with the privileges of --user/--group
06:50 < Kryczek> Phrk_: maybe the rules can be written so that they're there even when the VPN is down, but they only apply when it is up?
06:50 < Kryczek> (that's how I do mine)
06:51 < Kryczek> granted, it's a bit weird to write iptables rules for interface that do not (yet) exist
06:51 < Phrk_> Kryczek, yes for client but when i exec, i got could not execute external program
06:51 <@dazo> Kryczek: depends a lot on how things are configured ;-) .... in my eurephia project, I do dynamic firewall updates based on which client who connects
06:52 <@dazo> (but that's server side)
06:52 < Kryczek> dazo: ah you mean clients get dynamic IP so then you update rules with the IP they get? :)
06:52 < Phrk_> ye i only want to do client side
06:52 < Kryczek> Phrk_: what kind of filtering are you trying to do?
06:53 < Phrk_> Kryczek, just basic leaks dns and connections leaks
06:53 <@dazo> Kryczek: yeah
06:53 < Kryczek> Phrk_: and the system can also access all the internet when the VPN is down, or you want it to only access the Internet through the VPN forever?
06:53 <@dazo> Phrk_: then you can use --up ... that should run *before*  openvpn drops privileges
06:53 < Phrk_> sometimes i forgot to chattr my resolv.conf and got leaks cause i'm dumb
06:54 < Phrk_> my down rules is ok, he get rid of the firewall
06:54 < Phrk_> my up rules doesn't work
06:55 <@dazo> Phrk_: *but* if you also want to run something when openvpn stops running .... then you need to use --plugin with the downroot.so plugin ... as --down is run with non-root privileges, downroot.so resolves that
06:55 < Kryczek> Phrk_: how do you launch the openvpn client?
06:55 < Phrk_> systemd
06:55 <@dazo> and you need --script-security 2
06:55 < Kryczek> ah
06:56 < Kryczek> Phrk_: you mean like `/etc/init.d/openvpn start thevpn` ?
06:56 < Phrk_> systemd is like systemctl start openvpn-client@configfile
06:56 < Kryczek> Phrk_: yeah, I mean, from the command line :)
06:57 < Phrk_> what else ?
06:57 < Kryczek> NetworkManager or I don't know
06:57 < Kryczek> but no worries, I have an easy solution:
06:57 < Phrk_> Networkbuggshithole
06:57 < Phrk_> sorry
06:57 < Kryczek> Phrk_: write a start-vpn.sh file adding all iptables rules and then `systemctl start openvpn-client@configfile`
06:58 < Kryczek> Phrk_: then a stop-vpn.sh file doing `systemctl stop openvpn-client@configfile` and removing all the iptables rules
06:58 < Kryczek> now you can just `sudo ./start-vpn.sh` or `sudo ./stop-vpn.sh` and that's it! :)
06:58 < Kryczek> no need for lowering security with --script-security etc
06:58 < Phrk_> oh yeah good idea
06:58 < Phrk_> but
06:59 < Phrk_> why up /path/startvpn.sh doesn't work
06:59 < Phrk_> privilege problem ?
07:00 < Kryczek> Phrk_: yeah as you can see in `man openvpn` at the --script-security section, by default openvpn doesn't allow scripts
07:00 < Kryczek> because it's dangerous
07:00 < Phrk_> i know but i can put it to 2
07:00 < Kryczek> Phrk_: you can, but it's increasing your risk for no reason at all, when you can run the same script just before calling openvpn
07:00 < Kryczek> then let openvpn run with minimum privileges as it should be :)
07:02 < Phrk_> Yes but since i'm already using an external script, i taught let just upgrade this script
07:03 < Kryczek> ah
07:03 < Kryczek> what does your external script do?
07:05 < Phrk_> it force to update dns
07:05 < Phrk_> since openvpn doesn't want to
07:05 < Phrk_> (never found the time to understand why)
07:09 < Kryczek> maybe your openvpn client config is missing a "client" or "pull" line to accept the push options from the server?
07:14 < Phrk_> maybe need to check that
07:58 < CptLuxx> so simple question.. how can i disable that openvpn writes a log to the windows eventlog?
08:01 < Kryczek> log /dev/null
08:01 < Kryczek> xD
08:02 < Kryczek> or more seriously, to a file :)
08:02 < CptLuxx> im talking about windows
08:02 < Kryczek> I know
08:02 < CptLuxx> in the old version it has written to the log file
08:02 < CptLuxx> but now.. everything is in the eventlog
08:02 < Kryczek> ah maybe it's a bug
08:03 <+hyper_ch> decrease verbosity?
08:04 < Kryczek> hyper_ch: "verb" and "mute" don't get rid of everything unfortunately, I ended up doing `log /dev/null` because of the spam I was getting from all port scans on my TCP instance
08:04 < Kryczek> WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
08:04 < CptLuxx> im absolutly fine if its in the log file but.. retarded customer checks the eventlog form his server and notices "UHH OPENVPN STUFF"
08:04 < CptLuxx> ...
08:05 < Kryczek> those messages
08:06 < Kryczek> CptLuxx: did the customer agree to you vpn'ing into their server? :)
08:10 < CptLuxx> yes...
08:10 < CptLuxx> he is a retard
08:10 < CptLuxx> and he is even using it ..
08:51 -!- abenz__ is now known as abenz
08:54 < apus> hi, is it possible to use dns srv records for openvpn?
08:56 < rob0> I don't think openvpn has any means to look them up, natively.  There's no "srv" in the manual.  But you could script something outside openvpn to set a variable in the environment.
08:59 <@ecrist> OpenVPN doesn't have any current support for SRV records.
08:59 < apus> good to know, thank you both!
08:59 <@ecrist> I suspect putting your VPN servers in SRV records is less than ideal.
09:06 <+hyper_ch> what are srv records?
09:06 <@ecrist> hyper_ch: try google
09:06 <+hyper_ch> google hates me
09:06 < ExtraSteve> I'm following this guide on setting up openvpn on centos7 using easyrsa, but it keeps generating a 0 byte client.crt file: https://www.howtoforge.com/tutorial/how-to-install-openvpn-on-centos-7/
09:06 <@vpnHelper> Title: How to install OpenVPN Server and Client on CentOS 7 (at www.howtoforge.com)
09:06 < ExtraSteve> Is this a common issue? The only reports of this I could find were like, 5+ years ago and the fixes... don't fix it
09:07 < DArqueBishop> ExtraSteve:
09:07 < DArqueBishop> !howto
09:07 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
09:07 < rob0> hyper_ch, SRV is a DNS record type
09:07 < ExtraSteve> Thanks DArqueBishop - I'll read now :)
09:11 -!- zvirbliukas1 is now known as zvirbliukas
09:40 < |TheWolf|> Hi! I have kind of a weird problem: I have a web server, which I need to act as a VPN client, connecting to some VPN server (another server of mine). However, whenever I have the client connect, I lose my SSH connection and the machine seems to stop listening on all ports in general. I feel like I'm missing something super obvious here...
09:40 < |TheWolf|> both servers are rented from DC providers, so I don't have physical access to either of them
09:41 < rob0> I guess the client config has (or pulls) --redirect-gateway
09:42 < rob0> don't do that if you don't want to redirect the gateway
09:43 < |TheWolf|> oops
09:43 < |TheWolf|> that makes sense
09:43 < |TheWolf|> can I override that push in the client config? I kind of need the push for the other clients
09:43 < |TheWolf|> or do I need to add it in all other client configs then?
09:44 < rob0> !ccd
09:44 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
09:45 < |TheWolf|> okay, but I have to add a ccd file for each client apart from the one webserver, right?
09:46 < DArqueBishop> |TheWolf|: create one entry called DEFAULT that has the redirect-gateway line, and then create one for your webserver that's empty.
09:46 < |TheWolf|> oh nice, I didn't know about DEFAULT
09:46 < |TheWolf|> thanks!
09:47 < DArqueBishop> That's what I do. I have two clients that I can't have DNS changes pushed to, so I have the DNS push in DEFAULT and the ccd files for the aforementioned two clients are empty.
09:47 < rob0> well, you can use DEFAULT if you want, but personally I like having a bit of server-side access control,
09:47 < rob0> !ccd-exclusive
09:48 < rob0> !factoids search ccd
09:48 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
09:48 < rob0> hmm
09:48 < rob0> !factoids search exclusive
09:48 <@vpnHelper> No keys matched that query.
09:54 < |TheWolf|> thanks rob0 and DArqueBishop, I will try your suggestions!
10:11 < palate> re
10:11 < palate> Do you know what kind of performance difference I should expect from running a plaintext ptp vpn versus running a "normal" TLS one?
10:13 < palate> In other words, is the encryption costly? I would guess it is not, but I am streaming a heavy video through the vpn and it is quite slow (3 Hz vs 15 Hz on the machine running the camera)
10:13 <@novaflash> encryption is costly, and decryption too
10:13 <@novaflash> there's obviously a huge difference
10:13 <+hyper_ch> and then it also depends on what encryption you use
10:13 <@novaflash> ya
10:13 < palate> TLS
10:13 <@novaflash> haha
10:13 <@novaflash> funny
10:14 <@novaflash> well like, what cipher though?
10:14 < palate> sorry :)
10:14 <@novaflash> aes-256? bf? etc
10:14 <+hyper_ch> if running aes, does your vpn server have aes-ni support?
10:15 < palate> rsa?
10:15 < palate> my key.pem is generated through rsa
10:15 <+hyper_ch> how many bits
10:15 < palate> Is it then the encryption I'm using?
10:15 < palate> 2048
10:16 < rob0> you'd probably have to benchmark it yourself.
10:16 < palate> What is the smallest rsa key I could use?
10:16 < palate> (I don't mind about the security in this use-case)
10:17 < rob0> But if the system isn't overloaded, you'll just be using more CPU time, it shouldn't make much difference in throughput.
10:17 <+hyper_ch> what system are you actually running?
10:17 < rob0> You could also try an ipip or gre tunnel.
10:18 < palate> rob0: I have to look at ipip and gre, I don't know what that is
10:18 <+hyper_ch> or try wireguard... I get good throughput performance with wireguard on gigabit internet
10:18 < palate> hyper_ch: an Intel Aero drone. I just want to visualize what it is computing internally (basically an occupancy grid from a depth camera)
10:19 <+hyper_ch> no idea what that is
10:19 < palate> xD
10:19 < palate> robotics
10:20 < rob0> ipip is RFC 2003, http://rob0.nodns4.us/Linux-ipip-tunnels
10:21 < rob0> gre would be configured similarly, with "ip tun ..."
10:21 < palate> but to answer rob0, the system is actually overloaded :-).
10:21 < palate> rob0: But would ipip or gre be faster than a plaintext ptp openvpn?
10:22 < rob0> I have no way to know, but since it's in kernel space, I suspect it would be.
10:24 < palate> From your link, it seems ipip is actually very close to a plaintext ptp vpn, right?
10:25 < rob0> it does no encryption
10:26 < palate> same as a plaintext ptp :)
10:29 < rob0> The difference is no userspace software, and on a multicore system, any core can handle the ipip/gre.  Openvpn on multicore is stuck on a single designated CPU.
10:33 < palate> rob0: Your article is very nice.
10:34 < palate> rob0: However, I am still not completely sure it does what I want. Do it means I can connect a remote machine to a local machine and get the local machine to access the remote network as if it was in it, right?
10:35 < palate> rob0: So I could set a default route in my gateway so that all the machines can communicate with the remote machine. In effect, this is a plaintext p2p vpn setup. Right?
10:35 < palate> (in terms of usage)
10:55 < palate> If you guys are interested, I just tried a plaintext ptp vpn instead of the normal TLS using a 2048-bits RSA key. My performance went up from ~3Hz to ~4.5Hz. The speed on the drone itself it ~15Hz.
10:56 < palate> So it suggests that what makes the streaming slow is mainly the network (through USB, though), and not the encryption itself. Right?
10:56 <+hyper_ch> fail to see how Hz reflect speed
10:56 < palate> hyper_ch: frequency, sorry :)
10:56 < palate> I thought I did not know the english word, but I actually do xD
10:57 <+hyper_ch> still fail to see how frequency is related to speeds
10:57 < palate> Well, if I stream a video at 3Hz, it means I get 3 frames per second, right?
10:58 < palate> If I stream at 15Hz, I get 15 frames per second
10:58 <+hyper_ch> and if I have a throughput of 250MBs... how many herz is that?
10:58 < palate> So sending the very same set of frames, the latter will send the whole set 5 times faster
10:58 <+hyper_ch> Mbps
10:59 <@novaflash> hyper_ch: it hertz when i stream :-P
10:59 < palate> well, that's a vocabulary issue, right :)
11:00 <+hyper_ch> you might want to try wireguard
11:01 < palate> You're saying that the factor of 5 in frequency I lose going through openvpn is due to openvpn itself, but not the encryption?
11:02 < palate> I'd like to try ipip, rob0's suggestion, actually. But I fear get the same frequency in the end because it is a network issue
11:02 < palate> Just for learning, I'll try to play with ipip
11:02 <+hyper_ch> no idea
11:02 < palate> hyper_ch: oh, wireguard is GPLv2, actually. Might be interesting to know as well :)
11:03 <+hyper_ch> from what I know is that wireguard is kernel module while openvpn runs in userland..... and that this increases throughput performance for package routing... but don't really know
11:04 < palate> hyper_ch: that's already very interesting to know! Thanks :-)
11:04 <+hyper_ch> as said, I don't really know about that stuff
11:04 <+hyper_ch> but I do get better throughput with wireguard on gigabit than I do with openvpn
11:04 <+hyper_ch> and someone explained it like that
11:05 < rob0> Regarding the routing questions, as with any VPN, it routes what you tell it to route.
11:06 <+hyper_ch> rob0: <amdj>     hyper_ch: that's expected since openvpn is userland and forwarding back out of it would be 4 context switches and at least 4 data copies
11:08 <+hyper_ch> rob0: no idea if that's true... just what I'm being told :)
11:23 <@ordex> hola
11:45 <+Dougy> o wow, new fedex website
13:21 -!- dionysus70 is now known as dionysus69
14:14 < bigredradio> I have found info on revoke-full, but I think my index.txt is incorrect and the some of the pen files removed manually. Is there a way to list the certificates straight from the database?
14:15 < bigredradio> s/pen/pem/
14:15 < bigredradio> I would like to revoke old certs, but I am not sure what is even in the DB
14:18 < DArqueBishop> bigredradio: if you need to revoke old certs but your signing environment is FUBARed, it might just be safer to build out a whole new CA.
14:19 < bigredradio> DArqueBishop, true, but I would still like to know if I an query the db directly.
14:34 <@ecrist> bigredradio: you cannot list certificates straight from the database
14:36 < bigredradio> Can the index file be rebuilt from the database?
14:39 <@ecrist> what's wrong with your index file?
14:39 < bigredradio> ecrist, Entries were removed using a text editor thinking that would revoke certs.
14:40 < bigredradio> So not sure what certs are even in the db at this point. About to clear them all out, but would like to see what is even there.
14:41 < bigredradio> Where is the db anyway?
14:42 < bigredradio> ecrist, Sorry, I am new to this and may be way off.
14:42 <@ecrist> bigredradio: there is no database, other than the index file
14:43 <@ecrist> you have a backup of that file?
14:43 <@ecrist> if you don't have a lot of certs, it's probably easier to just create a new CA
14:43 < bigredradio> ecrist, Ah, thought there was a binary database somewhere.
14:44 < bigredradio> ls
15:32 < apus> hi, does anyone have a script that helps me configure an openvpn profile for ios? i found this one here: https://github.com/iphoting/ovpnmcgen.rb but it only supports one server.
15:32 <@vpnHelper> Title: GitHub - iphoting/ovpnmcgen.rb: An OpenVPN iOS Configuration Profile (.mobileconfig) Utility—Configures OpenVPN for use with VPN-on-Demand that are not exposed through the Apple Configurator or the iPhone Configuration Utility. (at github.com)
19:19 -!- upbeta_______ is now known as upbeta
--- Day changed Fri Oct 20 2017
02:02 < dynek> hello!
02:03 < dynek> is there a way to lower the time it takes for openvpn tcp server to notice a client vanished, disconnect without further notice?
02:04 < dynek> tried to lower keepalive (10 30) but it doesn't seem to help so far
02:30 < dynek> ok finally ping, ping-exit and inactivity seem to do what I want :-)
05:31 < fredcwbr_> !welcome
05:31 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
05:31 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
05:33 < fredcwbr_> !goal Using easy-rsa to TSA and software signing
05:33 < fredcwbr_> !goal
05:33 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:34 < fredcwbr_> !goal I would like to use easy-rsa to TSA and software signing
05:34 < Kryczek> what is TSA?
05:37 < Kryczek> ...apart from Transport Security Administration
05:37 < fredcwbr_> TSA - Time Signing with openssl ... -- Easy-RSA does wrap openssl in a variety of ways simplifying the CAs tasks. I've been following this for some time now, and have quite some questions about how to use it ,.. 'cause it seems tha pkitool didn't implement it yet. I was looking form some poiters/direction.,k
05:38 < fredcwbr_> there is some references here, http://openssl.cs.utah.edu/docs/apps/ts.html.. although on direct handling with openssl,
05:38 < Kryczek> Time Stamping Authority ?
05:38 < fredcwbr_> Did get it to work with a handfulll of scripts, but  was quick and dirty, ... Was looking for a better solution.
05:39 < fredcwbr_> yep...  TSA --- Time Stamping .,
05:39 < Kryczek> sounds like something for a blockchain :)
05:39 < fredcwbr_> sorry for the mistake,
05:41 < Kryczek> well looking at https://en.wikipedia.org/wiki/File:Trusted_timestamping.svg it seems definitely feasible
05:41 <@vpnHelper> Title: File:Trusted timestamping.svg - Wikipedia (at en.wikipedia.org)
05:42 < Kryczek> but I think it's outside of the scope of what Easy-RSA does: it just helps you create your PKI, then it's up to you or some other software to use this PKI
05:42 < fredcwbr_> yep, ...already looked after that, ... exactly what I want,.,   wondering if easy-rsa already implemented it..
05:43 < Kryczek> unless they want to for some reason, I think it's outside of their scope
05:43 < fredcwbr_> Followed this http://pki-tutorial.readthedocs.io/en/latest/advanced/index.html ..,   and got it to work ...,, but its a great deal of things.,
05:43 <@vpnHelper> Title: Advanced PKI OpenSSL PKI Tutorial (at pki-tutorial.readthedocs.io)
05:45 < fredcwbr_> Yeah,... ...did it all,... that's why I was wondering if it woul be incorporated on easy-rsa,  .. ....
05:45 < fredcwbr_> Easy-RSA is really neat, ..  gets the hassle out of the way.,.
05:45 < Kryczek> fredcwbr_: maybe you can use something like https://github.com/disig/TimeStampClient and https://github.com/jan-zajic/tsa-server
05:45 <@vpnHelper> Title: GitHub - disig/TimeStampClient: .NET RFC 3161 time-stamping client library and application (at github.com)
05:46 < fredcwbr_> Interesting, didn't know about them yet,....
05:46 < fredcwbr_> taking a peek .................
05:46 < Kryczek> "easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's terms, this means to create a root certificate authority, and request and sign certificates, including sub-CAs and certificate revocation lists (CRL)."
05:47 < Kryczek> TSA is networking stuff, beyond building and managing a PKI... Otherwise you could say why not make SSH, HTTPS, etc services inside Easy-RSA :)
05:48 < fredcwbr_> I can see your point., ;;;
05:53 < fredcwbr_> When you look on TSA at a whole, it SURE IS network stuff, ...  Think I'm  misleading to think that wicheed to incorporate all stuff to easy-rsa, ...  Not what I was aming;; .. was willing to have easy-rsa generate/sing  the TS certificates, ... and manage singning and delivering PKI stuff only..  ;; something like    >> build-TS-certificate ...
05:54 < fredcwbr_> not lthe whole round trip..
05:55 < fredcwbr_> And yes., suppose it is outside the scope,. ,, ... asking doesn't hirt.,
05:56 < fredcwbr_> Anyway, ... got good pointers here, ... Thanks Kryzek for the TimeStampClient and tsa-server, ... gonna dig them. ,
07:43 < ch1pp0> hi guys, just want to be absolutely sure my calculations are correct. The openvpn keepalive is 97 bytes (on the wire) so the monthly (30days) network usage for that is 97*60*60*24*30=25142400 bytes (~25mb/month)
07:43 < ch1pp0> that is 25 megabytes upload and download
07:51 <@ordex> ch1pp0: only if there is no data traffic
07:52 < ch1pp0> ah yes, that is the absolute minimum
07:52 < Apostata> isn't the default ping every ten seconds?
07:52 < ch1pp0> yeah apostata, forgot to take the 0 from the first 60 ;)
07:53 <@ecrist> iirc, there is no default
07:54 <@ordex> ch1pp0: the ping is sent only if there is no data traffic, that's what i meant
07:55 <@ordex> so if you have data, the ping is not sent
07:57 < ch1pp0> ordex: yeah I know. So unless you're sending and receiving data that's less then 53bytes the 25mbytes are a minum :)
07:57 <@ecrist> and really, 97 bytes?
08:01 < ch1pp0> 97bytes in the wire I believe
08:30 < pacmanfan> i wish to set up tunnels for my clients to use for DVR access over the WAN. some of these clients are behind verizon's NAT firewall and/or double NAT, so i can't easily turn up a VPN server at the DVR location.
08:31 < pacmanfan> i'm thinking i could set up an OVPN client on a little embedded device on their LAN, that reaches out to an OVPN server somewhere on the WAN
08:31 < pacmanfan> my client would dial in to the same server on the WAN, when they want to connect to their DVR
08:32 < pacmanfan> any thoughts on this setup?
08:43 <@novaflash> that works
08:44 <@novaflash> outgoing connections are usually not blocked, so openvpn can pass through from the on-site location to your central vpn server just fine, in almost all cases, unless they're a very painfully strict firewall in use
08:45 <@novaflash> and once the tunnel is active, traffic can go in both directions over that tunnel
08:46 <@novaflash> you can use the open source version of openvpn for this, but you may also want to check out access server, which lets you create groups which are by default separated from one another. so users in one group can't connect to users in other groups, which may help if you want to separate the traffic and handle multiple such situations on one server.
08:47 < pacmanfan> yeah, at this point i have between 5 and 10 clients i need to set this up for
08:48 <@novaflash> if you install access server on a system without buying a license key for it, you can connect 2 devices to it. just enough to see if your embedded device can connect, and if your client computer can connect, and see if they can communicate
08:48 < pacmanfan> i'll probably be selling it as a monthly service, dunno if it would pay for Access Server or not
08:48 <@novaflash> you could also use open source version
08:48 <@novaflash> then you have a little more work to do
08:48 <@novaflash> but it's perfectly possible and free
08:50 < pacmanfan> hmm, looks like Access Server is included on an AWS instance?
08:50 <@novaflash> you can run it on aws or your own server, whatever you want. see docs.openvpn.net for information
08:51 < pacmanfan> i run a VM server and have bandwidth to spare, so it seems silly to pay for AWS unless the cost would be minimal and it saves me significant time
08:51 <@novaflash> well access server is also available on microsoft azure and cloudsigma, but that doesn't mean you HAVE to use them
08:51 <@novaflash> it's available as a program for a number of major linux os-es
08:52 <@novaflash> OS's?
08:52 <@novaflash> OSsss
08:52 < pacmanfan> i'd go with OS's ;)
08:52 < pacmanfan> yeah, i can just spin up a new ubuntu server vm very easily
08:52 < pacmanfan> at no cost to me
08:52 <@novaflash> there's also an appliance for vmware and hyperv around
08:52 <@novaflash> but it's super simply to install AS
08:52 <@novaflash> simple *
08:53 < pacmanfan> i once tried to set up an ovpn server on mikrotik, and failed miserably
08:53 <@novaflash> aw.
08:53 < pacmanfan> i'm not very experienced working with certs.... i think i was hitting a bug in mikrotik, because it kept crashing my router
08:54 <@novaflash> that.... yeah that sounds like a bug
08:54 < pacmanfan> but it was pushing my limits of what i know how to do with certs anyway
08:54 <@novaflash> keep pushing until your head explodes and then you will have learned something :-D
08:55 < pacmanfan> so my clients mostly want to use ios and android
08:55 < pacmanfan> looks like there's an openvpn client for ios, and i'm sure for android as well
08:55 <@novaflash> fortunately openvpn connect for android and ios exists and can connect to AS
08:55 <@novaflash> there's even an import from access server function in those clients
08:55 < pacmanfan> oh, handy
08:56 < pacmanfan> does it support persistent connections?
08:56 < pacmanfan> like, it will always attempt to stay connected?
08:56 <@novaflash> yeah but obviously not when the device is in sleep mode
08:56 <@novaflash> but it will attempt reconnection after you power the device up again
08:56 < pacmanfan> cool
08:56 <@novaflash> by itself
08:57 <@novaflash> i would advise using autologin type profiles for that, and not profiles that are user-locked and require you to enter username/password each time to connect. although even then you can choose to remember username/password so i guess it's kind of moot on ios and android.
08:57 < pacmanfan> and i would just send a route from AS, so all the user's traffic doesn't go over it, but just traffic intended for hosts also on the VPN
08:58 <@novaflash> yeah you don't want to mess with their internet traffic if you don't need to
08:58 <@novaflash> presumably you'll just be pushing one route; for the dvr system
08:58 < pacmanfan> so what do AS licenses cost?
08:59 < pacmanfan> and how is it licensed? by client connection?
09:02 < pacmanfan> nvm, i see the pricing page now
09:02 < pacmanfan> heh
09:05 -!- albech1 is now known as albech
09:39 < ch1pp0> ordex: is the keepalive ping done from both client and server?
09:40 <@ordex> honestly ... I don't know :D
09:42 < ch1pp0> ordex: oh okay.Looking at the networkdump I have it looks like there are 97 bytes going in both directions every 10 seconds so it looks like the traffic is actually 25mbytes upload and 25mbytes download for a month
09:42 <@ordex> might be
09:43 <@ordex> ch1pp0: what's the purpose of counting those?
09:43 <@ordex> just curious here :)
09:44 < ch1pp0> client is complaining that our solution is using up to much bandwidth so I'm investigating and counting up the known factors :)
09:44 < rob0> perhaps the client needs to upgrade their connection :)
10:03 < ch1pp0> rob0: ah, poorly worded on my part. They're using too much data
10:04 <@novaflash> perhaps the client needs to upgrade their connection :)
10:05 <@novaflash> okay sorry that was lame
10:06 <@novaflash> still, 25 megabytes too much data. hm. alright why don't you adjust the keepalive?
10:06 <@novaflash> so it sends less often and waits for longer
10:11 < ch1pp0> novaflash: well, 25megabytes upload and 25megabytes download is actually 50megabytes. But yeah I´ve recommended that the keepalive will be adjusted
10:12 < ch1pp0> also there are other services using data so it all counts
10:21 <@novaflash> i assume you're using gprs or sim cards or such, otherwise such little use of data would not be really relevant
10:21 < nejni-marji> what does OU stand for in KEY_OU?
10:22 <@novaflash> organizational unit perhaps, not sure
10:43 < ch1pp0> novaflash: correct. It's a mobile connection.
11:20 < Mhrok> hello guys
11:21 < Mhrok> hello guysi have a problem with connecting to my OpenVPN server behind NAT - my port forwards looks ok, but they appear to do nothing
11:22 < Mhrok> What is the best and simpliest method of checking my firewall configs?
11:34 < f31n> hi i do have a question :) i've got a openvpn server up and running, connecting my macbook with my homenetwork. Now i do have a gitlab server at home and i want when i'm not at home to be able to use my macbook as gitlab runner. So my infrastructure would be macbook (ovpn client) -> (ovpn server) (gitlab server), am i right that i theoretically just need to add a route from the gitlab server through the ovpn server to my client? (the othe
11:38 < DArqueBishop> f31n:
11:38 < DArqueBishop> !serverlan
11:38 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
11:40 < f31n> DArqueBishop: i answer everything with yes, but thats not my issue, i need the server in the lan (not the ovpn server) to be able to ping my client
11:42 < DArqueBishop> f31n: it IS your issue, actually. If the client can talk to systems in the server LAN, then systems in the server LAN can talk to the client. If they can't, it's not an OpenVPN issue.
11:44 < DArqueBishop> To be more specific, if the client can talk to systems in the server LAN but systems in the server LAN can't talk to the client, then the problem isn't an OpenVPN issue. It's more likely a firewall issue on the client.
11:44 < f31n> you're right i guess its not an openvpn issue, its a routing issue, as far as i know, because i can ping the second server, but the second server doesn't know the clients ip, how should it if i didn't tell it where to find it, because the ovpn server is not my router
11:45 < DArqueBishop> f31n: the only way your scenario would work is if you're using NAT on the OpenVPN server.
11:46 < DArqueBishop> !route_outside_ovpn
11:46 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
11:48 < DArqueBishop> Essentially, if your router doesn't know to send traffic for the VPN subnet to your VPN server, then the only way your VPN clients would be able to access systems on the server LAN is if the VPN server was using NAT to masquerade traffic from the VPN subnet as being from itself.
11:48 < f31n> yes thats what im looking for
11:49 < DArqueBishop> What you would want/need to do is to turn off that NAT (however you turned it on) and add a route in your router to send traffic for the VPN subnet to the VPN server.
11:52 < f31n> i added the rule via iptables
11:54 < f31n> okay, i guess i now know where to go, thanks for your help!
11:54 < DArqueBishop> You're welcome. :-)
12:00 -!- zvirbliukas1 is now known as zvirbliukas
14:29 < simonwyd1> what's the recommended approach to set up multiple site to site links? one root CA and one intermediate CA per client-server combo?
14:29 < simonwyd1> bad phrasing: so one root CA, period
14:30 < simonwyd1> and then one intermediate per client-server combo?
14:44 < nejni-marji> Is there a reason all my vpn clients are getting IPs of 10.8.0.x where x is always a multiple of 4?
14:46 < simonwyd1> nejni-marji: that's the topology used I think
14:46 < nejni-marji> is it safe to manually assign, say 10.8.0.3?
14:46 < invisiblek> no
14:46 < nejni-marji> okay
14:47 < simonwyd1> nejni-marji: https://community.openvpn.net/openvpn/wiki/Topology#Topologysubnet
14:47 <@vpnHelper> Title: Topology – OpenVPN Community (at community.openvpn.net)
14:47 < simonwyd1> I think you want to switch to that if I understand your question correctly
16:15 <@dazo> nejni-marji: using --topology subnet is normally considered far better
16:16 <@dazo> nejni-marji: if we could have changed the default to be subnet, we'd probably do that.  But it would break a lot of already existing configurations, so we're stuck with --topology net30 as the default
16:16 < nejni-marji> okay
19:45 < brianx> i'm having trouble adding another lan on an openvpn client.  in the server config, i added route 192.168.0.0 255.255.255.0 and push "route 192.168.0.0 255.255.255.0".  in the client config i added iroute 192.168.0.0 255.255.255.  the client's routing table includes  is able to ping a host on the 192.168.0.0 255.255.255.0 and the server's routing table includes 192.168.0.0 255.255.255 with the openvpn ip as
19:45 < brianx> the gateway and the tun as the interface but ping and traceroute get nowhere.
19:45 < brianx> i know that http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing doesn't quite show this config so i tried to extrapolate, unsuccessfully.
19:45 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
19:46 < brianx> is there a signal that forces the client to reload config?  the pid didn't change when it reconnected.
20:20 -!- zvirbliukas1 is now known as zvirbliukas
--- Day changed Sat Oct 21 2017
01:02 < brianx> manually restarting showed that iroute 192.168.0.0 255.255.255.0 isn't allowed in the client so i moved it to the ccd file for that client on the server.  there are now 2 iroute entries there.  the route and push route lines are still in the server's config.
01:04 < brianx> the server side routing table still shows: 192.168.0.0     192.168.102.2   255.255.255.0   UG    0      0        0 tun21 and the client has that network on eth1:1 and is able to ping a host on that network.
11:32 -!- abenz__ is now known as abenz
12:00 < TheSilentLink> Hi I am try to connect but I am getting TSL error is that my network issue? also to connect on linux I use openvpn name.ovpn right?
12:45 < TheSilentLink> solved it!
12:59 < TheSilentLink> Hi I have connected but it seems that I can't access local devices
13:00 < TheSilentLink> my external ip has changed but if I go to 192.168.1.254 I don't get my vpn router but the router for the network I'm actually connected too. Anyone know why?
13:01 < TheSilentLink> I got this Sat Oct 21 18:49:10 2017 ERROR: Linux route add command failed: external program exited with error status: 2
13:01 < TheSilentLink> and /usr/bin/ip addr add dev tun0 10.8.0.4/24 broadcast 10.8.0.255
13:01 < TheSilentLink> RTNETLINK answers: File exists
14:53 < brianx> my problem was the host at the far end getting no default route.  unfortunately it can't be changed so i'll try a snat rule in iptables to make the traffic appear to be local.
17:13 < zamba> anyone tried softether vpn?
19:22 -!- albech1 is now known as albech
19:30 < icasdri> Does anyone know the cause of "TCP/UDP packet too large on write to" errors (on the server)? These happen every now and then and the connection (from the client's perspective) stops responding for a while unless I disconnect and let it "sit" for like five minutes.
20:03 < Kryczek> icasdri: sounds like a MTU problem
20:03 < Kryczek> icasdri: are you dropping ICMP by any chance?
20:06 < icasdri> Kryczek: I can ping my server from the VPN IP and public IP if that answers your ICMP question
20:06 < Kryczek> not entirely but I guess yes :)
23:12 < vpndude> So
23:12 < vpndude> I need some assistance understanding the managment interface
23:12 < vpndude> So assuming I have the server running with: management-query-passwords
23:13 < vpndude> When I go to connect
23:13 < vpndude> The OpenVPN server will request username / password auth
23:14 < vpndude> So the client side GUI using the managment interface will recieve: PASSWORD:Need 'Auth' username/password
23:14 < vpndude> So from the client side I would reply: username "Auth" foo password "Auth" bar
23:15 < vpndude> Then the server side managment interface would recieve the same message
23:16 < vpndude> So effectively acting like a tunnel
23:16 < vpndude> Then I can do: PASSWORD:Verification Failed: 'custom server-generated string'
23:16 < vpndude>  for failure with a custom message
23:17 < vpndude> and I assume as it's not documented: PASSWORD:Verification Success
23:17 < vpndude> to tell the client it's clear to connect?
23:20 < vpndude> this is really badly documented.
--- Day changed Sun Oct 22 2017
00:46 < hummerpaskaa> What am I doing wrong when my resolv.conf doesnt get updated on connection? it keeps its old settings
01:17 -!- zvirbliukas1 is now known as zvirbliukas
06:22 -!- eb0t_ is now known as eb0t
07:08 -!- dionysus70 is now known as dionysus69
11:42 -!- mundus2018 is now known as mundus
11:47 < apus> hi, does anyone know if it is possible to have multiple ondemand profiles switch on automatically, depending on which currently has matching rules? using the official openvpn ios app here. i seem to have to select them manually at the moment
11:53 <@ordex> apus: I know you can create a .mobileprofile for that, but there is no doc from apple
11:53 <@ordex> but that should be supported by the app itself
11:53 <@ordex> it is so called VoD = VPN on Demand
11:53 <@ordex> based on domains/hosts it will enable a given profile
11:53 <@ordex> but really...apple doc is terrible as of how to create such configuration files
12:39 < apus> ordex: i already created an ondemand .mobileconfig with two vpn connections included. both with their own ondemandrules - they are per vpn connection. however, i have to choose which one is active of them in openvpn app. it doesn't decide appropriately according to the rules
13:41 < lungaro> Hello
13:41 < lungaro> fairly confused about getting my routing right and verifying what routes are pushed out by the server
13:42 < lungaro> i've experimented with push "route 192.168.7.0 255.255.255.0" to have clients get a route to 192.168.7.0/24
13:42 < lungaro> the vpn server is 192.168.7.1 --- the client route tables are all messed up though
13:43 < lungaro> I have point to point connectivity only for client->server so the VPN is working
13:45 < lungaro> maybe client-config-dir overrides any other config?
13:49 < BtbN> You don't need to push a route for a directly connected network.
13:51 < lungaro> Its not directly connected..
13:51 < lungaro> i guess I wasn't clear on the vpn server, its a VPS node
13:51 < BtbN> So 192.168.7.0/24 is not the VPN network?
13:51 < lungaro> 192.168.7.0/24 IS the VPN network
13:52 < BtbN> So it is directly connected
13:52 < lungaro> i think i fixed it, something was just screwy. after restarting everything it works
13:52 < lungaro> perhaps there is a terminology issue here. The clients connecting are not in 192.168.7.0/24
13:54 < BtbN> But you just said it's your VPN network?
13:55 < lungaro> its the address block I create for the point-to-point connections, its the address block clients use
13:56 < lungaro> perhaps that's the issue, i'm using that network for more than 1 thing
13:56 < BtbN> If it has an interface in that network, there is no need for an explicit route.
13:56 < lungaro> I am fabricating that netblock
13:56 < lungaro> it is not assigned to an interface!
13:57 < BtbN> what?
13:57 < lungaro> anyways, nvm
13:57 < lungaro> somehow we can't understand each other, must be my fault
13:57 < BtbN> You should learn some basic networking
13:57 < lungaro> lol
13:58 < lungaro> Thanks for advice
13:58 < BtbN> A VPN interface is also an interface, the network stack does not care
14:54 < gallcobair> !welcome
14:54 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
14:54 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
14:56 < gallcobair> !goal
14:56 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:56 < gallcobair> !ask
14:56 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
14:57 < gallcobair> !howto
14:57 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
19:08 < BenderRodriguez> is it possible to set up OpenVPN on port 80
19:08 < BenderRodriguez> as my workplace blocks 1194
19:08 < BenderRodriguez> so I need a well known port to piggy back off of
19:08 < BenderRodriguez> in order to sidestep the corporate firewall
19:27 <@ordex> BenderRodriguez: you can configure it on the port you like
19:27 <@ordex> check the manpage for --port
20:22 < SimpleName> ordex: does the -ping option can be millisecond
20:22 <@ordex> I don't think so
20:22 <@ordex> it's seconds
20:22 <@ordex> why would you want such fine granularity ?
20:22 <@ordex> it is not meant to be that precise
20:33 < SimpleName> ordex: I just want to client find server disconnect quickly
20:34 <@ordex> SimpleName: check --explicit-exit-notify
20:34 <@ordex> in the manpage
20:43 < SimpleName> ok, but this option is work only the network that between client and server is ok :)
20:43 < SimpleName> of course, I think -ping 1 second is enough :)
20:45 <@ordex> SimpleName: yes, it works when the packets can be sent
20:45 <@ordex> when the server or the client decides to stop
20:46 <@ordex> if you want a reliability test, then the ping is what you need
20:50 < SimpleName> yeah, I think so : )
23:42 < watom> is the "remote-cert-tls server" still required and help safety?
23:42 < watom> in the howto i see is related to clients that try to be a fake server. what if i don't have other users except me?
23:43 < watom> if there was half line to add openssl was not an issue. but like that is a bit advanced
23:47 <@ordex> watom: have you checked the manpage already?
23:47 <@ordex> watom: I think that's pretty specific. you can have a look and come back with questions if not clear
23:48 < watom> is that available in windows
23:48 < watom> the config relate to the howto
23:48 < watom> and it's what i read
23:55 <@ordex> yes, that option is also available on windows
23:55 <@ordex> the manpage does not mention anything being OS specific
23:56 <@ordex> it's just a check against a certificate attribute
--- Day changed Mon Oct 23 2017
02:53 -!- SerusWor1 is now known as SerusWork
03:18 < styler2go> Hi, i have a problem with my vpn. client-to-client connections are working but i cannot access my openvpn server, is there anything i need to set in my server setting?
03:19 < styler2go> I just realized that the VPN and my local network have the same ip ranges.. maybe that's the problem
03:29 < styler2go> I have client-to-client in my sevrer config, do i also need to add something like "client-to-server"?
03:50 < styler2go> Anyone?
03:52 < BtbN> You need to not use the same network twice.
03:52 < styler2go> Already changed that
03:53 < BtbN> And you cannot reach the server itself, but other clients?
03:53 < styler2go> Yes
03:53 < BtbN> That makes no sense, you must be using the wrong IP.
03:55 < styler2go> No
03:55 < styler2go> Server: https://p.styler2go.de/6898002 Client: https://p.styler2go.de/2759291
03:55 < styler2go> route: https://p.styler2go.de/5764229
04:00 <@ordex> firewall issue then ?
04:01 < styler2go> I tried disabling it for a short time
04:06 < BtbN> Your Server is Windows?
04:31 < styler2go> BtbN, yes
04:31 < styler2go> Everythin is windows
04:31 < BtbN> I'm not surprised then that stuff doesn't work. Windows does weird stuff and is likely not well tested as a server. I also have no idea how to debug it, so, good luck.
04:33 <@ordex> styler2go: basically from the openvpn perspective there is nothing preventing the server from being reached on the VPN IP, must be something on the server itself (i.e. firewall or other settings)
04:33 < styler2go> So there are no settings (like the client-to-client) which i have to set in my server settings?
04:33 < BtbN> I know that Windows very often just does not feel like responding to pings
04:34 <+hyper_ch> upgrade windows server to linux?
04:34 <@ordex> styler2go: no
04:35 < styler2go> ordex, that's odd.. strange is that client-to-client works perfectly fine.. but client-to-server never worked. i might check some more rules..
04:35 <@ordex> styler2go: exactly: odd. that exactly means that openvpn is letting the traffic through as expected
04:35 <@ordex> are you trying to ping the VPN IP of the server ? or its internal one ?
04:36 < styler2go> ordex, i'll ask in ##windows-server and might check what the TAP device does
04:36 < styler2go> ordex, the vpn ip
04:36 <@ordex> ok
04:36 <@ordex> yeah
04:36 < styler2go> it's 10.100.0.1, tracert and ping go into nothing
04:37 <@ordex> yeah
04:37 <@ordex> you can check with wireshark on the server if there is incomin traffic, but there should be
04:38 < BtbN> Well, does not pinging work?
04:38 < BtbN> Windows sometimes just doesn't respond, but everything else works.
04:41 < styler2go> no, nothing works so far
05:03 < styler2go> Network Bridging didn't help to
05:36 < starship_trooper> How do I have to use tls-crypt option in openvpn?
05:51 <@ordex> starship_trooper: what do you mean ?
05:51 <@ordex> starship_trooper: you can have a look at the manpage about how to use --tls-crypt
05:53 < starship_trooper> I wanted to know what i needed to add in the client configs
05:54 < starship_trooper> I have added tls-crypt /path/to/keyfile in the server.conf file
05:54 <@ordex> yeah, then the manpage should have all the details
05:55 <@ordex> there is no mention about differences between client and server configuration
05:55 < starship_trooper> When I add the same to the client it gives me an error
05:55 <@ordex> if you could paste that somewhere it would be helpful
05:56 <@ordex> can't read minds yet :P
05:56 < starship_trooper> Options error: Unrecognized option or missing or extra parameter(s) in pizero.ovpn:17: <tls-crypt> (2.4.4)
05:56 < starship_trooper> Line 17: <tls-crypt> /home/manan/Documents/Misc/ta.key
05:57 < starship_trooper> It now shows: Options error: --tls-auth and --tls-crypt are mutually exclusive
05:57 <@ordex> <option></option> is used for inline arguments
05:57 <@ordex> you have to use tls-crypt as is when specifying a filename
05:57 <@ordex> tls-crypt filename
05:58 < starship_trooper> yeah I fixed that
05:58 <@ordex> ok
05:58 < starship_trooper> But now it shows: Options error: --tls-auth and --tls-crypt are mutually exclusive
05:58 <@ordex> yeah, they are mutually exclusive, can't use both
05:58 <@ordex> either one
05:59 < starship_trooper> So I shoudl remove 'tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0' from server.conf right?
06:00 <@ordex> right
06:00 <+hyper_ch> tls-crypt has tls-auth integreated
06:00 <@ordex> also the server should not start if you have both
--- Log opened Mon Oct 23 06:55:25 2017
06:55 -!- Irssi: #openvpn: Total of 316 nicks [8 ops, 0 halfops, 5 voices, 303 normal]
06:55 -!- Irssi: Join to #openvpn was synced in 1 secs
06:55 -!- mode/#openvpn [+o ecrist] by ChanServ
06:55 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
06:55 -!- mode/#openvpn [+o vpnHelper] by ChanServ
08:03 < watom> hey. i have compress lz4-v2 and push "compress lz4-v2" server side since sounds like a good idea. but in log i get: "'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'" i'm confused
08:03 < BtbN> I doubt you can push that setting.
08:04 < watom> it's an example in default config
08:04 < watom> https://pastebin.com/raw/QPyRw0GW
08:04 < BtbN> The pushed happen after the VPN connection is already established. The compression needs to be agreed on before
08:04 < watom> i don't know man.
08:05 < BtbN> Not sure if compression can be pushed like that. Where is that example from?
08:05 < watom> based on the example config comp-lzo is a legacy way to do that
08:05 < watom> from the Examples folder
08:05 < watom> when you install openvpn you get a sample-config
08:06 < watom> here you go https://pastebin.com/raw/SDXYvksy
08:07 < BtbN> Do both server and client have 2.4+?
08:07 < watom> sure
08:07 < watom> well i guess i will set that manually on the client
08:07 < BtbN> And there is no stray comp-lzo somewhere?
08:07 < watom> no
08:08 < watom> it's co mmented client side
08:08 < watom> there is a #comp-lzo in the client example confi
08:10 < watom> in the client i get instead "comp-lzo" is present in remote but not in local
08:10 < watom> the issue there is that i don't have anywhere comp-lzo but just the new lz4-v2
08:10 < BtbN> I'd guess pushing it does not work then, weird that it's in the example.
08:11 < watom> apparently lz4-v2 is not. since it say that the server is using lzo
08:11 < watom> let me try to include that line in the client too
08:14 < watom> working
08:14 < watom> i get ,compress lz4-v2, in some part of the log
08:17 < watom> really nice to have lz4 :)
08:20 < BtbN> Compression is mostly pointless and usually makes things slower due to the higher CPU load
08:20 < watom> that's why we have lz4
08:20 < watom> check the benchmarks https://github.com/lz4/lz4
08:20 <@vpnHelper> Title: GitHub - lz4/lz4: Extremely Fast Compression algorithm (at github.com)
08:20 < watom> is not pointless if you want to save data
08:21 < watom> or you're on a slow network
08:23 < BtbN> The absolutely vast majority of internet traffic already is compressed, or encrypted
08:23 < BtbN> both does not compress well
08:24 < watom> why you assume a vpn is used to surf the web?
08:24 < watom> i use it to connect my machines
08:24 < watom> i share files as example. and doc and txt and stuff
08:24 < watom> compress really well with lz4
08:24 < BtbN> And the protocols you use for that don't compress?
08:24 < watom> i don't think samba is using compression
08:25 < watom> and to be honest if i remember right even ssh not compress by default
08:25 < BtbN> Both samba and ssh send encrypted data. Encrypted data looks perfectly random and does not compress at all
08:25 < brianx> openssh can but does not by default.
08:25 < watom> well the lz4 is a new feature
08:26 < watom> so openvpn team believe it's usefull to give modern compression methods
08:26 < watom> samba encrypted? *surprised*
08:26 < BtbN> Unless you are on a _really_ slow connection, you will reduce your performance with compression, not increase it
08:26 < BtbN> And even then I doubt it makes a noticeable difference
08:27 < brianx> i can't get more than 0.5mbps upstream here.
08:27 < watom> in my country most of people
08:27 < watom> still upload at 100 KB/s
08:27 < watom> just to give you an hint
08:27 < BtbN> That's not too terrible
08:27 < brianx> ^^^
08:27 < watom> most likely 50
08:27 < BtbN> With really slow I mean like dial-up modem levels of slow
08:28 < watom> lz4 is easy on cpu
08:28 < watom> is fine
08:28 < BtbN> So, like 4~5kB/s
08:28 < watom> the protocol you're using is probably slower
08:28 < brianx> dialup already compresses.
08:28 < watom> than the compression lol
08:28 < BtbN> Unlikely
08:59 < Plouescat> !welcome
08:59 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
08:59 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
09:00 < Plouescat> !goal
09:00 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:01 < Plouescat> !goal I would like to access all my devices over a VPN
09:25 -!- tyman001 is now known as tyman00
09:28 < DArqueBishop> Plouescat:
09:28 < DArqueBishop> !serverlan
09:28 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
10:12 < Koopz> say i've got this .ovpn file over here which i've been using on my windows PC for ages now... i just tried using it to connect an ubuntu server here to that vpn network and i'm getting Options error: Unrecognized option or missing parameter(s) in foo.ovpn:1: ip-win32 (2.3.2)
10:12 < Koopz> thing is... ip-win32 is the first line
10:17 < Koopz> ...did i seriously just ask this? win32? on linux?
11:11 < jer0me> hey there. Using openvpn on debian stable for 5 machines, I noticed today that some clients assigned ip changed. For some reason, /etc/opensc/ipp.txt show ".4" for my current machine but /etc/openvpn/cccd/mymachine shows "push .10" (it should be .6). Any hint of where to look at for this inconsistency?
11:11 < jer0me> I shortened ip to their last element btw
11:12 < jer0me> s/opensc/openvpn damn completion
11:18 < rob0> assuming "cccd" is the name of your ccd, and "mymachine" is your client cert commonName, it would seem that the CCD is not being used.
11:19 < rob0> !ccd
11:19 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
11:25 < jer0me> rob0: sorry for the typos. It seems to be used since I am tracking messages from the logs which states "reading specific client options from: /etc/openvpn/ccd/mymachine" where my machines is the client CN
11:37 < jer0me> I can't remember setting those myself. Maybe I don't remember as clearly as I'd like.
12:49 < apus> hi, can i somehow push a route only to some clients based on their real ip address?
13:30 <@ecrist> yes
13:30 <@ecrist> look at --up
13:30 <@ecrist> sorry
13:30 <@ecrist> look at --client-connect
14:03 < apus> ecrist: thank you, that looks exactly like what i'm looking for. however, on my pfsense installation, where the openvpn server is running, they already have a default script in place for client-connect, which handles the freeradius integration - from what i could find -, so is it possible to add a second script where i can add data with >> $1 ?
14:12 < apus> i found this here with an overview of scripts which can be called. is something there which could be used as an alternative and which also allows push route?
14:13 < apus> https://superuser.com/questions/505012/how-to-execute-multiple-scripts-when-openvpn-establishes
14:13 <@vpnHelper> Title: vpn - How to execute multiple scripts when openvpn establishes? - Super User (at superuser.com)
14:30 < das_j> Hello, I have a openvpn 2.4.3/2.4.4 and I have compression configured on the server side with "compress lz4" and the appropiate push command. I don't have anything compression-like configured in the client. However, when connecting, I get "WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'". Why is it trying to use lzo when I configured lz4?
14:33 < apus> or is it possible to use the client ip address when it's connecting in freeradius? if so, which attribute contains the ip address?
17:22 < dStruct> hey guys, i'm having a weird UFW issue with my OVPN.  I have a very spartan UFW ruleset basically opening a port for the vpn, and I'm not using UFW limit rules anywhere, yet I'm getting UFW BLOCK messages in syslog for traffic coming in the main iface eth0 destined for it's IP from a website I'm browsing from a VPN client
17:23 < dStruct> it's not blocking traffic entirely but my browser gets really slow and laggy and my latency pinging just about anything will be 1-3+ seconds, yet on the vpn server I can ping anything sub 0.2ms
17:23 < dStruct> am I missing something here, I'm almost certain it's configured correctly and functions fine 95% of the time
17:26 < sudormrf> is there a support, pre-sales and pre-sales engineering team for openvpn access server?
17:26 < sudormrf> nvm
17:26 < sudormrf> joining the as channel :D
17:26 < dStruct> dmesg shows: [1764760.975738] TCP: request_sock_TCP: Possible SYN flooding on port <my vpn port>. Sending cookies.  Check SNMP counters.
17:26 < dStruct> then I get 10 UFW BLOCK messages
17:29 < dStruct> oh I think I finally answered my own question after much googling.  If anyone cares it looks like adjusting the net.ipv4.tcp_max_syn_backlog sysctl appears to help, I guess I'll give it a shot, looks like it may be completely not OVPN related :D
22:23 -!- upbeta_______ is now known as upbeta01
22:23 -!- upbeta01 is now known as upbeta
--- Day changed Tue Oct 24 2017
05:11 -!- zvirbliukas1 is now known as zvirbliukas
06:42 < wallbroken> hello
06:42 < wallbroken> Tue Oct 24 12:04:39 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
06:42 < wallbroken> Tue Oct 24 12:04:39 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
06:42 < wallbroken> Tue Oct 24 12:04:39 2017 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
06:43 < wallbroken> why?
06:53 < natewin> !welcome
06:53 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
06:53 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
06:54 < natewin> !goal I cannot create shortcuts in Android 8
06:55 <+hyper_ch> shortcuts?
06:55 < natewin> hi.  thanks.
06:55 < natewin> Android has the option to create shortcuts on the home screen for connect and disconnect
06:56 < natewin> it worked in Android 7, but stopped working in Android 8
06:56 <+hyper_ch> well, then you'd need to ask the app developer
07:01 < natewin> I've asked in the OpenVPN support forum for Android.  Thought I'd try here as well.
07:02 -!- zvirbliukas1 is now known as zvirbliukas
07:04 <+hyper_ch> there's two openvpn apps IIRC... I think for one the dev is sometimes in here
07:06 -!- zvirbliukas1 is now known as zvirbliukas
07:47 -!- zvirbliukas1 is now known as zvirbliukas
08:04 < wallbroken> Tue Oct 24 15:04:06 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
08:04 < wallbroken> Tue Oct 24 15:04:06 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
08:04 < wallbroken> Tue Oct 24 15:04:06 2017 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
08:04 < wallbroken> what is this?
08:23 <+Dougy> wallbroken: use a more secure cipher
08:23 < wallbroken> what?
08:23 < wallbroken> i used easyrsa
08:23 <+Dougy> !configs
08:23 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:25 < wallbroken> !paste
08:25 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2)
08:25 <@vpnHelper> paste.ee is also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
08:28 < wallbroken> Dougy: https://pastebin.com/raw/wX6NW3UV
08:33 < rob0> The logs you pasted here told you what you need to do.
08:33 < rob0> !cipher
08:34 < rob0> see --cipher in the manual
08:34 < rob0> !sweet32
08:34 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
08:34 < wallbroken> rob0, is something related to easyrsa?
08:35 < rob0> easyrsa is an openssl frontend for CA management.  It's not related to --cipher
08:35 < wallbroken> in chort, what do i need to do?
08:35 < wallbroken> *shord
08:35 < wallbroken> *short
08:36 < wallbroken> i don't want to read any long documentation to know what it is, i just want to fix that message and stop
08:36 < rob0> Mitigate by using a --cipher with a larger block size, e.g. AES-256-CBC
08:36 < wallbroken> migrate what?
08:37 < rob0> Unladen African swallows.
08:38 < wallbroken> and is it the right season?
08:39 < rob0> "Mitigate" means "to lessen the effects of [a problem]."
08:40 < wallbroken> rob0, i want to know PRACTICALLY what do i need to do
08:42 < rob0> do you know how to edit a text file?
08:44 < wallbroken> no
08:44 < wallbroken> i want to know what i need to add in that file
08:52 < wallbroken> i just need to add: "cipher AES-256-CBC" in both server and client openvpn configs?
08:58 < wallbroken> anyone alive?
09:14 < brianx> just a few billion people.
09:49 < wallbroken> looks like nobody is answering me
09:54 < brianx> yeah.  you're asking people who know to rewrite the existing docs on that error in language you understand.  not an easy task when they don't know you.
09:55 < brianx> i for one don't know and have not been able to follow the existing docs yet too.
09:57 < DArqueBishop> <wallbroken> i just need to add: "cipher AES-256-CBC" in both server and client openvpn configs?
09:57 < DArqueBishop> Yes.
09:57 < brianx> my solution was easy.  erase everything and start over from a new set of instructions on how to do openvpn.  the 2nd blog i followed didn't have the problem...
09:59 < wallbroken> DArqueBishop, did work
09:59 < wallbroken> i added cipher AES-256-CBC
09:59 < wallbroken> in both server.conf and client.con
09:59 < wallbroken> f
10:20 < AlmightyOatmeal> When a OVPN server has Google Auth MFA setup and static challenge/response, is it possible for the clientt to send the challenge response via contents of a text file or by executing an application? I'm hoping for something similar to storing a password in a text file on a host container.
10:23 < AlmightyOatmeal> Or is it possible to send the password AND static-challenge in one string?
10:30 -!- Dougy [~dougy@openvpn/community/support/Dougy] has quit [Ping timeout: 260 seconds]
10:31 < wallbroken> all gone to sleep
10:42 < wallbroken> Tue Oct 24 17:42:45 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
10:42 < wallbroken> Tue Oct 24 17:42:45 2017 Connection reset, restarting [0]
10:42 < wallbroken> Tue Oct 24 17:42:48 2017 SIGUSR1[soft,connection-reset] received, process restarting
10:43 < wallbroken> this is if i add cipher AES-256-CBC in client.cofn
11:24 -!- Dougy [~dougy@openvpn/community/support/Dougy] has joined #openvpn
11:26 < wallbroken> if somebody is reading, please, help me fixing the issue
11:39 <@ordex> wallbroken: did you also add cipher on the server ?
11:41 < wallbroken> ordex, sure
11:41 <@ordex> then I'd suggest to provide logs and configs
11:41 <@ordex> !logs
11:41 <@ordex> !configs
11:41 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
11:41 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
11:42 < wallbroken> ordex, already did
11:42 < wallbroken> just scroll back the chat
11:43 <@ordex> oh ok
11:45 < wallbroken> ordex i simply added "cipher AES-256-CBC" in both client and server configurations
11:46 <@ordex> wallbroken: I can't find the log
11:46 <@ordex> could you please repaste the link ?
11:46 < wallbroken> ordex, i directly pasted it on the channel
11:46 < wallbroken> 3 lines
11:46 <@ordex> and if possible use verb 4 please
11:46 <@ordex> well then you need to enable verb 4
11:46 < wallbroken> ok
11:46 <@ordex> to get all the meaningful warnings
11:46 <@ordex> please do that on both client and server
11:46 < wallbroken> could we begin only with client side log?
11:46 <@ordex> and paste the logs
11:46 <@ordex> yeah
11:46 < wallbroken> server side is on another place
11:47 <@ordex> but both are preferrable
11:47 < wallbroken> and i need time to phisically go
11:47 <@ordex> still..we might find something
11:47 <@ordex> ah k
11:47 <@ordex> well, let's start with the client ,sure
11:48 < wallbroken> ordex: https://pastebin.com/9QfPi3b7
11:49 < wallbroken> this is in raw format: https://pastebin.com/raw/9QfPi3b7
11:49 < wallbroken> Tue Oct 24 18:47:51 2017 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-256-CBC'
11:49 < wallbroken> what?
11:50 < wallbroken> i added it in remote config and then i did /etc/init.d/openvpn restart
11:50 <@ordex> yeah not only that
11:50 <@ordex> looks like also the other settings are off
11:50 <@ordex> weird
11:50 <@ordex> are you connecting tot he right instance?
11:51 <@ordex> the server log might help at this point
11:51 < wallbroken> ordex, if i remove cipher directive
11:51 < wallbroken> all works fine
11:51 <@ordex> I guess the other settings are tolerable
11:52 <@ordex> if you remove the cipher from the client only you mean ?
11:52 <@ordex> or from both ?
11:52 < wallbroken> from client only
11:52 < wallbroken> this means that server hasn't got the changement about the ceapher?
11:53 <@ordex> sounds so
11:53 <@ordex> or you are not changing the config the server is using at all
11:53 <@ordex> something is off on the server I'd say
11:53 < wallbroken> yeah that's possible
11:53 < wallbroken> it's openwrt
11:54 <@ordex> that shouldn't be a problem
11:55 < wallbroken> openwrt uses its own structure to load config
11:56 <@ordex> yeah
11:56 < wallbroken> oh no, it's right, i demanded it to the right config file
11:56 < wallbroken> config openvpn 'myvpn'
11:56 < wallbroken>         option enabled '1'
11:56 < wallbroken>         option config '/etc/openvpn/server.conf'
11:56 < wallbroken> let me try rebooting the server, brb
11:56 <@ordex> but you can also just specify the config
11:56 <@ordex> right
11:56 <@ordex> ok
11:56 <@ordex> shouldn't be needed, but ok :)
11:58 < wallbroken> same error
11:59 < sunrunner20> how do I set reneg-sec to infinity?
11:59 < sunrunner20> 0 or just put in some very large value
12:01 < wallbroken> ok, solved
12:02 < wallbroken> i had 2 .conf file
12:02 < wallbroken> and i was changing the wrong one
12:06 < wallbroken> ordex, if i do no use the cipher directive on the other clients, i will not connect?
12:07 <@ordex> wallbroken: must match on server and client. unless you use 2.4 on the server with ncp and it provides some negotiation mechanism, but I don't remember how it behaves with old clients
12:07 <@ordex> still that should be helpful to make the "migration"
12:07 <@ordex> sunrunner20: 0 will disable it
12:07 < sunrunner20> thanks ordex
12:07 <@ordex> np
12:07 < wallbroken> ordex, i have a iphone client
12:08 <@ordex> sunrunner20: but that's probably the wrong thing to do :)
12:08 < wallbroken> and shows "connected"
12:08 < wallbroken> but i can't ping
12:08 < sunrunner20> I've got 2fa enabled for this connection and I don't want to be bothered by it after I connected
12:08 < sunrunner20> if there's a happy medium I'd love to hear it
12:08 <@ordex> sunrunner20: you may want to use the auth token in combination with something else (I don't remmeber exactly the full solution but this got solved)
12:08 <@ordex> wallbroken: likely because of that
12:08 <@ordex> you can check the log
12:09 < sunrunner20> problem is I don't have much control over the openvpn and the radius server ordex
12:09 <@ordex> ah ok
12:09 < sunrunner20> its a PFsense box
12:09  * ordex has no clue
12:09 < sunrunner20> I'm working on adding calling-station-ID
12:09 < wallbroken> ordex, and what about the other warnings? i ignore them?
12:10 < sunrunner20> but lookign through the code it goes through the work of setting the varibles up then passes radius an empty set >_<
12:10 <@ordex> wallbroken: well..something is weird. what version are you running on the server ?
12:11 <@ordex> (and the client?)
12:11 -!- abenz_ is now known as abenz
12:11 < wallbroken> ordex: OpenVPN 2.2.2 mips-openwrt-linux [SSL] [LZO2] [EPOLL] built on Mar 14 2013
12:11 <@ordex> wow
12:12 <@ordex> that's why you get all those warnings
12:12 <@ordex> that version comes from the iron age
12:12 <@ordex> :p you better upgrade to something newer
12:12 <@ordex> openwrt ships the latest openvpn too
12:12 < wallbroken> ordex, che cipher warning dependend of the version too?
12:13 <@ordex> I am not entirely sure
12:13 <@ordex> debugging such an old server is not a good idea
12:13 <@ordex> I have no clue about what the 2.2 version does
12:14 < wallbroken> unfortunately, my openwrt version is EOL, so its repository comes with an old version openvpn
12:18 < wallbroken> maybe there is somebody else could know?
12:19 <+hyper_ch> update your openwrt
12:19 < wallbroken> hyper_ch, i can't, my router doesn't support any newer version
12:19 <+hyper_ch> compile current openvpn on your own for your openwrt version
12:20 < wallbroken> hyper_ch, i already did for apache, it's a pain
12:20 <+hyper_ch> update the router
12:20 <@ordex> yeah, you can get the buildroot and recompile the entire thing
12:20 <@ordex> :D
12:20 < wallbroken> you need to fix variable environment
12:20 < wallbroken> hyper_ch, i'm poor
12:21 <+hyper_ch> why even run openvpn on the router?
12:21 < wallbroken> what the openwrt stuff suggested me is to puy an rs232 ttl, connect to the router and read with minicom any bootloader message to figure out why does not bot with newer vrsions
12:22 < wallbroken> hyper_ch, because a router is always connected machine, and plus, is optimized to do "routing"
12:23 -!- thnee1 is now known as thnee
12:24 < AlmightyOatmeal> Is it possible to send the password AND static-challenge in one string?
12:25 <+hyper_ch> otoh an old computer has a more power cpu and maybe even aes-ni support and hence increasing making better performance
12:25 <+hyper_ch> using a lightweight distro and custom compile the kernel to the things needed could it even make better
12:26 < wallbroken> hyper_ch, a router drains 10 watt, an old pc drains 100 watt
12:27 <+hyper_ch> well, I've given you plenty of alternatives
12:27 <+hyper_ch> pick one that you like
12:27 <+hyper_ch> s/alternatives/options/
12:27 < wallbroken> now i'd like to figure out if the cipher warning is an old version related problem, or is for all...
12:40 < wallbroken> plus, if somebody wants, could explain to me the function of dh.pem ? is not clear at all
12:40 <+hyper_ch> !dh
12:40 <@vpnHelper> "dh" is (#1) build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN, or (#2) openssl gendh [numbits]
12:42 < wallbroken> "which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel"
12:43 < wallbroken> what d i need to negotiate?
12:43 < wallbroken> i have my own private key and public key for each client/server
12:44 < BtbN> the session key.
12:44 < BtbN> The keypair you make is for authentication, not for transport protection
12:45 <+hyper_ch> https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
12:45 <@vpnHelper> Title: Diffie–Hellman key exchange - Wikipedia (at en.wikipedia.org)
12:46 < wallbroken> please, could you explain to me with a little example?
12:46 < wallbroken> try as you want to explain to your child
12:47 <+hyper_ch> go to https://www.google.com
12:47 <@vpnHelper> Title: Google (at www.google.com)
12:48 <+hyper_ch> in the input field box enter:     diffie-hellman
12:48 <+hyper_ch> press enter
12:50 < wallbroken> tried tons and tons of links
12:50 < wallbroken> but are explaining in an harder way
12:51 < wallbroken> for example:
12:51 < wallbroken> i want to talk with you over the internet
12:51 < wallbroken> the first that you need to know is " you are really you?"
12:51 < wallbroken> and the reverse
12:51 < wallbroken> so you got my public key
12:52 < wallbroken> and ask the trust authority
12:52 < wallbroken> this certificate really belongs to him?
12:52 < wallbroken> when he said yes you could start encrypting data and send to me
14:09 < apus> hi, is there any way i can make multicast work with a remote access tun connection (ios) ? i'd like to use airprint mdns discovery
14:21 <@ecrist> no
14:23 < apus> hm, i read that using tap would open another "can of worms". could someone perhaps give me a few keywords i could search for to understand the problems i'd be facing?
14:24 <@ecrist> well, for one, tap isn't available on mobile devices
14:24 <@ecrist> !tunortap
14:24 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
14:24 <@vpnHelper> rooted/jailbroken) support only tun
14:25 < apus> so the other option would then be to manually add the appropriate records to a dns server zone i guess. perhaps i'll look into it another day.
14:25 < apus> ecrist: thank you for your help!
14:25 <@ecrist> no problem.
14:36 < wallbroken> now i'd like to figure out if the cipher warning is an old version related problem, or is for all...
14:51 < wallbroken> nobody?
15:26 < sunrunner20> i forget, does SMB perform better on TCP or UDP tunnels?
15:29 < sunrunner20> UDP
15:29 < sunrunner20> which is what i'm using, but still getting a paultry 1/6th my bandwidth (60mbit)
15:33 < Celmor> can I have fix static ips for client so I can work with it in iptables (different rules for different client/groups) or would I rather want multiple openvpn server for each rule set so I apply the rules to the tun interface it uses?
15:34 < sunrunner20> I don't know the answer to your question Celmor, but I went with the seperate VPN tunnel for each option
15:35 < sunrunner20> if they need to talk to eachother I _think_ you can do it on the router
15:35 < sunrunner20> or concatenater
15:39 < Celmor> from what I've seen, once a client connects it is assigned a static IP, don't know if I can rely on that IP for future connects though or if I can even configure one for each client (don't have many)
15:41 -!- CptLuxx is now known as ExplodingSheep
15:41 -!- ExplodingSheep is now known as CptLuxx
16:59 < rob0> sunrunner20, nothing is ever "better" with a TCP-based VPN.  The only reason ever to choose TCP is when dealing with stupid firewalls you don't control, which might not allow udp/1194 out.
16:59 < sunrunner20> k
16:59 < rob0> !ccd
16:59 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
17:00 < rob0> !static
17:00 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder, or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range, or (#5) See also: !addressing
17:00 < rob0> Celmor, ^^
17:29 < Celmor> thanks
18:37 < sunrunner20> where can I find at what logging level openVPN starts logging connection attempts?
18:48 < sunrunner20> better question
18:48 < sunrunner20> why does openVPN log client connected
18:48 < sunrunner20> if it doesn't tell you what client?
18:52 < Kryczek> sunrunner20: it does, on the "Peer Connection Initiated" line for example
18:53 < sunrunner20> sweet
18:53 < sunrunner20> thanks Kryczek
18:53 < sunrunner20> is there one for connection denied?
18:56 < sunrunner20> hrm
18:56 < sunrunner20> doesn't appear to display what IP the connection came from
18:57 < sunrunner20> oh nm
18:57 < sunrunner20> they both are
20:58 < nOOb__>  /topic
20:58 -!- nOOb__ is now known as nOOb
21:00 -!- nOOb is now known as LargePrime
21:03 <@ordex> !vpnHelper
21:03 <@vpnHelper> "vpnHelper" is "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
21:36 -!- _Catatronic is now known as Catatronic
--- Day changed Wed Oct 25 2017
03:23 < aib> !welcome
03:23 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind
03:23 <@vpnHelper> openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
03:24 < aib> !goal I would like to change my cipher
03:25 < aib> !goal
03:25 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:26 <@ordex> !manpage
03:27 <@ordex> !man
03:27 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
03:27 <@ordex> aib: check --cipher in the manpage
03:28 < aib> thanks, I am currently checking it out, but I'm not sure how the cipher is negotiated, nor what exactly to use
03:28 < aib> apparently the new default is going to be AES-256-GCM, so I should probably use that
03:30 < aib> I'm not sure what version my clients are -- nor how adding --cipher AES-256-GCM
03:32 <@ordex> aib: GCM should be supported on >=2.4.0 only
03:32 <@ordex> iirc
03:32 <@ordex> and yes, that's going to be the preferred cipher for now
03:33 < adac> hi there
03:34 < adac> Is it possible to setup a vpn server so that not all traffic is running over the vpn server itself but directly between the nodes that are connected? If yes what is the flag to enable that?
03:34 < aib> I'm currently trying to figure out how the weak cipher is negotiated.. Ah, my server is 2.3 apparently
03:35 <@ordex> aib: there is no negotiation at all for <2.4
03:35 <@ordex> only the --cipher setting matters
03:35 <@ordex> adac: what do youmean with "but directly between the nodes that are connected" ?
03:37 < adac> ordex, I mean isn't it like that that with openvpn if I have a server all traffic is running trough that server? Lets say I have two vpn nodes A and B where I send a file from A to B, doesn't that traffic go trough the VPN server?
03:37 <@ordex> adac: all traffic runs over the server only if you configure your routing table as such
03:37 <@ordex> and the routing table can be automatically set for that by openvpn if you specify the redirect-gateway option
03:38 <@ordex> but it's really just a matter of routing
03:38 < aib> Oh, AES-256-GCM doesn't exist in 2.3. Can you recommend an alternative?
03:38 < aib> CBC:
03:38 <@ordex> aib: AES-256-CBC I'd say
03:38 < aib> okies
03:38 < aib> s/:/?
03:38 <@ordex> you can check others if you want. but many cpus have aes acceleration
03:41 < aib> WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
03:41 < aib> Okay, I have to upgrade the server I think
03:41 < adac> ordex, actually this is my current server config file: https://gist.github.com/anonymous/c904885e4af6f0a10b8683df7aec7c47 Since here is not redirect-gateway option in it, what does it actually do? is there a default behaviour?
03:41 <@vpnHelper> Title: gist:c904885e4af6f0a10b8683df7aec7c47 · GitHub (at gist.github.com)
03:42 <@ordex> adac: default is to not redirect everything over the server
03:42 <@ordex> adac: however you have to check the client config too
03:42 <@ordex> the client may have it
03:46 < adac> ordex, ok I see checking the client
03:50 < aib> Okay, upgrading the server to 2.4 enabled cipher negotiation and I've upgraded to AES-256 without changing any configuration
03:54 < aib> One more thing, can anyone confirm that the fingerprint of the OpenVPN apt repo signing key is 30EB F4E7 3CCE 63EE E124  DD27 8E6D A8B4 E158 C569? (apt-key finger | grep 30EB)
03:54 <@ordex> I think it's on the community.openvpn.net website somewhere
03:54 <@ordex> maybe somebody else can confirm though
03:59 < aib> it's not in ddg's or google's index. oh well, my government prefers the nuclear 'block completely' option to the hacking option, anyway
04:09 -!- JasonO- is now known as JasonO
04:20 < adac> ordex, actually on client side I only have these settings: https://gist.github.com/anonymous/21c47ec9fc345ab8b757510e9fe41d2d
04:20 <@vpnHelper> Title: gist:21c47ec9fc345ab8b757510e9fe41d2d · GitHub (at gist.github.com)
04:26 < aib> adac: can you restate what you are trying to do? If you have clients A, B and server S, traffic between A and B go through S. This is the definition of VPN.
04:28 < adac> aib, hmm so all traffic goes trough the server, no matter what? There can never be a transmission from A directly to B or?
04:28 < aib> how is A connected to B?
04:30 < aib> Also be careful saying "all traffic". Do you also mean traffic intended for, say, Wikipedia?
04:31 < aib> A to W can be A-W or A-S-W
04:31 < aib> A-W meaning A can access wikipedia directly using the internet connection she is already using to connect to S
04:32 < aib> (assuming A connects to S over the internet... do you see how much we have to assume when you don't specify these things?)
04:33 < adac> aib, yes lets say a file transfer from node A to B. In VPN it never goes directly from A to B but trough the Server S always or?
04:33 < aib> VPN means we have S where A and B can connect through S
04:36 < aib> whether they can connect to eachother directly outside VPN is something the VPN does not care about
04:59 -!- |Mike| [~mike@178.255.49.239] has quit [Ping timeout: 248 seconds]
05:00 -!- |Mike| [~mike@178.255.49.239] has joined #openvpn
05:02 < inviz> hi. has anyone tried openvpn client to disable windows network adapters automatically? just as I am researching at the moment wonder what are my chances to find such information.
05:14 <@ordex> adac: it seems there is no redirect on the client
05:15 <@ordex> so i guess internet traffic is still going out through your default gw
06:03 < adac> kk I see
06:03 < adac> thanks guys
06:49 < freenoodle> Hi, I want to convert my openvpn from tun to tap so that all devices are on the same subnet. Ideally, clients should get their IP adresses not from the OpenVPN server but from the same router that serves local clients. Do I have to make any special provisions in the server config file for this to happen? Would a local router respond to a dhcp request coming via the TAP device of the OpenVPN server?
08:06 < rob0> What benefit do you expect from having all devices on the same subnet?  With tun and proper routing, VPN clients and LAN devices won't have any trouble communicating.
08:07 < rob0> Yes, a bridged openvpn passes DHCP broadcasts over the VPN.
08:18 < havoc> using DHCP is the main advantage to tap
08:18 < rob0> FSVO "advantage", of course
08:18 < havoc> for a small/home network, it is an Advantage, period
08:20 < havoc> but there are ways around everything, just depends on need, and skill level
08:20 < havoc> ...and determination
08:23 < havoc> I don't think I run TAP anywhere anymore, but will likely set up a TAP segment in a couple months, for 6-9 months
08:23 < havoc> just to put a temp office space in our building on our network, extend our network/LAN, for the few months that we have the additional storage space
08:24 < havoc> it all depends on which unit they lease, and for how long
08:25 < havoc> e.g. Next Door/Adjoining? WiFi bridge is good enough
08:26 < havoc> just need a single router, inventory workstation, and SIP phone, AFAIK
08:30 < DArqueBishop> The only advantage to tao is that it supports broadcasting. Otherwise, it's much easier to use tun.
08:30 < DArqueBishop> s/tao/tap/
08:31 < DArqueBishop> !tunortap
08:31 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
08:31 <@vpnHelper> rooted/jailbroken) support only tun
08:32 < rob0> And here I was hoping we'd be discussing Eastern spiritualism.
08:42 < LargePrime> greetings.  i just updated to lubuntu 17.10 and openvpn stopped conncting for me.  can you show me how o figgure out what is broken?
08:42 < LargePrime> lease ping if you reply
08:51 < DArqueBishop> LargePrime:
08:51 < DArqueBishop> !logs
08:51 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
08:51 < LargePrime> !logfile
08:51 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
08:53 < LargePrime> DArqueBishop, lubuntu 17.10.  dont have server logs, just client.  looking on how to set verb to 4 and pastebin it now
08:54 < DArqueBishop> LargePrime: you don't have admin access to the server?
08:54 < LargePrime> DArqueBishop, nope.  i just connect to my vpn provider
08:55 < DArqueBishop> You should be talking to their tech support first.
08:55 < LargePrime> ok.  i assumed it was a problem on my side after os upgrade. DArqueBishop
08:56 < rob0> could be, you might find a clue in the client logs
08:56 < DArqueBishop> It might be but support in here is really geared towards people who control both ends of the connection. I mean, we can look, but if it turns out to be server-side you'll end up needing to talk to them anyway.
08:57 < LargePrime> sure.  but i cant see how there end would change in the window of a few hours of a distro upgrade
08:57 < LargePrime> i mean, besides my luck
08:57 < LargePrime> DArqueBishop,
09:57 -!- albech1 is now known as albech
11:25 -!- abenz_ is now known as abenz
12:57 -!- albech1 is now known as albech
13:14 < wallbroken> 192.168.56.103
13:14 < wallbroken> ops
13:14 < wallbroken> service openvpn start
13:14 < wallbroken> is the right way to start openvpn?
13:15 < Catatronic> https://it.slashdot.org/story/17/10/25/0047224/duhk-crypto-attack-recovers-encryption-keys-exposes-vpn-connections
13:15 <@vpnHelper> Title: DUHK Crypto Attack Recovers Encryption Keys, Exposes VPN Connections - Slashdot (at it.slashdot.org)
13:19 <@ordex> 'when hardware vendors use a hardcoded "seed key"'
13:19 <@ordex> omg
13:19 <@ordex> whyyy
13:27 < wallbroken> ordex, can you help me
13:27 < wallbroken> ?
13:27 < wallbroken> i'm tryign to start openvpn on a new machine
13:27 < Catatronic> yeah really. talk not being clear on the concept.
13:42 <@dazo> wallbroken: that completely depends on which distro and version of it you're using
13:42 < wallbroken> dazo, debian 9
13:42 <@dazo> wallbroken: using 'service' is a very common way on RHEL/CentOS 6 and older as well as Fedora 15 and older
13:43 < wallbroken> the problem is that i do not see any log
13:43 <@dazo> wallbroken: Deb9 is using systemd ... so I'd rather recommend using 'systemctl start openvpn-{client,server}@CONFIGNAME instead
13:43 < wallbroken> root@debian:/etc/openvpn/server# /etc/init.d/openvpn start
13:43 < wallbroken> [ ok ] Starting openvpn (via systemctl): openvpn.service.
13:43 <@dazo> but that requires configs to be located under /etc/openvpn/{client,server}
13:44 < wallbroken> dazo, i did
13:44 < wallbroken> but if i do: ps aux | grep vpn
13:44 < wallbroken> i don't see it
13:44 <@dazo> wallbroken: yeah, that's Debians way how to not completely break things when upgrading from non-systemd to systemd .... but for OpenVPN at least, that is not so ideal
13:44 <@dazo> wallbroken: systemctl status openvpn-{client,server}@CONFIGNAME ?
13:44 < wallbroken> the config name is server.conf
13:45 <@dazo> wallbroken: as well as .... jounralctl --since today -u openvpn-{client,server}@CONFIGNAME
13:45 < wallbroken> and is it in /etc/openvpn/server/
13:45 <@dazo> okay, then the unit file should be:  openvpn-server@server
13:45 <@dazo> I often rename the config name to the --dev name in the config .... so I have openvpn-server@tun0
13:46 < wallbroken> comand not ound
13:46 <@dazo> which command?
13:46 < wallbroken> root@debian:/etc/openvpn/server# jounralctl --since today -u openvpn-server@server
13:46 <@dazo> journalctl :)
13:46 < wallbroken> "no entries"
13:46 < wallbroken> WTF
13:46 <@dazo> if you use --log in your config .... journalctl might not be that useful ....
13:47 < wallbroken> is that hard to start openvpn?
13:47 <@dazo> nope, there's something wrong in your config
13:47 <@dazo> can you pastebin the config?
13:47 <@dazo> or remove --log/--log-append from your config .... and try to restart it?
13:48 <@dazo> (then you'll get log extracts to 'systemctl status' as well as journalctl starts working
13:48 <@dazo> )
13:48 < wallbroken> https://pastebin.com/raw/bDbmgpWD
13:48 < wallbroken> this is my config
13:48 <@dazo> log /etc/openvpn/server/log.log  ... this is broken on many levels .... log files should never be under /etc
13:49 <@dazo>  /etc should be fairly static and contain system/service configurations
13:49 < wallbroken> dazo, yes, but what cares at this time?
13:49 <@dazo> it might be security modules denying access, as well as write access
13:50 < wallbroken> i try /home/user/log ?
13:50 < wallbroken> i don't like /var/log
13:50 <@dazo> (If you try that on RHEL/CentOS/Fedora .... it will not be able to start, because SELinux would prevent it to write data to /etc)
13:50 <@dazo> don't use --log then ... then you'll get it all in the systemd journal ... which is fairly powerful too
13:51 <@dazo> but /var/log is exactly the place where log files should go
13:51 <@dazo> (and it has been the default place for log files for at least 40 years or so)
13:52 < wallbroken> dazo, nothing
13:53 < wallbroken> i commented "log" line
13:53 < wallbroken> but does not start
13:53 <@dazo> what does 'systemctl status openvpn-server@server' say now?
13:54 < wallbroken> root@debian:/etc/openvpn/server# systemctl status openvpn-server@server
13:54 < wallbroken> ● openvpn-server@server.service - OpenVPN service for server
13:54 < wallbroken>    Loaded: loaded (/lib/systemd/system/openvpn-server@.service; disabled; vendor preset: enabled)
13:54 <@dazo> it should say much more than that
13:54 < kvoz> When I do service openvpn start on my command line, it starts just fine. But if I try to start it through a cronjob, I just get "Starting virtual private network daemon: client failed!" without any other info. How can I find out why it wont work?
13:54 < wallbroken> just some support lin
13:54 < wallbroken> oh yes
13:54 < wallbroken>   Active: inactive (dead)
13:55 <@dazo> and what does 'journalctl --since today -u openvpn-server@server' say?
13:55 < wallbroken> same
13:56 < wallbroken> no entries
13:56 <@dazo> oh ... I'd recommend to remove the --status line too .... by default you will get that file under /run/openvpn-server/status-server.log
13:56 <@dazo> the /run directory is most commonly a tmpfs (read: ramdisk) on most systemd systems .... so it keeps things clean there during boots and so
13:57 < wallbroken> same
13:57 < wallbroken> dazo, i maked that config in 2013 following the openvpn howto
13:57 < wallbroken> now thing has changed?
13:58 < wallbroken> openvpn OFFICIAL howto
13:58 <@dazo> using /etc for --status and --log has never been our recommendations at all
13:58 < wallbroken> yes
13:58 < wallbroken> but using them yes,
13:58 < wallbroken> status and log
13:58 < Haris> hello all
13:58 < wallbroken> why now you say, do not use "--log and --status" ?
13:59 <@dazo> well, a lot of things have happened in the Linux world since 2013 ...
13:59 < Haris> is there a vid or a tutorial or an article with screenshot(s) or anything useful for the first time config of both server/client ends of openvpn ?
13:59 <@dazo> wallbroken: because it is handled by default in the new systemd unit files which arrived with openvpn 2.4
14:01 <@dazo> and no, using --status and --log in /etc have not been explicitly recommended ... it might have been happening indirectly due to some distros adding --cd /etc/openvpn when starting it via init scripts (we also use a similar thing with systemd)
14:01 <@dazo> https://community.openvpn.net/openvpn/wiki/HOWTO  (the current location of the old howto)
14:01 <@vpnHelper> Title: HOWTO – OpenVPN Community (at community.openvpn.net)
14:01 < wallbroken> dazo, ok
14:02 < wallbroken> now, can we figure out why I can't make the server start?
14:02 < wallbroken> i'd like to read some log to know what's the problem
14:02 <@dazo> try to start openvpn from the command line directly .... /usr/sbin/openvpn --config /etc/openvpn/server/server.conf .... what happens now?
14:02 <@dazo> (without --log, openvpn will now spit that out to stdout)
14:02 < Haris> I haven't succeeded in configuring it before. going to try configuring it with pfsense for server/client ends
14:03 < wallbroken> dazo, all works well
14:03 <@dazo> Haris: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
14:03 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
14:04 < wallbroken> Wed Oct 25 21:02:57 2017 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1559', remote='link-mtu 1543'
14:04 < wallbroken> Wed Oct 25 21:02:57 2017 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
14:04 < wallbroken> Wed Oct 25 21:02:57 2017 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
14:05 <@dazo> wallbroken: uhm ... that looks like a client config starting
14:05 < wallbroken> dazo, i have in the client: "cipher AES-256-CBC"
14:05 < wallbroken> is wrong?
14:05 < Haris> does openvpn have client or is it available in client on windows, without license
14:05 < Haris> ..client role+..
14:05 < wallbroken> dazo, yes, i tied to connect from my client
14:06 <@dazo> Haris: https://openvpn.net/index.php/open-source/downloads.html
14:06 <@vpnHelper> Title: Downloads (at openvpn.net)
14:06 < Haris> I'v only used openvpn once, in a licensed/paid env
14:06 <@dazo> Haris: no license needed for the open source server/client
14:06 < Haris> that was back in 2012
14:06 <+hyper_ch> so, finally managed to get root encrypted zfs on debian to wrok
14:06 <@dazo> Haris: that is still the same
14:07 <@dazo> wallbroken: okay, lets take that issue after we've gotten systemd working .... that's another very different topic
14:07 < wallbroken> ok
14:07 <@dazo> wallbroken: can you please pastebin the complete output when you started the openvpn server?
14:08 < wallbroken> dazo, is there some sensible information in the log that i can't paste over the internet?
14:08 <@dazo> wallbroken: no, not really ... there's no keying material or such things being provided in the logs
14:09 <@dazo> (and if it occasionally might print some key details when having quite higher --verb levels ... those are invalid after the client disconnects)
14:10 < wallbroken> dazo: https://pastebin.com/raw/zg7e6Vzu
14:12 <@dazo> wallbroken: can you pastebin this file too?  /lib/systemd/system/openvpn-server@.service
14:16 < wallbroken> http://sprunge.us/jNEY
14:19 <@dazo> wallbroken: can you please ensure you have the latest openvpn version installed? .... this unit file you have, is missing some important issues - which can much likely be the result of your systemd unit files not managing to start openvpn
14:19 < wallbroken> dazo, i installed it 20 minutes ago
14:21 <@dazo> wallbroken: this is the latest upstream systemd unit file: https://paste.fedoraproject.org/paste/IHFIw4jkl6RdyGQ~sVhxXQ/raw  ... you can put that under /etc/systemd/system/openvpn-server@.service .. and then run:  systemctl daemon-reload
14:21 <@dazo> then try to start openvpn again ... systemctl start openvpn-server@server
14:22 <@dazo> oh ... that's not enough actually
14:22 < wallbroken> dazo, is there a way to try to update openvpn?
14:22  * dazo finds the tmpfiles.d config
14:22 < wallbroken> i dit apt-get update
14:22 < wallbroken> it's enough?
14:22 < wallbroken> *did
14:23 <@dazo> wallbroken: I don't know which patches the openvpn package maintainer in Debian have added ... I see your version is 2.4.0 (which will be like that for years, during the deb 9 life cycle), but it doesn't indicate which patches have been added from since the last releases we've done
14:23 <@dazo> our upstream version is now openvpn-2.4.4
14:24  * dazo finds the missing tmpfiles.d stuff too
14:25 < wallbroken> dazo, what about "cipher" warning?
14:26 < DArqueBishop> wallbroken: you need to have the same cipher entry on the client and server configs.
14:26 <@dazo> DArqueBishop: we're getting there ;-)
14:26 < freenoodle> rob0, if you still read this: Local name resolution. Local clients cannot find openvpn clients by name.
14:26 <@dazo> DArqueBishop: just need to get the server running properly first
14:27 <@dazo> put this ( https://paste.fedoraproject.org/paste/iKJs29y7o7pkYxrg9Rgh-g/raw ) into /etc/tmpfiles.d/openvpn.conf ... then run systemd-tmpfiles --create
14:27 < wallbroken> "cipher AES-256-CBC" is in the client because on the old server, we was using that to fix a warning
14:28 < wallbroken> but right now, with the new server
14:28 < wallbroken> i need to remove that from the client?
14:28 <@dazo> wallbroken: I'll explain this a bit later on
14:28 <@dazo> wallbroken: no, not at all ... but we're getting there
14:28 <@dazo> one thing at a time
14:28 < wallbroken> dazo, are you still thinking on the systemd problem?
14:28 <@dazo> yeah
14:28 < wallbroken> i tried restarting the machine
14:28 <@dazo> and?
14:29 <@dazo> you need the tmpfiles.d stuff with the new systemd unit I pasted a bit earlier
14:29 < wallbroken> no luck
14:29 < wallbroken> dazo, on my old debian 6, i did simply: /etc/init.d/openvpn start
14:30 < wallbroken> and all worked fine
14:30 < wallbroken> now, what's happened?
14:30 < wallbroken> debian staff broke things?
14:30 < DArqueBishop> Debian moved to systemd.
14:30 <@dazo> debian 6 is not using systemd
14:30 < wallbroken> and there is some way to uninstall systemd and set initd?
14:30 <@dazo> so ...  https://paste.fedoraproject.org/paste/iKJs29y7o7pkYxrg9Rgh-g/raw  -> /etc/tmpfiles.d/openvpn.conf  .... and put  https://paste.fedoraproject.org/paste/IHFIw4jkl6RdyGQ~sVhxXQ/raw  into  /etc/systemd/system/openvpn-server@.service
14:30 <@dazo> nope
14:31 < xemdetia> it was a wholesale platform change
14:31 < xemdetia> and you missed the vote
14:31 <@dazo> systemd is WAY better than the old way, once you get to know it
14:31 < wallbroken> but as you can see, we encoutering problems
14:31 < wallbroken> hard to fix
14:32 <@dazo> with those two files in place:  run  systemctl daemon-reload    and   systemd-tmpfiles --create
14:32 < DArqueBishop> Yeah, I was pretty leery about systemd, but experience has shown me that it's actually better to work with.
14:32 <@dazo> and ensure you have /run/openvpn-{client,server}
14:32 < wallbroken> chich files?
14:32 < xemdetia> did anyone ever actual release a good book on it? That's really my biggest pet peeve. I looked 6 months or so ago of just a good comprehensive o'reilly style thing
14:32 < wallbroken> *which
14:32 <@dazo> wallbroken:  https://paste.fedoraproject.org/paste/iKJs29y7o7pkYxrg9Rgh-g/raw  -> /etc/tmpfiles.d/openvpn.conf  .... and put  https://paste.fedoraproject.org/paste/IHFIw4jkl6RdyGQ~sVhxXQ/raw  into  /etc/systemd/system/openvpn-server@.service
14:34 < DArqueBishop> xemdetia: yeah, that would be nice.
14:35 < wallbroken> root@debian:/home/claudio# systemd-tmpfiles
14:35 < wallbroken> You need to specify at least one of --clean, --create or --remove.
14:35 < wallbroken> .
14:35 <@dazo> xemdetia: it would basically be to print https://www.freedesktop.org/wiki/Software/systemd/#thesystemdforadministratorsblogseries
14:36 <@vpnHelper> Title: systemd (at www.freedesktop.org)
14:36 <@dazo> as well as some of the other links on that web page .... plus Lennarts other systemd blog posts
14:37 <@dazo> wallbroken: I thought I said  'systemd-tmpfiles --create'
14:37 < wallbroken> sorry
14:37 < wallbroken> ok
14:37 < wallbroken> donne
14:37 < wallbroken> *doe
14:38 < wallbroken> ...
14:38 < wallbroken> *done
14:38 <@dazo> :)
14:38 <@dazo> now try to start openvpn .... systemctl start openvpn-server@server
14:39 < wallbroken> ok, started
14:39 < wallbroken> thanks
14:39 < wallbroken> and the problem was?
14:39 <@dazo> great! ... so:  systemctl status openvpn-server@server ... should be quite more informative
14:40 <@dazo> most likely that the debian package maintainer for the openvpn package have not added some important patches fixing systemd integration issues
14:40 <@dazo> now you are using the latest systemd unit file setup from openvpn v2.4.4
14:41 <@dazo> and ... journalctl --since today -u openvpn-server@server ... should also provide far more stuff too
14:42 <@dazo> wallbroken: okay ... so then, connect your client ... and we'll poke at the warnings in your logs
14:43 < wallbroken> ok
14:43 < wallbroken> 3 lines, i'll paste here:
14:44 < wallbroken> Wed Oct 25 21:38:59 2017 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1559', remote='link-mtu 1543'
14:44 < wallbroken> Wed Oct 25 21:38:59 2017 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
14:44 < wallbroken> Wed Oct 25 21:38:59 2017 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
14:44 < wallbroken> i guess the cipher warning is because on the old server, there was an openvpn 2.2.2
14:44 <@dazo> wallbroken: okay, so the link-mtu and keysize lines are probably related to --cipher
14:44 < wallbroken> and i did get warning about lower bits
14:44 < wallbroken> so i added cipher AES-256-CBC in client and server config
14:44 < wallbroken> right now cipher AES-256-CBC there is only on the client
14:45 <@dazo> wallbroken: that's good ... BF-CBC should be avoided .... and if your clients also runs openvpn 2.4.x ... then the cipher gets automatically updated to AES-256-GCM
14:45 <@dazo> how many clients do you have?
14:45 <@dazo> and which version of openvpn do they run?
14:46 <@dazo> I'm going to help you migrate over to better ciphers, without breaking old clients now
14:47 < wallbroken> dazo, so, i have openvpn connect which is a iOS client
14:47 < wallbroken> i have a windows client
14:47 < wallbroken> every client has a default cipher version depending on the version?
14:48 <@dazo> the default is BF-CBC .... but some client versions can automatically upgrade the cipher
14:49 < wallbroken> based on what?
14:49 < wallbroken> on the server side?
14:49 <@dazo> I don't recall now how the iOS client behaves .... (we're working on an updated iOS OpenVPN Connect client, going through QA now ... which should support cipher upgrading)
14:49 <@dazo> on the client and server side
14:49 <@dazo> since openvpn 2.4.0, we support what is called Negotiable Crypto Parameteres (NCP)
14:49 < wallbroken> in the sense that the client calls the server and asks: which cipher are you using? and basing on the answer,, it updates?
14:50 <@dazo> almost
14:50 < wallbroken> dazo, is better to specify the cipher? or not?
14:51 <@dazo> the client says to the server:  "I'm version x.y.z and I want to use cipher FOOBAR" .... if the server is configured to allow FOOBAR cipher, it says okay .... if the version is new enough, the cipher may rather say: "Use AES-256-GCM instead"
14:51 <@dazo> wallbroken: I'm coming there
14:51 <@dazo> wallbroken: which version is your Windows client?  openvpn 2.4?  or older?
14:51 <@dazo> and what is your clients using for --cipher?
14:52 < wallbroken> OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
14:52 <@dazo> great
14:52 < wallbroken> cipher AES-256-CBC
14:53 <@dazo> okay ... so then in your server config use:  --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-256-CBC
14:53 < rob0> freenoodle, that's definitely NOT a reason to choose tap/bridging.
14:54 < wallbroken> dazo, or is better to do not specify anything?
14:54 <@dazo> no
14:54 <@dazo> The default is --cipher BF-CBC .... and that is horrendous, and you would need to change your clients which does not support NCP
14:56 <@dazo> so my suggestion gives you the todays best cipher (AES-256-GCM) but supports clients using AES-256-CBC (which you already use)
14:56 < wallbroken> dazo, and this config works also for old servers?
14:57 < wallbroken> and also, why if i use AES-256-CBC only on client side and not on server, it is connecting anyway?
14:57 <@dazo> no, this works only for v2.4 servers
14:58 <@dazo> yes, clients using --cipher AES-256-CBC will be able to connect because they tell the server they are configured to use that ... and --ncp-ciphers AES-256-GCM:AES-256-CBC allows the AES-256-CBC cipher
14:58 <@dazo> --ncp-ciphers defines which ciphers are acceptable by the server
14:59 < wallbroken> ncp-ciphers it was not set on my server
14:59 < wallbroken> and connection happened the same
15:00 <@dazo> the Windows client is v2.4.4 .... so it will upgrade to --cipher AES-256-GCM by default when the server sees it supports NCP
15:01 <@dazo> (as the default --ncp-ciphers list is:  AES-256-GCM:AES-128-GCM)
15:02 <@dazo> the server will typically pick the first cipher from the --ncp-ciphers list when the client is running openvpn v2.4.x
15:02 < wallbroken> wait, is not cclear, server needs to know which cipher the client uses. if it does not match, what happens?
15:02 < wallbroken> i did not used ncp-ciphers, neither in the client nor in the server
15:03 <@dazo> --ncp-ciphers is by default AES-256-GCM:AES-128-GCM
15:03 <@dazo> in openvpn v2.4.x
15:03 < wallbroken> ok
15:03 <@dazo> when the client is also openvpn v2.4.x .... it will upgrade the cipher automatically to AES-256-GCM
15:04 < wallbroken> in my case, both the client and the server are 2.4.x
15:04 < wallbroken> but i did get a warning
15:04 <@dazo> If the client says:  I want to use AES-256-CBC ... and the server does *NOT* have that cipher in --ncp-ciphers and the client is v2.3 (or does not support NCP) - connection will fail
15:04 <@dazo> v2.3 or older
15:05 <@dazo> if you use --ncp-ciphers  AES-256-GCM:AES-128-GCM:AES-256-CBC   (adding the AES-256-CBC cipher) ... then that client can connect, because the server allows that cipher
15:06 < wallbroken> and the case of the warning, is this last one?
15:06 <@dazo> each client connecting which does not have a matching --cipher will produce that warning .... so that's an indication of clients needing a config update .... but if you look a little bit later in the logs, you'll see that the cipher has changed
15:07 <@dazo> typically after the PUSH_REPLY on the server
15:07 < xemdetia> dazo, I have found that blog series slightly lacking for esoteric things and more advanced stuff like the device forwarding and the nspawn things
15:07 < xemdetia> it's not really a fault but it's just not as comprehensive as I end up needing
15:07 < wallbroken> what PUSH_REPLY did?
15:07 < wallbroken> changed the cipher on the client?
15:08 <@dazo> xemdetia: fair enough
15:09 <@dazo> wallbroken: PUSH_REPLY is when the server pushes the VPN IP address, routes, etc to the client ... and as of OpenVPN v2.4.x, --cipher can be pushed (but can currently only be changed by the process - not via CCD files)
15:09 < wallbroken> and is what happened in my case?
15:10 < wallbroken> server pushed a new cipher to the client
15:11 <@dazo> yes, and then you will see a log line "Data Channel: using negotiated cipher $CIPHER"
15:12 < wallbroken> so ncp-chipers, are a list of allowed cipher?
15:12 <@dazo> yes
15:13 <@dazo> if your server uses --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC  .... and you change your client to use --cipher AES-256-GCM ... you will not see this "negotiation" and also no WARNING log line due to different ciphers
15:13 <@dazo> but clients using --cipher AES-256-CBC will still be able to connect
15:13 <@dazo> (and will produce the "negotiatied cipher" and WARNING log lines)
15:14 < wallbroken> and why you specify the same cipher both in ncp and in "cipher" ?
15:14 <@dazo> because --cipher is the default cipher .... --ncp-ciphers is "allowed ciphers" ... if you don't add the --cipher to --ncp-cipher, then things gets complicated
15:16 < wallbroken> ok
15:16 < wallbroken> and what about the "related warnings" ?
15:17 <@dazo> they are caused by the --cipher differences between client and server ... --keysize is depending on the cipher, so the default is BF-CBC with --keysize 128 ... if the client uses --cipher AES-256-CBC, --keysize is implicit set to 256 ... so by adding the --cipher/--ncp-ciphers stuff we've discussed, that should disappear
15:19 <@dazo> the --link-mtu stuff is more complicated ... as that value is calculated based on the --cipher as well.  So if client --cipher is different than server --cipher AES-256-GCM, it will still occur - but will not have an impact because the server will fix that later on (as long as it allows the client cipher)
15:19 <@dazo> if the client moves to AES-256-GCM, then that warning will also disappear
15:29 < wallbroken> dazo
15:29 < wallbroken> on old openvpn, i can use any cipher?
15:29 <@dazo> yeah?
15:29 <@dazo> wallbroken: you can use any cipher enlisted in --ncp-ciphers
15:29 <@dazo> (well, not the GCM ciphers, as they're not supported in v2.3 and older)
15:33 < wallbroken> AES-256-GCM provides more security?
15:34 <@dazo> it is faster and gives more throughput than AES-256-CBC
15:34 <@dazo> GCM ciphers does encryption + authentication in one crypto operation .... with non-GCM encryption and authentication happens in two operations
15:35 <@dazo> plus, with non-GCM each packet between client and server gets slightly larger (iirc, 20 bytes with --auth SHA1 - which is the default)
15:36 <@dazo> and on more modern hardware, AES crypto operations (including GCM) is hardware accelerated in the CPU
15:36 < wallbroken> dazo, can I ask you something about "diffie helman" ?
15:36 < wallbroken> or it's off topic?
15:36 <@dazo> sure :)
15:36 <@dazo> no, it is definitely related
15:36 < wallbroken> it's theory, not anything openvpn related
15:37 < wallbroken> each host in my openvpn network hare a public key and private key pair
15:37 <@dazo> okay, I'm not the best crypto expert here ... but I have a laymen's understanding of it
15:37 <@dazo> right
15:37 < wallbroken> each host needs to send its public key to the server, right?
15:38 <@dazo> right
15:38 < wallbroken> and server needs to send its public key to each client
15:38 < wallbroken> ok, in this operation there is nothing unsecure
15:38 < wallbroken> all is fine
15:38 <@dazo> absolutely true
15:38 < wallbroken> each host when need to encrypt data to send to the server, simply encripts using the server's public key and sends data
15:39 <@dazo> correct
15:39 < wallbroken> then the server will unencrypt with its own private key
15:39 <@dazo> yupp
15:39 < wallbroken> in all of this process, how diffie hellman comes?
15:39 < wallbroken> its' absolutely unclear for me
15:39 <@dazo> okay, so there are a few layers here in the SSL/TLS protocols
15:40 <@dazo> first, asymmetric encryption (PKI - public/private key crypto) is quite slow ... and symmetric is quite fast
15:41 <@dazo> but with symmetric crypto, both sides needs to use the same key
15:42 < wallbroken> symmetric key what does it mean?
15:42 <@dazo> encryption key
15:42 <@dazo> that means that to be able to decrypt a message, you must use the same key as the encryption key
15:42 < wallbroken> there is one pair of public and private key used on both ends?
15:42 <@dazo> okay ... let me try again
15:43 <@dazo> server and client wants to use symmetric encryption, due to the speed and efficiency ... so they use PKI to negotiate a symmetric key
15:43 <@dazo> and this is where DH comes into play
15:43 < wallbroken> stop
15:43 <@dazo> I'm not quite sure of the history how it ended up with DH  (I've forgotten it, I read good book about it by Eric Rescorla) ... but I believe it was related to the cost of generating a random key
15:44 < wallbroken> why "speed and efficiencty?
15:44 <@dazo> because PKI (asymmetric public/private crypto)  is very slow compared to symmetric crypto
15:45 <@dazo> you wouldn't be able to stream multimedia just using PKI, as the latency for each packet would be too large
15:45 < wallbroken> PKI is what i explained erlier?
15:46 <@dazo> so with DH both client and server generates some random data, passes that over the link together with some additional data ... and they derive a shared symmetric key they will use
15:46 <@dazo> PKI (public key infrastructure, essentially public/private key crypto ... AKA asymmetric crypto)
15:46 < wallbroken> so, yes, what i explained before
15:46 <@dazo> PKI also adds the concept of CAs too
15:47 < wallbroken> so, with a DH, you have a symmetric key link over the internet, right?
15:47 <@dazo> right, which is hard to crack, because it depends on some smaller random data generated on both client and server side which have never been transported over the Internet
15:48 <@dazo> well, it is hard to crack if your DH parameters file (which is public, by the way) is large enough
15:48 < wallbroken> dazo, and then, pki ?
15:48 <@dazo> the DH parameters is basically a large prime number which is shared between client and server .... and that is transported in clear text over the Internet
15:48 < wallbroken> how is involved?
15:50 <@dazo> this is a fairly advanced topic ... and I'm very rusty on the details ... I learnt the basics from this book: https://www.amazon.com/SSL-TLS-Designing-Building-Systems/dp/0201615983?SubscriptionId=AKIAILSHYYTFIVPWUY6Q&tag=duckduckgo-d-20&linkCode=xm2&camp=2025&creative=165953&creativeASIN=0201615983
15:50 <@dazo> the SSL/TLS protocol is fairly complex, and there the whole handshake between client and server tries to make everything happen in as few round-trips as possible
15:51 <@dazo> and without trying to provide too much clues as clear text
15:51 < wallbroken> so, you don't remember how PKI is introduced after DH session?
15:52 <@dazo> I don't have the book handy to refresh my memory
15:52 <@dazo> it isn't something I really need to know on a daily basis, just that DH parameters are very important to provide a secure ephemeral symmetric key used after the key exchange
15:55 < wallbroken> key exhange happens once a time?
15:56 <@dazo> in openvpn context, yes ... as the renegotiation openvpn does tears down the TLS channel and does a full reconnection
15:57 <@dazo> the SSL/TLS protocol does allow for key renegotiation too, but we've not made use of that (and that's been a good decisions as several issues have been discovered here over the years)
15:57 <@dazo> Part of the TLS 1.2 handshake ... https://tools.ietf.org/html/rfc5246#section-7.4.3
15:57 <@vpnHelper> Title: RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2 (at tools.ietf.org)
15:57 < wallbroken> "cipher" is something related to this?
15:58 <@dazo> no, not really.  Because OpenVPN does add its own key exchange on top of TLS/SSL
15:58 <@dazo> The OpenVPN wire protocol consists of two channels: Data Channel and Control Channel
15:58 < wallbroken> cipher is the algorithm used to encrypt ?
15:59 <@dazo> the Data Channel is where the tunnelled network traffic goes.  The encryption used on the data channel is controlled via the --cipher option
15:59 <@dazo> the Control Channel implements the SSL/TLS protocol and it uses pretty much a default set of ciphers, which can be modified by --tls-cipher
15:59 <@dazo> but it is generally not recommended to modify --tls-cipher at all
16:00 <@dazo> (the default is pretty much safe and secure for the vast majority of users)
16:01 <@dazo> so OpenVPN uses the control channel to do a key exchange and uses that key as a symmetric key with the configured (or negotiated) --cipher
16:02 <@dazo> and on each --reneg-* event (--reneg-sec is 1 hour by default) ... that symmetric key used on the data channel is rotated
16:02 <@dazo> (and with "rotated" I mean, replaced with a new key)
16:04 < wallbroken> dazo, in my case, it was openvpn itself that suggeste me to set the cipher
16:05 <@dazo> --cipher is fine to change ... and using --cipher AES-256-{GCM,CBC} is generally recommended
16:05 <@dazo> but --tls-cipher is something different
16:05 <@dazo> --cipher tackles the Data Channel in the OpenVPN protocol .... --tls-cipher tackles the Control channel in the OpenVPN protocol
16:07 < wallbroken> so is not clear the function of --cipher
16:08 <@dazo> to establish an OpenVPN connection, the client connects to a server where the SSL/TLS protocol is used (which goes over the control channel in the OpenVPN protocol)
16:09 <@dazo> this communication is pretty much like any SSL/TLS connection ... certificates are exchanged, authenticated and the control channel goes encrypted using a shared symmetric key
16:10 <@dazo> Then the server and client starts negotiating a new symmetric encryption key over the encrypted control channel (which is SSL/TLS)
16:10 <@dazo> in addition, the lots of other stuff is communicated ... like the PUSH_REPLY stuff and lots of other things
16:11 <@dazo> once that is done, the new symmetric key is "installed" on the data channel, as well as the --cipher.  Whenever the tun/tap device gets a network packet, OpenVPN encrypts that packet using the symmetric data channel encryption key and passes that to the remote side
16:12 < wallbroken> very complicated
16:12 < wallbroken> there are also other stuff in my case
16:12 < wallbroken> like ta.key
16:12 <@dazo> the remote side receives that packet, authenticates and decrypts it and puts it on the tun/tap device
16:12 <@dazo> the ta.key is related to another security layer
16:13 <@dazo> When --tls-auth (or --tls-crypt) is added ... each control channel packet in the OpenVPN protocol sent over the Internet gets a "unique signature", which is calculated using the ta.key
16:14 <@dazo> when the remote side receives that packet, it first authenticates the "signature" using its own ta.key ... and if it matches, the packet is sent to the SSL/TLS library to be decrypted
16:14 <@dazo> if it does not match, OpenVPN will just drop the packet
16:15 <@dazo> --tls-auth/--tls-crypt encapsulates the SSL/TLS data with an additional security layer ... so if a flaw new is found in the SSL/TLS protocol, only those having a copy of your ta.key can manage to attack your VPN server or client
16:16 < wallbroken> ta.key was suggested to me here by some operator when my openssl version was intacted by some important bug
16:16 < wallbroken> to prevent botnet attack they said to me to add ta.key
16:16 <@dazo> using --tls-auth makes a lot of sense
16:16 <@dazo> yeah, absolutely true
16:17 <@dazo> and if you use --proto udp .... port scanners will not even see your OpenVPN UDP port at all
16:17 < wallbroken> why? UDP for stateless reason?
16:18 <@dazo> !tcp
16:18 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
16:18 < wallbroken> i'm quite expert in TCP/UDP
16:18 <@dazo> in most cases, UDP will give better performance
16:18 < wallbroken> the problem i think is the fact that congestion control algorithms
16:18 <@dazo> nope, TCP over TCP is far worse
16:18 < wallbroken> if you put into each other, maybe some strange effect will produced
16:19 < wallbroken> yes, and the reason is what i said, the congestion control algorithm used in TCP
16:21 <@dazo> ahh, I thought of the Nagle algorithm
16:22 < wallbroken> https://en.wikipedia.org/wiki/TCP_congestion_control
16:22 <@vpnHelper> Title: TCP congestion control - Wikipedia (at en.wikipedia.org)
16:31 < wallbroken> dazo, maybe, i'm looking for o some google website about DH and PKI correlation
16:35 <@dazo> wallbroken: the SSL/TLS specifications are probably the best source ... like this: https://tools.ietf.org/html/rfc5246#section-8.1
16:35 <@vpnHelper> Title: RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2 (at tools.ietf.org)
16:36 <@dazo> but to get a full understanding of the TLS 1.2 protocol, you might need to dive in the previous versions .... or grab the book by Eric Rescorla ;-)
16:37 < wallbroken> understanding a book is not a fast work
16:37 < wallbroken> i just need an answer to my question :P
16:37 <@dazo> well, understanding the TLS/SSL protocol is also not fast work ;-)
16:38 < wallbroken> <squib0> wallbroken, DH means the encryption key for transport is derived from knowing the peer's public key
16:38 < wallbroken> the encryption/session key is not sent over the transport
16:38 <@dazo> that is very coarsely said ... and not strictly true ... as that would give the same key each time, so there is more to it ... but very much related
16:39 <@dazo> DH is an algorithm to exchange a secret over an insecure network
16:41 < wallbroken> <squib0> wallbroken, the relationship between DH and PKI is that the public keys is used by DH to generate a secret encryption key
16:42 <@dazo> that is true, but there is some randomness and the DH parameters added into the mix too ... so still a bit too course
16:43 <@dazo> basically it runs down to deriving a pre-master and master key ... and how bits of them (but not entirely) are exchanged over the network, again building on the PKI
16:43 <@dazo>        master_secret = PRF(pre_master_secret, "master secret",
16:43 <@dazo>                            ClientHello.random + ServerHello.random)
16:44 <@dazo> PRF --- https://en.wikipedia.org/wiki/Pseudorandom_function_family
16:44 <@vpnHelper> Title: Pseudorandom function family - Wikipedia (at en.wikipedia.org)
16:45 < wallbroken> dazo, they explained me
16:45 < wallbroken> [23:43:44] <wallbroken> then the server will unencrypt with its own private key
16:45 < wallbroken> [23:43:49] <squib0> that's where you have it wrong
16:45 < wallbroken> [23:44:13] <squib0> the public/private key pair is not used for the actual data
16:45 < wallbroken> [23:44:26] <squib0> it is only used to protect negotiations
16:45 < wallbroken> [23:44:39] <meyou> the pairs are used to create a key that they'll use for encryption
16:45 < wallbroken> sorry for the paste
16:46 <@dazo> that is correct
16:46 < wallbroken> [23:44:52] <squib0> asymmetric keys are too slow and inefficient to process a large amount o fdata
16:49  * dazo heads home ... getting late here
16:50 < wallbroken> ok, where do you come from?
16:50 <@dazo> .no
16:51 < wallbroken> that's a domain
22:25 -!- abenz_ is now known as abenz
--- Day changed Thu Oct 26 2017
06:16 <@dazo> !learn duhk as OpenVPN is not vulnerable to DUHK. It does not use any hard coded keys, neither OpenSSL nor mbed TLS touches the broken ANSI X9.31 algorithm and both libraries does re-seeding on regular intervals. More details on DUHK: https://duhkattack.com/
06:16 <@vpnHelper> Joo got it.
06:16 <@dazo> !duhk
06:16 <@vpnHelper> "duhk" is OpenVPN is not vulnerable to DUHK. It does not use any hard coded keys, neither OpenSSL nor mbed TLS touches the broken ANSI X9.31 algorithm and both libraries does re-seeding on regular intervals. More details on DUHK: https://duhkattack.com/
06:17 <@dazo> !learn vulninfo as See these factoids for more info about specific vulnerabilities: !heartbleed !poodle !ovpnuke !sweet32 !duhk
06:17 <@vpnHelper> Joo got it.
06:18 -!- dazo changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire /topic || Current Release:2.4.4 (26 September 2017) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || Your problem is probably firewall. Really || TAP/bridging is almost always a bad idea || Vulninfo: see !vulninfo || EasyRSA v3.0.3 Released!
06:18 <@dazo> !!vulninfo
06:18 <@dazo> !vulninfo
06:18 <@vpnHelper> "vulninfo" is See these factoids for more info about specific vulnerabilities: !heartbleed !poodle !ovpnuke !sweet32 !duhk
07:33 <@dazo> !forget duhk
07:33 <@vpnHelper> Joo got it.
07:33 <@dazo> !learn duhk as OpenVPN is not vulnerable to DUHK. It does not use any hard coded keys, neither OpenSSL nor mbed TLS touches the broken ANSI X9.31 algorithm and both libraries does re-seeding on regular intervals. More details on DUHK: https://community.openvpn.net/openvpn/wiki/DUHKattack https://duhkattack.com/
07:33 <@vpnHelper> Joo got it.
07:33 <@dazo> !duhk
07:33 <@vpnHelper> "duhk" is OpenVPN is not vulnerable to DUHK. It does not use any hard coded keys, neither OpenSSL nor mbed TLS touches the broken ANSI X9.31 algorithm and both libraries does re-seeding on regular intervals. More details on DUHK: https://community.openvpn.net/openvpn/wiki/DUHKattack https://duhkattack.com/
07:55 <@novaflash> fuck a duhk
07:59 < rob0> quahk
08:31 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 246 seconds]
08:51 < LargePrime> its getting hkot in hkere
09:21 < TheWhisper> Hi, I'm trying to split tunnel on a macOS client. I want to connect to my IRC bouncer on my VPS through the tunnel, but all other traffic on the client should not be routed through the tunnel.
09:22 < TheWhisper> I've added a line in my client config: `route add <VPS IP> 192.168.2.9 255.255.255.0`, which I believed should redirect any traffic to the VPS IP through the VPN
09:24 < TheWhisper> If I run `ifconfig` while the VPN is connected, I see: `utun1: inet 192.168.2.10 --> 192.168.2.9 netmask`
09:25 < TheWhisper> Do I have my `route add` command set properly based on the `ifconfig` output?
09:29 < DArqueBishop> TheWhisper: Is your VPS the OpenVPN server?
09:31 < TheWhisper> No
09:32 < TheWhisper> I've changed the route in my client config to be `route <VPS IP>` and I think it's working now
09:34 < TheWhisper> DArqueBishop, yeah, updating the `route` command in the client config seems to have done it
09:38 < TheWhisper> Thanks :)
10:45 -!- dazo [~meme@openvpn/corp/developer/dazo] has joined #openvpn
10:45 -!- mode/#openvpn [+o dazo] by ChanServ
11:35 < a1fa> hello.. is there an option to stop openvpn from retrying to connect after X failures?
11:35 < a1fa> openvpn-client
11:36 < a1fa> connect-retry-max ?
11:42 < a1fa> dang
11:42 < a1fa> auth-retry interact is what i need
11:42 < a1fa> but it does not work
11:42 < a1fa> because the openvp server is not sending back AUTH_FAILED
11:43 < a1fa> instead, SIGUSR1
11:43 < a1fa> anyway to prompt users to reauth on connection reset?
11:49 <@dazo> a1fa: look at --single-session
11:50 <@dazo> --auth-retry will only work if you're using --auth-user-pass and you have an established connection to the server
11:50 <@dazo> --tls-exit might also be related
11:51 <@dazo> --resolv-retry  is also a good candidate
11:52 <@dazo> --connect-retry is the proper option .... which takes one or two arguments
11:52 <@dazo> duh
11:52 <@dazo> --connect-retry-max is there, I'm blind
11:53 <@dazo> but it all runs down to which state OpenVPN is in when the reconnection happens .... as that there are various options for these various states
12:20 < a1fa> let me check tls-exit
12:21 < a1fa> tls-exit would be good.. but it sucks on windows
12:21 < a1fa> because window goes away and people dont know if they connected or not
12:21 < a1fa> i really need auth-retry tls :X
12:22 < a1fa> re-enter creds on tls retry
12:22 < a1fa> because of OTP
12:23 < a1fa> so -- basically what is happening is i am getting "Connection reset, restarting [0]" if auth is  bad
12:23 < a1fa> SIGUSR1[soft,connection-reset]
12:26 < a1fa> man. remap-usr1
12:26 < a1fa> so close
12:32 < a1fa> i would need auth-retry always
12:35 < a1fa> hey it worked on windows client
12:35 < a1fa> -auth-user-pass -auth-retry interact -remap-usr1 SIGHUP
12:35 < a1fa> it didnt work on openbsd client
12:35 < a1fa> but its ok
12:37 < a1fa> openbsd client bug?
12:41 < a1fa> so; happy with those results
12:42 < a1fa> openbsd people can deal w/ it. :X
12:42 < a1fa> but i should still submit a bug for it? no
13:48 < m00n_urn> !def1
13:48 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
13:49 < a1fa> !;x'
14:58 -!- dazo [~meme@openvpn/corp/developer/dazo] has quit [Quit: Leaving]
17:41 < |Mike|> morning!
19:09 -!- m0nkey__ is now known as m0nkey_
21:12 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 260 seconds]
--- Day changed Fri Oct 27 2017
01:59 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
01:59 -!- mode/#openvpn [+o novaflash] by ChanServ
03:19 <+hyper_ch> damn, dazo isn't here
03:34 -!- pekster [~rewt@openvpn/community/developer/pekster] has quit [Ping timeout: 260 seconds]
03:40 -!- pekster [~rewt@openvpn/community/developer/pekster] has joined #openvpn
03:40 -!- mode/#openvpn [+o pekster] by ChanServ
04:03 -!- abenz_ is now known as abenz
05:41 <+hyper_ch> ecrist: krzee: ordex: https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20with%20Linux.pdf
06:37 -!- dazo [~meme@openvpn/corp/developer/dazo] has joined #openvpn
06:37 -!- mode/#openvpn [+o dazo] by ChanServ
07:19 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: by bye]
07:19 <@ordex> hyper_ch: 404
07:19 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
07:19 -!- mode/#openvpn [+v s7r] by ChanServ
07:20 <+hyper_ch> ordex: loads fine here
07:20 <@ordex> ah here too actually :P
07:21 <+hyper_ch> YOU MADE ME OPEN IT TWICE!!!
07:21 <@ordex> :O
07:21 <@novaflash> hyper_ch: are you sure it's working?
07:21 <@novaflash> better check again
07:21 <+hyper_ch> novaflash: nah, I told them to block you
07:22 <@novaflash> that's actually a very good idea
07:22 <+hyper_ch> blocking you or replacing miserable UEFI with linux?
07:28 <@novaflash> both
07:29 <+hyper_ch> :)
07:29 <+hyper_ch> novaflash: you don't happen to understand german?
07:29 <@novaflash> i can get about 70% of a conversation, about 95% of written text
07:34 <+hyper_ch> https://www.golem.de/news/freie-linux-firmware-google-will-server-ohne-intel-me-und-uefi-1710-130840.html
07:34 <@vpnHelper> Title: Freie Linux Firmware: Google will Server ohne Intel ME und UEFI - Golem.de (at www.golem.de)
07:37 < havoc> very interesting, the NERF thing
07:37 <@novaflash> well to be fair it's a good idea to not have that intel me shit in there
07:37 <@novaflash> and uefi is just a pain in the ass
07:39 <+hyper_ch> dunno about intel ME stuff... is that like "Millennium Edition"?
07:39 <+hyper_ch> but uefi is really pita
07:39 <@novaflash> no it's a management engine
07:40 <+hyper_ch> don't remember windows ME? :)
07:40 <@novaflash> you know iLO and DRAC and IPMI and such?
07:40 <@novaflash> unfortunately i do
07:40 <+hyper_ch> see, Intel ME :)
07:40 <@novaflash> you want me to intel you?
07:40  * novaflash jams a CPU up your bumhole
07:40 <+hyper_ch> from the article I gathere it's good to not have any ME
07:40 <@novaflash> damn straight
07:40 <+hyper_ch> lets see if znapzend works for me
07:40 <@novaflash> you don't want that shit
07:40 <@novaflash> especially since intel has an option to disable it
07:41 <@novaflash> but in some versions it was bugged
07:41 <@novaflash> and it would still work
07:41 <+hyper_ch> how do I find out if I'm Intel ME contaminated?
07:41 <@novaflash> at startup you'll see messages about Intel Management Interface
07:41 <@novaflash> and in devmgmt.msc on Windows you'll likely see a serial interface device or SOL device as well
07:41 <+hyper_ch> I don't have devmgmt.msc
07:41 <@novaflash> you can also look up specs on your mainboard to see if Intel ME is supported
07:42 <@novaflash> yeah well you're on the cheap version of Windows then aren't you? what's it called again
07:42 <+hyper_ch> :)
07:42 <@novaflash> Lunix or something
07:42 <+hyper_ch> yes
07:42 <+hyper_ch> doesn't everyone run linux nowadays?
07:42 <@novaflash> well then you don't have devmgmt.msc
07:42 <@novaflash> i still run human v1.0
07:42 <@novaflash> amd windows let in some light here
07:43 <@novaflash> anyways, intel management stuff is like remote network KVM, so full control of a computer
07:43 <@novaflash> afaik they use the VNC protocol for it
07:44 <+hyper_ch> reason I go for intel usually is because their stuff just works on linux.. ethernet, wifi, video
07:45 <@novaflash> intel is great, i love their shit
07:45 <@novaflash> just not that thing
07:45 <+hyper_ch> although I heard that the new amd cpus give equal bang for less buck
07:46 <@novaflash> this must upset the whores at intel HQ
07:47 <+hyper_ch> well, don't really know
07:47 < rob0> I actually hit a few bugs with my Intel stuff and a 3.12.x kernel (Slackware64 14.1.)  But a kernel upgrade took care of it.  And now with 4.9.52, it's all good.
07:49 < rob0> My wifi didn't work, and my Ethernet had intermittent bugs preventing suspend.
07:49 < rob0> rmmod e1000 ; pm-suspend
07:58 <@novaflash> rob0; stop breaking things
08:02 < rob0> what's the fun in that?
08:10 <@novaflash> good point. rob0; keep breaking things. you're doing god's work.
08:20 < |Mike|> haha
09:02 < a1fa> ;X
09:02 < a1fa> looks like tunnelblick is also broke
09:02 < a1fa> and openbsd openvpn client ;X someone feex it
09:14 < a1fa> can anyone test something for me on a linux openvpn client 2.4.4?
09:14 < a1fa> -auth-user-pass -auth-retry interact -remap-usr1 SIGHUP
09:14 < a1fa> send sighup to the process, see if it asks you for a password
09:15 < rob0> if you're using --daemon, there would be no terminal upon which to ask/get a password.
09:16 < a1fa> interactive session
09:16 < a1fa> please
09:20 -!- nb_ is now known as nb
10:47 < a1fa> bueller?
12:21 < BSoff3n> Hello, i want to add cipher to my VPN server, can i add this line to my config without change any other things? or i must create new certificates after?
12:27 <@dazo> BSoff3n: You can change --cipher without doing much more .... but generally speaking, you need to change it on both sides
12:27 < BSoff3n> of course
12:27 < BSoff3n> thank you
12:27 <@dazo> BSoff3n: if both client and server is OpenVPN 2.4 .... then you can do more fancy stuff, allowing clients to use different ciphers
12:28 <@dazo> sorry, if *server* is OpenVPN 2.4
12:28 <@dazo> if both server and client are 2.4, then they will most commonly upgrade automatically to AES-256-GCM
12:28 <@dazo> (read about -ncp-ciphers in the 2.4 man page for more details)
12:29 < BSoff3n> i think i must update my server, my Version is 2.2
12:30 <@dazo> eek ... yeah, that is completely outdated
12:30 <@dazo> we haven't done any official version updates on 2.2 for a loooong time
12:30 <@dazo> the oldest we do keep in shape nowadays is 2.3
12:30 <@dazo> but only bug and security fixes
12:32 < BSoff3n> okay, i will update it quick ^^
13:15 <@dazo> !man
13:15 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
13:15 <@dazo> BSoff3n: ^^^
13:16 <@dazo> don't ask such simple questions in PMs
13:16 < BSoff3n> sorry
13:19 < BSoff3n> exist a manual for updating?
13:20 <@dazo> updating what?
13:21 < BSoff3n> openvpn 2.2 to 2.4
13:21 <@dazo> ahh
13:22 <@dazo> I'd recommend you to read through this one: https://gitlab.com/openvpn/openvpn/blob/1f458322cdaffed02184df8c638bde69256a840a/Changes.rst
13:22 <@vpnHelper> Title: Changes.rst · 1f458322cdaffed02184df8c638bde69256a840a · OpenVPN / openvpn · GitLab (at gitlab.com)
13:23 <@dazo> That file contains most of the user visible changes
13:24 <@dazo> but there does not exist a "script" of what you must change .... it will most likely work out-of-the-box, unless the exceptions are listed in Changes.rst
13:24 <@dazo> unless features you are using are listed in that file, I mean
13:25 <@dazo> read the whole file too .... as we haven't found a good way to organize it properly
13:26 < BSoff3n> okay thank you
13:26 <@dazo> oh, and this one is also good to beware of:  https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
13:26 <@vpnHelper> Title: DeprecatedOptions – OpenVPN Community (at community.openvpn.net)
13:34 -!- dazo [~meme@openvpn/corp/developer/dazo] has quit [Quit: Leaving]
14:26 < DF3D2> how do I stop it from using "preserving recently used remote address" since that IP is wrong and has been changed in my config ?
14:26 < DF3D2> windows client
15:09 < DF3D2> hi, I have set a dns in my .ovpn file but it still tries to use my local dns and the VPN subnet before the "set" DNS that I need to use
15:09 < DF3D2> nvm i fixed it
16:25 < baconology> hi
16:26 -!- albech1 is now known as albech
16:26 < baconology> i have openvpn running and clients can successfully connect to it.   the TUN adapter has an address of 10.8.x.x, and my client machines show a default gateway of 10.8.0.5 and i am getting an ip of 10.8.0.6
16:26 < baconology> but how the hell do i get to my samba share that is setup on eth0 with ip 192.168.0.35
16:27 < baconology> what am i missing fundamentally here?
16:27 < baconology> or even an FAQ for some additional reading would be wonderful
16:42 < baconology> i need this openvpn to route between my work internal IP and itself, and send that data to the remote clients
16:42 < baconology> i have no idea where to go from here but feel like i must be missing something very obvious
16:44 < baconology> i can get to the samba share by goign to the vpn interface IP while connected
16:44 < baconology> which is great
16:44 < baconology> but how do I make this machine route 192.168 to 10.8 ??
16:46 < rob0> you want to access services on LAN machines local to the server?
16:46 < rob0> if so,
16:47 < rob0> !serverlan
16:47 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
16:47 < rob0> and see also:
16:47 < rob0> !/30
16:47 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
16:48 < boritek> hello, I am trying to connect to openvpn on my router from my android phone but it keeps timing out. First I thought it is firewall issue and the phone does not get any response, but I made a tcpdump, and there is some kind of feedback, check this screenshot: https://pasteboard.co/GQVie6i.jpg
16:49 < boritek> what is the P_ACK_V1 exactly? I guess it is some kind of acknoledge, confirmation, but that is the last messeage in the session
16:49 < baconology> the machine that is the openvpn server is also the samba server
16:49 < boritek> thereafter a new session begins with the same lines
16:49 < baconology> oo !ipforward
16:49 < boritek> and thereafter it times out
16:49 < baconology> !ipforward
16:49 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
16:49 < baconology> !route
16:49 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
16:50 < baconology> !topology
16:50 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
16:50 < baconology> thanks for the reading
16:50 < baconology> i will investigate and return with results, cheers rob0
16:50 < rob0> yw
16:51 < rob0> !welcome
16:51 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
16:51 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
16:51 < rob0> #8 applies
16:52 < boritek> rob0: are you sending it for me?
16:55 < baconology> !topology was not helpful in this circumstance
16:55 < baconology> too difficult to understand this, im dumb
16:55 < baconology> ahh i need ipforward
16:55 < baconology> !linipforward
16:55 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
16:55 < baconology> oh jesus christ
16:55 < baconology> lol!!
16:56 < baconology> ill google linux ip forwarding
16:58 < baconology> so i need to modify sysctl.conf for perm solution, question is, how do i specify to ubuntu WHICH interfaces to forward
16:58 < baconology> i can go set net.ipv4.ip_forward = 1 in sysctl.conf , but do i need to do anything else?
17:46 < baconology> sysctl: /sbin/sysctl /etc/sysctl.conf /etc/sysctl.d /usr/share/man/man8/sysctl.8.gz /usr/share/man/man2/sysctl.2.gz
17:46 < baconology> which one do i want
18:36 < |Mike|> all. I want it all!!!!!!! :-D
18:36 < |Mike|> baconology: how many active interfaces do you have?
18:37 < |Mike|> baconology: you could also bind samba to 10.8.0.1 ;-) Or add... some routes :-p
18:38 < |Mike|> or... -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE for example
18:39 < |Mike|> orrrrrrrr !def1
18:39  * |Mike| out &
--- Day changed Sat Oct 28 2017
00:08 -!- abenz_ is now known as abenz
02:19 -!- albech1 is now known as albech
03:05 -!- abenz__ is now known as abenz
03:14 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Quit: foo!]
03:15 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
03:15 -!- mode/#openvpn [+o plaisthos] by ChanServ
07:46 < kishmesh> hi. after updating openvpn server to version 2.4.4., connecting with openvpn 2.4.4. client, I'm having very slow download speeds, while the upload performance is normal. Any idea what could be the issue?
08:04 <@ordex> kishmesh: never heard of a speed regression when upgrading to 2.4.4
08:04 <@ordex> do you have any special setting in your setup ?
08:04 <@ordex> mtu, other tunnel, etc ?
08:05 <@ordex> kishmesh: to (dis)prove the problem you could go back now to the old version and try again. actually, what was the previous version ?
11:11 < alice|wl> hello, i m failing to turn of redirect-gateway option. I dont have redirect-gateway in server or client config but get an additional default route anyway
11:43 < alice|wl> oh, dhcpcd gave me the route
12:50 < redrabbit> i have an issue with openvpn connect on android marshmallow
12:50 < redrabbit> it doesnt seem to get the "push dhcp-option" for dns servers
12:50 < redrabbit> worked fine on android 4.X
12:51 < redrabbit> maybe i have to add the dns line in the .ovpn file
13:05 < redrabbit> yep. its a dns pushing issue
13:06 < redrabbit> setprop net.dns1 80.80.80.80 solves it
13:06 < redrabbit> would be good to find a way to do it from the .ovpn though
13:12 < kishmesh> Hi. I updated my vpn server from version 2.4.1 amd64 to version 2.4.4 .. when downloading with vpn client 2.4.4 speed is <10KB/s while upload works fine. What could be the issue?
13:14 < redrabbit> https://www.codeword.xyz/2016/09/08/solving-openvpn-dns-issues-on-android-clients/ < looks like its a known issue
13:14 <@vpnHelper> Title: Solving OpenVPN DNS Issues on Android Clients (at www.codeword.xyz)
13:16 < kishmesh> looking at both client/server logs with --verb 5 I cannot see anything wrong
14:38 < a1fa> openvpn linux client does not even recognize SIGHUP signal
14:38 < a1fa> pretty much ignores it
14:41 < rob0> maybe you did something wrong?
14:56 -!- flying_sausages_ is now known as flying_sausages
15:32 -!- abenz__ is now known as abenz
15:39 < apus> hi, has anyone here an idea what might be different for an older iphone4 with ios 7.1.2 compared to ios 9 that the same vpn profile leads to the ability to query dns, ping local network hosts, ping the internet, etc. but for 7.1.2 neither surfing the web, nor accessing imap servers, etc. works. the gateway seems to be set just fine, otherwise traceroute would fail
15:40 < apus> i can't honestly figure out why i can't get to google.com via safari, if i can ping it.
15:55 < apus> nevermind
16:09 < redrabbit> i have the same issue
16:09 < redrabbit> :|
16:30 < kishmesh> my download speed view openvpn 2.4.4 is extremely low (< 10 KB/s) ... could it be an MTU issue? How do I know I have to adjust this?
17:51 < hmmwhatsthisdo> Not sure if this should be directed to #openvpn-windows: is there a way to have an oVPN client disconnect automatically when a host is on a specific network?
17:55 < hmmwhatsthisdo> I have two clients (one Mint, one Windows) that have tunnels open to an external oVPN server provided by a club I'm working with, so that the windows client (my laptop) can talk to the mint client (my dev VM) when I'm out of the house - however, it doesn't make much sense for the tunnel to be active on my laptop when I'm at home
18:19 < kishmesh> hi. could somebody help me to understand why I'm seeing this error message on my server side? https://openvpn.net/index.php/open-source/faq/79-client/317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq.html
18:19 <@vpnHelper> Title: "MULTI: bad source address from client , packet dropped" or "GET INST BY VIRT: [failed]"? (at openvpn.net)
18:25 < redrabbit> ah. found a solution
18:25 < redrabbit> i run dnsmasq along the openvpn server and push that as a dns server
18:25 < redrabbit> so its forced to use the tunnel to use it
18:25 < redrabbit> and it works on marshmallow now
19:07 < HazWard> !welcome
19:07 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
19:07 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
19:09 < HazWard> !goal I would like to be able to make my OpenVPN server connect to a OpenVPN client like PIA to make my existing clients have their traffic routed to PIA
19:58 < DArqueBishop> HazWard: you might want to check your PIA user agreement. I would be surprised if they didn't frown on such things.
23:24 -!- esde [a5e37d5b@openvpn/user/esde] has joined #openvpn
23:24 -!- mode/#openvpn [+v esde] by ChanServ
--- Day changed Sun Oct 29 2017
04:43 -!- dionysus70 is now known as dionysus69
06:12 -!- zvirbliukas1 is now known as zvirbliukas
07:06 < kishmesh> exit
08:33 -!- zvirbliukas1 is now known as zvirbliukas
13:19 < xaviergmail> Say I want clients to translate a WAN subnet to its LAN counterpart eg clients trying to connect to 100.100.100.0/16 instead connect to 10.0.0.0/16 how would I achieve that?
13:24 < xaviergmail> I essentially want requests to a specific IP range behind to appear to come from my openvpn lan when a client is connected to avoid needing 2 dns entries per ip
13:40 -!- _Catatronic is now known as Catatronic
15:52 < andrew-ii53> !welcome
15:52 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
15:52 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
15:52 <@vpnHelper> you
15:53 < andrew-ii53> !route
15:53 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
16:09 < andrew-ii53> !topology
16:09 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
16:09 < andrew-ii53> !interface
16:09 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6), or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn', or (#4) For
16:09 <@vpnHelper> Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
16:10 < andrew-ii53> !goal
16:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:11 < andrew-ii53> I would like to connect to a VLAN behind the OpenVPN server. My client is Windows 10, OpenVPN is served on a remote machine under 10.8.0.0/24. The same machine hosting OpenVPN also hosts MAAS which controls a number of subnets on other VLANs, like 10.100.0.0/16 VLAN ID 100.
16:14 < andrew-ii53> It looks like the MAAS subnets are unreachable from 10.8.0.0/24. For example, MAAS runs 10.100.0.0/16 from a gateway address of 10.100.0.1 on dev bond0. OpenVPN runs 10.8.0.0/24 from 10.8.0.1 on dev tun0. The host I would like to reach is 10.100.0.101, behind MAAS.
17:18 < redrabbit> andrew-ii53: push "route 10.100.0.0 255.255.0.0"
17:18 < redrabbit> route 10.100.0.0 255.255.0.0
17:19 < redrabbit> +enable forwarding
17:25 < Gaaab> hi !
17:27 < Gaaab> what openvpn version supports cipher AES-256-GCM ?
17:29 < cyberanger> Gaaab: I want to say that's in 2.4, what version are you on?
17:29 < Gaaab> debian stretch
17:30 < Gaaab> and
17:30 < cyberanger> Did you install with apt?
17:30 < Gaaab> yep
17:31 < Gaaab> OpenVPN 2.4.4
17:33 < cyberanger> Uhh, your saying your on 2.4.4 in Strech? (I thought Strech-backports was on 2.4.3)
17:34 < Gaaab> would clients support it ?
17:34 < cyberanger> Anything that's 2.4 or newer.
17:34 < Gaaab> clients as debian/ubuntu network manager
17:35 < cyberanger> Right, so as long as it's using openvpn 2.4 or newer underneath your client's covered. Your server would also have to be that new too.
17:36 < cyberanger> From what you said your debian strech install would be.
17:38 < Gaaab> that's a great news
17:40 < Gaaab> thanks
17:41 < cyberanger> Gaaab: No problem, anytime.
17:41 < Gaaab> :)
20:44 < kishmesh> hi folks. i'm having trouble with vpn download speed. how to debug?
20:45 < kishmesh> case 1) download file via vpn tunnel from server where openvpn is running => good speed
20:45 < kishmesh> case 2) download file via vpn tunnel from WAN (firewall on vpn server does nat-ing) => download speed very slow (<10KB/s)
20:47 < kishmesh> from case 1 I can conclude that the slow speed is not because of VPN encryption or MTU settings, nor my ISP throttling VPN/UDP packets. Correct?
20:47 < kishmesh> regarding the firewall, it is an OpenBSD firewall with very basic settings / nat-ing, I doubt that this is the problem.
20:48 < kishmesh> what else could it be?
22:41 < andrew-ii53> I want to connect to a host on a remote VLAN. OpenVPN (dev tun0 on 1.8.0.1) says the IP 10.100.0.11 is unreachable, but I can connect to 10.100.0.1, which is on the same server as OpenVPN (but on dev bond0)
22:42 <@ordex> andrew-ii53: did you enable forwarding? and do nodes in 10.100.0.0/24 know how to reach 1.8.0.0/24 ?
22:43 < andrew-ii53> Forwarding is enabled, and I think they can
22:43 < andrew-ii53> I'll double check again
22:43 < andrew-ii53> (it's been... a long confusing round of troubleshooting, and I am forgetting earlier steps)
22:44 < andrew-ii53> ok, yes, 10.100.0.1 can see the 10.8.0.1 - but I don't know if it can see me (my client)
22:45 <@ordex> that was not my question
22:45 <@ordex> my point was if hosts in the 10.100.0.0/24 network have a route towards 1.8.0.0/24
22:45 <@ordex> otherwise where do they send their reply?
22:46 <@ordex> like the host having IP 10.100.0.11
22:46 <@ordex> does it know how to talk to your VPN client ?
22:47 <@ordex> normally you set this up by either doing NAT on the VPN server or by setting up proper routing. it depends on your needs and on what you can do the hosts
22:47 < andrew-ii53> By default it should be sending that traffic to the server that his running OpenVPN. That may explain why it can see 10.8.0.1
22:48 <@ordex> mhh who is 'it' ?
22:48 < andrew-ii53> sorry, 10.100.0.11
22:48 <@ordex> oh ok
22:48 < andrew-ii53> The host I am trying to connect to
22:48 <@ordex> so the openvpn server is also the default gateway for 10.100.0.11?
22:48  * skyroveRR pokes ordex 
22:48 <@ordex> heya skyroveRR
22:48 < skyroveRR> o//
22:48 <@ordex> <o
22:49 < andrew-ii53> The server with OpenVPN is - it's actually a MAAS controller which is the DHCP for the 10.100.0.0/24 subnet
22:49 < andrew-ii53> That subnet is on a different device (bond0) from OpenVPN (tun0)
22:51 <@ordex> that's ok
22:51 < andrew-ii53> It seems like I can reach any IP on the server hosting OpenVPN, but not anything past it
22:51 <@ordex> if the OpenVPN server is also the default gw for 10.100.0.0/24, this makes thing easier
22:51 < skyroveRR> Having routes isn't enough... what do the firewall rules look like?
22:51 < andrew-ii53> It's not the default for any subnet but its own 10.8.0.0/24
22:52 <@ordex> andrew-ii53: yeah that's what we need as that's the network you want to talk to
22:52 <@ordex> if packets still don't flow through then as skyroveRR said, check the firewall
22:52 <@ordex> if it allows that kind of traffic
22:52 <@ordex> and make sure the vpn client has a route towards 10.8.0.0/24 too
22:52 <@ordex> ops I meant towards 10.100.0.0/24
22:53 <@ordex> but i think it has, since you can reach 10.100.0.1
22:53 < andrew-ii53> I think squid is ok, as it lets 10.8.0.0/24 through as well as 10.100.0.0/24
22:53 <@ordex> how is squid related?
22:54 < andrew-ii53> ordex: right, that's the confusing bit - I can hit the gateways (which are all on the same server). There's actually a lot of subnets, but I figure if I can get one I should be set for all
22:54 < andrew-ii53> MAAS uses squid by default
22:54 < andrew-ii53> err, it uses squid as its firewall
22:54 <@ordex> isn't squid a proxy ?
22:55 < andrew-ii53> yes
22:55 < andrew-ii53> huh... one sec, lemme dig the ufw config maybe?
22:55  * ordex is lost
22:55 < andrew-ii53> I actually never ran into a firewall problem yet, so I'm a bit lost too
22:55 < andrew-ii53> I don't have that answer yet
22:56 < andrew-ii53> oh, ufw is inactive
22:57 < andrew-ii53> I don't know of any other firewalls loaded by default on Ubuntu... searching
22:58 < andrew-ii53> Looks like that should probably be the firewall - and it's effectively off.
22:58 <@ordex> have you checked where the packets are stopping when you try to reach 10.100.0.11 ?
22:59 < andrew-ii53> Looks like at 10.8.0.1
22:59 < andrew-ii53> At least from when I run `tracert 10.100.0.11` in Windows
22:59 <@ordex> so on bond0 you see no outgoing traffic for that connection attempt?
23:00 <@ordex> well, that can block for any reason
23:00 < andrew-ii53> Yeah, I was a bit disappointed by that clue diagnostically too
23:00 <@ordex> as a first step you could check if on 10.100.0.11 you see any incoming packet at all from that openvpn client
23:00 < andrew-ii53> do I need to tail the logs on the server for bond0, or can I watch it directly as I try to hit 10.100.0.11?
23:01 <@ordex> you can try to watch packets directly
23:01 <@ordex> that's probably faster
23:01 < andrew-ii53> There's a lot of ways to do that it seems - got a preferred way? Or should I hork it to console?
23:03 <@ordex> I normally just use tcpdump
23:03 < andrew-ii53> tcpdump it is. log files be damned
23:03 < andrew-ii53> haha, ok, I figured I was just being lazy or something
23:03 <@ordex> because you can easily filter for what you are exactly looking for
23:03 < andrew-ii53> seems like the fasted thing
23:03 <@ordex> yap
23:04 <@ordex> how are you testing connectivity ?
23:04 <@ordex> ping ?
23:04 < andrew-ii53> I was, but I also tried tracert
23:04 < andrew-ii53> and, well, wget, since it's supposed to be serving a page
23:05 <@ordex> well, just be consistent with what you filter in tcpdump
23:07 < andrew-ii53> sunova
23:08 < andrew-ii53> Apparently it never gets past tun0. The bond0 device never sees nothin'
23:08 < andrew-ii53> Well. that's a clue I didn't have before. Thanks!
23:08 <@ordex> np
23:08 < andrew-ii53> If that's the case, does that mean I need to bridge the two?
23:08 <@ordex> bridge ?
23:08 < andrew-ii53> Or ... use tap?
23:08 <@ordex> you can't bridge tun
23:09 <@ordex> it's a layer 3 interface
23:09 <@ordex> you can just do bridging
23:09 <@ordex> which is what you have to check to be setup properly
23:09 < andrew-ii53> Right. Everything suggests not to do TAP or bridging
23:09 <@ordex> I guess the server has routes to both networks (otherwise it wouldn't really work I guess)
23:09 <@ordex> are you sure ip_forward is 1 ?
23:09 <@ordex> and are you sure iptables has nothing blocking in the FORWARD chain ?
23:09 < andrew-ii53> I'd like to say yes, but I'ma check again anyhow
23:10 < andrew-ii53> sysctl net.ipv4.ip_forward = 1
23:11 < andrew-ii53> one sec, getting rules
23:11 < andrew-ii53> !paste
23:11 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2)
23:11 <@vpnHelper> paste.ee is also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
23:13 < andrew-ii53> iptables output - https://gist.github.com/null-directory/8411b5de598c92a4f5fbaff52d61a11e
23:13 <@vpnHelper> Title: gist:8411b5de598c92a4f5fbaff52d61a11e · GitHub (at gist.github.com)
23:13 <@ordex> is that the command you run ?
23:14 < andrew-ii53> just to see what the forwarding rules were - wrong thing?
23:14 <@ordex> normally you'd do: iptables -nvL
23:14 < andrew-ii53> One moment
23:14 <@ordex> and it will print the filter table with all its current chains
23:14 <@ordex> because there might be more going on other than your command, so the current status may not be what you expect
23:15 < andrew-ii53> Ok, gist corrected
23:15 < andrew-ii53> I see what you mean.
23:16 < andrew-ii53> I'm obviously playing with about half a deck - I sorta kinda know what stuff might mean, but I seem to be getting snagged on the detail bits a lot
23:16 <@ordex> ok it looks like you don't block anything
23:16 <@ordex> can you paste the output of: 'ip route' and 'ip rule' ?
23:17 < andrew-ii53> Sure - lemme just scrub my public address details
23:21 < andrew-ii53> Sorry for the delay - https://gist.github.com/null-directory/13c3d8038189f0285409450523bb12f5
23:21 <@vpnHelper> Title: ip route and ip rule · GitHub (at gist.github.com)
23:22 <@ordex> mh routes look good
23:23 <@ordex> can you confirm that if you run tcpdumpon tun0 while pinging 10.100.0.11 you see incoming packets while if you move to dumping bon0 you see none?
23:23 <@ordex> (with the same tcpdump filter)
23:23 < andrew-ii53> So not an obvious problem between bond0 (internet), bond1 (internal lans), and tun0 (OpenVPN)?
23:24 < andrew-ii53> ok, one sec, running...
23:24 <@ordex> mh I am wondering what 10.100.0.0/16 via 10.100.0.1 dev bond1.100  scope link
23:24 <@ordex>  is for
23:25 <@ordex> 10.100.0.1 is itself...wondering it that cases any loop ? not sure actually, might just be useless
23:25 < andrew-ii53> So MAAS is serving VLAN ID 100 on that subnet
23:25 <@ordex> MAAS is another host ?
23:26 < andrew-ii53> Where the MAAS gateway is 10.100.0.1
23:26 < andrew-ii53> It's actually the same server
23:26 <@ordex> 10.100.0.1 << isn;t this the VPN server ?
23:26 <@ordex> ah ok
23:26 < andrew-ii53> 10.8.0.1 is OpenVPN
23:26 <@ordex> that's why I am saying why having a route that specified itself as nexthop
23:26 < andrew-ii53> sorry, it's sort of a hairy mess, I'm starting to think
23:26 <@ordex> :D
23:26 < andrew-ii53> huh
23:27 < andrew-ii53> I honestly don't know how to approach that question. I mean, it's sort of obvious, right? Why would I need to specify the other bonded pair of NICs as the route
23:28 < andrew-ii53> but I though MAAS was essentially isolated - controlling the whole MAAS network fabric on its own
23:28 < andrew-ii53> I think those routes are set up by MAAS automatically
23:28 <@ordex> ah maybe
23:29 <@ordex> btw the network you are tyring to talk to is on bond1 not on bond0
23:29 <@ordex> did you tcpdump bond1?
23:29 < andrew-ii53> Yeah, I just sorta noticed  that
23:29 < andrew-ii53> Just redid all of 'em, and it's still only showing on tun0
23:29 <@ordex> actually it's bond1.100 but bon1 should show the packet too
23:29 <@ordex> ok
23:30 <@ordex> how are you filtering on bond1 ?
23:30 < andrew-ii53> point - one sec
23:30 <@ordex> by source IP ?
23:30 <@ordex> did you configure MASQUERADING ?
23:30 <@ordex> in that case the IP would change
23:30 < andrew-ii53> It looks like MASQUERADE is not configured this time, but I do have that in my notes
23:31 < andrew-ii53> So at one point, I thought I needed it
23:31 < andrew-ii53> one moment, checking my logs
23:31 <@ordex> well, not strictly required if both networks know each other
23:32 < andrew-ii53> Yeah, I do that for bond0
23:32 < andrew-ii53> one sec
23:33 < andrew-ii53> https://gist.github.com/null-directory/bd697950cb63b3fedde23cf2c8087746
23:33 <@vpnHelper> Title: initial rules on start · GitHub (at gist.github.com)
23:33 < andrew-ii53> I do set MASQUERADE for bond0
23:33 < andrew-ii53> So, and this may be a face palm moment for you ordex, but should I set that for tun0 as well?
23:34 <@ordex> it depends, as I Said above this is not required if both networks know about each other
23:34 < andrew-ii53> Where I replace bond0 with tun0?
23:34 <@ordex> right now packets are not getting through
23:34 <@ordex> it's not about masquerading or not
23:34 < andrew-ii53> o
23:35 < andrew-ii53> would the forwarding rules also apply, though?
23:35 <@ordex> can you run tcpdump with '-i any' and filter for the icmp packet type and see where it is going ? if anywhere ?
23:35 <@ordex> forwarding is all ACCEPT
23:36 <@ordex> so everything is passing through right now, no drop is applied
23:36 < andrew-ii53> sure, running
23:39 < andrew-ii53> results for tcpdump - https://gist.github.com/null-directory/781ab38a61cc1f057866a3db79ebe0e7
23:39 <@vpnHelper> Title: tracert 10.100.0.11 with tcpdump any icmp · GitHub (at gist.github.com)
23:41 <@ordex> uhm
23:41 <@ordex> weird
23:41 < andrew-ii53> 10.8.0.2 is me, if that wasn't clear
23:42 <@ordex> yeah
23:42 < andrew-ii53> Seems like 10.8.0.1 just has no idea how to talk to 10.100.0.0/24
23:42 <@ordex> not sure what's blocking the packet at this point
23:42 <@ordex> yeah
23:42 < andrew-ii53> so... I guess I just need to fix that
23:43 <@ordex> but you can ping 10.100.0.11 from the vpn server, right ?
23:43 < andrew-ii53> I mean, that's actually an improvemtn
23:43 < andrew-ii53> If I am ssh'd into the server, yes
23:43 <@ordex> yeah
23:43 <@ordex> so the server knows how to reach that host (we have seen the route in ip route)
23:43 <@ordex> weird that packets just get blocked. seems like there is something else
23:43 <@ordex> btw
23:44 <@ordex> "sysctl net.ipv4.ip_forward = 1" << how did you get this?
23:44 <@ordex> what did you run ?
23:44 < andrew-ii53> just that
23:44 < andrew-ii53> I mean, without the = 1
23:44 <@ordex> if you run "sysctl -a | grep net.ipv4.ip_forward" what do you get?
23:44 <@ordex> ah ok
23:44 < andrew-ii53> `sudo sysctl net.ipv4.ip_forward
23:44 < andrew-ii53> ` from my history
23:45 <@ordex> ok, and you got =1
23:45 <@ordex> ok that makes sense
23:45 < andrew-ii53> Right. Sorry. Sorta core dumped there
23:46 < andrew-ii53> Ok, I'll resume troubleshooting later, focusing on getting the subnets connected
23:47 < andrew-ii53> because I doubt this is the only issue
23:47 < andrew-ii53> Thanks a million ordex - you've ruled a huge amount of stuff out for me
23:48 <@ordex> np
23:48 < andrew-ii53> Sleep well!
23:51 <@ordex> you bet, although I just got up!
23:51 <@ordex> :D
--- Day changed Mon Oct 30 2017
00:31 < aib> Hmm, why do I have split routes for 0.0.0.0/1 and 128.0.0.0/1? https://pastebin.com/mtn52mxT
00:35 < aib> ah never mind https://serverfault.com/questions/312860/why-openvpn-use-network-0-0-0-0-netmask-128-0-0-0-as-default-route
00:35 <@vpnHelper> Title: networking - Why Openvpn use network 0.0.0.0 netmask 128.0.0.0 as default route? - Server Fault (at serverfault.com)
00:41 < aib> okay, how can I get the server to push a default route?
00:51 < aib> hmm, push redirect-gateway almost works but the client destroys the existing default route
00:58 < aib> not only does it delete my default route, it fails to restore it, breaking my whole damn internet connection.. nice going
00:58 < aib> who ever thought deleting the default route was a good idea?!?
01:03 < aib> !goal
01:03 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:03 < aib> !welcome
01:03 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind
01:03 <@vpnHelper> openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
01:03 < aib> !bug
01:04 < aib> !1925
01:04 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
01:04 <@ordex> aib: the def1 flag is there to exactly avoid removing the default route
01:05 <@ordex> but to make it work, it must create two routes 0.0.0.0/1 and 128.0.0.0/1
01:05 <@ordex> what's the problem with having those two ?
01:05 <@ordex> and it's weird it fails to restore the default route anyway. that should work
01:06 < aib> ordex: it downgrades to nobody/nogroup. that's probably why it fails to restore the route
01:06 <@ordex> sure thing
01:06 <@ordex> there is a plugin to workaround that, though but i never used it
01:06 <@ordex> another trick consists in using a combination of scripts with sudo
01:06 < aib> but in any case I want it too add a default tun0 route. not 0/1 128/1 and not delete my existing route
01:07 < aib> s/too/to
01:07 <@ordex> 0/1 + 128/1 == default
01:07 < aib> then by default I mean 0.0.0.0/0
01:07 <@ordex> 0/1 + 128/1 = 0/0
01:08 < aib> I want it to add 0.0.0.0/0 and not 128.0.0.0/1 + 0.0.0.0/1. And I want it to do this without deleting my existing route, which makes no sense
01:08 <@ordex> it's the same thing. it just takes higher priority because more specific
01:08 <@ordex> if you do not delete your current default, which default route should a packet take?
01:08 < aib> it's two entries. it's two entries I need to manage if I want to manage it manually
01:08 < aib> why the one with the lower metric, of course
01:08 < aib> that's what the metric is for
01:09 <@ordex> right
01:09 <@ordex> on linux
01:09 <@ordex> I think this does not work well everywhere that's probably why it got implemented this way
01:09 <@ordex> don't ask me why
01:09 < aib> it's been a while since I've used Windows, but I think metric worked there, too
01:09 <@ordex> no clue honestly
01:09 < aib> the only problem being, of course, that all the metrics are set to the same number by default
01:10 < aib> yep, that's what I guessed. having two default routes messed someone's configuration up and they first went with deleting the default route
01:10 <@ordex> and I think the redirect-gateway option does not have a metric argument
01:11 < aib> I can't use redirect-gateway anyway, it deletes my default route
01:11 <@ordex> dunno, it ha sbeen like that since I first looked at openvpn .. and the def1 behaviour seemed good enough to not care about the rest
01:11 <@ordex> if you specify def1 it does not, but then you end up with two routes, as we said
01:11 <@ordex> maybe you can setup a default route manually with the 'route' command ?
01:11 <@ordex> have you tried?
01:11 <@ordex> --route option I meant
01:11 < aib> yeah I've been using openvpn for a long while and this stuff never came up, it just works
01:12 <@ordex> yeah, what changed now that this became a problem?
01:12 < aib> oh yes, there are workarounds. that's what I'm doing right now, manually adding the route
01:12 < aib> in fact, adding --route 0.0.0.0 0.0.0.0 works as well
01:13 <@ordex> yeah that's what I guessed
01:13 < aib> I just started needing to change my default route often
01:13 <@ordex> ah I see
01:13 <@ordex> so you want to manually handle it ?
01:13 <@ordex> (I mean the switch)
01:14 < aib> yep - route add default tun0 / route del default tun0
01:14 <@ordex> yeah
01:14 < aib> and I haven't noticed def1 before --I upgraded the server to 2.4 last week-- maybe it wasn't there
01:14 <@ordex> well, since you are going to deal with the default route manually, I think it makes sense that you also (somehow) override the automatic openvpn behaviour
01:15 <@ordex> and set it up yourself with --route or in a script
01:15 < aib> yep, that makes sense as well
01:16 <@ordex> patching the gateway-redirect command to have a metric and other sort of flags is definitely doable .. but it's probably better to handle such custom cases manually
01:16 <@ordex> because there will always be another strange case to handle otherwise :)
01:16 < aib> but the route non-restoring bit needs to be reported, I think, to at least be documented more loudly
01:17 < aib> There is a similar report at https://community.openvpn.net/openvpn/ticket/778
01:17 <@vpnHelper> Title: #778 (Routes changed by --redirect gatway not re-instated on exit if interactive service is in use) – OpenVPN Community (at community.openvpn.net)
01:18 < aib> (yeah, I would have started working on a patch myself if I knew what behavior would be sensible)
01:18 <@ordex> aib: yeah, but i think that's more related to that specific usage with the interactive interface
01:18 <@ordex> aib: is the route the same when openvpn exits ? or it includes a different GW ?
01:18 <@ordex> because you said it could switch
01:19 < aib> let me check real quick (I'm on a bouncer so I won't disconnect)
01:23 < aib> https://pastebin.com/JzZ5t1rt
01:24 < aib> anyway, as I was saying, I'd be happy to submit a patch myself but I don't know whether this is considered a bug
01:25 < aib> and in any case, I need to learn more about the rationale. I assume openvpn simply used to add a default route. then because of the metric clash, it started deleting the existing route. then someone came up with the def1 workaround to keep the old default route
01:26 <@ordex> honestly I don't know when the default route was kept
01:26 <@ordex> I have never seen that behaviour (but I am relatively new)
01:27 < aib> I think redirect-gateway needs a keep-old-default-route option. (It's more sensible for it to have a delete-old-default-route option, but that would not be backwards compatible)
01:28 <@ordex> you could implement a metric flag that, if specified, adds the default with that metric and keeps the current default
01:28 <@ordex> but not sure when that would be useful, other than the case of "I don't like having two entries"
01:29 <@ordex> and you can already do that with the --route command, as we agreed earlier
01:29 <@ordex> because --route takes a metric argument
01:31 <@ordex> so rather than redirect-gateway (which it's some sort of automated logic for particular cases) you can just do --route 0.0.0.0 0.0.0.0 vpn_gateway $your_metric_here
01:32 < aib> well, the def1 solution is hacky. and I presume it would be just as problematic when there are two VPN connections. (or would we use 0/2 64/2 128/2 192/2 routes instead?)
01:33 < aib> but yes, adding a 'metric' argument which also prevents the deletion would be great
01:33 <@ordex> nope it does not try to outsmart you. it only tried to provide an easy switch for simple setups
01:33 <@ordex> aib: but then why not just using the --route option if that already works the way you want?
01:33 < aib> (which has worked great for me for years)
01:34 < aib> oh I have resigned to just using --route alright
01:35 <@ordex> it's simply because making the redirect-gateway command more complex (it already is inside) to mimic an option that is already avaiable feels a bit weird
01:35 <@ordex> but this is just my personal opinion eh :) you can still propose your patch if you want
01:35 < aib> it's client-side and it requires route-nopull. I just hope I don't have to push any routes in the future
01:35 <@ordex> why does it requires that ?
01:36 <@ordex> and you can also push it if you want, no ?
01:36 < aib> because pushing and pulling routes causes the default to be deleted?
01:36 <@ordex> you mean the default route?
01:37 < aib> hmm wait, I never tried *replacing* redirect-gateway with a server-side route command
01:37 <@ordex> yeah, that can be done too
01:38 <@ordex> just make sure no client is using its own redirect-gateway
01:38 <@ordex> otherwise they are gonna fight with each other :P
01:43 < aib> ah, okay, no default route is added unless I push redirect-gateway
01:43 < aib> okay, simply pushing route 0/0 instead of redirect-gateway solves it
01:46 < aib> (and is a reasonable alternative.) sorry, I somehow thought redirect-gateway was mandatory
01:48 < aib> I like OpenVPN even better now!
01:51 <@ordex> :D
01:51 <@ordex> flexibility is the keyword!
01:51 <@ordex> :D
02:05 < yute> !welcome
02:05 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
02:05 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
02:23 < olerem> hallo all, are there any good/up-todate openvpn client for android?
02:23 <+hyper_ch> there's openvpn connedct and the other one
02:25 < olerem> hyper_ch: the openvpn connect was updatet in 26. Mai 2016
02:25 <+hyper_ch> so how much more up-to-date do you want it to be? did anything significant change since then?
02:27 < olerem> hyper_ch: no idea. security/stablity fixes?
02:27 <+hyper_ch> and OpenVPN for Android
02:28 <+hyper_ch> btw, you're using android... you really complain about security issues in openvpn?
02:30 < olerem> hyper_ch: depends on the thread model. In this case if i see CVE list for OpenVPN, i fear it is the weackest part in the chain
02:32 <+hyper_ch> also openvpn for android?
02:32 <+hyper_ch> Updated
02:32 <+hyper_ch> June 26, 2017
02:33 <+hyper_ch> that seems rather current
02:33 < olerem> https://play.google.com/store/apps/details?id=net.openvpn.openvpn ?
02:34 <+hyper_ch> https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en
02:34 < olerem> is it provided by one of openvpn devs?
02:34 <+hyper_ch> arne schwabe is one of the openvpn devs
02:35 < olerem> ok, thanks!
02:35 <+hyper_ch> I think
02:35 <+hyper_ch> https://community.openvpn.net/openvpn/wiki/TesterDocumentation#SourceforOpenVPNforAndroid
02:35 <@vpnHelper> Title: TesterDocumentation – OpenVPN Community (at community.openvpn.net)
02:35 <+hyper_ch> they link to https://github.com/schwabe/ics-openvpn
02:35 <@vpnHelper> Title: GitHub - schwabe/ics-openvpn: OpenVPN for Android (at github.com)
02:37 <+hyper_ch> it will be interesting when librem phone getsa available
02:37 < olerem> hyper_ch: i would love to have one. especially we do lots of development for imx6
02:38 < olerem> this phone will use imx6, so far i know
02:39 <+hyper_ch> there's only one app that I totally need that I can't seem to get on Librem
02:40 < olerem> there is olways "one app" :D
02:40 <+hyper_ch> blitzer.de :)
02:42 < olerem> cool app
02:43 <+hyper_ch> saved me a few times
02:43 <+hyper_ch> not that I'm speeding on purpose but if you just follow the flow or sometimes don't see a signal...
02:49 <+hyper_ch> e.g. when I drive towards the city and leave town, there's a "steep" slope going down on the road
02:49 <+hyper_ch> even with cruise control activated at 50km/h you usually end up at like 60km/h... it's not dangerous at all there.. it's just considered "still in town" hence no higher speed limit
02:50 <+hyper_ch> sometimes they just like to setup a radars at the bottom to catch unattentive drivers
02:50 <+hyper_ch> a lot of those radars are just to make money IMHO
03:12 -!- LocaMocha is now known as Sauvin
03:25 -!- zvirbliukas1 is now known as zvirbliukas
05:35 -!- zvirbliukas1 is now known as zvirbliukas
06:17 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
06:17 -!- mode/#openvpn [+o dazo] by ChanServ
06:26 -!- zvirbliukas1 is now known as zvirbliukas
07:06 -!- esde [a5e37d5b@openvpn/user/esde] has quit [Ping timeout: 260 seconds]
07:15 -!- zvirbliukas1 is now known as zvirbliukas
07:38 < baconology> greetings
07:38 < baconology> i used the flowchart as described and have discovered that i need to add a route to the server to route between eth0 and tun0
07:38 < baconology> and the literature suggests i should push this to clients (somehow)
07:38 < baconology> these will be windows clients
07:39 < baconology> i am in the middle of googling but if you have any specific advice i would apprecaite it.   i saw i need to uncomment ipv4_forward_ip = 1 in /etc/sysctl.conf
07:51 < Amethystra> Hi is anyone around to help with a problem please?
07:51 -!- abenz_ is now known as abenz
07:54 < Amethystra> I can't get my OpenVPN client to connect as it won't recognise the key files are there
07:55 <@ordex> Amethystra: could you provide the client log to better understand the issue?
07:55 <@ordex> !logs
07:55 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
07:55 <@ordex> baconology: are you talking about VPN clients?
07:56 <@ordex> baconology: in that case you can push routes with --push 'route ..'
07:57 < Amethystra> verb set to 4?
07:57 <@ordex> that would be better
07:58 <@ordex> it refers to --verb in the config
08:02 -!- zvirbliukas1 is now known as zvirbliukas
08:10 < Amethystra> ok call me thick but I'm confused. What do you want me to do with my client log?
08:11 < Amethystra> (sorry stepped away from my computer for a few mins)
08:12 < Amethystra> do you want me to just copy & paste the log text?
08:15 <@ordex> !paste
08:15 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
08:15 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
08:15 <@ordex> you can paste it in one of the online service
08:15 <@ordex> s
08:15 <@ordex> so we can have a look at it
08:17 < Amethystra> ok here you go: https://gist.github.com/anonymous/1e47428fb46fa111c783d73f391f414c
08:18 <@vpnHelper> Title: My OpenVPN client log · GitHub (at gist.github.com)
08:18 < ^7heo> Okay, I wanted to setup a VPN server today
08:18 < ^7heo> and quickly use it
08:19 < ^7heo> turns out I probably have followed the wrong directions and whatnot
08:19 < ^7heo> now I get: VERIFY KU ERROR when connecting
08:19 <@ordex> Amethystra: what client version are you using and on what operating system ?
08:19 < ^7heo> and TLS_ERROR: BIO read tls_read_plaintext error
08:19 < ^7heo> I'm not sure I put the right data at the right places.
08:19 < ^7heo> for example, I was missing the ca.crt
08:19 <@ordex> ^7heo: sounds like something is wrong with your keys, but the longer log is required
08:19 <@ordex> !logs
08:19 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
08:20 < ^7heo> yeah I used --verb 11
08:20 < ^7heo> after reading the help
08:20 < ^7heo> but it doesn't change the output at all
08:20 < Amethystra> OpenVPN GUI v11.9.0.0 on Windows 10
08:21 <@ordex> Amethystra: how about specifying the full path to those files in the config? I guess the openvpn process is not finding them as they are not where it expects
08:22 <@ordex> ^7heo: 11 is way too much .. could you upload the client log with verb 4 somewhere ?
08:23 < ^7heo> ordex: I have no clue where the log is to start with. I expected it on stderr.
08:23 < ^7heo> I suppose openvpn magically creates a file somewhere?
08:24 < ^7heo> I assume in /var/log ?
08:24 < Amethystra> ordex the files are EXACTLY where they expect
08:24 < ^7heo> no, I expect them on stderr
08:24 < ^7heo> and I'm not ordex
08:24 <@ordex> ^7heo: if you configure a log file with --log then it will log there, otherwise, yes, on stderr
08:24 <@ordex> ^7heo: I think he was talking to me :D
08:25 < ^7heo> ok I see :D
08:25 < Amethystra> 7heo I  was talking to ordex
08:25 <@ordex> Amethystra: Amethystra how do you start openvpn ?
08:25  * ordex has no big windows experience
08:25 < ^7heo> ordex: ok so the --verb flag does not change anything on stderr
08:25 < Amethystra> as administrator
08:25 <@ordex> but I can only say that the path in the config is relative to where openvpn is being started and on windows I don't know where that happens
08:25 < Amethystra> by right clicking
08:25 <@ordex> therefore specifying the full path should avoid any ambiguity
08:26 <@ordex> ^7heo: if the log is going to stderr, then it will increase the verbodity on stderr
08:26 <@ordex> ^7heo: if you have a --log entry, then it will be more verbose in the file
08:26 < Amethystra> openvpn on windows looks for the keys to be in the keys folder which you paste into program files/openvpn/config
08:26 < ^7heo> ordex: what I have in /var/log/openvpn.log
08:26 < ^7heo> ordex: is essentially one line; complaining about the lack of the diffie-hellman file
08:26 <@ordex> Amethystra: no clue then, I have never used openvpn on windows. using the full path was just an attempt to see if that is the problem or if there is something else
08:26 < Amethystra> while the client.ovpn file sits inb the config folder seperately
08:27 <@ordex> ^7heo: ah, on the server
08:27 <@ordex> ^7heo: then fix that :)
08:27 < ^7heo> ordex: nah I'm configuring the client
08:27 < ^7heo> wait, lemme check the timestamp of that log
08:27 < Amethystra> are there other admins about who do know how to use the client on Windows?
08:27 < ^7heo> yep today
08:27 < ^7heo> so what's it
08:27 < ^7heo> is my client mad?
08:27 < ^7heo> and thinking it's a server?
08:27 <@ordex> ^7heo: --dh is only for the server
08:27 < ^7heo> I see.
08:28 < ^7heo> I have the diffie-hellman key there
08:28 < ^7heo> it's setup properly.
08:28 <@ordex> the client should not ask for dh parameters
08:28 < Amethystra> For what it's worth I also run openvpn via android app on both my tablet and my phone and have similar issues on my phone but on tablet it works fine
08:28 < ^7heo> ordex: damn
08:28 <@ordex> can you paste the client config that you are currently using ?
08:28 < ^7heo> minus the IP addresses, yes.
08:31 < ^7heo> ordex: http://ix.io/BRQ
08:31 < Amethystra> hello?
08:32 <@ordex> ^7heo: can you set verb to 4 and run "openvpn $that_config_file.conf" and paste the output somewhere ?
08:34 <@ordex> I am assuming config and key/cert/ca are in the same folder where you will launch the process from
08:36 < ^7heo> ordex: yes they are
08:36 < ^7heo> but since I just grokked what the ca.crt should be
08:36 < ^7heo> I just took the cacert.pem from the server
08:36 < ^7heo> and renamed it ca.crt
08:37 < ^7heo> not sure if it's what openvpn is expecting.
08:38 <@ordex> assuming that cacert.pem is the CA certificate that issued server and client certs, thn everything is ok
08:38 < ^7heo> well, it has a plaintext description of what the cert is
08:38 < ^7heo> followed by a base64 binary block
08:39 <@ordex> yeah
08:40 <@ordex> how about running openvpn like I suggested above? :P
08:40 < ^7heo> yeah
08:40 -!- zvirbliukas1 is now known as zvirbliukas
08:41 < Amethystra> so is there no one around who is familiar with openvpn on Windows?
08:41 < ^7heo> ooooh nice
08:41 < ^7heo> so --verb does NOT take priority over the settings in the file
08:41 < ^7heo> that was... unexpected
08:44 < Amethystra> ordex?
08:44 <@ordex> ^7heo: run 'openvpn --config $configfile.conf --verb 4'
08:44 <@ordex> it processes sequentially
08:45 <@ordex> or change the config
08:45 <@ordex> Amethystra: yeah?
08:45 < Amethystra> so is there no one around who is familiar with openvpn on Windows?
08:45 <@ordex> Amethystra: another strategy to avoid problems with the keys is to embed them inthe config file directly and avoid hassles at all
08:45 <@ordex> dunno
08:46 < Amethystra> I don't know how to do that
08:46 < Amethystra> and this isn't a problem I've had before
08:48 < DArqueBishop> Amethystra:
08:48 < DArqueBishop> !inline
08:48 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
08:49 < Amethystra> does it matter that I used the 2.4 install?
08:49 < DArqueBishop> FYI - I use OpenVPN on Windows and I've always put the cert/key files in C:\Program Files\OpenVPN\config.
08:49 < DArqueBishop> No.
08:50 < Amethystra> yup that's where my cert/key files are
08:50 < Amethystra> ok
08:50 < DArqueBishop> Then again, I've used inline files for a while now.
08:51 < Amethystra> puting the files in the config folder has always worked before but for some reason not on this laptop
09:01 <@ordex> ^7heo: ?
09:02 < Amethystra> ok that's truly weird, on a whim I just tried changing the path in the OpenVPN settings fromt he config folder to the folder I downloaded the keys & ovpn file into....my openvpn is now connected!
09:02 < Amethystra> *from the
09:02 < Amethystra> wtf?!
09:23 < ^7heo> sorry ordex
09:23 < ^7heo> watching the IT crowd at the same time
09:23 < ^7heo> I'm not the most reactive right now
09:23 < ^7heo> anyway, what does "Certificate does not have key usage extension" mean?
09:23 <@ordex> when does it appear exactly?
09:23 <@ordex> when checking the server certificate ?
09:24 < ^7heo> right before the VERIFY KU ERROR
09:24 <@ordex> probably because your server certificate has no the key usage extension
09:24 <@ordex> but you have instructed your client to check for it
09:24 <@ordex> it's the tls-verify thing in your config
09:24 < ^7heo> before that, I get a VERIFY OK
09:24 < ^7heo> so I suppose it's the client
09:25 <@ordex> you can't use tls-verify if your certificates do not have the key usage extension
09:25 < ^7heo> okay
09:26 < ^7heo> that's nice :)
09:26 < ^7heo> but I don't have the tls-verify option in the config file
09:27 <@ordex> remote-cert-tls server
09:27 <@ordex> remote-cert-tls server
09:27 <@ordex> this thing here
09:27 <@ordex> sorry, I assume you read the manpage :P and I don't recall all the options by heart
09:28 < ^7heo> I did not read the manpage
09:28 < ^7heo> this is my day off
09:28 <@ordex> hehe
09:28 < ^7heo> I'm kinda trying to make it fall in order
09:28 < ^7heo> without putting too much effort in it
09:28 <@ordex> well, it's 11pm here and I won't put much effort than you :P
09:28 < ^7heo> and I'm kinda sorry I'm relying on your assistance for that
09:28 < ^7heo> right
09:28 < ^7heo> :D
09:28 <@ordex> :D
09:28 < ^7heo> but also IT crowd here
09:28 < ^7heo> "what kind of operating system does it use?"
09:28 < ^7heo> "vista"
09:28 < ^7heo> "we're going to die!"
09:29 < ^7heo> anyway
09:29 < baconology> !routing
09:29 < ^7heo> ok now it crashes more
09:29 < a1fa> hey is there a way to dump server certificate by a non-patched client
09:30 < ^7heo> but at least I'm past the verification problem
09:30 < a1fa> (openvpn ticket: 458)
09:30 <@ordex> :D
09:31 < ^7heo> now I get some problem with the routes that I push from the router
09:31 < ^7heo> not sure how this goes, let's see.
09:32 < ^7heo> so the MTU is inconsistent
09:32 < ^7heo> also, is BF-CBC okay as a cipher?
09:32 < a1fa> no
09:33 < a1fa> jesus
09:33  * ordex sets everything on fire and runs away
09:34 < ^7heo> ordex: that's why I woke up at 8:30 and rushed to the office to powercycle a router on a day off
09:34 < ^7heo> ordex: please don't :D
09:34 < baconology> is there a way to reroute traffic from my local subnet to the tun0 interface without playing with iptables directly?
09:35 < ^7heo> yeah, by using something else than iptables to manipulate iptables
09:35 < ^7heo> :D
09:36 < ^7heo> ordex: looks like the server isn't really configured properly.
09:36 < ^7heo> meh, I'll do it in a proper ticket, during a proper working day
09:36 < ^7heo> that's not just working
09:36 < ^7heo> =/
09:37 < rob0> baconology, describe in non-technical terms what you mean by that, what you hope to accomplish.
09:37 < rob0> "reroute from local to tun0"?
09:38 < baconology> i connect OK, i can ping the vpn server from the windows client
09:38 < baconology> but i can't see anything on my private work subnet
09:38 < baconology> i used a flowsheet som eone provided here
09:38 < baconology> http://www.ircpimps.org/serverlan.png
09:38 < rob0> so, you want to access a client-side LAN?
09:39 < rob0> or server-side?
09:39 < baconology> no no
09:39 < baconology> server-side lan
09:39 < baconology> i want the clients to be able to access server side lan resources
09:39 < baconology> including a samba server
09:39 < baconology> i am stuck at the first part of the flowsheet
09:39 < rob0> and where did you get stuck on the flowchart?
09:39 < baconology> so yes i can ping the vpn IP of the server
09:39 < baconology> but it clearly says "ROUTE"
09:40 < baconology> but i am looking for more detailed reading on this topic instead of doing things without understanding
09:40 < baconology> is there a guide that covers this portion of the configuration?
09:40 < rob0> !route
09:40 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
09:40 <@ordex> !bibble
09:41 <@ordex> sorry, it's late here :-P
09:41 < baconology> ah it was !route not ~routing
09:41 < baconology> thanks
09:41 < rob0> yw
10:16 < baconology> what do i need to do to eanble ip forwarding with the windows client
10:16 < baconology> i know wher to set it in my server conf
10:16 < baconology> does the windows client handle this?
10:17 <@ordex> the client does not know what the server is doing, so it does not need to be setup for that (it only needs to send the traffic to the server)
10:33 < DArqueBishop> !ipforward
10:33 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
10:35 <@ordex> !dazo
10:35 <@vpnHelper> "dazo" is The project name krzee always forgets .... eurephia ... http://www.eurephia.net/
10:42 -!- zvirbliukas1 is now known as zvirbliukas
10:59 < baconology> i am gettinga little lost on routing
11:00 < baconology> so here's what im trying to do
11:00 < baconology> https://puu.sh/yaJG7/0af310e87a.png
11:00 < baconology> does https://secure-computing.net/wiki/index.php/OpenVPN/Routing still apply to me?
11:00 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at secure-computing.net)
11:01 < baconology> now i dont know the IP's that my clients will have
11:02 < baconology> so I am confused over the applicability of this FAQ
11:02 < baconology> !winipforward
11:02 <@vpnHelper> "winipforward" is (#1) reboot after enabling it, or (#2) https://support.microsoft.com/EN-US/kb/230082 to enable ip forwarding on windows
11:03 < baconology> must i do this on al lthe windows clients?
11:03 < baconology> man i need a openvpn for dummies on this toipc
11:04 < baconology> https://openvpn.net/index.php/open-source/documentation/howto.html#scope
11:04 <@vpnHelper> Title: HOWTO (at openvpn.net)
11:04 < DArqueBishop> !serverlan
11:04 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
11:04 < baconology> i think i finally found something that is at my level :)
11:09 < baconology> so i need to add push "route 192.168.0.0 255.255.255.0" to my /etc/samba/smb.conf, i believe
11:10 < rob0> that looks like openvpn syntax, not smb.conf(5) syntax
11:12 < baconology> er fu**
11:12 < baconology> sorry
11:12 < baconology> hahaha
11:12 < baconology> i am in the wrong conf
11:18 < baconology> alrite so that was one line, awesome
11:20 < baconology> so i dont know what to do next... do i need to do anything to the actual client configs?
11:20 < baconology> or should that do it?
11:21 < baconology> is there any reason for me to want to push dns?
11:22 < baconology> besides being able to resolve network entities by name?
11:22 < baconology> if i've got samba mapped to windows via UNC path using an IP, then, i should be good?
11:24 < baconology> IOT WORKS
11:24 < baconology> hahahahaha
11:24 < baconology> you guys are great!!!!
11:24 < baconology> as usual1
11:24 < baconology> thanks!!!
11:51 < MacGyver> Huh.
11:51 < MacGyver> Happy to rubberduck, you're welcome.
11:55 < kishmesh> when posting message to openbsd mailinglists, how should one include logs? email attachments or links to some pastbin?
11:56 < kishmesh> pastebin
11:56 < kishmesh> wrong channel sorry.
12:40 < Kniaz> Hi. I just upgraded debian 8 to debian 9 where my openvpn server is running. I just connected from my windows openvpn client, it connected fine, but it seems like the internet is not working after I connect with a client.
12:40 <+hyper_ch> !configs
12:40 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
12:43 < Kniaz> server.conf https://apaste.info/DVFd
12:47 < rob0> !redirect
12:47 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
12:47 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
12:47 < Kniaz> client conf https://apaste.info/anND
12:50 < Kniaz> rob0: all of that was set up before debian release upgrade
12:53 < rob0> how far did you get on the flowchart?
12:56 < Kniaz> rob0: at the second step, where I can ping the vpn ip of the server, but cannot ping 8.8.8.8
12:58 < Kniaz> !def1
12:58 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
12:59 < Kniaz> !ipforward
12:59 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
12:59 < skyroveRR> !osxipforward
12:59 <@vpnHelper> "osxipforward" is (#1) sysctl -w net.inet.ip.forwarding=1 for a temp solution, or (#2) add IPFORWARDING=-YES- in /etc/hostconfig for a permanent solution
12:59 < skyroveRR> !winipforward
12:59 <@vpnHelper> "winipforward" is (#1) reboot after enabling it, or (#2) https://support.microsoft.com/EN-US/kb/230082 to enable ip forwarding on windows
13:00 < skyroveRR> Interesting.
13:02 < Kniaz> rob0: looks like forwarding is enabled https://apaste.info/FSwB
13:34 -!- abenz_ is now known as abenz
14:10 < NEOhidra> Client: HexChat 2.12.4 • OS: Ubuntu "artful" 17.10 • CPU: Intel(R) Core(TM) i5 CPU       M 480  @ 2.67GHz (2,66GHz) • Memory: Physical: 5,4 GiB Total (1,7 GiB Free) Swap: 5,5 GiB Total (5,5 GiB Free) • Storage: 16,0 GB / 107,0 GB (91,0 GB Free) • VGA: Intel Corporation Core Processor Integrated Graphics Controller @ Intel Corporation 1st Generation Core i3/5/7 Processor Reserved • Uptime: 51m 39s
14:51 -!- abenz_ is now known as abenz
14:51 < Cobra84> hi
14:52 < Cobra84> Mon Oct 30 20:26:59 2017 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1602'
14:52 < Cobra84> Mon Oct 30 20:26:59 2017 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
14:52 < Cobra84> Mon Oct 30 20:26:59 2017 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
14:52 < Cobra84> what does it mean?
14:55 < Cobra84> ???
14:56 < DArqueBishop> Cobra84: it means that in all three cases, the client and the server have different settings.
17:15 -!- abenz_ is now known as abenz
20:08 -!- pekster [~rewt@openvpn/community/developer/pekster] has quit [Ping timeout: 248 seconds]
20:16 -!- pekster [~rewt@openvpn/community/developer/pekster] has joined #openvpn
20:16 -!- mode/#openvpn [+o pekster] by ChanServ
20:24  * russell--- is having trouble with the openvpn-mbedtls client in lede-project interoperating with an existing openvpn server, the openvpn-openssl client works fine, it isn't clear what is wrong.  the openvpn server (on x86_64) says "VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=myclient"
20:25 <@ordex> russell---: are you using exactly the same certs for the two clients?
20:25 < russell---> yes
20:26 < russell---> nothing changed except the version of openvpn on the client end
20:26 < russell---> or, rather, the ssl library bindings or whatever
20:28 < russell---> the server end is on an archlinux box, pacman -Qe | grep openvpn says: "openvpn 2.4.4-1"
20:37 < russell---> i found the line in src/openvpn/ssl_verify_openssl.c with a comment above that says: /* Remote site specified a certificate, but it's not correct */
20:44 < russell---> beyond that, i don't know what's wrong
20:47 < russell---> oh, there is also this:
20:47 < russell---> OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
20:47 < russell---> TLS_ERROR: BIO read tls_read_plaintext error
20:48 < russell---> TLS Error: TLS object -> incoming plaintext read error
20:51 <@ordex> yeah that's the generic error saying that the cert verification failed, but the reason is usually above or on a lower level
20:54 < getsetgo> hello
20:54 < getsetgo> Hello! Question: I followed the instructions on https://riseup.net/en/vpn/vpn-red/linux under the Command Line header, to configure OpenVPN and such. Just ran it with sudo openvpn riseup.ovpn. Is there anything else I need to do?
20:54 <@vpnHelper> Title: GNU/Linux - riseup.net (at riseup.net)
20:56 < getsetgo> Or, better question, what is a way to confirm the VPN is running properly? Some "what is my IP" sites still list my actual IP/location, while others say I'm in Washington or Virginia.
21:37 < russell---> ordex: is there a way to not-have-to-guess what the problem is?
21:39 <@ordex> increase verb and post the log :P
21:39 <@ordex> not sure to be honest
21:39 <@ordex> openssl is not very friendly in this
21:39 <@ordex> but I think "unable to get local issuer certificat" is already quite specific, but I have no idea what it means, maybe syzzer can help
21:47 < russell---> ordex: SSL alert (write): fatal: unknown CA
21:47 < russell---> this rings a bell
21:47 <@ordex> yeah
21:47 <@ordex> that's the missing issuer
21:47 <@ordex> that it can't verify
21:47 <@ordex> tjhat's why I asked if the certificate is the same for both clients
21:48 <@ordex> because I don't see why it would work one time but not the other
21:48 <@ordex> btw, the log you are showing is on the server, right ?
21:48 < russell---> yes
21:48 <@ordex> ok
21:48 < russell---> so, i used easy-rsa3 and created a sub-ca
21:49 < russell---> and the way i got that to work is to ask here and was told to concatenate the root-ca and sub-ca certificates together
21:49  * russell--- is guessing that is what is going wrong
21:49 <@ordex> on the server ?
21:49 < russell---> on the client
21:49 <@ordex> ah ok
21:49 <@ordex> yeah
21:49 <@ordex> but it's the server complaining, no?
21:50 < russell---> yes
21:50 <@ordex> yeah, so what is set as CA on the client does not affect it
21:50 <@ordex> (in theory)
21:50 <@ordex> still, why would that work with openssl and not mbedtls is *everything* is the same
21:51 < russell---> the server is using openssl (afaik) and the client is using mbedtls (definitely), to be extra clear
21:52 < russell---> but the configuration is identical between working openvpn-openssl and non-working openvpn-mbedtls on the client end
21:52 <@ordex> also same certificates/keys/ca, right ?
21:53 < russell---> yes, everything is exactly the same except for the package selection in lede
21:53 <@ordex> ok
21:53 <@ordex> weird
21:53 < russell---> indeed
22:03 < russell---> i am building new images to reconfirm working and non-working
22:04 <@ordex> ok
22:54  * russell--- confirmed that on lede-project (reboot-5216-g5302abe745) openvpn-openssl works; openvpn-mbedtls does not work, otherwise identical configuration and package selection.
22:55 <@ordex> russell---: have you tried openvpn-mbedtls on a non-lede system?
22:55 <@ordex> openwrt/lede is famous for little optimizations :P
22:55 < russell---> nice idea, i will try that
22:56 <@ordex> cool!
22:56  * skyroveRR burps at ordex 
22:56  * ordex dodges
22:57 < skyroveRR> :|
22:57 <@ordex> :D
23:26 -!- rax-Y is now known as rax-
--- Day changed Tue Oct 31 2017
01:44 < Gaaab> can i ask here for easy-rsa package ?
01:46 < Gaaab> after editing vars, build-ca keeps on telling me i should edit vars and run clean-all .... ???
02:20 < TC`> Hi, I have openVPN 2.2.1 on the server. Trying to debug, why my clients cannot connect after their pc with openvpn client reboot.
02:21 < TC`> tcpdump shows that packets comes to my server on port 1194
02:21 < TC`> but it doesn't show in openvpn server log
02:21 < TC`> as that specific client connected or got dropped etc.
02:21 < TC`> How I should debug this problem?
02:22 < TC`> openvpn server is on debian 7.8
03:27 < TC`> turns out that after summer vpn user ussage increased and max-clients was set to low
03:32 <@ordex> TC`: you should also consider upgrading to something less ancient thna 2.2
03:34 <+hyper_ch> debian 7.. that's wheezy right?
03:39 < TC`> yes
03:46 <+hyper_ch> isn't that out of suppor?
03:46 <+hyper_ch> stable is stretch
03:46 <+hyper_ch> old stable ise squeeze
03:46 <+hyper_ch> and I think wheezy is out of support meanwhile
04:00 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
04:02 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
04:02 -!- mode/#openvpn [+o syzzer] by ChanServ
05:05 -!- aykut_ is now known as aykut
05:39 < russell---> using this config, and keys/certs that work with openssl, with mbedtls i get failure: https://pastebin.ca/3901765
05:39 < russell---> built on ubuntu 16.04 from git source
05:41 <+hyper_ch> why use tap?
05:41 <+hyper_ch> and what failure do you get?
05:45 < russell---> hyper_ch: the client side says: TLS Error: TLS key negotiation failed to occur within 60 seconds
05:46 <+hyper_ch> sever config?
05:49 < russell---> hyper_ch: this has both configs, https://pastebin.ca/3901768
05:49 <@ordex> russell---: the server failure is more interesting (if still the same as before)
05:49 <@ordex> russell---: so you reproduced it on ubuntu?
05:49 < russell---> yes
05:50 <@ordex> oh cool
05:50 <@ordex> maybe the client is stripping something from the cert
05:50 <@ordex> that openssl does not strip
05:50 <@ordex> russell---: can you paste the server log (verb 4) so we can clearly read the error
05:50 <@ordex> ?
05:51 <@ordex> russell---: and why me and you are always in the same channels? :D
05:51 < russell---> standby
05:51 < russell---> lol
05:53 <+hyper_ch> ordex: you got a stalker!!!
05:54 <@ordex> :D
05:54 <@ordex> sure thing
05:54 <+hyper_ch> only important people have stalkers
05:54 <+hyper_ch> still no krzee :(
05:55 <@ordex> hyper_ch: he gave us a sign in the devel channel once
05:55 <@ordex> so still on this planet
05:55 <+hyper_ch> there's a super secret dev channel? oO
05:55 <@ordex> yes, only for people with stalkers
05:55 <@ordex> :P
05:55 < russell---> https://pastebin.ca/3901769
05:55  * hyper_ch feels left out
05:56 < russell---> clearly ordex follows interesting channels, /me wonders if he's missing any
05:57 <@ordex> hyper_ch: #openvpn-devel is the live version of the openvpn-devel list
05:57 <@ordex> while this channel is for user support
05:59 <+hyper_ch> russell---: you sure you use the right certs/keys?
05:59 <+hyper_ch> and why use tap?
05:59 <@ordex> :D
05:59 <@ordex> russell---: he'll keep on asking about tap, no matter what :P  give him a resonable answer!!
05:59 <@ordex> :D
06:00 <@ordex> hyper_ch: :*
06:00 < russell---> we run olsrd over it
06:00 <+hyper_ch> no idea what olsrd is
06:00 < russell---> so, i guess broadcast is important
06:00 < russell---> a mesh routing protocol
06:00 <+hyper_ch> pretty sure you just made that up to mess with me :)
06:01  * russell--- can drop some tcpdumps to prove it! ;-)
06:01 < russell---> anyway, we've always used tap, and it works fine with openssl
06:01 <+hyper_ch> but but but
06:01 <+hyper_ch> !tunortap
06:01 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
06:01 <@vpnHelper> rooted/jailbroken) support only tun
06:02 < russell---> yeah, we want that
06:02 <+hyper_ch> I guess with mesh thingies you want mac address
06:03 <+hyper_ch> well, I still think you messed up the certs and keys in the configs
06:03 <+hyper_ch> I hope you use some kind of script to create proper conf files
06:03 < russell---> easyrsa3
06:03 < russell---> and, again, same config works with olsrd
06:03 <+hyper_ch> and scripts to create the .conf files?
06:03 < russell---> with openssl, that is
06:04 < russell---> yeah, we have a configurator
06:04 < russell---> so, like no typos
06:05 < russell---> 4096-bit RSA keys
06:05 <+hyper_ch> I kept messing up configs with the hardphones, so I first creaed generator for th ehardphones and then for other stuff  https://github.com/sjau/sipGenVPN
06:05 <@vpnHelper> Title: GitHub - sjau/sipGenVPN: Small collection of bash scripts to create client config files for SIP hard- and softphones (at github.com)
06:07 < russell---> again, precisely the same config/keys/certs work with openssl on both ends. with mbedtls at the client, failure.
06:16 < russell---> yeah, i just confirmed on ubuntu as well
06:16 <@dazo> russell---: using --crl?
06:16 <@dazo> oh, I saw the config pastebins now
06:16 <@dazo> nope, you're not using crl
06:17 < russell---> if i build with --with-crypto-library=openssl instead of mbedtls it works
06:17 <@dazo> try:  openssl verify -CAfile $CA_FILE $CERTFILE
06:18 <@dazo> which version of mbedtls?
06:18 < russell---> on lede, it's libmbedtls - 2.6.0-1
06:18 <@dazo> if openssl verify is OK ... then, pastebin the output of 'openvpn x509 -noout -text -in $CERTFILE' ... of both CA, client and server certs
06:19 <@dazo> mbedtls-2.6 is very picky about the certificates, btw ... 2.4 was cruel, 2.6 is crueller .... but with the up-side of really decent certificate quality
06:21 < russell---> verify is OK
06:22 <@dazo> okay, good ... then lets have a look at the certificate dumps (openssl x509)
06:25 < russell---> dazo: this is the client crt: https://pastebin.ca/3901782
06:27 < russell---> and the ca cert: https://pastebin.ca/3901785
06:27 < russell---> note that the client is signed with an sub-ca key
06:29 <@dazo> ahh, that makes it slightly more challenging
06:30 <@dazo> and the server cert?
06:31 < russell---> and, this is the server crt: https://pastebin.ca/3901788
06:32 < russell---> dazo: i had trouble before, and the advice (that worked) was to concatenate the root-ca and sub-ca crts and use that on the client side, which worked
06:32  * dazo is silent, just because he is parsing all the provided input ...
06:32  * russell--- waits patiently for the slightest clue
06:33 <@dazo> right ... I wonder if you need to look into --extra-certs with mbed TLS
06:36 <@dazo> syzzer: do you know about any quirks with mbed TLS and sub-CA configs?
06:40 < russell---> extra-certs looks promising
06:40 <@dazo> iirc, the sub-CA could go into extra-certs
06:41  * russell--- will try that
06:50 < russell---> hmm, tried it both ways, get the same error
06:52 < russell---> that is, used ca root-ca.crt, extra-certs sub-ca.crt and the other way around
06:53 < russell---> oh, wait, i may have things slightly messed, trying again
07:00 <@syzzer> dazo, russel: my openvpn-with-mbed test setup does test sub ca's, using stacked CA's (concat the PEM for CA and sub-CA in a single file)
07:00 <@syzzer> that should work just fine
07:03 < Gaaab> does easy-rsa belong to this channel ?
07:05 < russell---> syzzer: yeah, it didn't help anyway.  openssl server not liking my mbedtls client, at all.
07:12 <@syzzer> russel: so, where is the cert with CN=foo ?
07:13  * dazo need to head out for some hours
07:13 < russell---> foo was my obfuscation of turd
07:13 <@syzzer> ah
07:13  * russell--- gives up on obfuscation, finds enough already
07:14 <@syzzer> ok, and /etc/openvpn/keys/root-ca.crt has the concatenation of the root ca and the sub ca ?
07:15 < russell---> in the winning case, where the client is using openssl, i see VERIFY OK on the root on all the certs
07:15 < russell---> uh, whatever i used for the option ca had the concatenated crts
07:16 <@syzzer> ah, wait, I think I get what's going on.  If I rememeber correctly, openssl send the cert *chain* to the peer, while an mbed client only sends the client *cert* (ie, without intermediate)
07:16 <@syzzer> but if the server has both the root and sub ca in the ca-file, it should still work...
07:17 < russell---> i'm not sure it does, because i didn't need them concatenated with an openssl client
07:17  * russell--- should maybe try that?
07:18 <@syzzer> that works in my test setup
07:20 < russell---> that fixed it! yay!
07:20 < russell---> syzzer++
07:20 <@syzzer> great!
07:21  * russell--- can die happy now
07:31 < russell---> thanks also to dazo and hyper_ch and ordex for your clarifying questions and suggestions
07:39 <+hyper_ch> syzzer saves the day
07:39 <+hyper_ch> Gaaab: yes
07:43 < Gaaab> and, on my debian9 VPS with openssl 1.0.2l and openvpn2.4.4 i have set AES-256-GCM cipher
07:44 < Gaaab> and on client side ubuntumate 16.04 library versions: OpenSSL 1.0.2g
07:44 < Gaaab> Cipher algorithm 'AES-256-GCM' not found && Exiting due to fatal error
07:47 <@plaisthos> that is a bit strange but might be the case
07:48 <@plaisthos> can you try running openssl speed -evp aes-256-gcm?
08:06 < Gaaab> playsthos: do you want me to paste results on pastebin ?
08:06 < Gaaab> plaisthos:
08:08 <@plaisthos> just if it works or not
08:08 < Kryczek> Gaaab: the last line is the summary
08:09 <@plaisthos> should look similar list this (last two lines):
08:09 <@plaisthos> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
08:09 <@plaisthos> aes-256-gcm     396080.60k   884605.09k  1950671.26k  2860043.45k  3204635.17k  3492175.13k
08:09 < Kryczek> aes-256-gcm       2029.93k     2206.97k     2261.16k     2280.50k     2293.76k     2284.53k
08:09 < Kryczek> yours is faster :P
08:09 <@plaisthos> Kryczek: are you running on a potato?
08:09 <@plaisthos> *ducks*
08:09 < Kryczek> plaisthos: Soekris Net5501
08:10 < Gaaab> https://paste.ee/p/WZael
08:10 <@plaisthos> Kryczek: potato confirmed! :P
08:10 < Kryczek> plaisthos: it does have a crypto acceleration card (VPN1411) but it does not do AES-GCM, just AES-CBC and a couple of others
08:10 <@plaisthos> Gaaab: is that the side that complains about not having aes-gcm-256
08:10 < Kryczek> plaisthos: don't you dare, I love my Soekris box! :)
08:11 <@plaisthos> I had one too, years ago
08:11 <@plaisthos> but compared to modern cpus its cpu is more potato ;)
08:11 < Kryczek> this one is from 2009, still going strong
08:12 < Kryczek> true :) I wish it had a TPM in fact, so I could do Remote Attestation (check that your VPN gateway is still running what you think it's running) but no need to replace the Soekris with a PC for as long as it's running perfectly...
08:12 <@plaisthos> oh my rasbpberry pi is in the same potato league (~6MB/s)
08:12 < Kryczek> ha! :P
08:13  * Kryczek switches on huge potato out of curiosity...
08:13 <@plaisthos> :)
08:14 < Gaaab> plaisthos: do you mean where i read (aes partial) ?
08:14 <@plaisthos> also depends if you crypto accleration or not
08:14 <@plaisthos> 13:44:56 <Gaaab> Cipher algorithm 'AES-256-GCM' not found && Exiting due to fatal error
08:14 < Gaaab> ah ok
08:16 < Kryczek> aes-256-gcm     759968.42k  1808912.58k  3073623.72k  4342047.74k  5013307.39k
08:16 < Kryczek> take that, Mr Potatohead :P
08:16 < Gaaab> ubuntu network does not list aes-256-gcm at all
08:17 < Gaaab> ubuntu network manager i mean
08:20 < Kryczek> Gaaab: https://github.com/trailofbits/algo/issues/418 from April 2017 says "Network Manager does not support AES-GCM."
08:20 <@vpnHelper> Title: Ubuntu desktop 17.04 Network manager not able to connect (as a client) · Issue #418 · trailofbits/algo · GitHub (at github.com)
08:21 < Gaaab> i'm going from command line
08:22 < Kryczek> yeah but afaik nm-applet, nm-cli etc are just overlays on the same NM backend
08:24 < Kryczek> plaisthos: pity that https://github.com/heipei/engine-cuda does not support GCM, it would have been an interesting comparison :)
08:24 <@vpnHelper> Title: GitHub - heipei/engine-cuda: engine-cuda is a CUDA/OpenCL engine for the popular OpenSSL cryptography framework. (at github.com)
08:30 < Kryczek> plaisthos: which kind of Raspberry Pi by the way?
08:42 <@plaisthos> rpi2 iirc
08:49 <@ordex> russell---: solved??
09:02 < Cobra84> WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1602'
09:02 < Cobra84> WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
09:02 < Cobra84> WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
09:02 < Cobra84> may I ask what it means?
09:05 < DArqueBishop> Cobra84: as I answered yesterday, it means those three parameters are set differently on the client and server configs.
09:06 < Cobra84> DArqueBishop: thank you very much I got disconnected yesterday (sorry)
09:06 < Cobra84> so I basically have a bad configuration file
09:07 < Cobra84> DArqueBishop: may I ask if there's a security risk?
09:08 < Cobra84> is my connexion safe and encryted or should I asume it isn't
09:08 < DArqueBishop> I wouldn't say there's a security risk, but it's best if you're consistent between server and client.
09:08 < Kryczek> Cobra84: null-digest is definitely not good
09:08 < evilgohan2> ,seen Selavi
09:08 < evilgohan2> grr
09:09 < Cobra84> Kryczek: null digest is only the auth though? it odesn't really matter to me if my password is stolen
09:09 < Cobra84> however I want to be sure my connexion is crypted and not hijacked
09:10 < Cobra84> connection*
09:10 <@ordex> Cobra84: firt of all: does connectivity really work after you see those messages?
09:10 < Kryczek> Cobra84: do you not see a problem between "doesn't really matter to me if my password is stolen" and "I want to be sure my connexion is crypted and not hijacked" ? :)
09:10 < Cobra84> it seems so
09:11 < Cobra84> Kryczek> I'm not too sure, I mean does it really matter if my vpn password is stolen? it just means someone else can use my account, it doesn't mean my connection is not encrypted
09:11 <@ordex> weird, because the ciphers are different ..
09:12 < DArqueBishop> "I mean does it really matter if my vpn password is stolen?"
09:12 <@ordex> 'auth' to the packet authentication (aka the signing algorithm)
09:12 <@ordex> it says null because GCM provides auth by itself
09:12  * DArqueBishop hits Cobra84 on the nose with a rolled-up newspaper.
09:12 < DArqueBishop> NO! BAD USER! BAD!
09:12 < Cobra84> ....
09:12 < Cobra84> I'm not an expert friends
09:13 < Cobra84> :)
09:13 < Cobra84> you figured I guess
09:13 < DArqueBishop> It's not a matter of being an expert. It's security 101.
09:13 < DArqueBishop> You NEVER share your account credentials with anyone.
09:13 < Cobra84> so my connection is not correctly encrypted ?
09:13 < Cobra84> or is it?
09:13 < Kryczek> it's not
09:14 < Cobra84> damn .... :/
09:14 < DArqueBishop> Again, you need to have them be consistent.
09:14 < DArqueBishop> Is this your VPN server?
09:14 < Cobra84> ok I'll have to fix this ASAP then
09:14 < Cobra84> no I use vpn provider
09:14 < DArqueBishop> Then you really should be talking to their tech support.
09:14 < Cobra84> not sure if I can tell the name, is it allowed?
09:15 < Cobra84> Yes I will, immediately going to contact the suppot
09:15 < Cobra84> support*
09:19 < Cobra84> Thank you very much
09:19 < evilgohan2> DArqueBishop: What abotu hardcoding your password into a script that's accessible by anyone with credentials to that box
09:19 < evilgohan2> and obfuscating it by converting it to base64, and then to a binary :P
09:19 < Cobra84> Kryczek> thank you
09:20 < evilgohan2> Oh, for the record, this isn't a hypothetical
09:20 < evilgohan2> a former coworker did exactly just that.
09:20 < DArqueBishop> My response would probably be on a piece of paper.
09:20 < DArqueBishop> It'd be colored pink.
09:20 <@dazo> DArqueBishop: when you see these WARNING with inconsistency *and* AES-256-GCM is mentioned, it means the cipher got upgraded through the new 2.4 feature - NCP
09:20 <@dazo> that impacts both 'auth' and 'link-mtu'
09:21 <@dazo> Kryczek: You need to ditch those crappy Linux distros with outdated NetworkManager .... I'm on RHEL 7 (which by default is not bleeding edge, btw) ... and it supports AES-256-GCM ;-)
09:22 <@dazo> NetworkManager-1.8.0-11.el7_4.x86_64
09:22 <@dazo> NetworkManager-openvpn-1.2.6-1.el7.x86_64
09:22 <@dazo> NetworkManager-openvpn-gnome-1.2.6-1.el7.x86_64
09:23 < Kryczek> dazo: thanks but it wasn't me, I use openvpn without NM ;-)
09:23 <@dazo> Kryczek: ahh, I just saw you posted a pointer to somewhere claiming lack of GCM support :)
09:24 < Kryczek> dazo: yeah Gaaab was asking, and (s)he apparently left without saying thanks, sigh
09:25 <@dazo> :)
09:26 <@dazo> speaking of the sun ...... :-P
09:27 < Kryczek> apparently network-manager-openvpn is version 1.2.6 in Ubuntu 17.04 (Zesty) and 1.2.10 in 10.10 (Artful)
09:28 < Cobra84> so basically if the encryption algorythm is not consistent between server and client, then it means the connexion is not encrypted at all? strange
09:28 < Cobra84> this must be a very incompetent vpn provider
09:28 <@dazo> Cobra84: please, provide some logs
09:28 <@dazo> Cobra84: oh, the majority of VPN providers are just that ... incompetent
09:29 <@dazo> in fact VPN as a service is not useful for security to start with, but that's a different story
09:29 <@dazo> (VPN as a service is more like a virtual ISP)
09:29 < Cobra84> dazo> can I pm you the logs?
09:29 <@dazo> !pastebin
09:29 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site, or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups, or (#3) If you're pasting config files, see !configs for grep syntax to remove comments, or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#5) <bibble> termbin is good.
09:29 <@vpnHelper> just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
09:29 < Cobra84> dazo: is it safe to post logs publicly?
09:30 <@dazo> yes
09:30 <@dazo> there's no encryption keys there (unless you're using verb 7 or higher .... and they would be invalid after the next re-connect; unless someone have saved tcpdumps of your traffic)
09:31 < Cobra84> dazo: https://pastebin.com/wH77N9xh
09:31 <@dazo> and the cert info is by default public information anyhow
09:31 <@dazo> Tue Oct 31 12:38:20 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
09:31 <@dazo> Tue Oct 31 12:38:20 2017 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
09:31 <@dazo> your tunnel is using AES-256-GCM ... which implies also packet authentication (part of the GCM cipher)
09:32 < a1fa> (openvpn ticket: 458)
09:33 <@dazo> the inconsistency stuff is basically because you have AES-256-GCM in your local config and the server uses AES-256-CBC.  But since both sides runs v2.4.x, the tunnel is upgraded to AES-256-GCM
09:33 < a1fa> is there a way to dump server certificate by a non-patched client
09:33 < Cobra84> so it's encrypted?
09:33 <@dazo> Cobra84: yes
09:33 < a1fa> Ya
09:33 < Cobra84> you got me worried
09:33 < a1fa> when in doubt, tcpdump
09:33 < Cobra84> wowo
09:33 < Cobra84> wow*
09:33 <@dazo> Cobra84: you can remove those warnings by changing your local cipher in the config to AES-256-CBC ... and your tunnel should (in theory at least) still upgrade to AES-256-GCM
09:34 < Cobra84> in the configuration files I imagine?
09:34 <@dazo> The warnings I'm pointing at are:  WARNING: '{link-mtu,cipher,auth}' is used inconsistently
09:34 < Cobra84> since I'm a noob I think I'll ask vpn provider to just update the configuration files they distribute
09:34 <@dazo> yeah ... locate the 'cipher' line and change it to AES-256-CBC
09:35 <@dazo> Cobra84: they should probably rather change their server configs instead ;-)
09:35 < Cobra84> they probably just forgot to update their packages
09:35 < Cobra84> as long as it's encrypted it's no priority issue
09:36 < Cobra84> i guess
09:36 <@dazo> Their server configs should use:  --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-256-CBC  (as a minimum)
09:36 <@dazo> that's right
09:36 < Cobra84> but i'll contact them nonetheless
09:36 < Cobra84> dazo: thank you very much dazo
09:36 < Cobra84> you people are great and helpful
09:36 <@dazo> yw!
09:38 < a1fa> dazo: (openvpn ticket: 458) :P
09:40 <@dazo> a1fa: nope, not possible .... and to be honest, if you need that feature I think you should be capable of just doing that patching yourself.  IMO, this isn't much of a useful feature for 99.8% of the OpenVPN users
09:40 < a1fa> ;P other use cases
09:44 < Gaaab> is forward secrecy possible just by dh parametr ?
09:44 < Gaaab> uhm i don't think so
09:46 <@plaisthos> Gaaab: recent openvpn versions also disable all ciphers that don't have forward secrecy
09:47 < Gaaab> good
09:47 <@plaisthos> which broke some crappy routers :D
09:47 < Gaaab> and finally
09:47 <@dazo> Gaaab: you cannot start the OpenVPN server without --dh .... so it's not relevant if it is possible or not to do PFS without DH
09:48 < Gaaab> ok thanks dazo
09:48 <@dazo> but generally, those TLS implementations not needing a --dh equivalent often have hard-coded DH parameters in the build
09:49 <@dazo> (which is why some softeare got hit worse by the logjam attack than others)
09:49 <@plaisthos> You intentionally have to configure OpenVPN not to have forward secrecy
09:50 <@dazo> yeah, you can probably play with --tls-ciphers to avoid the DH/DHE algorithms ... which is not possible with 2.4 at least .... so the last alternative is a static tunnel
09:50 <@dazo> (static key tunnel)
09:52 <@plaisthos> dazo: I think you can still configure 2.4 to avoid DH/DHE algorithms
09:52 <@plaisthos> if you understand OpenSSL cipher selection good enough and do it on both sides
09:52 <@dazo> plaisthos: on my install, --show-tls does not anything else than DHE and ECDHE based ciphers
09:53 <@dazo> hmmm .... I need to do another git master build .... latest v2.4.4 EPEL update replaced my private build :)
09:54 <@dazo> plaisthos: unless syzzer adjusted the --show-tls to lie, that it can do more than it lists there ;-)
09:56 <@plaisthos> dazo: try openvpn --tls-cipher DEFAULT --show-tls
09:57 <@dazo> plaisthos: ahh!  you're right ... syzzer made openvpn lie by default! :-P
09:58 <@dazo> yeah, here I see some non DH ciphers
09:58 < Gaaab> what's wrong with diffie hellman ?
09:58 <@plaisthos> has always been that way
09:58 <@plaisthos> but before the other changes you always got the DEFAULT list
09:59 <@dazo> right, I still blame syzzer ... it's so seldom we get a chance to do just that :-P
09:59 <@plaisthos> :)
10:00 <@plaisthos> When you spend too much time figuring out openssl like me, that seems natural
10:00 <@plaisthos> But I totally understand all the weirdness of it :)
10:00 <@ordex> is that good or bad? :P
10:01 <@dazo> plaisthos: you understand the openssl weirdness .... or you understand that openssl carries lots of weirdness? ;-)
10:02 <@plaisthos> dazo: a bit of the first and definitively the 2nd
10:03 <@dazo> :)
10:05 < DArqueBishop> <dazo> plaisthos: you understand the openssl weirdness .... or you understand that openssl carries lots of weirdness? ;-)
10:05 < DArqueBishop> Yes.
10:05 <@dazo> :)
11:01 < Silex> Hello, I'm setting up a VPN and I want that clients don't see each others, except for a few "sysadmin" clients. I'm trying to setup https://openvpn.net/index.php/open-source/documentation/howto.html#policy and I have my clients in one subnet, and my sysadmins in the other.
11:01 <@vpnHelper> Title: HOWTO (at openvpn.net)
11:01 < Silex> So far so good, except my sysadmins cannot ping the clients...
11:02 < Silex> this is what I've tried: iptables -A FORWARD -i tun0 -s 10.8.1.0/24 -d 10.8.0.0/24 -j ACCEPT
11:04 < Silex> Should I do it the other way around? that is enable "client-to-client" but then drop packets from the 10.8.0.0/24 range?
11:07 -!- albech1 is now known as albech
11:19 <@ordex> Silex: client to client packets do not exit the openvpn process, thus iptables can't do anything
11:19 <@ordex> Silex: you'd need to use "pf" for this. it's a hidden firewall internal to OpenVPN
11:19 <@dazo> Silex: by _not_ using --client-to-client, then the packets will go via iptables
11:20 <@dazo> (at least in TUN mode)
11:39 < Silex> yes I'm in tun mode.
11:39 < Silex> and https://openvpn.net/archive/openvpn-users/2006-08/msg00113.html suggests iptable is the way to go
11:39 <@vpnHelper> Title: Re: [Openvpn-users] Restrict use of client-to-client directive to certain users (at openvpn.net)
11:40 < Silex> in the meantime I made a SO question: https://stackoverflow.com/questions/47040248/openvpn-clients-hidden-from-each-others-except-administrators-clients
11:40 <@vpnHelper> Title: vpn - openvpn clients hidden from each others except "administrators" clients - Stack Overflow (at stackoverflow.com)
11:44 < rob0> well, you do NOT use --client-to-client if you intend to restrict it
11:45 < rob0> I would put the admins in a separate CIDR block (not shared with your regular clients' pool)
11:45 < rob0> you'd want a ccd to use for the admins
11:46 < rob0> You know, this would probably be a lot simpler to just run two server instances, one for admins, the other for everyone else
11:55 < Silex> rob0: okay, and then how do the admins "see" the everyone else?
11:55 < Silex> iptables?
12:03 < Silex> well thanks for the suggestions, I'll ask again tomorrow
12:10 < palate> hello
12:11 < palate> Running `sudo openvpn --remote 192.168.7.2 --dev tun --ifconfig 10.0.0.2 10.0.0.1 --route 172.18.0.0 255.255.255.0`, instead of getting a `tun0` interface on the client, I get `cscotun0` with a very weird IP (not 10.0.0.2 but 129.131.210.192)
12:12 < palate> And the openvpn messsage says stuff like `TUN/TAP device tun0 opened`
12:12 < palate> How could it be?
12:43 < rob0> Silex, right.  In filter/FORWARD, -i tun1 -j ACCEPT along with the typical -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
12:44 < rob0> (Where of course tun1 would be the admins' server instance, tun0 for others.)
12:58 < TheWhisper> Hey, I'm trying to do something that may be totally ridiculous, but I'm not sure. I have my OVPN server at a specific IP — let's call it IP 1. I can connect to IP 1 via the VPN and send traffic through it normally. I also have a Plex Media Server instance running at IP 1. I was trying to route my traffic (from the Plex client app) to the Plex Media Server (at IP 1) through the OVPN server (also at IP 1).
12:59 < TheWhisper> However, when I set up this routing in my client config, it doesn't work properly. I am still able to connect to (and through) the OVPN server, but cannot connect to the Plex Media Server.
12:59 < TheWhisper> I'm thinking the issue is because both the Plex Media Server and OVPN server are at the same place
12:59 < TheWhisper> with the same IP
12:59 < TheWhisper> so it's causing some sort of loop or dead-end.
12:59 < TheWhisper> Is what I'm trying to do feasible at all?
13:00 < TheWhisper> (Other routes to other IPs work properly. It's just when I add the `route {IP 1}`, which is the same as the `remote` IP, that it breaks.)
13:04 < TheWhisper> Ah, actually! I think Plex already knows to look for the internal IP when connected through the VPN
13:04 < TheWhisper> because it is fooled into thinking it's on the same LAN
13:04 < TheWhisper> https://dl.dropboxusercontent.com/s/vc5q3d2y274n50n/Screenshot%202017-10-31%2014.04.20.png
13:08 < TheWhisper> 👍
14:39 < palate> Does networkmanager on ubuntu sometimes conflict with openvpn?
14:40 <@dazo> palate: conflict how?
14:41 <@dazo> (does drivers sometimes drive on red light? .... is sand sometimes warm?)
14:43 < palate> dazo: on my computer (Arch Linux), if I run a pptp connection with:  sudo openvpn --remote 192.168.17.2 --dev tun --ifconfig 10.0.0.2 10.0.0.1 --route 172.20.0.0 255.255.255.0, it creates a tun0 interface with ip 10.0.0.2
14:44 < palate> dazo: on my colleague's Ubuntu 16.04, she gets a cscotun0 interface with a weird ip such as 129.12.44.131
14:45 < palate> Since I am really running a very basic openvpn command, I don't even have config files to check. So I'm wondering if network-manager could be the reason for this weird behavior
14:46 <@dazo> palate: cscotun0 smells like a cisco tunnel ... not openvpn
14:46 < palate> dazo: The other thing she has is a `wlxf4f26d0de3fa` ethernet interface connected to the enterprise network with ips: inet addr:10.20.21.136  Bcast:10.20.31.255  Mask:255.255.240.0
14:46 < palate> dazo: It does, but she really runs this command (sudo openvpn) =/
14:47 <@dazo> openvpn will by default (unless otherwise provided in the config) use tunX ... where X is an integer which is automatically incremented one by one for each openvpn instance
14:47 < palate> And the openvpn output talks about interface tun0, not cscotun0: " TUN/TAP device tun0 opened"
14:48 <@dazo> hence there is something more in play here than just the openvpn tunnel
14:48 < palate> dazo: so you mean that maybe, the tun0 interface is just not created at all, and cscotun0 comes from somewhere else?
14:48 <@dazo> it might be very well that the cisco tunnel doesn't like the openvpn tunnel
14:48 <@dazo> yeah
14:48 < palate> dazo: hmm
14:48 < palate> dazo: do you have an idea what I could do? Or how I could check that?
14:48 <@dazo> pastebin the output of 'nmcli con'
14:49 < palate> She's not online anymore :/. I was hoping to get some ideas so that I can debug her tomorrow
14:49 < palate> dazo: But I have outputs like ifconfig and ip addr if you want?
14:49 <@dazo> well, that should give you an idea of which connections are configured and which have been activated
14:50 < palate> by network-manager, right?
14:50 <@dazo> yeah
14:50 < palate> so my openvpn connection will not appear in nmcli c, will it?
14:50 <@dazo> and if you're using a recent NM version with the nm-openvpn plugin .... that should generally work quite fine .... nowadays it even supports multiple VPNs running at the same time
14:50 <@dazo> the upside of that is that DNS configurations are handled much better
14:51 < palate> you mean using the network-manager-pptp package?
14:51 < baconology> guys openvpn is working great, thank you so much for everything over the last few weeks
14:51 <@dazo> the downside is that NM kills all VPNs if the Internet connections goes down (it doesn't let OpenVPN, at least, to handle re-connection by itself)
14:51 < rob0> pptp is not openvpn is not pptp
14:52 < palate> rob0: oh, so an openvpn point-to-point connection is still openvpn? :D
14:52 < rob0> !pptp
14:52 <@vpnHelper> "pptp" is (#1) PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
14:52 <@vpnHelper> read about why to not use pptp, or (#2) Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security, or (#3) https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
14:52 < palate> right
14:53 < palate> so dazo: package network-manager-openvpn and I ask her to connect with the GUI? :)
14:54 < palate> rob0, dazo: Is there a way to know if network-manager is somehow conflicting? Would it log something?
14:55 <@dazo> it will be in the systemd journal or /var/log/messages
15:09 < palate> dazo: thanks a lot
15:15 < adac> Is it possible to have multicast via openvpn?
15:16 <@dazo> adac: not 100% sure .... if you can route the multicast, it should in theory work ... but it might be we're missing some special treatment of multicast packages
15:16 < rob0> I suppose with tap/bridging it would work, ^^ likewise not sure with tun
15:24 < adac> dazo, rob0 thanks! Will investigate a bit
15:46  * swg0101 pokes novaflash
17:36 < russell---> ordex: yes!
17:56 -!- derpSaucey is now known as papadopoulas
17:56 -!- papadopoulas is now known as papadopoulos
18:10 -!- abenz_ is now known as abenz
18:46 <@ordex> new OpenVPN Connect for Android is out (1.1.21) :)
19:03 < Kryczek> ordex: yay! \o/
19:04 <@ordex> please crashes, if any :)
19:04 < Kryczek> ordex: question that comes to mind, if I may: OpenVPN Connect for my Android 4.1.2 phone does not like using the Keystore anymore, it only works if I put the <cert> and <key> directly into the ovpn file
19:05 < Kryczek> any idea why? Maybe OpenVPN Connect is using a new kind of call to Keystore that does not work on older Android versions?
19:05 <@ordex> Kryczek: when you say it does not like, what do you exactly mean?
19:05 <@ordex> and is this problem started with the version released today?
19:06 < Kryczek> sorry, trying to get the exact error message :) It had at least "OpenSSL RSA_sign failed"
19:07 <@ordex> eheh ok
19:07 <@ordex> and about the version ?
19:07 < Kryczek> I'll try now and try with the update :)
19:07 <@ordex> oky
19:08 <@ordex> unfortunately with the zoo of releases it is not easy to catch all kind of malfunctioning. especially on older versions
19:08 <@ordex> but theoretically we try to keep compatibility
19:09 < Kryczek> I know, I hope it does not come across like I'm complaining :)
19:15 < Kryczek> ordex: the error on screen in "External PKI error : java.security.InvalidKeyException: OpenSSL RSA_sign failed" but the line before that in the logs says "EVENT: EPKI_INVALID_ALIAS info='galaxy'" (galaxy being the name of my cert)
19:15 <@ordex> oh I see
19:15 <@ordex> and this happened with the version *before* and *after* the upgrade?
19:15 < Kryczek> happy to share the whole log but I can't seem to find a way to share it...
19:16 < Kryczek> that is before the upgrade, version...
19:16 <@ordex> mh not sure there is an easy way
19:16 <@ordex> ok
19:16 <@ordex> good to know
19:16 < Kryczek> OpenVPN Connect 1.1.17 (build 76), OpenVPN core 3.0.12 android armv7a thumb2 32-bit built on May 24 2016 09:42:05
19:17 <@ordex> yup, thanks
19:17 <@ordex> I'd have to dig a bit. normally that just works
19:17 <@ordex> but I can't exclude that something changed in the API
19:17 < Kryczek> there is an update for it in my Play store, shall I install it now? :)
19:18 <@ordex> yeah
19:18 <@ordex> and try again, to see if the error changes, please
19:18 < Kryczek> of course :)
19:18 < Kryczek> interesting, it's not listing that profile anymore
19:19 < Kryczek> hah, if I try to import it again the UI says:
19:20 < Kryczek> "Error parsing OpenVPN profile : mytest.ovpn : option_error: option 'cert' not found"
19:20 <@ordex> mh
19:20 <@ordex> this is interesting
19:20 < Kryczek> indeed
19:20  * Kryczek rubs chin
19:21 <@ordex> Kryczek: how do you import the profile into android? just by clicking on a .p12 file from the file explorer?
19:21 < Kryczek> ordex: no no, I did Menu button > Import > Import Profile from SD card, but I can try otherwise if you want
19:22 < Kryczek> ordex: also do you mean the profile or PKCS#12 bundle?
19:22 <@ordex> nono, I mean the bundle
19:22 <@ordex> sorry, still waking up here :)
19:22 <@ordex> you use the import function from android too, right?
19:22 <@ordex> from *Connect
19:23 < Kryczek> I think I tried both, but I can try again; as it so happens I had to reimport the PKCS#12 bundle as we were speaking since I had cleared the Keystore previously as part of the debugging, and this time I did it through the OpenVPN UI
19:24 < Kryczek> well, what I think is the OpenVPN UI: when I clicked Connect I got a popup asking me to pick a cert but there was none so it offered to import one
19:25 <@ordex> yup
19:38 < Kryczek> ordex: I read somewhere that such errors might be due to PKCS#12 decryption gone wrong, but I can't seem to find a way to make one entirely without a password, the best I have managed is just a blank password, but that probably makes no difference if the decryption is buggy
19:39 <@ordex> mhhh well, but it should work anyway
19:39 <@ordex> with or without encryption
19:39 <@ordex> otherwise i think android would complain when you import the bundle
19:39 < Kryczek> indeed :) it used to
19:40 < Kryczek> is the code of the Android app's current version somewhere online? Maybe I can help?
19:41 <@ordex> nop sorry
19:41 <@ordex> the UI is closed for now
19:42 < Kryczek> no worries
19:42 < Kryczek> the new errors sounds like it's rejecting the OVPN file before querying the Keystore
19:42 <@ordex> I'll into this soon. 'mytest.ovpn : option_error: option 'cert' not found"' is even more critical
19:43 <@ordex> yap
19:43 <@ordex> it's complaining about the missing cert while it should not
19:50 < Kryczek> ordex: here is the OVPN in case it helps: https://pastebin.com/9c72ULQG
19:50 <@ordex> thanks a lot Kryczek
19:50 <@ordex> I'll use it as test case
19:50 < Kryczek> happy to be of help :)
19:51 < Kryczek> and please don't hesitate to ask if there is anything else I can do, my IRC client is here 24/7
19:52 <@ordex> Kryczek: thanks! I may shoot a test release at you if you want to be an early tester
19:53 <@ordex> thanks, really
20:40 < dimm0k> is it possible to use an encrypted private key in my .ovpn on Android with the latest OpenVPN?
20:41 < dimm0k> i have the askpass parameter, but when i import the .ovpn it gives me the error mbed TLS: error parsing config private key : PK - Private key password can't be empty
20:42 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: by bye]
20:46 < Kryczek> dimm0k: hah we were just discussing something similar
20:48 < Kryczek> dimm0k: can you try importing the private/public key pair as a PKCS#12 (.p12 or .pfx) bundle into the Android Keystore, which is even better than encrypting the private key, especially if your Android phone has a Hardware Security Module
20:49 <@ordex> dimm0k: yeah I think there is a bug in the latest release
20:55 < dimm0k> Kryczek: i actually have imported that as a .p12 into the keystore...
20:55 < Kryczek> strange
20:55 < dimm0k> but when i import the .ovpn, it asks me to put in a <key> section and if i do, i get the above mentioned error
20:56 <@ordex> dimm0k: would you be open to testing a preliminary build fixing that ?
20:56 < dimm0k> ordex: sure!
20:56 <@ordex> Kryczek: it's the same problem that then got moved somewhere else
20:56 <@ordex> I know what it is
20:56 <@ordex> just working on that NOW!
20:56 <@ordex> :)
20:56 < dimm0k> lol
20:57 < Kryczek> dimm0k: ah yeah the very latest version tells me "Error parsing OpenVPN profile : mytest.ovpn : option_error: option 'cert' not found" if I put it in the keystore
20:57 < dimm0k> Kryczek: i guess we wait for ordex's prelim build?
20:57 < Kryczek> ordex: many thanks for your efforts :)
20:57 <@ordex> np, thanks for reporting back this fast
20:58 <@ordex> there has been quite some reworking on this build, even though there are not many new features. so we expected some glitches, unfortunately
20:59 < dimm0k> yeah, not digging the white background... but that's nothing major
21:00 < Kryczek> out of curiosity can I ask why is the Android client closed source? Maybe some licencing issue or something? :)
21:01 < Kryczek> dimm0k: the background is black on mine... maybe something to do with the Android version? My whole Android 4.1.2 is dark
21:01 <@ordex> honestly this is a question to redirect to the upper layer in OpenVPN Inc. :)
21:01 <@ordex> it's dark here too (android 6, 7 and 8)
21:01 <@ordex> Kryczek: the core is open (it's on github)
21:01 <@ordex> it's the ui that is basically closed
21:02 <@ordex> probably to avoid the average provider to get it, rebrand it and sell as its own app for its own service, but this is just my guess
21:02 < Kryczek> understandable
21:04 < Kryczek> it's awesome already to have official clients for a variety of platforms... I couldn't believe there was one for Windows Mobile when I needed it on my HTC Diamond ~10 years ago
21:05 <@ordex> hehe
21:05 <@ordex> the zoo is so broad
21:05 <@ordex> :D
21:07 <@ordex> Kryczek: dimm0k: if I'd ship you an apk, would you be able to test it on your devices?
21:07 < Kryczek> ordex: pinky-promise you won't hack us?
21:08 <@ordex> Kryczek: you'll receive it signed from my @openvpn.net email, I hope that's enough to trust me as much as you trust the apk on the store :)
21:08 < Kryczek> I know, just teasing :)
21:08 <@ordex> the apk will also come signed with the same key as the store, if you want to verify that :)
21:09 < dimm0k> i was going to trust you since you had the @ ;)
21:09 <@ordex> heh
21:10 <@ordex> don't do that with everybody!
21:10 <@ordex> :D
21:10 < dimm0k> and then let Kryczek go first
21:10 < dimm0k> haha
21:10 < Kryczek> lol
21:12 < Kryczek> should we uninstall the store version first, or?
21:13 <@ordex> it should upgrade
21:14 < dimm0k> in preparation for this, we won't need the <key>, <cert>, <ca> parameters as long as we have them imported as a .p12/.pfx correct?
21:14 <@ordex> right
21:15 <@ordex> everything should work as before
21:15 <@ordex> before the upgrade I mean
21:16 < Kryczek> dimm0k: I keep the <ca> inside the OVPN to avoid having it as an OS-wide trust, and hopefully it also limits OpenVPN to trusting only that particular CA
21:17 <@ordex> Kryczek: I think the CA can also be in the bundle, no dimm0k ?
21:18 <@ordex> and openvpn will us eonly that
21:19 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
21:19 -!- mode/#openvpn [+v s7r] by ChanServ
21:19 < Kryczek> ordex: if I put the CA in the bundle (my) Android installs it as an OS-wide CA, and then complains that I trust 3rd party CAs
21:20 < dimm0k> it can handle the bundle just checked
21:20 <@ordex> Kryczek: ah ok
21:20 <@ordex> this may vary across android versions
21:21 < dimm0k> Kryczek: i threw that CA into /system/etc/security/cacerts/ to get rid of that message
21:21 < Kryczek> dimm0k: no need if you keep the CA inside the OVPN :)
21:22 < Kryczek> dimm0k: that's how mine looks like: https://pastebin.com/9c72ULQG
21:23 <@ordex> ok, just tested here and it works
21:23 <@ordex> Kryczek: shipping your way ..
21:23 <@ordex> yeah I embed the CA in the ovpn file too. just easy to maintain
21:44 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
22:16 < dimm0k> ordex: just installed the second version, so far so good...
22:17 <@ordex> dimm0k: thanks a lot!
22:17 < dimm0k> was i supposed to notice any changes?
22:17 <@ordex> nope
22:17 <@ordex> it was just supposed to work as good as the previous one ;)
22:17 <@ordex> so now you can happily use your external bundle?
22:18 < dimm0k> yep, so far so good
22:18 <@ordex> thanks a lot for testing
22:19 <@ordex> this has been very helpful from you guys
22:23 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:23 -!- mode/#openvpn [+v s7r] by ChanServ
22:27 < dimm0k> ordex: np!
22:48 < dimm0k> ordex: will these changes see PlayStore soon? just wondering if i should update my other devices now or wait
22:48 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: by bye]
22:49 <@ordex> dimm0k: hopefully by tomorrow
22:50 < dimm0k> oh, that i can wait... too lazy to sign into the other devices lol
22:51 <@ordex> :D
23:12 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
23:12 -!- mode/#openvpn [+v s7r] by ChanServ
23:21 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: by bye]
23:21 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
23:21 -!- mode/#openvpn [+v s7r] by ChanServ
--- Day changed Wed Nov 01 2017
01:41 <@ordex> dimm0k: Kryczek: the new app should already be in the store
02:37 < Silex> rob0: thanks! I'll give it a try
03:29 -!- pekster [~rewt@openvpn/community/developer/pekster] has quit [Ping timeout: 248 seconds]
03:30 -!- pekster [~rewt@openvpn/community/developer/pekster] has joined #openvpn
03:30 -!- mode/#openvpn [+o pekster] by ChanServ
04:03 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in]
04:09 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
04:09 -!- mode/#openvpn [+o syzzer] by ChanServ
04:38 -!- zvirbliukas1 is now known as zvirbliukas
05:30 < Gaaab> easy-rsa: what's the "unable to find 'distinguished_name' in config - problems making Certificate Request" issue ?
05:32 < Gaaab> needless to say i have edited and sourced the vars script and clean-all
05:39 < Gaaab> and i did ln -s openssl-1.0.0.cnf openssl.cnf
05:56 < _ADN_> Hi guys, do you have any mailing list for the SW releases?
05:57 <@ordex> _ADN_: community editions are announced on the devel and the user mailing list
05:59 < _ADN_> thx
05:59 <@ordex> np
06:01 < _ADN_> I was checking the announce list: Nothing there?
06:06 < _ADN_> basicly want to know when a new version is release and the rlease notes
06:06 < _ADN_> nothing else really
06:22 <@dazo> the announce-list is fairly low volume ... as we're not releasing things that often :)
06:22 < ^7heo> announce it just for releases?
06:22 < ^7heo> not even for any other important information?
06:22 < ^7heo> like vulns, events, etc.
06:24 <@dazo> not currently
06:24 <@dazo> we have the twitter accounts which carries more of that
06:24 < ^7heo> maybe mv announce-list@ release-list@ ?
06:24 <@dazo> @OpenVPN and @PrivateTunnel
06:24 < ^7heo> ok
06:25 <@dazo> nah, the list have been called like that from the early 2000, so renaming it would be an ugly move now
06:25 < ^7heo> it's misleading tho
07:53 -!- zvirbliukas1 is now known as zvirbliukas
08:02 -!- zvirbliukas1 is now known as zvirbliukas
08:31 < palate> hello
08:32 < palate> Running an openvpn point-to-point connection on a computer that is already connected to another (cisco) VPN seems to not work properly
08:32 < palate> What could be a reason for a conflict?
08:35 < palate> The cscotun0 is on ip 129.x.x.x, and my openvpn tun0 is on 10.0.0.2. But still, I cannot ping 10.0.0.1 (the openvpn server) until I stop the cisco vpn =/
08:36 < ^7heo> palate: what about routes?
08:37 < rob0> I think that is a Cisco feature; it won't allow any traffic except through the Cisco VPN.
08:37 < BtbN> Isn't cscotun some Cisco stuff?
08:37 < BtbN> oh, yes, it is
08:37 < BtbN> Yes, AnyConnect will actively manage other routes
08:38 < palate> rob0: is that a joke?
08:39 < rob0> huh?
08:39 < palate> ^7heo: you mean `ip route show`?
08:40 < palate> I'm sorry, I'm quite a novice with VPNs :D
08:40 < ^7heo> ip r
08:40 < ^7heo> does the same, has much less characters to type ;)
08:40 < palate> :)
08:40 < rob0> A Cisco VPN client does what you describe.  It is a feature, a deliberate design decision.
08:40 < BtbN> If the Cisco VPN Server is configured that way, AnyConnect will very aggressively get rid of any routes that bypass the VPN, except for the VPN host itself.
08:41 < BtbN> Nothing you can do against that from the client. No idea if OpenConnect allows for circumvention of that.
08:41 < palate> so it's not a joke. cisco is actually doing that
08:41 < ^7heo> well
08:41 < ^7heo> it's Cisco for you.
08:41 < BtbN> My University has two profiles a client can select from "Route all Traffic" and "University Traffic Only"
08:41 < ^7heo> there's a reason I run Juniper stuff.
08:42 < ^7heo> Cisco is the microsoft of networking.
08:42 < BtbN> It's entirely up for configuration, and really, I think it's a good feature to prevent leakage
08:42 < palate> I see
08:42 < ^7heo> "good feature" (tm)
08:42 < BtbN> Stuff not going through the VPN while you think it is, I'd call that a serious problem.
08:43 < ^7heo> well, yes
08:43 < ^7heo> but handholding the people in a jail isn't the solution.
08:43 < jb> I would like to inspect a specific x.509 field in a user's certificate to check for the precense of a string to determine if the user has access to the VPN or not.. is using a custom script with 'tls-verify' the only way to accomplish this?
08:43 < ^7heo> educating them, is.
08:43 < ^7heo> The problem is the "just make it work, machine" culture.
08:43 < BtbN> Way over 99% of people using AnyConnect won't have any clue what an IP, let alone routing, is
08:44 < ^7heo> yeah that's the real issue at hand.
08:44 < ^7heo> consider users dumb, and you will have dumb users.
08:44 < rob0> OpenVPN is more flexible than Cisco, in general; you can tunnel whatever you want, rather than forcing it all through the tunnel.
08:44 < BtbN> That's not an issue, that's just normal users.
08:44 < ^7heo> assuming "normal people" to mean "stupid people" is the issue, really.
08:44 < BtbN> You cannot expect every VPN user to have advanced knowledge about network routing
08:44 < ^7heo> it's HARDLY advanced knowledge to know what a route is.
08:44 < ^7heo> people get it when they drive.
08:44 < BtbN> It is
08:44 < ^7heo> so why not when someone else drives?
08:44 < DArqueBishop> <^7heo> it's HARDLY advanced knowledge to know what a route is.
08:45 < DArqueBishop> You have obviously never supported actual non-IT users.
08:45 < ^7heo> I actually have.
08:45 < rob0> oh it is, most users have no concept of routes
08:45 < ^7heo> their knowedge is depressing.
08:45 < ^7heo> or lack thereof.
08:45 < ^7heo> but it doesn't mean it is a fatality.
08:45 < ^7heo> people *CAN* be educated.
08:45 < ^7heo> that's the whole point.
08:46 < palate> But what that means is that if you don't route everything through cisco, depending on which website you visit, it will not go through the same network, right?
08:46 < DArqueBishop> I stand by my earlier statement.
08:46 < ^7heo> people don't know what AIDS or HIV really is
08:46 < ^7heo> they just don't know how not to contract it.
08:46 < ^7heo> they don't need someone to accompany them to put a condom on them every time they have sex.
08:46 < ^7heo> fortunately.
08:46 < palate> :)
08:46 < DArqueBishop> And they don't need or want to know what routes are.
08:47 < ^7heo> they don't want to, granted.
08:47 < BtbN> "Hey, before using VPN, open a command prompt, enter these commands and interpret the output to make sure all the traffic you are going to cause goes through the VPN"
08:47 < ^7heo> as for the need...
08:47 < ^7heo> well...
08:47 < BtbN> good luck with that in any kind of real world environment
08:47 < ^7heo> if we want security to improve...
08:47 < ^7heo> BtbN: who said anything about a command prompt?
08:47 < ^7heo> BtbN: I never said the current tools were satisfactory
08:48 < ^7heo> BtbN: I never talked about giving user complete IT lessons about CLI, CLI output, traffic, etc.
08:48 < palate> but what it really means is that if you don't route everything through the VPN, you could have two tabs on your Firefox that actually don't use the same network, right?
08:48 < BtbN> Just a lesson about how to figure out their network routes, sure
08:48 < ^7heo> all you need to tell them is that a route is a "GPS planned route"
08:48 < ^7heo> and that if it takes the wrong one, they might have problems
08:48 < ^7heo> and really, GPS has coordinates, like IPs
08:49 < palate> ^7heo: how do you teach people how to know which tab is going through which network? Should the browser show that? Or am I completely wrong?
08:49 < ^7heo> so people usually get that.
08:49 < ^7heo> palate: they shouldn't care.
08:49 < ^7heo> palate: THAT is advanced knowledge.
08:49 < ^7heo> palate: the whole discussion at hand is about not leaking data with a dead-simple all-via-VPN setup.
08:49 < ^7heo> palate: i.e. what cisco does.
08:50 < palate> ^7heo: So you mean that it should just be an option: either "route everything" or "don't route everything"?
08:50 < BtbN> The only thing Cisco does in their AnyConnect client is constantly monitor the configured routes, and it defends their redirect-all route
08:50 < ^7heo> "defends"
08:50 < rob0> For some sites, that's exactly what they want.
08:50 < palate> BtbN: but you said you can choose "University traffic only", right?
08:51 < ^7heo> rob0: that's also not the point.
08:51 < BtbN> That's up to the VPN Gateway administrator
08:51 < rob0> depends on your Cisco VPN admin
08:51 < BtbN> If all they offer is a role that redirects everything, that's what you get
08:51 < ^7heo> the point is to teach random users what a simple route looks like
08:51 < ^7heo> what it is for
08:51 < ^7heo> and how to spot if it's simple or not.
08:51 < ^7heo> if it's not simple, it's obviously risky
08:51 < ^7heo> unless they know how to read it
08:51 < ^7heo> if it's simple, they can understand it, because it's simple.
08:53  * DArqueBishop shrugs.
08:54 < palate> ^7heo: but more concretely, what does that mean? People should know if everything goes through the Cisco or if not everything goes through the Cisco, and that's it? So if not everything goes through, they should consider it as "risky" for them?
08:54 < DArqueBishop> palate: define "risky".
08:54 < palate> DArqueBishop: good point :). Let's keep this out for now :D
08:55 < rob0> Really, if you have questions about how your Cisco VPN works, we are not the ones you should ask.  Does that organization have a help desk you can contact?
08:55 < rob0> !notovpn
08:55 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
08:55 < palate> rob0: actually, you guys answered my question already :)
08:55 < rob0> yes, we answered the openvpn part of it
08:55 < palate> rob0: I had not thought about the cisco client managing that
08:55 < DArqueBishop> It should be pointed out that while a VPN can be used as a sort of anonymization tool, it's not its only function... and there are those who would argue it's a poor anonymization tool.
08:56 < palate> rob0: yeah, well, in my use-case, I can tell people to disable the cisco vpn while they use my VPN server
08:56 < palate> rob0: I'm doing robotics, and I use the VPN just to join a robot's ROS network while debugging.
08:57 < palate> rob0: So I guess it's fine to just say "Cisco is conflicting, shut it down while debugging"
08:57 < palate> DArqueBishop: right
08:57 < rob0> DArqueBishop, indeed it is poor for anonymization; you exchange having your ISP know everything about your Internet use, to having your VPN provider know all.  Either party is free to snoop on you and to sell your information to marketers.
08:58 < rob0> and in case of a subpoena, the ISP knows exactly which VPN provider you're using.
08:58 < palate> But other than anonymization, sometimes you want to route everything through the VPN because you have some special access with it. For the university example, if you route everything through it, you gain access to scientific papers, for instance
08:59 < rob0> right, all my VPNs have been for those kind of uses
08:59 < palate> So it seems like it makes sense to route everything through it, right?
08:59 < palate> As long as there is an option to not do it
08:59 < palate> But in my case, people use the VPN for that, so I don't see how they could not route everything through it
09:00 < rob0> if you're only using the VPN to provide special access behind your firewall, there is no need to redirect everything
09:01 < DArqueBishop> palate: again, it depends on who's providing the access. If it's an employer, for example, you may not be given the choice for regulatory or security reasons.
09:02 < palate> DArqueBishop: I see
09:02 < palate> rob0: What do you mean by special access behind your firewall?
09:02 < palate> rob0: Say I connect to ieee.something to get a paper. If my IP comes from my university, I get access to the paper. Otherwise I don't
09:03 < palate> rob0: I guess I do need to go through the VPN to gain that access, right?
09:03 < DArqueBishop> Hell, if it's a company laptop or similar that you're using and you try to get around the VPN restrictions, you'll likely anger the IT department.
09:03 < palate> rob0: And my Cisco client doesn't know which website should go through the VPN and which one should not
09:03 < palate> DArqueBishop: :D
10:10 < Gaaab> what's the "MULTI: bad source address from client [192.168.1.59], packet dropped" issue ?
10:11 < Gaaab> it's a couple of days strugling wit it
11:29 <+hyper_ch> dazo: ecrist: krzee: ordex:  Comodo was sold http://www.securityweek.com/francisco-partners-acquires-comodo-ca --> Francisco Parnters is majority shareholder of NSO - NSO creates spyware:  https://en.wikipedia.org/wiki/Pegasus_(spyware)
11:29 <@vpnHelper> Title: Comodo Sells Certificate Business to Private Equity Firm | SecurityWeek.Com (at www.securityweek.com)
11:33 < havoc> that sucks, they used to provide decent/affordable SSL certs
11:33 <+hyper_ch> Let's Encrypt
11:33 <+hyper_ch> very affordable
11:33 <+hyper_ch> and starting next year, also with wildcard support
11:33 < havoc> ah, hadn't heard of them
11:33 < havoc> most of our stuff comes from godaddy now :(
11:34 < havoc> (not my choice; out of my control)
11:34 < havoc> godaddy, and other questionable providers
11:35 <+hyper_ch> what do you know you haven't heard of Let's Encrypt? oO
11:35 <+hyper_ch> automated DV certs for free
11:36 <+hyper_ch> gazillions of clients (I prefer the acme.sh pure shell one since it can do DNS-01 with the control pnael I use)
11:36 < havoc> I've been stuck, primarily, in the Windows world for the past 15+ years :(
11:37 <+hyper_ch> why not upgrade to linux?
11:37 <+hyper_ch> acme.sh runs in WSL
11:37 <+hyper_ch> and there's also windows clients
11:37 < havoc> again, out of my control
11:37 <+hyper_ch> https://community.letsencrypt.org/t/list-of-client-implementations/2103
11:37 <@vpnHelper> Title: List of Client Implementations - Issuance Tech - Lets Encrypt Community Support (at community.letsencrypt.org)
11:37 < havoc> I don't make policy
11:37 <+hyper_ch> you should
11:38 < havoc> ok :)
11:38 <+hyper_ch> since that requires additional knowledge and experience
11:38 <+hyper_ch> you should also ask for a pay raise ;)
11:38 < havoc> that is happening pretty definitely
11:39 < havoc> and I don't "ask", I "state"
11:39 <+hyper_ch> yey
11:39 <+hyper_ch> been using LE for 2 years now
11:39 <+hyper_ch> ever since public beta
11:39 < havoc> this ovpn rollout of mine is affecting the corporate landscape quite a bit
11:40 < havoc> we've been trying to move towards more "industry standard
11:40 < havoc> we've been trying to move towards more "industry standard" stuff, i.e. proprietary/expensive
11:40 <+hyper_ch> proprieteray/expensive/less secure
11:40 < havoc> sicne I'm apparently the only one in the company that can read a freaking book
11:40 <+hyper_ch> finished that for you
11:41 < havoc> anyway, outsourcing crap, and proprietary crap, only works if you pay for it; They don't want to pay
11:41 < havoc> so we may end up moving back towards more OSS stuff again
11:41 <+hyper_ch> outsourcing stuff - usually more expensive
11:42 < havoc> whatever, I hope to walk away from the whole industry in a few years, or less
11:42 <+hyper_ch> how so? and what industry?
11:42 < havoc> ^^^^^ ding ding ding
11:42 < havoc> the "computer industry"
11:42 < havoc> Wife and I have plans in motion to start a metal fabrication/welding biz
11:42 <+hyper_ch> and you want to move on to the "movie industry"?
11:43 <+hyper_ch> welding.. sounds dangerous
11:43 < havoc> if you're stupid about it, it is, very :)
11:43 < havoc> we've been doing it on the side for ~3yrs now
11:43 < ^7heo> it's like wood work
11:43 < ^7heo> best way to lose your thumbs
11:43 < ^7heo> unless you're very careful.
11:43 <+hyper_ch> :)
11:44 < havoc> gotta keep those thumb-detectors under control
11:44 < ^7heo> eyes?
11:44 < ^7heo> also, some expensive saws actually stop before they cut you.
11:44 < ^7heo> which is awesome
11:44 < havoc> not our saws ;)
11:45 < ^7heo> https://www.youtube.com/watch?v=eiYoBbEZwlk
11:46 < havoc> we've got quite the shop already, welders, plasma cutters, torches, saws, grinders everywhere, press, brake, etc...
11:46 < havoc> it's what we do on weekends, mostly
11:46 < ^7heo> there's a lot of clubs where they have grinders everywhere.
11:46 < ^7heo> esp. gay clubs.
11:46 <@dazo> havoc: that's quite impressive to not have been exposed for LE in such a long time ..... ;-)
11:47 <+hyper_ch> dazo: he must have lived behind a rock or in a cave or on the moon
11:47  * dazo uses https://github.com/diafygi/acme-tiny for his own stuff
11:47 <@vpnHelper> Title: GitHub - diafygi/acme-tiny: A tiny script to issue and renew TLS certs from Lets Encrypt (at github.com)
11:47 <+hyper_ch> dazo: why that one?
11:47 <@dazo> It doesn't require root privileges to run properly
11:48 <+hyper_ch> :)
11:48 <@dazo> simple and slick, easy to audit
11:48 <+hyper_ch> that's why I like acme.sh
11:48 < ^7heo> the said tiny script is bigger than my sh script
11:48 <+hyper_ch> only root privleges required if you want to reload services
11:48 <@dazo> it grabs certificates and puts them in a directory a root cron job moves to the proper places and restart the services
11:48 < ^7heo> also mine does not require root to run
11:48 <+hyper_ch> after obtaining new certs
11:48 < ^7heo> and it's proper sh
11:48 < ^7heo> not some bash crap
11:48 <+hyper_ch> and dns-01 just works so fine :)
11:48 < vectr0n> acme.sh rocks
11:49 <@dazo> hyper_ch: oh, and it also doesn't require the access to the private keys even
11:49 < ^7heo> vectr0n: I beg to disagree.
11:49 < vectr0n> you would ;)
11:49 < ^7heo> not beg, whatever
11:49 <+hyper_ch> vectr0n: it does indeed :)
11:49 < vectr0n> :)
11:49 < ^7heo> whatever
11:49 < ^7heo> you don't know what's good for you
11:50 <+hyper_ch> if I know api login info to my server, I can ask for any certy by dns-01 for a domain that's dns-hosted there :)
11:50 < vectr0n> the you would was more to the disagree, but take it as you want ^7heo
11:50 <+hyper_ch> so really nice to get certs to other machines
11:50 < ^7heo> vectr0n: too much automated stuff is too much.
11:50 < ^7heo> vectr0n: there should be the right amount of automation.
11:50 < vectr0n> for you.. lots of people have no issues with it
11:50 < ^7heo> vectr0n: at the right place.
11:51 < ^7heo> lots of people have no issues with getting fat and smoking cancer lollipops
11:51 < havoc> there is no substitute from human oversight and monitoring
11:51 < ^7heo> and you know what? lots of flies have no issue eating shit, literally.
11:51 < ^7heo> havoc: +1
11:51 < vectr0n> right.. you think you are the best thign since sliced bread ;p
11:51 < vectr0n> thing*
11:51 <@dazo> ^7heo: so what do you use instead?
11:51 < ^7heo> vectr0n: also slice your own bread..
11:52 < ^7heo> dazo: < ^7heo> the said tiny script is bigger than my sh script
11:52 <+hyper_ch> havoc: LE warns you if certs are close to expire and haven't been renewed
11:52 <@dazo> ^7heo: where's the source?
11:52 < havoc> hyper_ch: nice
11:52 < vectr0n> theres also letsmonitor.org i think it is
11:52 < ^7heo> dazo: currently, local.
11:52 < ^7heo> dazo: when I'm done with HPKP, it may be on calomel.org
11:52 <+hyper_ch> havoc: LE certs are valid for 90 days only
11:52 <+hyper_ch> so no need to revocate...
11:52 < ^7heo> dazo: depending on the person managing calomel.org
11:52 <+hyper_ch> and you'll get first warning 10 days before expiration
11:53 < havoc> ah
11:53 <+hyper_ch> and it's recommended to renew after 60 days - so 30 days before expiration
11:53 < ^7heo> yeah
11:53 < ^7heo> I wonder tho, I didn't check the API for that, can one generate certs with a valid-after date in the future?
11:53 < ^7heo> with LE
11:54 < ^7heo> or are the certs valids only from NOW on?
11:54 <+hyper_ch> only from now on
11:55 < ^7heo> so that's gonna be a challenge with HPKP
11:55 <+hyper_ch> I think
11:55 < ^7heo> unless I make certs for 60 days only.
11:55 < ^7heo> which... might be fine
11:55 <+hyper_ch> le certs are 90 says
11:55 <+hyper_ch> recommended to renew after 60
11:55 < ^7heo> you can't set less?
11:55 <+hyper_ch> so no issues getting new cert afterwards
11:55 < ^7heo> it's hardcoded to 90?
11:55 <+hyper_ch> not that I know of
11:56 < ^7heo> damn
11:56 < ^7heo> ok.
11:56 <+hyper_ch> but there are indications, that they will lower it even further
11:56 < ^7heo> tbf I focused on making my script work, before
11:56 < ^7heo> not on the possibilities of the LE api
11:56 < ^7heo> I hope they don't set it to 1 day
11:56 < ^7heo> s/do/wo/
11:56 <+hyper_ch> also, not sure if CAB rules even allow to set the "begin" date to a later point in time
11:57 < ^7heo> it would help
11:57 <+hyper_ch> since CAB rules say you have to prove ownership of the domain
11:57 < ^7heo> esp if the 90 days are reduced.
11:57 <+hyper_ch> you can prove ownership only now but you might not have ownership in 10 days anymore
11:57 < ^7heo> well it's easy to see if the domain 'expiration date' is after the 'valid after' or not.
11:57 < ^7heo> of course you can always sell it...
11:58 < ^7heo> hyper_ch: but that's the same issue with the 90 days tho
11:58 < ^7heo> if someone generates a cert just before selling the domain...
11:58 < ^7heo> they will be able to MitM the domain for 90 days
11:58 <+hyper_ch> still better than 1y or 2y
11:58 < ^7heo> MitM is MitM
11:58 < ^7heo> there's no better, there.
11:59 <+hyper_ch> ^7heo: https://community.letsencrypt.org/t/shorter-validity-period-for-certificates/25709/6
11:59 <@vpnHelper> Title: Shorter validity period for certificates - Issuance Policy - Lets Encrypt Community Support (at community.letsencrypt.org)
11:59 <+hyper_ch> At some point, ideally in 2017, we'll introduce a new API endpoint which implements the final IETF ACME spec. It will initially run alongside our original API endpoint. This new API endpoint will likely have a shorter maximum (default) certificate lifetime
12:00 < ^7heo> "Let's just issue certs every 7 days."
12:00 < ^7heo> wtf
12:00 < ^7heo> I suggest, every 2h
12:01 < ^7heo> or maybe 30 minutes?
12:01 < ^7heo> that way you constantly have to prove your ownership
12:01 <+hyper_ch> we're talking about ssl certs, not zfs snapshots ;)
12:01 < ^7heo> and you will pay more in traffic to generate the certificates than in actual traffic from visitors.
12:01 < ^7heo> \o/
12:01 <+hyper_ch> onhly if your website isn't popular
12:02 < ^7heo> well we don't all work at google/facebook/twitter
12:02 <+hyper_ch> I work at no tech company
12:09 < acidvegas> mullvlad or cryptostorm
12:10 <+hyper_ch> ?
13:12 -!- zvirbliukas1 is now known as zvirbliukas
14:01 <@ecrist> havoc: sometimes that stuff comes with valuable things, like support
14:02 < havoc> ecrist: yup, if you have a current support contract; i.e. you actually pay for it, we usually don't, or let it lapse :(
14:04 < havoc> we usually don't renew until we need "support", usually access to firmware
14:05 < havoc> a lot of companies have begun charging penalties for renewal of lapsed support contracts, and back-charging for the lapsed time, so there's negative benefit to not keeping current
14:05 < havoc> They get their money either way
14:06 < havoc> and some actually don't work without a valid/current contract; like Meraki
14:06 < havoc> which to me is a "lease"
14:07 < havoc> this ovpn solution of mine is ~600% the capability/functionality, for ~5% the cost
14:07 < havoc> maybe closer to 2-3% the cost
14:07 < havoc> so, the Company is coming around, not that they had a lot of choice, but I doub't it'll happen before I'm gone
14:13 <@ecrist> Yeah, we're seeing most software turn to a subscription model.
14:13 -!- zvirbliukas1 is now known as zvirbliukas
14:13 <@ecrist> We get a perpetual license for a given version, but can only upgrade or get support during the subscription time.
14:17 < havoc> as I've said, I hope to walk away from the computer industry entirely in not too long
14:17 <@ecrist> what are you going to do instead?
14:18 < rob0> and what then?  Wreaking havoc everywhere?
14:18 < havoc> metal fabrication/welding
14:18 < havoc> Wife and I have been doing it on the side for almost 3yrs now
14:19 < havoc> I got her to quit her job of >21yr a few years ago, and go to the local tech school for their 2yr metal fab & welding program
14:20 < havoc> *she's* the welder :)
14:20 < havoc> I'm the designer and business manager
14:20 < havoc> ...and grunt labor
14:20 < havoc> but the welding is only 10%, or less, of the job, most of the time
14:21 <@ecrist> That's pretty cool
14:21 < havoc> we've been tooling up for the past few years, while I still have a job to fund it
14:22 < havoc> we're as well equipped as possible, for the small space we have to work with
14:23 < havoc> been gutting/renovating the house the past few months, to get a better price when we sell
14:23 < havoc> want to get a place where we can put up a 12,000sqft shop
14:24 < havoc> current house is 1,000sqft on 1/4ac
14:24 < havoc> figure we need 1-2ac for the shop, but we're fine with the small house
14:25 < havoc> current "shop" is out 720sqft garage, where we do automotive, plumbing, electrical, carpentry, and metal work
14:25 < havoc> 12,000sqft would be a lot nicer :)
14:26 < havoc> plus we'd have room for a lathe, mill, etc...
14:26 < havoc> we've had to turn down a bunch of jobs just because of lack of space
14:27 < havoc> a place where we could get 3-phase power wouldn't be bad either
14:30 < havoc> ok, enough OT babble from me :)
15:12 -!- abenz_ is now known as abenz
15:42 -!- esde [a5e37d5b@openvpn/user/esde] has joined #openvpn
15:42 -!- mode/#openvpn [+v esde] by ChanServ
16:48 < simpledat> Hi
16:48 < simpledat> What do you call openvpn on linux with terminal?
16:48 < simpledat> I mean not GUI
16:49 < simpledat> if you run it on commands like, openvpn --config "here.conf"
16:52 < rob0> "call"?  I don't get what you are asking.
16:53 < simpledat> the name of it
16:53 < simpledat> I guess the name is CLI
16:53 < simpledat> command line interface, right?
16:53 < rob0> I suppose
16:55 < simpledat> thanks
17:34 < definitelynotjq> My head is about to explode
17:34 < definitelynotjq> I have openvpn server set up on my router through tomato, and I'm using shimo on mac to connect, but when connected I can't access any websites
17:35 < definitelynotjq> Where do I start to fix it :(
17:47 < eelstrebor> definitelynotjq, maybe this server option will help: push "redirect-gateway local def1 bypass-dhcp"
18:32 < SpeakerToMeat> Hello all
18:33 < SpeakerToMeat> Question, I tried setting up a config file for a client with route-nopull to avoid route pushes from server from applying, but it seems this also stops the routing to the vpn address space from being populated, is there any way to still get it?
19:04 -!- _Catatronic is now known as Catatronic
19:24 < wallbroken> hell
19:24 < wallbroken> is a good thing to install openvpn on openwrt?
19:24 < wallbroken> or could it be dangeours'
19:24 < wallbroken> ?
19:28 < dimm0k> ordex: thanks! actually saw the update this morning =)
19:32 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 240 seconds]
19:45 -!- abenz_ is now known as abenz
20:00 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
20:00 -!- mode/#openvpn [+o syzzer] by ChanServ
20:03 < wallbroken> anybody?
21:07 -!- esde [a5e37d5b@openvpn/user/esde] has quit [Ping timeout: 260 seconds]
21:25 < SpeakerToMeat> wallbroken: I don't see what the particular danger would be, what are you worried about? are you installing it as a server?
21:25 < SpeakerToMeat> I use openvpn on openwrt in two routers, but as client not server
21:27 <@ordex> wallbroken: I have it both as server and client. what could be the problem? as soon as you keep it up-to-date..
21:27 <@ordex> and don't do like people sticking on 2.3.1
21:27 <@ordex> :P
21:27 <@ordex> but that can happen on any platform
21:31 < SpeakerToMeat> Siiigh
21:32  * SpeakerToMeat whines "I don't wanna update my routeeersss"
21:32 <@ordex> too bad the router is exactly your interface to the outside world :P
21:33 < SpeakerToMeat> It's not that I'm worried much but krack.
21:33 < SpeakerToMeat> My neighbors shouldn't be sofisticated enough to exploit krack but still... sigh I need to update the routers
21:34 < Kryczek> SpeakerToMeat: how do you know they're not sofisticated enough? I tell people I barely know how to use a computer :P
21:34 <@ordex> :D
21:35 <@ordex> "not sophisticted people tell you they can do everything"
21:35 <@ordex> that's how you distinguish them :P
21:35 < SpeakerToMeat> Kryczek: Mostly because they spend their nights doing drugs, listening to low social class music at full blast and fighting eachother drunkenly
21:36 < Kryczek> ordex: oh man I 100% second that!
21:36 < Kryczek> especially in the field of Security
21:37 < Kryczek> SpeakerToMeat: maybe one of them is Mr Robot :P
21:37 <@ordex> lol
21:37 <@ordex> that matches
21:37 < Kryczek> I haven't watched the series yet but from what I hear there's drugs involved
21:37 < SpeakerToMeat> Kryczek: I wish he would've taken "care" of them already. I've thought about it, but decided not to go the black hat route
21:37 < SpeakerToMeat> Not that it'd do me any good
21:38 < SpeakerToMeat> Kryczek: there's more than drugs, I'm only halfway through the series though
21:38 < SpeakerToMeat> Kryczek: Have you seen Blade Runner 2049?
21:39 < Kryczek> not yet
21:39 < SpeakerToMeat> Hmm ok I can't use the reference then
21:39 < SpeakerToMeat> I was gonna say it was a little more like living in front of Joe's apartment building, but really it IS more like Mr. Robot's building really
21:41 < SpeakerToMeat> Anyhow if you liked the original one, do watch it, I find it a very worthy continuation to the first one
21:43 < Kryczek> SpeakerToMeat: thanks for the recommendation :)
21:43 < Kryczek> speaking of remakes/sequels, I just recently watched the new Total Recall, thinking it would be a remake of the original, but actually it was very different, a nice surprise
21:44 < SpeakerToMeat> It is a remake, more like a retake on the original
21:44 < Klox> !welcome
21:44 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
21:44 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
21:44 < SpeakerToMeat> The main storyline is the same, only (a lot) of details changed but.
21:44 < SpeakerToMeat> Klox: Thank you
21:46 < Klox> Big total recall fan myself, but they really need a commando remake ;)
21:46 < Klox> !goal
21:46 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:47 < Klox> Ah easy enough, lol
21:48 < SpeakerToMeat> Can I state magical goals? As in, "I wish I could still acces direct routes to my home and work lans from my laptop when connected to networks that use the same address space as either of those because i chose very common address spaces for home and work lans."?
21:49 < Klox> Well I am interested in hosting OpenVPN community edition in Azure, and providing a secure connection to a set of private Azure servers. I have OpenVPN installed on a CentOS 7.4 instance and it is working fine; I can connect from a windows client. The VPN is at 10.5.1.4 on a 10.5.1.0/24 subnet. Clients are under 10.8.0.0/24 subnet. The set of Azure server I want to see are under 10.5.0.0/24 subnet. I cannot get through to these servers
21:49 < Klox> from the client though =/
21:49 < SpeakerToMeat> At least I didn't choose 192.168.[01].0/24 for my vpn address space
21:50 < Klox> Anyone got any experience in that area? I can go into a bit more detail of what I've attempted if there's anyone willing to listen to my woes ;)
21:50 < SpeakerToMeat> Klox: Ok I'm surely by far not the most experienced user here but... the azure instances at 10.5.0 are all connected over lan (and not vpn)?
21:51 < Klox> Yes there is a single virtual network of 10.5.0.0/16, and two subnets 10.5.0.0/24 and 10.5.1.0/24
21:52 < SpeakerToMeat> Klox: If so, you would need to allow ip forwarding on the host centos for packages to be able to travel from the vpn space/interface to the azure one, and then either make routes in the azure machines to your vpn space through your vpns erver azure net's ip, or nat the packages leaving from vpn -> azure-lan
21:53 < Klox> I have enabled IP Forwarding in the OpenVPN instance in the Azure portal, is there something to do also in the OS? I have also added a user route to the 10.5.0.0/24 subnet to route 10.8.0.0/24 traffic to 10.5.1.4 (the OpenVPN instance).
21:54 < SpeakerToMeat> Ok, first, you have a lot of nets here, your azure portal is in 10.5.1 and 10.5.0 too right? it has addresses on both subnets? so it can directly access both?
21:56 < Klox> Yes I can ping between 10.5.1.4 (OpenVPN) and, say 10.5.0.6 (FreeIPA). I originally did not have the two separate subnets, but from some further understanding I think it might be needed because the user route rule should (I think) only be applied to the 10.5.0 subnet.
21:57 < Klox> I can also ping from my windows client to the 10.5.1.4 (OpenVPN).
21:57 < SpeakerToMeat> If so, you're getting packages from 10.8, the vpn subnet, going t 10.5.0 machines, if you're not natting the out of the 10.5.0 interface, the machines in the 10.5.0 net will be getting packages with a source in the 10.8.0 net, so to respond they would need to know how to reach 10.8.0, if they don't have a static route saying "send everything to network 10.8.0.0/24 to gateway 10.5.0.x (your OpenVPN's server's
21:57 < SpeakerToMeat> 10.5.0 ip)" then they'll send the responses back to their default gateway which if defined and not the OpenVPN server ip's, will fail to reach your vpn network
21:58 < SpeakerToMeat> So, you could test if you have tcpdump in one of the azure machines (freeipa for example) if you are getting packages from 10.8.0 (do a ping during tcpdump to generate packages), and responding back to 10.8.0
21:59 < Klox> Right that is what I have been stuck with. I have created a Virtual Appliance route to map 10.8.0.0/24 to 10.5.1.4 to hopefully do this, but these routes won't show up in my instances. According to some comments, the routing is applied at the Azure portal gateway.
22:00 < Klox> I have been running tcpdump and have not gotten packets from 10.8.0, so that is definitely a problem.
22:00 < Klox> I do get the tcpdump from the 10.5.1.4 instance, so I am listening correctly.
22:01 < SpeakerToMeat> Ok, sorry I'm gonna leave you in the hands of abler people here, right now I have a head cold and my brain is mush, normally I'd be able to understand your setup but it's a little too much for me right now, sorry
22:01 < Klox> No worries I appreciate the comments!
22:02 < Klox> I am wondering if my pushed route is incorrect in my server.conf since I don't get packets hitting the 10.5.0.6 instance.
22:03 < Klox> At the moment my server.conf has 'push "route 10.5.0.0 255.255.0.0"', and I see this in my windows client route table.
22:05 < Klox> Hm, maybe a firewall issue? I'm not the brightest and this basic networking stuff.
22:17 < Klox> SpeakerToMeat: THANK YOU! I had a typo in my /etc/sysctl.conf in my ipv4 key (facepalm).
22:18 < Klox> So it was the ip forwarding all along.
--- Day changed Thu Nov 02 2017
05:59 < Gaaab> sinze i have debian9 i'm never been able to use easy-rsa for openvpn certs
05:59 < Gaaab> never
06:00 < Kryczek> what is the problem?
06:02 < Gaaab> after simlinkin openssl-1.0.0.conf to openssl.cnf, editing it, editing vars, sourcing it, ./clean-all, i get "unable to find 'distinguished_name' in config"
06:02 < Gaaab> problems making certificate request and so on ...
06:03 < Gaaab> this is after launching the build-ca script
07:48 -!- gthank is now known as gthank_away
07:48 -!- gthank_away is now known as gthank
07:50 -!- zvirbliukas1 is now known as zvirbliukas
08:06 < Aichan> Good afternoon everyone ! I'm using a freshly installed version of OpenVpn. Configurations are "default", everything is working but now I'm trying to get static IPs
08:06 < Aichan> I've read about ipp where you could put the format CN,IP per line but it seems OpenVPN override those
08:07 < Aichan> I've also tried the "ccd", one file per CN but I'm a bit confused by the line "ifconfig-push IP1 IP2"
08:08 < Aichan> I read different thing about this line on different websites
08:09 < Aichan> I thought this was "ifconfig-push ip_I_want_for_user ip_of_server" as seen here : http://dnaeon.github.io/static-ip-addresses-in-openvpn/
08:09 <@vpnHelper> Title: Static IP addresses in OpenVPN – Marin Atanasov Nikolov – A place about Open Source Software, Operating Systems and some random thoughts (at dnaeon.github.io)
08:09 <+hyper_ch> easy-rsa3?
08:17 < Aichan> But it seems that I have to put those two ips in the same /30 subnets, as seen here https://openvpn.net/index.php/open-source/documentation/howto.html#policy
08:17 <@vpnHelper> Title: HOWTO (at openvpn.net)
08:18 < Aichan> In that part it says the like will be "ifconfig-push virtual_client_ip virtual_server"
08:19 < Aichan> If that's important both server and client are running on Windows
08:19 < Aichan> Using everything by default (I think?)
08:24 < rob0> no need to use that /30 garbage,
08:24 < rob0> !/30
08:24 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
08:31 < Aichan> Ok I guess I will go with
08:31 < Aichan> !topology
08:31 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
08:36 < Aichan> rob0, thanks ! That was it ! Forgot to uncomment ";topology subnet"
08:56 -!- def_jam is now known as eb0t
09:47 < jb> is there an 'official' way to inspect and verify the CN/DN of a client certificate or do I need to use an external script with 'tls-verify'?  this forum posts alludes to an "auth-user-cn-verify" command, but I don't think it exists?
09:49 < DArqueBishop> jb: I suppose it depends on what you're trying to do. If you're trying to make sure a client certificate is legitimate, the server does that on connection as a legit certificate would be signed with your CA's key. If you want to revoke certificates so they can't be used to connect, you need to use a CRL.
09:50 < acidvegas> http://www.strawpoll.me/14310365
09:50 < acidvegas> <-
09:50 <@vpnHelper> Title: Which VPN should I purchase for 1 year?: - Straw Poll (at www.strawpoll.me)
09:50 < jb> DArqueBishop: I'm trying to inspect the OU of a client certificate to make sure it contains a certain string.
09:54 < Gaaab> Easy-Rsa: since i'm running debian9 easy-rsa is giving me this issue "unable to find 'distinguished_name' in config"
09:54 < Gaaab> this after ./buil-ca launch
09:55 < DArqueBishop> !provider
09:55 < Gaaab> never happened before in my life
09:55 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team., or (#2) Please contact their support team., or (#3) https://gist.github.com/joepie91/5a9909939e6ce7d09e29 for why not to use vpn providers
10:02 < zvirbliukas> acidvegas: Voted 'other' :-)
10:07 < jb> are multiple 'tls-verify' directives supported?
10:23 <@plaisthos> no
10:23 < jb> ok - and is there a way to capture $TLS_AUTH_X so I can test scripts that parse it?
10:24 < jb> actually, maybe I can just use "${X509_0_OU}" to test the OU in a remote peer certificate?
11:14 < chiggins> Seem to have a TLS error with a client trying to connect to my VPN. Was working up until a few days ago, nothing should've changed https://pastebin.com/95ztQUeg
11:15 < chiggins> Main error seems to be "TLS ERROR: Plaintext buffer too short (1 bytes)."
11:17 < pierre`> chiggins: are you using openvpn connect ?
11:18 < chiggins> pierre`: Currently using the OpenVPN android app
11:18 < pierre`> the last update broke the compatiblity with openvpn <2.3
11:18 < pierre`> read the forum and the playstore review - everybody is screaming in terror
11:18 < chiggins> Fires, fires everywhere
11:19 < pierre`> i fixed this problem by recompiling by hand the last release of openvpn on my server
11:20 < chiggins> Bleh that sounds morbid
11:20 < pierre`> it depends
11:20 < pierre`> but it's strange to break compatibilities like that
11:21 < chiggins> Right right, that seems like a bad move
11:22 < chiggins> Does the Windows program still work? I just generated stuff for a new client last night and haven't had a chance to test the client out yet
11:22 < pierre`> only the android client is affected. i think the android client is using a custom rewrite of the protocol over polarssl (but not sure)
11:23 < chiggins> FOr sure
11:23 < chiggins> I just saw thi https://forums.openvpn.net/viewtopic.php?f=33&t=25190
11:23 <@vpnHelper> Title: Nov 1, 2017 Update broken? Try to update your server to OpenVPN 2.4 - OpenVPN Support Forum (at forums.openvpn.net)
11:23 < chiggins> I imagine that upgrading outside of the official debian repo should fix it?
11:25 < chiggins> Guess I'll give it a go and see what's up. God bless snapshots
11:31 < chiggins> Upgraded and now this is what I get https://pastebin.com/UZCHcrFF
11:49 <@novaflash> well to be fair, those older versions are like 3 years old
11:49 <@novaflash> so it's about f-ing time those dragons got an update
11:49 <@novaflash> but on the other hand, it's just an unexpected clash of bugs, and i believe the cause has been found and a fix is coming
11:49 <@novaflash> so all will be right with the world in the end
11:49 <@novaflash> ....well... i mean... at the end, the world ends
11:49 <@novaflash> so i guess that's not exactly... right
11:49 <@novaflash> you know what i mean!
11:58 < chiggins> Go home novaflash you're drunk lol
11:58 <@novaflash> i am home!
11:59 <@novaflash> about the drunk part, i'll work on it some more, not quite there yet
12:12 < chiggins> I believe in you
12:12 < chiggins> Breaking changes like this though, makes me sad.
12:12 < aaron_2112> I'm looking to spec out the hardware requirements for an OpenVPN server that can handle 10k concurrent clients on a 10Gbps port. Was wondering if a recent 4 core Xeon processor and 64GB of RAM would be able to handle this.
12:27 <@dazo> aaron_2112: plausible ... but beware that you need to run multiple openvpn processes to make use of multiple cores ... openvpn 2.x itself is single threaded (for historic reasons, and have been darn hard to fix)
12:35 < aaron_2112> Running multiple instances shouldn't be a problem. Actually just got informed that we'll likely have 2x10 cores to work with, so should have plenty of breathing room.
12:46 < havoc> damn, 10,000 clients, that's got me beat
12:47 < havoc> I've currently got 17 instances, at 125 clients each, for 2,125 total allowed
12:50 < aaron_2112> That's still way more than I've tried previously. Have only ever got about 20 clients on a test server working before. Hopefully the new hardware is able to handle the load.
12:50 < havoc> this is on a vmware blade center, "somewhere"?
12:51 < havoc> but it's only got 8 vCores, and 8GB RAM, and it barely touches any off it with ~1,700 clients connected at any given time
12:51 < havoc> but right now the load is low; little data other than AD/LDAP chatter
12:52 < havoc> each instance is a /25, on ports udp:[1194-2010]
12:55 < aaron_2112> It'll be on a dedicated chassis in some datacenter or something. Probably an off-the-shelf dell or HP or something. We don't expect the bandwidth to be that high, but I've heard about re-keying taking a lot of CPU time.
12:56 < havoc> eh, depends, largely on how many try to do it at the same time
13:00 <@dazo> chiggins: OpenVPN Connect 1.1.23 build 90 just hit Google Play store .... should fix your connectivity issue
13:01 <@dazo> pierre`: ^^
13:04 < chiggins> dazo: WOO
13:05 <@dazo> The reason this bug hit us was due to upgrading from PolarSSL libraries to mbed TLS 2.6 in the Android app.  mbed TLS 2.x added a new feature which splits up the TLS packets, which in particular OpenVPN 2.3 does not expect. And this even triggers a bug in OpenVPN 2.3.6 and older, causing the server to crash.
13:05 <@dazo> so that's also a lesson to learn from .... your server crashed?  Upgrade!
13:06 < chiggins> Connected wooooo
13:06 <@dazo> cool!  thanks for confirming!
13:06 <+hyper_ch> dazo: you don't happen to use zfs, do you?
13:06 <@dazo> nope
13:07 <+hyper_ch> you're more a btrfs person?
13:07 <@dazo> if it isn't shipped natively in the distros I use, I tend to stay away from external file systems
13:07 < chiggins> dazo: Thanks for the help :)
13:07 <@dazo> nope, xfs + lvm
13:07 <@dazo> chiggins: yw!
13:07 <@dazo> hyper_ch: or more like mdadm + lvm + xfs
13:08 <+hyper_ch> never used xfs
13:08 <@dazo> I stay away from btrfs too ... it needs to stabilize far more before I'm willing to let it eat my data :-P
13:08 <+hyper_ch> heard it's good for servers with small files like email server
13:08 <+hyper_ch> never liked lvm
13:08 <+hyper_ch> :)
13:08 <@dazo> xfs is default in RHEL7
13:08 <+hyper_ch> I have one centos server /me shivers
13:09 <+hyper_ch> and my majority of debian servers is slowly getting replaced with nixos
13:10 <@dazo> lvm is great, especially when using virtualization and you need to really expand partitions .... add a larger virtual disk, pvcreate and vgextend ... and then pvmove ... once done you can remove the old drive
13:10 <@dazo> and this can be done on a live running system
13:10 <+hyper_ch> I just never liked it
13:10 <@dazo> then you just need to run fsadm resize and you have more space :)
13:10 <@dazo> that's like saying "I've never liked rain" :-P
13:11 <+hyper_ch> but I like rain
13:11 <+hyper_ch> rain is great to fall alseep
13:11 < chiggins> Funny, upgrading to 2.4 breaks my server :(
13:11 <@dazo> chiggins: be sure to read the Changes.rst file carefully
13:11 <@dazo> https://github.com/OpenVPN/openvpn/blob/v2.4.4/Changes.rst
13:11 <@vpnHelper> Title: openvpn/Changes.rst at v2.4.4 · OpenVPN/openvpn · GitHub (at github.com)
13:12 < chiggins> Niiice
13:12 <@dazo> (read it all, as it is slightly un-organized despite the attempt to organize it)
13:13 < chiggins> Yeah there's a lot there
13:43 < havoc> dazo: you use proxmox?
13:46 <+hyper_ch> isn't everone?
13:46 < wallbroken> dazo, openvpn 2.3.7 is old?
13:46 <+hyper_ch> yes, it is
13:46 < wallbroken> ops, 2.3.6
13:46 < wallbroken> hyper_ch, vulnerabilities?
13:47 <+hyper_ch> wallbroken: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
13:47 <@vpnHelper> Title: ChangesInOpenvpn23 – OpenVPN Community (at community.openvpn.net)
13:47 < wallbroken> that will not help me
13:51 -!- wallbroken is now known as wallbroken_
13:53 <@dazo> wallbroken_: we released 2.3.18 in September ... so yeah, 2.3.7 is old ... 3 years, iirc
13:54 <@dazo> wallbroken_: but some distros (like Debian) might ship a build based on 2.3.7 which carries additional patches resolving bug and security issues ... so you need to understand what your distro does before judging the version number
13:54 < wallbroken_> dazo, i run it on openwrt on a router
13:54 < wallbroken_> is safe?
13:55 <@dazo> wallbroken_: I honestly don't know
13:55 <@dazo> I have no idea how they maintain their builds .... if you do an opkg update + opkg list-upgradable ... you might get a hint
13:56 < DArqueBishop> Answer: migrate to LEDE.
13:56 < DArqueBishop> LEDE 17.01 uses OpenVPN 2.4.
13:58 < DArqueBishop> IIRC the last release of OpenWRT was back in 2015. Most of the developers migrated to LEDE after the fork.
14:18 < pierre`> dazo: so basically, your released a PoC to crash old openvpn server ? :)
14:20 < wallbroken_> running openvpn on a router is a fine thing?
14:23 < DArqueBishop> wallbroken_: sure.
14:25 < wallbroken_> RSA is 1977 and we are still using that
14:35 < dino82> Hey quick question -- Is it  best practice to use /24 for routed networks on openvpn or can I use larger networks (wary of broadcast storms, ARP flooding, etc.)
14:35 <@dazo> pierre`: nah, that's been fixed ages ago ... so if anyone are stupid enough to not update their server ... well, then be it ... that's not our fault ;-)
14:37 <@dazo> pierre`: that got fixed in 2.3.15 and is referenced CVE-2017-7478
14:38 < Pilfers> great so openvpn installed on routers can be crashed easily?
14:39 < Pilfers> thats what this invalid ip js in logs
14:39 < Pilfers> invalid ip flood
14:39 <@dazo> yeah, as announced in the security announcement with the 2.3.15 release
14:39 < Pilfers> never heard of jt
14:39 < Pilfers> you expect somrthing to be rock solid or dont release it
14:40 < Pilfers> stay in beta then
14:40 <@dazo> that's just silly
14:40 <@dazo> that's why all software issues updates ... because bugs happens.
14:41 <@dazo> wallbroken_: but the RSA components we're using today does not carry any critical known vulnerabilities ... in regards to crypto algorithms, age a good thing
14:41 < wallbroken_> dazo, some dude told me " you don't want to use a 3 years old openvpn version but you use RSA which is 1977", he is right?
14:41 < Pilfers> if it works never update it
14:41 < Pilfers> i have an nt 4.0 box still running
14:41 <@dazo> Pilfers: lets define "works" first ...
14:42 <@dazo> Pilfers: this is trolling .... NT4 is a can of worms these days in regards to security issues
14:42 <@dazo> but sure, go ahead and put your head in the sand
14:43 < Pilfers> !vulninfo
14:43 <@vpnHelper> "vulninfo" is See these factoids for more info about specific vulnerabilities: !heartbleed !poodle !ovpnuke !sweet32 !duhk
14:43 < Pilfers> which one is it?
14:43 <@dazo> wallbroken_: comparing software with mathematical algorithms is just as fruitful as comparing apples to oranges
14:44  * DArqueBishop sighs.
14:44 <@dazo> Pilfers: it never got such an attention
14:44 <@dazo> DArqueBishop++
14:44 <@dazo> Pilfers: http://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
14:44 <@vpnHelper> Title: SecurityAnnouncements – OpenVPN Community (at community.openvpn.net)
14:45 < DArqueBishop> Again, I feel it should be pointed out that possible re-merging of projects aside, OpenWRT is technically (if not completely) a dead project and you should be running the latest LEDE firmware if one exists for your device.
14:46 < DArqueBishop> If you're using OpenWRT 15.05 or earlier, you're using a firmware that is no longer getting support.
14:56 <@dazo> !learn vulninfo as See here for all security announcements: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
14:56 <@vpnHelper> Joo got it.
14:59 < Pilfers> DArqueBishop thx
14:59 < Pilfers> dazo thx im on my phone
15:00 < Pilfers> hard to search
15:00 < plujon> I'm trying to install openvpn to connect from my home to a digital ocean droplet.
15:00 < Pilfers> can u version me
15:00 <@dazo> !howto
15:00 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
15:00 < Pilfers> can someone version me abd paste it to me
15:01 <@dazo> #2 there is a good starting point for configuring OpenVPN, step by step
15:03 < Pilfers> DArqueBishop  they say they r merging bacj
15:03 < Pilfers> so no more
15:03 < DArqueBishop> They've been saying that for months. It hasn't happened yet.
15:03 <@dazo> LEDE is where the development happens, and their efforts is going to be renamed to OpenWRT ... but they haven't gotten that far yet
15:33 < dino82> is there a way to FORCE clients to use a ccd config file? i.e. if your client's ovpn config name XYZ does not exist in the ccd directory, deny the connection?
15:38 < plujon> Is there a standard location for the server configuration files?  /etc/openvpn/server.conf ..?
15:39 < Eugene> plujon - /etc/openvpn/<foo>.conf. If your distribution is using the new SystemD unt files, you can use `systemctl <start|stop|enable|disable> openvpn@foo`.
15:40 <@dazo> plujon: using systemd?
15:40 < plujon> ubuntu 16, yes using systemd
15:41 <@dazo> Eugene: that's the bad systemd unit file .... server configs into /etc/openvpn/server and client configs into /etc/openvpn/client .... using openvpn-server@CONFIGNAME and openvpn-client@CONFIGNAME units
15:41 <@dazo> plujon: ^^
15:41 < Eugene> O rly
15:41 < Eugene> !systemd
15:41 <@vpnHelper> "systemd" is (#1) Most systemd based distros package the upstream OpenVPN openvpn-server@.service and openvpn-client@.service unit files. Use those instead of the distro provided ones (openvpn.service, openvpn@.service), as they too often work poorly., or (#2) Unfortunately, Debian have added some weird OpenVPN systemd integration trying to simulate how things worked before systemd arrived. These
15:41 <@vpnHelper> approaches often causes more confusion, so _do_ consider #1 carefully.
15:41 <@dazo> yeah, really ;-)
15:41 < Eugene> Ah, the factoids have even caught up
15:41 < Eugene> How unusual for our bot
15:41 < Eugene> I stand corrected
15:41 <@dazo> :)
15:43 < plujon> So, /etc/openvpn/server/server.conf ..?
15:43 < plujon> And /etc/openvpn/server/{ca,server}.crt
15:44 <@dazo> yeah
15:44 < Eugene> I personally prefer to use inline certificates & keys. It keeps the directory cleaner
15:44 < Eugene> YMMV
15:44 <@dazo> yeah, I'm doing the same too ... and it resolves a lot of other issues too
15:44 < plujon> easy-rsa forced me to specify a password when generating the key
15:44 < plujon> Won't that keep openvpn from starting after a reboot?
15:44 <@dazo> plujon: even server key?
15:44 < Eugene> You can strip the password from the key
15:44 < DArqueBishop> dino82: that sounds... rather inefficient.
15:46 < plujon> Hmm.  I may be misremembering.  It may have just prompted for the CA passphrase.  I'll check.
15:46 <@dazo> DArqueBishop: expect things to change in this regard in the future ... there's a nice talk about how to automate such things here: https://www.youtube.com/watch?v=PIKRy3WEn74
15:47 <@dazo> DArqueBishop: at some point, I'm going to try to figure out if I can manage to get support for this into OpenVPN somehow ... so keys can have passwords and still be able to start service automatically without interruption during boot
15:47 <@dazo> (but currently it is far down on my todo list)
15:48 < DArqueBishop> dazo: oh! I was wondering what you were going on about.
15:48 < DArqueBishop> I wasn't referring to what you and plujon were talking about.
15:48 <@dazo> ahh :)
15:48 < DArqueBishop> <dino82> is there a way to FORCE clients to use a ccd config file? i.e. if your client's ovpn config name XYZ does not exist in the ccd directory, deny the connection?
15:49 <@dazo> dino82: actually you can create a DEFAULT file which contains just a single line with the word "disable" ... that will reject all clients which does not have a CCD file
15:50 < dino82> Ah good call, thanks dazo DArqueBishop
15:50 < DArqueBishop> I would personally think adding user/pass authentication and enabling/disabling those accounts would be the saner route, but that's just me.
15:51 < dino82> These are just headless Linux machines at customer sites, no user interaction available
15:54 < Eugene> Or you could use --ccd-exclusive ?
15:55 < plujon> https://openvpn.net/index.php/open-source/documentation/howto.html#quick implies that /etc/openvpn/<foo>.conf is the place to be
15:55 <@vpnHelper> Title: HOWTO (at openvpn.net)
15:56 < dino82> Having trouble finding documentation on the ccd-exclusive flag.  I assume by its name that it requires clients to exist in ccd?
15:56 < plujon> systemctl start openvpn@server # fails
15:57 < plujon> journalctl -xe # Error opening configuration file: /etc/openvpn/server.conf
15:57 < dino82> does /etc/openvpn/server.conf exist?
15:58 < plujon> No; and as per above, I guess I should fixup the systemd files.
15:58 < plujon> But actually, that might be a PITA on Debian.  I don't want to maintain those long term...
16:00 <@dazo> plujon: that howto is dated .... and written post systemd era
16:00 <@dazo> most of it is still valid, in regards to configuring openvpn tunnels ... but the Linux parts is definitely dated and not up-to-date
16:00 < plujon> !howto
16:00 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
16:00 < plujon> Maybe s/great/somewhat dated/
16:00 <@dazo> :)
16:01 <@dazo> it is great when it comes to the openvpn specific side of things ;-)
16:03 < plujon> Debian does indeed have /etc/init.d/openvpn.  It also has /etc/systemd/system/multi-user.target.wants/openvpn.service .
16:03 < plujon> Inside this file is:
16:03 < plujon> [Service]
16:03 < plujon> . . .
16:03 < plujon> WorkingDirectory=/etc/openvpn
16:04 < plujon> Should that be WorkingDirectory=/etc/openvpn/server ?
16:04 <@dazo> plujon: as !systemd #2 says ....
16:04 <@dazo> !systemd
16:04 <@vpnHelper> "systemd" is (#1) Most systemd based distros package the upstream OpenVPN openvpn-server@.service and openvpn-client@.service unit files. Use those instead of the distro provided ones (openvpn.service, openvpn@.service), as they too often work poorly., or (#2) Unfortunately, Debian have added some weird OpenVPN systemd integration trying to simulate how things worked before systemd arrived. These
16:04 <@vpnHelper> approaches often causes more confusion, so _do_ consider #1 carefully.
16:05 <@dazo> plujon: put all your stuff into /etc/openvpn/server .... and use systemctl status openvpn-server@CONFIGNAME ....  (so if the config file is tun0.conf, you use openvpn-server@tun0 )
16:07 <@dazo> and replace 'status' with start,stop,enable,disable .... etc
16:07 < plujon> I don't know where to get the upstream OpenVPN openvpn-server@.service files.
16:07 <@dazo> you're using openvpn-2.4.x?
16:08 < dino82> Should be in /lib/systemd ?
16:08 <@dazo> it should be packaged in the openvpn package
16:08 <@dazo> *but*
16:08 < dino82> Err /lib/systemd/system that is
16:08 <@dazo> I just realised, Debian have some bugs in theirs .... which we fixed upstream ....
16:08 <@dazo> dino82++
16:08  * dazo finds the url
16:09 <@dazo> plujon: https://github.com/OpenVPN/openvpn/tree/master/distro/systemd ... copy these conf.in files ... rename to .conf and replace @sbindir@ with /usr/sbin ... that should work for you
16:09 <@vpnHelper> Title: openvpn/distro/systemd at master · OpenVPN/openvpn · GitHub (at github.com)
16:11 <@dazo> oh ... and copy these files to /etc/systemd/system .... and run: systemctl daemon-reload
16:12  * dazo will try to remember to update the Debian package maintainer about their bugs
16:12 < plujon> Thanks.
16:14  * dazo calls it a day
16:18 < plujon> "Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/server.conf"
16:19 < plujon> Strange, it looks like it is still using the WorkingDirectory=/etc/openvpn , even though I replaced the systemd file and ran systemctl daemon-reload
16:22 < plujon> Oh, there are two openvpn.service files: openvpn.service and openvpn@.service.  I might have screwed that up earlier..?
16:24 < plujon> Specifically: /lib/systemd/system/openvpn.service /lib/systemd/system/openvpn@.service
16:25 < plujon> The one with @ is from February 2016, and has the abd WorkingDirectory.
16:25 < plujon> bad
16:34 < plujon> So, where am I supposed to put openvpn-server@.service ?  In /etc/systemd/system/multi-user.target.wants/openvpn-server@.service ?
16:36 < plujon> Phew, finally:
16:36 < plujon> /usr/lib/systemd/system/openvpn-server@.service
16:41 < plujon> Indeed, the server key has a pass phrase.  s/easy//
16:43 < plujon> ./easyrsa gen-req polly # Enter PEM pass phrase: <ENTER>:
16:43 < plujon> 140014036760384:error:28069065:UI routines:UI_set_result:result too small:crypto/ui/ui_lib.c:778:You must type in 4 to 1024 characters
16:45 < plujon> Eugene: How does one remove the passphrase from a key file?
16:46 < plujon> ./easyrsa set-rsa-pass foo # fail: . . . unable to load Private Key
16:46 < Eugene> `openssl rsa`
16:55 < plujon> systemctl start openvpn-server@server # does not return; is --daemon screwed up?
16:56 < plujon> The Debian service file contains --daemon.  The upstream version does not.
17:00 -!- russell--- is now known as russell--
17:03 < plujon> I think I'm just going to give up.  ssh tunnels it is
17:04 < Encrypt> Hello guys!
17:04 < Encrypt> I've been reinstalling OpenVPN on Debian Stretch and I'm completely stuck when I try to launch the server
17:04 < Encrypt> The systemd unit fails and returns:
17:04 < Encrypt> openvpn-server@server.service: Failed at step CHROOT spawning /usr/sbin/openvpn: No such file or directory
17:05 < Encrypt> In my conf, the relevant line is probably: chroot /etc/openvpn/jail
17:06 < Encrypt> Have you ever experienced that?
17:27  * swg0101 pokes novaflash in the cloud.
17:27 -!- def_jam is now known as eb0t
17:28 < Encrypt> Ok, I managed to make it work
17:28 < Encrypt> I had removed the /etc/openvpn/{server,client} directories sinec they were not here when I used it under Raspbian Wheezy
17:28 < Encrypt> But the systemd unit uses te "server" directory as working directory
17:28 < Encrypt> So, obviously I had errors
17:39 < kalipso> hey guys. i have a openvpn server up and running. my router at home connects to it via a secondary gateway and i connect from somewhere else. this way iam able to ssh into my router from anywhere (using client-to-client option) but i would like to be able to access my whole home network without ssh'ing through my router. so is there a guide or something to make your home network visible inside the vpn
17:39 < kalipso> network?
18:40 < Eugene> !clientlan
18:40 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route
18:40 <@vpnHelper> for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
18:40 < Eugene> kalipso ^
18:59 < kalipso> Eugene: great thanks!
19:45 -!- abenz__ is now known as abenz
20:09 < Spawndemonic> what does active(exited) mean because i i don't think its running for me
21:17 <@ordex> wallbroken_: re: RSA from 1977: the algorithm is from 1977, same as openvpn is from 2012 (iirc), but the implementations of both have seen quite importantbugs and required upgrades in both cases
21:17 <@ordex> namely the getRandom() not so random on debian that basically made RSA implementations fake
21:17 <@ordex> :P
23:27 < P1ro> hi, im trying to configure openvpn on openwrt, so far i followed this "https://www.robertkehoe.com/2015/08/setup-openvpn-using-openwrt/" and got this error on syslog "Options error: specify only one of --tls-server, --tls-client, or --secret"
--- Day changed Fri Nov 03 2017
00:36 <@ordex> P1ro: paste your config please
00:36 <@ordex> !configs
00:36 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
00:45 < P1ro> ordex: well reading around i think im doing it wrong, i want to connect from a windows client to a openwrt route, how it should be done ?
00:46 <@ordex> well I guess the openwrt router should be configured as server
00:46 <@ordex> and windows as client
00:46 <@ordex> nothing fancy in theory
00:46 <@ordex> you have to configur eopenwrt like a normal vpn server
00:46 < P1ro> ordex: ok i have a sample server, let me check it
00:47 <@ordex> P1ro: what is the problem?
00:47 <@ordex> let's start with that
00:47 < P1ro> well so far i think im doing it wrong
00:49 <@ordex> what do you mean?
00:55 < P1ro> ordex: ok here its teh config
00:55 < P1ro> https://pastebin.com/raw/YCHZ2D3Z
01:00 <@ordex> P1ro: are they all enabled by default ?
01:00 <@ordex> or disabled?
01:00  * ordex can't remember
01:00 < P1ro> no
01:00 < P1ro> i have to enable each one
01:00 < P1ro> but when trying to enable
01:00 <@ordex> ok
01:00 < P1ro> ill get he select only one error
01:00 < P1ro> specify only one
01:01 <@ordex> what are you trying to enable now ?
01:01 <@ordex> the sample server?
01:06 < P1ro> i try with bpia and sample server
01:06 < P1ro> both same error
01:08 <@ordex> P1ro: can you paste the exact error?
01:08 <@ordex> what openvpn version are you running?
01:08 <@ordex> in sample_server you have the option 'server', therefore it should account for --tls-server
01:08 < P1ro> this error on syslog "Options error: specify only one of --tls-server, --tls-client, or --secret"
01:09 <@ordex> but this does not match the configuration you have in the file
01:09 <@ordex> how are you running openvpn ?
01:10 <@ordex> honestly this look like 1) lede is not creating a proper config 2) something is missing in the way you configure openvpn in lede. so it's lede specific, maybe they can offer better help
01:12 <@ordex> P1ro: are you sure that error is not coming from pia_client ?
01:12 <@ordex> sample_server should not trigger that error
01:12 <@ordex> but pia_client might do
01:12 < P1ro> ordex, sample server its trygerring it too
01:13 <@ordex> dunno, in the config you only have 'server'. there is no secret or client
01:13 <@ordex> either you or lede is doing something wrong
01:14 <@ordex> imho it's easier to debug if you put everything in a config file and then specify it in the lede config (like you have down with the first entry)
01:14 <@ordex> that is easier to debug
01:25 < P1ro> but where i should change server for --tls-server ?
01:27 <+hyper_ch> ?
01:28 < P1ro> the option "server" should be for openwrt use not for the config of openvpn
01:32 <@ordex> P1ro: no. server is a openvpn config option and it "includes" tls-server. check the manpage if you want to know more
01:32 <@ordex> and the complaint says "specify *only* one"
01:32 <@ordex> meaning that you have more of those ... like in pia_client
01:33 <@ordex> but again, I'd rather create a config file and use it as it instead of fiddling with the lede options
01:33 < P1ro> umm
01:33 < P1ro> im checking everywhere on the configs cant find one
01:34 < P1ro> in pia, the client option should be the one
01:43 <@ordex> P1ro: but you also have 'secret' there
01:43 <@ordex> and that is wrong (hence the error message)
01:43 <@ordex> P1ro: but i'd focus on one at a time
01:43 <@ordex> not all together
01:43 < P1ro> what you mean ?
01:43 <@ordex> let's comment eeverything ecept the one you want to run and focus on that
01:43 <@ordex> *except
01:44 < P1ro> i can just delete it all
01:44 < P1ro> ill make a backup
01:44 <@ordex> ok
01:44 <@ordex> and start with one section only, like sample_server
01:45 < P1ro> ok only sample_server
01:45 < P1ro> well i rename to test_server
01:46 <@ordex> as you wish
01:46 <@ordex> enable it and try to start openvpn ..
01:46 <@ordex> and see what you get exactly
01:46 <@ordex> you can also specify a 'log' option so that all the output will go there instead of syslog
01:49 < P1ro> how for a exclusive log ?
01:50 <@ordex> what I said above
01:50 <@ordex> use the option 'log'
01:50 <@ordex> and specify a filename
01:59 < P1ro> back
02:27 < P1ro> sorry i lagged again
03:56 < acidvegas> https://github.com/acidvegas/vpntools
03:56 <@vpnHelper> Title: GitHub - acidvegas/vpntools: A collection of scripts for working with virtual private networks. (at github.com)
03:56 < acidvegas> smoke bash scripts i wrote form PIA, riseup, and cryptostorm vpns
03:56 < acidvegas> leave some feedback or a pull request if you notice any issues or have any suggestions
03:56 < acidvegas> some*
04:36 <+hyper_ch> dazo: ecrist: krzee: ordex:  http://eschatologist.net/blog/?p=266
04:36 <@vpnHelper> Title: Eschatology : Raspberry Pi vs SPARCstation 20: Fight! (at eschatologist.net)
07:24 -!- zvirbliukas1 is now known as zvirbliukas
10:10 < Kingsy> I am running source ./vars as root however when running ./clean-all it says Please source the vars script first (i.e. "source ./vars") what am I missing?
10:26 < raktajino> hey folks I just wanted to pop in and say thanks for the *super awesome* documentation, you rule
10:27 < DArqueBishop> Thanks, coffee-dude. ;-)
10:33 < raktajino> 👍🤓✨
10:50 < jb> does anyone know why I wouldn't be able to access environment variables from inside of a script executed by "tls-verify"?
12:34 < Dougy> has krzee resurfaced yet
12:36 < skyroveRR> You mean he was in some submarine? ;)
13:16 < minikdo> Hi, I'm having troubles setting up an openvpn server on Debian 9.2. While trying to ./build-ca I get: unable to find 'distinguished_name' in config
13:17 < minikdo> and req: Error on line 198 of config file "/etc/openvpn/easy-rsa/openssl.cnf"
13:45 < KookyMan> Good morning all.  I'm looking for release notes that apply to OpenVPN Connect v1.1.23 (b90).  The Play Store only has for 1.1.21 -> 1.1.22.  What appears to be the appropriate web page hasn't been updated since v1.1.16
13:58 < KookyMan> And has anyone discovered any connection issues when establishign a VPN connection via Cellular, when the 'Always-on VPN' setting is used in Oreo?
14:07 < husz> hello
14:07 < husz> how to solve openvpn_execve: CreateProcess /etc/openvpn/update-resolv-conf failed: The system cannot find the path specified.  ?
14:17 < KookyMan> Nevermind on the release notes.. Appears to be updated now on the play store.
14:19 < KookyMan> But it appears that at least one other person is experincing the 'Connecting....' loop, as noted from the reviews on 1.1.23.
14:19 < KookyMan> (Unsure if they are using cellular or WiFi, as not documented in review)
14:39 < KookyMan> Ok.  Apparently in Android Oreo (8.0) if you enable the 'Always-on VPN' AND 'Block connections without VPN', OpenVPN Connect (1.1.23 b90) gets a "Transport Error: DNS resolve error on 'server' for UDP session:  Host not found (authoritative)". This does not happen when on WiFi.
14:44 < KookyMan> If I disconnect, I will return. Upgrading my gateway (and OpenVPN)
14:45 <+hyper_ch> how do you handle dns servers?
14:45 < ^7heo> unbound
14:57 < KookyMan> Back and sorry for the disconnect. hyper_ch, ^7heo, were you addressing me?
14:57 < BtbN> !tuntap
15:18 < KookyMan> Further information.  If the DNS Resolution in the cache, the error becomes 'Network is unreachable'  That would explain the DNS error if it's not in the cache.  So the block all appears to even be blocking the VPN from connecting via cellular?
15:22 -!- abenz_ is now known as abenz
15:23 < KookyMan> Ok.. to continue answering my own questions (but providing it to the room in case others run across it)...  It appears there is an upstream bug in Android Oreo 8.0 that prevents Android from adding a default route to the mobile carrier gateway, but not wifi routers.  Temporary bypass, disable the 'block all' apparently.  (Not sure how OpenVPN Connect's block all feature interacts or if it is
15:23 < KookyMan> a sufficient substitute for the OS implimentation).  This appears to be resolved in Android 8.1.
15:32 < jpwhiting> hey all, does anyone know what to set DDK to when trying to build tap-adapter with vs 2015 and the WDK for windows 10 version 1703 ?
15:32 < jpwhiting> windows WDK doesn't seem to create any c:\WINDDK stuff these days I guess
15:33 < jpwhiting> some path deep in the bowels of VS2015 maybe ?
15:39 < thedogcatcher> I'm trying to set up a TAP VPN using an existing DHCP server, which works fine- the client gets an IP address on the correct subnet. However, it does not receive the gateway from DHCP like wired clients do. I want VPN clients to have their default gateway set to the one set by the DHCP server. This cannot be hardcoded in the OpenVPN config because there are multiple subnets and gateways
15:40 < thedogcatcher> Any ideas how to get the DHCP gateway to work?
15:45 < DArqueBishop> thedogcatcher: I've not worked with TAP in a while, but I was under the impression that OpenVPN still set the networking info for the client and not the server LAN's DHCP server.
15:45 < thedogcatcher> DArqueBishop: There are different ways to do it; I am already getting the IP address and DNS configuration from the DHCP server.
15:51 < DArqueBishop> Honestly, I'm not sure how you would do it without using redirect-gateway, as resetting the default gateway instead of adding a /1 route (like redirect-gateway uses) would simply cause your client to stop communicating with the VPN server, thanks to the client now thinking the VPN server's traffic has to go through the new gateway.
15:51 < DArqueBishop> I could very well be wrong, though; I haven't needed to use tap for OpenVPN in years.
15:58 < thedogcatcher> Yeah, that sounds about right, but I think we got it working using the DHCP proxy options in server-bridge
16:13 < thedogcatcher> Actually still not
21:02 -!- raidz [49e7b79d@openvpn/corp/admin/andrew] has joined #openvpn
21:02 -!- mode/#openvpn [+o raidz] by ChanServ
21:26 -!- raidz [49e7b79d@openvpn/corp/admin/andrew] has quit [Quit: Page closed]
--- Day changed Sat Nov 04 2017
03:16 -!- abenz_ is now known as abenz
06:10 -!- blackbaba_ is now known as blakebaba
06:14 -!- blakebaba is now known as blackbaba
09:38 -!- Dougy [~dougy@openvpn/community/support/Dougy] has quit [Remote host closed the connection]
11:44 -!- P1ro_ is now known as P1ro
16:14 < Spawndemonic> what does active(exited) mean? I'm having trouble knowing if my vpn i runing correctly
17:23 < V7> Hey all ;)
17:23 < V7> Is okay to use OpenVPN for VPN server these days ?
17:23 < V7> I mean ... i.e. script https://github.com/Nyr/openvpn-install.sh
17:24 < V7> Oh dear
17:24 < V7> This one: https://github.com/Nyr/openvpn-install/blob/master/openvpn-install.sh
17:24 <@vpnHelper> Title: openvpn-install/openvpn-install.sh at master · Nyr/openvpn-install · GitHub (at github.com)
18:52 < posi_> hello all
18:54 < posi_> I have a openvpn service up and working, just not the way I want it.  I would like to use the clients gateway for internet and only tunnel private lan blocks.  It should be some command for the client?
19:20 < rob0> !redirect
19:20 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
19:20 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
19:20 < rob0> posi_, don't use redirect-gateway if you don't want to redirect the gateway.
19:21 < rob0> It's not a default setting, so why did you set it?
19:25 < posi_> in my testing all my data is going to the openvpn server's DG.  If I rem out the push "redirect-gateway def1 bypass-dhcp" on the server conf then I get no internet at all
19:26 < posi_> can't the client conf change this to use the local DG for Internet traffic
19:28 < rob0> so what you want is --redirect-gateway for SOME clients but not all?
--- Day changed Sun Nov 05 2017
00:08 -!- abenz_ is now known as abenz
00:10 < abenz> hi, when making static key lan-to-lan (A to B), and openvpn is running on a separate box in B, I have to add the hop network (eg 10.8.0.4----10.8.0.3) as static route, is there a way to use the devices LAN IP instead of the hop network?
00:10 < abenz> eg A is 192.168.10.x, while B is 192.168.12.x
00:31 <@ordex> abenz: what is the "hop network" ?
00:32 <@ordex> are 10.8.0.4 and 10.8.0.3 the IP used on the openvpn tunnel interfaces?
00:32 <@ordex> today is sunday, crystall ball shops are closed
00:32 <@ordex> :-P
00:35 < abenz> ordex: hey :)
00:35 < abenz> ordex: yup correct, the tunnel interfaces
00:35 <@ordex> and where are you adding the static route?
00:35 <@ordex> on hosts in LAN-B ?
00:36 < abenz> no, in main router in LAN B
00:36 <@ordex> ok and the VPN is not running on the main router, right?
00:37 < abenz> correct
00:37 <@ordex> what route are exactly adding right now?
00:37 < abenz> my question is, can I use the devices' LAN IP instead of its tunnel IP
00:37 <@ordex> generally I'd say 'YES' because the main router does not know anything about 10.8.0.4----10.8.0.3
00:38 <@ordex> I was tyring to understand how that can even work
00:38 <@ordex> *trying
00:38 <@ordex> that's why I asked about the exact route you are adding
00:38 < abenz> ohh
00:40 < abenz> its something like 10.8.0.0 255.255.255.0 192.168.12.10 (12.10 being the VPN box IP)
00:40 < abenz> ordex: so this is standard practise then?
00:41 <@ordex> abenz: you are already using the LAN IP in your route
00:41 <@ordex> this is how I expected it to be
00:41 <@ordex> what do you want to change then?
00:41 <@ordex> yes, this is how you normally do, because the LAN IP is the only one that your main router knows about the VPN box
00:42 < abenz> I see
00:43 < abenz> I figured there might be a way to only use the LAN IPs
00:43 < abenz> but yes now that I think about it..
00:44 < abenz> eg when I do a traceroute from a LAN A client, I see it stopping at 10.8.0.3 (I thought it would show the devices LAN IP)
01:08 <@ordex> < abenz> I figured there might be a way to only use the LAN IPs << if the destination if the VPN network, you must specify it somehow
01:13 < abenz> ordex: thanks buddy. only you help around here (me at least) :)
01:13 <@ordex> :D
01:20 < skyroveRR> \\o ordex
01:23 <@ordex> <o
01:19 -!- abenz_ is now known as abenz
04:31 < ius> !welcome
04:31 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind
04:31 <@vpnHelper> openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
07:00 -!- zvirbliukas1 is now known as zvirbliukas
10:53 < flying_sausages> Hey guys, is there a way I can disable all torrent traffic only over VPN connections?
10:59 <+hyper_ch> not easily
10:59 <+hyper_ch> block port 6881 for public trackers for dht
11:12 < BtbN> You cannot block torrent or other defensive p2p things
11:13 < BtbN> Unless you go for extensive DPI
11:13 <+hyper_ch> blocking port 6881 will at least hinder dht for bittorrent
11:13 <+hyper_ch> also you could blacklist the most famous public and private trackers
11:14 <+hyper_ch> but why do you even wanna do that?
11:14 < BtbN> Pretty much all trackers and primary dht nodes have backup ports
11:14 < BtbN> I have even seen boxes that accept connections on every single port
11:15 < BtbN> You can make it harder, but if someone really wants to, there are ways
11:15 <+hyper_ch> general dht is 6881
11:15 <+hyper_ch> also ip blocking public and private trackers
11:15 < havoc> best method I've found for handling unknown/unknowable traffic, is to whitelist known stuff, and QoS/throttle everything unknown
11:15 < BtbN> They use cloudflare
11:15 < havoc> it doesn't block it, but it can/may discourage it
11:16 <+hyper_ch> limit maximum concurrent connections
11:16 < havoc> that too, that really messes with BT
11:16 <+hyper_ch> (blacklist cloudflare)
11:16 < havoc> heh
11:16 < BtbN> might as well just blackhole route all trafic
11:16 < havoc> eh, throttle unknown stuff usually discourages it
11:16 < BtbN> that will get rid of torrenting as well
11:17 <+hyper_ch> do not allow incoming traffic on high ports
11:17 <+hyper_ch> but that will have huge collateral damage as well
11:17 <+hyper_ch> still, why do you wanna block bittorrent?
11:17 < BtbN> If you want to be super-paranoid, pipe all traffic through a transparent http proxy.
11:17 < BtbN> And block all non-http traffic
11:17 <+hyper_ch> that would also block email ;)
11:18 < BtbN> everybody uses webmail anyway
11:18 <+hyper_ch> I don't
11:18 <+hyper_ch> so your statement is incorrect
11:18 < BtbN> That is litterally the defense-mechanism my old school had
11:18 < BtbN> http _only_
11:18 < BtbN> https? go figure
11:18 <+hyper_ch> :)
11:19 < havoc> bah, webmail :(
11:19 < BtbN> google was inaccessible there
13:13 -!- abenz_ is now known as abenz
13:24 < flying_sausages> I am running a server in Germany and want to offer VPN to my friends but I just want to make sure they will not torrent over it. I would actually need to be able to access the websites of some private torrent trackers as I'm quite active and so are my friends, I just want to prevent as much torrent traffic as possible
14:00 -!- hyper__ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
14:00 -!- mode/#openvpn [+v hyper__ch] by ChanServ
14:11 -!- Netsplit *.net <-> *.split quits: +hyper_ch
14:11 -!- flying_sausages_ is now known as flying_sausages
14:11 -!- EugeneKay is now known as Eugene
14:11 -!- DArqueBish0p is now known as DArqueBishop
14:12 -!- hyper__ch is now known as hyper_ch
14:13 -!- Algernop_ is now known as Algernop
14:17 -!- rax-Y is now known as rax-
14:45 -!- mete- is now known as mete
15:43 < Jppe> !welcome
15:43 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
15:43 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
15:53 -!- abenz_ is now known as abenz
17:35 < a1fa> is there a config line that would make config not import into openvpn, or tunnelblick?
23:35 -!- def_jam is now known as eblip
--- Day changed Mon Nov 06 2017
00:31 -!- Netsplit *.net <-> *.split quits: +s7r, @novaflash
01:12 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
01:12 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
01:12 -!- ServerMode/#openvpn [+vo s7r novaflash] by moon.freenode.net
03:04 < Kingsy> I am running source ./vars as root however when running ./clean-all it says Please source the vars script first (i.e. "source ./vars") what am I missing?
03:05 < Kingsy> Just going through the installation process
04:15 < sisve> I'm having a weird issue where my vpn connection no longer "works". This occurs after 5-30 minutes after I opened the connection. I have a long-running ping that suddenly stops receiving responses. I'm running with verb=8 at the moment and seeing "SENT PING" and "RECEIVED PING PACKET", so the connection is considered alive by openvpn. Restarting ovpn will fix the issue. I'm tailing the syslog without seeing anything happening at the same tim
04:15 < sisve> e this happens. How can I debug this further and determine which network god I have angered?
04:17 < sisve> I see no changes in "ip route" or "ip link" when this occurs.
04:43 < Kingsy> When trying to generate my keys, I am running source ./vars as root however when running ./clean-all it says Please source the vars script first (i.e. "source ./vars") what am I missing?
07:43 < baconology> !audit
07:43 < baconology> is there an easy way to audit connections/failed attempts
07:43 < baconology> i'm considering writing a script that sends this all in a daily summary
07:44 < baconology> google says ulogd?
07:45 < baconology> perhaps this is relevant
07:45 < baconology> https://forums.openvpn.net/viewtopic.php?t=20742
07:45 <@vpnHelper> Title: Configure VPN connection logs for auditing - OpenVPN Support Forum (at forums.openvpn.net)
07:48 < baconology> (i'm helping myself, but feel free to jump in if you know better than me reinventing the wheel)
08:22 < marshmallow> does anything change if I use fake CA vars when configuring openvpn?
08:30 < Kingsy> When trying to generate my keys, I am running source ./vars as root however when running ./clean-all it says Please source the vars script first (i.e. "source ./vars") what am I missing?
08:45 < DArqueBishop> Kingsy: in Linux? Try running it as ". ./vars" instead.
09:12 < Kingsy> DArqueBishop: erm ok
09:13 < Kingsy> DArqueBishop: didnt work either..
09:14 < Kingsy> https://hastebin.com/niqezecepo.rb
09:14 <@vpnHelper> Title: hastebin (at hastebin.com)
09:53 < jpwhiting> hey all, anyone here built tap-adapter6 before?
09:53 < jpwhiting> if I build without --sign it doesn't create .cat files, only .inf and .sys, is that expected?
09:53 < jpwhiting> if I try with --sign it fails since I don't have the default openvpn certificate, but does generate .cat files, but tapinstall fails, I guess because of the signature missing/error with signing
09:56 <@plaisthos> yeah
09:56 <@plaisthos> you need a certificate to build the tap adapter iirc
09:56 < jpwhiting> plaisthos: k, that's what I was thinking, makes sense, ok
09:56 < jpwhiting> thanks
09:57 <@plaisthos> most people also don't build the driver
09:57 <@plaisthos> and just use the normal driver
09:57 <@plaisthos> since you need a special certificate to sign to allow driver installation under windows anyway
09:57 < jpwhiting> yeah, the guy I'm doing this work for wants their own tap adapter so it won't get used by vanilla openvpn
09:57 < jpwhiting> I explained that we can use tap0901 fine just need to add another adapter if it's in use
09:58 < jpwhiting> but that doesn't help if we use it up and some other vpn software expects to use it also or something
09:58 < jpwhiting> the instructions in the .inf file for creating our own renamed/custom id tap adapter make it seem pretty straightforward :)
09:58 <@novaflash> just install 500 tap adapters. sure the installation process will take 3 hours to complete, but you're unlikely to run out of tap adapters.
09:58 < jpwhiting> hehe, nice
09:59 <@novaflash> that was a joke, of course. good luck though.
09:59 < jpwhiting> yep, I understand
10:06 -!- NotSecwitter is now known as NonSecwitter
10:46 < savoir-faire> Hi, Not sure if I should post it in here or #epel, but I'm not 100% sure if this is a packaging or software issue so I'll post in both. Since the upgrade from openvpn 2.4.3-1.el7 (https://hastebin.com/dusagovomu.coffeescript) to 2.4.4-1.el7 (https://hastebin.com/toyitejuyo.coffeescript) I started getting errors with old clients (running openvpn OpenVPN 2.0.9 i686-pc-linux - updating openvpn on these
10:46 <@vpnHelper> Title: hastebin (at hastebin.com)
10:46 < savoir-faire> devices is unfortunately not an option) when connecting to the openvpn server. I have tried enabling all the different tls-cipher suites listed in openvpn --show-tls to no avail. Is anyone here able to spot what might have changed to be causing me issues, and even better, can anyone suggest a way to get these older clients to connect other than finding a way to downgrade again?
11:16 < DArqueBishop> savoir-faire:
11:16 < DArqueBishop> !configs
11:16 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
11:16 < DArqueBishop> !logs
11:16 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
11:18 < savoir-faire> !paste
11:18 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2)
11:18 <@vpnHelper> paste.ee is also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
11:27 < savoir-faire> DArqueBishop: Thanks for the pointers. The server config as was working is: http://termbin.com/zhvs, the client config as was working is: https://paste.fedoraproject.org/paste/-zXmx9IX-fBnHlrOmFgQSQ, the server log for a connection from the client at verb 4 is: https://paste.fedoraproject.org/paste/BrhJnNKOSiRdf262-vGObA, the box log for the connection at verb 4 is:
11:27 < savoir-faire> https://paste.fedoraproject.org/paste/zY24iG~x7BJ-SbIDn22Obg
11:28 < savoir-faire> The OS of the server is centos 7, the version was included in the initial post. The client os is busybox with (I assume) source-compiled openvpn, though I wasn't around when it was installed. the version of that is 2.0.9
11:30 < DArqueBishop> savoir-faire: I'm going to make a somewhat-educated guess and say that the client is trying to use SSL ciphers that the server no longer supports. Note the line in the server log that says "OpenSSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher".
11:31 < DArqueBishop> It looks like the client is trying to use SSLv3 to connect to the server. SSLv3 is broken and I'm pretty sure support for it was removed in recent versions of OpenVPN.
11:32 < savoir-faire> DArqueBishop: Aaahh, ok, so it's possible there is no way to get it working with the newer versions? If not I'll just downgrade the server and live with knowing that 2.4.3 is the highest version of openvpn I'll be able to run for a while. thanks :)
11:33 < MacGyver> What. Why wouldn't you just upgrade the version on the client?
11:33 < DArqueBishop> Well, I would check and find out what ciphers OpenVPN 2.0 supports that are in common with OpenVPN 2.4, and work from there.
11:33 < DArqueBishop> Either way, if security is an issue, I would not accept "I need to downgrade the servers because I can't upgrade the clients" as an answer.
11:33 < MacGyver> I mean, if it's source-compiled...
11:42 < savoir-faire> MacGyver: They are on boxes run over unreliable GPRS in the middle of nowhere with no reliable way to update all of the hundreds of these things spread over multiple countries. As much as I'd love to upgrade them it's just not feasable at the moment unfortunately
11:43 < savoir-faire> DArqueBishop: Luckily, security isn't really an issue here, the vpn is purely to allow server->client connectivity over a gprs connection so I can live with reduced security
11:44 < savoir-faire> DArqueBishop: I will take a look at that, is there an easy place to look for these - is the output of --show-tls what you would suggest comparing? Either way, that will have to wait until tomorrow, thanks both of you for your suggestions
11:46 < MacGyver> Ah, so it's really only for reverse tunneling?
11:47 < MacGyver> Then yeah... *shrug*.
11:49 < savoir-faire> MacGyver: Yup, I'd love to get rid of these old things as much as the next person (I hate using busybox with a passion) but alas.... I have no choice for the forseeable future
12:42 -!- You're now known as openvpn
12:43 -!- You're now known as ecrist
12:48 < Yiota> anyone have experience setting up a USG Unifi conroller with openvpn?
12:49 < Yiota> I've set up openvpn on ubuntu 16.04 on 443
12:50 < Yiota> this is what I have so far
12:50 < Yiota> https://imgur.com/a/qyUE3
12:50 < Yiota> our remote host actually has something - does the remote address / local address + ports matteR/
12:52 < Yiota> for the shared secret key? where am I generating it? Am I doing this on the openvpn server with openvpn --genkey?
12:57 < rob0> you might want to back up and tell us your goal
12:57 < rob0> !goal
12:57 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:00 < Yiota> goal: connect both of our offices to our openvpn server on aws
13:00 < rob0> oh, and this router's firmware has openvpn?
13:00 < Yiota> that's right
13:01 < Yiota> I've tested the openvpn connection on osx via tunnelblick, ipv4 forwarding is working and my ip address changes
13:08 -!- novaflash is now known as openvpn
13:09 -!- openvpn is now known as novaflash
13:09 < Hotpot33> can I force ignore the redirect-gateway def1 that is getting pushed?
13:10 < rob0> why are you pushing a directive you don't want?
13:43 < Yiota> rob0 seems like I got dc'd, any ideas?
14:01 < DArqueBishop> Yiota: AFAIK Ubiquiti only supports shared-key OpenVPN configs for site-to-site use; in a shared key situation, you can only have one client connecting to the server. You'll need a second OpenVPN service on your AWS server for the second site.
14:01 < DArqueBishop> !shared
14:02 < DArqueBishop> Yiota: AFAIK Ubiquiti only supports shared-key OpenVPN configs for site-to-site use; in a shared key situation, you can only have one client connecting to the server. You'll need a second OpenVPN service on your AWS server for the second site.
14:10 < Yiota> DArqueBishop Currently the OpenVPN configuration via the WebGUI only supports a shared secret.  A common OpenVPN configuration is to also use certificates, it would be nice to configure this from the GUI as well.
14:12 < DArqueBishop> Yiota: I agree, which is why my home router (which runs an OpenVPN server) has not been replaced with a Ubiquiti one.
14:14 < Ultima> Hey there! I have an OpenVPN server version 2.4.4 running. When a client connects running Archlinux, the only issue I am currently having is OpenVPN seems to not be pushing the default gateway (::/0) through the vpn. Does anyone know if there is another flag for this for ipv6?
14:31 < Ultima> ah nm I figured it out, I forgot to add the ipv6 flag to redirect-gateway
14:31 -!- abenz_ is now known as abenz
14:34 < Kendo_Cocaine> Hello all! Quick question, have not found a great answer for, I am running openvpn server on a windows based machine. I am trying to gain access into my internal lan from the client side. push route on the server side for the subnet I want access to. Still cannot ping internal gateway of router, in the subnet I want access to. Do I need to bridge the 2 adapters or how the hell do I accomplish just getting access to that internal LAN?
14:36 < Kendo_Cocaine> In other words, 10.23.23.0/24 is what I want access to from the outside. IPv4 forwarding is enabled on the windows machine
14:36 < Kendo_Cocaine> As well as IProuter service enabled for auto startup
14:37 < DArqueBishop> Kendo_Cocaine: is the Windows machine the default gateway for the internal LAN? If not, then you either need to NAT the traffic from the VPN subnet, or (easier and better) put a route in the default gateway saying traffic for the VPN subnet needs to go to the VPN server.
14:37 < rob0> !serverlan
14:37 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
14:47 < Kendo_Cocaine> thanks!
14:49 < Kendo_Cocaine> windows machine is not default gateway, router is. DArqueBishop
14:49 < Kendo_Cocaine> so maybe a static route is needed
14:49 < Kendo_Cocaine> Will look into it
14:51 < DArqueBishop> For what it's worth, when I had a Linux server as the OpenVPN server for my home LAN, I had to do the same thing. I had to put a route in my router saying all traffic for the VPN subnet needed to go to my VPN server's LAN IP.
14:52 < Kendo_Cocaine> dope and that does make sense, I had it running well on a linux machine where everything was natted in the server fierwall
14:52 < Kendo_Cocaine> but this seems cleaner
14:53 < Kendo_Cocaine> his was the ufw before rule that worked # START OPENVPN RULES
14:53 < Kendo_Cocaine> # NAT table rules
14:53 < Kendo_Cocaine> *nat
14:53 < Kendo_Cocaine> :POSTROUTING ACCEPT [0:0]
14:53 < Kendo_Cocaine> # Allow traffic from OpenVPN client to wlp11s0 (change to the interface you discovered!)
14:53 < Kendo_Cocaine> -A POSTROUTING -s 10.8.0.0/8 -o wlp11s0 -j MASQUERADE
14:53 < Kendo_Cocaine> COMMIT
14:53 < Kendo_Cocaine> # END OPENVPN RULES
14:54 < Kendo_Cocaine> but this is windows now, i know it's not standard practce to do it on a windows machine but I was curious on it anyway
14:55 < DArqueBishop> Kendo_Cocaine: like I said, the easier option would be to go onto the internal LAN's router and put a route in for the VPN gateway.
14:55 < Kendo_Cocaine> gotcha
16:02 -!- mundus2018 is now known as mundus
18:03 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 255 seconds]
18:23 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
18:23 -!- mode/#openvpn [+o dazo] by ChanServ
18:34 -!- remirol is now known as lorimer
18:39 < LargePrime> heyo!  I am using OpenVPN as a client in lubuntu 17.10.  I am having an issue and would like to add more verbosity to the logs.  /etc/openvpn has no .conf  please advise.
19:06 -!- def_jam is now known as eb0t
19:07 < LargePrime> thankyou
19:08 < Kendo_Cocaine> Hello all, I asked a question earlier on this, I am able to ping server at VPN IP as well as LAN IP. Not other machines. I need to add a static route, is it true that I would enter it as anything destined for VPN subnet 10.8.0.0/24 to go use vpn lan address of 10.33.150.3
19:08 <@ordex> LargePrime: where is the openvpn config?
19:09 <@ordex> LargePrime: --verb is what decides the verbosity and usually 4 is enough to understand most of the high-level problems
19:10 < LargePrime> i do not know how to find the config
19:10 < LargePrime> ordex,
19:11 <@ordex> LargePrime: where did you configure openvpn?
19:11 <@ordex> via the networkmanager applet?
19:12 < LargePrime> network manager yes
19:12 < LargePrime> ordex,
19:12 <@ordex> LargePrime: mh ok, then i guess in the networkmanager window there migh be something about verbosity or a field to add options to the config ?
19:13 <@ordex> mh i can't find anything (I started to use NM recently too)
19:14 <@ordex> LargePrime: maybe you could "export" the config file from NM ?
19:14 <@ordex> (there seem to be a button for that) and then add verb there
19:14 <@ordex> and launch openvpn from the console to debug the issue
19:14 < LargePrime> i see
19:16 < Kendo_Cocaine> can anyone tell me, after the static route has been added to my router, do I need to do any further configuration on the windows openvpn server to be able to see lans behind that server?
19:16 < Kendo_Cocaine> this is driving me nuttsssssss
19:17 <@ordex> Kendo_Cocaine: I have no experience with windows, but normally the server should allow packets to flow through. and this is not enabled by default
19:17 <@ordex> !serverlan
19:17 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
19:18 < Kendo_Cocaine> !route
19:18 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
19:19 < LargePrime> ordex, can you give command to launch vpn using client,conf?
19:19 <@ordex> LargePrime: just 'openvpn client.conf'
19:19 <@ordex> normally you'd start that as root
19:23 < Kendo_Cocaine> uggh that still dosnt help
19:24 < Kendo_Cocaine> i have ipforwarding enabled in windows
19:25 < Kendo_Cocaine> i have a static route added to my router
19:25 < Kendo_Cocaine> can only see vpn server ip and vpn server lan ip from client
19:31 <@ordex> sorry I have 0 experience on windows as server. maybe somebody else will have some hint
19:32 < Kendo_Cocaine> thx ordex
19:33 < LargePrime> ordex, how do i know if it working?
19:34 <@ordex> LargePrime: you should see that in the log. it should say that it connected and the init was completed
19:34 <@ordex> note that if your config has a 'log' statement, it will log in the file indicated by that
19:46 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 250 seconds]
19:46 < LargePrime> thanks ordex
19:47 <@ordex> np
19:59 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
19:59 -!- mode/#openvpn [+o dazo] by ChanServ
20:51 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 255 seconds]
20:53 -!- def_jam is now known as eb0t
21:01 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
21:01 -!- mode/#openvpn [+o dazo] by ChanServ
--- Day changed Tue Nov 07 2017
01:28 <@krzee> guess who's back
01:28 <@krzee> back again
01:29 < scj643> ・゜゜・。。・゜ ​ ゜\_ø<​ QUAC​K!
01:44 <@krzee> Kendo_Cocaine: do you still need help?
01:51  * swg0101 pokes novaflash 
01:55 <@ordex> krzee: good morning !!!
01:55 <@ordex> :D
01:55 <@ordex> welcome back
01:55 <@krzee> thanks!
01:55 <@krzee> good to be back
01:55 <@krzee> had to get a new laptop and configure it and whatnot
01:55 <@ordex> been a bit worried here as we haven't had any signal from you in a while
01:55 <@krzee> ya i been getting that all over :D
01:56 <@krzee> from all the msgs im almost surprised i didnt get a text from eric haah
01:57 < swg0101> where da novaflash go ;]
01:58 <@krzee> id be the last to know
01:58 <@krzee> lol
02:38 <@novaflash> hi swg0101
02:38 <@novaflash> what do you want from meee
02:38  * swg0101 gives you a poke
02:44 <@novaflash> nyyehh
02:56 < Kingsy> When trying to generate my keys, I am running source ./vars as root however when running ./clean-all it says Please source the vars script first (i.e. "source ./vars") what am I missing?
03:00 <@krzee> !easy-rsa
03:00 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
03:00 <@krzee> use version 3
03:06 < ^7heo> like you would ever want handholding in security...
03:06 < Kingsy> ah ok great.
03:06 < Kingsy> thanks
03:45 <+hyper_ch> so, had a breakin at work this night.... server gone, various other electronic devices gone.... some money missing... they even took toilet paper and paper handkerchiefs.... they didn't take some.... they didn't take some other, expensive electronic things like yealink t48g phones but an ancient microwave.... they even took wireless keyboard and mouse... so annoying to type on the notebook
04:19 <@ordex> hyper_ch: cr0p, srry to hear that :/
04:25 <+hyper_ch> checking to get new server now and pondering to replace debian/proxmox with nixos/qemu
04:25 <+hyper_ch> ordex: just take 2-3 days until everything is resetup.. that's the annoying part ;)
04:29 < Kingsy> hm looking at this tutorial --> https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto <-- looks like there are 3 systems? CA server and client? what is meant by the CA system?
04:29 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net)
04:33 < Kingsy> oh forget that. It acutlaly says it in the tuorial.. DOH
04:33 <@ordex> :)
04:41 <+hyper_ch> Kingsy: if you want to generate all keys and certs, you can also follow the insecure howto
04:41 <+hyper_ch> it's only insecure because the CA then has the priv keys as well
04:41 < Kingsy> so when signing server keys, I am guess you sign as server? client as client?
04:42 <+hyper_ch> https://community.openvpn.net/openvpn/wiki/EasyRSA3-Insecure-PKI
04:42 <@vpnHelper> Title: EasyRSA3-Insecure-PKI – OpenVPN Community (at community.openvpn.net)
04:43 < Kingsy> looks lioke I get an error when trying to sign ./easyrsa: 644: ./easyrsa: [[: not found
04:44 < Kingsy> or deos the client key get signed as server an dhte server as client? meh that doesnt make sense I guess
04:44 <+hyper_ch> just follow the howtos :)
04:44 < Kingsy> I am :)
04:45 < Kingsy> I might aswell continue with this one given I am 3/4 through it
04:47 < Kingsy> hyper_ch: ok fair enough, I'll bin this tutorail and use that one
04:47 < Kingsy> thanks
04:48 <+hyper_ch> the howto you have would require the clients to create own priv keys and then request signing thingy....
04:49 <+hyper_ch> (I'm not too good with all those details...) so I follow the insecure one becuase then I as CA create everything and finally just hand out one file containing the openvpn configuration and keys all inside
06:44 < havoc> krzee: welcome back!
07:07 <+hyper_ch> krzee is back?
07:08 < havoc> yes
07:09 <+hyper_ch> yey
07:09 <+hyper_ch> I got robbed and krzee is back... coincidence?
07:57 -!- mode/#openvpn [-v hyper_ch] by ecrist
07:57 <@ecrist> muahaha
07:57  * ecrist waves at krzee 
08:45 -!- abenz_ is now known as abenz
08:54 < Kendo_Cocaine> krzee, yeah man
08:54 < Kendo_Cocaine> i do still need help
08:55 < Kendo_Cocaine> So far, I've entered a static route in my router for 10.8.0.0/24 to point to 10.33.150.3, which is the IP of the VPN server itself
08:57 < Kendo_Cocaine> Can still only hit the server itself at the lan IP, and even then services are limited to remote desktop
08:57 < Kendo_Cocaine> push route shows that it succeeds for 10.33.150.0/24 when I connect
08:58 < Kendo_Cocaine> but I cant hit any other machines in that internal lan that the openvpn server sits on
08:59 < Kendo_Cocaine> so weird. I cant even ping the VPN server once connected, at either address, but I csn RDP to both
08:59 < Kendo_Cocaine> 10.33.150.3 and 10.8.0.1
09:02 < DArqueBishop> Kendo_Cocaine: are you sure you have IP forwarding enabled?
09:02 < DArqueBishop> !winipforward
09:02 <@vpnHelper> "winipforward" is (#1) reboot after enabling it, or (#2) https://support.microsoft.com/EN-US/kb/230082 to enable ip forwarding on windows
09:02 < Kendo_Cocaine> I enabled it in the registry
09:03 < Kendo_Cocaine> Yep followed those instructions
09:05 < Kendo_Cocaine> hold up, weird, it was no longer enabled
09:06 < Kendo_Cocaine> nvmd yeah it was
09:06 < Kendo_Cocaine> lol
09:10 < Kendo_Cocaine> https://imgur.com/a/TZIvR
09:10 <@vpnHelper> Title: Imgur: The most awesome images on the Internet (at imgur.com)
09:11 < Kendo_Cocaine> i know right, i believe that post belongs in reddit/r/gonewild
09:11 < Kendo_Cocaine> im gonna get flagged for abuse
09:14 < Kendo_Cocaine> that's my static router entry https://imgur.com/a/6eVKs
09:14 <@vpnHelper> Title: Imgur: The most awesome images on the Internet (at imgur.com)
09:53 < asgs> !welcome
09:53 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
09:53 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
09:53 < rob0> krzee, \o/ HE LIVES!
09:55 <@novaflash> great, now we can ignore him again
09:57 < asgs> !goal Hello! I'm trying to access my company VPN from my debian 9 and have received my username, password and the client.ovpn file. I could start the openvpn client by passing the --config parameter the .ovpn file location and could see the tun0 created. however, all browser requests to the VPN hosts are turned down by "Server not found" errors. where should I begin to troubleshoot this problem?
09:58 < rob0> again, the bot does not understand that.
09:58 < asgs> Hello! I'm trying to access my company VPN from my debian 9 and have received my username, password and the client.ovpn file. I could start the openvpn client by passing the --config parameter the .ovpn file location and could see the tun0 created. however, all browser requests to the VPN hosts are turned down by "Server not found" errors. where should I begin to troubleshoot this problem?
09:58 < asgs> sorry, misread it
09:59 < rob0> You probably are using your ISP nameservers, need to use DNS via the tunnel.
10:00 < asgs> yeah, I was reading about that. so if I manage to get their IP addresses (which I haven't yet), I should be fine, right?
10:00 < rob0> The simplest approach is "echo nameserver 8.8.8.8 > /etc/resolv.conf"
10:00 < rob0> assuming of course that your server is using --redirect-gateway
10:00 < asgs> yes, I use the Google DNS already, so no worries there
10:01 < rob0> !redirect
10:01 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
10:01 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
10:01 < rob0> ^^ go with the flowchart
10:01 < asgs> nice! I'll check this out, rob0
10:07 < Kendo_Cocaine> asgs can you ping those hosts
10:08 < asgs> no, I guess it's got something to do with the DNS. that's why I'm hoping knowing the IP addresses will resolve this temporarily, Kendo_Cocaine
10:09 < asgs> there's a note on the openvpn website about DNS - " When a Linux/Unix client is used with Access Server, the Access Server is unable to alter the DNS settings on the client in question." may be my issue is related to this?
10:10 < asgs> I got a workmate who uses Macbook and it was easy enough to get connected
10:11 < DArqueBishop> asgs:
10:11 < DArqueBishop> !as
10:11 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
10:12 < asgs> sorry about that and thanks for the hint
10:12 < rob0> 8.8.8.8 should work whether on the VPN or not.
10:13 < asgs> all my internet access is fine, just the VPN hosts
10:13 < rob0> "dig openvpn.net. @8.8.8.8"
10:13 < rob0> um
10:13 < rob0> okay, so they are NOT redirecting your gateway?
10:13 < DArqueBishop> rob0: not if he's trying to reach FQDNs that are only listed in his company's DNS servers.
10:13 < rob0> or ... oh
10:14 < rob0> !dnsmasq
10:14 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
10:14 < DArqueBishop> rob0: it should also be pointed out that he is NOT the VPN admin.
10:14 < rob0> yes, I knew that part
10:14 < DArqueBishop> asgs: you really should be talking to your IT department for support first.
10:15 < rob0> you will need to know a VPN (LAN) address of an internal nameserver
10:15 < asgs> DArqueBishop, sure thing. he's looking into it, but the people on Macbooks/Windows are able to connect fine, and that note on DNS made me think that something needs to be done on a Linux machine to get it done
10:15 < rob0> and your IT folks can answer that
10:16 < rob0> correct.  --dhcp-option is Windows-only
10:16 < asgs> one moment, I got a few warnings about unknown options
10:17 < asgs> https://gist.github.com/asgs/f4aea24eaa1226a3aaead89677e39b51
10:17 <@vpnHelper> Title: OpenVPN client warnings · GitHub (at gist.github.com)
10:18 < asgs> so "register-dns" could be the thing may be? in any case, we'll troubleshoot with the IT folks
10:38 < Kendo_Cocaine> krzee lemme know when you have a feew
10:58 -!- LargePrime is now known as nOOb
11:02 -!- nOOb is now known as LargePrime
12:30 < Kendo_Cocaine> So I can ping through now!!!!!
12:30 < Kendo_Cocaine> Is it bad that in my server log I'm seeing OPTIONS IMPORT: adjusting link_mtu to 1624
12:31 < Kendo_Cocaine> shouldnt that be waaaayyyy lower
12:31 < Kendo_Cocaine> I can send pings to other devices but thats it
12:31 <@novaflash> Mr. Sulu. Warp 13. Engage.
12:33 < Kendo_Cocaine> nvmd now I can ping the server and my router
12:33 < Kendo_Cocaine> i'm beginning to think openvpn is a poor choice for a windows server
12:33 < Kendo_Cocaine> I cant ping any other device
12:36 < vectr0n> i havent been following but do you have the client-to-client option?
12:52 < Kendo_Cocaine> yes
12:52 < Kendo_Cocaine> that is enabled
12:52 < Kendo_Cocaine> and IP forwarding
12:52 < Kendo_Cocaine> in the log i see that mtu is set for the link to 1624, seems kinda odd
12:53 < Kendo_Cocaine> and I can ping the router, which is progress as up to this point I've only been able to ping the VPN server at 10.8.0.1 and it's lan IP of 10.33.150.3
12:53 < Kendo_Cocaine> router is at 10.33.150.1
12:54 < Kendo_Cocaine> I can only ping the router though, I cant log in
12:54 < Kendo_Cocaine> Mikrotik router
12:55 < Kendo_Cocaine> I tried an mmsfix directive but that didnt change openvpn changing mtu to 1624
12:57 < Kendo_Cocaine> annnnndddddd I can only pass 5mbps through it at a time
12:57 < Kendo_Cocaine> super gay
13:00 < Kendo_Cocaine> does Spectrum Internet limit VPN traffic?
13:03 < BtbN> I wouldn't want Windows as any kind of router. It's just not made for that.
13:04 < Kendo_Cocaine> true, im running ovpn on linux as well and getting the same shitty speeds
13:04 < Kendo_Cocaine> maybe it's in my config
13:04 < Kendo_Cocaine> though I've gotten faster speeds on other ISPs on that same linux config
13:04 < BtbN> OpenVPN isn't super fast, yes
13:05 < hyper_ch> BtbN: but you're ok with Windows on ATMs?
13:05 -!- gthank is now known as gthank_away
13:05 < Kendo_Cocaine> sha256 isn't over envrypted is it
13:05 < BtbN> Use big packets, no fancy crypto but just AES. AES-128 if you really need the speed
13:05 -!- gthank_away is now known as gthank
13:05 < BtbN> sha is no encryption
13:05 < Kendo_Cocaine> there are different lavours of sha
13:06 < asgs> just an update - I installed resolvconf and added a couple of lines (up and down the conf file, not sure what it means) to my .ovpn and now DNS issues are gone!
13:06 < Kendo_Cocaine> nice
13:06 < BtbN> sha is a hashing algorithm
13:06 < DArqueBishop> <hyper_ch> BtbN: but you're ok with Windows on ATMs?
13:06 < Kendo_Cocaine> glad someone is fixing their issues around here
13:06 -!- gthank is now known as gthank_away
13:06 < asgs> this article was written for people like me (judging from the comments sections) http://www.softwarepassion.com/solving-dns-problems-with-openvpn-on-ubuntu-box/
13:06 <@vpnHelper> Title: Solving DNS problems with OpenVPN on Ubuntu box | Software Passion (at www.softwarepassion.com)
13:06 <@novaflash> DArqueBishop: please don't hurt me so much
13:06 -!- gthank_away is now known as gthank
13:06 < DArqueBishop> As long as they're audited and kept up to date, I'm not against it. The lack of updates to these ATMs are the biggest issues.
13:06 < Kendo_Cocaine> i like openvpn's option to push routes and not have to redirect all traffic through the vpn
13:06 < Kendo_Cocaine> im fairly new to this
13:07 < BtbN> Well, in theory the lack of updates doesn't matter. As long as they don't do stupid bullshit like exposing USB ports to the public, or putting them on the public internet.
13:07 < DArqueBishop> BtbN: that too.
13:10 < Kendo_Cocaine> so cipher AES-256-CBC is too much for a dude who just wants to transfer some files and check on his apt through some cameras?
13:11 < BtbN> 256 is fine
13:11 < BtbN> 128 is just a bit faster, due to CPU optimizations
13:11 < BtbN> and 128 easily fitting into registers
13:11 < lastc> Hi!, i got openvpn running on a vps and i tried to use build-keys to allow my phone to connect to the network, but everytime i do so, it tells me to run "source vars"
13:12 < lastc> But even after i do so, it keeps showing the same message
13:12 < Kendo_Cocaine> so say I', only getting 500Kb/s (5mbps) on 256, what can I expect to get on 128
13:12 < BtbN> no idea
13:12 < Kendo_Cocaine> mind you my CPU isnt taxed in the slightest on the server side
13:12 < BtbN> 5mbps sounds so low that I'd suspect something else is at fault
13:12 < BtbN> 100mbps should be totally possible already
13:13 < Kendo_Cocaine> seriously dude and it's a 100mbps circuit on one side and a 500mbps circuit on the other
13:13 < Kendo_Cocaine> just doesnt make fkn sense
13:13 < Kendo_Cocaine> and I've already fucked with the buffer directive on the config to no avail
13:14 < Kendo_Cocaine> I'm just going to be stupid and completely open a machine up to the public internet
13:15 < BtbN> One of them isn't a RPi or something?
13:17 < Kendo_Cocaine> RPi?
13:18 < hyper_ch> raspberry pi
13:18 < hyper_ch> !configs
13:18 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:20 < Kendo_Cocaine> so.....no comments?
13:21 < Kendo_Cocaine> dont wanna piss people off on here
13:21 < Kendo_Cocaine> it's windows
13:24 < hyper_ch> Kendo_Cocaine: give configs as vpnHelper outlined above
13:25 < Kendo_Cocaine> # Which local IP address should OpenVPN
13:25 < Kendo_Cocaine> # listen on? (optional)
13:25 < Kendo_Cocaine> ;local a.b.c.d
13:25 < Kendo_Cocaine> # Which TCP/UDP port should OpenVPN listen on?
13:25 < Kendo_Cocaine> # If you want to run multiple OpenVPN instances
13:25 < Kendo_Cocaine> # on the same machine, use a different port
13:25 < Kendo_Cocaine> # number for each one.  You will need to
13:26 < Kendo_Cocaine> # open up this port on your firewall.
13:26 < Kendo_Cocaine> port 1195
13:26 < Kendo_Cocaine> # TCP or UDP server?
13:26 < Kendo_Cocaine> ;proto tcp
13:26 < Kendo_Cocaine> proto udp
13:26 < Kendo_Cocaine> # "dev tun" will create a routed IP tunnel,
13:26 < Kendo_Cocaine> # "dev tap" will create an ethernet tunnel.
13:26 < Kendo_Cocaine> # Use "dev tap0" if you are ethernet bridging
13:26 < Kendo_Cocaine> # and have precreated a tap0 virtual interface
13:26 < Kendo_Cocaine> # and bridged it with your ethernet interface.
13:26 < Kendo_Cocaine> # If you want to control access policies
13:26 < Kendo_Cocaine> # over the VPN, you must create firewall
13:26 < Kendo_Cocaine> # rules for the the TUN/TAP interface.
13:26 < Kendo_Cocaine> # On non-Windows systems, you can give
13:26 < Kendo_Cocaine> # an explicit unit number, such as tun0.
13:26 < Kendo_Cocaine> # On Windows, use "dev-node" for this.
13:26 < Kendo_Cocaine> # On most systems, the VPN will not function
13:26 < Kendo_Cocaine> # unless you partially or fully disable
13:26 < Kendo_Cocaine> # the firewall for the TUN/TAP interface.
13:26 < Kendo_Cocaine> ;dev tap
13:26 < Kendo_Cocaine> dev tun
13:26 < Kendo_Cocaine> # Windows needs the TAP-Win32 adapter name
13:26 < Kendo_Cocaine> # from the Network Connections panel if you
13:26 < Kendo_Cocaine> # have more than one.  On XP SP2 or higher,
13:26 < Kendo_Cocaine> # you may need to selectively disable the
13:26 < Kendo_Cocaine> # Windows firewall for the TAP adapter.
13:26 < Kendo_Cocaine> # Non-Windows systems usually don't need this.
13:26 < Kendo_Cocaine> ;dev-node MyTap
13:27 < Kendo_Cocaine> # SSL/TLS root certificate (ca), certificate
13:27 < Kendo_Cocaine> # (cert), and private key (key).  Each client
13:27 < Kendo_Cocaine> # and the server must have their own cert and
13:27 < Kendo_Cocaine> # key file.  The server and all clients will
13:27 < Kendo_Cocaine> # use the same ca file.
13:27 < Kendo_Cocaine> #
13:27 < Kendo_Cocaine> # See the "easy-rsa" directory for a series
13:27 < Kendo_Cocaine> # of scripts for generating RSA certificates
13:27 < Kendo_Cocaine> # and private keys.  Remember to use
13:27 < Kendo_Cocaine> # a unique Common Name for the server
13:27 < Kendo_Cocaine> # and each of the client certificates.
13:27 < metellus> please use a pastebin next time
13:27 < Kendo_Cocaine> #
13:27 < Kendo_Cocaine> # Any X509 key management system can be used.
13:27 < Kendo_Cocaine> # OpenVPN can also use a PKCS #12 formatted key file
13:27 < Kendo_Cocaine> # (see "pkcs12" directive in man page).
13:27 < Kendo_Cocaine> ca ca.crt
13:27 < Kendo_Cocaine> cert server.crt
13:27 < Kendo_Cocaine> key server.key  # This file should be kept secret
13:27 < Kendo_Cocaine> # Diffie hellman parameters.
13:27 < Kendo_Cocaine> # Generate your own with:
13:27 < Kendo_Cocaine> #   openssl dhparam -out dh2048.pem 2048
13:27 < Kendo_Cocaine> dh dh2048.pem
13:27 < Kendo_Cocaine> # Network topology
13:27 < Kendo_Cocaine> # Should be subnet (addressing via IP)
13:27 < CptLuxx> good lord pastebin
13:27 < Kendo_Cocaine> # unless Windows clients v2.0.9 and lower have to
13:27 < Kendo_Cocaine> # be supported (then net30, i.e. a /30 per client)
13:27 < Kendo_Cocaine> # Defaults to net30 (not recommended)
13:27 < Kendo_Cocaine> topology subnet
13:28 < Kendo_Cocaine> # Configure server mode and supply a VPN subnet
13:28 < Kendo_Cocaine> # for OpenVPN to draw client addresses from.
13:28 < Kendo_Cocaine> # The server will take 10.8.0.1 for itself,
13:28 < CptLuxx> are you crazy
13:28 < Kendo_Cocaine> # the rest will be made available to clients.
13:28 < Kendo_Cocaine> # Each client will be able to reach the server
13:28 < Kendo_Cocaine> # on 10.8.0.1. Comment this line out if you are
13:28 < Kendo_Cocaine> # ethernet bridging. See the man page for more info.
13:28 < Kendo_Cocaine> server 10.8.0.0 255.255.255.0
13:28 < Kendo_Cocaine> # Maintain a record of client <-> virtual IP address
13:28 < Kendo_Cocaine> # associations in this file.  If OpenVPN goes down or
13:28 < Kendo_Cocaine> # is restarted, reconnecting clients can be assigned
13:28 < Kendo_Cocaine> # the same virtual IP address from the pool that was
13:28 < Kendo_Cocaine> # previously assigned.
13:28 < vectr0n> ;/
13:28 < Kendo_Cocaine> ifconfig-pool-persist ipp.txt
13:28 < Kendo_Cocaine> # Configure server mode for ethernet bridging.
13:28 < Kendo_Cocaine> # You must first use your OS's bridging capability
13:28 < Kendo_Cocaine> # to bridge the TAP interface with the ethernet
13:28 < Kendo_Cocaine> # NIC interface.  Then you must manually set the
13:28 < Kendo_Cocaine> # IP/netmask on the bridge interface, here we
13:28 < Kendo_Cocaine> # assume 10.8.0.4/255.255.255.0.  Finally we
13:28 < Kendo_Cocaine> # must set aside an IP range in this subnet
13:28 < Kendo_Cocaine> # (start=10.8.0.50 end=10.8.0.100) to allocate
13:28 < Kendo_Cocaine> # to connecting clients.  Leave this line commented
13:28 < Kendo_Cocaine> # out unless you are ethernet bridging.
13:28 < Kendo_Cocaine> ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
13:28 < Kendo_Cocaine> # Configure server mode for ethernet bridging
13:28 < Kendo_Cocaine> # using a DHCP-proxy, where clients talk
13:28 < Kendo_Cocaine> # to the OpenVPN server-side DHCP server
13:29 < Kendo_Cocaine> # to receive their IP address allocation
13:29 < Kendo_Cocaine> # and DNS server addresses.  You must first use
13:29 < Kendo_Cocaine> # your OS's bridging capability to bridge the TAP
13:29 < Kendo_Cocaine> # interface with the ethernet NIC interface.
13:29 < Kendo_Cocaine> # Note: this mode only works on clients (such as
13:29 < Kendo_Cocaine> # Windows), where the client-side TAP adapter is
13:29 < Kendo_Cocaine> # bound to a DHCP client.
13:29 < Kendo_Cocaine> ;server-bridge
13:29 < CptLuxx> !op
13:29 <@vpnHelper> Error: You don't have the #openvpn,op capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:29 < Kendo_Cocaine> # Push routes to the client to allow it
13:29 < Kendo_Cocaine> # to reach other private subnets behind
13:29 < Kendo_Cocaine> # the server.  Remember that these
13:29 < Kendo_Cocaine> # private subnets will also need
13:29 < Kendo_Cocaine> # to know to route the OpenVPN client
13:29 < Kendo_Cocaine> # address pool (10.8.0.0/255.255.255.0)
13:29 < Kendo_Cocaine> # back to the OpenVPN server.
13:29 < Kendo_Cocaine> push "route 10.8.0.0 255.255.255.0"
13:29 < Kendo_Cocaine> push "route 10.33.150.0 255.255.255.0"
13:29 < Kendo_Cocaine> ;push "route 192.168.20.0 255.255.255.0"
13:29 < Kendo_Cocaine> # To assign specific IP addresses to specific
13:29 < Kendo_Cocaine> # clients or if a connecting client has a private
13:29 < Kendo_Cocaine> # subnet behind it that should also have VPN access,
13:29 < Kendo_Cocaine> # use the subdirectory "ccd" for client-specific
13:29 < Kendo_Cocaine> # configuration files (see man page for more info).
13:29 < Kendo_Cocaine> # EXAMPLE: Suppose the client
13:29 < Kendo_Cocaine> # having the certificate common name "Thelonious"
13:29 < Kendo_Cocaine> # also has a small subnet behind his connecting
13:29 < Kendo_Cocaine> # machine, such as 192.168.40.128/255.255.255.248.
13:29 < Kendo_Cocaine> # First, uncomment out these lines:
13:30 < Kendo_Cocaine> ;client-config-dir ccd
13:30 < Kendo_Cocaine> ;route 192.168.40.128 255.255.255.248
13:30 < Kendo_Cocaine> # Then create a file ccd/Thelonious with this line:
13:30 < Kendo_Cocaine> #   iroute 192.168.40.128 255.255.255.248
13:30 -!- Kendo_Cocaine was kicked from #openvpn by ecrist [GTFO]
13:30 < vectr0n> woot ty
13:37 < Kendo_Cocaine> has anyone been able to chec that link
13:38 < Kendo_Cocaine> pasting that message was a honest error
13:40 < hyper_ch> Kendo_Cocaine: (1) use a pastebin (2) remove commented out lines (3) remove private info like inline certs :)
13:41 < Kendo_Cocaine> thx
13:58 <@ecrist> CptLuxx: you are not an op
14:09 <@krzee> ecrist!
14:09 <@krzee> hiiii
14:09 <@krzee> *erratic wave*
14:10 < havoc> krzee: welcome back :)
14:11 <@krzee> thank you!
14:11 < havoc> how many hurricanes hit/affected you?
14:13 <@krzee> 0
14:13 < havoc> ah
14:13 <@krzee> im not in that area =]
14:13 < havoc> why offline for so long then?
14:13 <@krzee> old laptop started to die, had to get a new one and configure it
14:14 <@krzee> while working a ton and in a new house and taking care of 2 dogs 4 geese and 8 chickens and a 1/2 acre garden
14:14 < havoc> ah
14:14 <@krzee> err 1/4 acre garden i mean
14:14 < havoc> Life
14:14 <@krzee> yep
14:15 <@krzee> one of the geese just tried to attack me and got soccer kicked
14:15 <@krzee> he volunteered to be thanksgiving dinner
14:15 <@krzee> lil f'er thinks she runs the show lol we'll see how she likes being eaten
14:16 < havoc> heh
14:22 < hyper_ch> krzee: YOU'RE ALIVE
14:22 <@krzee> unlike that goose will be!
14:22 <@krzee> muahaha
14:22 < hyper_ch> there were 1 or 2 people in here really worried about you
14:22 < DArqueBishop> krzee has not been killed by Mother Nature.
14:22 < DArqueBishop> Mother Nature will try harder next time.
14:23 <@krzee> sorry to worry anybody, i was just lazy
14:23 <@krzee> for the record ecrist can probably reach me in case of emergency
14:23 <@krzee> i say probably because who knows what he did or didnt save
14:24 < hyper_ch> hmmm, weird.... krzee's old laptop died.... my office got burglared last night... krzee is now online..... coincidence?
14:24 <@krzee> hyper_ch: thanks for the laptop
14:24 < hyper_ch> there was no laptop at the office but tons of other stuff :(
14:24 <@krzee> except you're like across the world and my laptop is cheaper than the plane ticket to rob you
14:25 < hyper_ch> I'm right here... and not accross the world...
14:25 <@krzee> you in us?
14:25 < hyper_ch> no, I'm here :)
14:25 <@krzee> haha
14:25 <@krzee> eu iirc, far far away
14:26 < hyper_ch> so, anyone here is super knowledgable regarding qemu/kvm?
14:26 < hyper_ch> switzerland is not part of the EU
14:26 <@krzee> negative ghostrider
14:26 <@krzee> it isnt? hah i thought it was (i totally admit my ignorance of much of that part of the world)
14:26 <@krzee> is norway?
14:26 <@krzee> is cz?
14:27 < hyper_ch> norway isn't either
14:27 < hyper_ch> czech repulic.... hmmm... not sure
14:27 <@krzee> sweden?
14:27 < DArqueBishop> I used KVM for my old VM host server at home, but I wouldn't claim to be an expert.
14:28 < hyper_ch> DArqueBishop: on the office server I've used mdadm raid1 (with 3 disks), luks/dm-crypt, ext4 debian with proxmox to run several vms (vpn server, mail server, voip server, data server, ca server)
14:28 < hyper_ch> now, I like Nixos quite a bit meanwhile and I thought I could ditch proxmox and just go full qemu/kvm instead
14:29 < hyper_ch> and using native encrypted ZFS in mirrored mode
14:29 < hyper_ch> I know kvm/qemu is awesome, I just don't have experience with it
14:29 <@krzee> linux has zfs now??
14:29 <@krzee> or you came to bsd?
14:30 <@krzee> https://europa.eu/european-union/about-eu/countries_en
14:30 <@vpnHelper> Title: EUROPA - Countries | European Union (at europa.eu)
14:30 <@krzee> ahh you guys are Schengen but not eu
14:30 < hyper_ch> krzee: zfs on lilnux (zol)
14:30 <@krzee> thats how i was all confused
14:30  * DArqueBishop shrugs.
14:30 < hyper_ch> krzee: https://github.com/zfsonlinux/
14:30 <@vpnHelper> Title: ZFS on Linux · GitHub (at github.com)
14:31 < hyper_ch> krzee: we we're in Schengen
14:31 < DArqueBishop> I suppose I should have encrypted my VM host's drives, but I simply couldn't be bothered.
14:31 < hyper_ch> but how do you know about Schengen?
14:31 < DArqueBishop> As it stands the server is sitting disconnected on a shelf in my bedroom closet right now. ;-)
14:31 <@krzee> wife had to get a visa to go to eu on our honeymoon
14:31 < hyper_ch> since office server was stolen, it's good that all of it was encrypted
14:32 <@krzee> we had to keep it Schengen
14:32 < hyper_ch> and with zfs I can do like hourly backups
14:32 < hyper_ch> and not just nightly with rsync
14:32 < hyper_ch> krzee: they let you into the EU? oO
14:33 < hyper_ch> (at least I think your wife's honeymoon was with you....)
14:33 <@krzee> hyper_ch: twice now... they just dont know who i am :-p
14:33 < hyper_ch> you know that UK isn't really part of the EU?
14:33 < hyper_ch> ;)
14:34 <@krzee> i even got to hang with syzzer out there, he showed us some good beer and a good time =]
14:34 <@krzee> i never been to uk
14:34 < hyper_ch> ah... an USian tasting real beer for the first time in his life :)
14:34 <@krzee> lol i been to australia twice as well
14:34 <@krzee> they have great beer too
14:35 < hyper_ch> you mean Foster's?
14:35 <@krzee> they dont drink that crap
14:35 < hyper_ch> it's sold to foreigners ;)
14:35 <@krzee> just like americans dont drink the crap you guys think we do
14:35 <@krzee> but nah us has some good beer, its just small batch not for wide distribution
14:36 <@krzee> like you cant get the good california beer in new york even
14:36 < hyper_ch> well, they're not exactely next-door neighbours
14:36 <@krzee> you gotta figure out whats the good craft beer local to where you are when in usa
14:56 < hyper_ch> so, what shiny new notebook do you have now, krzee?
14:57 < havoc> good craft brew is everywhere, it's just not advertised; it's not a volume production
15:00 < hyper_ch> krzee: http://www.openwall.com/lists/oss-security/2017/11/06/8
15:00 <@vpnHelper> Title: oss-security - Linux kernel: multiple vulnerabilities in the USB subsystem (at www.openwall.com)
15:55 < xtuh> hi, need help to better understand site to site configuration.
18:45 < a1fa> i managed to setup a cool openvpn setup..
18:45 < a1fa> oauth2+temporary certs that expire when you disconnect, then you gotta go do oauth again
18:47 < a1fa> bitching setup
18:55 < pierre`> a1fa: online howto to setup this ? :)
19:40 < a1fa> pierre`: ;} i should write it up
19:41 < a1fa> "poorman's openvpn-as"
19:41 < a1fa> pierre`: i also have a setup openvpn-radius+mfa | all off the shelf components
22:00 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in]
22:04 -!- r00t^2 is now known as jth4n
22:04 -!- jth4n is now known as r00t^2
22:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:10 -!- mode/#openvpn [+o syzzer] by ChanServ
22:46 -!- abenz__ is now known as abenz
23:28 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 248 seconds]
23:43 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
23:43 -!- mode/#openvpn [+v s7r] by ChanServ
--- Day changed Wed Nov 08 2017
00:04 <@krzee> hyper_ch: a latitude e7240
00:05 <@krzee> a1fa: feel free to use community.openvpn.net if you like
00:05 <@krzee> (for your writeup)
00:18 < hyper_ch> krzee: how do you like it?
00:18 <@krzee> nice, good linux supports
00:19 <@krzee> support*
00:19 < hyper_ch> :) got myself a thinkpad.. generlly nice but there's one thing that really irks me about it
00:20 < hyper_ch> on the right hand side, from the back to the front you have kensington lock thingy, dvd drive, lan port, usb port
00:20 < hyper_ch> the lan port is close to the front which I think is really bad
00:20 < hyper_ch> they should have put it at the end
00:22 < hyper_ch> https://images.sjau.ch/img/d63cd3c1.jpg  -  if you attach lan cable (which come from the back) it blocks the dvd rom and also I like to have the mousmat close and it's annoying there as well
00:22 < hyper_ch> still getting re-setup in the office
00:23 <@ordex> dvd ?
00:23 <@ordex> how old is the laptop ?
00:23 < hyper_ch> not that old, why?
00:23 <@ordex> btw, best thinkpads, imho, are series T and X
00:23 <@ordex> oh haven't seen a laptop with a dvd rom in a while
00:23 < hyper_ch> whats wrong with dvd drive?
00:23 <@ordex> just haven't seen any in a while :P
00:24 < hyper_ch> most 15" + notebooks have them
00:24 < hyper_ch> :(
00:24 <@ordex> mhhhh I am not entirely sure it's "most"
00:24 < hyper_ch> or 17"
00:24 <@ordex> anyway, I haven;t surveyed all the laptops out there
00:25 < hyper_ch> not sure if I have 15 or 17
00:25 <@krzee> whats wrong with a floppydrive
00:26 <@krzee> i still rock the 5.25"
00:26 < hyper_ch> floppy drives are great
00:26 < hyper_ch> everybody should have 2 of them
00:28 < hyper_ch> it's probably a bluray drive
00:28 < hyper_ch> but I only use it sometimes anyway when I get case files on cd / dvd
00:28 <@krzee> my 5.25" floppy?
00:29 <@krzee> nah it doesnt do blueray
00:29 < hyper_ch> pretty sure it can do bluray if you put enough effort into it
01:01 <@ordex> :D
02:15 < pierre`> a1fa: i used openvpn with radius too (with OTP tokens from Entrust years ago)
02:15 < pierre`> was hell to manage with disconnections
03:44 -!- Netsplit *.net <-> *.split quits: @syzzer, @vpnHelper, |Mike|, @dazo, +RBecker, @krzee, @mattock, @novaflash, hyper_ch, @pekster
03:50 -!- Netsplit over, joins: @pekster, @dazo, @syzzer, @novaflash, @vpnHelper, hyper_ch, |Mike|
03:50 -!- ServerMode/#openvpn [+oo vpnHelper ordex] by moon.freenode.net
03:50 -!- Netsplit over, joins: @krzee, @mattock, +RBecker
03:50 -!- ServerMode/#openvpn [+vo _FBi mattock] by moon.freenode.net
03:51 < ch1pp0> appearently mssfix and fragment need to be set independently on both server and client. But a list of the variables that are pushable would be great.
04:10 <@dazo> ch1pp0: have you looked at the --push man page entry?
04:17 < ch1pp0> dazo: hmm interesting, thanks. Although it is a "partial" list.
04:22 < ch1pp0> the man-pages are confusing though. For the keepalive option it says: "This option can be used on both client and server side, but it is in enough to add this on the server side as it will push appropriate --ping and --ping-restart options to the client. If used on both server and client, the values pushed from server will override the client local values." But the description for --push implies that you
04:22 < ch1pp0> need to specify if the option is to be pushed or not.
05:20 <@dazo> ch1pp0: Read the "macro expansion" of --keepalive .... there you see why.  --keepalive itself is not a single option
05:28 < ch1pp0> dazo: I know that but the keepalive option is the combination of --ping and --ping-restart which are mentioned in the --push description which makes it confusing.
05:28 < ch1pp0> gad damn it, sorry
05:29 < ch1pp0> thanks for that ;)
06:16 < tiny> Hi. I'd like to force a disconnect for clients that exceed predefined connection ti,e.
06:16 < tiny> time*
06:16 < tiny> possible?
06:20 <@ordex> you have to handle it externally, but you can do that via management interface
06:20 <@ordex> (I think)
06:24 < tiny> This would be a reaaaaly usefull option :) , ok I'll check how to do this over management interface. Thanks.
06:26 <@ordex> np
07:25 <@dazo> tiny: yes, you can kill clients from the server side via the management interface .... look at the management-notes.txt file for details (often packaged, or at least in our git trees and source tarballs)
07:51 <@krzee> good evening ordex
08:07 < a1fa> pierre`: exactly -- thats why i'm moving over to oauth2+short lived certs
08:07 < a1fa> dazo: are clients stored in the memory, or they are in a file?
08:09 < a1fa> wondering if multiple servers could nfs mount config directory, and other directories
08:09 < a1fa> trying to prevent duplicate-cn across the servers
08:10 <@krzee> memory but you could write login info to a db
08:10 <@krzee> then check the db in a client-connect script or similar
08:10 <@krzee> !scripts
08:10 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
08:11 <@krzee> then you could deny attempt #2 or you could forcefully remove #1 when #2 logs in
08:11 <@krzee> whatever you want to make it...
08:11 < a1fa> sweet
08:11 < a1fa> is there client-disconnect script?
08:11 < a1fa> yes there is
08:12 < a1fa> cool
08:12 <@krzee> remember if the client disappears it wont be triggered until --keepalive gives up on the client
08:12 <@krzee> keepalive or similar*
08:29 < havoc> I've never used the openvpn management interface, I should learn that
08:33 < hyper_ch> havoc: why?
08:33 < havoc> because I don't know it?
08:35 < havoc> but from what I'm reading, the only immediately, remotely useful capability, for my needs, is the ability to disconnect a specific client
10:16 < schwetzon> Ok, so I'm running a working openvpn server on a server at home.. And I thought I should setup another ovpn server on my vps.. Said and done, Ive installed and configured it and started it. I've added openvpn service to firewalld, and added masquerade - triple checked everything.. I've also enabled ipv4 forwarding in sysctl.conf. So, to my problem - when I'm trying to connect, I do get a response from the openvpn server, but it halts during the auth
12:19 <@dazo> !logs
12:20 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
12:20 <@dazo> !configs
12:20 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
12:20 <@dazo> schwetzon: ^^^
13:52 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 255 seconds]
13:52 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
13:52 -!- mode/#openvpn [+o dazo] by ChanServ
13:54 < schwetzon> dazo: right! I'll hand you guys the log(s) and configs when I get back home from work.. In out of here (from work), in about 2 hours.
13:54 < schwetzon> Ttyl
14:51 -!- abenz_ is now known as abenz
16:16 < meffe> so.. im home!
16:16 < meffe> im schwett something, whatever i was named in my mobile irc app
16:18 < meffe> anyone awake and feel like they got a bit of time to help me troubleshot?
16:20 < rob0> well, I should note it doesn't work that way, you would normally just make your pastebin and wait.  But in your case I suspect firewalld is the problem.
16:22 < rob0> assuming the VPN is on tun0, on the server, "for x in INPUT FORWARD ; do iptables -vI $x -i tun0 -j ACCEPT ; done", and see if it works after that
16:23 < rob0> that loop adds two firewall rules which won't be permanent in firewalld
16:25 < rob0> I suppose firewalld blocks everything unless you tell it to unblock.  You allowed the tunnel packets in, but did you open the tunnel itself?
16:38 < meffe> sorry, i was afk for a lil while..
16:39 < meffe> i added the openvpn service to firewalld, since im running it on the default port.. and i set the masquerade..
16:40 < meffe> i also opened the 1194/udp, just to be on the safe side
16:40 < meffe> but give me a sec, ill try your iptables test - ill need to remove my old iptables rules first though, so im not blocked out from the server
16:45 < meffe> rob0: nah, still the same issue
16:49 < meffe> this is what a 'systemctl status openvpn@server' says -> https://paste.meffe.se/dutalesoco.vbs
16:54 < meffe> ah, i might have found the issue
16:54 < meffe> maybe - need to try it out
16:58 < meffe> nope :/
18:04 < meffe> oh my f- god.. why didnt i think of this earlier
18:05 < meffe> apparently, for some reason, my isp is blocking 1194
18:05 < meffe> i changed the port, and tada - its working
18:05 < Kryczek> lol
18:05 < Kryczek> what ISP does that? :)
18:05 < a1fa>  knob
18:05 < meffe> i didnt even think swedish isp's did these kind of things
18:06 < Kryczek> send pewdiepie after them
18:06 < meffe> why is everyone mentioning that nerd
18:06 < Kryczek> :D
18:06 < meffe> when ppl think of sweden, they think of some nerd ytber
18:07 < meffe> i dont even know who that is, ive been told of some american that there is some swedish nerd on yt named pewdiepie - "do you know him?!"
18:07 < Kryczek> ah, so how do you know he's a nerd?
18:08 < Kryczek> maybe it's fake news :)
18:08 < Kryczek> anyway, not really openvpn stuff
18:09 < meffe> anyone named "pewdiepie" must be a nerd :)
18:09 < meffe> no, you're right
18:10 < meffe> anyhow, i got some notifications from tunnelblick when i connected.. something about ip bla bla.. let me reconnect and ill show you
18:13 < rob0> that's bizarre
18:14 < rob0> China, sure, it's not unusual to hear about 1194 blocking
18:14 < rob0> a few other countries
18:14 < meffe> directly translated "A problem occurred when the computer's perceived public IP address was investigated" & "Tunnelblick could not retrieve the information regarding the IP address before the connection to the server was established"
18:15 < meffe> https://cl.ly/302k061i3c2d
18:15 <@vpnHelper> Title: Skärmavbild 2017-11-09 kl. 01.11.43.jpg (at cl.ly)
18:16 < meffe> regarding the what i believe is a blocked port - i'll reach out to my provider tomorrow, and ask them what's up.
18:17 < Kryczek> "Varning" I love it :D
18:17 < Kryczek> could it be something particular to TunnelBlick?
18:18 < Kryczek> Maybe try with the regular OpenVPN?
18:18 < meffe> ive never seen that kind of "error" before.. and ive used tunnelblick for a long time
18:19 < meffe> never seen it before on any of the other vpn servers ive been connecting to
18:19 < meffe> thats why im asking
18:25 < yute> Hi channel.
18:25 < yute> Looking for someone who could help guide me. I'm a newbie to dd-wrt and openvpn.
18:27 < yute> Trying to connect two linksys devices, that are behind modems. I was able to connect the two when they're on the same lan, but now that they are behind the modems and going through the internet, they are not connecting.
18:27 < yute> Is this commonly done?
18:31 < yute> this is what I'm trying to do.. https://www.area536.com/projects/securely-link-two-offices-using-openvpn/
18:31 <@vpnHelper> Title: Securely link two offices using OpenVPN (at www.area536.com)
18:33 < yute> am I at the right channel for help?
18:54 < Kryczek> hah, we just needed more time...
18:57 < meffe> :)
21:13 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 250 seconds]
21:14 -!- remirol is now known as lorimer
21:16 < CryptoManiac> i hav openvpn server running on Ubuntu 14. The server has its main IP address on eth0 and an additional IP from the host provider which I have assigned as an alias to eth 0:0. I've tried a lot of things so far to get my vpn traffic to see originate from the alias IP instead of the main server IP but it doesn't work. I edited the ufw before rules with these lines but still nothing...
21:16 < CryptoManiac> https://pastebin.com/PYntEnTe
21:17 < CryptoManiac> probably something simple but it's my first time configuring vpn server
21:20 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
21:20 -!- mode/#openvpn [+o dazo] by ChanServ
21:50 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
21:56 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
21:56 -!- mode/#openvpn [+o krzee] by ChanServ
23:46 -!- abenz_ is now known as abenz
--- Day changed Thu Nov 09 2017
00:15 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 248 seconds]
00:15 -!- BtbN_ is now known as BtbN
00:17 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 260 seconds]
00:18 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
00:19 -!- mode/#openvpn [+o krzie] by ChanServ
00:20 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
00:20 -!- mode/#openvpn [+o syzzer] by ChanServ
00:22 -!- Netsplit *.net <-> *.split quits: @krzee
01:57 < hyper_ch> krzie: https://twitter.com/h0t_max/status/928269320064450560
03:40 -!- Aichan_ is now known as Aichan
04:43 < adac> Hi there!
04:44 < adac> I was wondering if there is an official docker image out there of openldap?
04:44 < adac> and if not, can somebody suggest me a good comunity one?
04:49 < adac> this one looks nice https://github.com/osixia/docker-openldap
04:49 <@vpnHelper> Title: GitHub - osixia/docker-openldap: A docker image to run OpenLDAP 🐳 (at github.com)
05:01 < meffe> How would i go about to enable ipv6 over an ipv4 vpn ?
07:04 <@ecrist> what does that have to do with openvpn?
07:36 < hyper_ch> ecrist: I assume you were referring to adac?
07:51 < adac> worng channel sorry
08:03 < adac> hyper_ch, no wonder nobody replied me :D
08:04 < hyper_ch> it happens
08:04 < hyper_ch> but there's a good chance that someone who uses openvpn maybe also knows a thing or two about openldap
08:07 -!- gthank is now known as gthank_away
08:07 -!- gthank_away is now known as gthank
08:07 -!- gthank is now known as gthank_away
08:07 -!- gthank_away is now known as gthank
08:08 < DArqueBishop> hyper_ch: ... I wouldn't put money on it.
08:08 < hyper_ch> "maybe"
08:18  * ecrist knows LDAP far better than he'd like to
08:18 <@ecrist> that said, my LDAP skills pay the bills
08:18 <@ecrist> nnzt nnzt nnzt
08:18 <@ecrist> that rhymed
08:19  * hyper_ch heard that everytime someone mentions LDAP, God kills a baby seal
08:22 < DArqueBishop> No, that's "devops".
08:25 < havoc> ^^^^^^^
08:25 < havoc> I hate that word :(
08:26 < havoc> my M$ skills pay the bills :(
08:37 <@ordex> Connect for Android is also on the Amazon Market now
08:38 <@ordex> :]
08:40 <@ecrist> I've tried to not be "that guy", but LDAP is hard because nobody wants to help
08:40 <@ecrist> It's treated like some big secret that you need to know the handshake to figure out
08:40 <@ecrist> There is a very steep learning curve.  Once you get over the hump, it's pretty straight forward, though.
08:41 <@ecrist> Kind of like the concept of an electrical relay, or a transistor.
08:50 < davidebeatrici> Hi
08:50 < davidebeatrici> I need a VPN over port 53 TCP
08:50 < davidebeatrici> I have ZorroVPN
08:51 < davidebeatrici> For some reason, the speed is around 35/15
08:51 < davidebeatrici> It's horrible
08:52 < davidebeatrici> I tried with the port 443 UDP and I get almost full bandwidth
08:52 < davidebeatrici> What can I do?
08:52 < davidebeatrici> Full bandwidth is 70/35
08:54 <@ecrist> tcp is usually bad
08:54 <@ecrist> !tcp
08:54 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
08:56 < davidebeatrici> ecrist: I can't avoid it
08:57 < davidebeatrici> As the VPN doesn't connect over port 53 UDP
08:57 <@ecrist> davidebeatrici: sure, I get that, but that's likely part of your bandwidth problem.
08:57 < davidebeatrici> ecrist: Is there anything I can do to fix it?
08:57 < davidebeatrici> It also drops when doing a Speedtest
08:57 < DArqueBishop> Why are you using port 53?
08:57 <@ecrist> TCP isn't a problem if the connection is reliable.
08:58 <@ecrist> how are you doing "a speed test?"
08:58 < davidebeatrici> DArqueBishop: It allows me to have unlimited LTE
08:59 < davidebeatrici> ecrist: The connection is provided by an Android phone
08:59 < DArqueBishop> That may be your problem as well. They may have traffic shaping in place.
08:59 < davidebeatrici> I doubt that
09:00  * DArqueBishop chuckles.
09:00 < davidebeatrici> They don't know about that
09:00 < DArqueBishop> That you're aware of.
09:01 < davidebeatrici> That don't, trust me
09:01 < DArqueBishop> Then again, such shaping may not be because of VPNs but because of other reasons.
09:01 < davidebeatrici> With the VPN on 443 UDP I get full bandwidth
09:03 < davidebeatrici> It seems like a sndbuf/rcvbuf problem
09:03 < davidebeatrici> Setting them to 0 prevents the VPN from dropping
09:03 < davidebeatrici> But the speed is ridiculous
09:06 < davidebeatrici> DArqueBishop: Any suggestions?
09:10 < davidebeatrici> ecrist?
09:18 < davidebeatrici> Ridiculous
09:19 < davidebeatrici> Every time I start a speed test and it gets near 20 Mb/s, the VPN drops
09:19 < davidebeatrici> Connection reset, restarting [-1]
09:20 < davidebeatrici> Why? Just why?
09:43 <@ecrist> davidebeatrici: you're not dealing with a technical problem, per se, you're fighting against shaping policy on the network is my guess
09:44 < davidebeatrici> ecrist: Impossible, otherwise also UDP would suffer from the same problem
09:44 < davidebeatrici> Oh, let's find out out
09:44 < davidebeatrici> 443 TCP
09:44 < davidebeatrici> *it out
09:45 < adac> I can have  a netmask 255.255.0.0 for an openvpn server right?
09:45 < hyper_ch> probably, never tried
09:45 <@ecrist> adac: sure, but it's not advisable
09:46 <@ecrist> davidebeatrici: You have a lot of variables in play, and you don't really know where your problem lies.
09:46 < adac> ecrist, but how can I have more host then 254 then?
09:46 < adac> if I cannot use another netmask?
09:46 < hyper_ch> ecrist: so if you have more than 255 clients, wouldn't it be better to just deploy ipv6? or can you use normal just ipv4 and then just use private ipv6?
09:46 < davidebeatrici> ecrist: 443 TCP has the same problem
09:46 < davidebeatrici> It's definitely a TCP problem
09:46 <@ecrist> adac: OpenVPN performance tanks at about 200 clients
09:47 < davidebeatrici> Because 443 UDP works fine
09:47 <@ecrist> beyond that, you should have more than one server, and each server should have it's own subnet, with proper routes in place.
09:47 < davidebeatrici> But the VPN doesn't connect over 53 UDP
09:47 < davidebeatrici> I'm obliged to use 53 TCP
09:47 < adac> ecrist, I see thanks!
09:48 <@ecrist> davidebeatrici: I suspect someone in the middle is limiting port 53 bandwidth
09:48 < davidebeatrici> ecrist: 443 TCP has the same problem
09:48 <@ecrist> regardless, none of your problems are with OpenVPN
09:48 < davidebeatrici> Are you sure?
09:49 <@ecrist> these appear to be network related
09:49 < adac> ecrist, So at the moment I reach 200 clients, even if there is not a lot of traffic, I do get problems?
09:49 < adac> *I might get performance issues
09:49 <@ecrist> adac: no, but there's some limits in the openvpn main thread that hurt efficiency
09:49 < adac> ecrist, ok I see thanks
09:54 < adac> ecrist, can proxy my vpn server with for example with haproxy? Is that possible?
09:55 <@ecrist> adac: yes, you can.  If the connection fails from one to another server, it will be reset, though.
09:55 <@ecrist> So be careful in how you configure haproxy
09:55 < adac> ecrist, yes I see. Thanks!
09:56 < adac> Is there actually a way to cluster openvpn? or should one just setup two servers ldap1.example.com and ldap2.example.com and if one fails all the clients connect to the second one?
09:57 <@ecrist> OpenVPN doesn't support clustering right now.
09:57 <@ecrist> You can have multiple connection blocks, and the client will cycle through those, though.
09:58 < havoc> well, a connection block, w/ multiple connections/sections, is a better explanation
09:58 < adac> can I have half of the connections to ldap1 and the other one to ldap2? Is that possible?
09:58 < havoc> that was my original plan for the 2,000 clients, but provisioned them with static IPs instead
09:58 < adac> mean can these client still see each other?
09:59 <@ecrist> adac: that's a job for a load balancer, like haproxy or relayd
09:59 < havoc> adac: if you have the proper routes, and firewall rules, between the two vpn client segments, then yes.
09:59 < havoc> or what ecrist said :)
09:59 <@ecrist> "see" is something you need to define
09:59 < adac> havoc, where would one setup these routes? :)
10:00 < adac> ecrist, I mean can they still connect to each other via VPN
10:00 <@ecrist> same broadcast domain (i.e. subnet), probably not a good idea.  You can use WINS and DNS records to span the netbios domain across subnets, though
10:00 <@ecrist> yes, they can still connect.
10:00 < adac> ecrist, ok thanks!
10:01 < adac> Hmm I really need to look this up. Not that I need that now urgently but maybe later I'd like to have some kind of openvpn cluster
10:03 < adac> If one of you guys know a nice tutorial to such stuff, would be nice to get the URL :-)
10:03 <@ecrist> !books
10:03 <@ecrist> !book
10:03 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
10:03  * ecrist shameless plug
10:05 < adac> Ok thanks!
10:19 < Kryczek> 15:57 <@ecrist> You can have multiple connection blocks, and the client will cycle through those, though.
10:20 < Kryczek> you can also have the --remote line point to a FQDN resolving to more than one IP :)
10:20 < Kryczek> then you could do some load balancing at the DNS level
10:24 < davidebeatrici> ecrist: To me it seems like a OpenVPN problem
10:24 < davidebeatrici> Maybe I will ask someone with a decent home connection to test the VPN
10:26 < Kryczek> davidebeatrici: it's not impossible that it's a traffic shaping policy
10:27 < Kryczek> i.e. some admin forgot to cover UDP like they do TCP
10:28 < Kryczek> which apparently they forgot to do the other way around: blocking your UDP 53 but forgetting TCP 53
10:59 < davidebeatrici> Kryczek: Exactly, that's what I tought
11:00 < davidebeatrici> But also the other ports should be shaped
11:00 < davidebeatrici> Such as UDP 443
11:00 < davidebeatrici> Instead, it works fine (but the data is not unlimited)
11:04 < Kryczek> davidebeatrici: no I'm saying it's not impossible that have TCP 443 shaped and UDP 443 not shaped
11:04 < davidebeatrici> Kryczek: Oh, OK
11:39 < prauscher> hello, i set remote to a hostname and get "TCP/UDP: Incoming packet rejected from [AF_INET6]::ffff:<IPv4>:52306[10], expected peer address: [AF_INET6]<IPv6>:52306 (allow this incoming source address/port by removing --remote or adding --float) or from peer address: [AF_INET]<IPv4>:52306"
11:40 < prauscher> can anyone help me with this issue?
11:42 -!- pitastrudl_ is now known as pitastrudl
11:52 <@ecrist> davidebeatrici: not openvpn
11:52 < davidebeatrici> ecrist: How can you be so sure about that?
11:53 <@ecrist> if it was openvpn, it would perform the same, regardless of port number.
11:53 < davidebeatrici> ecrist: That's exactly my situation
11:53 <@ecrist> no
11:53 < davidebeatrici> Why?
11:54 <@ecrist> your problem is it performs differently when you change ports
11:54 < davidebeatrici> I said that 53 and 443 perform the same
11:54 < davidebeatrici> It's UDP that performs better than TCP
11:54 <@ecrist> it's like either congestion on the network, or traffic shaping somewhere along the way
12:02 < davidebeatrici> Pretty weird
12:17 -!- abenz_ is now known as abenz
12:26 < DArqueBishop> Not really. Either your provider has rules in place to stop what you're doing explicitly, or they're deliberately limiting DNS traffic to prevent congestion from rogue devices.
12:26 < davidebeatrici> That may be true
12:26 < davidebeatrici> But DNS uses 53 UDP, not >TCP
12:27 < davidebeatrici> *TCP
12:27 < DArqueBishop> Either way, your problem is not with OpenVPN.
12:28 < davidebeatrici> I have to try with a decent normal connection, to be sure about that
12:29 <@ecrist> davidebeatrici: DNS can use either TCP or UDP
12:29 <@ecrist> I believe DNSSEC requires TCP
12:29 < davidebeatrici> ecrist: Oh, OK
12:30 < DArqueBishop> Besides which, it really should be pointed out that what you're asking for help with has some legal or ethical implications, as you're asking for help to try and abuse a loophole regarding your agreement with your wireless carrier.
12:31 < davidebeatrici> DArqueBishop: Not a chance
12:31 < davidebeatrici> My home connection is offered by the same ISP
12:31 < davidebeatrici> I pay 45 euros per month for a 12.5/0.8 connection
12:31 <@ecrist> davidebeatrici: you did indicate above that you're trying to leverage OpenVPN to get unlimited data.
12:32 < davidebeatrici> ecrist: He said "ethical" implications
12:32 <@ecrist> theft is unethical
12:32 < DArqueBishop> I said "legal and ethical".
12:32 < davidebeatrici> They're the ones stealing money from people
12:32 < davidebeatrici> Certainly not me
12:32 -!- davidebeatrici was kicked from #openvpn by ecrist [GTFO]
12:33 < DArqueBishop> Maybe he should have picked the nick "robinhood".
12:33 <@ecrist> lol
12:34 < davidebeatrici> Seriously? You kicked me without even asking me to leave?
12:34 < davidebeatrici> I would've left if you asked me
12:34 -!- davidebeatrici was kicked from #openvpn by ecrist [and I'll do it again]
12:35 < davidebeatrici> What's your problem? Everybody has its own opinions
12:35 < davidebeatrici> I didn't say that stealing is right
12:36 < davidebeatrici> I said that in that case it's like if they are stealing money from the users. Do you know how many 45 euros per month are for such a connection?
12:36  * ecrist waits for a compelling reason to not ban you
12:37 < davidebeatrici> Here where I live, there aren't better connections
12:37 < davidebeatrici> The maximum I can have is their 12.5/0.8 connection, which should be a 20/1
12:37 < davidebeatrici> LTE, instead, works really really well
12:37 < davidebeatrici> But they don't offer any kind of unlimited data plans
12:38 <@ecrist> that doesn't make it OK to steal the bandwidth.  We're not interested in helping you with that.
12:38 < davidebeatrici> OK, I can understand that
12:38 <@ecrist> So, 1) we've told you your problem isn't with OpenVPN  2) You're trying to steal service.
12:38 <@ecrist> We don't support either of those items.
12:39 <@ecrist> For the first, we even have a factoid.
12:39 <@ecrist> !notovpn
12:39 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
12:39 < davidebeatrici> I thought that the TCP protocol was the problem, that's why I initially thought it was OpenVPN's fault
12:40 <@ecrist> !tcp
12:40 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
12:40 <@ecrist> I told you that, too.
12:40 <@ecrist> Now, kindly fuck off. :)
12:41 < davidebeatrici> What kind of connection do you have and how much do you pay?
12:41 < davidebeatrici> Trust me, if you had my connection, you would probably think to do what I'm doing
12:42 < davidebeatrici> You clearly don't know how it feels to take 16 hours (yes, hours) to upload a 2.5 GiB file
12:43 <@ecrist> you missed that last part
12:43 <@ecrist> 12:40:41 <@ecrist> Now, kindly fuck off. :)
12:52 < styler2go> Hey everyone. I changed from tun to tap and the connection works but i can't connect from my windows system to my linux system anymore. is there any additional thing i need to change except for the ovpn config?
13:00 < DArqueBishop> Just out of curiosity, why did you switch to tap?
13:00 < styler2go> I wanted to be able to use UPnP services over vpn
13:03 < hyper_ch> isn't upnp really evil?
13:04 < styler2go> No it's a friend of mine :<
13:05 < styler2go> anyway, i'll change it back to tun
13:06 < DArqueBishop> If you have to use tap, you have to reconfigure the server to bridge the VPN and ethernet adapters.
13:07 < MacGyver> Or to route between them.
13:18 <@ecrist> Some of!tunortap
13:18 <@ecrist> grr
13:18 <@ecrist> !tunortap
13:18 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
13:18 <@vpnHelper> rooted/jailbroken) support only tun
13:18 <@ecrist> styler2go: see that above
13:18 <@ecrist> UPnP doesn't need tap
13:19 < styler2go> Oh yeah, i once tried playing through tun.. Now i know why it didn't work
13:19 < styler2go> So tap is more difficult to set tup because i need to set routes etc.?
13:19 < styler2go> i just changed back to tun and everything works like always again
13:20 <@ecrist> tap has a lot more implications.
13:20 <@ecrist> also, mobile devices don't have a tap driver
13:20 <@ecrist> so, tap is no-go on mobile
13:20 < styler2go> let's say i have tun on my server
13:20 < styler2go> but two clients with tap
13:20 < styler2go> does that work?
13:21 <@ecrist> no
13:21 <@ecrist> everyone has to use the same adapter type
13:21 < styler2go> i see
13:49 < styler2go> different question: i have an ip camera which does not support vpn settings. Is there any way to bring it into vpn anyway? my router doesn't support openvpn either
13:55 < troulouliou_dev> hi when i maunch openvpn from a commercial provider i creates a tun iface and add a route to the tun iface with a lower metric. However i don't see any source nat rules in netfilter
13:55 < troulouliou_dev> is it an internal behavior from tun interfaces ?
14:15 < skroon> hi all
14:47 < Yiota> how would I go about routing all traffic from my openvpn server with destinations in 192.168.4.0/23 through the tunnel?
14:47 < Yiota> I tried sudo route add -net 192.168.4.0/23 gw 10.8.0.1 dev tun0 but I can't reach the other side
15:47 <@ordex> Yiota: ?
15:47 <@ordex> can you rephrase a bit
15:48 <@ordex> where is 192.168.4.0/23 located?
15:48 < Yiota> our office network
15:49 <@ordex> Yiota: yeah, I mean, it is behind a client ?
15:49 < Yiota> yes
15:49 < Yiota> our router is literally a ovpn client
15:49 <@ordex> ah ok
15:49 <@ordex> !clientlan
15:49 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
15:49 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
15:49 <@ordex> check that ^^
15:55 < Yiota> so I should just modify the route to whatever the subnet defined is?
15:55 < Yiota>     "subnet": "10.8.0.0", so in this case it should be "10.8.0.0 255.255.0.0", ?
15:55 <@ordex> there are a number of steps described above
15:55 <@ordex> I don't know which one you are talkingabout
15:55 <@ordex> *talking about
15:56 < Yiota> the first step - setting up the route
15:56 < Yiota> Did you give the server and clients a route to the client lan?
15:56 <@ordex> yeah they all need a route for thet LAN that goes to tun0 (or whatever the interface is called)
15:57 <@ordex> you can push that to clients if you want, so it gets setup automatically
16:05 < Yiota> what im really asking is do i need to set up routes manually to route traffic to 192.168.4.0/23 manually via ip route add
16:05 < Yiota> (on the openvpn server)
16:05 < Yiota> here - does push route only set up routes for clients?
16:10 <@ordex> push is to send a config option to the clints, yes
16:10 <@ordex> you can have one push "route ..."
16:10 <@ordex> and one route
16:10 <@ordex> the latter would work on the server
16:10 <@ordex> the former would send it to the clients
16:11 <@ordex> but then you need the iroute too
16:12 <@ordex> Yiota: ^^
17:21 < watom> hey. in my lan i usually use computer hostnames to connect to hosts since my router is the dns server and translate em
17:21 < watom> can i do something similar in a vpn?
17:22 < watom> it's kinda uneasy to use 10.8.0.x as examples instaed of just idk hostname.vpn
17:22 < watom> i know i can use /etc/hosts but i'm asking if openvpn support some kind of name resolution of the vpn clients
17:46 < meffe> ok.. so i got a question - i believe "everything" is working as it should with my openvpn server, except when connecting to it with my tunnelblick client from my macbook pro.. or, it works - and whatsmyip.org tells me my ip is the ip of the vpn server.. now to my problem, when i ssh in to the server which is running the vpn, when im connected to the vpn - i still connect with my "normal" ip.. but when i
17:46 < meffe> ssh anywhere else, i have the ip of the vpn. if i ssh in to my server from my mobile, while connected to the vpn - im connecting with the tunnel ip (10.8.0.x).. what's going on here, what am i missing?
17:54 < meffe> super weird.. when im running a traceroute to the server im running the openvpn on (not the ip im getting with the vpn, i have 2 ips on the server), it's not going through the vpn - its going to my router then hops away.. but if i traceroute another server, the first hop is through the vpn..
17:54 < meffe> what's going on?
18:27 < meffe> im pretty sure its not working as it should ..
18:27 < meffe> ill come back later.
21:05 -!- abenz_ is now known as abenz
22:22 < jpwhiting> ok, signing, I have a self signed cert on windows in a pfx file generated like this: http://www.itprotoday.com/management-mobility/creating-self-signed-certificates-powershell
22:23 < jpwhiting> building tap-windows6 builds, but I can't seem to figure out the right --cert or --cert-file arguments to get a signed tap adapter with .cat file
22:23 < jpwhiting> SignTool keeps saying Error: IsDiskFile() failed.
22:45 < Eugene> meffe - yup, intended behaviour. When using redirect-gateway, the IP of the VPN server itself is not routed through the tunnel. Because otherwise how would traffic get through the tunnel?
22:46 < Eugene> jpwhiting - why are you building from source instead of using the Windows packages? See also #openvpn-devel
22:46 < jpwhiting> Eugene: the guy I'm doing this work for wants his own tap adapter to not conflict with openvpn's tap adapter
22:47 < jpwhiting> it's silly, but so is he :/
22:47 < Eugene> Charge him more.
22:47 < jpwhiting> the OemVista.inf files in tap-windows6 make it seem so easy to just change the name in a few places and go
22:47 < jpwhiting> but it doesn't generate a .cat file if I don't add --sign
22:47 < jpwhiting> yep
22:47 < Eugene> But seriously though, that's a dev question.
22:47 < jpwhiting> yep, gotcha, thx
22:47 < Eugene> Sure. Good luck.
23:16 < watom> hey again. is there in openvpn a dns resolution for hostnames?
23:19 < Inst> so...
23:20 < Inst> i'm in china and using some third party VPS that's giving me a headache
23:20 < Inst> erm, VPN
23:20 < Inst> I'm thinking about going back to my old VPS VPN set-up
23:20 < Inst> using a japanese server
23:20 < Inst> beut i need to configure obfsproxy to get it to work
23:50 < miroesq> I've been using openvpn to connect to my router in Egypt using openvpn on my iphone and computer for a couple of years now, but recently, the government has been cracking down with dpi to stop vpn. The strange problem now is that I am able to connect with my computer, but not my iphone. I haven't changed any settings and have no idea what is going on for the life of me so am not sure if this has something to do with the crackdown or what.
23:57 < InstX1> miroesq:
23:57 < InstX1> it's probably that they run DPI on your cell isp, but not your computer isp
23:58 < miroesq> InstX1: I thought that may be the case, but I am trying to connect using my phone on my wifi local network.
23:58 < InstX1> ah
23:59 < miroesq> I just connected now using teh phone, but if I disconnect, I may have to try literally 50 times before it connects again. Just don't get it. Even using 3 different iPhones
--- Day changed Fri Nov 10 2017
00:58 < watom> so the only way to refer to vpn clients with names is /etc/hosts?
02:35 <@ordex> ecrist: if you want bridging, you don't know what you are doing :D:D:D
02:36 <@ordex> ecrist: you should have added "and you should be punished"
04:27 < meffe> Eugene: oh lol :D i didnt think of that haha.
04:28 < meffe> but one thing though.. when im connecting to the vpn from my mobile, and sshing to the server of the vpn - im connecting from 10.8.0.x - not my mobile wan ip
05:26 -!- abenz_ is now known as abenz
07:11 <@ecrist> meffe: it depends on which IP you ssh to
07:11 <@ecrist> if you SSH to the server VPN IP, then yes, otherwise you'll connect from your public IP.
07:13 < meffe> i can't ssh to the server vpn ip, thats the thing.. also, i have my ssh sites pre-set on both my mac and my mobile
07:13 < meffe> but now when i try to reproduce, im not able too
07:13 < meffe> super weird
07:13 <@ecrist> meffe: sometimes, after the VPN server process has started, you need to restart sshd
07:16 < meffe> nah, its not it. ive configured sshd to only listen on a specific ip - not on all interfaces and ip's
07:18 < meffe> thats what makes it so very very strange
07:18 <@ecrist> Is the IP it's listening on a VPN IP?
07:20 < meffe> no
07:21 <@ecrist> is the IP routed over the VPN?  Is it the public IP of the server?
07:22 < meffe> its one of the public ip's of the server, yes
07:55 -!- albech1 is now known as albech
09:18 < meffe> ok, next question. if anyone could point me in a direction with information -- about how to make the vpn also share/tunnel the ipv6..
09:19 < meffe> is tap needed then?
09:28 <@ecrist> no
09:28 <@ecrist> !ipv6
09:28 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6, or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ, or (#3) http://xkcd.com/865/, or (#4) to ignore ipv6 from the server see !noipv6client
09:32 < meffe> oh, yeah thats it. thank you!
09:33 < meffe> !vulninfo
09:33 <@vpnHelper> "vulninfo" is (#1) See these factoids for more info about specific vulnerabilities: !heartbleed !poodle !ovpnuke !sweet32 !duhk, or (#2) See here for all security announcements: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
10:17 < ^7heo> So guys
10:17 < ^7heo> when I get Certificate does not have key usage extension
10:17 < ^7heo> Which certificate is it about?
10:17 < ^7heo> the local hone?
10:17 < ^7heo> one
10:18 < ^7heo> the one my client is using to connect?
10:18 < ^7heo> is that one missing options?
10:23 < DArqueBishop> ^7heo:
10:23 < DArqueBishop> !logs
10:23 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
10:24 < ^7heo> DArqueBishop: "Certificate does not have key usage extension"
10:24 < ^7heo> DArqueBishop: "VERIFY KU ERROR"
10:24 < DArqueBishop> ^7heo: " please pastebin your logfiles from both client and server with verb set to 4"
10:24 < ^7heo> yeah that's the same thing.
10:25 < ^7heo> look, if you wanna know what server I connect to, and all, ask politely.
10:25 < ^7heo> I will decline.
10:25 < ^7heo> politely.
10:25 < ^7heo> now, about the error, it's because my certificate is missing the key exchange extensions
10:25 < DArqueBishop> Then we will decline to help you.
10:25 < ^7heo> fine ;)
10:25 < DArqueBishop> !topsecret
10:25 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust., or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
10:25 < ^7heo> so wait
10:26 < ^7heo> I'm providing you with enough information to help
10:26 < ^7heo> and you're hiding incompetence behind !topsecret?
10:26 < ^7heo> nice
11:41 < sYnfo> Hey, I'm trying to set up OpenVPN so that I can access our internal network in google cloud without having to expose it to public too much. I've followed the tutorial at https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04, and I have generated an .ovpn file, but when I try to import it into Tunneblick it complains that it's missing ta.crt
11:41 < sYnfo> AFAICS ta.crt wasn't even generated on the server
11:42 < sYnfo> I'm I doing something wrong?
11:43 < DArqueBishop> sYnfo: that's... definitely odd. Can you post the ovpn to a pastebin?
11:44 < DArqueBishop> You're right in that a ta.crt would not be generated.
11:45 < sYnfo> Sure, give me a second
11:46 < sYnfo> https://gist.github.com/sYnfo/260d1c9980ec205e7ae96af34ebda24a
11:46 <@vpnHelper> Title: gist:260d1c9980ec205e7ae96af34ebda24a · GitHub (at gist.github.com)
11:47 < DArqueBishop> That looks right to me.
11:47 < sYnfo> Hmmm
11:47 < DArqueBishop> Admittedly I haven't used Tunnelblick in a decade or more so I don't know if it's a bug specific to it.
11:47 < DArqueBishop> !tunnelblick
11:47 <@vpnHelper> "tunnelblick" is http://www.tunnelblick.net - Free OpenVPN GUI Client for Mac OS X
11:48 < DArqueBishop> Damn - was hoping the factoid would point to a Tunnelblick channel or something.
11:48 < sYnfo> Tunnelblick says line no 108 leads it to the ta.crt
11:48 < sYnfo> tls-auth ta.key 1
11:48 < sYnfo> FWIW
11:49 < DArqueBishop> Wait!
11:49 < DArqueBishop> I see the issue.
11:49 < DArqueBishop> Uncomment that line.
11:50 < DArqueBishop> If you have it embedded and key-direction set, you don't need "tls-auth ta.key 1" as well.
11:50 < sYnfo> Let's see
11:50 < DArqueBishop> Sorry, I meant COMMENT out that line.
11:50 < sYnfo> Right :)
11:52 < sYnfo> Yup! That helps, thank you. Now let's see if it's configured correctly...
11:52 < DArqueBishop> You're welcome. :-)
11:54 < sYnfo> The tutorial also calls for setting key direction to 0 on server and 1 in the .ovpn. Does that make sense?
11:54 < sYnfo> Because I am getting errors
11:54 < DArqueBishop> Yes, that's correct.
11:54 < sYnfo> OpenSSL: error:0BFFF074:x509 certificate routines:CRYPTO_internal:key values mismatch
11:54 < sYnfo> Error: private key password verification failed
11:55 < DArqueBishop> Was the key generated with a password?
11:55 < sYnfo> No, I left the pw empty
11:55 < DArqueBishop> Hrm.
11:56 < sYnfo> There's also 2017-11-10 18:52:52 Cannot load private key file [[INLINE]]
11:57 < DArqueBishop> Weird. Are you sure the contents of the in-line key file match the actual key file?
11:57 < sYnfo> I'll take a look
11:58 < sYnfo> matt.key and <key> in matt.ovpn are identical according to diff
12:50 < Yiota> hi! I finally got my openvpn server to talk to our lan here at the office. However I want to forward all traffic on all ec2 instances in the VPC through the openvpn server (ec2 box) to our lan. how can I accomplish this?
13:00 < Yiota> nevermind. it was source/destination check on the openvpn box
13:34 < meffe> is it possible that the tun0 and openvpn server have messed with the routing and what not on my server.. i need to figure out what's causing my problems atm.. ive got 2 public IP's on the server, both with rDNS.. and now im not able to set one of my hostnames on my eggdrops nor in irssi - it automatically goes for the other hostname.. if i down the interface with the other IP, i get the the hostname i
13:34 < meffe> couldnt get before.. i didnt have this problem before.. and when i change the routing from the one ip to the other, its just the same thing but reversed..
14:14 < arij> hello
14:17 < meffe> ok, i now know what the problem is - but im no closer to a solution -- since the obvious way of solving it, doesn't work
14:18 < meffe> so if anyone have any experience with firewalld and openvpn server, please let me know
15:09 < meffe> i give up
15:09 < meffe> ive tried almost everything - the other options i would need help to figure out
15:14 < Eugene> meffe - a large part of openvpn usage is for routing, so yes, it is definitely possible. I am not seeing what you're seeing, so we can't really say what is going on in your server exactly.....
15:14 < Eugene> !configs
15:14 < Eugene> !logs
15:14 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
15:14 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
15:14 < Eugene> A good start to getting help ^
15:15 < Eugene> !ask
15:15 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
15:15 < Eugene> Perhaps you should start with what you're doing, more details on your setup(IP addresses are very handy), etc
15:20 < meffe> i know what the problem is, but i dont know how to get around it.. the logs wont provide you with any information usable in  this matter.. but sure, i can start over and try to explain to you what's going on
15:20 < Eugene> So if you know what the problem is, why are you here? ;-)
15:20 < meffe> ?
15:20 < meffe> i told you
15:21 < meffe> nvm.. ill come back at another time
15:22 < Eugene> Good luck!
15:26 < meffe> good luck with coming back at another time? sure, thanks.
15:30 < rob0> ?
--- Day changed Sat Nov 11 2017
03:02 < dakar> im running openvpn to let users connect from outside to the local network, it puts them on some 10.8.0.0/24 subnet, and push route 192.168.1.0/24 through the router
03:03 < dakar> now i want to create another subnet (other than the 10.8.0.0/24) that will allow a _different set of users_ to connect from the outside, but this time have them on their subnet and isolate them from any other network
03:03 < dakar> what's the best approach?
03:05 < dakar> i'm starting to think it might be a good idea to just run a completely new instance of openvpn for that isolated network
08:12 < meffe> ok, so i wrote down my question in a pastebin - i also included a link to a demonstration video. i really hope there's someone that know how to fix this, that maybe have had the same problem - i mean, i can't be the only one with more then 1 public ip, and running firewalld and a openvpn server
08:12 < meffe> https://paste.meffe.se/raw/marimajexa.sql
08:22 < rob0> MASQ is a simplified version of SNAT.  If you need to specify the new source IP address, you must use SNAT.  No, I can't help with firewalld; we in #Netfilter would suggest that you get rid of it and use a simpler ruleset.
08:25 < meffe> thats the thing, i dont want to get rid of it - if i dont really need to..
08:25 < meffe> there must be a way of doing it, but yeah, i need someone with knowledge of firewalld
08:26 < meffe> and i dont know here to find someone like that
08:29 < hyper_ch> I still fail to comprehend the actual problem
08:29 < meffe> rob0: but i still want to know, what are you suggesting if i do get rid of firewalld.. to just run iptables?
08:30 < meffe> hyper_ch: did you watch the movie
08:30 < hyper_ch> no
08:30 < meffe> do that, that might tip you over the edge so to speach
08:30 < meffe> speak
08:31 < hyper_ch> no thx
08:33 < meffe> why are you even saying you still dont comprehend the actual problem then, if you dont want to know?
08:33 < hyper_ch> I fail to see why I should watch a video
08:35 < meffe> cause you dont understand?
08:36 < meffe> i cant explain it better then i did in the text, english isnt my native language - that's why i did a video too.. duration 1min37sec.
08:43 < `mist> heya fellas. I've just moved all my config to a brand new machine and after starting openvpn it doesn't do anything. Doesn't seem like the config is picked up whatsoever
08:43 < `mist> previous machine was running ubuntu 14, am now running 16
08:43 <@dazo> meffe: try checking it out in #firewalld
08:44 < `mist> the log literally only says "Openvpn has started" and then nothing. I've bumped verbosity in the config to 7 but as it is not being loaded that really doesn't matter
08:44 <@dazo> !ubuntu
08:44 <@vpnHelper> "ubuntu" is dont use network manager to configure your vpns! get it working via commandline and then import to network manager if you want to use it.
08:44 <@dazo> nah
08:44 <@dazo> !systemd
08:44 <@vpnHelper> "systemd" is (#1) Most systemd based distros package the upstream OpenVPN openvpn-server@.service and openvpn-client@.service unit files. Use those instead of the distro provided ones (openvpn.service, openvpn@.service), as they too often work poorly., or (#2) Unfortunately, Debian have added some weird OpenVPN systemd integration trying to simulate how things worked before systemd arrived. These
08:44 <@vpnHelper> approaches often causes more confusion, so _do_ consider #1 carefully.
08:44 < `mist> Nov 11 15:31:24 lime systemd[1]: Starting OpenVPN service...
08:44 < `mist> Nov 11 15:31:24 lime systemd[1]: Started OpenVPN service.
08:44 <@dazo> `mist: ^^^^ that should give some clues .... together with https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/README.systemd
08:44 <@vpnHelper> Title: openvpn/README.systemd at master · OpenVPN/openvpn · GitHub (at github.com)
08:45 < `mist> ah
08:45 < `mist> thanks dazo
08:45 <@dazo> yw!
08:46 <@dazo> !learn systemd as Also see this README for OpenVPN + systemd: https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/README.systemd
08:46 <@vpnHelper> Joo got it.
08:46 <@dazo> !systemd
08:46 <@vpnHelper> "systemd" is (#1) Most systemd based distros package the upstream OpenVPN openvpn-server@.service and openvpn-client@.service unit files. Use those instead of the distro provided ones (openvpn.service, openvpn@.service), as they too often work poorly., or (#2) Unfortunately, Debian have added some weird OpenVPN systemd integration trying to simulate how things worked before systemd arrived. These
08:46 <@vpnHelper> approaches often causes more confusion, so _do_ consider #1 carefully., or (#3) Also see this README for OpenVPN + systemd: https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/README.systemd
08:48 < `mist> root@lime:/etc/openvpn/client# openvpn --version
08:48 < `mist> OpenVPN 2.3.10
08:48 < `mist> so i'm not running 2.4 as i assume it has not been put into the xenial repo yet
08:49 < hyper_ch> I doubt it'll ever be put there
08:49 < hyper_ch> but it's easy to compile
08:49 <@dazo> we have some repos for that I think
08:49 < `mist> is there a openvpn ppa or repo that i can add?
08:50  * dazo finds some pointers
08:50 < meffe> dazo: yeah i am, or i have been for a while.. still waiting for an answer. thanks
08:50 < rob0> dakar, probably right, and don't use --client-to-client on either instance if you need to control access with a firewall.
08:50 <@dazo> `mist: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
08:50 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
08:50 < `mist> k i'll try that version
08:56 < meffe> rob0: when you said you guys in #netfilter recommended me to drop firewalld, and go for a more simple ruleset.. may i ask what you had in mind?
08:57 < `mist> good news, tunnel came up. Bad news, it required me putting the config files in /etc/openvpn/<files> and not in the directory like the readme
08:57 < `mist> also i forgot to add a route to my local network... =D
08:58 < hyper_ch> dazo: never knew about the repos.... why didn't you ever tell me?
09:00 < rob0> meffe, the /topic in #Netfilter would be a good place to start.  Frontends like firewalld are supposed to simplify things for the end user, but they do so through horribly complex rulesets.  A simple ruleset might end up being easier overall.
09:01 < rob0> Now, firewalld claims system integration, such that you activate a service and it should automatically adjust firewall rules for you.
09:01 < rob0> I personally would not want that, but some see it as useful.
09:01 < havoc> I like shorewall
09:02 < hyper_ch> krzie: https://arstechnica.com/information-technology/2017/11/russia-linked-fancy-bear-attacks-abuse-macro-less-ms-word-to-infect-pcs/  good that I've been using LO for years
09:02 <@vpnHelper> Title: New Microsoft Word attacks infect PCs sans macros | Ars Technica (at arstechnica.com)
09:04 < rob0> I respect shorewall, but what I say about firewalld is mostly applicable there too (except the system integration.)
09:04 < meffe> rob0: right.. thank you
09:05 < havoc> rob0: shorewall also provides ready-to-run examples for 1, 2, and 3 iface setups
09:05 <@dazo> hyper_ch: you never asked!! ;-)
09:05 < meffe> i feel that "all" i need to figure out, is how to setup the SNAT correctly, instead of using MASQ. i think that will solve it, since it focus on one ip instead of the whole interface..
09:06 < hyper_ch> dazo: see also linke above :)
09:06 < meffe> but i will take your advice into consideration.. i will give up at some point
09:08 <@dazo> firewalld as it is today mostly makes sense on desktops/laptops and servers providing specific servers .... on routers/firewalls firewalld is not the right tool
09:09 < meffe> sure.. but i dont run it on a router/firewall
09:10 < meffe> i believe the masquerade is the problem, since it's applying to the interface itself, and not a specific IP. but ill find out soon enough - i have some reading ahead of me
09:16 <@dazo> masquerading/nat is a hack ... it's bad on routers/firewalls .... anywhere else it is even worse
09:19 < meffe> then how am i supposed to get the openvpn to work?
09:20 < meffe> ive not seen anything suggesting something else - nothing..
09:26 < meffe> i found *something* now, it looks promising. pray for me :) ill be back with the results..
09:32 < meffe> sucess
09:32 < meffe> s/sucess/success
09:36 < meffe> i actually did the right thing before, by splitting up the interfaces into different zones, and enable the masquerade in the zone with the tun0 interface. but what i didnt do was to add 'firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $DEV -j MASQUERADE" where $DEV is the wan interface..
09:43 < meffe> im still going to take rob0's advice, and begin to work on a smooth transition.. i can't believe there wasnt more information out there regarding my issue.
09:58 < meffe> oh lord :( next problem.. apparently that line is bypassing my default zone, so now i cant get in to the server - even though the public zone is still default, and all the ports should be open
10:24 < meffe> ok, solved again. this was a one man show - im sorry
10:31 < memo1> Hi, in my gateway, connected to a openvpn server, have a destination 0.0.0.0/1.   Whats that mean=
12:09 <@dazo> memo1: you will also notice you have 128.0.0.0/1 too .... together with 0.0.0.0/1  that results in a default gateway without not removing the original default gw
12:09 <@dazo> so if OpenVPN crashes ... you will still retain internet connectivity
12:09 <@dazo> s/without not/without/
12:12 < havoc> the two /1's trick, I use/have used that
12:17 < memo1> dazo: Thank you.  All my traffic form my gateway leave through the openvpn tunnel, except when i do ssh to some server, why?
13:10 < rob0> !def1
13:10 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
13:15 < havoc> when I started using the /1 trick, def1 didn't exist yet
13:16 < havoc> >10yrs ago, at least
14:36 -!- abenz__ is now known as abenz
16:40 -!- mattock2 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
16:40 -!- mode/#openvpn [+o mattock2] by ChanServ
17:11 < sunrunner20> whats the lightest CPU load openVPN config that's still reasonably secure
17:12 < sunrunner20> not concerned about state actors
17:12 < sunrunner20> just your run of the mill hacker
17:18 -!- mattock2 [~mattock@openvpn/corp/admin/mattock] has quit [Quit: IRC for Sailfish 0.9]
17:25 < sunrunner20> got it
17:25 < sunrunner20> dh 2048 blowfish 128
18:08 < pinky> hey is it possible to use a cert type server for both clients and servers?
18:31 < arij> i just set up openvpn-as docker container and everything seems right but i keep getting timed out when trying to connect but when im trying to connect and i click on "current users" in the admin panel i see a connection
18:31 < arij> i asked in openvpn-as but havent received a response in a few days
18:36 < CygniX> does the openvpn for android support ec cert?
18:36 <@krzie> !certverify
18:36 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt, or (#2) also make sure you use the same ca.crt on both sides by checking their md5
19:17 < pinky> hmm on both client and server i can see i have TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 when running openvpn --show-tls yet i can't force that on the server .. LS error: The server has no TLS ciphersuites in common with the client.
19:17 < pinky> if i comment the tls-cipher on the server it works
19:23 < pinky> ah i guess the naming is just different? ECDHE-ECDSA-AES256-GCM-SHA384 works
19:23 < pinky> but i don't see that in show-tls :)
19:37 < pinky> https://github.com/libressl-portable/openbsd/issues/79
19:37 < pinky> hmm
19:37 <@vpnHelper> Title: SSL error with a ecc secp521r1 key · Issue #79 · libressl-portable/openbsd · GitHub (at github.com)
21:37 -!- abenz__ is now known as abenz
--- Day changed Sun Nov 12 2017
01:17 < CygniX> can both tls-auth and tls-crypt be used or, it's either or?
01:19 -!- abenz_ is now known as abenz
01:21 < CygniX> seems like it's either or from what I can gather
01:40 -!- piklu is now known as JihanHu
03:29 < sanderjuki> !welcome
03:29 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
03:29 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
03:30 < sanderjuki> !route
03:30 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
03:35 < sanderjuki> I upgraded to Debian Stretch a few weeks ago and since then I broke internet access in OpenVPN. (I'm ussing tun)
03:36 < sanderjuki> I may have found a clue: is tun0 supposed to get an IP address? At this moment it gets none...
03:36 < sanderjuki> ifconfig shows no "inet..." line
03:37 < sanderjuki> and when stopping OpenVPN, I get this error:
03:37 < sanderjuki> ovpn-server[15444]: Linux ip addr del failed: external program exited with error status: 2
03:41 <@ordex> sanderjuki: are you dropping priviledges to another user ?
03:42 <@ordex> you normally do that with the 'user xxx' statement in your config
03:42 <@ordex> if you do that, then the error on stop is normal because that user is not allowed to modify interfaces. nothing to worry about generally
03:42 < sanderjuki> yes, to user nobody
03:43 <@ordex> yeah, then the message at stop is ok
03:43 < sanderjuki> and is it normal that my tunnel device gets no IP?
03:43 <@ordex> can you paste the log of the client with verb 4?
03:43 <@ordex> no
03:43 <@ordex> it is not
03:43 <@ordex> !logs
03:43 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
03:49 < sanderjuki> what information should I be looking at? I am connecting using OpenVPN Connect on my smartphone and it does not seems to be possible to copy the logs.
03:50 < sanderjuki> verb is set to 3 btw in my .ovpn client config
03:52 < sanderjuki> I see a line "Connected via tun"
03:54 < sanderjuki> and then EVENT: CONNECTED <snip> on tun/10.8.0.6/ gw=[10.8.0.5/]
03:55 < sanderjuki> that looks ok to me, isn't it?
04:09 < sanderjuki> I created a new profile for my client with verb 4, but it neither shows anything unusual
04:18 < sanderjuki> ordex: tcpdump -i tun0 on the server shows that the client is correctly connected and issuing DNS lookups
04:19 < sanderjuki> so, it must be a server side issue
04:22 <@ordex> sanderjuki: how can the client send DNS requests if it does not have an IP ?
04:24 < sanderjuki> it has IP 10.8.0.6
04:24 < sanderjuki> but tun0 does not get an IP
04:26 < sanderjuki> so all traffic does not reach destination
04:40 < sanderjuki> with openvpn --remote CLIENT_IP --dev tun1 --ifconfig 10.9.8.1 10.9.8.2 I get no IP neither, but I DO get one when testing the same command on my desktop
04:52 < sanderjuki> ordex: I got it working, but maybe found a bug or misconfiguration somewhere...
04:53 < sanderjuki> service openvpn start && ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2 && ip route add 10.8.0.0/24 via 10.8.0.2
04:54 < sanderjuki> for some unknown reason these commands are not well executed by OpenVPN or Debian
04:55 < sanderjuki> can NetworkManager be the culprit?
04:58 < sanderjuki> can this output mean NetworkManager breaks my OpenVPN setup?: https://pastebin.com/zk1hsz0N
05:11 <@ordex> sanderjuki: nope, I don't see any problem in that chunk
05:12 < sanderjuki> any idea where I have to look for the problem?
05:12 <@ordex> sanderjuki: how about sharing the log first?
05:12 <@ordex> :D
05:12 <@ordex> that's where the search starts
05:12 <@ordex> based on that then we can think about what to do next
05:13 <@ordex> and the config used by the client too
05:13 <@ordex> !configs
05:13 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
05:44 < sanderjuki> ordex: I don't see how the client logs would help; all is fixed when I manually run "ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2 && ip route add 10.8.0.0/24 via 10.8.0.2" on the server
07:17 < sanderjuki> ordex: I disabled network-manager and the issue remains, so it will not be the culprit
07:17 < sanderjuki> This is the startup log: https://pastebin.com/iTnuA8uc
07:18 < sanderjuki> as you see it says the 3 commands "ip link", "ip addr" and "ip route" are executed
07:19 < sanderjuki> However, when I verify tun0 did not got an IP address.
07:19 < sanderjuki> So this failed for some reason without giving any clue that it failed.
07:20 <@ordex> sanderjuki: weird, if it fails it definitely prints something. are you sure there is no udev rule cleaning that up ?
07:25 < sanderjuki> I checked all files in /etc/udev/ and all looks normal
07:45 < sanderjuki> more ideas?
08:24 < sanderjuki> I give up, to make it work, I just add /etc/openvpn/dirty-workaround.sh to /etc/network/if-up.d/openvpn
09:01 -!- P1ro_ is now known as P1ro
11:46 < specing> Hi
11:47 < specing> I'm getting "...was signed using an insecure algorithm" for certificates signed with easy-rsa
11:47 < specing> Any news on this?
11:48 <@ordex> specing: you are probably signing your certificates with MD5, are you?
11:49 < specing> I'm not sure, was using defaults
11:50 <@ordex> actually, it could even be sha1 I think
11:50 < specing> I know that a collision for sha1 was found a year or so ago
11:50 <@ordex> we have a patch on the ml which will allow users to use "insecure" signatures like md5 and sha1, but if you are the server admin, you should really consider switching to something stronger
11:50 < specing> I would
11:50 < specing> but how?
11:50 <@ordex> both sha1 and md5 are not allowed by mbedTLS by default
11:51 < specing> if the default is sha1...
11:51 < specing> why is the default sha1?!
11:51 <@ordex> you have to regenerate the certificates specifying a different signing algorithm
11:51 <@ordex> you are probably using an old version of easy-rsa?
11:51 <@ordex> I recently used easyrsa3 and the default is sha256
11:51 < specing> maybe, I think 3.0.1 was the latest
11:55 < specing> default_md = $ENV::EASYRSA_DIGEST in openssl config
11:58 <@ordex> yap, in the easyrsa script you have that variable being set, I think
11:58 <@ordex> that's how i found the default last time
11:59 <@ordex> easyrsa3/easyrsa:1067:	set_var EASYRSA_DIGEST		sha256
11:59 <@ordex> and you can tweak that with the --default-md=$whateveryouwant command line argument
12:00 < specing> its sha256
12:01 < specing> perhaps I didn't regenerate since last update
12:01 <@ordex> how are your certificates signed then?
12:01 <@ordex> could be
12:01 <@ordex> you can check with the openssl command
12:01 <@ordex> I think something like: openssl x509 -in $certificate_path -text
12:01 <@ordex> and then look for Signature Algorithm (iirc)
12:02 < specing> sha256WithRSAEncryption
12:02 <@ordex> then it looks good
12:02 <@ordex> how about the server ?
12:03 <@ordex> if it's the client printing the message, then it's the server certificate being rejected
12:03 < specing> the same, sha256
12:04 <@ordex> then maybe you should paste the full log somewhere, so we can better look at the entire thing
12:04 <@ordex> !logs
12:04 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
12:04 < nado> hi
12:05 < nado> by switching from debian to a gentoo server, i realized that the "log/log-append" config lines were now executed *after* the --cd directive
12:05 < nado> whyle on the debian server, the --cd directive was executed before trying to open the logfile
12:06 < nado> this gave me some hard to understand errors
12:06 < nado> can anyone point me to an explanation about this ?
12:06 < nado> version 2.4.0 on debian and 2.4.4 on gentoo
12:07 <@ordex> weird
12:08 <@ordex> nado: do you only use --cd or you also use chroot or something affecting folders?
12:08 < nado> no, simply --cd, set by the init service on openrc
12:09 < nado> giving something like openvpn --cd /etc/openvpn /etc/openvpn/openvpnservice.conf
12:10 < nado> making it short, i had "log-append yggdrasil/yggdrasil.log" yggdrasil being my openvpn name, and it didnt work, although /etc/openvpn/yggdrasil/yggdrasil.log was given correct permissions, i had to check strace to observe that the log line was executed *before* the --cd directive
12:11 < nado> so now i have to use absolute path, not an issue, but still really weird
12:11 < specing> ordex: all is fine, the problem is somewhere in Portage
12:11 <@ordex> specing: ah ok!
12:11 < specing> it works fine when I call wget manually with the CA cert
12:11 < nado> oh, right i didnt even check bugs.gentoo.org
12:11 <@ordex> nado: I am wondering if that can work. Normally when you specify arguments on the command line you would use "--config $configfile --someoption ..."
12:12 -!- JihanHu is now known as piklu
12:13 < nado> ordex, oh, no the log-append command was in the config file
12:14 < nado> sorry if im not clear
12:14 < nado> the --cd is written in the init script
12:14 < nado> and the log-append in the config file
12:14 <@ordex> nado: yeah I understand, I was wondering if the "--cd" is interpreted at all without having "--config" infront of the config file
12:14 <@ordex> but probably it is
12:14 < nado> yes it is, it works for my certs/keys
12:15 < nado> in the strace it was done after the chdir and used the path "yggdrasil/filename"
12:15 < nado> and didnt fail, so it did change dir
12:15 <@ordex> yeah
12:15 <@ordex> just checking the code now: the cd is performed right when the --cd option is parsed
12:17 < nado> and the log ?
12:17 < nado> is the --cd parsed first ?
12:17 <@ordex> the log is opened afterwards
12:17 <@ordex> yeah, it's first on the command line
12:17 < nado> hmm
12:18 < nado> i'll try to reproduce it on my workstation instead of doing it on my server
12:18 <@ordex> k
12:18 < nado> probably not tonight
12:18 < nado> i still have work for tomorrow
12:18 < nado> but thanks for taking a look
12:37 <@ordex> np!
13:50 <@plaisthos> CygniX: kind of
13:51 <@plaisthos> CygniX: if you try to put them in android keystore it breaks, otherwise ec certs work fine
17:26 < pinky> anyone know anything about the openvpn connect iphone app?
17:26 < pinky> trying to use it with elliptic curve
17:27 < havoc> iphone can only do hexagons
17:28 < pinky> lol
21:14 < Eugene> Thats pretty good
21:26 -!- remirol is now known as lorimer
23:55 -!- abenz_ is now known as abenz
--- Day changed Mon Nov 13 2017
01:17 -!- abenz_ is now known as abenz
02:20 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
02:20 -!- mode/#openvpn [+o novaflash] by ChanServ
02:24 -!- abenz_ is now known as abenz
03:02 < cnythnk> Hello, so I've set up an OpenVPN server it works as it should, routing ipv4 traffic through etc, however when I use OSX (tunnelblick) client I get the "CAN’T ASSIGN REQUESTED ADDRESS (CODE=49" Issue, where I have to flush the routing table on client side. Is there anyway to bypass/fix this on server side?
03:04 < cnythnk> edit: does this issue also appear using the paid version of OpenVPN access client?
03:06 <@ordex> cnythnk: OpenVPN connect for iOS is free (although it's a commercial edition), but I am not aware of such error
03:06 <@ordex> and honestly you are the first to report this error in general
03:07 <@ordex> (at least here on irc)
03:07 <@ordex> therefore I guess there is something on your client triggering the problem
03:08 < cnythnk> The client i'm speaking of is Tunnelblick on OSX desktop. The same issue did appear on two co-workers, which had switched wi-fi (home/office) while the others it still worked (those who didn't bring their laptops home/switched wi-fi). And the only solution I could find were to flush the routing tables on the mac's client-side to be able to establish a new connection through tunnelblick to our OpenVPN server
03:10 <@ordex> cnythnk: oh sorry, I thought you were talking about iOS
03:10 < cnythnk> "UDPv4: Can’t assign requested address (code=49)"
03:10 < cnythnk> Ah no worries :)
03:10 <@ordex> cnythnk: does this happen "always"? or only the first time after switching network/wifi ?
03:11 < cnythnk> first time after switching network/wifi @ordex
03:11 <@ordex> I wonder if osx is caching some configuration that prevents the new connection from working fine
03:11 <@ordex> yeah
03:12 < cnythnk> Right, what I thought also after google the issue people did say it was a 'common issue' with OSX that u'd had to flush the routing tables.. however, not very convient so I did hope someone had a server-side fix for it :P
03:13 <@ordex> eheh would be nice
03:14 <@ordex> the server can't really instruct clients to do that
03:14 < cnythnk> nope and instruct economists, and other co-workers to flush their routing tables.. well :D
03:16 <@ordex> mh..does tunnel blick support client side scripts?
03:16 < cnythnk> hm let me see
03:16 <@ordex> the linux client itself does support them, and you could hook the command to flush the routing table in there
03:19 < cnythnk> @ordex thanks for the tip, will look into that!
03:19 <@ordex> np!
03:45 < cnythnk> Thanks did solve it by adding a pre-connect.sh script which brings down the eth0 flushes routing tables and then brings it up again @ordex
03:46 <@ordex> cool
03:46 <@ordex> so this means tunnelblick supports client side scripts?
03:46 < cnythnk> Correct
03:46 <@ordex> cool
03:47 < cnythnk> 2017-11-13 10:43:49 *Tunnelblick: openvpnstart log:
03:47 < cnythnk>      Executing pre-connect.sh in /Library/Application Support/Tunnelblick/Users/USERNAME/OPENVPNCLIENT.tblk/Contents/Resources...
03:47 < cnythnk>      stdout from pre-connect.sh: Take down en0 interface..
03:47 < cnythnk>      Flush routing tables..
03:47 < cnythnk>      Bring up en0 interface..
03:47 < cnythnk>      Complete
03:47 < cnythnk> Ops haha
08:38 < freenoodle> why can't windows clients reach clients on the subnet by name, even though nslookup for the name does work? It seems nslookup does use the DNS pushed by the server but other clients ignore it. (I have no similar issues on Linux)
09:36 < |Mike|> freenoodle: wins
09:36 < |Mike|> !wins
09:36 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
09:36 < freenoodle> sorry, asking the same question again, as nobody has answered: nslookup resolves local names in the server's subnet, but I can't ping them or reach them with other clients, as they apparently don't use the DNS pushed by the server. Why is that?
09:37 < freenoodle> any more importantly: what can I do to change this? I don't see this on Linux
09:43 < freenoodle> ping with a trailing dot works, but not without
09:54 < rob0> go figure
10:07 < kalipso> hey guys. i wanna sign certificates comming from debian server on my archlinux ca-machine. what i get from the debian server is a *.csr file, but the newer easyrsa tool on arch requires a .reg. does someone knows how to sign them correctly?
10:07 < rob0> Does the name of the file matter?
10:08 < kalipso> maybe not, but isnt the data-structure of both kind of files are different?
10:08 < rob0> anyway, if it does, tell the debian openssl to use a filename of *.req
10:10 < MacGyver> Just try renaming it. If it works, it works, if it doesn't, start digging.
10:11 < rob0> AFAIK openssl does not have any "magic" file extensions that force a file type.
10:13 < kalipso> okay, renamed and import-req then sign-req worked
10:14 < rob0> Also, if the problem is a different version of easyrsa, simply copy the newer easyrsa to the other machine.
10:14 < rob0> (they're just shell scripts)
10:18 < kalipso> rob0: okay i thought that would break some dependencies. i will go for that next time, the differing syntax was a bit confusing :)
10:19 < rob0> just copy it into the CA user's $HOME, it does not need to be installed in a standard place.
10:38 < LaserAllan> hey guys
10:38 < LaserAllan> Is there anyone who has tried using 16k dh keys with openvpn?
10:38 < LaserAllan> I am trying to test it on pfsense but i am getting weird issues
10:40 <@ordex> 16k dh ? :O
10:40 <@ordex> how long does it take to generate them ?
10:40 < LaserAllan> I dont know
10:40 < LaserAllan> But I have a 16 core Xeon
10:41 < LaserAllan> And when i do it in pfsense it takes maybe 10 minutes?
10:41 < LaserAllan> Or pfsense might not be reflecting the reality
10:49 < LaserAllan> ordex: I haven't seen any logs of the key generation so it might be that since the service doesnt' start even when i force it to it might bet hat it stgill ahsn't generetated the key
10:50 < LaserAllan> But i guess it'll take days even with a 16 core Xeon
10:51 <@ordex> honestly I have no clue but it might be
10:51 <@ordex> :D
10:51 <@ordex> with DH it has to find large (almost) prime numbers...and 16k...is just very large imho
10:52 <@ordex> LaserAllan: what is the problem that you are trying to solve? why 16k in the first placE?
10:57 < rob0> also, pfsense, does it have a good hardware source of entropy?  Generally that would come from keyboard & mouse.
13:31 < Eugene> Honesttly, 10 minues is a great time to generate a 16K DH key. I've waited longer for shorter keys on older hardware
13:31 < Eugene> Prime numbers that big take time to crunch
13:38 < BtbN> Isn't the algorithm pretty much just "generate random number, check if prime, if not, retry"?
13:42 < Eugene> You tell me. The rabbit hole starts here. https://github.com/openssl/openssl/blob/master/apps/dhparam.c#L196
13:42 <@vpnHelper> Title: openssl/dhparam.c at master · openssl/openssl · GitHub (at github.com)
13:42 < Eugene> I haven't actually read this section of openssl.....
14:38 < hackz> hi there i need some help about a probs that i got configuring openvpn
14:39 < hackz> Laptop win10 with vmware workstation with a vm Freebsd inside the bhyve i got ubuntu with a openvpn server
14:41 < hackz> Then i set on win10 the client.ovpn the machine connect but i can't get any ineternet access
14:41 < NotSecwitter> i remember a while back I had found a diagram showing the internal traffic flow from application -> vpn client -> internet. I can't find that now... anyone know where to fin dit?
14:45 < DArqueBishop> !redirect
14:45 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
14:45 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
14:46 < hackz> tell me if my config are ok via pastebin
14:48 < NotSecwitter> DArqueBishop: Thanks, but it was not that one. The one I'm looking for went into the networking subsystem and showed at which point on the machine the message was encrypted or not
14:55 < hackz> win10 ip addr  192.168.0.5 vmware(freeBSD)ip addr 172.16.154.129-->bhyve-->Ubuntu ip addr  172.16.154.139 255.255.255.0 tun0 10.8.0.1 255.255.255.255
14:56 < rob0> Eugene, but it would be a shame if you spent 10 minutes generating a 16K DH key with guessable random numbers.
15:25 < hackz> server.conf https://pastebin.com/JAc1ZLEd
15:29 < hackz> and this is the ufw rules https://pastebin.com/SO6qyGmj
15:30 < hackz> sorry the exact link https://pastebin.com/S06qyGmj
15:30 < hackz> i can't paste and copy
15:31 < hackz> via VNC through HexC
15:37 < hackz> do i need to redirect tun0? on ufw
17:09 -!- abenz_ is now known as abenz
23:58 < hyper_ch> krzie: http://www.aviationtoday.com/2017/11/08/boeing-757-testing-shows-airplanes-vulnerable-hacking-dhs-says/
23:58 <@vpnHelper> Title: Boeing 757 Testing Shows Airplanes Vulnerable to Hacking, DHS Says - Avionics (at www.aviationtoday.com)
--- Day changed Tue Nov 14 2017
02:00 < hackz> I'm in this situation, Win10-->VmWare->Freebsd->bhyve->Ubuntu
02:00 < hackz> , i configured an openvpn server on Ubuntu and client openvpn on Win10 the VPN works but no Internet connection
02:04 < hyper_ch> !configs
02:04 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
02:20 < hackz> https://pastebin.com/gX2CESV3 server.conf
02:26 < hackz> https://pastebin.com/2TbERSTH client
02:28 < hackz> openvpn server on an Ubuntu 17 inside a vm of bhyve freebsd of Vmware and client on win10
02:38 < hackz> any tips?
03:42 < nacelle> does the ubuntu server nat the 10.8.0.0/16 into something usable?
03:42 < nacelle> maybe also dont use such a huge range for your clients, but thats not the problem
03:43 < nacelle> also make sure your ubuntu server has ip forwarding enabled
04:32 <@dazo> nacelle: ubuntu (and all other Linux distros for that matter) NATs only the network you tell it to nat
07:10 -!- P1ro_ is now known as P1ro
09:06 < hackz> my ip forwarding is enabled
09:11 < meffe> am i misremembering when i think i've seen a one-liner that strips the commented lines from the config(s), somewhere in here? so you could strip away all the commented lines before putting configs in a pastebin?
09:12 < meffe> nvm found it
09:25 -!- P1ro_ is now known as P1ro
10:42 < nacelle> dazo: right, which is why I was asking in the form of a question that reveals its own answer :-)
10:56 < Yiota> hey guys. I have a router on our office network. I have successfully set up an openvpn server in aws, and set up the client on the router. I'm trying to access the machines on the AWS private subnet. I can ping my desktop from any of the aws boxes but when I try to do the reverse (traceroute the aws private ip the traceroute hangs at the tun0)
10:56 < Yiota> is this something that is solved via the openvpn on the router?
11:07 < Sindar> I'm going to be trying to switch from tap to tun and was wondering if there's any differences in regards to leaking info between the two. Also I had my firewall setup to only allow outbound traffic through the TAP device and am wondering how I'm going to be able to replicate that behavior with TUN...
11:20 -!- albech1 is now known as albech
11:35 <@dazo> nacelle: ahh, sorry!  ignore me, I thought you asked that question as one needing help ;)
11:40 < rob0> /ignore dazo
11:42 <@dazo> heh
11:58 < nacelle> lol
11:59 < nacelle> I remember messing around with ipmasq the day it was announced on lkml... :-)
12:05 < Yiota> IT'S ALWAYS THE FIREWALL
12:58 -!- gigantic is now known as strength
13:07 < strength> how do i add the ta.key to the client.ovpn file?
13:09 < hyper_ch> strength: https://paste.simplylinux.ch/view/9362d039
13:15 < strength> hyper_ch: thank you!
13:15 < strength> now im getting somewhere
13:16 < hyper_ch> you can include the rest as well into the config
13:16 < hyper_ch> so you have all-in-one
13:16 < strength> what do you mean the rest?
13:17 < strength> i have ca, crt, and key there now is that what you mean?
13:17 < strength> plus the tls-auth i just added
13:17 < strength> unfortunately im getting a fatal error now
13:17 < strength> but i think this is better than a time out
13:18 < strength> Insufficient key material or header text not found in file '[[INLINE]]'
13:18 < hyper_ch> ca, cert, key, tls-auth
13:18 < hyper_ch> those are the one I have
13:19 < strength> good, so im doing it right so far
13:19 < hyper_ch> also you need to have:    key-direction 1     in client config and     key-direction 0    in server config
13:19 < strength> i think im just missing something for the tls-auth
13:19 < strength> is that inside the .ovpn?
13:20 < hyper_ch> key-direction 1 probably
13:20 < hyper_ch> !tls-auth
13:20 <@vpnHelper> "tls-auth" is "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to
13:20 <@vpnHelper> make the tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
13:20 < hyper_ch> yep, you need to add key-direction 1
13:23 < strength> in which config file? ovpn or the server config?
13:23 < strength> https://paste.simplylinux.ch/view/9362d039
13:23 < hyper_ch> 1 for client
13:23 < hyper_ch> 0 for server
13:23 < hyper_ch> see above vpnHelper
13:24 < hyper_ch> if you have inline keys, use key-direction #
13:24 < strength> yes i know thats what i need to do im just not sure where that variable is. because its not in client.ovpn
13:24 < hyper_ch> in the client config add:      key-direction 1
13:24 < hyper_ch> in the server config add:    key-direction 0
13:25 < hyper_ch> IF the ta key is in the config itself
13:25 < hyper_ch> if not, use tls-auth ta.key #
13:26 < strength> does it matter where i put it? cat is fine?
13:26 < hyper_ch> no idea, test it yourself
14:05 < strength> # If a tls-auth key is used on the server
14:05 < strength> # then every client must also have the key.
14:05 < strength> tls-auth ta.key 1
14:06 < strength> thats the client, server config is 0, but i still get the same error
14:17 -!- CptLuxx is now known as CptFutureLuxx
14:32 -!- CptFutureLuxx is now known as CptLuxx
15:16 < strength> how would i check the header text for this error?
15:16 < strength> Insufficient key material or header text not found in file '[[INLINE]]' (0/128/256 bytes found/min/max)
15:33 < b00kworm> strength: I probably missed some messages, but my guess is you shuld fix the inline key in your config
15:34 < strength> b00kworm: i looked at it already and it seems fine. but  maybe im not sure exactly qhat should be there
15:35 < b00kworm> does it contain ----Begin OpenVPN Static key V1---- and end with ---END OpenVPN Static key V1---- ?
15:35 < strength> as far as i knew it just has the variable <tls-auth> then the key with -----BEGIN CERTIFICATE------- and end and thats it
15:35 < b00kworm> also maybe specify the full path from root?
15:35 < strength> it does not say static key
15:35 < strength> hrmm
15:36 < strength> isn tthat justlike a comment thoguht?
15:38 < b00kworm> it is, but I assume that if you used openvpn to generate the key it should be the same
15:39 < strength> i followed the tut on blueocean to the T. everything seems to be correct. ports are open etc.. its like it cant see the keys or something
15:39 < b00kworm> Then again, I just followed the Arch wiki 😉 but mine is working, yours is not
15:39 < b00kworm> https://wiki.archlinux.org/index.php/OpenVPN
15:39 <@vpnHelper> Title: OpenVPN - ArchWiki (at wiki.archlinux.org)
15:43 < b00kworm> here's the command to generate the key I used: # openvpn --genkey --secret /etc/openvpn/server/ta.key
15:43 < b00kworm> then specify the full path to this file in the config to avoid surprise and you should be good to go
15:47 < strength> A HA! the plot thickens...
15:48 < strength> Options error: --dh fails with 'dh2048.pem': No such file or directory
15:48 < strength> Options error: --ca fails with 'ca.crt': No such file or directory
15:48 < strength> Options error: --cert fails with 'server.crt': No such file or directory
15:48 < strength> Tue Nov 14 21:47:22 2017 WARNING: cannot stat file 'server.key': No such file or directory (errno=2)
15:48 < strength> Options error: --key fails with 'server.key': No such file or directory
15:48 < strength> Tue Nov 14 21:47:22 2017 WARNING: cannot stat file 'ta.key': No such file or directory (errno=2)
15:48 < strength> Options error: --tls-auth fails with 'ta.key': No such file or directory
15:48 < strength> Options error: Please correct these errors.
15:49 < strength> these are in the .ovpn file though. and i also have copies of them in the keys folder on the server and in the same directory as the client ovpn
15:58 < strength> how does the server know to check the config file for the keys rather than the files on the client? i put ; in front of them in the config file
16:03 < strength> added ;dh2048.pem to ovpn > same error
16:18 < b00kworm> just use absolute paths from root... or inline the keys
17:16 < SharkQUIRKS> Hi,
17:16 < SharkQUIRKS> Hi.
17:22 < strength> b00kworm: how do you mean? absolute path in the config? inline the keys? i thought i had done that. does it mean to put them in the config?
17:22 < strength> i think i just don't understand where its looking for the keys
17:22 < b00kworm> absolute path as in from "/" so probably /etc/openvpn/something
17:23 < b00kworm> or you can inline it in the acutal config (not recommended)
17:24 < strength> server config? or the client.ovpn?
17:24 < strength> all the tuts im reading are saying to put the cert in the .ovpn so you can use the same file for all clients
17:25 < b00kworm> both
17:25 < b00kworm> I am not using .openvpn files so I have no clue how it works there
17:25 < b00kworm> I just generate a .config for every client I want to set up
17:25 < b00kworm> *.conf
17:48 < rob0> ewww, a tutorial on security software written by someone who doesn't understand security?  Lousy.
17:49 < rob0> Just stick with
17:49 < rob0> !howto
17:49 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
18:01 < strength> which one are you referring to?
18:01 < strength> and yes i agree! how do we find better articles?
18:02 < strength> jesus christ thats not a how to thats a friggin text book!
18:03 < b00kworm> What did you expect? A vpn is complicated
18:04 < strength> just something to get up and running at first
18:05 < strength> first i build sand castles, then i apply heat and try to turn it into something solid. then you take that as a mold for turning it into steeeeeeel
18:07 < strength> actually its not as long as i thought
18:12 < strength> ok, ok ,ok... if i start from scratch using this howto, how can i reset all the bad shit i've probably done?
18:12 < b00kworm> Remove the config deleta nay routes thta are left
18:22 -!- Kryczek_ is now known as Kryczek
19:52 < strength> when they server config file do they mean the overall server config or the one just for openvpn?
20:03 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 258 seconds]
20:04 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
20:04 -!- mode/#openvpn [+o dazo] by ChanServ
20:47 < arij> Tue Nov 14 18:42:22 2017 Initialization Sequence Completed
20:47 < arij> does this mean im connected?
21:06 <@ordex> arij: most likely
22:40 < arij> hi when i try to connect to my vpn on ubuntu it says connection successful but im unable to access the network folders that im looking for
22:40 < arij> when i use the same info to connect on my phone it works just finem
23:32 < nbastin> anyone know off the top of their head how keepalive works on L2 tunnels?
23:32 < nbastin> it definitely does *something*, as it will kill vpns, but it doesn't seem to actually know whether they are really alive before it does it
23:34 < nbastin> yeah it seems to trigger Wed Nov 15 00:40:21 2017 us=857913 Inactivity timeout (--ping-restart), restarting
23:34 < nbastin> even though it's wrong
23:36 < nbastin> ordex: you around?  :-)
23:46 <@krzie> nbastin: afaik thats the control channel and doesnt change for l3 v l2
23:46 < nbastin> krzie: yeah I'm trying to find the code that does it, what I've found so far seems like it should work
23:46 < nbastin> but it's clearly not.. :-/
23:46 < nbastin> the ping doesn't reach the tap interface, so it's hard to sniff to see if there's some other problem
23:47 <@krzie> have you tried sniffing both inside and outside the tunnel and also pinging when it goes down?
23:47 <@krzie> is it predictable at all? how often?
23:47 < nbastin> if *I* ping (icmp), it comes up
23:47 < nbastin> every 120 seconds, the keepalive timeout.. :)
23:48 <@krzie> do you have errors on either side besides inactivity timeout? verb 5?
23:48 <@krzie> i guess verb 4 is fine actually
23:48 < nbastin> krzie: https://pastebin.com/dyV1KHhN (that is where the tcpdump just hangs at the end)
23:49 < nbastin> no more packets, I got it to start by doing the first icmp
23:49 < nbastin> just inactivity
23:49 <@krzie> lets see the configs
23:49 < nbastin> krzie: kk sec, lemme strip the key out of one of them.. :-)
23:50 <@krzie> yes, no keys pls
23:50 <@krzie> can strip the cert too
23:50 <@krzie> and any inline stuff
23:50 <@krzie> obviously you connect, thats all good
23:50 < nbastin> krzie: https://pastebin.com/Ktt66i5q
23:51 < nbastin> they are dead simple
23:51 < nbastin> but maybe I missed somethign
23:51 < nbastin> it works for endpoints that send more traffic, but not for this one, so I'm a little confused
23:51 < nbastin> but the ping seems to be in the control channel in the vpn, so it shouldn't be dropped in some way
23:51 < nbastin> (I was worried it was trying to actualyl echo-request the endpoint, but it's not)
23:52 <@krzie> and the other side?
23:52 < nbastin> there's both in there
23:52 <@krzie> ahh right
23:52 < nbastin> sorry, was trying to save a paste.. :-)
23:52 <@krzie> no thats good
23:53 <@krzie> and i dont see anything that should  cause this
23:53 <@krzie> do you have a reason for tap"?
23:53 < nbastin> yeah I mean these configs are auto-generated by the orchestrator, and they work everywher eelse
23:53 < nbastin> yeah I mean we have to move MPLS over the tunnel
23:53 < nbastin> so it's MPLSoE signaled by OSPF
23:54 < nbastin> (we use openvpn where l2tp over ipsec doesn't work)
23:54 < nbastin> but this site isn't pushing any real traffic
23:54 < nbastin> but it's "there"
23:54 < nbastin> if I push traffic over the link it stays up
23:54 < nbastin> but the keepalive doesn't seem to keep it up by itself
23:55 < nbastin> (and once it goes down I have to restart it from the client side, of course)
23:55 <@krzie> i do ospf over tun but seems mpls is a valid reason for tap
23:55 <@krzie> weird problem, both sides are up to date?
23:55 < nbastin> yeah I mean the ospf is not the problem, but the data packets are mpls
23:55 < nbastin> krzie: probably not...
23:55 < nbastin> 2.3.2 on client
23:56 <@krzie> ahh, if you can update the client and the problem persists it sounds like a bug report
23:56 < nbastin> 2.3.2 on server  as well, it turns out
23:56 <@krzie> well, both
23:56 <@krzie> or file it as 2.3.2 and see what happens
23:57 < nbastin> yeah, I just need to test a live upgrade on a lab box and see if I can risk it on the production env.. :-)
23:57 <@krzie> but id think you may need to update and check that first
23:57 < nbastin> (or at least nail down the right procedure)
23:58 < nbastin> but I can do that tomorrow night maybe
23:58 < nbastin> I'm trying to grab a trace of a working tunnel outer interface
23:58 < nbastin> and then see if I can match that to this one
23:58 < nbastin> to see what's different
23:58 < nbastin> I just need to find a tunnel that doesn't have a crapload of traffic..
--- Day changed Wed Nov 15 2017
00:01 <@krzie> well i think first should be seeing if it happens on new openvpn
00:01 <@krzie> you're on a pretty old version
00:01 < nbastin> krzie: yeah, I mean it's just easier to do the passive things
00:01 < nbastin> I can upgrade the client easily on this side
00:01 < nbastin> but not the server
00:02 < nbastin> I have to build a procedure to update the server and restart all the vpns
00:02 < nbastin> and then test it.. :-)
00:03 < nbastin> I can build a new client pretty quickly..
00:03 < nbastin> lemme do that at least I guess
00:06 <@krzie> the clients should just reconnect, thats part of the keepalive command, but i understand the hesitance if you dont have failover
00:06 < nbastin> krzie: yeah I just need to make absolutely sure a newly built server actually *works*
00:07 < nbastin> krzie: so I need to test it on the same platform in the lab
00:07 <@krzie> and any config issues, i dont blame you
00:07 < nbastin> I'm not worried about dropping the peers for N seconds
00:07 <@krzie> you're right
00:07 < nbastin> the platform has a wacky openssl that ties into the crypto unit
00:07 < nbastin> so builds don't always work
00:08 < nbastin> (thanks, freescale!)
00:08 <@krzie> see if you can lab up a test to see if its worth doing
00:08 < nbastin> yeah it occurs to me I should connect this client to a new server that has no other clients, and then I can do whatever
00:08 < nbastin> it already doesn't work.. :-)
00:08 <@krzie> if you cant recreate the issue on new openvpn you know updating is worth it
00:08 < nbastin> yeah
00:09 <@krzie> although i think you have bigger issues with that old of a version
00:09 <@krzie> !vuln
00:09 <@krzie> !vulninfo
00:09 < nbastin> no bot for you!  :-)
00:09 <@vpnHelper> "vulninfo" is (#1) See these factoids for more info about specific vulnerabilities: !heartbleed !poodle !ovpnuke !sweet32 !duhk, or (#2) See here for all security announcements: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
00:10 < nbastin> yeah I mean the T4240 isn't susceptible to any of the openvpn CVEs
00:10 < nbastin> er, openssl
00:10 < nbastin> since it's not really openssl
00:10 <@krzie> mbed?
00:10 < nbastin> but specific openvpn things may be true
00:11 <@krzie> or libre?
00:11 <@krzie> (its in openvpn --version)
00:11 < nbastin> it is "openssl", but it's implemented in teh T4240 crypto unit
00:11 < nbastin> so it's just ABI compatible
00:12 < nbastin> (and when we end up with a vulnerability, we'll end up being screwed and have to bail on a lot of acceleration, probably)
00:12 < nbastin> I'm just waiting for this to happen...
00:13 < nbastin> just today I was telling someone in the lab "please don't ever say 'never' when it comes to breaking security things"
00:14 < nbastin> we do have broken sweet32 ciphers but we don't use them
00:14 < nbastin> ok finally configure didn't fail at least.. :-)
00:15 < strength> Key file ('/Downloads/client.conf') can be a maximum of 2048 bytes
00:15 < strength> anyone know what this 'error' means?
00:15 <@krzie> yep i dont see anything effecting you, except of course your issue
00:16 < nbastin> krzie: It seems weird though, because other sites should have the sameproblem, ping doesn't seem to be influenced by traffic
00:16 <@krzie> not sure if they put a check, but is your dh 2048 bytes?
00:16 < nbastin> but maybe I'm not seeing the right part in the source
00:16 <@krzie> nbastin: i agree, weird
00:16 < nbastin> I mean maybe our other sites are actually restarting very often, and I'm not paying attention
00:17 <@krzie> your dh and rsa should be the same, but like i said i dont know of a check
00:17 < nbastin> although the bandwidth charts don't seem to indicate anything weird
00:17 <@krzie> nbastin: that would be in the logs
00:17 <@krzie> grep for restarts or whatever
00:18 < nbastin> krzie: yeah, will do that for sure...is there anything other than the ping itself that tickles the activity timer?
00:18 < nbastin> clearly not STP.. :-)
00:18 < nbastin> but stp is weird
00:19 < nbastin> not even 802.3
00:21 <@krzie> nah not with your config
00:21 <@krzie> there exists options...
00:21 <@krzie> but you didnt use them
00:21 < nbastin> hrmph
00:22 <@krzie> the error seems to state that your client didnt respond to packets on the control interface
00:22 < nacelle> strength: it means something resembling a configuration file was specified as a key file
00:22 <@krzie> could be firewall related...
00:22 < nbastin> well shit...
00:22 <@krzie> like -i tun0
00:22 < nbastin> $ sudo grep restart tap*/vpn.log|wc -l
00:22 < nbastin> 186439
00:22 < nbastin> we have a problem...
00:23 < nbastin> apparently it doesn't happen for long enough to really make anyone notice
00:23 < nbastin> but it happens everywhere
00:23 < nbastin> that is comforting at least
00:23 < nbastin> things that happen everywhere I can deal with.. :-)
00:23 <@krzie> then could be server not responding on control channel
00:25 < nbastin> yeah I need to build up a test server with a modern version
00:25 < nbastin> blah, sorry, I should have figured out that everything was having this problem
00:25 <@krzie> all good i know how it is
00:26 < nbastin> ok well 2.4.4 on a client at least
00:27 <@krzie> im starting to wonder about firewalls
00:28 < nbastin> krzie: well I was too, but the ping is inside the tunnel (this is what I was looking for in the source)
00:28 < nbastin> if it was an actual outside ping, then I could believe that
00:28 < nbastin> but packets flow easily inside the tunne
00:28 < strength> nacelle: thank you!
00:30 < nbastin> ok well 2.4.4 client is working at least, so that's good
00:31  * nbastin waits 3 minutes
00:32 < nbastin> yeah still dies
00:32 < nbastin> ok, so not client anyhow
00:33  * nbastin wonders how much he could really break.........
00:33 < nbastin> well, I shall trundle off to build it on the lab T4240 at least
00:34 < nbastin> make sure THAT works
00:55 < nbastin> yeah that didn't work cleanly, I shall poke it tomorrow after sleepins.. :)
11:55 < redrabbit> im trying to setup a metric on a static route from the .ovpn file
11:55 < redrabbit> i tried this
11:55 < redrabbit> route 192.168.133.0 255.255.255.0 metric 100
11:55 < redrabbit> and the route stops working
11:58 < Sircle> HI
11:58 < Sircle> diffie hellman parameters. Using kvpnc and getting debug: [openvpn] Options error: --dh fails with 'dh1024.pem': No such file or directory
12:01 <@ecrist> That should be a path to the actual file.
12:02 <@ecrist> if you just have --dh dh1024.pem in your config, then kvpnc is probably not doing a --cd to the path
12:02 <@ecrist> so, just put the whole path to the file in there.
12:12 < Sircle> diffie hellman parameters. Using kvpnc and getting debug: [openvpn] Options error: --dh fails with 'dh1024.pem': No such file or directory
12:13 < rob0> 18:01 <@ecrist> That should be a path to the actual file.
12:13 < rob0> 18:02 <@ecrist> if you just have --dh dh1024.pem in your config, then kvpnc is probably not doing a --cd to the path
12:13 < rob0> 18:02 <@ecrist> so, just put the whole path to the file in there.
12:16 < Sircle> rob0,  where is that file or how to change path?
12:16 <@ecrist> that's the part you need to figure out
12:16 < rob0> I don't know if you have that file
12:16 < rob0> I did not set it up for you
12:16 < Sircle> ecrist, rob0 I am using kvpnc but I do not know who/how this file was set and whats the purpose of it
12:16 < Sircle> where it is located
12:17 <@ecrist> Sircle: we get it.  Who set it up?
12:17 < Sircle> I used used 'import .ovpn'
12:17 < Sircle> all got set auto
12:17 <@ecrist> where did you get the .ovpn file from?
12:18 < Sircle> office network guy (same files worked on my mac via tunelblink)
12:18 <@ecrist> talk to him then, not us
12:18 < Sircle> but notn working with kvpnc
12:18 < Sircle> he doesn't knows much :)
12:18 < rob0> bummer
12:18 <@ecrist> neither do you, it seems
12:18 < Sircle> correct
12:19 <@ecrist> whoever manages the VPN needs to help you
12:19 <@ecrist> we cannot help you
12:19 < Sircle> isnt it client side?
12:19 < rob0> and maybe you could find a place which supports kvpnc
12:19 < Sircle> as it was working iwth mac/tunelblink
12:19 < Sircle> hm
12:19 < Sircle> anyone knows what is that file dh.pem?
12:19 < BtbN> the dh parameters.
12:20 <@ecrist> yes, it's the diffie-hellman parameters
12:20 < BtbN> Never seen them being used on a client.
12:20 < Sircle> how to disable it
12:20 <@ecrist> remove the line from the file
12:20 < Sircle> which file?
12:20 <@ecrist> the .ovpn file
12:21  * ecrist finds another way to waste time
12:22 < Sircle> ecrist,  there is none-in that file. thanks for the time
12:23 < Sircle> BtbN,  yes.
13:54 -!- CptLuxx is now known as therealweq
13:54 -!- therealweq is now known as CptLuxx
15:59 < echelon> hi, my vpn provider lets me forward a local port, does openvpn need to be configured a certain to make use of the feature?
16:00 < echelon> i've tested it with provider's custom client, so i dunno how they did it
16:02 < echelon> or to expose the port rather
16:13 <@plaisthos> !vpnprovider
16:13 <@plaisthos> !factoids
16:13 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
16:14 <@plaisthos> !paidvpn
16:14 <@vpnHelper> "paidvpn" is We are very reluctant to help you if you use a (commerical) VPN provider since we do not want to be their unpaid support team. See also !both
16:15 < nbastin> krzie: so, I tested on client/server both at 2.4.4 and keepalive still kills the tunnel every interval
16:22 < nbastin> although also keepalive says it reduces to ping / ping-restart, but the ping docs say: "Ping remote over the TCP/UDP control channel if no packets have been sent for at least n seconds"
16:22 < nbastin> but we have packets over the tunnel
16:24 < nbastin> alternatively really maybe I should be using --inactive to get the behaviour I want anyhow
16:25 < nbastin> (sortof, except for firewall cases, but we seem to constantly be killing the tunnel anyhow)
16:35 < echelon> it was a general question, but anyway, i got it working
19:22 -!- Netsplit *.net <-> *.split quits: @pekster, |Mike|
19:28 -!- Netsplit over, joins: @pekster, |Mike|
19:30 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 240 seconds]
19:31 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
19:31 -!- mode/#openvpn [+o syzzer] by ChanServ
20:11 < darth_nmmnzo> !vulninfo
20:11 <@vpnHelper> "vulninfo" is (#1) See these factoids for more info about specific vulnerabilities: !heartbleed !poodle !ovpnuke !sweet32 !duhk, or (#2) See here for all security announcements: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
20:12 < darth_nmmnzo> !heartbleed
20:12 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl, or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised., or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected., or (#4)
20:12 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed, or (#5) http://xkcd.com/1354/
23:50 < darth_nmmnzo> !ovpnuke
23:50 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
23:56 < darth_nmmnzo> !vulninfo
23:56 <@vpnHelper> "vulninfo" is (#1) See these factoids for more info about specific vulnerabilities: !heartbleed !poodle !ovpnuke !sweet32 !duhk, or (#2) See here for all security announcements: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
23:56 < darth_nmmnzo> !duhk
23:56 <@vpnHelper> "duhk" is OpenVPN is not vulnerable to DUHK. It does not use any hard coded keys, neither OpenSSL nor mbed TLS touches the broken ANSI X9.31 algorithm and both libraries does re-seeding on regular intervals. More details on DUHK: https://community.openvpn.net/openvpn/wiki/DUHKattack https://duhkattack.com/
--- Day changed Thu Nov 16 2017
00:01 -!- Crypto_JimB0 is now known as n0Str3s5
00:58 < nbastin> There is no evidence on the outer inteface that ping is doing anything...
01:03 < nbastin> although the great part about upgrading to 2.4.4 is that the progressive restart pause means low-use tunnels never come back.. :-/
01:08 < nbastin> arg, yeah, ping-restart is not working right
01:16 < nbastin> well, it's working as implemented, btu not as documented
01:25 < nbastin> arg, it sends a packet every 2 seconds and still kills the damn thing
01:31 < nbastin> trying to backtrack it through event_timeout_trigger
01:34 < nbastin> I sortof get lost there, can't figure out where it really checks whether there have been packets
01:38 < nbastin> timeval is completely ignored in this case
01:38 < nbastin> it doesn't affect the value of ret at all, might as well not be checked
01:39 < nbastin> as far as I can tell check_ping_restart does not actually care if packets have been sent
01:42 < nbastin> @(^@#(^&$
01:43 < nbastin> it does not touch ping_rec_interval reset for 802.3 packets...
01:43  * nbastin smashes his head into the desk
01:44  * ^7heo provides nbastin with a harder desk
01:44 < nbastin> I'm going to need it
01:45 < ^7heo> why, do you plan to correct the implementation by threatening a dev with it? ;)
01:45 < ^7heo> my, think a minute if that could work
01:45 < nbastin> I mean, I'm going to goddamn fix this right now and recompile
01:46 < ^7heo> lemnard, stop syatemd. I have a very hard desk, and I won't hesitate to use it.
01:46 < nbastin> oh, well, if that's the topic, then I'll provide backup
01:46 < nbastin> I'll bring my own desk
01:46 < ^7heo> nbastin: and then provide a patch to upstream I hope?
01:46 < nbastin> ^7heo: of course, although my hack will not pass muster.. :-)
01:47 < ^7heo> meh
01:47 < nbastin> I understand some about openvpn, but probably not enough to do it right
01:47 < ^7heo> juat say it comes from an openssl dev
01:47 < ^7heo> just*
01:47 < nbastin> unclear actually how to do this "right" in a system that doesn't understand L2 len fields
01:47 < nbastin> those bytes ain't the ethertype.. :-)
01:48 < ^7heo> nbastin> I understand some about openvpn, but probably not enough to do it right
01:48 < ^7heo> that's open source
01:48 < ^7heo> it'a fine
01:48 < ^7heo> it's*
01:48 < ^7heo> you'd be doing like everyone else
01:49 < nbastin> I need to figure out who fills c2.buf.len
01:50 < ^7heo> how about valgrind?
01:50 < nbastin> and fix the fact that it is totally broken for len packets
01:51 < nbastin> I was hoping I could be more efficient with ctags
01:51 < nbastin> the remote is sending a shitload of packets, so things like valgrind (and even strace) are crushed
01:52 < nbastin> and by shitload I mean "more than 2 packets a second", which is what makes the valgrind output go nuts.. :-)
01:52 < nbastin> so I was trying to figure out where this was calculated
01:52 < nbastin> in the source
01:55 < ^7heo> nbastin: can't you filter it?
01:55 < nbastin> I have limited choices here, I'm ssh'd to WAN things on both sides
01:56 < nbastin> in december I can debug it locally, but I'm in a bad spot here
01:56 < ^7heo> I see
01:57 < ^7heo> sorry for you
01:57 < nbastin> indee
01:57 < nbastin> d
01:57 < nbastin> so I will just disable ping-restart and deal with the pain from where that works poorly
01:58 < ^7heo> yep
01:58 < ^7heo> sounds like your best bet
01:58 < nbastin> sadly
02:17 < ilyaigpetrov> I try to understand how openvpn work. So it creates TUN device and then configures routes. How routes are configured: in c syscalls or in bash scripts?
02:23 <@ordex> ilyaigpetrov: depends on the platform. on linux it currently uses ifconfig/route or ip
02:23 <@ordex> (ip is used if you specified --enable-iproute at configure time)
02:23 <@ordex> but we have a plan for moving towards netlink in 2.5
02:23 < ilyaigpetrov> ordex: netlink in two words?
02:24 <@ordex> mhh let's say it means "syscalls"
02:24 <@ordex> it's a messaging system to talk directly to the kernel. it is basically what the "ip" command uses internally
02:24 <@ordex> it's the "preferred" way for talking to the kernel about networking operations
02:25 < ilyaigpetrov> ordex: and how it works on android currently? With netlink I think it will have no problem on android, yes?
02:26 <@ordex> to be honest I don't know about android itself. I should check the code - I imagine it uses some android api
02:26 < ilyaigpetrov> ordex: I want to look at how routes are configured for linux -- where in code to start?
02:26 <@ordex> route.c
02:27 <@ordex> it's quite messy right now - we've planned how to make it more clear in the future too
02:27 <@ordex> ilyaigpetrov: however, if you enable the right log level right now openvpn prints every "ip"/"route" command before executing it
02:27 <@ordex> therefore if something fails you can easily copy/paste the command from the log and try yourself
02:28 < ilyaigpetrov> ordex: on the abstract way it crates a deafult route to TUN and one special route for VPN destination endpoint -- righgt?
02:29 <@ordex> it depends on the settings. the former is created only if redirect-gateway was specified
02:30 <@ordex> the latter is created when adding the address I think. but really, it is much easier to check the log. this way you get a way better understanding of the sequence of commands
02:30 <@ordex> and which comes first or later
02:30 <@ordex> anyway bbl!
02:30 < ilyaigpetrov> ok, so vpn with flags, thanks
02:47 < ilyaigpetrov> what be a gentle introduction into programming in openvpn?
05:36 < High_Priest> hi guys, my tun0 interface (debian 8.9) disappears suddenly after some time that vpn server is running,  and vpn client can connect, but there's no traffic, client cannot reach services on the vpn server. when I do "systemctl restart openvpn" tun0 shows up and after reconnecting the client, everything works. Any ideas on how to debug this and/or why this is happening?
06:09 < ttyX> Hi all
06:10 < ttyX> I'm trying to setup AD(ldap)+Gauth authentication on openvpn but don't know where to start
06:10 < ttyX> has anyone here done something like this?
06:11 < ttyX> Our current setup AD(ldap)+certs auth which works fine
06:11 < ttyX> Was hoping I could get rid of the certs altogether
06:59 -!- SerusWor1 is now known as SerusWork
07:25 < ilyaigpetrov> High_Priest: tun may be persistent and impersistent, try making it persistent via configs (have no clue about openvpn)
07:27 < ilyaigpetrov> where in openVPN sources I can read which routes it creates and how for its TUN to work?
07:27 < High_Priest> ilyaigpetrov, I have "persist-tun" already set in the config
07:28 < ilyaigpetrov> High_Priest: tried changing it vice versa? Have no clue what else to try
07:40 < High_Priest> ilyaigpetrov, no, I haven't
07:41 < ilyaigpetrov> High_Priest: it's the opposite of what you want, but who knows, maybe it will work
07:43 < Olufunmilayo> is there any reason a openvpn server would push aes-128-gcm by default instead of aes-256-gcm? (a logical one)
08:06 < |Mike|> Olufunmilayo: performance*
08:07 < |Mike|> High_Priest: running some pid killer or smt?
08:13 < Olufunmilayo> |Mike|, I just find it strange is all. The only way to obtain aes-256-gcm is to disable ncp on the client...in terms of performance what are we really talking about?
08:19 < High_Priest> |Mike|, no
08:45 < redrabbit> i run an openvpn client on my server @home that maintains a connection to my VPS
08:45 < redrabbit> once in a very while it gets stuck
08:45 < redrabbit> i have to run systemctl restart openvpn@client.service
08:46 < redrabbit> is there something in my client.conf file i should change
08:46 < redrabbit> my other option is to run a script with crontab that check the connectivity and restarts if it fails
08:46 < redrabbit> just checking if there's a proper way
09:00 < jb> looking for a way to execute/chain multiple "tls-verify" scripts.. is it feasible to build a 'wrapper' script which is specified as 'tls-verify' and then executes multiple scripts?  I feel like properly managing exit status would be difficult.
10:31 < penguin__> Hi i am using nordvpn with openvpn and my connection goes from 100mbs to 0.1mbs any help?
10:31 < penguin__> it is not that slow on windows btw
10:35 -!- metachr0n is now known as metachr0n-away
10:35 < ilyaigpetrov> could somebody show me in openvpn sources where openvpn changes default route
10:44 < hackz> back again with route problem, anyone who could help?
10:47 < hackz> internet->router->win10(OVPN0client)->vmware(Freebsd)--bhyve->Ubuntu(openVpn Server) no inetrnet connection
11:37 < jb> grr - why can't openvpn support multiple tls-verify's :/
14:54 <@ecrist> ?
15:18 < nacelle> hacks: your client and server are on the same subnet?
15:19 < daemon> hey all following a tutorial for centos6 and openvpn and hitting a weird problem: https://paste.ee/p/1gr5h
15:19 < daemon> anyone have any idea whats going wrong
15:19 < daemon> key_size is default 2048
15:20 < nacelle> you're probably missing a prerequisite library/package
15:21 < daemon> nacelle, my theory too so I added openssl and openssl-devel
15:21 < daemon> seemed to make no difference I cannot find any relative reference on google
15:22 < nacelle> maybe try a newer easyrsa if thats not the one from github?
15:22 < nacelle> https://github.com/OpenVPN/easy-rsa
15:22 <@vpnHelper> Title: GitHub - OpenVPN/easy-rsa: easy-rsa - Simple shell based CA utility (at github.com)
15:23 < daemon> nacelle, I used the one from centos's repo
15:28 < daemon> ls
15:31 < daemon> nacelle, I grabbed easyrsa3 worked a treat
15:31 < daemon> must be something knackard with centos 6's easyrsa distro somehow
15:31 < daemon> package evem
15:31 < daemon> even*
15:37  * nacelle flexes
17:03 < nbastin> Olufunmilayo: an obvious reason would be if you have hardware acceleration for 128 but not 256
18:40 < |Mike|> moin!
19:10 -!- abenz_ is now known as abenz
21:03 < strength> hrrmm, why does my easy-rsa not have a .vars but it has a vars file
21:04 < strength> the clean-all script wont work because its saying to source .vars first
21:05 < strength> however, when i . ./vars i do get something
21:32 < nacelle> read the vars file :-)
--- Day changed Fri Nov 17 2017
01:12 < scj643> Well shit iOS 11 breaks my vpn setup
01:54 < hyper_ch> upgrade to android
02:52 < strength> anyone get bottlenecking from their vpn?
02:52 < strength> im wondering if its my configuration or my service provider
02:58 < daemon> hey guys I have this: https://itsosticky.com/1u1vy3u
02:58 <@vpnHelper> Title: Itsosticky | Simple image sharing (at itsosticky.com)
03:00 < daemon> if I am right ... to get this working, I need a ccl for hetzner on the uk openvpn, saying that the hetzner CLIENT introduces 172.19.[18,19,20].0
03:00 < daemon> and likewise on the hetzner server group in the mainconfig
03:00 < daemon> I will need to tell everything there the route to 172.19.21.0 is via 172.19.21.1 ?
03:01 < daemon> basically trying to tie two vpns together
03:11 -!- SerusWor1 is now known as SerusWork
03:26 < daemon> !ccl
03:26 < daemon> !ccd
03:26 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
03:50 -!- lev__ [~lev__@openvpn/corp/lev] has joined #openvpn
03:50 -!- mode/#openvpn [+o lev__] by ChanServ
03:58 -!- lev__ [~lev__@openvpn/corp/lev] has quit [Remote host closed the connection]
04:42 < ntt> Hi, I'm trying to configure DNS with openvpn but I have some doubts: push "dhcp-option DNS 10.8.0.1" doesn't work on a fedora client because I have to add some script that really changes DNS on the client. Is this correct?
04:52 < gertvdijk> ntt: yes, probably need a line in the client config like "up /etc/openvpn/update-resolv-conf" to parse those options (and also need to adjust script-security perhaps). also; there's a systemd resolvd updater script rather than resolvconf, but I haven't used it yet.
04:52 < ntt> gertvdijk: thank you
04:52 < ntt> I have a similar problems on yealink phones... I don't know if there is a script that I can call
05:45 < gertvdijk> ntt: forgot to mention, also use the 'down' script to undo the change done when disconnecting. not sure what to do with phones really.
05:47 < ntt> gertvdijk: sure! thank you
08:17 -!- NotSecwitter is now known as NonSecwitter
08:34 < ttyX> anyone using pam for ldap auth?
08:34 < ttyX> I know there's ldap module for that but I'm looking to use multiple pam modules
08:40 <@dazo> ttyX: I've done some tests with auth-pam + freeipa + openvpn with good success
08:41  * dazo still have a todo item on writing this down and share it with the interwebs .... somewhere far down on his list
08:48 < ttyX> dazo: nslcd doesn't seem to return any results, ldapsearch does
08:48 < ttyX> AD backend
08:49 <@dazo> have you tried 'getent passwd $USERNAME' ?
08:50 <@dazo> ttyX: btw ... the IPA setup I've used, uses sssd .... which works very well in my environments
08:50 < ttyX> dazo: this same config works fine on tac_plus
08:50 < ttyX> maybe it's the platform
08:50 < ttyX> that's on ubuntu
08:50 < ttyX> this is centos
08:51 <@dazo> I'm running all my stuff on ScientificLinux ... which is another RHEL clone
08:53 < ttyX> I do see: nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
08:53 < ttyX> when I run nslcd -d
08:55 <@dazo> ttyX: try looking into using sssd instead .... authconfig is one way of preparing the systemd to use sssd .... and in /etc/sssd/sssd.conf you set up all the various backends you want
08:56 < ttyX> dazo: so you're suggesting I use sssd pam module instead on ldap pam module?
08:56 <@dazo> yeah
08:58 <@dazo> then you can have your own pam.d/openvpn service ... which can do some filtering too if you want to further restrict who can use your vpn
08:58 < ttyX> dazo: we already have a unqiue group for that, only members of that group can connect
08:58 < ttyX> unique*
08:59 <@dazo> ahh, then it is easy
09:00 < ttyX> yeah my current setup should work but it doesn't
09:02 < ttyX> auth-ldap module works fine
09:02 <@dazo> In my pam setup ... I have these lines in /etc/pam.d/openvpn
09:02 <@dazo> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
09:02 <@dazo> auth        sufficient    pam_sss.so otp_in_password
09:02 <@dazo> auth        required      pam_deny.so
09:02 <@dazo> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
09:02 <@dazo> account     required      pam_permit.so
09:02 < ttyX> but I'm trying to combine pam_ldap with pam_googleauthenticator
09:04 <@dazo> and then the ipa setup is defined with the openvpn service ... and openvpn is using --plugin openvpn-plugin-auth-pam.so "login login USERNAME password PASSWORD"
09:04 <@dazo> and then inside IPA the ACL grants certain users/groups access to the openvpn service
09:20 < ttyX> I have a two line config in /etc/pam.d/openvpn
09:20 < ttyX> auth   required          pam_ldap.so auth   requisite         pam_google_authenticator.so forward_pass user=0 secret=/home/user/.google_authenticator
09:20 < ttyX> auth   required          pam_ldap.so
09:20 < ttyX> auth   requisite         pam_google_authenticator.so forward_pass user=0 secret=/home/user/.google_authenticator
09:20 < ttyX> This same config works with tac_plus
09:21 < ttyX> Then is server.conf I have plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/openvpn
09:43 < Rumbles> !welcome
09:44 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
09:44 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
09:44 < Rumbles> !goal 'Create server profile with user based ACL'
09:47 < Rumbles> !configs
09:47 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
09:48 < Rumbles> hi, I'm struggling to find a guide on how to do this, I have a working openvpn server, I am able to change the config on the server to allow access to a seperate VLAN, but I want to restrict access on that connection to a few users
09:49 < Rumbles> So I want to set up a new server profile, which will allow a whitelist of usernames to connect on a seperate port to the main profile
09:49 < Rumbles> Can someone suggest where something like that is documented?
09:50 < rob0> Again, the bot does not understand your "!goal <whatever>" command.
09:51 < Rumbles> okay
09:51 < rob0> okay, you want a second server for "more privileged" users?
09:51 < Rumbles> yep
09:52 < rob0> what I'd do:
09:52 < rob0> !ccd
09:52 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
09:52 < rob0> !ccd-exclusive
09:53 < adac> On the same vpn server, can I run certain clients with fixed ip's and certain with floating ip's?
09:53 < rob0> use --ccd-exclusive on the second server and only create ccd files for your more privileged users
09:54 < adac> rob0, so you suggest to use use two servers?
09:54 < rob0> that way you can use the same CA for both servers
09:54 < Rumbles> thanks rob0, I think that gives me some reading to do :)
09:54 < adac> rob0, ah that wasn't for me :D
09:55 < rob0> Rumbles, note that you probably don't want --client-to-client, so you can apply firewall rules to limit access to VPN resources
09:55 < Rumbles> putting ccd-exlusive in to google gets me straight ot a forum post about what I'm trying to do, which is what I couldn't find before, so thanks :)
09:55 < rob0> !man
09:55 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
09:55 < rob0> !google
09:55 <@vpnHelper> "google" is Don't trust google searches blindly. Start first by looking at the official docs at https://community.openvpn.net/openvpn/wiki/
09:57 < rob0> adac, while indeed those comments were not for you, they definitely maybe are.  At least that could be one of several ways to do what you want.
09:57 < rob0> you probably DO want:
09:57 < rob0> !ccd
09:57 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
09:57 < rob0> at least for your static hosts
09:58 < adac> rob0, I would like to have static hosts and dynamic human clients
09:58 < rob0> but maybe not --ccd-exclusive
09:58 < adac> rob0, but maybe I go first with static for every one
09:59 < adac> rob0, it is just then humans cannot have their vpn on two different devices at the same time, or?
09:59 < adac> rob0, ok will have a look at it, thanks
09:59 < rob0> I don't know what you are asking, but I suspect there are unstated assumptions behind the question.
10:00 <@dazo> Rumbles: have a look at !eurephia
10:00 <@dazo> !eurephia
10:00 <@vpnHelper> "eurephia" is http://www.eurephia.net/
10:00 <@ordex> !dazo
10:00 < rob0> BTW as a point of clean network design, I would use a separate CIDR range for the dynamic pool and the static pool.
10:00 <@vpnHelper> "dazo" is The project name krzee always forgets .... eurephia ... http://www.eurephia.net/
10:00 <@ordex> :p
10:00 <@dazo> heh
10:02 <@dazo> Rumbles: and if you have issues with that plug-in .... let me know, and I'll see if I can spend more time on it.   It's been a quiet project for some years - but that's mostly as it is rock solid stable.  But willing to consider to put efforts into it again, to extend features if needed
10:06 < Rumbles> can I put the push route line from my server conf in to the ccd file? So I can run a single openvpn server, and if you're in the list of files in ccd you get an extra route?
10:07 < adac> rob0, What I mean is: When I have a fixed IP for a certificate via ccd set, I cannot have this certificate running for more then one client at the same time or?
10:09 < rob0> oh, why would you want to have more than one connection from the same client certificate?
10:10 < rob0> yes, if you want that "feature" it gets much more difficult
10:12 < ttyX> dazo: I'm sure it's nslcd and not openvpn my tac_plus setup also stopped working on new server
10:33 < hyper_ch> krzie: dazo: https://0patch.blogspot.ch/2017/11/did-microsoft-just-manually-patch-their.html
10:33 <@vpnHelper> Title: 0patch Blog: Did Microsoft Just Manually Patch Their Equation Editor Executable? Why Yes, Yes They Did. (CVE-2017-11882) (at 0patch.blogspot.ch)
10:39 < hyper_ch> dazo: you're the local routing expert, right?
10:42 < havoc> wow, MS has some decent coders
10:42 < havoc> *some*
10:43 < hyper_ch> they can patch binaries directly :) that's serious skills
10:43 < hyper_ch> many people can't even patch source code :)
10:44 < havoc> yeah
10:44 < havoc> most "developers" nowadays know nothing of ASM, or even C
10:44 < hyper_ch> could it be that MS lost the source code?
10:45 < havoc> who knows?
10:45 < hyper_ch> MS knows :)
10:46 < hyper_ch> oh, was that one of those questions where you don't actually expect an answer? :)
10:50 <@dazo> hyper_ch: I'm sure I can handle the not too advanced routing challenges .... but there are even more skilled users on this channel :)
10:50 < hyper_ch> dazo: so what is facebook's OpenR good for?  https://github.com/facebook/openr
10:51 <@vpnHelper> Title: GitHub - facebook/openr: Distributed platform for building autonomic network functions. (at github.com)
10:51 <@dazo> I have absolutely no clue :)
10:52 < hyper_ch> but you're my local routing expert ;)
10:52 < hyper_ch> well, in my datacenter (aka home and offce) I'm not quite yet at 100gpbs lines... but who know.... 20 years down the line....
10:55 <@dazo> hyper_ch: I think it all is related to FB having a master plan to become an ISP too ... https://code.facebook.com/posts/1072680049445290/introducing-facebook-s-new-terrestrial-connectivity-systems-terragraph-and-project-aries/
10:56 <@dazo> oh, here's some more docs .... which mentions OpenR directly https://code.facebook.com/posts/1782709872057497/building-express-backbone-facebook-s-new-long-haul-network/
10:56 < hyper_ch> dazo: you seem to be quite familiar with facebook...
10:57 <@dazo> nah, just lucky .... and these pointers could be found here: https://github.com/facebook/openr/blob/master/openr/docs/Overview.md  (at the very bottom)
10:57 <@vpnHelper> Title: openr/Overview.md at master · facebook/openr · GitHub (at github.com)
10:58 < hyper_ch> but only smart people know how to scroll to the bottom
10:58 <@dazo> I actually deleted my FB profile quite a long while ago .... also due to the fact I almost never logged in there
10:59 < hyper_ch> you had a facebook profile? oO
10:59 < hyper_ch> and can you really delete a facebook profile?
11:00 < hyper_ch> I guess I don't have quite use yet for openR in my "home" and "office" "datacenter"
11:00 <@dazo> hehe :)
11:01 <@dazo> whatever FB still might have saved from my account .... is definitely not going to be that interesting .... I always kept a very low profile there
11:01 < hyper_ch> so germany banned smart watches with tracking capabilities for children
11:02 <@dazo> *that* makes so much sense
11:02 < hyper_ch> do you happen to have a linked in account?
11:02 < hyper_ch> http://www.bbc.com/news/technology-42030109
11:02 <@dazo> yeah, I do .... but that is strictly business related
11:02 < hyper_ch> linkedin
11:02 <@vpnHelper> Title: Germany bans children's smartwatches - BBC News (at www.bbc.com)
11:03 < hyper_ch> there's an indian "Dazo" company
11:04 <@dazo> heh .... good to know :)
11:04 <@dazo> Perhaps I can shift some blame to them :-P
11:04 < hyper_ch> :)
11:12 < hackz> i got subnet probs redirecting client and server openvpn, apart what is described on the doc page, can some one point to the right direction?
11:13 < rob0> !redirect
11:13 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
11:13 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
11:14 < hackz> internet->router(192.168.0.1)-Vmware(172.16.0.0/24)->freebsd->Ubuntu(10.8.0.1/24)
11:15 < hackz> vpnHelper, already view that
11:16 < hackz> internet->router(192.168.0.1)Win10->Vmware(172.16.0.0/24)->freebsd(bhyve)->Ubuntu(10.8.0.1/24)
11:19 <@dazo> smells like VMcrap is in the way and causing troubles .... but that setup is fairly complex and have many traps
11:21 < hackz> but client and server can ping each other the probs is that i have no internet access, if i disable redirect-gateway !def1, i can surf the internet but my ip on what's my ip result as my ip provider
11:22 < hackz> but client and server can ping each other the probs is that i have no internet access, if i disable redirect-gateway !def1, i can surf the internet but my ip on what's my ip site result as my ip provider
11:24 < rob0> where on the flowchart did it fail?
11:27 < hackz> at the bootom where it says Are the client and server on the same LAN? but i do not see any firewall issue
12:50 -!- P1ro__ is now known as P1ro
14:42 < vook> I would like to implement a network of openvpn v6 routers to carry tunneled ipv6 traffic between multiple locations. The ultimate goal is to have multiple VPN clients at different sites connect to a single server and for all ipv6 networks to be accessible from each site (each vpn client to act as a router).
14:43 < vook> I have implemented the basic concept successfully using static key based VPN (Host(site A) can ping6 Host(site B)), but so far I haven't been successful getting the TLS client-server setup working.
14:43 < vook> Full details at: http://shorttext.com/8f64a55f
14:43 <@vpnHelper> Title: I would like to implement a network of openvpn v6 - shortText.com (at shorttext.com)
14:50 < vook> It looks like I duped the last part of the paste
16:47 -!- ptx0_ is now known as ptx0
19:07 < elcoc0> Hi, i am trying to reverse proxy open vpn traffic from my nginx configuration using SNI, but it seems using Wireshark that openVPN client does not send any SNI, is there a configuration instruction to send it please ?
19:12 < rob0> where did you read that openvpn implemented SNI?  This is the first I have heard of it.
19:14 < elcoc0> I can't find anything online, so here I am asking on IRC if this is possible
19:14 < elcoc0> ahah...
19:20 < zoredache> elcoc0: I have heard of a tool called 'sslh' that can multiplex https/openvpn/ssh on a single port.  Haven't used it though
19:20 < CygniX> is it recommended to use the default port 1194?
19:21 < zoredache> CygniX: Sure. using the default port is usually fine if you are also using the tls auth key and certs.
19:22 < zoredache> Switching to a different port wouldn't really buy you much security wise.  Though using a more common port like udp/53 might mean your VPN would be reachable from places with more restrictive (but stupid) firewalls.
19:22 < CygniX> zoredache: what protection does tsl auth key provides that relates to port?
19:28 -!- abenz_ is now known as abenz
19:30 < CygniX> does the latest ios client support tls-crypt?
19:30 < CygniX> I know android client does
19:50 < nacelle> yes, ios does tls too
19:50 < nacelle> (ios openvpn)
20:18 -!- m0nkey__ is now known as m0nkey_
20:27 < monokrome> hiii
20:27 < monokrome> Does anyone know where to find the OpenVPN client for Windows? It doesn't seem to be here: https://openvpn.net/index.php/open-source/downloads.html
20:27 <@vpnHelper> Title: Downloads (at openvpn.net)
22:04 < taskmask21> hey, anyone up this late at night?
22:07 < cremansor12> hi, I have a question. I want to connect to a .ovpn profile via the command line (Windows 7 btw) which I know I can do via openvpn-gui.exe --connect "profile.ovpn"
22:07 < cremansor12> The thing is, the server requires a username & password and the provider only allows me to connect with just that, i am not provided an private key
22:08 < cremansor12> After some Googling, I dont see how I can pass my username & password through the command line to connect. Is it possible to connect either way?
22:12 <@ordex> cremansor12: I am not expert of the windows client, but i know that the auth-user-pass option that you have in the config, should be allowed to take a filename as argument. In such file you can put the user & password
22:12 <@ordex> check the man page for auth-user-pass
22:13 <@ordex> !manpage
22:13 <@ordex> !man
22:13 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
22:13 < cremansor12> Ohh, so I can put the auth in a seperate file and use it to connect to the .ovpn profile?
22:14 <@ordex> yap
22:14 <@ordex> the manpage explains it better
22:14 < cremansor12> Okay, one last thing. Is it possible to disconnect from the server through the command line if i am already connected?
22:16 < cremansor12> @ordex
22:16 <@ordex> I think you can do that via management interface
22:16 <@ordex> not via command line
22:16 < cremansor12> ahh, but if i kill the openvpn-gui process, it wont harm anything right?
22:17 <@ordex> to be honest. .. I don't know :P
22:17 < cremansor12> okay, thank u for your help about the auth thing
22:17 <@ordex> np
--- Day changed Sat Nov 18 2017
03:37 < ullbeking> ok so i'm probably going to yelled at for asking such a basic question... i want to set up a vpn server on a vps i have "out there"
03:37 < ullbeking> for simple privacy when using untrusted networks using my phone, etc
03:37 < ullbeking> on debian stable
03:39 < ullbeking> is there an especially "blessed" guide or tutorial on how to do this for ovpn newbies?
03:48 <@ordex> ullbeking: any basic howto or guide should work. that's one of the basic usage I'd say
03:49 <@ordex> !howto
03:49 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
03:53 < ullbeking> ordex: i pretty much figured
04:45 < TwistedFate> umm.. hi :D where does one begin learning OpenVPN if he doesnt know anything about it? :S
04:45 < TwistedFate> !welcome
04:45 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
04:45 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
04:45 <@vpnHelper> you
04:45 < ^7heo> !welcome
04:45 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
04:45 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
04:46 < ^7heo> that is weird
04:48 < ^7heo> is the bot output non deterministic? :/
05:49 -!- abenz_ is now known as abenz
07:45 < Azrael_-> hi
07:46 < Azrael_-> i just added a new client to my openvpn server and connected it. everything seems to work just fine, but it is listed with the same name in ipp.txt as another client. what did i forget to change when i created this client?
07:54 < BtbN> the name in the cert.
08:00 < tomy> hi ,im just seeing that tou have a tor-sasl connection to get on freenode ,how did you do that?
08:01 < Azrael_-> just had a look at when i created the cert. no, i changed the name. also had a close look at the certificate. don't see the displayed name anywhere. in the logs (during connection), it also displays the correct name. only in the ipp.txt i see the other client twice :(
08:04 < Azrael_-> BtbN: also had a look into the "status"-output in the management-console. i see there the right name
08:16 < BtbN> Maybe you gave the same cert out twice by accident?
08:16 < BtbN> so both clients are using the same cert, and one is unused
10:14 -!- b00kworm is now known as b00kworm_2
11:18 < CygniX> !cert
11:18 < CygniX> !verify
11:18 <@vpnHelper> "verify" is (#1) If you receive certificate-based 'VERIFY ERROR' messages, you can manually verify the remote cert against a local CA using openssl: `openssl verify -verbose -CAfile /local/ca.crt /remote/copy/of/other.crt`, or (#2) Note that this requires you to manually transfer the remote certificate to the local system for testing, or (#3) You can also manually check issuer fingerprints with
11:18 <@vpnHelper> detailed cert output: `openssl x509 -in /some/cert.crt -noout -text` and compare against the CA cert fingerprint
13:23 < noregret> doesn't easy-rsa have a binary named easy-rsa? im' trying with this scrip https://github.com/Nyr/openvpn-install but it's failing on the easy-rsa call
13:23 <@vpnHelper> Title: GitHub - Nyr/openvpn-install: OpenVPN road warrior installer for Debian, Ubuntu and CentOS (at github.com)
13:25 < swg0101> did you try searching for it?
13:27 < noregret> swg0101: yeah, can't find it on my system (ubuntu 16.04) even tho the easy-rsa package is already installed
13:27 < swg0101> I think Ubuntu names it a bit differently
13:27 < swg0101> I think there is a package with the 3 after it
13:28 < swg0101> or instead you can glone it from git
13:28 < swg0101> git clone git://github.com/OpenVPN/easy-rsa
13:28 < swg0101> cd easy-rsa/easyrsa3
13:32 < noregret> swg0101: nope, only package that exists is "easy-rsa"
13:32 < swg0101> try git :D
13:32 < noregret> will do
14:56 < undrwater> hi all! do the openvpn configs allow for the client to access the LAN of the server? or is it necessary to use IPTABLES or similar
15:03 < inSync> !welcome
15:03 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
15:03 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
15:05 < inSync> !goal
15:05 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:05 < inSync> !route
15:05 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
15:13 < antiswifty> hi
15:13 < antiswifty> i have a problem with connection to any website after i successfully connect through VPN to my remote workplace
15:14 < antiswifty> i can ping and get 40-60ms
15:14 < antiswifty> but the websites don't work...
15:14 < antiswifty> what might be the problem?
15:15 < inSync> antiswifty: do you have DNS?
15:15 < antiswifty> how do i check that
15:15 < inSync> does you traffic to the internet runs through the tunnel or is it direct?
15:16 < inSync> open a console
15:16 < antiswifty> through wi-fi usually but now needs to go to through this vpn
15:16 < inSync> ping www.google.com
15:16 < inSync> if it translates to an ip address, you have DNS, if it turns out unknown host, you don't
15:17 < antiswifty> i tried with an ip it said unknown host
15:17 < antiswifty> ip of the website i need to reach
15:22 < undrwater> !goal
15:22 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:23 < undrwater> I would like to access the LAN behind the server, currently connecting is successful, but confused about methodology for reaching the LAN.  I think i've got it clear conceptually
15:29 < inSync> undrwater: what about that methodology...
15:30 < undrwater> inSync: i'm wondering if the openvpn configs handle accessing the LAN behind the server, or if I need to use IPTABLES or similar to get there
15:32 < inSync> i'm pretty fresh on openvpn, but as far as i have seen it working, you need ip forwarding on the kernel, that's it
15:33 < undrwater> inSync: does the client config need an entry for it to work?
15:34 < inSync> iptables... of coarse that the machine that is forwarding the packets needs propper firewall support to ensure that it is not bloking the traffic
15:35 < undrwater> is there a good doc that explains to determine if that's happening?
15:36 < inSync> https://secure-computing.net/wiki/index.php/OpenVPN/Routing
15:36 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at secure-computing.net)
15:36 < undrwater> ohh...thanks
15:36 < undrwater> i on't think i've seen this article
15:37 < inSync> that is small and to the point, i guess you could look at the official docs on the project website
15:37 < undrwater> the official ones i've seen...i know i have ip forwarding
15:38 < inSync> https://openvpn.net/index.php/open-source/documentation.html
15:38 <@vpnHelper> Title: Documentation (at openvpn.net)
15:39 < inSync> https://openvpn.net/index.php/open-source/documentation/howto.html
15:39 <@vpnHelper> Title: HOWTO (at openvpn.net)
16:01 < inSync> undrwater: reading up?
16:03 < undrwater> inSync: indeed...also distracted by something else ;-)
16:56 < undrwater> inSync: i think i see my problem now...since openvpn is not running on the gateway machine (router), i need to open the route from the gateway
16:57 < undrwater> I'm connecting through ip 10.100.0.0, and the client (android) can ping 10.100.0.1, but can't ping the server at 10.100.0.2
17:00 < inSync> undrwater: that seems plausible
17:00 < undrwater> oh...and netstat -rn on the server shows itself as gateway for client...does that sound correct?
17:03 < inSync> undrwater: don't know that, but if the server is not the gw of the remote network, you definitivelly need a route on the default gw
17:06 < undrwater> wait...tun0 has ip of 10.100.0.1
17:07 < undrwater> netstat shows the gateway as .2
17:07 < inSync> and?
17:07 < undrwater> internal ip (192.168.1.x) doesn't have a gateway
17:09 < inSync> so what?
17:09 < inSync> you could draw it
17:10 < inSync> to clear things up
17:16 < CygniX> psa: tls-crypt + tcp + port 443 not enough to default Egypt's new GFW
17:18 < inSync> CygniX: just for the sake of academic discussion, what would it take to circumvent that?
17:18 < CygniX> When you find out, inSync, let me know :P
17:19 < inSync> lol
17:19 < inSync> what about TOR? too inconspicuous?
17:20 < CygniX> all blocked
--- Day changed Sun Nov 19 2017
02:55 -!- abenz__ is now known as abenz
04:20 < user3x> hello
04:21 < user3x> i use openvpn 2.4.4 but only 50 configurations allowed, i need more! can it be "fixed" to unlimited in a newer version?
04:22 < hyper_ch> what do you mean by only 50 configurations allowed?
04:22 < user3x> only 50 config files allowed
04:24 < user3x> you know waht i mean?
04:24 < hyper_ch> not really
04:24 < user3x> i've more than 50 config files in the openvpn config-folder
04:25 < user3x> so if i click on openvpn-icon in tray a message "pops up" with only 50 configuraions allowed (sorry the message is in german)
04:27 < hyper_ch> what openvpn-icon?
04:27 < user3x> the gui!
04:27 < user3x> gui=graphical user interface
04:27 < hyper_ch> no idea
04:28 < user3x> you are only a user, no dev, right?
04:28 < hyper_ch> yes
04:28 < user3x> so you can't help. ;-)
04:29 < hyper_ch> how so?
07:26 <@ordex> user3x: is a gui specific problem. I think somebody else already mentioned that in the past
07:27 <@ordex> user3x: why do you have so many configs? what problem are you solving that way? is that a server or client ?
07:42 < MrTijn> !welcome
07:42 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
07:42 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
07:44 < MrTijn> !goal
07:44 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:45 < MrTijn> Hi, I'm using OpenVPN on my laptop running Ubuntu 16.04.2 LTS. After every hibernation or suspension OpenVPN starts using ~100% of one of my CPU cores and I need to manually restart the OpenVPN service in order to get internet access and stop the CPU hog. I am running OpenVPN 2.3.10 x86_64-pc-linux-gnu
07:46 < MrTijn> Is there any way to fix this, or a workaround?
08:16 < MrTijn> Someone on an other channel linked me this https://askubuntu.com/questions/903057/how-do-i-autostart-and-use-openvpn-cli-on-ubuntu-16-04-after-suspend-resume which worked.
08:16 <@vpnHelper> Title: How do I autostart and use openvpn cli on Ubuntu 16.04 after suspend / resume? - Ask Ubuntu (at askubuntu.com)
09:00 < Hotpot33> wew that's weird
10:20 -!- remirol is now known as lorimer
12:15 < jcjordyn120> !welcome
12:15 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
12:15 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
12:15 <@vpnHelper> you
12:15 < jcjordyn120> !goal
12:15 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:19 < jcjordyn120> !goal accessing the internet over the vpn.
12:20 < jcjordyn120> !redirect
12:20 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
12:20 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
12:21 < jcjordyn120> !nat
12:21 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
12:25 < jcjordyn120> !linnat
12:25 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
14:51 < Crazy_Hopper> Hello everyone. It seems I'm having trouble understanding the manual page, could anyone please help me? I'm running v.2.4.0 (debian jessie), and connecting as a client to the server with user/pass authentication and a key w/o a passphrase. My current client config is: daemon, auth-user-pass FILE, auth-nocache, auth-retry nointeract. I thought that this config would result (in case of AUTH_FAILED) in permanent reconnection and FILE to be read on
14:51 < Crazy_Hopper> each connection attempt. But instead I get the following the syslog: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'CHALLENGE: Enter Pin'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
14:51 < hyper_ch> !howto
14:51 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
14:51 < Crazy_Hopper> So the question is: is there a way to make openvpn work as I expected?
15:02 < Crazy_Hopper> oh, I actually get one restart, but FILE isn't reread on second attempt
15:04 < marvin2> hi. i have a device A that is streaming movies, PC that will be running openvpn, and I want to access device A from the internet, through the VPN on PC. should I be using bridging or routing mode?
15:04 < marvin2> device A and PC are on the same LAN
15:30 < b00kworm> marvin2: you can use a tun setup and push either the full subnet or the corresponding IP of A. At least that's what I am using
15:35 < marvin2> b00kworm i would prefer that if it doesn't have any significant downsides, I'm just not sure how I'd go about pushing subnet or IP of A
15:35 < marvin2> will all the traffic go through VPN in this setup?
15:36 < b00kworm> not necessarely, you can but you don't have to (depending on how you setup the routing marvin2
15:36 < b00kworm> )*
15:37 < b00kworm> I push everything through my vpn and also push the complete local lan (so I can access my boxes behind my router)
15:37 < b00kworm> and by push everything I mean "route my internet traffic"
15:40 < b00kworm> as for how to push a subnet: `push "route 192.168.1.0 255.255.255.0"`
15:43 < marvin2> then tablet will access A through its local IP, 192.168.x.x?
15:44 < marvin2> that could cause conflicts when i am connecting through public wifi
15:48 < b00kworm> yes, that's why my subnet is an unusal one
15:49 < b00kworm> you can pick any from the vast 10.0.0.0/8 block
15:49 < marvin2> oh, I thought I can't use 10.0.0.0/8 on my LAN
15:49 < marvin2> this would require to change LAN ip for all my devices I suppose?
15:51 < marvin2> btw device A also runs a webpage. if webpage traffic doesn't go through VPN then I'm not sure how much I am gaining security wise?
15:53 < b00kworm> yes, but as most of them anyway just use dhcpd who carse 😛
15:53 < b00kworm> cares*
15:54 < marvin2> yeah
15:54 < marvin2> how about security?
15:55 < marvin2> since traffic is unencrypted
15:55 < b00kworm> no worse than before, the subnet doesn't really have a security function. Your firewall does
15:55 < marvin2> actually I am not even sure if I want to encrypt everything (for example video streaming traffic)
15:55 < b00kworm> well traffic PC --> A  is encrypted (that's the point)
15:56 < marvin2> ah
15:56 < marvin2> hmm, but how about tablet to A, or I guess tablet to PC if everything goes through PC? tablet is connected to internet, often through public wifi
16:02 < b00kworm> the subnet would be encrypted between your pc and your vpn server, so the public wifi just sees the encrypted data stream
16:03 < b00kworm> or your tablet and the vpn server rather
16:03 < b00kworm> "The client"
16:04 < marvin2> so device A would be doing the encryping?
16:14 < b00kworm> yes, take an example say my phone is connected to my vpn and I am connecting to my irc bouncer. then it would be phone --> encrypted --> public wifi --> VPN server (does the encryption) --> irc bouncer
16:15 < b00kworm> VPN --> bouncer may or may not be encrypted, the public wifi never sees anything besides scrambled nonsense (well plus the address of the vpn server)
17:19 < jcjordyn120> I just got a vpn :)
17:24 < jcjordyn120> Oops wrong channel
17:27 < b00kworm> depends on how you look at it :P
18:00 -!- abenz__ is now known as abenz
18:43 < Eugene> marvin2 - you always want to use routing/tun mode. If you read something that says to use bridging/tap, it is wrong and you should stop reading it.
18:43 < Eugene> Subnet & routing design is a large topic, and we'd need to know more about your network layout to give good advice.... also I'd need to stick around to care
18:43 < Eugene> But here's some starting points in the bot for you
18:43 < Eugene> !route
18:44 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
18:51 < marvin2> Eugene yeah that is exactly what someone told me:
18:52 < marvin2> "If your VPN client uses bridging (i.e. your tablet gets an IP address through the VPN tunnel in your LAN range), it should work without any additional work. If not, your VPN server (= your PC) needs to route between your LAN subnet and your VPN subnet, and your LAN devices need to know how to access the VPN subnet. Which is not for novices I'm afraid, so avoid this situation if possible."
18:53 < Eugene> It sounds like you are really only interested in accessing services through a secure tunnel, served by A?
18:53 < Eugene> You can set up an OpenVPN server there, and have Clients connect to it. Access the VPN IP of your server(10.8.0.1 in most examples, but please pick different subnets), and you're done
18:54 < marvin2> I am accessing some services on PC through the tunnel as well, such as VNC, but I did not mention that in the question that above quote responded to. also A is embedded device, and I'm not sure how demanding encrypting everything (including streaming video) would be
18:56 < Eugene> Acceptable data rates can be accomplished on surprisingly cheap hardware, thanks to Moore's Law. Older blog posts forget this fact
18:56 < Eugene> Try It And See ;-)
18:57 < marvin2> I'll try. one more concern though, openvpn client on android (that i'll install on tablet, which will access PC and A) can have certificates from only one vpn server loaded. to switch between connecting to PC and VPN server I'd have to keep loading their certificates or is there a better way?
18:59 < Eugene> !android
18:59 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html, or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android, or (#3) For a difference between the clients see http://ics-openvpn.blinkt.de/FAQ.html#faq_androids_clients_title, or (#4)
18:59 <@vpnHelper> Really old (<4.0) see !android-old
18:59 < Eugene> You can definitely have multiple profiles in the Android app
19:00 < marvin2> "to switch between connecting to PC and A VPN server", even
19:00 < marvin2> ah ok
19:00 < Eugene> Are you perhaps using the Access Server client by accident? Common mistake
19:01 < Eugene> !as
19:01 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
19:04 < marvin2> it could be. i reinstalled android since then, i'll make sure to install non-as version
19:13 < marvin3> Eugene, what is the reason to have two servers installed though over just having one (on PC)? easier configuration, better performance, both?
19:15 -!- marvin3 is now known as marvin2
19:31 < nacelle> marvin2: you have to have multiple configurations loaded for each kind of setup.  udp is one, tcp is another, etc.  one openvpn server cannot listen on udp and tcp at the same time.
20:03 <@ordex> marvin2: OpenVPN Connect should work fine as well
20:03 <@ordex> with multiple profiles
21:34 -!- abenz_ is now known as abenz
--- Day changed Mon Nov 20 2017
01:34 -!- abenz_ is now known as abenz
02:12 -!- abenz_ is now known as abenz
02:53 < marvin2> ordex thanks. it was late last night and I will attempt to get it working today. I'm still wondering though about the pros/cons of having servers on both devices I want available through VPN tunnel, vs only having server on PC
02:54 < marvin2> (when I say server I mean VPN server)
03:05 < marvin2> to recap: I have OpenVPN server running on PC, and I want to have embedded device (that runs on the same LAN as PC) available through VPN as well. I want to connect to embedded device and PC over the tablet that is connected on public WIFI or mobile network, without exposing any ports directly. should I: 1) install OpenVPN server on embedded device as well 2) connect through VPN on the PC that
03:05 < marvin2> runs server in bridge mode 3) connect through VPN on the PC that runs server in routing mode
03:07 < Kryczek> marvin2: which one is more likely to be on 24/7? PC or embedded device?
03:07 < marvin2> they are both running 24/7
03:20 < marvin2> so that isn't a concern. my main concern is performance (embedded device has less resources available) and security (i'd have to update two servers instead of one). ease of config is secondary
03:20 < marvin2> among other things embedded device will be streaming HD video, not sure if that matters in my choice
08:55 < metachr0n> hi ... does anyone know how to properly setup an openvpn client sv script ( runit )?
08:56 < hyper_ch> what's an openvpn client sv script ( runit )?
09:31 < marvin2> "Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines)." <- how do I do this?
09:32 < marvin2> I guess I have to do this in my router, but I'm not sure if it supports this, or what such an option would be usually called
09:33 < rob0> I'd look for something called "routes"
09:37 < marvin2> I don't see "routes" or anything similar to it on my router's webpage
09:37 < marvin2> perhaps Static Address Assignment?
09:42 < DArqueBishop> What model router do you have?
09:43 < marvin2> Genexis HRG1000
09:43 < marvin2> under network section I have these subsections: WAN, LAN, Wireless, WLAN Access, WPS, DHCP, UPnP, DNS, Port Forward, IPv6 Forward, DMZ Host
09:45 < DArqueBishop> Yeah, it doesn't look like your router supports adding additional routes. That's pretty silly.
09:45 < DArqueBishop> !route_outside_ovpn
09:45 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
09:46 < DArqueBishop> It looks like you'll need to use NAT on the OpenVPN server.
09:46 < rob0> ewww
09:46 < rob0> I suspect it might have some way to add routes, but they just didn't make it obvious, and didn't document it well
09:47 < DArqueBishop> rob0: right. I looked at the router's user guide and it had nothing.
09:47 < DArqueBishop> If there is a way it's not on the web GUI.
09:48 < marvin2> perhaps I can try contacting ISP? I had to contact them to disable WPS as this wasn't possible from the options I had available
09:48 < rob0> Before I'd consider NAT, I'd consider getting rid of that garbage.  Millions of cheap routers can do this.
09:48 < marvin2> if that doesn't work, would bridging be a better choice at this point?
09:48 < rob0> oh, you didn't mention you didn't control the router
09:49 < marvin2> this is my isp's router. I can change some options, but I know from experience that my isp can change additional ones, like turning the WPS off
09:55 < marvin2> (because I don't have admin password for the router, isp isn't giving it, and it isn't known online, or at least I couldn't find it)
11:51 < chillfan> Hey everyone. Is there a way I can failover to a separate VPN service? So that if one fails I can use an alternative vpn configuration
13:07 < musti> hi
15:27 < vook> Is there some sort of option I need to enable on the client side to enable it to act as an ipv6 router?  I'm trying to tunnel ipv6 over ipv4 in client-server mode.  From the client, I can ping both ipv6 addresses for tun0 and eth0 on the server side, but on the server side, I can only ping the tun0 ipv6 address on the client side.  I've got this fully working with key based, but running into a wall with tls.
15:28 < vook> I do have client-to-client enabled
15:29 < vook> I've replicated the routing table that I had in use in the (working) static key mode to the client-server mode, but still no dice.  Makes me thing some function of openvpn is in effect firewalling access beyond tun0 on the client.
15:55 < vook> woah, it worked with tap
16:01 < rob0> !ipv6
16:01 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6, or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ, or (#3) http://xkcd.com/865/, or (#4) to ignore ipv6 from the server see !noipv6client
16:03 < tezogmix> Seem to have an issue where my connectivity freezes for a few minutes/disconnects when using the NDI6 tap-windows-9.21.2.exe on windows-7-64 (seems always when using google-related services on the desktop). The problem resolved when I rolled back to the NDIS 5 (tap-windows-9.9.2_3.exe) but I'm on concerned on the driver's age + why in the first place the issue happens with the newer one.
16:12 < tezogmix> I've also noted and followed the comments in the official openvpn downloads page when using the NDI6 "If you have 9.9.x installed, you need to uninstall it before installing 9.21.x"
16:14 < tezogmix> and uninstalled with the "Delete the driver software for this device" check box when removing the TapV9 adapter from device manager. The only other comments for now I can add is, my IP is set to static (laptop) using the 2-google dns's servers.
17:57 -!- jpwhiting_ is now known as jpwhiting
23:41 < chiggins> Any reason that a client can only hit a few servers/services while in a tunnel, and not others?
23:41 < chiggins> For example, I can ping the DC and reach HTTP on another, but there's one server that I cannot ping, but it's pingable from other devices in the network
--- Day changed Tue Nov 21 2017
00:19 < chiggins> Bad netmask settings on the server :\ oops
02:28 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
02:37 -!- SerusWor1 is now known as SerusWork
02:39 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
02:39 -!- mode/#openvpn [+o syzzer] by ChanServ
03:22 -!- specing_ is now known as specing
04:50 < nick_tdqfittvn> hi
04:50 < nick_tdqfittvn> i have a server that accepts incoming connection only from local IP
04:50 < nick_tdqfittvn> so i created an openvpn server
04:51 < nick_tdqfittvn> but when i try to onnect to that server trough openvpn, i get connection refused the same
04:51 < nick_tdqfittvn> maybe because it sees 10.0.0.0 as a source ip
05:43 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 248 seconds]
08:13 < hyper_ch> krzie: dazo: ecrist: https://www.openssl.org/news/secadv/20171102.txt
08:36 <@ecrist> 2017: The year of security hell.
08:36 < DArqueBishop> s/security//
08:56 < hyper_ch> Need Librem5 - https://yro.slashdot.org/story/17/11/21/1351225/google-collects-android-users-locations-even-when-location-services-are-disabled
08:56 <@vpnHelper> Title: Google Collects Android Users' Locations Even When Location Services Are Disabled - Slashdot (at yro.slashdot.org)
09:10 <@ecrist> Any of you jokers implemented HOTP or TOTP?  Do any of you have any way to leverage a public/private key type to generate similar repsonses?
09:11 < hyper_ch> ecrist: haven't heard of hotp and totp before
09:11 <@ecrist> Can HOTP be adapted to leverage a GPG signature?  I'm trying to avoid using a shared secret in the event that the system doing the authentication is compromised.
09:11 <@ecrist> hyper_ch: it's the one time passcode scheme everyone is using these days.
09:11 <@ecrist> RFC 4226
09:12 < hyper_ch> oh noe... I feel left out again since I don't use one time passcode I think
10:43 < SpeakerToMeat> Hello good peeps
10:43 < hyper_ch> where?
10:44 < SpeakerToMeat> Ok, I have a laptop, it's part of my vpn, I use it on linux 99% of the time but I need to use windows, so I copied the vpn config and keys to windows, installed openvpn, I had to change the cc on server as I had a set of IPs not compatible with the 252 mask on windows-tap, so I moved from 84,83 to 86,85, I can connect to the vpn server, in the admin interface of the server I see the client connected.. but I
10:44 < SpeakerToMeat> can't ping or transmit fom client to server or the other way around
10:44 < SpeakerToMeat> I tried disabling the windows firewall, smae thing..
10:45 < SpeakerToMeat> I think the gui client was run with admin, as if I run route.exe print on console I see the vpn routes exist
10:45 < SpeakerToMeat> Any tips please?
10:47 < hyper_ch> !configs
10:47 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
10:47 < SpeakerToMeat> Hmm ok, let me obfuscate the server address too
10:48 < hyper_ch> better to bofuscate any inline certs
10:49 < SpeakerToMeat> none
10:49 < hyper_ch> you don't have inline certs?
10:49 < hyper_ch> !log
10:49 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
10:49 < hyper_ch> !logs
10:49 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
10:51 < SpeakerToMeat> The fun thing is the config file works well in linux, same config
10:51 < SpeakerToMeat> No inline certs no
10:53 < hyper_ch> wow, life without inline certs was so miserable :)
10:53 < SpeakerToMeat> Config: https://pastebin.com/jfkLGpqs
10:54 < hyper_ch> management?
10:55 < hyper_ch> is that openvpn-as?
10:55 < hyper_ch> not using tls?
10:55 < hyper_ch> !tls
10:55 < SpeakerToMeat> nope nt openvpn-as
10:56 < hyper_ch> !tls-auth
10:56 <@vpnHelper> "tls-auth" is "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to
10:56 <@vpnHelper> make the tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
10:56 < hyper_ch> what's management then=
10:56 < hyper_ch> ?
10:56 < SpeakerToMeat> I dont know
10:56 < inSync> hyper_ch: openvpn community supports a management service
10:56 < hyper_ch> inSync: it does?
10:57 < inSync> it allows some runtime control
10:57 < SpeakerToMeat> I do have a management interface in my server
10:57 < hyper_ch> ha, never knew
10:57 < inSync> disconnect clients for instance
10:57 < SpeakerToMeat> via that port, to get status, etc
10:57 < SpeakerToMeat> I thought you were refering to the management comments in the log....
10:57 < SpeakerToMeat> which ive not shared yet, sorry
10:57 < hyper_ch> so, what about log? configs seem fine
10:58 < SpeakerToMeat> client side log: https://pastebin.com/dAjFs1hj
11:01 < hyper_ch> looks all fine
11:01 < SpeakerToMeat> Server side log https://pastebin.com/nmPnuNKt
11:01 < hyper_ch> Initialization Sequence Completed
11:01 < SpeakerToMeat> yuppers
11:01 < SpeakerToMeat> and the management status on the server says the client is connected...
11:01 < hyper_ch> be happy, it works :)
11:02 < hyper_ch> (and don't tell me the logs lie)
11:02 < hyper_ch> no idea
11:02 < hyper_ch> what's your routing table on the windows computer?
11:02 < SpeakerToMeat> Aaand... it was the firewall....
11:02 < SpeakerToMeat> sigh
11:02 < SpeakerToMeat> Now I need to find how to enable the protocols to pass through the firewall
11:03 < hyper_ch> turn it off?
11:04 < SpeakerToMeat> no but........
11:04 < SpeakerToMeat> ugh urgh glurgh
11:04 < hyper_ch> upgrade the system to linux?
11:04 < SpeakerToMeat> hyper_ch: Please dont :(
11:05 < inSync> SpeakerToMeat: windows firewall is easy
11:05 < SpeakerToMeat> inSync: yeah but being stupid is not
11:06 < hyper_ch> actually, I replaced it with https://www.binisoft.org/wfc.php  --> I found this quite nice :)
11:06 < DArqueBishop> SpeakerToMeat: that's odd. There shouldn't be a reason off the top of my head why Windows Firewall would block outgoing traffic over the VPN.
11:06 <@vpnHelper> Title: Windows Firewall Control (at www.binisoft.org)
11:06 < SpeakerToMeat> inSync: As in "you need to have the phone you're trying to connect from be in the vpn before connecting to an ip in the vpn" stupid
11:07 < inSync> on windows, by default outgoing traffic is allowed
11:07 < DArqueBishop> Is the Windows install on a domain and the domain controlling the firewall?
11:08 < SpeakerToMeat> inSync: my problem is stpidity... and ibound
11:08 < DArqueBishop> SpeakerToMeat: ahh! You're having problems with traffic reaching the client?
11:08 < SpeakerToMeat> yes
11:09 < DArqueBishop> THAT explains it.
11:09 < DArqueBishop> IIRC, the VPN network is always placed in the Public network, so any port openings have to be done there.
11:10  * DArqueBishop has had that issue too.
11:16 < DArqueBishop> Also, a suggestion...
11:16 < DArqueBishop> <hyper_ch> upgrade the system to linux?
11:16 < DArqueBishop> That is almost never a helpful suggestion.
11:17 < rob0> well, I'm not so sure
11:17 < rob0> it's much harder doing advanced networking things on poorly-documented OSs
11:17 < DArqueBishop> In this case it certainly wasn't.
11:17 < DArqueBishop> ... especially when SpeakerToMeat made it clear in his original query that Windows was a requirement.
11:18  * rob0 didn't read the scrollback so can't comment, but takes issue with "almost never" :)
11:19 < hyper_ch> DArqueBishop: I'm pretty sure you can point out where in his original question he made it clear that windows is a requirement?
11:20 < DArqueBishop> <SpeakerToMeat> Ok, I have a laptop, it's part of my vpn, I use it on linux 99% of the time but I need to use windows, so I copied the vpn config and keys to windows, installed openvpn, I had to change the cc on server as I had a set of IPs not compatible with the 252 mask on windows-tap, so I moved from 84,83 to 86,85, I can connect to the vpn server, in the admin interface of the server I see the client connected.. but I
11:20  * inSync grabs the popcorns
11:20 < DArqueBishop> Note the part I bolded.
11:21 < hyper_ch> nothing bolded
11:21 < DArqueBishop> "I use it on linux 99% of the time but I need to use windows"
11:22 < hyper_ch> :)
11:22 < hyper_ch> my kitty must have deleted that from my backlogs
11:24 < rob0> your "bold" text did not come through
11:24 < DArqueBishop> Weird. My apologies. It's showing as bold on this end.
11:24 < inSync> not bold here
11:24 < rob0> IRC doesn't really support that.  My client shows *asterisk-delimited* strings in bold.
11:25  * DArqueBishop shrugs.
11:25 < inSync> *yes*
11:25 < DArqueBishop> Either way, my point stands.
11:25 < hyper_ch> I see now start though
11:28 < DArqueBishop> A strong argument could be made (and that I would agree with) that Linux is a much better technical choice than Windows on the server side for OpenVPN. However, other reasons (like company political ones) would mean Linux would not be the right choice. On the client side, well... considering a VPN client would be just one service on the system...
11:29  * DArqueBishop steps off his soapbox.
11:29 < inSync> lool
11:33 < hyper_ch> one could always run windows in a vm to get the best of both worlds?
11:34 < DArqueBishop> Not really.
11:35 < DArqueBishop> For example, two jobs ago, our engineers' design software was Windows-only, and there was no way you were going to get that working properly (let alone efficiently) in a VM.
11:36 < hyper_ch> did it require 3d? that's the only thing where windows in vm still falls short IMHO
11:36 < DArqueBishop> Yes.
11:37 < Kitty> https://twitter.com/EverydaySexism/status/932911409855418374
11:37 < Kitty> oops, wrong window
12:00 < thalunil> easy-rsa3 on LibreSSL/OpenBSD gives me: "Missing or invalid OpenSSL". Despite the fact that the command is present
13:40 <@ecrist> I think there's a bug for that already.
13:40 <@ecrist> But, if not, please file one on github.
15:18 < SpeakerToMeat> For the future though I will setup a windows VM on my linux install for these things, even when my linux (and windows) partitions are awfully small as they share a small ssd for now.
15:19 < SpeakerToMeat> DArqueBishop: And thanks for defending the point, I decided not to pursue then, I was too stressed right then and it would've ended badly
15:19 < DArqueBishop> No worries, SpeakerToMeat.
15:46 < rob0> stressed?  Why?  If you think comments like that in IRC are hard to take, perhaps you're taking IRC (and yourself) too seriously?
15:47 < SpeakerToMeat> rob0: Stressed because shit explodes at the last hour possible and I'm forced to install and setup a shitload of stuff sitting in an unconfortable chair to try and use an untested setup to transfer something that's horribly urgent?
15:48 < SpeakerToMeat> rob0: You shouldn't jump to conclussions that bad dude, you're gonna break an ankle
15:48 < rob0> my right ankle's already a bit sore
15:55 <@dazo> rob0: been kicking around too much? ;-)
16:18 < TrevorV> Hey all!  I've got a possible very simple problem someone here could probably help me with.  I have a server that I have set up with a simple hypervisor, and one node on that hypervisor.  I'm trying to make an OpenVPN server on the host machine such that I could connect that node to that VPN.  There is more to me doing this, but there inlies the problem...
16:18 < TrevorV> I can SSH between the host/node, and I can use netcat to attach on the port that would be running the server.  However, the node cannot reach the host machine's VPN server.
16:19 < TrevorV> For reference, I've followed this article to almost a T:  https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-7
16:19 <@vpnHelper> Title: How To Setup and Configure an OpenVPN Server on CentOS 7 | DigitalOcean (at www.digitalocean.com)
16:32 < TrevorV> It would appear that this guide is incomplete.  The config assumes creation of "ta.key" on the server, and you have to share that to the client servers.  Just in case anyone else in here was going to follow along.  Have a good night!
20:03 -!- m0nkey__ is now known as m0nkey_
--- Day changed Wed Nov 22 2017
00:16 < hyper_ch> !howto
00:16 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
03:17 -!- 5EXAAS9LS is now known as easzero
03:27 < hyper_ch> dazo: ecrist: krzie: ha, Quad9 already support DNS over TLS
03:27 -!- abenz_ is now known as abenz
04:23 < marc494_> Hi, I have one question about the option comp-lzo. When this option is "comp-lzo yes" in the server and "comp-lzo" in the client will comp-lzo be applied at the tunnel?
04:57 < fahmad> hello everyone
04:57 < fahmad> i have quick question, i would like to know if i can bridge multiple network both local and remote sites ?
05:05 < marc494_> When a client has the option "comp-lzo no", and the server the option "comp-lzo" will compression be applied at the tunnel?
05:36 < gertvdijk> marc494_: afaik it should be the same on all peers and you will get a warning if any have a different comp-lzo configuration. so best is to push the comp-lzo value to the client to make it consistent and configurable from the server.
05:48 < marc494_> Hi gertvdijk, Is comp-lzo at that moment applied at the tunnel? Or only from server side
06:30 < fahmad> i have quick question, i would like to know if i can bridge multiple network both local and remote sites ?
06:32 < rob0> #include usual-bridging-warnings.h
06:32 < rob0> of course you can
06:34 < hyper_ch> so, on Black Friday, will the put Sasmung 960 2TB on sale for half price?
06:40 < fahmad> hmm
06:40 < fahmad> rob0: still alive :-)
06:40 < fahmad> its good to see you bro
06:41 < rob0> ty, it's good to still be on the green side of the grass!
06:41 < fahmad> yup
06:41 < fahmad> rob0: any configuration example for multi sites bridges with multiple lans ?
06:42 < rob0> it's tricky, not something I have done (nor would likely WANT to do!)
06:46 < fahmad> rob0: i can get help :-)
06:47 < rob0> well, as per the usual bridging warnings, I think you'd be better off to scrap the idea and go with routed VPNs
06:47 < rob0> !tunortap
06:47 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
06:47 <@vpnHelper> rooted/jailbroken) support only tun
07:13 < fahmad> rob0: can i have multiple server-bridge in server configuration ?
07:29 < hyper_ch> need moooore coffee
08:14 < dstensnes> !welcome
08:14 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
08:14 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
08:15 < dstensnes> !ask
08:15 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
08:16 < dstensnes> Running Debian 9.2 Stretch. After my openvpn server has been running for a while, my clients are suddenly unable to communicate via openvpn. Message at client: "Authenticate/Decrypt packet error: missing authentication info"
08:16 < dstensnes> anybody have a hint?
08:17 < dstensnes> requires openvpn server daemon restart
08:18 < dstensnes> Using openvpn package from Debian Stretch repository. Version "2.4.0-6+deb9u2"
08:46 <@ecrist> !hyper_ch
08:47 <@ecrist> !learn hyper_ch as Random stuff you didn't know you wanted to know.
08:47 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
08:47 <@ecrist> fuck you vpnHelper 
08:48 <@ecrist> !learn hyper_ch as Random stuff you didn't know you wanted to know.
08:48 <@vpnHelper> Joo got it.
08:48  * hyper_ch gives vpnHelper a cookie
08:55 <@ecrist> hyper_ch: by no means is that meant as an insult.  50% of the time, you post links that *are* interesting. :)
09:00 < hyper_ch> btw, reead about bcache isse in 4.14?
09:01 < hyper_ch> onyl 50% of thee tieiem?
09:03 < hyper_ch> stupid keyboard, needed to replace batteries
09:03 < hyper_ch> but only 50% of the time?
11:36 < nacelle> bugs are bugs
11:46 -!- remirol is now known as lorimer
13:10 -!- invisiblek_ is now known as invisiblek
13:15 < blahdawg> I have OpenVPN setup through pfsense and it works beautifully.  I am finding out now though i need to restrict clients to their specific machine.  Is there an easy way to do this?  What about having a certificate that needs imported through the broswer? i've seen this before with products like juniper just not sure what its actually called or how to go about it.
13:16 < blahdawg> Can anybody please advise me on where to look or point me to where i can do this in the documentation?
13:26 <@ecrist> blahdawg: what do you mean, restrict them to their specific machine?
13:29 < blahdawg> Yes basically
13:29 < blahdawg> Meaning i have several openVPN users (setup in pfsense) tunneling in, but now require to restrict them to their specific machine they use.
13:30 < blahdawg> They can't take the exported client config (user cert) and use it on another machine
13:47 <@ecrist> they can always do that
13:47 <@ecrist> if you don't have physical control, how are you going to do that?
13:52 < crackpotmark> the only two things I can think of, is IP limits and no duplicate sessions
13:57 <@ecrist> IP limits becomes a PITA
13:57 <@ecrist> no duplicate sessions is ideal
15:39 < hyper_ch> dazo: ecrist: krzie:  https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html  :) I wonder in which of the 50% this belongs
15:39 <@vpnHelper> Title: Site list (at webtransparency.cs.princeton.edu)
16:07 -!- 14WABSA2M is now known as easzero
17:58 < hays> I am getting this route failed to add when i run openvpn https://bpaste.net/show/87b91a3fb65e
19:45 < lastc> Hi!, I just installed OpenVpn on a VPS with Ubuntu server 14.04, and at first, everything seem to work fine, but after i rebooted the VPS, everytime a client tries to connect, it shows SIGUSR1[soft,connection-reset] received, client-instance restart
19:45 < lastc> and the client closes the connection with the server
22:00 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:10 -!- mode/#openvpn [+o syzzer] by ChanServ
22:58 -!- abenz__ is now known as abenz
--- Day changed Thu Nov 23 2017
00:35 < krzyzaq> !welcome
00:35 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
00:35 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
00:36 < krzyzaq> hello all
01:39 < b00kworm> !1925
01:39 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
01:40 < b00kworm> meh I expected more than that 😕
03:14 < adac> Wondering if it is possible to proxy a VPN trough for example haproxy?
03:17 < krzyzaq> i'm looking for solution for a problem that has rised recently after moving openvpn to a new server. I can ping ie. the 10.1.10.2 from the openvpn server, but not from the openvpn client. Here are the conf's. Can you suggest me some solution? http://webstorage.kfam.pl/index.php/s/3ZhQDkomJi1iJ00
03:17 <@vpnHelper> Title: KFAMStorage (at webstorage.kfam.pl)
06:44 < easzero> hi
06:57 < krzyzaq> hi
07:07 < naquad> hi
07:07 < naquad> is there any way to set up openvpn authentication with something like secrets file? there's pam plugin but i'm not sure it can do what i need (at least i can't find anything looks like in google)
07:36 < adac> What is the parameter in a ovpn/config file that says that all the internet traffic does not need to be routed trough the vpn server?
07:36 < adac> it works in linux when I run it on command line
07:37 < adac> but when I try to import the ovpn/config file in the ubuntu it tries to route all the traffic trough the VPN
09:34 < pinky> is it possible to push a route after a client has been connected (for some time) ?
09:35 < pinky> like to change routes around without the client having to disconnect first?
09:41 < rob0> adac, ...
09:41 < rob0> !redirect
09:41 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
09:41 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
09:45 < adac> rob0, The network manager vpn file parser has some issues, I had to set this manually https://ubuntuforums.org/showthread.php?t=1668165
09:45 <@vpnHelper> Title: [SOLVED] NetworkManager redirecting all traffic over OpenVPN... (at ubuntuforums.org)
09:46 < adac> The network manager should see if redirect-gateway is not there and therefore set the correct option/flag in my eyes
14:42 < speedio> im using openvpn route-up and route-pre-down to run two scripts which sets new iptables rules, but for some reason the rules are not applied, anyone know why? im running openvpn with --script-security 2..
15:53 < pinky> is there any way to dynamically add/remove iroutes without clients having to disconnect? like say via the management interface?
15:54 < pinky> or maybe if an iroute could have a metric, that could also solve my problem
15:55 < pinky> i have a subnet i want to be behind a given client, unless a second client is connected then i want the routes to go over the second client (the first will remain connected but i don't want that route being taken anymore for that subnet)
15:55 < pinky> i could use a client connect script and force disconnect the first client when the second joins
15:55 < pinky> but ick
16:04 < path[l]> Hello, I’m running into an issue I don’t quite understand. When I start openvpn, it runs and i get a pid. However when I run ifconfig, I do not see the “tun0” interface
16:05 < path[l]> this is the openvpn client not server
16:06 < inSync> path[l]: try ifconfig -a
16:06 < rob0> what OS is this?
16:07 < path[l]> oh that gave me the tun0 interface. This was freebsd.
16:07 < path[l]> looking up what -a does now
16:08 < inSync> all interfaces
16:08 < inSync> even thosse that are down
16:08 < inSync> s/thosse/those
16:10 < path[l]> ah thank you. Do you know why the interface might be down?
16:11 < inSync> i have no experience on freebsd..
16:11 < inSync> but was curious to see if the interface was up
16:11 < inSync> have you checked if the module and device are ok?
16:12 < rob0> can you ping through the VPN?
16:13 < path[l]> I’m unable to now, and this seems to have started recently when I’ve been playing around with firewall rules. So now I want to see if this works atleast when the firewall is down
16:13 < path[l]> ah looks like my firewall rules are messing with it. Which the topic of this channel seems to have guessed : x
16:14 < rob0> :)
16:26 < path[l]> rob0: when I try ping -I tun0 172.217.6.68 it says “ping: invalid multicast interface: `tun0’”
16:26 < path[l]> do you know why that might happen
16:27 < path[l]> oh its a freebsd thing
16:31 < path[l]> can someone help me figure out whats wrong with my firewall rules. ipfw list shows me
16:31 < path[l]> 00010 allow ip from any to any via tun0, 00103 deny ip from any to any, 65535 allow ip from any to any
16:46 -!- sunrunner20_ is now known as sunrunner20
17:08 -!- LocaMocha is now known as MochaLoca
23:01 -!- abenz__ is now known as abenz
--- Day changed Fri Nov 24 2017
00:41 < krzyzaq> does anyone has some idea or can help with solution for a problem that has rised recently after moving openvpn to a new server. I can ping ie. the 10.1.10.2 from the openvpn server, but not from the openvpn client. Here are the conf's. Can you suggest me some solution? http://webstorage.kfam.pl/index.php/s/3ZhQDkomJi1iJ00
00:41 <@vpnHelper> Title: KFAMStorage (at webstorage.kfam.pl)
01:25 < nacelle> whatever 10.1.10.2 is needs to know the vpn clients route goes through eth0.200's 10.1.10.x interface
01:26 < nacelle> assuming thats the layout
01:37 < rob0> Sounds like maybe ...
01:38 < rob0> !serverlan
01:38 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
01:49 < hyper_ch> why aren't any samsung 960 pro 2TB on 50% sale today.... I was really hoping for that....
02:53 < bushid0> !welcome
02:53 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
02:53 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
02:55 < bushid0> !goal I want to know how to enable debugging on the openvpn server to analyse the connection attempts of my client.
03:14 -!- abenz_ is now known as abenz
04:44 < ocb> Hello, I have a small issue with openvpn, openvpn server is running on centos 6, one client is on linux and another client is on windows. The linux client can connect to it without any problems, but when connecting from windows (XP), getting the following error; VERIFY ERROR: depth=0, error=unsupported certificate purpose .... full server log; http://paste.debian.net/997353/
04:45 < ocb> did anyone have such issues, so the problem is in the client and in the client i get VERIFY OK: depth=1 C=RU.... eth
04:45 < ocb> TLS Error: TLS handshake failed
05:05 < ocb> Solved, had to convert them to .pem and sign
05:58 < krzyzaq> nacelle: you intend to add a route on vpn server to route the traffic from client 10.1.81.0 (the clients addresses) to the 10.1.10.0 trough eth0.200?
06:40 < krzyzaq> i have some issues with routing rules so if you could confirm that it's the way to quick win I would appreciate
06:59 -!- aib42 is now known as aib
07:44 < krzyzaq> nacelle: there is in fact a route on the server for dest:10.1.10.0 gw:0 mask: 255.255.255.0 Flags:U Metric:0, Ref:0 Use:0 Iface:eth0.200
07:44 < krzyzaq> it's on the server
07:51 -!- m0nkey__ is now known as m0nkey_
09:13 < adac> I run an openvpn server on a local KVM machine and try to connect to that one also locally. Yesterday this worked just fine but today it suddenly stopped working. When I go onto one KVM machine that hangs in the network as well and I try to ping my local machine I see the following:
09:13 < adac> https://gist.github.com/anonymous/f6142b96b91e5c7c1a574a907cb7b020
09:13 <@vpnHelper> Title: gist:f6142b96b91e5c7c1a574a907cb7b020 · GitHub (at gist.github.com)
09:14 < adac> how can that happen?
09:44 < gertvdijk> adac: sounds like a route loop in your network. TTL exceeded happens when a packet has been routed by too many routers (hops). Perhaps you want to see where it loops with a traceroute.
09:54 < adac> gertvdijk, yes it was something like that. The vpn config file was missing the correct route. I however cannot explain how this then could have worked yesterday :D
10:44 -!- albech1 is now known as albech
15:08 < telmich> hello
15:08 < telmich> I added an ipv6 route through a tunnel, but when pinging the icmp6 packets that are for this route do not arrive on the other side of the tunnel
15:09 < telmich> I can see on the server side that the packets are routed into the tunnel
15:09 < telmich> and pinging the dynamic address from the pool also works, just not the one that I routed; anyone an idea what I could have done wrong?
15:40 < telmich> iroute ftw
16:48 < nacelle> krzyzaq: what is your topology?  i presumed the .2 server was not your vpn server
17:19 < dqx__> hey, how do I configure my OpenVPN server so that a given client can get a range of IPs instead of a single one? I mean, I wanted to map client's LAN nodes to the VPN transparently, without having to use openvpn client everywhere in my network
18:01 < rob0> !clientlan
18:01 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
18:01 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
20:16 < ratcheer> I'm a total newbie to openvpn. Running client, successfully. I don't know how to use it or gracefully stop it.
20:22 < ratcheer> I am trying to read the openvpn.net HOWTO
21:46 -!- abenz__ is now known as abenz
--- Day changed Sat Nov 25 2017
05:03 -!- ketas is now known as ketas-
07:08 < [sID]> I have a question .. how can I add a class to the tunnel? I have a subnet connection 172.20.1.0/24 and each terminal has this IP class and wants to add another class that will support these subnets
09:22 < |Mike|> re.
11:43 < inSync> i just enherited a nice openvpn server, realised that the CA is not there, so i will have to roll my own CA, right? i need to be able to add more clients
11:44 < |Mike|> Yup, might be handy :-)
11:45 < |Mike|> But why's there no CA?
11:45 < |Mike|> !ca
11:46 < inSync> the people who assembled the vpn server used another machine to host the CA, and i didnt got hold of it
11:46 < |Mike|> how many clients are connected?
11:47 < inSync> about a dozen sites and a few users
11:47 < |Mike|> All users are known - have contact with you?
11:48 < inSync> yep
11:50 < |Mike|> that's nice. You can generate a new CA and hand them out to the clients (assuming that you're using ca/cert/key setup)
11:51 < inSync> most of the clients are kikrotik routers
11:52 < inSync> mikrotik
11:52 < |Mike|> "A CA requires a private key which is used for signing the certificates your clients and servers will use. If you loose control of your CA private key, you can no longer trust any certificates from this CA. Anyone with access to this CA private key can sign new certificates without your knowledge, which then can connect to your OpenVPN server without needing to modify anything on the VPN server. Place
11:52 < |Mike|> your CA files on a storage which can be offline as much as possible, only to be activated when you need to get a new certificate for a client or server."
11:54 < inSync> thanks |Mike| for that insight
11:55 < inSync> still have to learn about those routers
11:55 < inSync> as far as i have seen, they seem complex
11:56 < |Mike|> there's a wiki page on the mikrotik website about OpenVPN tho
11:58 < inSync> i've been there, but i still haven't got my hands on one thats not in production
11:58 < inSync> so i can tinker with it
11:59 < |Mike|> Might be smart to purchase 2 test devices and move services over from 1 server imho
11:59 < |Mike|> s/server/device
12:03 < inSync> i might run a second instance of openVPN on another port on the same machine
12:03 < inSync> and add devices there one by one
12:04 < |Mike|> There's just 1 openvpn server?
12:04 < inSync> yep
12:07 < inSync> take them down from instance 1 and reconfigure to instance2
12:08 < |Mike|> for example, yes.
12:14 < inSync> brb
16:49 -!- SirNeo is now known as Mihaita
18:06 < |Mike|> *yawn*
18:07 < |Mike|> krzie: ping
18:07 < |Mike|> dazo: any news on krzie ?
18:14 < rob0> !seen krzie
18:14 <@vpnHelper> krzie was last seen in #openvpn 1 week, 3 days, 17 hours, 46 minutes, and 38 seconds ago: <krzie> im starting to wonder about firewalls
18:14 < rob0> !seen krzee
18:14 <@vpnHelper> krzee was last seen in #openvpn 2 weeks, 3 days, 10 hours, 1 minute, and 29 seconds ago: <krzee> keepalive or similar*
18:26 < |Mike|> rob0: still no sound from him?
18:33 < vantablack> Hello. New to using VPN's and openvpn in particular. I've been having some issues with sites randomly getting Unable to connect / Firefox can’t establish a connection to the server at X
18:33 < vantablack> Is this a problem with the sites blocking my VPN? Or is it a problem with my VPN?
18:35 < |Mike|> redirect issues? ;-(
18:35 < vantablack> Ahh, alrighty. Any way to fix that?
18:35 < |Mike|> Or https / ssl connections? :)
18:36 < vantablack> Idk lol, it's almost always instant
18:36 < |Mike|> !config
18:36 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
18:36 < |Mike|> !logs
18:36 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
18:36 < |Mike|> !configs
18:36 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
18:36 < rob0> |Mike|, 10 and 17 days ago
18:37 < |Mike|> rob0: joining / reconnecting yeah. But did he utter some masterly important words in this channel?
18:38 < rob0> "seen" reports words of wisdom
18:38 < vantablack> Ahh, how do I do that in Linux? /home/name/vpn/client and /server are both empty
18:38 < |Mike|> rob0: Sir, you're allowed to smack teh Mike :)
18:38 < |Mike|> it's in /etc/openvpn/ ;-)
18:38 < rob0> no, that gets noisy :)
18:39 < vantablack> still nothing in there lol
18:39 < |Mike|> noisy =! bloody
18:39 < |Mike|> vantablack: huh? ps aux | grep openvpn
18:40 < vantablack> all I get from that is https://ghostbin.com/paste/8akgw
18:41 < |Mike|> that's from the client :)
18:42 < |Mike|> rob0: i've been in CZ for a few weeks and didn't pay attention to #openvpn
18:43 < rob0> if I was in CZ I'm sure I'd be focused much more on local cuisine and BEER than on IRC
18:43 < |Mike|> Mala Skala soup <3
18:43 < vantablack> I don't follow
18:44 < vantablack> This is the first time I've ran openvpn on this installation, do I need to exit it first?
18:44 < rob0> vantablack, is this a VPN provider, and if so, did you ask their helpdesk?
18:44 < vantablack> Yes, and no not yet. Unsure if they have one. I'll look into it. Thanks
18:44 < |Mike|> I kinda assumed that he was running his own OpenVPN server :-p
18:45 < vantablack> Nope lol, using riseup.net
18:45 < |Mike|> (like many others....)
18:45 < rob0> it's quite possible that many sites block VPN providers.
18:46 < vantablack> So should I take this up with the site? My one issue in particular is my college's e-learning site blocking it lol
18:47 < |Mike|> particular <==
23:50 -!- abenz__ is now known as abenz
--- Day changed Sun Nov 26 2017
00:34 -!- abenz_ is now known as abenz
06:32 < mingdao> I have a connection that has been working, but now is resetting continually http://sprunge.us/JBhc
06:33 < mingdao> is this enough information to go on? I have contacted someone for help on the server side, but no reply in 24h
06:39 < rob0> eww, net30 ... you don't control the server, I guess?
06:40 < mingdao> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
06:40 < mingdao> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
06:41 < mingdao> oops, sorry; moved the laptop
06:41 < mingdao> no, I don't control the server
06:42 < mingdao> I can get on it from another, existing connect, but don't have root so can't read any logs
06:42 < mingdao> I could changed verb 3 to 5 on my side if that would help
06:43 < mingdao> there is one connection that has been existing on another LAN since Nov 19, and I can ssh to the server with it
06:44 < mingdao> however, if I run "svn update", it disconnects
06:44 < mingdao> bhill@titan ~/site/providence $ up
06:44 < mingdao> svn: Network connection closed unexpectedly
06:45 < rob0> is this TCP?  It says you got a connection reset.
06:47 < rob0> when you try again, same result?  Always 5 seconds to reset, or does the time vary?
06:48 < mingdao> TCP/UDP: Closing socket
06:49 < mingdao> it's always the same time
06:49 < rob0> is this tcp or udp?
06:50 < rob0> you did not include your client config in the paste
06:55 < mingdao> it's TCP -- client config http://sprunge.us/NiFS
07:13 < mingdao> what I meant to say earlier, is when I increase verb from 3 to 5, the only extra output is "TCP/UDP: Closing socket" between "Connection reset, restarting [0]" and "SIGUSR1[soft,connection-reset] received, process restarting"
07:49 < mingdao> rob0: did you see anything in the client config you want to note?
07:50 < mingdao> been using that config for months; it's sent to us by the guy who admins it, nothing to do on the client side
07:50 < mingdao> I'm sure this is a server error
08:21 < rob0> well, TCP and net30 indicate that your admin is some variant of lazy or clueless.  TCP was never a good idea, and net30 has been deprecated somthing like 10 years.
08:23 < havoc> I only use tcp:443 when I'm redirecting all, to get around hotel captive portals and such
08:23 < havoc> "looks" like regular HTTPS traffic, which is normally allowed
08:25 < rob0> I know mingdao IRL, and have some idea about his employer, and I doubt they're up against the captive portal thing.  Note they're not redirecting, just pushing a bunch of internal routes.
08:25 < havoc> ah
08:25 < havoc> just saying, that's what *I* use TCP for :)
08:26 < rob0> so I'm sticking with the lazy/clueless thing for now :)
08:26 < havoc> ok then :)
09:07 < mingdao> when you begin with servers whose OS is >5.5 years EOL, it only goes downhill from there
09:08 < mingdao> I looked through old email, and had this issue back in Sept.
09:08 < mingdao> It got fixed, but he never replied back then, either.
09:08 < mingdao> thanks rob0 ... hope to see you next weekend
09:08 < mingdao> and yes, why not UDP?
09:09 < mingdao> and we do redirect like a pinball machine btw
09:09 < mingdao> reverse tunnel ftw!
09:09 < mingdao> thanks, guys; I'm mobile now and probably no connection again for ~12h
13:23 -!- Elon_Satoshi is now known as Copenhagen_Bram
14:10 < diizzy> hmm....
14:11 < diizzy> Has anyone compared how gcc optimization option affects openvpn performance?
14:11 < diizzy> O2 Os O3 for instance
15:52 < 32NABD6D8> hi
17:06 < DaveCFatal> Hello, my issue may very well have nothing to do with OpenVPN since I don't know what it is but I dunno where else to ask
17:06 < DaveCFatal> I've been without a IPv4 connection for nearly two weeks, ISP have no idea what the problem is
17:07 < DaveCFatal> My hope is I could get a VPN that works over IPv6 that would allow me to access IPv4 sites
17:07 < DaveCFatal> Anyone care to hold my hand through this process?
22:50 < DaveCFatal> Hello, Is it possible to connect to a vpn using openvpn over IPv6?
22:58 < nacelle> yes
22:58 < nacelle> https://community.openvpn.net/openvpn/wiki/IPv6
22:58 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
--- Day changed Mon Nov 27 2017
00:03 -!- abenz_ is now known as abenz
00:15 < krzyzaq> nacelle: no, the .2 is not the openvpn server. It's in the one of many subnets. The openvpn is 10.1.81.3/24 and the clients for openvpn receive 10.1.81.100-200/24 ip range. Unfortunately they don't pass to the other subnets ie. 10.1.10.0/24
00:18 < krzyzaq> I can ping the server from the client, but not any other subnet...
00:28 < mojtaba> Hello, have you used stunnel?
00:28 < mojtaba> I am getting connection error to localhost over TCP local port.
00:29 < mojtaba> Do you know what could be wrong, or where should I check?
00:37 < mojtaba> no one?
00:40 < nacelle> krzyzaq: sounds like routing issues on the .2 server not knowing how to reach the 10.1 network, maybe
02:07 < mojtaba> Hello, have you used stunnel? I am getting connection error to localhost over TCP local port. Do you know what could be wrong, or where should I check?
02:13 < krzyzaq> nacelle: sorry, but I had some hw problems, and needed an reboot.. About the accessing for me it's strange since without the vpn tunnel directly from the server I'm able to ping the server .2, also there are on the server routes 10.1.10.0       *               255.255.255.0   U     0      0        0 eth0.200
02:14 < krzyzaq> as well as pushed to the vpn client: 10.1.10.2       10.1.81.3       255.255.255.255 UGH   0      0        0 tap0
05:04 < kubanc> hello. I need some help, I am stuck. I have a VPN server with 3 dedicated IP numbers, so each user that connect gets its own IP address to access internet. 2 of users are working fine, but one of them is getting error:Connection reset by peer (WSAECONNRESET) (code=10054). Any ideas what caould be wrong with user no.3?
05:15 -!- abenz_ is now known as abenz
06:17 < gebbione> any ideas how i can fix this ? http://paste.ubuntu.com/26057800/
06:18 < BtbN> Don't use the same port twice
06:19 < gebbione> so you mean there is a service on my machine that does bind on 1195 and does not allow the connection?
06:19 < BtbN> You cannot bind on the same port twice, how would that work?
06:19 < BtbN> Whoever comes first wins
06:20 < gebbione> i know that, but i dont recall running anything on that port. I am going to check
06:20 < BtbN> If this is a client, you must have misconfigured something. Clients are supposed to use random ports
06:21 < gebbione> it is a client
06:21 < gebbione> i am just using  a config file
06:21 < BtbN> well, there is a mistake in that config file then
06:22 < BtbN> it's trying to bind on 1194. Random ports are not usually in that range
06:23 < gebbione> correct me if I am wrong ... isnt it just trying to bind to that port against a remote service? not on my machine
06:23 < gebbione> so the vpn client is trying to bind to that remote ip on that port
06:23 < BtbN> no, that's the local port.
06:24 < BtbN> you do not bind on remote ports
06:26 <@dazo> gebbione: if this is an openvpn client config, ensure you use --nobind in the config ... otherwise, running "ss -lntup | grep openvpn" might give you more clues about running OpenVPN instances
06:26 < gebbione> ss -lntup | grep openvpn ... shows nothing
06:27 < gebbione> dazo can i pass --nobind against the config file?
06:28 <@dazo> !--
06:28 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
06:28 <@dazo> gebbione: ^^
06:31 < BtbN> Just edit the config?
06:32 < gebbione> dazo, the --nobind worked
06:32 < BtbN> That config must be explicitly binding on that port
06:32 < BtbN> fix it
06:32 < gebbione> i ll try to understand how to remove the binding in the config file too
06:32 < gebbione> thanks both
06:32 < prauat> Hi
06:34 < gebbione> another question, is there a way to add a new nameserver through the VPN config?
06:34 <@dazo> BtbN: by default, OpenVPN client configs binds on the same port as the remote port used .... so if you have two clients or a server biding to 1194 and running a client against a remote on port 1194, it will collide like this
06:34 < gebbione> I have just changed resolv.conf and I know this is a hack
06:34 < BtbN> dazo, the server isn't even on the same port though
06:35 <@dazo> hmm well, then there must be a lport 1194 in that server config ... or similar
06:35 <@dazo> hmm it truly is odd though
06:36 <@dazo> on second thought, a server config with --port actually results in --lport
06:36 <@dazo> (the --port option is essentially just a macro, setting both --lport and --rport to the same port number)
06:36 < BtbN> How would something in the server config result in something on the client, before the connection was even made?
06:37 < BtbN> Or you mean if you just copy it, and change the remote bits?
06:37 <@dazo> Now I don't quite follow .....
06:53 < styler2go> Hi. I have a security camera which doesn't support vpn. Any idea how i can still bring this device into vpn?
06:54 < BtbN> Put a device in front of it that does.
06:54 < styler2go> Hmm
06:56 < styler2go> I have one device in my network which is always on (and in vpn). Can i somehow route the ip camera with this?
07:00 <@dazo> styler2go: yes
07:11 < mojtaba> Hello, have you used stunnel? I am getting connection error to localhost over TCP local port. Do you know what could be wrong, or where should I check?
07:44 < hyper_ch> my internet is down :(
07:47 < rob0> ha, I'm too late to say !notovpn
08:26 < MacGyver> I just realized that that factoid title can be read as "No to VPN".
08:26 < rob0> haha, yes
09:05 < styler2go> dazo, do i need to map each port i need?
09:06 <@dazo> styler2go: it depends ... what's your setup?  show your configs, and we'll be able to give a better qualified answer
09:06 <@dazo> !configs
09:06 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
09:07 <@dazo> in this case, the configs you use on the trouble some openvpn box is required here
09:17 < henti> Good day al.
09:43 < henti> I've setup a test network using the server config at https://openvpn.net/index.php/open-source/documentation/howto.html, but using our IP ranges. Connection works, everythign seems fine, but I cannot get to any place on the VPN network. Investigating shows the Internal Gateway: 10.43.32.9, but I cannot ping that IP on the client. I can however ping the vpn server ip 10.43.32.1. Any ideas whats going on ?
09:43 <@vpnHelper> Title: HOWTO (at openvpn.net)
10:05 <@dazo> !serverlan
10:05 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
10:05 <@dazo> henti: ^^^
10:28 < nacelle> krzyzaq: if you can, maybe run tcpdump on the .2 machine to watch the packets from the vpn client... and you'll probably see the replies directed out the .2' boxes default gateway instead of going back to the vpn client via the vpn server.   (its weird to put your clients on the same subnet as something physical, not that it cant be done but you induce a lot of networking broadcast issues that way)
10:28 < nacelle> might want to adjust topology such that the clients are on a dedicate vpn range and thats route to the vpn server
10:29 < nacelle> much easier to deal with
10:55 < shootbird> uggh
10:55 < shootbird> I'm trying to force vlan route to specific VPN on linux
10:56 < shootbird> I've got 1 working.... but had issues w/the 2nd
10:56 < shootbird> marked in iptables, applied same rules....no go.
10:56 < shootbird> are there any notable guides out there for this? - maybe I'm missing something basic.
12:50 <@ecrist> !notovpn
12:50 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
14:12 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
14:15 < Yiota>  how can I access a network behind an openvpn client?
14:16 < Yiota> the openvpn client is on the route in an office, however there is a 10.20.30.0/24 network and a 192.168.1.0/22 network
14:24 <@ecrist> !route
14:24 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
14:24 <@ecrist> !iroute
14:24 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
14:24 <@ecrist> Yiota: those are for you
14:29 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 258 seconds]
14:40 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
14:40 -!- mode/#openvpn [+o mattock] by ChanServ
15:25 -!- NotSecwitter is now known as NonSecwitter
15:41 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
15:41 -!- mode/#openvpn [+v RBecker] by ChanServ
15:41 < Yiota> @ecrist I've push "route 10.20.30.0 255.255.255.0" and route 10.20.30.0 255.255.255.0 in server.conf
15:41 < Yiota> and in the client's ccd I've added iroute 10.20.30.40 255.255.255.0
15:41 < Yiota> i've sudo systemctl restart openvpn
15:42 < Yiota> but traceroute to any ip on that netmask does not go through the interface
15:42 < Yiota> (tun0)
16:43 <@dazo> Yiota: please see !systemd
16:43 <@dazo> !systemd
16:43 <@vpnHelper> "systemd" is (#1) Most systemd based distros package the upstream OpenVPN openvpn-server@.service and openvpn-client@.service unit files. Use those instead of the distro provided ones (openvpn.service, openvpn@.service), as they too often work poorly., or (#2) Unfortunately, Debian have added some weird OpenVPN systemd integration trying to simulate how things worked before systemd arrived. These
16:43 <@vpnHelper> approaches often causes more confusion, so _do_ consider #1 carefully., or (#3) Also see this README for OpenVPN + systemd: https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/README.systemd
16:43 <@dazo> (probably not related to your issue, just saw you used a systemctl syntax we don't really recommend)
20:15 -!- allizom1 is now known as allizom
21:20 < nightfly> Running OpenVPN version 2.3.10. There seems to be a server-wide delay sometimes when hitting pam for auth: https://gist.github.com/anonymous/7c489139afb02d073761f9bf258d1b20
21:20 <@vpnHelper> Title: gist:7c489139afb02d073761f9bf258d1b20 · GitHub (at gist.github.com)
--- Day changed Tue Nov 28 2017
00:07 < kubanc> hello, I am receiveing error code Unknown error (code=10054) when trying to connect to my VPN Server. I have 3 dedcated IP numbers for my VPN Server. Each IP is for specific user. Is it possible that one of IP numbers is not configured correctly
00:10 <@ordex> kubanc: what client are you using? where do you see that error?
00:48 < krzyzaq> nacelle: ok I'll try that
00:49 < krzyzaq> nacelle: how according to you should the 'correct' setup look like?
00:52 -!- mojtaba1 is now known as mojtaba
00:59 -!- mojtaba1 is now known as mojtaba
01:16 -!- mojtaba1 is now known as mojtaba
01:17 < nacelle> krzyzaq: pm if you want, there's no one way to do things correct, but there are ways to save a lot of effort, etc. :-)
01:23 < kubanc> ordex: Are you still here?
01:27 <@ordex> yes
02:25 -!- ketas is now known as ketas--
02:30 -!- ketas- is now known as ketas
03:10 < gebbione> hi folks, how do i understand openvpn config files so i can modify them? is there a page that documents how to change options? in my case i want to add the --nobind option in the file
03:17 < gebbione> never mind, i saw the example
03:17 < gebbione> though in docs it was not obvious
03:32 <@dazo> nightfly: if your pam backend is somewhat slow, then that delay is not entirely unexpected
03:34 <@dazo> nightfly: you might want to consider using nscd or sssd with caching .... if it will help depends on if it is some LDAP (or similar) lookups being slow or if it is the authentication itself
03:34 <@dazo> but we should actually improve the auth-pam plug-in to use deferred authentication
03:52 < kubanc> i am checking the log file of 2 clients, one that can connect and one that cannot connect. the only difference between them is that the one user I cannot connect has a route_method=0 and the working one has route_method=3
03:59 <@ordex> gebbione: each config option in the config file is documents in the manpage
03:59 <@ordex> *documented
03:59 <@ordex> kubanc: and?
04:00 < dakar> and he's asking what may be causing that
04:01 < kubanc> ordex: the one that has inside the .log file "route_method = 0" cannot connect to Server, it stops with error: read UDP: Connection reset by peer (WSAECONNRESET) (code=10054), while the other one can connect normally. So I went through log file of each other, and saw the difference in the "route_method = 0"
04:02 <@ordex> kubanc: could you paste the full logs?
04:02 <@ordex> !logs
04:02 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
04:02 <@ordex> if you could paste the log of the server it would be easy to understand what's wrong too
04:03 < kubanc> I am looking at the server's side but the connections does not even come to the Server, because nothing changes inside the .log file (verb is set to 4)
04:03 <@ordex> th connection does not even come to the server? then sounds like a firewall problem, no?
04:05 < kubanc> ordex: https://paste.ubuntu.com/26063583/
04:05 < kubanc> i'll copy the .ovpn to different computer
04:06 <@ordex> I don't think it's a config problem
04:06 <@ordex> it seems the udp connection is getting reset
04:06 <@ordex> do you see incoming packets at all on the server frm that client? (you can check with tcpdump or wireshark)
04:09 < kubanc> ordex: I have copied the .ovpn to the computer from which I can normally connect to this server and It stops with the connection at the line:" MANAGEMENT: >STATE:1511863712,WAIT,,,,,,"
04:09 <@ordex> and does it connect?
04:10 < kubanc> ordex: no
04:10 < kubanc> it just stays at this...
04:10 < kubanc> now  I tried with other .ovpn connection and it works fine
04:10 < kubanc> ordex: could be something wrong with certificates?
04:11 <@ordex> it depends what you see on the server side
04:11 <@ordex> when the client connects
04:11 <@ordex> that's why I asked for both logs :P
04:12 < kubanc> well, I will create a new certificate for client...
04:12 <@ordex> kubanc: why not checking the server log first ?
04:12 < kubanc> ordex: if I try with the one that does not work, the connections does not even come to the server side. Log file does not recognize anything
04:13 <@ordex> even with the second ('working') pc ?
04:13 < kubanc> ordex: yes
04:13 <@ordex> if so, what is the difference between the 2 config files (other than the certificates) ?
04:16 < kubanc> ordex: IP they connect to (I have two virtual network cards so each client gets its own IP), then we have a difference in Serial Number
04:16 < kubanc> ordex: differences in certificates
04:16 <@ordex> then are you sure the server is listening on both IPs?
04:17 < kubanc> ordex: I can do SSH to both IP numbers
04:18 <@ordex> kubanc: I was asking about the openvpn server/daemon
04:18 <@ordex> is it listening on 0.0.0.0 ?
04:18 < kubanc> just a sec
04:21 < mojtaba> Hello, I am using stunnel and openvpn, (I am in China), but still I cannot open websites like youtube.com
04:21 < mojtaba> Does anybody know what should I do?
04:22 < kubanc> ordex: where can I check that, I cannot find the command to display that
04:24 < kubanc> ordex: it is not listening on 0.0.0.0 but on a different IP
04:29 < mojtaba> Hello, I am using stunnel and openvpn, (I am in China), but still I cannot open websites like youtube.com Does anybody know what should I do?
04:30 < specing> huh, VPNs are still wroking for you?
04:31 < specing> I heard they started blocking vpns en-masse
04:31 < kubanc> specing: yes me to, VPN does not work anymore in China
04:32 < kubanc> ordex: OK, I recieved some more info on the client's side https://paste.ubuntu.com/26063710/
04:32 < kubanc> TLS key negotiation failed to occur within 60 seconds
04:32 < mojtaba> specing: it was wrapped in ssl encryption. So it is like https.
04:36 < mojtaba> I am using stunnel on port 443, which is https
04:36 < mojtaba> So, it suppose to work. Do you know what could be wrong?
04:37 < specing> you think they don't filter https? :D
04:38 < specing> I mean that would be a major oversight on their part, even larger than VPNs
04:43 < mojtaba> specing: most of the web is on HTTPS
04:43 < mojtaba> besides, I can open some https websites, even without vpn.
05:10 < mojtaba> Hello, I am using stunnel and openvpn, (I am in China), but still I cannot open websites like youtube.com Does anybody know what should I do?
05:13 < diizzy> mojtaba: you probably want shadowsocks
05:14 < mojtaba> diizzy: Is that better that stunnel?
05:46 < hyper_ch> my fiber is defect :(
10:05 < ayaka> I have a problem with fragment and mssfix, they must be match in both client and server side
10:06 < ayaka> but if a client request a lower value, which maybe in a bad network environment, is there a way to do that?
11:11 < GammelSmurf> https://www.vilfo.com/
11:11 <@vpnHelper> Title: Protect your home with a VPN router | Vilfo (at www.vilfo.com)
11:11 < GammelSmurf> it's nice.
11:15 < BtbN> "protect"
11:15 < BtbN> If you don't trust your ISP, but some weird StartUp company, something is very wrong.
11:18 < rob0> yes, that company is no more likely to "protect" you than your own ISP
11:41 < DArqueBishop> If you're that concerned about your traffic being protected, you're more likely better off with moving to Tor.
13:08 < blawdawg> Does openVPN support client certificates that would be imported int your browser?
13:42 < ThereIsNoYeti> Is it considered bad practice to host other services, like a web server, on the same linux server as an OpenVPN server?
13:43 < rob0> that would be impossible to say.  Maybe, maybe not?
13:44 < ThereIsNoYeti> I had this vauge itching in my brain that having more than one port open with packet forwarding/masquerade enabled might be some kind of risk. Assume the web services are running under their own users and groups (not nobody or root) and all the files and permissions are properly set
13:46 < rob0> oh, I don't automatically assume that an openvpn server is doing forwarding/masq.  Some might be simply providing services via the secured link.
13:46 < rob0> But even so, I don't see how that increases your exposure very much.
13:48 < rob0> Generally the worst thing likely to happen is CPU overload on the core which runs openvpn, I think.
13:48 < rob0> but the OS should allocate other processes to other cores
13:50 < ThereIsNoYeti> okay, just a vauge thought I had I figured I would check
13:50 < efb84> Is there any way to serv openvpn gui from an openvpnas server? That was user locked profiles come with the client? The standard client downloaded from the server doesn't seem to allow for non autologin profiles?
13:50 < rob0> no idea about that, ...
13:50 < rob0> !as
13:50 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
13:51 < rob0> It's different software, we don't use it.
13:51 < efb84> Gotcha, thanks
13:54 -!- ThereIsNoYeti is now known as SkeletorWasRight
13:54 -!- SkeletorWasRight is now known as ThereIsNoYeti
13:54 -!- ThereIsNoYeti is now known as SkeletorWasRight
14:34 < sIRwa2> !welcome
14:34 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
14:34 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
14:37 < sIRwa2> !goal i like to know where i can find client log's about possible disconnects
14:45 < Hidden_Tundra> Hey everybody, I'm trying to install openvpn on a windows host, and when I run build-ca.bat, it outputs that openssl isn't a recognized command. Anyone have any thoughts?
15:02 < nbastin> ok, does anyone know how to keep a site-to-site PSK server up all the time, but still close the connection if the client disconnects?
15:03 < nbastin> over UDP this does not seem to work regardless of the configuration I use
15:03 < nbastin> if I use inactive, it actually kills the server process
15:04 < nbastin> if you use keepalive it constantly resets the connection because it doesn't work properly with non-ip traffic apparently
15:06 < nbastin> "Causes OpenVPN to exit after n seconds of inactivity on the TUN/TAP device. The time length of inactivity is measured since the last incoming or outgoing tunnel packet." is what the docs for inactive say
15:07 < nbastin> which apparently doesn't *really* mean since the last packet, since if it never got a packet it still dies
15:08 < Hidden_Tundra> Right, solved the openssl bit. Now I'm getting that -config needs a value. Ideas?
15:11 < nbastin> 2.4.4 takes this problem to a whole new level since it has some kind of restart backoff by default, and so the tunnels don't even come back up
15:12 < nbastin> I think someone shared a config tweak to eliminate the backoff, but the constant disconnects still persist
15:18 < Hidden_Tundra> Right, solve THAT issue. Now it throws an error when trying to create the ca(?). Pastebin: https://pastebin.com/P1G2xqe3
15:20 < nbastin> that error seems pretty clear
15:20 < Hidden_Tundra> ?
15:20 < nbastin> your cert config needs a DN
15:20 < nbastin> you can't make a cert without one
15:20 < Hidden_Tundra> nbastin: Is that something I can just edit into the .cnf file?
15:20 < nbastin> yes
15:21 < nbastin> I mean I'm not sure how you're making certs, but apparently using .cnf files, so you should add it there.. :-)
15:21 < nbastin> somewhere there should be a [req] section
15:21 < nbastin> that has distinguished_name (or apparently not)
15:21 < Hidden_Tundra> I mean, I'm trying to follow the instructions on the website for setting it up. But things aren't being agreeable
15:21 < nbastin> which will reference req_distinguished_name usually
15:22 < nbastin> which has a section that will have countryName and such
15:22 < nbastin> where did you get your .cnf file from?
15:23 < Hidden_Tundra> It's the cnf that came with ovpn when it installed
15:23 < nbastin> there's one installed from the source package?  really?
15:23 < rob0> no
15:24 < rob0> certainly not a working one
15:24 < rob0> examples in documentation
15:24 < Hidden_Tundra> Ah, well that may well be where my problem lies
15:24 < nbastin> rob0: you don't have any idea how to solve my keepalive/inactive problem do you?  :-)
15:24 < rob0> but, it could be from a provider's distribution
15:25 < rob0> nbastin, I was thinking maybe some kind of watchdog script or daemon to restart it
15:25 < nbastin> rob0: I guess I could do that, and hope inactive works otherwise...
15:25 < nbastin> my problem is really that ping-restart does not actually work, and I can't figure out why (it restarts all the time, not just when it hasn't had traffic)
15:26 < Hidden_Tundra> rob0: This is literally just the basic windows install
15:26 < nbastin> if inactive works, then the watchdog will work...if inactive fails the same way ping-restart does, that won't help
15:26 < nbastin> guess I should test it
15:28 < nbastin> "In server mode, --ping-restart, --inactive, or any other type of internally generated signal will always be applied to individual client instance objects, never to whole server itself." this also doesn't seem to be true - it kills the server
15:29 < Hidden_Tundra> At the moment 've been following this guid: https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide
15:29 < nbastin> (ping-restart doesn't, but inactive does)
15:29 <@vpnHelper> Title: Easy_Windows_Guide – OpenVPN Community (at community.openvpn.net)
15:29 < Hidden_Tundra> However when I get to the build-ca.bat stage it complains about -config not having a value
15:45 < diizzy> hmm....
15:45 < diizzy> I'm a bit confused, cipher AES-192-CBC isn't valid if you use TLS?
15:46 < BtbN> why would you use that odd size?
15:46 < diizzy> apart from that heh
15:46 < BtbN> I wouldn't be surprised if it's slower than 256 as well
15:47 < diizzy> client and server reports AES-256-GCM on "Data Channel"
15:48 < diizzy> http://paste.ubuntu.com/26067254/
15:49 < diizzy> I'm not sure if that means you can only use * when using TLS or if these only works if you're using TLS
15:49 < diizzy> it seems to be the latter
16:05 < nacelle> AES-192 is almost always faster than AES-256
16:05 < nacelle> AES-128 usually faster than those
16:10 < diizzy> ahh, you need to set ncp-ciphers AES-192-CBC
16:10 < diizzy> chiper seems to get ignored :/
16:23 -!- 5EXAAT6YU is now known as easzero
16:31 < diizzy> hmm... looks like gcc optimization doesn't affect openvpn much in terms of performance
16:32 < diizzy> at least not Os vs O3 on mips heh
16:34 < nbastin> I mean I suppose the difference between -g and -O3 might be a percent or two
16:34 < diizzy> doing aes-192-cbc it's 0.2mbit ;-)
16:35 < nbastin> on what mips?
16:35 < nbastin> also if oyu have some exotic platform, gcc is almost never the right answer for the compiler to use.. :-)
16:35 < nbastin> (for optimal performance anyhow)
16:35 < diizzy> Atheros AR9344 560Mhz
16:35 < nbastin> ew
16:35 < nbastin> :-)
16:36 < diizzy> haha
16:36 < diizzy> at least aes gets ~15% faster using O3 than Os for OpenSSL
16:36 < diizzy> on the same platform
16:37 < nbastin> I mean you have a big memory copy problem if it has no hardware acceleration for AES
16:37 < diizzy> mbedtls seems to be slower overall, not that I've really benchmarked however
16:38 < nbastin> in general in my experience openssl is the fastest implementation, although we're still working on a comprehensive test suite
16:38 < nbastin> maybe over the holiday..
16:38 < diizzy> btw, does kernel hz have any "real" impact on performance?
16:38 < nbastin> well sure
16:39 < diizzy> I've been seeing a few random posts claiming that 1000 is better than lets say 100 for openvpn
16:39 < nbastin> it affects memory copy speed and instructions per second of course
16:39 < diizzy> (without any numbers)
16:39 < nbastin> oh you mean the scheduler hz?
16:39 < diizzy> yeah
16:39 < nbastin> it probably does, but in what way is sortof interesting.. :-)
16:39 < nbastin> I mean it means it context switches slower, which may help you, but also may hurt you
16:40 < diizzy> that sounds reassuring :P
16:40 < nbastin> on the other hand if no context switch is necessary, a larger number is much bigger, as the overhead of scheduler is reduced
16:40 < nbastin> much better even
16:40 < diizzy> being that openvpn is userspace it should help?
16:40 < diizzy> until you get to the point that its inefficient that is
16:40 < nbastin> I mean that has nothing to do with it, generally
16:41 < nbastin> anything being scheduled is affected
16:42 < nbastin> but I doubt much will help your situation.. :-)
16:42 < nbastin> although 200kbits is pretty bad
16:44 < diizzy> according to top openvpn slams the cpu
16:44 < nbastin> yes
16:44 < BtbN> There is no simd on mips
16:44 < BtbN> so of course shit is slow
16:44 < diizzy> BtbN: I'm just trying to get as much performance as possible without breaking things ;)
16:45 < BtbN> No compiler option you can possibly set will make any difference
16:45 < BtbN> Disable all sse/aes-ni features on x86, and it will be similarily slow, even on a modern Intel
16:45 < BtbN> mips does not have that stuff in the first place
16:46 < nbastin> I mean that chip has AES hardware acceleration, which I'm sure your OS doesn't use
16:46 < diizzy> the only fancy thing this soc has is dsp
16:46 < diizzy> https://gcc.gnu.org/onlinedocs/gcc/MIPS-DSP-Built-in-Functions.html
16:46 <@vpnHelper> Title: Using the GNU Compiler Collection (GCC): MIPS DSP Built-in Functions (at gcc.gnu.org)
16:46 < diizzy> but that doesn't really help in this case
16:46 < BtbN> if it's a dedicated hw accelerator, you'll need special software to use it
16:47 < diizzy> this is a dinky consumer router, no go
16:48 < nbastin> also fwiw there is simd on mips, including in the 74k
16:48 < nbastin> but that's not the issue
16:49 < nbastin> it's just a slow low power soc for which you don't have a hardware optimized crypto build
16:50 < nbastin> because I assume this is lede or something
16:50 < nbastin> and they have diddly for hardware support mostly
16:52 < diizzy> Yeah, it's LEDE
16:52 < nbastin> yeah so to the extent that the original firmware had any hardware acceleration, you don't have it now
16:53 < diizzy> It doesn't, the only hw acceleration you have is nat via the switch chip
16:55 < diizzy> I'm not expecting miracles but getting ~20mbit using 192 would be nice
16:56 < nbastin> diizzy: the soc has AES 128 acceleration and 2x8 SIMD, but you'd need the BSP and docs to exploit them
16:56 < nbastin> (plus, you know, the desire to dig through openssl source...)
16:57 < diizzy> or expose it to cryptodev?
16:57 < nbastin> well you can't expose it publicly, it's licensed.. :-)
16:58 < nbastin> I have no idea if qualcomm is any more giving than atheros used ot be
16:58 < nbastin> but atheros was where good ideas went to die
17:05 < dym> Hey guys! I just moved a VPN Server from one VM Host to another, and suddendly it starts assigning ipv6 adresses to roadwarriors? This is my config: https://pastebin.com/tQtu9rtd
17:06 < diizzy> heh
17:07 < dym> Client list: https://pastebin.com/raw/kRmKpsce
17:07 < dym> damn, thats a mac.
17:08 < dym> good morning!
18:31 < Kobaz> are CRLs always checked from the on-disk copy?  Ie... new revocation... do i need to reload openvpn?
18:59 < diizzy> interesting, mbedtls is actually faster than openssl on this mips box
19:04 <@dazo> Kobaz: CRLs are refreshed automatically, no need for a reload
19:04 <@dazo> (refreshed as in, the OpenVPN process will re-read the file when needed)
19:05 < Kobaz> k great
19:06 <@dazo> diizzy: might be openssl is lacking some CPU optimizations ... OpenSSL carries a lot of such optimizations, often written in assembly .... whereas mbed TLS is "purer" C in that regard
19:09 < diizzy> dazo: http://paste.debian.net/998084/
19:10 < diizzy> openssl is used unless mbedtls is mentioned
19:11 < diizzy> not exactly scientific but you get an idea at least :)
19:11 < diizzy> stock config --> -Os (on everything)
19:13 <@dazo> oh another detail ... mbed TLS is targeting embedded devices
19:13 < diizzy> I'm quite surprised that mbedtls doesn't really have much arm specific optimizations
19:48 < isagirl> part
22:15 < easzero> hi, I was connected to sites in the internet a few minutes ago, an still AM connected. Now i additionally set up a vpn connection to my server. Are now all connections within this vpn tunnel or only the NEW ones?
23:43 < hyper_ch> security done right:  https://twitter.com/lemiorhan/status/935578694541770752  :)
23:57 -!- albech1 is now known as albech
23:59 < albech> Hi all.. I have 2 different kinds of users accessing my VPN system admins and users and wish to create different firewall rules for these two groups. Would it be best practice to run two instances of openvpn or assign a ccd to the system admins with their own IP number and create firewall rules around that?
--- Day changed Wed Nov 29 2017
00:24 <@ordex> albech: I think it depends on you. two instances look more like a sane splitting of the networks
00:24 <@ordex> so each group has its own network and interface, probably easier to handle
00:24 <@ordex> especially with big groups
00:25 <@ordex> but it depends on your requirements mostly
00:25 < albech> ordex: so there is really no security issue in running them on the same openvpn server and splitting the admins out with ccd.. its less than 10 admins
00:26 < albech> in the past it was done with ccd, but now that we are rebuilding the vpn we might as well do it the 'right' way.
00:26 <@ordex> albech: well, same instance mean they share the same interface
00:27 < albech> sure
00:27 <@ordex> although it might be ok
00:27 <@ordex> having two instances also mean that if by accident one instance gets abused, the other might remain unaffected
00:27 < albech> they could also run same interface on different instances of openvpn
00:27 <@ordex> but this is just my opinion. I am not sure there is any "best practice"
00:27 <@ordex> and with ccd you need 1 ccd per admin, no?
00:27 <@ordex> while with one instance you don't need to care
00:27 < albech> yes 1 ccd per admin
00:28 < albech> im leaning towards running the admin vpn on another port and not having to worry about ccd at all
00:29 <@ordex> exactly, that was my thought
00:29 <@ordex> I find it cleaner and easier to maintain
00:29 <@ordex> you can't "forget" to enable a rule or something similar
00:29 < albech> ordex: exactly
00:30 < albech> ordex: thanks for the input. cheers
00:30 <@ordex> np
00:37 < gecko_x2> hello. I run a simple openvpn client on windows, and when connected to a remote vpn server, i can access LAN devices on 192.168.1.0/24. But i can't access devices on another LAN, 192.168.2.0/24. What is the correct way to tell the client not to route 192.168.2.0/24 over vpn? thanks
00:38 < hyper_ch> !serverlan
00:38 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
00:39 < hyper_ch> also, how are we supposed to know what your neworks are if you just describe them as "lan"
00:41 < gecko_x2> lemme try to explain better: windows client behind pfsense, gets DHCP ip 192.168.1.100. pfsense gw is 192.168.1.1. openvpn client running on the windows computer connects to external openvpn server for internet access. everything works. i can surf the net, and i can ping and access computers on the LAN which is 192.168.1.0/24
00:42 < gecko_x2> but i can't access devices on another pfsense interface, which is 192.168.2.0/24
00:42 < gecko_x2> so for ex i can't ping 192.168.2.1, it tries to access that through the vpn connection
00:42 < hyper_ch> I still not getting it
00:42 < hyper_ch> and having two lans using same subnet sounds troublesome
00:43 < gecko_x2> how can i make traffic intended for 192.168.2.1 not go through openvpn?
00:43 < gecko_x2> no it's not the same subnet
00:43 < gecko_x2> it's just another interface on pfsense
00:43 < gecko_x2> OPT1
00:43 < albech> gecko_x2: can the two lans see eachother through your router at all?
00:43 < vectr0n> you would need to add a static route and gw, then you can click advanced in the rule and select a gw to push it out
00:44 < gecko_x2> look there's a server running on 192.168.2.1
00:44 < gecko_x2> but when connected to VPN for internet surfing
00:44 < gecko_x2> it will try to access 192.168.2.1 through the vpn
00:45 < gecko_x2> i need it to bypass the vpn connection, just as it does for 192.168.1.1
00:45 < vectr0n> i just told you how :P been using pfsense for a long time
00:45 < vectr0n> you probably get better help in #pfsense imo
00:45 < gecko_x2> i don't want to change anything in pfsense
00:46 < vectr0n> why do people always complicate the simple things? :P
00:46 < gecko_x2> i need the client to stop routing traffic for 192.168.2.0/24 through the vpn when connected
00:46 < gecko_x2> can't be that hard?
00:46 < gecko_x2> 192.168.1.0/24 works fine
00:46 < albech> gecko_x2: then set a static route on your windows machine
00:46 < gecko_x2> nothing i can add to the config?
00:46 < gecko_x2> in openvpn?
00:47 < gecko_x2> in android client i have the option to 'bypass vpn for LAN'
00:48 < gecko_x2> i'd like to enable that for my windows openvpn client
00:49 < gecko_x2> sry for noob Q, but i just don't have time to research this right now
00:50 < gecko_x2> !route
00:50 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
00:51 < gecko_x2> !clientlan
00:51 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route
00:51 <@vpnHelper> for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
00:51 < gecko_x2> lol..
00:52 < gecko_x2> i tried adding 'route add 192.168.2.0/24 gw 192.168.1.142' to the config file
00:52 < gecko_x2> .142 is the windows client
00:52 < gecko_x2> no joy
00:53 < albech> gecko_x2: you cant solve it like that.. do what vectr0n told you.
00:53 < gecko_x2> ok, thx.
02:11 < nbastin> anyone around to revisit any guidance on dealing with idle tunnels?  :-)
02:47 < krzyzaq> hello all
04:00 < mitescugd> When deploying an ovpn, how important is the buff/cache memory for the performance of the vpn? Could it be a bottleneck?
05:03 -!- abenz__ is now known as abenz
10:16 < einveru> i am having a bit of trouble with openvpn and localhost on Arch/i3. I setup openvpn using a third party service, and this connects and works proper. But, i cannot connect to localhost when connected. When i disconnect from the VPN, i am still unable to connect to localhost as i did before. Attempting reboot did not fix issue. Is there a service i need to restart with systemd, or a configuration i need to
10:16 < einveru> 10:15 <einveru> edit? Or, is there a way to get back to default network configuration as it seems openvpn did some tweaking?
11:13 < b00kworm> einveru: don't route localhost over the vpn then... Check the config
14:37 < adac> On one of my server the openvpn deamon does not create the tun0 interface
16:56 < easzero> hi
16:57 < easzero> i am using a vpn service (octane vpn under linux), but some sites that read your IP and reveal it to you show me my original country and city and not my fake country/city, why could that be?
17:03 <@dazo> easzero: try the same test you do with a 100% clean browser profile (create a new one)
17:04 <@dazo> might be cookies and browser fingerprinting betraying you
17:18 < nbastin> mmm...now I want cookies
20:35 < jerichowasahoax> I have a script that automatically launches OpenVPN GUI and connects. If I run it while the GUI is already running, I get an error message. Can I instead tell that existing process to reconnect somehow?
20:35 < jerichowasahoax> Via a command line switch or something?
--- Day changed Thu Nov 30 2017
01:44 -!- pekster [~rewt@openvpn/community/developer/pekster] has quit [Ping timeout: 240 seconds]
01:45 -!- pekster [~rewt@openvpn/community/developer/pekster] has joined #openvpn
04:27 < applejack> so, i've been trying everything under the sun to get this to work, but to no avail.
04:27 < applejack> would any of you guys be kind and have a look at this, see if i've missed something obvious?
04:27 < applejack> https://bpaste.net/show/204f69334a3e
04:45 < applejack> never mind, found it, lol
05:24 < master_pink_> Good day oh great gurus :) I would like to ask some help with compression. Is LZO the only choice I have? Can I get higher compression, I don't care about cpu overhead
05:32 < master_pink_> I was not able to find anything meaningful in the interwebs. Apparently gzip and zlib are available but I do not know how to get openvpn to use them. Is there a way to have openvpn list the available compression algos?
05:39 < master_pink_> !welcome
05:39 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
05:39 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
05:39 <@vpnHelper> you
05:40 < master_pink_> !goal compression
05:44 < master_pink_> !goal I would like to increase compression ratio of my traffic
06:09 -!- albech1 is now known as albech
06:13 <@ordex> master_pink_: you can also use lz4 on recent versions of openvpn
06:21 < master_pink_> How much better is it? I didn't really notice any difference
06:22 < Kryczek> LZ4 is for high speed, not high compression ratio
06:22 < Kryczek> Yann Collet, the inventor, then created another one called Zstd for that
06:22 < Kryczek> and it's now being used in Tor for example
06:23 < master_pink_> Is it built into the openvpn?
06:24 < master_pink_> If install the library, how do I get openvpn to use it?
06:25 < Kryczek> maybe with this: https://github.com/jcadduono/compat-zstd
06:25 <@vpnHelper> Title: GitHub - jcadduono/compat-zstd: Zstandard compression library - OpenVPN compatibility submodule (at github.com)
06:25 < Kryczek> but I don't see OpenVPN support anywhere other than in the title...
06:26 < Kryczek> maybe it was just someone starting a project and giving up
06:26 < Kryczek> master_pink_: you could code it into OpenVPN and then we can all benefit :)
06:29 < master_pink_> Haha, I wish, I'm no coder :(
06:30 < master_pink_> So in order for openvpn to use a compression algorythm it must be coded into it?
06:33 <@ordex> yes, openvpn must be "instructed" about how to use it
06:35 < master_pink_> is there a way to find out which compression algos openvpn is able to use?
06:41 <@ordex> lzo and lz4 as of now
06:43 < master_pink_> I see. I will try the lz4-v2 compression. Now if I do decide to try and code that into openvpn, where would I start?
07:01 < master_pink_> Well, thank you guy :) Now I know that it's not my searching skills that are lacking
07:01 < master_pink_> guys*
09:03 < Furai> !welcome
09:03 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
09:03 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
09:07 < Furai> https://www.linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server#disable-ipv6 < quick question, how true is that? Author claims that using IPv6 with openvpn isn't secure.
09:07 <@vpnHelper> Title: Set up a Hardened OpenVPN Server on Debian 9 (at www.linode.com)
09:07 <@ordex> Furai: where does it say so ?
09:08 < Furai> Oh, wait.
09:08 < Furai> https://www.linode.com/docs/networking/vpn/tunnel-your-internet-traffic-through-an-openvpn-server#append-networking-rules
09:08 <@vpnHelper> Title: Tunnel Your Internet Traffic Through an OpenVPN Server (at www.linode.com)
09:09 < Furai> Ok, might have twisted words about not being secure...my bad.
09:09 <@ordex> btw
09:09 <@ordex> IPv6 was disabled since OpenVPN doesn’t support using both transport layers simultaneously << this is not true on the server
09:09 <@ordex> it can listen on a socket that is able to receive connections from both ipv4 and ipv6
09:09 < Furai> Ok, that's what I wanted to figure out.
09:10 < Furai> And what about that "leak" claim?
09:10 <@ordex> I don't know what it really means on a server. normally that is something you'd worry about on a client
09:11 <@ordex> because you want to be sure all the traffic goes through the vpn. so if you don't use ipv6 it might be "easier" to disable it and prevent leakage (there are also other ways to achieve the same)(
09:11 < Furai> Mhm, so if I'll be for example just connecting to the server socket via ipv4 and I'd like use server as well to tunnel it to IPv6 it all should be good?
09:11 <@ordex> tunnel it to ipv6 ? you mean provide ipv6 to the client?
09:11 < Furai> I actually want to have tunnelled IPv6 connection, especially that my ISP doesn't provide me with it.
09:12 < Furai> Yeah, that's what I meant
09:12 <@ordex> yeah, then the server definitely needs ipv6 :P
09:12 <@ordex> (and the client too, of course)
09:12 < Furai> I know, I was just scared of what was written in that guide.
09:12 <@ordex> well, it simply says "if you don't know what you are doing, just disable ipv6 because you won't need it"
09:12 <@ordex> but in this case you need it and you have a reason for it
09:13 < Furai> So wait, is it possible to connect to the server via IPv4 and then use IPv6 on the VPN?
09:13 <@ordex> that was just a very semplicistic (and inaccurate) way of dealing with the non-need of ipv6
09:13 < MacGyver> (Considering it's 2017, that advice may require some updating soonish.)
09:13 <@ordex> sure
09:13 <@ordex> MacGyver: agreed
09:13 <@ordex> Furai: sure, transport and tunnel are two separate things
09:14 < Furai> Considering IPv6 was a thing for quite a while...all websites I host support IPv6 in some way.
09:14 < Furai> Mkey, I guess I need to read more about this stuff. So transport will be what I'm looking for?
09:14 <@ordex> transport is the layer used to connect to the VPN server
09:15 <@ordex> so basically your native tcp/ip layer
09:15 <@ordex> the tunnel is the tun0 interface with whatever you configure on top
09:15 < Furai> Oh, ok. Gotcha. Thanks for clarifying. :)
09:15 <@ordex> np
09:16 < Furai> And thanks for taking your time to answer my questions. :)
09:16 < Furai> I guess all the rest is up to me RTFM.
09:16 < MacGyver> (And if you have IPv4-connectivity to the internet, disabling IPv6 *on the external interface* is actually a valid way to ensure you don't leak v6-traffic)
09:17 < Furai> on the external interface?
09:17 < MacGyver> The real one that's not the virtual tun/tap interface.
09:18 < Furai> And what if my ISP doesn't provide me at all with IPv6 and I have it only on my server?
09:18 < MacGyver> Then it's one way of enabling IPv6-connectivity for your home network.
09:19 < Furai> I'm sorry if I'm asking some ridiculous questions, I'm new to it and I don't like doing stuff without researching and understanding beforehand
09:20 < Furai> So to clarify "external interface" you have mentioned is one one the server or on the client?
09:20 <@ordex> Furai: it depends on the interface type, but some of them will still generate link-local ipv6 traffic, even though your ISP does not provide you with a public IPv6
09:21 < Furai> Ok, so whole that leaking is about vpn routes catching some of my traffic which was mentioned for my external ipv6 traffic and actually going through vpn when not meant to?
09:21 <@ordex> I guess he meant on the client. so that you are sure that no ipv6 traffic will go out of the 'external interface'
09:23 <@ordex> leaking is normally the other way around
09:23 <@ordex> you want all the traffic to go through the vpn, but you leak some out of the external interface
09:23 <@ordex> this normally happens with ipv6 when your VPN does NOT provide any ipv6 route and therefore any ipv6 traffic will just go out through your uplink
09:23 <@ordex> thus leaking
09:24 < Furai> Ok, makes sense.
09:24 < Furai> Thanks again, ordex MacGyver
09:25 <@ordex> np
09:56 < gkwhc> hey guys, is openvpn free or not free? i see that there is pricing/license fee which im really confused
09:56 < skyroveRR> The software is free, but the VPN service provider is not, gkwhc :)
09:58 < gkwhc> skyroveRR: oh as in, if i were to download the software and host it on my server for my company, it is free? but if i were to use their service, itd be paid?
09:58 < skyroveRR> You got it right :)
09:59 < gkwhc> cool
09:59 < gkwhc> im debating whether i should use openvpn or windows sstp vpn
10:13 < easzero> hey, i have a octaneVPN account and use it with Openvpn under linux mint 18.3. When i use vpn and download from usenet the speed is good. but when I download from the internet the speed can be very low (max 400KB/s). Whats the reason?
10:16 < DArqueBishop> !paidvpn
10:16 <@vpnHelper> "paidvpn" is We are very reluctant to help you if you use a (commerical) VPN provider since we do not want to be their unpaid support team. See also !both
10:22 < easzero> ok
10:25 < gkwhc> so im trying to set up openVPN. the guide says to generate keys for each client. if i have 10 machines thatd connect to the server, do all these need to be genereated individually, each? or can they use the same?
10:25 < hyper_ch> !howto
10:25 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
10:25 < gkwhc> hyper_ch: yes im following that right now
10:26 < hyper_ch> make seperate cert for each machine
10:26 < gkwhc> thats quite tedious! what do people do in enterprise deployment?
10:26 < hyper_ch> they automate it
10:27 < hyper_ch> there's also other ways... but if you're starting, just generate the certs ;)
10:27 < gkwhc> okay
10:27 < hyper_ch> btw, for the cert generation I would follow this:  https://community.openvpn.net/openvpn/wiki/EasyRSA3-Insecure-PKI
10:27 <@vpnHelper> Title: EasyRSA3-Insecure-PKI – OpenVPN Community (at community.openvpn.net)
10:28 < gkwhc> i was trying to get SSTP VPN to work. would you happen to know about that?
10:28 < hyper_ch> and at step 7, I'd also add the "nopass" option
10:28 < hyper_ch> I have no idea what sstp vpn is
10:29 < gkwhc> whats nopass?
10:30 < hyper_ch> gkwhc: see the link above for generating certs all on the CA
10:30 < hyper_ch> the nopass will just not ask for a password when the cert is used
10:30 < hyper_ch> it is added in step 4 for the server
10:30 < hyper_ch> but I think it's also good for client in step 7
10:30 < hyper_ch> but that's my opinion
13:03 < gkwhc> hey guys, im having alot of trouble with vpn setup. it says it could not determine ipv4 protocol and socket bind failed on loal address: 443. any ideas?
13:13 < DArqueBishop> gkwhc:
13:13 < DArqueBishop> !configs
13:13 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:13 < DArqueBishop> !logs
13:13 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
13:14 < DArqueBishop> Also, if you're going to put the VPN server on tcp/443, you're best making sure there isn't a web server installed already using that port, like Apache, nginx, or (if in Windows) IIS.
13:16 < gkwhc> ahhh good point DArqueBishop
13:17 < gkwhc> DArqueBishop: upon connecting to vpn, can the server push DNS configuration to the client?
13:17 < DArqueBishop> Sure.
13:17 < DArqueBishop> !pushdns
13:17 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like
13:17 <@vpnHelper> OpenVPN for Android and OpenVPN Connect will happily accept push dhcp-option
13:18 < gkwhc> oh cool
13:21 < gkwhc> hmm maybe i have some config issues
13:21 < gkwhc> the server sits on 192.168.0.5, which is the network that clients are supposed to be on too
13:22 < gkwhc> but has ip of 10.8.xx
13:23 < gkwhc> so can i set all to 192.168.0.x?
13:24 < DArqueBishop> That sounds normal. 10.8.0.0/24 is the typical "example" subnet given to the VPN. A VPN server in routing mode will have at least two IP addresses: in addition to the ones for the physical network adapters, there'll be one for the VPN subnet.
13:24 < DArqueBishop> gkwhc: in routed mode? No. It's possible in bridged mode, but unless you have a very specific need for bridging, you don't want to do that.
13:24 < gkwhc> so once connected, how can clients access the network thats on 192.168.0.x?
13:25 < DArqueBishop> !serverlan
13:25 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
13:25 < DArqueBishop> At this point, I feel it's prudent to point you to the HOWTO.
13:25 < DArqueBishop> !howto
13:25 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
13:25 < gkwhc> yes ive quickly scanned over that to get things up and running
13:32 < gkwhc> DArqueBishop: i mean, im able to connect to the vpn server but it is not able to ping the vpn server using the 10.x.x.x address
13:40 < gkwhc> DArqueBishop: any ideas?
13:41 < DArqueBishop> Again:
13:41 < DArqueBishop> !configs
13:41 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:41 < DArqueBishop> !logs
13:41 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
13:43 < rob0> connected, but can't ping across the VPN?  Sounds like the /topic wins another one.
13:45 < henti> I'm having some issues getting verify-x509-name '<DN here' subject working. Do I just use the subject from the output of "openssl x509 -in server.crt -subject" for the DN ?
13:46 < henti> !welcome
13:46 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
13:46 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
13:47 < henti> !goal verify x509 name
13:48 < rob0> the bot did not understand that
13:49 < rob0> the bot can only give you factoids that already exist
13:50 < henti> !goal verify server certificate
13:53 < gkwhc> DArqueBishop: https://pastebin.com/K8cEhDuk
13:54 < henti> gkwhc: ip forwarding enabled on that server ?
13:55 < gkwhc> henti: to forward vpn subnet to remote network?
13:56 < DArqueBishop> !winipforward
13:56 <@vpnHelper> "winipforward" is (#1) reboot after enabling it, or (#2) https://support.microsoft.com/EN-US/kb/230082 to enable ip forwarding on windows
13:57 < gkwhc> whats the use of ip forwarding in this case?
13:58 < henti> gkwhc: to forward ip packets between interfaces?
14:00 < gkwhc> henti: vpn server sits at 192.168.253.1 and client is connected at 253.6. however client cannot ping the server at 253.1
14:02 < gkwhc> not sure what the problem is
14:02 < henti> http://www.ircpimps.org/serverlan.png
14:02 < henti> !serverlan
14:02 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
14:03 < gkwhc> i see that the default gateway on that interface is blank
14:03 < gkwhc> perhaps this is also why?
14:04 < henti> possibly.
14:05 < henti> I fixed my problem which was the same as yours.
14:06 < henti> Can anybody help me with verify-x509-name '<DN string here>' subject . I get the following error : https://hastebin.com/yiyebugufa.txt
14:06 <@vpnHelper> Title: hastebin (at hastebin.com)
14:08 < henti> This si connecting with viscosity on windows.
14:08 < gkwhc> henti: but my server isnt behind a lan. its on a lan?
14:09 < henti> gkwhc: will you need to route traffic from the VPN onto any server on the LAN ?
14:10 < gkwhc> henti: the goal is so that i can vpn into the "work" network and remote desktop into machines
14:10 < gkwhc> but without forwarding set up i should be able to ping the server vpn ip. but i CANT
14:10 < henti> then the VPN server wil need to pass traffic between the tunnel interface and the LAN interface... to do that .. it will need to forward IP packets between interfaces .. which it can only do if you have ip forwarding enabled.
14:12 < gkwhc> henti: right. but even without forwarding i should be able to ping the server vpn ip address
14:12 < gkwhc> no?
14:12 < gkwhc> they are afterall on the same network
14:15 < henti> I have no idea about the technical. I can just tell you that with my setup, without ip forwarding, I could connect to vpn but not ping the ip of the vpn server, but once I enabled ip forwarding, I could.
14:18 < henti> DArqueBishop sent me the link I gave you.
14:18 < henti> use it, don't use it.
16:52 < GrandPa-G> I am trying to run client on raspberry pi and server on ubuntu. I have both starting ok, but can't ping. Trying to do a basic configuration.
16:52 < GrandPa-G> On client I get an error at startup that I don't know if it matters: RTNETLINK answers: File exists
16:52 < GrandPa-G> Thu Nov 30 15:48:44 2017 ERROR: Linux route add command failed: external program exited with error status: 2
17:11 < Kryczek> GrandPa-G: the RTNETLINK error often does not matter, it's usually a leftover from a previous test that did not fully clean up
17:12 < Kryczek> GrandPa-G: `apt-get install wireshark` where you have a graphical environment and `apt-get install tcpdump` on the others
17:13 < Kryczek> it really helps to see what is going on in the network
17:13 < Kryczek> or not going on
17:15 < Kryczek> for example if you're pinging but do not see ICMP Echo Request lines (highlighted in purple in Wireshark) appearing on the OpenVPN interface (probably called something like "tun0" unless you gave it a fixed name) on the sender side then it means they are not even trying to get through the VPN link
17:16 < Kryczek> with Wireshark you can just click on the interface(s) of interest, and with tcpdump you can launch it with `sudo tcpdump -i tun0` for example
17:16 < Kryczek> with Ctrl+c to stop
17:16 < GrandPa-G> you aren't supposed to be here
17:17 < Kryczek> haha yeah I was just leaving :) good luck!
17:22 < |Mike|> GrandPa-G: are you running openvpn as root?
17:22 < GrandPa-G> |Mike|:yes
17:28 < |Mike|> GrandPa-G: can you show me your configs?
17:29 < |Mike|> and another q; are you pushing these routes?
17:29 < |Mike|> push "route 10.8.0.1 255.255.255.255"
17:29 < |Mike|> push "route 10.8.0.0 255.255.255.0"
17:29 < GrandPa-G> no pushes.
17:31 < GrandPa-G> server https://pastebin.com/hxCxzDXN
17:32 < |Mike|> !configs
17:32 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
17:32 < |Mike|> mind the grep -vE ...
17:34 < GrandPa-G> sorry, am cleaning up my act now.
17:35 < GrandPa-G> client https://pastebin.com/gf16vcGM is raspberry pi Jessie OS latest ovpn version.
17:38 < GrandPa-G> server https://pastebin.com/g8KXSVVg Ubuntu 16. server. latest ovpn version All on local net should not be any firewalls (but I will recheck) I see what looks like packet log entries on both sides.
17:40 < |Mike|> cipher and auth are double btw GrandPa-G
17:40 < GrandPa-G> thanks, too many comments.
17:41 < |Mike|> begin and end of <cert> tags are correctly as well?
17:43 < GrandPa-G> I believe so. This was all generated for me.
17:45 < |Mike|> by?
17:46 < GrandPa-G> I followed directions on this website https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
17:46 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
17:53 < |Mike|> what does 'ip route | grep default'
17:53 < |Mike|> show?
17:58 < GrandPa-G> default via 192.168.0.1 dev enp0s25 onlink
17:59 < GrandPa-G> you are very patient with and I appreciate it.
18:04 < GrandPa-G> I see lines like this on the server side and similar on client Thu Nov 30 17:04:34 2017 us=432304 0666965C/192.168.0.125:50194 UDPv4 WRITE [81] to [AF_INET]192.168.0.125:50194: P_DATA_V1 kid=0 DATA len=80
18:05 < |Mike|> could you paste a partial log on pastebin?
18:06 < GrandPa-G> what part would you like? Where it starts up? I have level 6 on.
18:06 < |Mike|> yes and where the client connects
18:06 < |Mike|> can you ping 10.8.0.1 from the client?
18:06 < |Mike|> and ping 10.8.0.6 (client itself)
18:07 < GrandPa-G> no to 10.8.0.1.
18:07 < GrandPa-G> yes to 10.8.0.6 at client
18:08 < |Mike|> did you add iptables ? :-)
18:09 < GrandPa-G> here is log https://pastebin.com/yMRnthBz
18:09 < GrandPa-G> yes to iptables. Of course I could have made a mistake somewhere.
18:12 < |Mike|> did you blindly copy paste the UFW rules from the tut?
18:13 < GrandPa-G> yes except for eth name.
18:15 < |Mike|> did you enable the ufw rules?
18:19 < GrandPa-G> yes
18:20 < GrandPa-G> maybe no.
18:21 < GrandPa-G> re disabled, enabled. still no ping.
18:23 < GrandPa-G> I had it working earlier today with totally different (simple config). Tomorrow I think I will try to reconstruct what I did. I know I didn't do anything with firewall then.
18:27 < GrandPa-G> I just restart client. Now pings go from client to server. Also ssh works client. But so far not the sever to client. Progress.
18:28 < GrandPa-G> enough for today. thanks
18:28 < |Mike|> youll need client-to-client for that
18:29 < |Mike|> I better go to sleep. 01:28 AM here :-o
20:20 -!- NightMonkey_ is now known as NightMonkey
20:22 -!- Aichan_ is now known as Aichan
21:35 < ullbeking> heyyy all, i find the documentation on the website comprehensive but a bit disorganized.  is there any up to date book that is particularly recommended?
21:35 <@ordex> !books
21:36 <@ordex> !book
21:36 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
21:36 < ullbeking> ty ordex
21:36 <@ordex> np
21:36 < ullbeking> you rock
21:45 -!- dvl_ is now known as dvl
23:02 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 240 seconds]
23:04 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
23:04 -!- mode/#openvpn [+o dazo] by ChanServ
--- Day changed Fri Dec 01 2017
02:31 -!- aykut_ is now known as aykut
02:50 < mojtaba> Hello, I have installed openvpn and stunnel. I am running openvpn through cmd. I am seeing "Initialization Sequence Completed" as the last statement, and I can connect to my local network. But I cannot open websites like youtube.com. Do you know how can I check what could be wrong?
03:05 <@ordex> mojtaba: are you redirecting all your traffic to the vpn server ?
03:06 < mojtaba> ordex: yes
03:06 < mojtaba> ordex: through stunnel
03:06 <@ordex> mojtaba: can you ping any public IP address?
03:06 <@ordex> which means: is your server routing packet to the internet properly?
03:07 < mojtaba> ordex: yes, at least that's what I think.
03:07 <@ordex> mojtaba: well just try to ping and see what happens :)
03:07 <@ordex> like ping 8.8.8.8
03:07 < mojtaba> 64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=399 ms
03:12 < mojtaba> ordex: any idea?
03:13 <@ordex> can you also ping hostname ?
03:13 <@ordex> *hostnames
03:13 < mojtaba> you mean google?
03:14 < mojtaba> ordex: I can ping google.com
03:14 < mojtaba> But I cannot ping youtube.com or its ip address.
03:17 <@ordex> maybe there is some block towards that server ?
03:17 <@ordex> can you reach youtube.com from the VPN server directly?
03:18 < mojtaba> ordex: yes, but what I am saying is that, because of stunnel, it should be like that
03:18 < mojtaba> yes
03:18 <@ordex> stunnel does not really make any difference here, that's just at the transport level
03:18 <@ordex> so if you are on the server you can ping youtube.com and it works ?
03:19 < mojtaba> ordex: But I thought it hides the vpn traffic.
03:19 < mojtaba> ordex: yes
03:19 <@ordex> sure, but again: at the transport level
03:19 < mojtaba> So, at what level filtering happens?
03:20 <@ordex> what filtering?
03:21 < mojtaba> youtube is filtered here.
03:21 < mojtaba> My server is in Canada and I am in Iran.
03:21 <@ordex> mojtaba: can you make sure the traffic to youtube is going to the server and not directly to the internet ?
03:22 < mojtaba> ordex: using traceroute?
03:23 <@ordex> that's one way
03:23 <@ordex> yeah
03:24 <@ordex> or also using tcpdump on the server
03:24 < mojtaba> ordex: It is going through my vpn server. http://paste.ubuntu.com/26087878/
03:25 <@ordex> uhm
03:25 <@ordex> mojtaba: that IP does not look like the youtube ip
03:25 <@ordex> are you still using your ISP DNS?
03:25 <@ordex> maybe they are returning a fake IP as part of the filtering
03:25 < mojtaba> ordex: which ip?
03:25 <@ordex> the ip you are tracing
03:26 <@ordex> youtube.com (10.10.34.34)
03:26 < mojtaba> ordex: I see.
03:26 <@ordex> that is a private IP, not youtube's
03:26 < mojtaba> So what should I do?
03:26 <@ordex> change DNS might be an idea
03:26 <@ordex> you could use some public dns, then the dns traffic should also go through the vpn
03:27 < mojtaba> I am using google and openvpn dns servers
03:27 < mojtaba> ordex: These are in my server.conf file
03:27 < mojtaba> push "dhcp-option DNS 10.8.0.1"
03:27 < mojtaba> push "dhcp-option DNS 208.67.222.222"
03:27 < mojtaba> push "dhcp-option DNS 208.67.220.220"
03:27 < mojtaba> push "dhcp-option DNS 8.8.8.8"
03:28 <@ordex> 10.8.0.1 << is this the vpn server ?
03:28 < mojtaba> The first one is my vpn server, the next two are openvpn servers, and the last one is for google.
03:28 < mojtaba> Yes
03:28 <@ordex> the next two are openvpn servers << you meant opendns I think ?
03:28 < mojtaba> My bad, yes
03:28 <@ordex> mojtaba: dunno, maybe your client is actually appending them and thus still using the local DNS first ?
03:29 <@ordex> is your client a linux host ?
03:29 < mojtaba> ordex: My client is ubuntu and I am connecting using command line.
03:29 < mojtaba> how can I check that?
03:30 <@ordex> no sure if ubuntu is providing any script for updating the DNS settings ... but I guess that everything still goes in /etc/resolv.conf
03:30 <@ordex> can you check that file ?
03:30 < mojtaba> sure
03:30 < mojtaba> ordex: nameserver 127.0.1.1
03:31 <@ordex> ah you are running some dnscache/proxy then, I guess?
03:31 <@ordex> like dnsmasq?
03:31 < mojtaba> ordex: I am not sure
03:31 <@ordex> "ps aux |grep dnsmasq" says anything useful ?
03:31 <@ordex> mojtaba: btw the problem is there. it is not openvpn per se, but the dns you are using to resolve the hostnames
03:32 <@ordex> you could also override that and replace 127.0.0.1 with 8.8.8.8 (but somebody will probably override that again later)
03:32 < mojtaba> http://paste.ubuntu.com/26087915/
03:34 < mojtaba> ordex: I thought those push statements in the server will handle the dns issue.
03:35 <@ordex> I think it depend show they are handled
03:35 <@ordex> *Depends
03:35 <@ordex> and honestly I am not expert of ubuntu
03:35 <@ordex> so I don't really know what it does with them
03:36 <@ordex> as I said, if you want to workaround the issue for now, you could stop dnsmasq and set the DNS manually in resolv.conf
03:37 < mojtaba> ordex: I am not sure if any other program depends on dnsmasq
03:37 < mojtaba> But I will read more about dnsmasq
03:37 < mojtaba> thanks for the info.
03:37 <@ordex> well, maybe you can find something specific about dns+openvpn+dnsmasq+ubuntu
03:37 < mojtaba> Do you know what should I ask in the ubuntu channel?
03:37 <@ordex> np
03:38 <@ordex> well, you can ask about the specific case: if there is anything special you need to tweak in openvpn to make it work with dnsmasq on ubuntu
03:38 <@ordex> in a way that does not interfere with the rest
03:40 < mojtaba> ordex: thanks
03:40 <@ordex> np
03:41 < eagle_> Hi guys, I want to VPN setup, where i can connect to certain service [both CLI/GUI] only if i  m logged in to the VPN network. How can I achieve this via OpenVPN ?
03:43 < Kryczek> eagle_: make them reachable only inside the VPN :) i.e. either make them listen specifically on the VPN IP, or configure the firewall to only allow connections on those ports from inside the VPN interface
03:47 < eagle_> Kryczek: Thanks! I also want only certain service to be router to the specific VPN network. Not all the traffic originating from my system.
03:48 < Kryczek> ah, that's very different
03:48 < eagle_> i.e. google.com via normal network, my personal site only via my custom setup VPN
03:49 < mojtaba> ordex: It seems it is a bug https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1636395
03:49 <@vpnHelper> Title: Bug #1636395 “dnsmasq not working with OpenVPN” : Bugs : dnsmasq package : Ubuntu (at bugs.launchpad.net)
03:50 <@ordex> yeah
03:55 < eagle_> Kryczek: Any suggestions ?
03:59 < Kryczek> eagle_: https://www.evolware.org/?p=369
03:59 <@vpnHelper> Title: Per process routing take 2: using cgroups, iptables and policy routing | Evolware (at www.evolware.org)
04:18 < eagle_> Kryczek: Any suggestions ?
04:32 < Kryczek> eagle_: https://www.evolware.org/?p=369
04:32 <@vpnHelper> Title: Per process routing take 2: using cgroups, iptables and policy routing | Evolware (at www.evolware.org)
04:32 < Kryczek> sigh
04:32 < Kryczek> eagle_: https://www.evolware.org/?p=369
04:32 <@vpnHelper> Title: Per process routing take 2: using cgroups, iptables and policy routing | Evolware (at www.evolware.org)
06:11 < mojtaba> Hello, I have added down /etc/openvpn/update-resolv-conf to my client config file; But the problem is that, when I disconnect the client it does not update the resolve.conf file.
06:11 < mojtaba> Do you know what should I do, or what could be wrong?
06:11 < mojtaba> I have also down-pre after that line.
06:40 < henti> !goal I would like to verify my server certificate
06:43 < henti> :(
07:19 < hyper_ch> verify? how?
07:23 < |Mike|> by connecting?
07:28 < hyper_ch> dazo: ecrist: krzie: ordex: https://www.theregister.co.uk/2017/12/01/system76_bans_bugridden_intel_management_engine/
07:28 <@vpnHelper> Title: Linux laptop-flinger says bye-bye to buggy Intel Management Engine • The Register (at www.theregister.co.uk)
07:29 <@ordex> somebody is reacting :)
07:30 < hyper_ch> the first ones from what I know
11:51 < _FBi> !vulninfo
11:51 <@vpnHelper> "vulninfo" is (#1) See these factoids for more info about specific vulnerabilities: !heartbleed !poodle !ovpnuke !sweet32 !duhk, or (#2) See here for all security announcements: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
11:52 < _FBi> !duhk
11:52 <@vpnHelper> "duhk" is OpenVPN is not vulnerable to DUHK. It does not use any hard coded keys, neither OpenSSL nor mbed TLS touches the broken ANSI X9.31 algorithm and both libraries does re-seeding on regular intervals. More details on DUHK: https://community.openvpn.net/openvpn/wiki/DUHKattack https://duhkattack.com/
11:52 < _FBi> Afternoon guys
12:11 -!- TheSilentLink_ is now known as TheSilentLink
14:08 <@ecrist> hyper_ch: at $work, we've been tracking these ME bugs for MONTHS
14:08 <@ecrist> I DON"T KNOW WHY I"M YELLING
14:09 <@ecrist> heh
14:09 <@ecrist> We found a bug in it late last year, and have been tracking things.  I can't say more than that.
14:22 < hyper_ch> ecrist: are you actually using ME to manager servers or do you consider it just a PITA?
14:26 < Davidian1024> Hello
14:28 -!- TheSilentLink is now known as TheSilentLink_
14:33 < Davidian1024> I'm trying to configure an OpenVPN server to push dhcp-option DNS with a remote DNS server IP back to the clients.  In the client logs I can see that the options I'm pushing are reaching the clients.  But they don't seem to be taking effect.  I see some mention of an external script that must be run on the Linux machine that's running the VPN client.  And it sounds like Windows is a different story.  Is there a universal method 
14:34 < DArqueBishop> Davidian1024: not really.
14:34 < DArqueBishop> !pushdns
14:34 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like
14:34 <@ecrist> hyper_ch: "burn it with fire"
14:34 <@vpnHelper> OpenVPN for Android and OpenVPN Connect will happily accept push dhcp-option
14:37 < Davidian1024> !pushdns
14:37 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like
14:37 <@vpnHelper> OpenVPN for Android and OpenVPN Connect will happily accept push dhcp-option
14:37 < Davidian1024> !windns
14:37 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
14:38 < Davidian1024> thanks DArqueBishop
16:28 < GrandPa-G> I want to manage a bunch (20) raspberry pi machines hanging on the internet. If I want one or two people, also on the internet, to be able to ssh into them, is openvpn a good tool. I am thinking everyone connects to my central server with openvpn server. Do I have a reasonable plan?
16:39 < Dixie_F> I have openvpn up on a ipf/ipnat (smartos box).  both it and the lan can access the net fine when openvpn is down.  When I bring up openvpn, the lan can see the internet fine but the gateway itself cannot.  It can see both subnets and the next physical gateway.  It cannot ping the vpn gateway although it is sending and natting traffic for the entire lan.  Any ping in the direction of the internet yields: ping: sendto Network is
16:39 < Dixie_F>  unreachable
16:39 < Dixie_F> Anyone have any suggestions
16:58 < KNERD> Dixie_F: sounds like a routing issue to me
17:00 < Dixie_F> If I change to a different ruleset for ipf it works fine.  Which would say it was an ipf issue except I copied all of the subnet rules for the working subnet..... and still no go
17:02 < Dixie_F> I mean the box gets everybody else's traffic and NATs it to itself then manages to ship it out the door.  but can't figure out what to do with it's own packages
17:04 < Dixie_F> I tried adding an interface route for tun0.  no change
17:06 < timdotrb> Afternoon, all. Is anyone aware of how to do split tunneling on a Chromebook? I have the VPN setup and working based on my ovpn file, but am not sure how to implement the split tunnel
17:06 < KNERD> you really not giving people much to go on as guessing all day long does not help
17:07 < KNERD> timdotrb: Chromebook has nothign to do with it, but the VPN setup
17:07 < Dixie_F> route get also shows it pointed the right way
17:08 < timdotrb> KNERD: I realize the Chromebook VPN config is completely separate from an OpenVPN config, but thought someone here might have run into the same issue
17:12 < KNERD> http://swimminginthought.com/routing-traffic-vpn/
17:12 <@vpnHelper> Title: Split Tunneling with OpenVPN (Routing some traffic out a VPN connection) (at swimminginthought.com)
17:13 < timdotrb> KNERD: Right, that is the OpenVPN config. The config for a Chromebook is different
17:15 < KNERD> it's all the same. I use the same config files for all my devices
17:15 < KNERD> windows, Android, Linux, etc
17:18 < timdotrb> KNERD: You can’t use an ovpn file on a Chromebook. You have to use an onc file
17:18 < timdotrb> KNERD: https://docs.google.com/document/d/18TU22gueH5OKYHZVJ5nXuqHnk2GN6nDvfu2Hbrb4YLE/pub
17:18 <@vpnHelper> Title: OpenVPN on ChromeOS Documentation (publish) (at docs.google.com)
17:20 < KNERD> Yes I see that now
17:20 < KNERD> https://github.com/CharlesErickT/oncgenerator
17:20 <@vpnHelper> Title: GitHub - CharlesErickT/oncgenerator: Web page to generate an ONC file that can be used to import an OpenVPN connection in ChromeOS (at github.com)
17:20 < timdotrb> KNERD: He did not account for a split tunnel configuration
17:22 < KNERD> while it seems OpenVPN has been getting a lot more users, their help base has been twindleling . The forum only hasa few posts from 2017, and mailing list seems to have stopped around 2008.
17:23 < KNERD> Maybe the Chromebook groups can help
17:23 < KNERD> or try again later today, or earlier tomorrow
17:23 < KNERD> here
17:28 < GrandPa-G> I noticed that I put 2 clients on my server. The first came out as 10.8.0.6 and second 10.8.0.10. How did I get a jump of 5? How do I prevent it?
17:28 < KNERD> give them a static IP
17:30 < GrandPa-G> is it just a bit random, like dhcp? I wondered if I put more on will the hole be filled at some time?
17:33 < GrandPa-G> Also, is there any way at the server I can tell some identifier from the client is which ip? like mac address or whatever?
17:33 < KNERD> i have no idea
17:34 < KNERD> of course..it has to know how to talk back to the client
17:34 < KNERD> it knows the IP address
17:35 < GrandPa-G> yes, but I want to know the ip address of a specific client from the server view
17:36 < KNERD> yes
17:36 < KNERD> it's in the OpenVPN status log
17:37 < GrandPa-G> thanks. I just found that as you typed. Just what I need.
17:41 -!- timdotrb_ is now known as timdotrb
17:44 < KNERD> Anyone know about this?  /sbin/route add -net 192.241.222.181 netmask 255.255.255.255 gw 192.168.1.1       W ERROR: Linux route add command failed: external program exited with error status: 255
17:48 < Exagone313> Hi, how can I set up NAT-ed IPv6 like with IPv4?  I only have _one_ IPv6 on my server.  I'm only finding guides for a block, it's not what I have.  Thanks for your help.
17:50 < Exagone313> Otherwise I would have to disable IPv6 :'(
17:56 < KNERD> seems all the ones who knwo the answers are not on righ tnow
18:34 < Dixie_F> KNERD ANY CHANCE THAT A 1 IP ROUTE SHOULD BE FLAGGED AS POINT TO POINT?
18:34 < Dixie_F> Sorry for the caps
18:36 -!- timdotrb_ is now known as timdotrb
18:36 < rob0> well, Linux net-tools including route(8) are woefully outdated; iproute2 (/sbin/ip) is the replacement
18:36 < rob0> and yeah, that looks odd to me, why -net with a /32?
18:36 < KNERD> Dixie_F: I really dont know
18:37 < Dixie_F> rob0: yeah good point
18:37 < Dixie_F> I'm on smartOS but it should be -host for me
18:41 < rob0> is that Linux or BSD?
18:43 < rob0> oh, Solaris
18:43 < rob0> so why did it say "Linux route add command ..."?
18:44 < Dixie_F> he said that.  I am commenting
18:44 < rob0> ah, that wasn't you
18:45 < Dixie_F> I was too lazy to spin up a linux instance to check man for him...
18:45 < Dixie_F> yeah
18:45 < rob0> <-- not fully paying attention
19:20 < Eugene> Hi, how are you?
19:21 < Eugene> Exagone313 - get a kernel with IPv6NAT(dumb), ask your providr for a routed /64 block, or find a less-dumb provider.
19:21 < Eugene> I like & shamelessly Linode for $5/mo shell boxes and such
19:26 -!- varesa is now known as varesa|
19:42 < Dixie_F> I figured out my problem but I am not sure what is causing it.  from the LAN my ip filter is creating a state and registering the source as being on the LAN. From the openvpn client it is seeing the packet as coming from the openvpn generated interface 10.x.x.x and failing to create a state.  The packet actually goes out fine but no return is accepted without a firewall state
--- Day changed Sat Dec 02 2017
03:33 -!- TheSilentLink_ is now known as TheSilentLink
05:56 < backtrack_> hello
05:56 < backtrack_> i have a problem
05:57 < backtrack_> tun interface keeps down even if a client is connected
05:57 < backtrack_> http://sprunge.us/DYeY
06:00 < backtrack_> http://sprunge.us/MBFX
06:06 < hyper_ch> dazo: ecrist: krzie: ordex:  remember MacOS simple root login? Well, seems Apple undid that patch with another patch... working with pros:  https://www.wired.com/story/macos-update-undoes-apple-root-bug-patch/
06:06 <@vpnHelper> Title: Apples MacOS High Sierra Update Reintroduces "Root" Bug For Some Users | WIRED (at www.wired.com)
06:06 <@ordex> lol
12:43 < GrandPa-G> I have client-client setup. Is there anyway to do something like a dns entry such that client1 can do a ping client2 instead of ping <client2 ip>? where client2 is the name of client2?
12:45 < rob0> sure, but it doesn't have much to do with openvpn.  Fortunately I have a writeup,
12:45 < rob0> !dnsmasq
12:45 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
12:50 < GrandPa-G> Since I have a fixed number of clients (~30), would it be easier to manipulate the linux openvpn host file? Like when a client connects via a script?
13:01 < rob0> fixed number of clients, sure, I'd list them in /etc/hosts
13:02 < GrandPa-G> rob0:other than making my own program, any simple programs to add/subtract entries?
13:03 < rob0> why not just static entries?  Keep this simple.
13:06 < GrandPa-G> just thinking of admin maintenance when we get new client. Happens very frequently but would like to do it as part of a backend admin website.
13:06 < GrandPa-G> do you happen to know when/if the server processes a client-disconnect script if the client just powers off without shutting down?
14:23 < MacGyver> No, it would not be easier to manipulate the linux openvpn hosts file.
14:23 < MacGyver> 30 is not a small number.
14:24 < MacGyver> Static entries, yes. But not /etc/hosts on each client pointing to the 29 other clients.
16:17 < backtrack_> hi
16:17 < backtrack_> something strange happens
16:18 < backtrack_> if i use tap as interface
16:18 < backtrack_> i can't reach hosts behind openvpn
16:18 < backtrack_> if ovpn is 10.0.0.0
16:18 < backtrack_> i can't reach 192.168.10.0
16:18 < backtrack_> which is the lan behind ovpn
16:18 < backtrack_> if i use tun, all works
17:08 < GrandPa-G> MacGyver:actually it is more like 3 that will connect this way to the other 27. I am just trying to find an easy way for one of the 3 to know what client 23's ip is so they can do a ssh into it.
17:49 -!- fractal is now known as Guest96194
22:11 -!- svm_invi_ is now known as svm_invictvs
--- Day changed Sun Dec 03 2017
03:14 < gh16ito> !goal
03:14 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:18 < gh16ito> I'm fairly certain this must be in a FAQ somewhere, but I'm failing to come up with the right search terms, hopefully someone can help.
03:18 < gh16ito> I'd like to be able to access computers on my LAN when connected through the VPN. Currently I think this is failing because the VPN clients are put on a different subnet than the LAN computers. Should I try and do some sort of bridge between the two subnets? Just reconfigure my VPN to start assigning IP addresses from the LAN subnet?
03:18 < gh16ito> Currently VPN clients are getting 10.0.x.x, LAN clients are getting 192.168.x.x
03:19 < gh16ito> I don't know the actual subnet masks offhand.
03:19 < hyper_ch> !serverlan
03:19 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
03:25 < gh16ito> !ipforward
03:25 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
03:26 < hyper_ch> or just make every computer in your lan also a client in the vpn
03:27 < gh16ito> That seems too complicated and unnecessary.
03:27 < gh16ito> I had this configured properly and seamlessly in the past.
03:27 < hyper_ch> I fidn that far simpler than the routing stuff
03:27 < gh16ito> You mean have every device on the LAN connect to the VPN?
03:28 < gh16ito> I'd rather just do it once than have to maintain all that.
03:29 < hyper_ch> yes... so much simpler IMHO
03:37 < mickmik> Hi
03:37 < gh16ito> I seem to have ip forwarding already enabled.
03:38 < gh16ito> !route_outside_openvpn
03:38 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
03:41 < mickmik> Hi, someone can help me with Emby server and PIA VPN ? I have PIA and EMBY server installed both on same PC. And obviously, when I start the VPN, my Emby server is unable to access from outside. (scuse for my english)
03:47 < mickmik> re
04:58 < apus> hi, i just read somewhere, that there is a design bottleneck that prevents openvpn from achieving gigabit speeds. is this something that is being worked on? can someone perhaps point me in the right direction, so that i can read up on it?
07:13 -!- xuumno is now known as Optimus_Prime
08:18 < redrabbit> its overhead
08:19 < redrabbit> maybe try different cyphers
08:19 < redrabbit> some are faster
08:19 < redrabbit> also, MTU, and other settings
08:21 < hyper_ch> use jumbo frames when on lan
12:41 < hyper_ch> due to a project I'll need to ride the train quite a bit next year. Anyone has recommendation for good headphones?
13:05 < str4nd> qc35
13:15 < hyper_ch> will have a look, thx
13:47 < diizzy> hyper_ch: depens on what you value
13:48 < diizzy> if you want nc, bose is one of the better ones... if you value sound quality I'd say Audio Technica by far
13:48 < diizzy> they do have some nc models that are quite good too
13:51 < KNERD> No highs? No lows? Must be Bose
14:09 < diizzy> hehe
15:14 < redrabbit> yeah bose products have the "bose" sound
15:14 < redrabbit> i own one of these dumb soundlink first gen
15:16 < redrabbit> even though i always and still thought its shit, when this bt speaker got out, there was little to no other stuff that did the same
15:16 < redrabbit> now the market is crowded id never get another bose product
18:10 -!- will__ is now known as wasutton3
18:48 < KNERD> I would still get the Bose 901 speakers
18:50 <@ordex> are they worth?
18:51 < KNERD> oh yeah. I recall this guy hooked those up to a Carver amp and wow did they crank
18:52 < KNERD> and sounded very good
18:56 < KNERD> i recall a friend had some Bose 601s. While he was out I cranked them way up, and saw some flashing come out of them, and thought I had burned them out. I was worried because I had no money to replace them for him at the time. Turns out it freaking had incandecent bulbs in them to keep from gettinng over driven.
--- Day changed Mon Dec 04 2017
03:11 < henti> hyper_ch: I'm trying to use verify_x509_name to verify the subject, but even using the subject extracted using openssl gives me https://hastebin.com/yiyebugufa.txt
03:11 <@vpnHelper> Title: hastebin (at hastebin.com)
03:20 < hyper_ch> henti: not really sure why you highlihgt me
03:35 < henti> hyper_ch: Sorry, my logs showed you replying to my question originally.
03:35 < henti> Nevermind then.
03:52 -!- abenz__ is now known as abenz
04:43 -!- Elon_Satoshi is now known as Stingy_Japanese
06:41 < xvifr> !welcome
06:41 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
06:42 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
06:43 < xvifr> !tap
06:43 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the protocol
06:43 <@vpnHelper> uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
06:48 < xvifr> !goal I would like to understand why "route-up" script is called at start after "up" in an openvpn config with topology p2p but not after an "up-restart" where only "down", "up" and "ip-change" are called.
06:56 < xvifr> !goal
06:56 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:12 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
07:12 -!- mode/#openvpn [+o novaflash] by ChanServ
07:44 < pseudonymous> Hey - I'd like to set up a openvpn server to permit me access to a private LAN (available to the VPN of course). I don't want to route anything else than requests to that network. Is there any book I should acquire to help me along ? (I intend to use EasyRSA and such, just wondering about context)
07:51 < rob0> just the !howto and !serverlan
07:51 < rob0> !howto
07:51 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
07:51 < rob0> !serverlan
07:51 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
08:00 < pseudonymous> rob0: I see :) Good, I'll use those, then
08:01 < rob0> The flowchart is meant for troubleshooting, but it covers, step by step, what you need.
10:09 < GrandPa-G> I have a up and down script on the server. in the script there is a output >> to file of each command. For some reason the scripts don't seem to be running now. They did a few hours ago. How can I debug that they are really being run?
10:26 <@ecrist> !books
10:26 <@ecrist> !book
10:26 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
10:26  * ecrist shameless plug
10:50 < GrandPa-G> All of the sudden the server will only execute the client-disconnected script for both client starting and stopping. Any ideas what I must have done to make this work this way?
11:16 < GrandPa-G> I am slowly solving my own questions, but then a new one comes up. Is there way to reload the server's host file without restarting openvpn. I tried sending SIGHUP but that disconnects everyone.
11:18 < hyper_ch> server's host file?
11:18 < GrandPa-G> yes
11:19 < hyper_ch> just edit it
11:19 < rob0> "reload"?
11:19 < GrandPa-G> yes, but I want want openvpn to know what the new entires are.
11:20 < rob0> Nothing "loads" the hosts(5) file, except perhaps dnsmasq or other hosts-to-DNS implementations
11:20 < GrandPa-G> from what I can read, openvpn only reads the hosts file at start. It has to be restarted to re-read the file. That kills all the connections.
11:20 < hyper_ch> and hwere do you read such a thing?
11:22 < rob0> you have client names in hosts, and openvpn is supposed to use those names to assign client addresses?
11:22 < GrandPa-G> I think I am wrong, so I retract my question for now.
11:23 < GrandPa-G> I am definitely wrong, don't know what made me think about this. sorry
11:24 < hyper_ch> it's the internet
11:24 < rob0> If my guess was right, I would expect openvpn to do a gethostbyname() query each time it wants to resolve a client name.
11:24 < hyper_ch> I'm sure the internet is the culprit that made you think so
11:25 < GrandPa-G> The question should have replaced openvpn with dnsmasq - which of course is off topic.
11:27 < GrandPa-G> when a client connects, I put their ip and a special name from a database into hosts file. Then the other clients can easily connect (client-to-client).
11:27 < rob0> yeah, a SIGHUP to dnsmasq, that's in the dnsmasq(8) manual
11:28 < GrandPa-G> yes, I just needed a simple find-replace brain neuron to get the correct thought.
11:30 < GrandPa-G> I claim a defense of mature thinking (senility)
11:34 < rob0> we'd have to know how old you are; a nick of GrandPa-G isn't enough to prove your case!
11:35 < GrandPa-G> As I have said else where, I am older than dirt, My social security number is 1
12:08 < GrandPa-G> am I correct in understanding how to push a dns server to client? If the server is at 10.8.0.1 for tun then in client opvn file I put dhcp-option DNS 10.8.0.1?
12:46 < onitlikesonic> hi all, got a bit of a problem, my old certificates  (which would be a PITA to renew now) dont have a unique CN, i saw we can use "x509-username-field " to specify another field for uniquely identifying nodes, however none of the values seems to be unique also, is it possible to use the thumbprint or something else that would be unique? any form of hash ?
12:47 < onitlikesonic> with our future certificates this is already changed, however i need something now for backwards compatibility
12:50 < onitlikesonic> or hardcoded on configs ?
13:33 -!- abenz__ is now known as abenz
13:41 < rob0> GrandPa-G, --dhcp-option is Windows-only, but yeah, something like that
14:51 < Dixie_F> So I set up this rather complicated firewall for a vm which is running NAT and OPENVPN for my lan then going through my router to my VPN provider.  It functions.  However,  there doesn't appear to be a way to test my firewall configuration because I am still behind my VPN providers firewall.
14:52 < Dixie_F> Is this a problem someone has already solved?
16:59 < nacelle> do eet in a lab
17:03 < meffe> how would i go about to set a cap on the amount of data allowed on the vpn per day or week, or month - whatever. i need the cap - but i dont want to have to set a limit on the tx/rx if i dont have to
17:06 < alanic> Hi, I installed OpenVPN at my home server. I'm trying to connect to it from my laptop at home. When I connect with my laptop, OpenVPN GUI becomes green, but my laptop cannot make any connections. Soon, the OpenVPN GUI becomes yellow and I get read TCP_CLIENT: Unknown error (code=10060) Connection reset, restarting [-1]
17:07 < alanic> how can I debug this situation?
18:35 < farms> good evening all
18:36 < meffe> how come i get disconnected from my znc, which is running on the same server as the vpn - when I'm connected to the vpn?
20:05 < GrandPa-G> Ihave one openvpn server and a number of clients (client-to-client). On the openvpn server there is a inhouse dns (dnsmasq) server running. How can I get the clients to look at this dns as well for resoultion of names?
20:34 <@ecrist> GrandPa-G: for most unix boxes, that's manual.
20:34 <@ecrist> you can do it in an --up script to update resolv.conf
20:35 <@ecrist> there's some push options on the windows side to do the same
20:35 <@ecrist> !dns
20:35 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
20:35 < GrandPa-G> Do I put the ip address of the tun on the openvpn server in the client resolv.conf via up script?
20:36 <@ecrist> well, you would add your internal domain to the search string and add the IP address as the sole DNS server.  make sure you put it back when you're disconnected
20:36 < GrandPa-G> I have put 10.8.0.1 (my openvpn server tun ip) in the resolv.conf. yet if I do a dig with that ip as dns, it can't be found.
20:38 < GrandPa-G> on my client if I telnet to that ip via port 53, it immediately says connected... escape char is.. connection closed. Does that imply my dns server has an issue?
20:39 <@ecrist> is the openvpn server dnsmasq instance listening on the VpN server IP?
20:39 <@ecrist> GrandPa-G: this sounds more like a dnsmasq question.  that channel might be able to give you better troubleshooting suggestions.
20:39 < GrandPa-G> if I understand correctly, it is listening on all ips. Yes, I will ask dnsmasq.
20:42 <@ecrist> and you can do your dig tests with "dig @serverip -t A foo.com
20:42 <@ecrist> "
20:42 < GrandPa-G> that is basically what I did, minus -t A
20:43 <@ecrist> -t A is assumed by default
20:43 < GrandPa-G> that works on the server, not on client. I am aksing in dnsmasq, not many folks home there
21:22 <@ecrist> I'm only familar with BIND.  Is there an allowed clients ACL?  You need to allow the VPN subnet.
22:12 < xboner> wasnt the openvpn access server apt-get install name just openvpn-as ?
22:14 < hyper_ch> !as
22:14 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
22:16 < xboner> in that channel
22:16 < xboner> got it thanks
--- Day changed Tue Dec 05 2017
00:39 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Excess Flood]
00:39 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
00:39 -!- mode/#openvpn [+v RBecker] by ChanServ
02:39 -!- abenz_ is now known as abenz
03:49 -!- Kryczek_ is now known as Kryczek
03:50 < pseudonymous> !serverlan
03:50 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
03:54 < pseudonymous> !ipforward
03:54 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
03:55 < pseudonymous> !linipforward
03:55 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
06:24 < ilyaigpetrov> how does openvpn configures routes on windows, does it use unix tools port?
06:31 < ilyaigpetrov> I see it uses system32\\route.exe, thanks
06:40 < GrandPa-G> In my client-connect script I have a kill -SIGHUP <dnsmasq pid>. The command never seems to work, no indication from dnsmasq that it receive the signal. If I run the script as a command it works. I have tried adding sudo. Any idea why it won't execute?
06:42 < BtbN> so you hardcoded the pid in your script?
06:42 < BtbN> And are you sure that script is even run?
06:44 < GrandPa-G> BtbN:no, I get the pid via piof dnsmasq. If I hand run the same command it works. I have other parts of the script that are being executed. if I ./connect.sh the script it works
06:45 < BtbN> Is openvpn even running as root? And if it is, that's a bad idea.
06:45 < BtbN> And if not, it can't kill random processes.
06:47 < GrandPa-G> it is running as default user which shows to be root.
06:53 < pseudonymous> Can someone speak to the security model of OpenVPN + EasyRSA ? I know that, with the CA.key, I can issue new certs(& secrets) and thus widen the circle of trusted clients. But is there anything more ? Do clients only connect to a server whose SSL cert is issued by the same CA as referenced in the client config ?
06:54 < BtbN> If you configure the client that way
06:55 < pseudonymous> BtbN: I mostly followed hhttps://www.linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server#client-configuration-file - so referencing the CA.crt here has that effect ?
06:55 <@vpnHelper> Title: Set up a Hardened OpenVPN Server on Debian 9 (at www.linode.com)
07:03 < pseudonymous> Similarly, if there's any section of any handbook I should consult to understand the security implications of what I've chosen, I'd be happy to hear about. I'd really like to know these things before I start relying on it
07:39 < marc512> Hi, I've a question about the comp-lzo compression, when enabled, is is possible to show it in Wireshark?
08:05 < GrandPa-G> is there anyway to get the output of a script file like client-connect into a file or log?
08:37 <@krzie> ecrist: serverisdown
08:38 <@ecrist> already working on it
08:38 <@krzie> oh sweet
08:38 <@krzie> thought i caught it first
08:38 < rob0> @seen krzie
08:38 < rob0> haha
08:38 < rob0> serverisdown
08:39 -!- krzie is now known as krzee
08:39 <@krzee> rob0: https://www.youtube.com/watch?v=W8_Kfjo3VjU
08:40 <@krzee> oldie but goodie
08:42 < havoc> my large ovpn setup is running amazingly well, where/when the client isn't explicitly blocked
08:43 < havoc> ~1,700 connected clients at any given time
08:43 <@krzee> damn
08:43 <@krzee> how many servers?
08:43 < havoc> 1
08:43 <@krzee> :O
08:43 <@krzee> dazo, rob0: ^^
08:43 < havoc> 8 vCores, 8GB RAM, hardly anything touched; no load, unless I restart the ovpn process
08:44 < havoc> there will be a second/backup though, don't worry ;)
08:44 < havoc> the physical infra just isn't in place yet at the DR site
08:45 <@krzee> thats awesome
08:45 < havoc> no real data over the vpn yet either though, just the baseline AD/LDAP crap, ~1.5mbps baseline
08:45 <@krzee> oh
08:45 < havoc> but I still don't anticipate any issues, as we can through more vcores at it at will
08:46 < havoc> and it's capped at 125 ovpn clients per ovpn server process
08:46 <@krzee> umm
08:47 <@krzee> <havoc> and it's capped at 125 ovpn clients per ovpn server process
08:47 < havoc> there will be streaming video over it, but should be limited, the bottleneck is the server's available bandwidth
08:47 <@krzee> <havoc> ~1,700 connected clients at any given time
08:47 <@krzee> <havoc> 1
08:47 < havoc> krzee: 17 server processes, 1194 is the "provisioning" server, 1195-1210 are production
08:47 <@krzee> ohh ok
08:48 <@krzee> so 17
08:48 <@krzee> less interesting than i thought :D
08:48 < havoc> each is a /25, so 125 usable IPs :)
08:48 < havoc> well, it's one "server"/VM/machine
08:48 <@krzee> gotchya
08:52 < havoc> I like iftop -F
08:53 < havoc> all the vpn clients are under 172.28.0.0/20, iftop -F 172.28.0.0/20 makes it easy to see all "vpn" traffic usage
08:54 < havoc> better than the tcpdump filter crap
08:54 < havoc> ...at least for this purpose
09:12 < GrandPa-G> I am on a raspberry pi as a client I want to start the client every time but with a named opvn file. Does something like sudo systemctl start openvpn@client.service work?
09:30 < meffe> so if i got two different internet sources, one primary, and one secondary.. and i want to install a openvpn on that server - and the openvpn is supposed to use the secondary gateway.. how would i go about to setup this? thanks
09:33 < rob0> GrandPa-G, that would be a raspbian or Debian uestion, no?
09:34 < rob0> meffe, the proposed server already has the dual gateway working?  IPv4, v6 or both?
09:34 < GrandPa-G> rob0:maybe. Can you just copy foo.ovpn into client.conf and have it work or are they really different?
09:34 < rob0> I don't use Debian so I could not say.
09:35 < rob0> but ... I would expect there's no difference in a config file by any name
09:38 < GrandPa-G> must be ok, it works!
09:42 < havoc> is there an explanation of --status-version anywhere? i.e. examples?
09:43 <@ecrist> havoc: the man page
09:43 <@ecrist> otherwise, I wrote an extensive description on the status file in the Mastering OpenVPN book
09:44 < havoc> nope, not in the man page, not that I've seen so far anyway
09:45 < havoc> other than it can be 1, 2, or 3, but no explanation of format
09:45 < havoc> it's the format that I'm looking for
09:46 <@ecrist> havoc: you could check out the book, then
09:46 <@ecrist> or, you can run openvpn and try all three
09:46 < havoc> is the book online?
09:47 <@ecrist> You can buy it.
09:47 <@ecrist> Online
09:47 <@ecrist> You can download a PDF
09:47 < havoc> doesn't help me today
09:47 <@ecrist> !book
09:47 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
09:47 <@ecrist> or, you can look at the openvpn source code
09:47 < havoc> https://www.packtpub.com/networking-and-servers/mastering-openvpn
09:47 <@vpnHelper> Title: Mastering OpenVPN | PACKT Books (at www.packtpub.com)
09:48 <@ecrist> https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/status.c
09:48 <@vpnHelper> Title: openvpn/status.c at master · OpenVPN/openvpn · GitHub (at github.com)
09:54 <@krzee> maybe you could steal from this:  https://github.com/ojarva/openvpn-status-parser
09:54 <@vpnHelper> Title: GitHub - ojarva/openvpn-status-parser: Parser for openvpn status file (at github.com)
09:56 < havoc> krzee: not looking to "steal", I can parse it just fine, I'm just looking for an example of what it is, to see if I'd even want to use ver2, or ver3
09:58 <@krzee> by steal i mean glean whats where without digging
10:00 <@ecrist> havoc: just run openvpn with the various options
10:00 < havoc> krzee: nothing there, I just looked
10:00 < havoc> ecrist: that's what it's looking like I'll have to do
10:03 < havoc> from a forum post: "the main difference between 2 and 3 is the separator character used"
10:03 < havoc> doesn't sound like there any additional info in ver2 or ver3, from what I've been able to find so far
10:04 < havoc> hmm, that may not be correct
10:07 <@ecrist> in case you didn't see
10:07 <@ecrist> havoc: just run openvpn with the various options
10:07 <@ecrist> havoc: just run openvpn with the various options
10:07 <@ecrist> havoc: just run openvpn with the various options
10:07 <@ecrist> havoc: just run openvpn with the various options
10:07 <@ecrist> havoc: just run openvpn with the various options
10:07 <@ecrist> havoc: just run openvpn with the various options
10:07 <@ecrist> havoc: just run openvpn with the various options
10:07 < havoc> 10:00:59 <havoc> ecrist: that's what it's looking like I'll have to do
10:10 < rob0> or, just choose v3 and figure out how to parse that
10:11 < meffe> rob0: sorry for the late reply, I'm at work. Well yeah, both connections are working. The primary is v4 & v6, secondary (which I'm going to use) is v4 only.
10:12 < deftjack> I assume it is something the client is running but anyone know why openvpn clients would attempt to connect to the server (after authenticated etc) on ephermal ports like 40497 udp?  I doubt its related to openvpn at all, not all do it, but thought Id check.
10:14 < rob0> meffe, then you just need an "ip rule" to route the VPN out secondary table, and an iptables SNAT rule to set the source to secondary IP address.
10:14 < rob0> If you have gotten this far, that part should be simple.
10:15 < meffe> Right.. I'll check in when I get home from work, and see if you're still here. I might have some questions while setting it up.
10:19 < rob0> if you flag me I'll see it eventually, but there are others who can help also
10:26 < D4ni3l> Hi.
10:29 <@ecrist> hello
10:55 < speedio> im using vpn to access a remote host on which i run kvm and im unable to access the vms running on the host.. anyone know how to fix it so i can access them remotely?
10:58 < hyper_ch> make them also clinets
10:58 < hyper_ch> are you using virt-manager?
11:00 < MacGyver> Seems like overkill to make them VPN clients... fix the routing and the virtual interfaces correctly...
11:00 < MacGyver> Which isn't exactly a topic for this channel, mind.
11:01 < MacGyver> How would you access the vms running on the host if there *wasn't* a VPN in place?
11:01 < hyper_ch> automagic :)
11:12 < DArqueBishop> speedio: make sure that the VPN network and the VMs' network can talk to one another?
11:12 < DArqueBishop> !ipforward
11:12 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
11:51 < rokups> is there any server/client option that would make windows client set default gateway on tap network adapter?
11:54 < HankMoody> Hi there. I'm having issues getting the final strings of my VPN setup. I've got the server set the way I want it, the keys are made (and working), I have access to the network, the packets go through and connect me to the internet from my client. I can ping devices on the VPN's network, but my last (and consequently biggest) problem is I can't see my media server (currently on a different machine than my VPN server). I'd like to be able to
11:54 < HankMoody> access it via MedaHouse on my tablet when I'm away from the house.
11:55 < HankMoody> I've been dicking around with this final part for a few hours and either my google-fu isn't up to snuff today or I'm just missing something here. Any help is greatly appreciated.. Thanks! :D
11:56 < hyper_ch> HankMoody: make media server also a client in the vpn or
11:56 < hyper_ch> !lan
11:56 < hyper_ch> !route-lan
11:56 < hyper_ch> !lan-route
11:56 < hyper_ch> dammit
11:56 < hyper_ch> !serverlan
11:56 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
11:57 < HankMoody> That's where I think I need assistance in heading. Before when I had it setup (VPN was setup through my media server machine) I'd just set the interface it broadcasted on at tun0 as opposed to the regular nic interface. Ahh, thank you @hyper_ch I'll give that a look and harass you some more if I get stumped :D
12:06 < MacGyver> HankMoody: What protocol does the media server use?
12:10 < HankMoody> It's Universal Media Server (fork of PS3 Media server).
12:11 < MacGyver> Unfortunately, that doesn't answer my question directly and I'm not inclined to figure this one out for you.
12:11 < MacGyver> What protocol (HTTPS? SSH? SMB?) does it use for querying it?
12:16 < MacGyver> (In particular, what I'm after is figuring out whether it uses a detection mechanism that requires broadcast packets by default)
12:16 < HankMoody> Apologies, and I wouldn't expect you to ;). It's a upnp DLNA compliant media server.
12:19 < MacGyver> This is probably an issue with NAT'ing and UPnP then.
12:19 < HankMoody> And I didn't have a problem with it working before when the VPN was on the same machine as the media server. I just told it to run over tun as opposed to the nic - So I know it's capable of advertising itself and my tablet recognized it when it was broadcasted over tun
12:20 < MacGyver> Right, but at that point it's not being NAT'ed, it's broadcasting directly on the VPN network.
12:22 < HankMoody> gotcha.
12:24 < HankMoody> I think anyway
12:35 < MacGyver> Solutions I can find on that front are mostly to do with linux-igd as a UPnP gateway.
12:35 < MacGyver> Another option is switching the VPN over to TAP mode, i.e. making VPN clients a part of the broadcast domain.
12:35 < MacGyver> But there be dragons because TAP-VPNs are (apparently) too hard for most people to wrap their heads around.
12:36 < MacGyver> Another solution might be to simply give the media server a static IP address in the network and contacting it directly, if it supports a normal, non-UPnP approach.
12:37 < HankMoody> Hmm, okay... So this is that *one* circumstance where a bridge is needed over a tunnel? heh. I thought about trying a bridge, but in everything I've read they essentially warn people that as you said they're difficult for most people, and that a tunnel works 99% of the time.
12:37 < HankMoody> And it's less complex than a bridge.
12:38 < HankMoody> Easier to get up and running, etc.
12:40 < HankMoody> I can access the machine directly as I've got samba on it, so locating it once I'm inside the VPN isn't a problem from a regular machine (read: laptop) standpoint, but as far as the program I use on my tablet it's upnp.
12:42 < HankMoody> I'm an idiot... I think. I believe it may just missing a route from my router to the VPN subnet
13:06 < HankMoody> @MacGyver: Since my VPN server and my media server are on two different machines, linux-igd wouldn't be of any help to me, would it?
13:07 < MacGyver> It would, I think; the media server would be talking to your clients as though they were the VPN server, aiui.
13:07 < MacGyver> However, I have zero actual experience with UPnP and VPN.
13:08 < HankMoody> Gotcha, so would I need to install linux-igd on my VPN machine or the media server?
13:10 < MacGyver> VPN machine. I think.
14:05 < HankMoody> Sweet kicking Jesus! I *MAY* have found an answer.
14:05 < HankMoody> https://stackoverflow.com/questions/37032269/how-to-run-ssdp-upnp-discovery-through-openvpn
14:05 <@vpnHelper> Title: routing - How to run ssdp (upnp) discovery through openvpn - Stack Overflow (at stackoverflow.com)
14:07 < HankMoody> I'll let you know how it works @MacGyver
14:18 < GammelSmurf> Viscosity or OPENVPN what is better?
15:41 < vinylfreak89> !welcome
15:41 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
15:41 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
15:41 <@vpnHelper> you
15:42 < vinylfreak89> !goal I would like to connect to my private VPC using my open vpn profile as a bridge.
15:42 < vinylfreak89> oops
15:42 < vinylfreak89> I didn't read properly :P
15:42 < vinylfreak89> !goal
15:42 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:43 < vinylfreak89> ah
15:43 < vinylfreak89> got it
15:43 < vinylfreak89> I thought it was some automated help system
15:45 < vinylfreak89> well... the issue here, i've created an ovpn server on AWS, created my client profile, securely transfered the ovpn file. Running windows 10, but when I try to connect to said profile, openvpn just crashes (the openvpn-gui)
16:37 < HankMoody> @vinylfreak89: My recommendation is don't use Windows, but I know that's not viable =P. Have you tried re-writing the client profile? I've done that a few times when I've had issues (not this one specifically) with it and it ended up working on the next try. Also off-topic you a DJ by chance?
18:11 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 255 seconds]
18:14 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
18:14 -!- mode/#openvpn [+o syzzer] by ChanServ
21:06 < vinylfreak89> HankMoody: what do you mean by rewrite the client profile. Regenerate it? And no, not a DJ...just an audiophile :P
21:15 < vinylfreak89> !howto
21:15 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
--- Day changed Wed Dec 06 2017
03:11 < styler2go> I have a openvpn server and lcients connected to it. Now i want to access a client from the server. Any idea why this could not work? Server IP is 10.100.0.1 and Client ip is 10.100.0.10. In route it says: https://p.styler2go.de/670738
04:16 -!- pekster [~rewt@openvpn/community/developer/pekster] has quit [Ping timeout: 276 seconds]
04:16 -!- pekster [~rewt@openvpn/community/developer/pekster] has joined #openvpn
04:28 < styler2go> noone?
05:12 <@novaflash> looks like a subnet conflict to me. are you using the same subnets for both the vpn clients and your physical network?
05:54 < sibok> Hi, does anyoen knows what could be causing that issue on a GNU/Linux client side? https://pastebin.com/Xr97v9gSHi Thx :)
06:11 < sibok> Excuse me, this is the right URL https://pastebin.com/Xr97v9gS
06:20 < sibok> Found that bug https://community.openvpn.net/openvpn/ticket/573
06:20 <@vpnHelper> Title: #573 (Client on Fedora 21: config option "auth-user-pass" works when in config file, but not on command line) – OpenVPN Community (at community.openvpn.net)
06:28 <@dazo> sibok: really hard to guess what is happening here.  That bug is truly annoying, as it is the same code paths being involved are identical .... plus it's a bug not many have been hitting
06:28 <@dazo> sibok: could you pastebin the output of your command line with --verb 4 as early in the command line as possible?
06:31 <@dazo> this also works as expected on my RHEL7 machine ... vpn.txt is read and parsed
06:31 < sibok> dazo: it changes nothing in the output as openvpn does not execute itself cause it states auth-user-pass is an unrecognized parameter, sames happens for --client cause i've tried setting --client as first argument and it complained about it issuing the same message
06:31 <@dazo> $ /usr/sbin/openvpn --verb 4 --remote example.com 1194 udp --compress lz4 --dev tun --auth-user-pass ~/vpn.txt --ca ~/.cert/ca.pem --client
06:32 <@dazo> this is the exact line I used in my test .... with a vpn.txt available in my homedir
06:32 <@dazo> $ /usr/sbin/openvpn --verb 4 --remote example.com 1194 udp --compress lz4 --dev tun --auth-user-pass ~/vpn.txt --ca .cert/ca.pem --client | grep auth_user_pass_file
06:32 <@dazo> Wed Dec  6 13:32:21 2017 us=230612   auth_user_pass_file = '/home/dev/vpn.txt'
06:34 < sibok> dazo: it's not working for me, always same error
06:34 < sibok> what openvpn version are you running?
06:34 <@dazo> $ openvpn --version
06:34 <@dazo> OpenVPN 2.4.4 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017
06:34 <@dazo> library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
06:35 <@dazo> try replacing ~ with the full path to your vpn.txt file
06:38 <@dazo> ehm .... I see you have "enable_crypto=no" ... have you built your own VPN client?
06:39 < sibok> dazo: yes, i'm on funtoo, gonna check that
06:40 <@dazo> without crypto, --auth-user-pass shouldn't be available
06:40 <@dazo> (that depends on the control channel, which is only available with crypto)
06:41 < sibok> Thx a lot, gonna work on that :)
06:42 < sibok> dazo: that made it :)
06:44 <@dazo> so, not the same bug :)
08:18 -!- dakar is now known as mantra
09:57 < mod_cure> hi all, I installed aws openvpn server.  when I connect to the vpn server i loose my internet connection. i notice the openvpn is pushing the default route of 0.0.0.0 to its gateway . when i delete this route in windows I can browser the internet. how do tell openserver not to push o.o.o.o route ?  also, when connected to openvpn server, my dns isnt working correct. i have to selet use the openvpn dns server ,please help. thank you
10:06 < DArqueBishop> Correct me if I'm wrong, but AWS uses OpenVPN Access Server, right?
10:10 < mod_cure> DArqueBishop, correct. i installed the aws openserver ec23
10:10 < mod_cure> DArqueBishop, correct. i installed the aws openserver ec2
10:12 < DArqueBishop> mod_cure: in that case...
10:12 < DArqueBishop> !as
10:12 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
11:15 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 255 seconds]
11:18 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
11:18 -!- mode/#openvpn [+o syzzer] by ChanServ
12:39 < Zajt> Hi, I'm trying to download openvpn and after I downloaded it, I run: ./configure, but in the end there I get: configure: error: openssl check failed
12:39 < Zajt> How can I solve this?
12:44 < MacGyver> By reading a bit further up *why* the openssl check fails.
12:44 < MacGyver> Possibly it's because you don't have the prerequisite dependencies installed.
12:45 < Zajt> yeah I get some "no"s there MacGyver , how can I install the ones that fails?
12:45 < MacGyver> That depends on what system you're trying this on.
12:45 < Zajt> ubuntu
12:46 < rob0> Which begs the question, why are you compliling this?  Does your OS/distro provide it?
12:46 < rob0> yes it does
12:46 < MacGyver> Why not just install openvpn from the repositories then?
12:46 < rob0> You probably should stop and go through an Ubuntu new user tutorial.
12:52 < styler2go> Hey everyone. I still have the issue that i can't access my clients from my server or my server from my clients. Can someone help?
12:58 < rob0> sounds like the /topic got another one right ... firewall
13:00 < styler2go> me?
13:01 < rob0> YOU, did you read the /topic yet?
13:02 < styler2go> Sure but i don't think the cause will be firewall.. I'll try disabling it
13:03 < styler2go> https://p.styler2go.de/7043422 it's not the firewall
14:23 < vinylfreak89> just letting people know I fixed the issue
14:23 < vinylfreak89> windows 10 is dumb
14:23 < vinylfreak89> reboot cleared it up... connected right up
14:24 < vinylfreak89> catch you guys later
15:19 < merlin1991> hi so I'm using the almost always bad idea (tap) to for a star shaped network to play games with my friends, that worked just fine, but since my update to debian stretch the tap interface on the server gets created, but does not move into UP state
15:19 < merlin1991> when i manually run ip link set dev tap0 up mtu 1500 the system starts working
15:21 < merlin1991> journal tells me  Initialization sequence complete but ip link gives me tap0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 100
15:21 < merlin1991> and I'm out of ideas
15:39 -!- Netsplit *.net <-> *.split quits: @syzzer
16:02 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
16:02 -!- ServerMode/#openvpn [+o syzzer] by moon.freenode.net
16:59 < Dixie_F> I have a tun device which is passing NAT'd traffic just fine from my LAN to the internet.  ifconfig and route looks fine.  but the machine itself can't connect to the internet or even the local ip address of the tun device (which is clearly working). ipf and ipnat are firewalling on the same machine.  Addtionally,  If I restart openvpn everything works again
17:20 < GrandPa-G> on a client (linux), if I have foo.opvn configuration file, how do I get it to be used when openvpn starts as a service on boot?
17:25 < rob0> you'd look that up in your distro's documentation
17:26 < Dixie_F> Likely it should be called openvpn.conf and be in /etc/openvpn/ or some such.  check the log file or ps and see if it shows the conf file location
17:28 < rob0> surely they have put a README somewhere
17:28 < GrandPa-G> I guess my question here is, if I take the opvn file which contains the certs and config, et. al. and just rename it to what the service thinks it should have (I think it is client.conf), should it work? So far I don't think it does.
17:28 < rob0> what happened when you tried that
17:29 < rob0> Perhaps a client.conf must be started manually?
17:30 < rob0> or you might have to tell systemd somehow that you want to start it at boot -- chkconfig, wasn't it in the old days?
17:30 < GrandPa-G> I know if I manually start sudo openvpn --config foo.opvn it works as desired. I could put it in a startup file, but I would rather have it controlled like a service.
17:31 < GrandPa-G> for me, I can put it in a cron job for reboot time.
17:32 < GrandPa-G> the setup of the service start files are put there by the openvpn install, thus why I am asking here.
17:32 < rob0> For distro-specific questions, you should probably say what distro it is, in case someone knows.
17:33 < rob0> dazo writes those service files, yes
17:33 < GrandPa-G> I have asked the question there in the general channel.
18:43 -!- P1ro__ is now known as P1ro
19:09 -!- svm_invi_ is now known as svm_invictvs
20:40 < GrandPa-G> My clients were working yesterday. I had to reboot server today for different reason. Now they don't. Am getting these errors https://pastebin.com/yZhAW28U. Ideas?
20:44 < GrandPa-G> This from server syslog file. It repeats.
22:50 -!- abenz__ is now known as abenz
23:11 < Pilfers> how do i connect using a ovpn file
23:15 <@ordex> you can just specify it on the command line
23:15 <@ordex> openvpn configuration.file
23:15 <@ordex> it's a normal configuration file like any other ... so you just do what younormally do
23:53 < Pilfers> so just openvpn config.ovpn
23:53 < Pilfers> its confusing because the website talks about all the options
23:54 < Pilfers> openvpn -dev tun -port 53 -protocol tcp etc
23:55 < Pilfers> !welcome
23:55 < Pilfers> !goal
23:55 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
23:55 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
23:55 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:55 < Pilfers> why is tap/bridge bad ?
23:55 < Pilfers> !vulninfo
23:55 <@vpnHelper> "vulninfo" is (#1) See these factoids for more info about specific vulnerabilities: !heartbleed !poodle !ovpnuke !sweet32 !duhk, or (#2) See here for all security announcements: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
23:56 < Pilfers> !tap
23:56 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the
23:56 <@vpnHelper> protocol uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
23:57 < Pilfers> !tunortap
23:57 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
23:57 <@vpnHelper> rooted/jailbroken) support only tun
--- Day changed Thu Dec 07 2017
04:18 < samael> hello. i'm setting up an openvpn server using 2.4.0. i have old setups using 2.1.x servers, on which i use comp-lzo. now i understand that lz4-v2 should be used and pushed whenever possible. many of my clients are embedded PCs like beaglebones and other resource-limited SBCs. i wonder what is the best compression to chose on such clients. any advice?
04:20 <@dazo> samael: lz4 vs lzo ... there is no clear guidelines what is best, both have strengths and weaknesses .... it depends on what fits your most common VPN traffic
04:21 <@dazo> What I'm saying is that --compress lzo is not necessarily worse than lz4 or lz4-v3
04:21 <@dazo> v2
04:22 < samael> dazo: i see. i'll begin with lz4v2 as proposed by the conf default, then i'll make some benchmarks later on. thanks
04:22 <@dazo> but moving away from to --comp-lzo to --compress lzo on the server side with v2.4 is definitely a good move .... --comp-lzo itself is deprecated and will at some point be removed
04:22 <@dazo> https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#a--comp-lzo
04:23 <@vpnHelper> Title: DeprecatedOptions – OpenVPN Community (at community.openvpn.net)
04:27 < samael> dazo: +1 for the new approach, then
04:30 <@dazo> samael: if you want to benchmark compression only on your hardware, you can have a look at this project: https://github.com/inikep/lzbench
04:30 <@vpnHelper> Title: GitHub - inikep/lzbench: lzbench is an in-memory benchmark of open-source LZ77/LZSS/LZMA compressors (at github.com)
04:33 <@dazo> (and also pay attention to your CPU load as well, for a better understanding what happens to your overall system load)
04:35 < samael> dazo: yep the cpu load is the first thing i need to keep an eye on. thanks for the pointer
05:46 < petaflot> hello! anybody here?
07:19 < |Mike|> petaflot: sometimes.
07:50 < petaflot> :-) |Mike| have you any experience with openvpn and pfSense?
08:48 -!- Netsplit *.net <-> *.split quits: @syzzer, @vpnHelper, @dazo, pekster
08:54 -!- ServerMode/#openvpn [+o ordex] by moon.freenode.net
08:55 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
08:55 -!- pekster [~rewt@openvpn/community/developer/pekster] has joined #openvpn
08:55 -!- ServerMode/#openvpn [+o syzzer] by moon.freenode.net
08:55 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
08:55 -!- ServerMode/#openvpn [+o dazo] by moon.freenode.net
08:55 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
08:55 -!- ServerMode/#openvpn [+o vpnHelper] by moon.freenode.net
09:18 -!- mode/#openvpn [+v hyper_ch] by ChanServ
10:00 < dongcarl> Hi all, any way I can exclude a website (say Netflix) from using my OpenVPN tun0?
11:53 <@ecrist>  
11:58 -!- varesa is now known as varesa|
13:26 < egonsen> i have a raspberry pi running an openvpn server. it is connected to the internet via ipv4. now sometimes my client (smartphone) is connected to an ipv6 network and i want to route all network traffic (including ipv6) through my raspberry openvpn server. is this possible?
13:44 < BtbN> If it doesn't have IPv6 connectivity, no
13:46 -!- nobody is now known as snowbody
14:22 <@ecrist> !ubuntu
14:22 <@vpnHelper> "ubuntu" is dont use network manager to configure your vpns! get it working via commandline and then import to network manager if you want to use it.
14:24 <@ecrist> !UAC
14:24 <@vpnHelper> "UAC" is On Windows >=Vista, you can check if UAC is on (0x1) or off (0x0) with this command: reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
14:24 <@ecrist> !book
14:24 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
14:32 < havoc> I'm thinking I need to roll out another ovpn setup for one of our 250 unit programs
14:32 < havoc> but the clients would be windows in that one, not linux routers
14:33 < havoc> just need to be able to script a silent install, which I *think* the windows installer can do
14:34 < havoc> as well as pre-add the key/cert for the TAP driver
15:03 < GrandPa-G> if I have several clients, can I use the same ovpn file for all, but just rename each one to keep them identified uniquely?
15:46 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 260 seconds]
15:48 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
15:48 -!- mode/#openvpn [+o syzzer] by ChanServ
15:48 -!- ServerMode/#openvpn [+o ordex] by moon.freenode.net
16:14 < D4ni3l> Hello.
16:37 < ghormoon> hi, where is the right place to get ip for tap interface?  I've tried up script ,but that is too early obviously
16:42 -!- ServerMode/#openvpn [+o ordex] by moon.freenode.net
17:29 < ghormoon> any idea how to debug destination host unreacheable if  Itry to ping the vpn server, but dhclient works? it stipped workin during testing of when to run dhclient, it worked before :/
17:37 < ghormoon> ok, wrong way of redirecting route, so at least I'm back in state when I can start vpn and then add ip and routes later, though, why it never gets reply when run from up script? tried echong the user, it's still root
17:42 < |Mike|> GrandPa-G: nope, unless you change the </ ..> part :-)
17:43 < GrandPa-G> |Mike|:I don't think I understand what you mean.
17:45 < |Mike|> your ovpn file contains the config, keys, cert and ca, correct?
17:46 < GrandPa-G> |Mike|:I think I understand. You are saying copying up to where certs stuff starts is ok, but each client should (must?) have a seperate cert portion?
17:50 < GrandPa-G> When does a client need new cert type files? What action on server would trigger the need to generate new certs for client?
17:54 < |Mike|> well, you can't use 1 cert twice ;-)
17:59 < GrandPa-G> I really meant, if I have all my certs deployed, what would cause me to create new ones for the client. Will they last forever?
18:01 < |Mike|> not quite ure, you'll have to check your openssl config for that
18:01 < |Mike|> probably 10 years
18:07 < specing> GrandPa-G: old sig algos deprecated
18:31 < Abbott> so right now I connect to my vpn with `sudo systemctl start openvpn-client@server` and the server.ovpn file (and related crts and keys) are in /etc/openvpn/client. I would like to set up networkmanager-openvpn, but it seems like I would have to have all of the openvpn files in a user-accessible directory. Is this safe/normal?
18:45 <@ordex> Abbott: I am not sure, but i think so, because the nm-openvpn plugin is executed as user and needs to read the key material in order to create a valid configuration for openvpn
18:46 <@ordex> but i am no expert..i just use it everynow and then
18:54 < Abbott> okay, just seems strange to have a key that is user readable or whatever
19:00 < ghormoon> hm in tcpdump Ive found a difference between running the dhclient from script and later when the vpn is already running, there's RSTP running in the working case, might it be openvpn somehow enables it after up script?
20:29 -!- abenz__ is now known as abenz
--- Day changed Fri Dec 08 2017
00:22 < telegm2> Released!
00:22 < telegm2> !welcome
00:22 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
00:22 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
00:23 < telegm2> !goal
00:23 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
00:27 < telegm2> Hello community, someone could help me, I can not configure easy-rsa with
00:27 < telegm2> OpenSSL 1.1.0f
01:10 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has quit [Ping timeout: 240 seconds]
01:12 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
01:12 -!- mode/#openvpn [+v hyper_ch] by ChanServ
04:16 -!- snowbody is now known as nobody
05:50 < Angs> one of my client has been hacked. It might be possible that the hacker copied the client's keys. Is it enough to just remove the keys of the client from /keys and re-issue new keys?
06:12 < |Mike|> Angs: no. you've to revoke the key
06:13 < |Mike|> "If a private key is compromised, it can be disabled by adding its certificate to a CRL (certificate revocation list). The CRL allows compromised certificates to be selectively rejected without requiring that the entire PKI be rebuilt."
06:13 < ghormoon> also the vpn needs to check revoke lists, right? (might not in default?)
06:13 < |Mike|> https://openvpn.net/index.php/open-source/documentation/howto.html
06:13 <@vpnHelper> Title: HOWTO (at openvpn.net)
06:14 < |Mike|> ctrl f "revoke"
06:15 < |Mike|> ghormoon: crl-verify yes.
06:16 < ghormoon> yeah, just felt tne need to point it out as they might not have it there :)
06:20 < Angs> thanks, |Mike|
06:35 < ghormoon> btw is it normal that dhclient in "up" script for tap doesn't work (packets sent, nothing received), but run from commandline after works? I've noticed when run in the up, at that point RSTP packats don't run on the connection, after they do, so maybe that causes it. can I make openvpn run upscript after it enables rstp? or when that happens?
06:57 < GrandPa-G> is there any way to have a headless client query a server of any kind to send a request for their opvn file?
07:01 < |Mike|> like a cronjob => wget https:// ... ? ;)
08:09 < rob0> GrandPa-G, openvpn does not have that feature.  OpenVPN-AS has a web interface where users can download a config file (I guess that's what you mean by "ovpn file"?) but I don't think it can work non-interactively.  You might have to write something yourself, and note,
08:09 < rob0> !notovpn
08:09 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
08:11 <@ecrist> ghormoon: why are you using tap?
08:16 < ghormoon> ecrist: to be sure the same firewall rules apply as for clients of the admin vlan on the remote site (this will be basically vpn only for me as recovery way home)
08:17 < ghormoon> I had some issues with firewall rules on the routed variant (server is mikrotik) and this seems both easier and safer so I don't forget to allow something that is usually allowed from admin vlan
08:19 < sibok> Hi, does anyone knows why there are 2 openvpn processes runing on my system? https://pastebin.com/HJmrPQw5 Thsi happens when i run systemctl start openvpn@vpn.example.com  on an Ubuntu 17.04 OS
08:22 <@ecrist> ghormoon: just FYI, mobile devices have no tap adapter support
08:23 <@ecrist> so, if you have any intent on using a phone, tablet, or chromebook, don't use tap
08:23 <@ecrist> !tunortap
08:23 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
08:23 <@vpnHelper> rooted/jailbroken) support only tun
08:37 < ghormoon> ecrist: nope, just one laptop
08:39 <@ecrist> ok.  I'll still argue you're doing it wrong
08:41  * rob0 suspects ecrist is right :)
08:44 < l__q> How to do it so that Client 1 can communicate with the Client 2? client-to-client is already in the file: openvpn.conf
08:45 < l__q> im using docker https://github.com/kylemanna/docker-openvpn
08:45 <@vpnHelper> Title: GitHub - kylemanna/docker-openvpn: 🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA (at github.com)
08:45 < rob0> The "d" word makes me suspect broken routing.
08:45 < rob0> !route
08:45 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
08:46 < ghormoon> ecrist: well, sort of, but at least this works, if I do routed one and use the vpn interface in accept rules in firewall, it doesn't work :) maybe if I used subnets instead of interfaces, but still ... vpn support in mikrotik is so limited I'd rather fix things on linux side :)
08:46 < rob0> BTW you definitely do not want your CA in a VM, and if you're interested in security (openvpn IS security software) you must not have the CA on the server.
08:48 < DArqueBishop> Easy-RSA 2 is available for Windows, right?
08:57 < |Mike|> Yep!
08:57 < |Mike|> rob0: keke, i'm breaching security o/ o/ :-P
08:59 < rob0> IIRC the official howto always recommended having the CA on a non-VPN (ideally, non-networked!) physical machine.
09:09 <@ecrist> We should really "fix" that.  It's unrealistic to put the CA generation stuff on a non-networked device.
09:10 <@ecrist> We should, instead, provide some tips on how to keep the CA and chain secure, when you do have it on a networked device.
09:10 <@ecrist> We can leave the current lingo as a foot note and list it as a "best practice".
09:14 < l__q> How to do it so that Client 1 can communicate with the Client 2? client-to-client is already in the file: openvpn.conf
09:16 < DArqueBishop> Oh, yay, Easy-RSA 3 works on Windows now.
09:17 < DArqueBishop> ecrist: what I may end up doing is putting my Easy-RSA environment on a USB stick encrypted with BitLocker To Go.
09:18 <@ecrist> Please feel free to provide usability feedback.
09:18 <@ecrist> I'll be making some significant updates this weekend, I think.
09:18 <@ecrist> The current release has a bug with egrep, that is fixed in Master
09:20 < DArqueBishop> No problem. This gives me a good excuse to change my certs.
09:23 < DArqueBishop> The only suggestion I might make at this point is that, well... I pulled from master so I may have missed something, but it might help to make it clear that you need to move the contents of the easyrsa3 directory into the distro/windows directory.
09:32 <@ecrist> DArqueBishop: that's normally handled by the packaging process
09:32 < DArqueBishop> .... oh.
10:46 < sibok> Could someone take a look at this issue when running OpenVPN in chroot? https://goo.gl/qgbV2e Thx :)
10:46 <@vpnHelper> Title: linux - OpenVPN WARNING: Failed running command (--client-connect): could not execute external program - Server Fault (at goo.gl)
11:30 < HankMoody> Upon doing much googling I've found that it is possible to run a TAP/bridged connection on a rooted Android (or just pay the $7 for OpenVPN Client) - I wanted to root it anyway so I figured I'd go through that process. Upon more googling after (the insanely complex) process of getting it rooted and flashing a custom ROM on it, I can't seem to find more than it CAN be done if it's rooted. Can anyone give me a hand or at least point me in the
11:30 < HankMoody> right direction?
11:49 < rob0> I suppose at the point you have it rooted, it's similar to a regular Linux.
11:55 < HankMoody> Yeah, I want to keep the android setup on there. It's beginning to look like i may have to go back to a tunneled setup and just use Kodi/Plex to stream to the droid. The last time I needed to get the media server over VPN I had my VPN server and media server on the same machine. I just used VNC and forced it over the tunneled connection and it broadcasted.. It worked somehow; but now since they're on different machines I can't do that.
12:10 < GrandPa-G> is anyone willing to help me set up iptables on ubuntu for server port? I did it wrong once and it shut down all ports! I don't mind doing it in dialog mode.
12:16 < HankMoody> If you're having trouble with iptables, you might try ufw. It's a LOT less complex than iptables. It's a little bit noiser over syslog if you constantly monitor it (e.g. via tail -F). I wouldn't be the best person to advise you though. I'm very "crude" with my ufw/iptables setups
12:16 < HankMoody> @GrandPa-G: ^^
12:17 < rob0> Also, nobody online, that I know of, really supports ufw.  #ubuntu sends them to #Netfilter and vice versa.
12:17 < GrandPa-G> HankMoody:That is exactly what I did based on a google document. It stopped all other ports and we had to send someone into the center and disable ufw.
12:17 < rob0> What is "dialog mode"?
12:18 < rob0> oh
12:18 < GrandPa-G> rob0:private talk?
12:18 < rob0> yeah, dump ufw, /j #Netfilter and read the /topic there
12:19 < GrandPa-G> I don't have anything to hide, just don't want to flood open channel with my specific stuff unless nobody minds.
12:19 < HankMoody> @GrandPa-G: Oh damn... Well yeah especially if you don't have physical access to the server I DEFINITELY don't feel comfortable doing that. All my stuff I've got hands on access to if I fuck it up.
12:19 < GrandPa-G> HankMoody:I have what looks correct for iptables (the default firewall). I just don't need all of the stuff explained in my case (I think).
12:20 <@ecrist> HankMoody: don't use tap
12:20 < rob0> #Netfilter is the channel for this.  I only help in /msg if I am being paid. :)  There are others in #Netfilter that can help.
12:20 <@ecrist> GrandPa-G: you're best off asking in an iptables channel
12:22 <@ecrist> HankMoody: if you're using tap, you probably don't know what you're doing.  It's a hot/cold question.  You either *really* don't know what you're doing, or you *really* know what you're doing.
12:22 < GrandPa-G> ecrist:going there for awhile.
12:23 < HankMoody> @ecrist: I didn't/don't want to, but as I haven't been able to get upnp/DLNA to broadcast over TUN - I gave up and tried TAP. I just stumbled across a link that claims to be able to get it running over TUN (in a fraction of the time I've been banging my head against the wall for as well...) I'm going to give this a shot.. The only obstacle I can see/think of is getting my media server box to work in conjunciton w/ the VPN to get it to
12:23 < HankMoody> broadcast over the VPN as well.
12:26 < HankMoody> @ecrist: I appreciate the honesty. I'm rather well versed in working on this: setting a VPN server up, and have read all the warnings of, "if you think you need a TAP connection, you probably don't. But from what I can figure, this is the exception to the rule. Unless I can get this new guide working the way the author claims he did *fingers crossed*
12:26 < HankMoody> https://blog.celogeek.com/201505/615/openvpn-with-upnp-support-in-10-minutes/
12:26 <@vpnHelper> Title: OpenVPN with uPNP support in 10 minutes | Celogeek (at blog.celogeek.com)
12:26 < HankMoody> That's the new link I've found that I'm going to give a shot now.
12:27 < rob0> I'm unfamiliar with upnp, so unable to advise.  But indeed if you "need" broadcast, you need tap for that.
12:27 <@ecrist> https://www.garyhawkins.me.uk/dlna-upnp-and-multicast-routing/
12:27 <@vpnHelper> Title: DLNA, UPnP and multicast routing The Gary Hawkins Full Size Blog (at www.garyhawkins.me.uk)
12:28 < HankMoody> @rob0: I can't/haven't gotten the media server to broadcast over the App I'm using on Android (MediaHouse) otherwise.
12:28 <@ecrist> so, in this case, one place where openvpn routed mode fails, is multicast traffic
12:29 < HankMoody> Precisely what I've read. And I currently have a TAP server and connection working, but I'm falling short on finding the way to get my rooted droid to run said TAP connection otherwise; as was suggested by everything I'd seen to that point.
12:29 < HankMoody> @rob0: ^^
12:32 < HankMoody> Now my other trick will be having to get my media server and my VPN server working in conjunction with one another to get it broadcasted over the VPN as they are not not the same machine.
12:43 < HankMoody> Sorry guys, I know this is convoluted as hell, but I appreciate all the info.
12:56 < raffo> hello, my vpn client exited after it lost connection with the server. The server had a network outage. The client issued SIGUSR1 restarts for about 10 minutes and then it terminated itself. I there a way for the client to continue to attempt to connect w the remote server indefinitely?
12:57 <@ecrist> !retry
12:57 <@ecrist> raffo: the option is --retry infinite, iirc
13:01 < raffo> I have "resolv-retry infinite" in the client config. Yet, the client terminated itself after about 15 restarts.
13:03 <@ecrist> raffo: --connect-retry and --connect-retry-max are what you're looking for.
13:08 < raffo> hummm, those two are for TCP operation. This client uses UDP.
13:10 <@ecrist> umm, where do you see those are for TCP?
13:13 < raffo> in the man page.
13:16 < HankMoody> Oops - had to restart the network interfaces, forgot I migrated the znc server to that machine too =P
13:16 <@ecrist> raffo: it doesn't say that where I'm looking at it
13:17 < raffo> --connect-retry n : For --proto tcp-client, number of seconds to wait
13:17 < raffo>                     between connection retries (default=5).
13:18 < raffo> straight from the openvpn --help.
13:18 <@ecrist> That's not in the 2.4 manual
13:18 <@ecrist> --connect-retry n [max] Wait n seconds between connection attempts (default=5). Repeated reconnection attempts are slowed down after 5 retries per remote by doubling the wait time after each unsuccessful attempt. The optional argument max specifies the maximum value of wait time in seconds at which it gets capped (default=300). 
13:18 <@ecrist> --connect-retry-max n n specifies the number of times each --remote or <connection> entry is tried. Specifying n as one would try each entry exactly once. A successful connection resets the counter. (default=unlimited). 
13:19 < raffo> I see. I'm not on that version.
13:19 <@ecrist> We typically only support the latest version in the channel.
13:22 < l__q> Can someone support me? https://serverfault.com/questions/887266/how-to-allow-communications-with-client-to-client-on-openvpn-server
13:22 <@vpnHelper> Title: debian - How to allow communications with client to client on OpenVPN Server? - Server Fault (at serverfault.com)
13:23 <@ecrist> l__q: should just need --client-to-client
13:23 <@ecrist> You also need to push the VPN subnet.
13:23 <@ecrist> !configs
13:23 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:24 < l__q> ecrist: i have client-to-client on server config
13:25 <@ecrist> and the second item?
13:32 < l__q> ecrist: push "route 192.168.255.0 255.255.255.0"?
13:39 <@ecrist> i don't know
13:39 <@ecrist> you didn't paste your configs like I asked
13:43 < l__q> !paste
13:43 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
13:43 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
13:44 < raffo> I'm using version 2.3.7. Setting that aside, is there a reason why the client daemon would terminate itself? My client config is:
13:45 < l__q> ecrist: http://paste.itunix.eu/view/raw/fe1a1e98
13:45 < raffo> client
13:45 < raffo> dev tun0
13:45 < raffo> proto udp
13:45 < raffo> remote xxxx 443
13:45 < raffo> resolv-retry infinite
13:45 < raffo> nobind
13:45 < raffo> user nobody
13:45 < raffo> group nobody
13:45 < raffo> persist-key
13:45 < raffo> persist-tun
13:45 < raffo> ca   /etc/openvpn/rootbsd.crt
13:45 < raffo> cert /etc/openvpn/vpn201.cdi.com.crt
13:45 < raffo> key  /etc/openvpn/vpn201.cdi.com.key
13:45 <@ecrist> for fucks sake
13:45 < raffo> tls-auth /etc/openvpn/ta-rootbsd.key 1
13:45 < raffo> ns-cert-type server
13:45 -!- raffo was kicked from #openvpn by ecrist [nope]
13:47 <@ecrist> l__q: you need the push like you posted above.
13:48 <@ecrist> without it, your clients don't know how to route the traffic
13:49 < l__q> Why is it still not working?
13:50 <@ecrist> you don't have the push route in your config
13:51 < l__q> ecrist: my current config: http://paste.itunix.eu/view/raw/65141e9b
13:53 < l__q> if server ip, eg. 192.168.44.0 than route 192.168.44.0 or 192.168.43.0?
13:55 <@ecrist> your question doesn't make sense.
13:55 <@ecrist> after update, you need to restart openvpn
13:55 <@ecrist> !logs
13:55 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
13:57 < l__q> docker stop id, docker run
14:27 -!- mantra is now known as testra
14:32 < sibok> Could someone take a look at this issue when running OpenVPN in chroot? https://goo.gl/qgbV2e Thx :)
14:32 <@vpnHelper> Title: linux - OpenVPN WARNING: Failed running command (--client-connect): could not execute external program - Server Fault (at goo.gl)
15:00 < GrandPa-G> does this in syslog on server mean a bad cert file on client? TLS Error: cannot locate HMAC in incoming packet from ..
16:40 < zoredache> Perhaps a silly question, but why does first 'man openvpn' google hit 'https://openvpn.net/man.html' redirect to the 2.0 manual, and not a more recent version, just the version list?
16:40 <@vpnHelper> Title: OpenVPN - Open Source VPN (at openvpn.net)
16:58 < GrandPa-G> I need some help understanding what is wrong. https://pastebin.com/Sq4KqCi8 I assume this means the client tried but something went wrong in the TLS key. I just created the client file (.ovpn) on the server and put on client.
17:01 < zoredache> do you have access to the server, check the logs on the server side
17:07 < sibok> Does anyone knows how to debug Failed running command (--client-connect): could not execute external program? When i run openvpn 2.4.6 in chroot mode, it always appears this warning event for a script with just return 0
17:09 < GrandPa-G> zoredache:that came from the server side syslog
17:10 < zoredache> ah, well check the client side then
17:10 < zoredache> sibok: is your script (and **everything** it uses) within the chroot?
17:10 < sibok> yes
17:11 < sibok> my script is just #!/bin/bash exit 0
17:11 < zoredache> ok, so is bash in the chroot?
17:11 < sibok> i also added it
17:11 < zoredache> the bash binaries and all the related libraries and son on?
17:11 < sibok> related libraries probably not
17:11 < sibok> is it really needed?
17:12 < zoredache> well, what happens at just the cli if you run chroot /direcotry command
17:13 < zoredache> where directory is the chroot directory you have in your config.
17:13 < GrandPa-G> zoredache:here is client https://pastebin.com/AKwpSzuK, keeps repeating.
17:14 < zoredache> GrandPa-G: increase your verbosity on both sides maybe?  'verb 4'
17:15 < zoredache> sibok: past that, I would probably try watching the process with strace, but that can be pretty painful to follow the output
17:16 < sibok> zoredache: https://pastebin.com/Lq6f2V8W
17:17 < sibok> zoredache: i already been watching the output through strace but i'm not able to find what's going on. I noticed openvpn looks for /etc/localtime inside the chroot which i fixed
17:17 < zoredache> and the 'a.sh' is in /etc/openvpn?
17:18 < sibok> zoredache: yes
17:18 < sibok> don't know why it's not finding it
17:19 < zoredache> maybe try doing strace chroot /etc/openvpn /a.sh
17:19 < analogical> does openvpn bypass my router firewall?
17:20 < zoredache> analogical: no idea.  Maybe, depends on how your network is setup, and how your vpn is setup and so on.
17:23 < GrandPa-G> zoredache:verb 5 client https://pastebin.com/Mt85ThGA server https://pastebin.com/nbcWmbQu
17:27 < zoredache> GrandPa-G: I am not seeing anything that is obvious to me.  Not sure what the problem could be.
17:28 < GrandPa-G> zoredache:I am trying tcp to see what happens. The client works on an internal lan server (different ovpn file) ok.
17:29 < GrandPa-G> zoredache:works on tcp, hmmmmmmmmmm
17:33 < sibok> zoredache: https://pastebin.com/4BgQ1hQ9 Can't understand how is it possible that chroot isn't finding a.sh inside /etc/openvpn
17:34 < sibok> Permissions are 755 and user and group set to openvpn
17:35 < velix> Does the OpenVPN client only work with OpenVPN-servers or also with others? Want to move from Shrew VPN client.
17:37 < zoredache> velix: the openvpn client only speaks the openvpn protocol  Which as far as I know is only implemented by openvpn.  It doesn't  speak pptp/ispec/l2tp/etc
17:37 < velix> Oh, I see :-(
17:37 < velix> Thanks for the info
17:39 < zoredache> Google seems to be telling me that shrew is an ipsec based  vpn.
17:39 < velix> yeah
17:42 < zoredache> sibok: btw, why are you trying to use chroot mode?  What are you hoping to gain from that?
17:42 < sibok> zoredache: security :)
17:44 < zoredache> Meh, chroot isn't that great for security.  Just put the openvpn server in its own VM or container or something.  You get the benefits, and a simpler setup.
17:44 < sibok> zoredache: ok, thx
17:47 -!- mode/#openvpn [+v pekster] by ChanServ
17:47 <+pekster> sibok: You need bash, and _all_ of its deps (do `ldd $(which bash)`, and recreate _all_ the structure) in order for that to work
17:48 <+pekster> chroot restricts when files can be opened; you apparently lack /bin/bash, or one of the (many!) libraries it's going to pull in. I'd strongly suggest you not use bash if you care about security
17:50  * pekster recommends writing POSIX-compliant sh, unless you really need all the trash bash brings in (do you really need a shell that can open TCP/IP socket?)
17:51 < sibok> pekster: thx, i was already going that way :)
17:51 < zoredache> You could probably build a busybox and put that in the chroot I guess.
17:51 < zoredache> Busybox tends to have all the stuff static compiled into one file.
17:51 < sibok> pekster: zoredache: gonna read about it, thx :)
17:54 < sibok> Also, i've been reading about the need of installing and configuring dnsmasq in order to mask dns requests but i don't get the point. I would be glad if you could brief it to me
17:55 <+pekster> to "mask" them? What's your need/goal with DNS?
17:55 < sibok> I think i'm mixing things, cause for me it doesn't make sense to install dnsmasq on the same machien where openvpn resides
17:57 <+pekster> All depends on what you're trying to do; server-managed dynamic client DNS could be a use-case dnsmasq is well-suited for
17:57 < zoredache> Well DNSmasq is mostly a DNS server.  But it allows you to setup zone specific forwarders a bit easier then you can with bind or other dns servers.
17:58 < sibok> pekster: yes, i found the dnmasq "thing" in an article where the server is behind dynamic ip on a domestic router/internet connection. That's not my case. I suppose in this scenario they masq dns requests from the openvpn server to the router but then they're wide open?
17:59 <+pekster> Again, I have zero clue what you mean by "masq [sic] dns"
18:00 < zoredache> DNSasq doesn't really hide anything.  It just is a DNS server.  I really don't like the name they choose.
18:00 <+pekster> dnsmasq is a combination DHCP / DNS server that supports a vast array of configuration options
18:00 <+pekster> Right
18:01 < sibok> pekster: probably all the article was talking was about installing a dns server to resolve dns queries on the vpn machine. The article is really bad and i didn't understand why they installed dnsmasq so i was curious about it and asked here
18:02 < sibok> liek you said, it is probably cuase their server didn't have a dns server liek bind
18:02 < sibok> *liek
18:02 < sibok> *like :)
18:02 < zoredache> Sad to say, but a lot of the articles  you can find about openvpn are kinda trash.  People don't do a very good job explaining the specific details of their setup.
18:03 < sibok> You're right, i've been reading for some weeks and i'm really happy iwth my setup
18:04 < sibok> Now i'm i'm just dealing with the firewall, just makign sure everything is set up correctly and trying to resolve some ipv6 issues
18:32 < rob0> "masq" in the name "dnsmasq" comes from "IP masquerading", that is, source NAT for RFC 1918 (SOHO) networks.
18:32 < rob0> That is, it provides DNS for masqueraded networks, and has nothing at all to do with "hiding" anything.
18:34 <+pekster> Well, it works just fine with public space too :P
18:34 < rob0> sure, I suppose it would
18:34 < rob0> but it was designed with the SOHO in mind
20:16 < HankMoody> @ecrist: Okay, I don't think I'll be able to get this working via TUN. I'm going to give TAP a shot here (I still have my configs from when I created a TAP VPN - I just couldn't implement it on my Droid as I as able to find references to TAP working on a rooted Droid, but I couldn't figure out how it did it.. Now I have. Hopefully it'll all get knocked out like a Bill Cosby victim. If it doesn't, I may be coming to you with a few questions,
20:16 < HankMoody> would that be alright?
20:20 < rob0> this channel exists for questions about openvpn
20:26 < HankMoody>  Yes rob0, I'm aware, but from the OpenVPN as well as articles I've read, and warnings like I've gotten from ecrist about, "Here be dragons", my problems will BE about OpenVPN. If I have problems with the Droid section of it, I'll ask in the appropriate channel.
22:00 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:10 -!- mode/#openvpn [+o syzzer] by ChanServ
22:25 -!- abenz_ is now known as abenz
23:06 -!- Netsplit *.net <-> *.split quits: @syzzer, @vpnHelper, @dazo, +hyper_ch, +pekster
23:11 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
23:11 -!- ServerMode/#openvpn [+o dazo] by moon.freenode.net
23:14 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
23:14 -!- ServerMode/#openvpn [+o vpnHelper] by moon.freenode.net
23:14 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
23:14 -!- ServerMode/#openvpn [+o syzzer] by moon.freenode.net
23:39 -!- pekster [~rewt@openvpn/community/developer/pekster] has joined #openvpn
23:39 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
23:39 -!- ServerMode/#openvpn [+v hyper_ch] by moon.freenode.net
--- Day changed Sat Dec 09 2017
00:37 -!- abenz__ is now known as abenz
06:20 < GrandPa-G> My client is succesfully connecting via tcp but not udp. It gets TLS Error: TLS key negotiation failed to occur within 60 seconds. I see syslog entries so I (think) know udp is not blocked. I tried smaller mtu values. Where to go from here?
06:32 < GrandPa-G> If found my problem. I have 2 ethernet interfaces. Leaving the default in the server.conf confused the binding. I added local <ip> and it now works on udp.
07:01 < SirNeo_> i have a quick question if you can help me i will apreciate. I have 2 clients connected into vpn server. Both go out on internet with vpn server ip. but if i ping from client 1 to client 2 ip vpn ip adrresses i got timeout
07:03 < GrandPa-G> are you trying to do client to client ping?
07:03 < SirNeo_> yes
07:03 < GrandPa-G> do you have your sever config setup for client-to-client?
07:04 < SirNeo_> someone else configured my vpn, any hint (website or so) where to read how to configure it?
07:05 < GrandPa-G> google?
07:55 <@ordex> SirNeo_: client-to-client is a server option. you can read about that in the manpage
07:55 <@ordex> that would be the first step
08:07 < rob0> !man
08:07 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
09:40 < LFSveteran> trying to cross compile openvpn , however the linker keeps looking in the system lib dir for liblzo2.so even when I told configure where to look for the cross-compiled libs
09:41 < LFSveteran> https://pastebin.com/yMrZT4SB
10:53 < zy]x[yz> is it possible to configure openvpn in such a way that traffic between two clients' vpn addresses aren't routed through the server?
10:53 < |Mike|> and how would you achieve that? ;-)
10:55 < zy]x[yz> can't both clients be autheticated with the server, but then an encrypted channel directly between the two clients (on publicly-accessible interfaces) is opened
10:57 < zy]x[yz> maybe I should instead explain my use-case.  it might be that openvpn is not the right choice here, or that I need to reconsider my plan
10:57 < |Mike|> you can def. create a tunnel inbetween. But why would you use a tunnel in a tunnel?
10:58 < zy]x[yz> I have a grid of servers with some distributed service running on them.  one of these servers is also the openvpn server.  I'm using openvpn to control access to my distributed service
10:59 < zy]x[yz> my problem is that once access is granted, it's suboptimal to route all traffic through one server
11:00 < zy]x[yz> so to be clear, clients of this service are user workstations or laptops.  the servers don't necessarily need to talk to eachother, I just want the service's clients to be able to authenticate and then access the distributed resources
11:03 < rob0> openvpn does not have "mesh"
11:04 < rob0> I did a 7-point mesh with 6 p2p openvpn instances running on each endpoint.
11:04 < |Mike|> unfortunatly :x
11:06 < LFSveteran> https://pastebin.com/MsHPtp3f
11:09 < zy]x[yz> hmm, I was afraid of that.  I need to think about how to proceed, then: either live with it as is, or find a better way to do this.  thanks
11:12 < |Mike|> or setup a mesh net ;-)
11:17 < rob0> 7-point mesh wasn't as difficult as it might sound.  I scripted the generation & distribution of keys & config files.
11:17 < rob0> how many nodes do you need to connect?
11:19 < rob0> note that route/iroute settings avoid the need to connect multiple nodes from the same site.  My mesh was site-to-site, so hosts behind the endpoints could reach other LAN hosts behind other endpoints.
11:20 < zy]x[yz> I really don't need a mesh, and a brief look at the documentation indicates p2p isn't compatible with windows, which unfortunately some of my users run
11:20 < applejack> openvpn on android, is there a way to make android apps treat the tunnel as if it was wifi? i'd like to access my DLNA library when i'm out as if I was connected to my home wifi, but it seems all the DLNA client apps expect a wifi connection
11:20 < rob0> It was pretty slick, if I say so myself. :)  But not long after, they fired the guy who contracted me, and I suspect they tore my mesh network down. :(
11:22 < rob0> applejack, your question would be better suited to a place like #android
11:24 < applejack> rob0: ty
11:25 < rob0> zy]x[yz, where did you see Windows hosts can't do p2p?
11:27 < zy]x[yz> rob0, https://community.openvpn.net/openvpn/wiki/Topology
11:27 <@vpnHelper> Title: Topology – OpenVPN Community (at community.openvpn.net)
11:36 < rob0> zy]x[yz, no, that is talking about --topology in server/client mode.  I am talking about --mode p2p, which AFAIK should work fine on Windows just as it did in openvpn 1.x days.
11:36 < rob0> p2p is the default --mode
11:37 < zy]x[yz> oh!
12:06 < sibok> Hi, would someone be so kind to take a look at this issue? https://goo.gl/DxfdkD I've goot a fully working OpenVPN server but when i try to load ip6table rules for ipv6, ipv6 stops working. If i flush those rules then it works again. Th in advanced :)
12:06 <@vpnHelper> Title: linux - OpenVPN ipv6 working fine until i load ip6table rules - Server Fault (at goo.gl)
12:49 < l__q> can help me somebody? https://serverfault.com/questions/887266/how-to-allow-communications-with-client-to-client-on-openvpn-server
12:49 <@vpnHelper> Title: debian - How to allow communications with client to client on OpenVPN Server? - Server Fault (at serverfault.com)
12:55 < |Mike|> l__q: got client-to-client on?
12:56 < |Mike|> n/m
12:56 < |Mike|> read the last comment o/
12:56 < GrandPa-G> how are you pinging? by ip or name? if ip, what one? if name where does the name come from?
13:09 < l__q> |Mike|: i have client-to-client in my config
13:10 < l__q> GrandPa-G: client1 cannot ping client2 by ip, client1 ping 192.168.1.10 client2
13:12 < l__q> already 3 days I work on this, clients connect without problems with server, the only problem is that they cannot communicate.
13:18 < |Mike|> l__q: and where does it go wrong?
13:21 < GrandPa-G> aren't your clients on new network 192.168.255.0? can they ping their new vpn ip address?
13:22 < GrandPa-G> is 192.168.1.10 really the ip of client2?
13:23 < l__q> each client can ping his address ip, each client is in the new network 192.168.255.0
13:23 < l__q> yes, each client receives their own address ip 192.168.255.XXX
13:24 < |Mike|> can you ping the openvpn server?
13:25 < |Mike|> via the openvpn subnet obviously ^^
13:25 < l__q> wants only that each connected client can ping other clients in the vpn network
13:26 < GrandPa-G> are you sure they are really completely connected? Can the server ping any clien on the subnet?
13:26 < l__q> from the vpn network, the client can ping the server's external ip
13:26 < GrandPa-G> you need to ping internal openvpn ip of server for test
13:27 < |Mike|> but not the vpn server his ip?
13:28 < GrandPa-G> have you looked at client log with verb >3?
13:28 < |Mike|> or 5..
13:28 < l__q> client can ping 192.168.255.1
13:29 < l__q> but another client cannot
13:29 < |Mike|> so the client can ping the openvpn server, correct?
13:29 < l__q> yes
13:29 < GrandPa-G> can  you start openvpn on client in window and see what is happening?
13:29 < |Mike|> does the client have a firewall?
13:30 < GrandPa-G> fyi my client-to-client works like you want so I know it will work.
13:31 < l__q> client connection: http://paste.itunix.eu/view/raw/3c0db5d9
13:33 < l__q> hmm, maybe not "route 192.168.255.0 255.255.255.0" but "route 192.168.255.255 255.255.255.255"?
13:33 < l__q> in server config
13:34 < |Mike|> the .0 is correct.
13:34 < l__q> okay
13:35 < l__q> I do not know any more
13:35 < l__q> this is openvpn on docker
13:36 < l__q> is this a problem maybe? https://github.com/kylemanna/docker-openvpn/blob/master/bin/ovpn_run#L42
13:36 <@vpnHelper> Title: docker-openvpn/ovpn_run at master · kylemanna/docker-openvpn · GitHub (at github.com)
13:41 < |Mike|> do you need NAT?
13:43 < |Mike|> at Dec  9 20:27:38 2017 ERROR: Linux route add command failed: external program exited with error status: 2
14:07 < GrandPa-G> |Mike|:I always get that error and mine works.
14:40 < l__q> okay, this is windows problem, firewall
14:45 < rob0> score another one for /topic
14:46 < |Mike|> rob0: ;-)
14:48 < GrandPa-G> whew!
15:26 -!- |Mike| [~mike@178.255.49.239] has quit [Ping timeout: 240 seconds]
15:39 -!- |Mike| [~mike@178.255.49.239] has joined #openvpn
16:01 -!- |Mike| [~mike@178.255.49.239] has quit [Ping timeout: 255 seconds]
16:05 -!- |Mike| [~mike@178.255.49.239] has joined #openvpn
16:18 < dxtr> Why do I get `TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.' even though I haven't set a tls-cipher? --show-tls shows the same for both ends
16:18 < dxtr> Both ends are running openbsd 6.2
16:52 < l__q> GrandPa-G: thanks for help! :) https://sebastian.korotkiewicz.eu/minilog/posts/2017/12/09/allow-on-windows-firewall-to-communication-client-to-client-with-openvpn.html
16:52 <@vpnHelper> Title: Allow on Windows Firewall to communication client-to-client with OpenVPN (at sebastian.korotkiewicz.eu)
17:26 -!- Dougy [~dougy@openvpn/community/support/Dougy] has joined #openvpn
17:34 -!- abenz_ is now known as abenz
22:00 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:10 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Sun Dec 10 2017
00:12 -!- abenz__ is now known as abenz
01:46 -!- abenz__ is now known as abenz
14:07 -!- vectr0n_ is now known as vectr0n
15:58 -!- cthuluh_ is now known as cthuluh
15:59 -!- def_jam is now known as eblip
16:34 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has left #openvpn ["Konversation terminated!"]
16:35 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
16:35 -!- mode/#openvpn [+v hyper_ch] by ChanServ
19:16 < Pilfers> found a bug
19:16 < Pilfers> when running openvpn config the config doesn't look for files in its immediate directory
19:16 < Pilfers> at least for auth it requires absolute path
19:17 < Pilfers> when running from the directory with the config file though it doesnt
19:17 < Pilfers> so lets say your config is openvpn.ovpn
19:17 < Pilfers> and you run openvpn openvpn.ovpn
19:17 < Pilfers> it pulls the auth from the same directory
19:17 < Pilfers> if you are in / and run openvpn /path/to/openvpn.ovpn  the auth file fails
19:17 < Pilfers> without absolute
20:26 < rob0> see --cd in the manual
20:27 < rob0> I don't think you have a bug, just a misunderstanding.
--- Day changed Mon Dec 11 2017
00:57 < tezogmix> Does an i5 intel 2.6Ghz processor and 8gb ram limit OpenVPN from reaching speeds over 100-120 Mbps? I have a 150 + Mbps connection without. I also have a asus rtn-66u router but tested with and without the router in between but can't reach anything above this. Tried lowering my MTU to 1460 as well. Modem is a docsis 3.1 sb8200 arris, all stock firmware on windows 7 - 64bit.
00:58 < tezogmix>  My main laptop adapter = Intel 82579LM Gigabit Network Connection 10/100/1000 network interface card (NIC)
01:00 < tezogmix> encryption is = aes 128 / sha1 / rsa 2048 , UDP... tried TCP 443 and different UDP ports but that didn't change. I got about a 10 Mbps boost when lowering the MTU to 1460 (from 1492) on both the NIC and tap adapter but no improved speeds below 1400
01:01 < tezogmix> just trying to find what the bottleneck issue might be... I disabled QOS on the NIC and the router has QOS disabled as well, but no improvement changes from that.
01:04 < tezogmix> the asus router = Broadcom BCM4706 (600 MHz) single CPU. 32mb flash ram, 256mb general ram
01:05 < tezogmix> with cat6 cables.
01:23 < nacelle> try looking at your i5's single core openssl scores
01:23 < nacelle> (openssl --speedtest, etc.)
01:24 < nacelle> try using a 1024 bit key as a test or even a 512bit to see if its cpu bound too
01:24 < nacelle> but dont use those for real traffic
01:24 < nacelle> ewww
01:47 -!- abenz_ is now known as abenz
01:55 < adrian_1908> I'm new to OpenVPN. My disto package has create the dirs /etc/openvpn/{client,server}. Should I place the files of my VPN service (I want to connect as a client) in the "client" dir, or is that for something else?
01:56 < adrian_1908> I'm asking because most guides seem to point to the /etc/openvpn dir, not a subdirectory thereof.
01:59 < adrian_1908> !welcome
01:59 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
01:59 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
01:59 <@vpnHelper> you
02:06 < nacelle> oh you
02:35 < temuccio> hello all
03:40 < tezogmix> hi nacelle , thanks for that info... I just downloaded openssl for windows
03:45 < tezogmix> what's the command to run and how is this interpreted? i have a openssl-win64\bin path that has the openssl.exe file
03:52 < nacelle> openssl --speedtest
03:52 < nacelle> it should have been installed with openvpn, no?
03:53  * nacelle should bother to look at a windows box
04:53 < Phrk_> Hello, got this with Easyrsa  sign-req server myserverfile : unknown cert type 'server'
04:53 < Phrk_> ?
05:19 < adrian_1908> Excuse my ignorace, buthHow does the "tun" device get selected (as opposed to eth0) when I send a query over the network?
05:19 < adrian_1908> *but how does
05:21 -!- Kryczek_ is now known as Kryczek
05:25 <@ordex> adrian_1908: that's normally about routing. this question is related to linux networking in general, not openvpn. openvpn by itself does not really affect that behaviour
05:26 < adrian_1908> ordex: ok, i see.
05:38 < temuccio> hello all, I have one question
05:38 < temuccio> I have a vpn server and a vpn client
05:38 < temuccio> the connection works fine
05:38 < temuccio> but client receive ip address at every connection
05:39 < temuccio> it is possible to assign a hostname for identify a client on vpn network?
06:04 < temuccio> do you have this problem and a solution?
06:06 <@ordex> temuccio: to resolve hostnames you need a DNS - do you have one to dinamically configure with the IP of your client?
06:06 <@ordex> an alternative is to assign a static IP to the client, so it's easy to remember that
06:44 < temuccio> ordex, on the server I don't have a dns....I use public dns
06:45 < temuccio> good, how I can assign a static ip to the client when this is connect to server vpn?
06:46 <@ordex> !ccd
06:46 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name, or (#2) the ccd file is parsed each time the client connects.
06:46 < temuccio> in this case I can push an /etc/hostname to every client connected
06:48 < tezogmix> hey nacelle (yeah sorry, was using only the tap component of openvpn), I ran the openssl command and "speed" >>> Doing sha256 for 3s on 1024 size blocks: 759818 sha256's in 3.00s / seems to be ~3.00 seconds on all the cycled lists - was there a particular field to check?
06:52 < tezogmix> nacelle, openssl speed is still running (currently going through all the different aes's) and going through each listing from 16-64-256-1024-8192-16384 is showing 3.00s-3.01s
06:53 < Kryczek> tezogmix: 3s is just the duration of each test ;)
06:53 < Kryczek> what's important is how many bytes it managed to encrypt during that time
06:54 < tezogmix> Hi Kryczek - ok, now it's showing this:
06:54 < tezogmix> Doing 1024 bit private rsa's for 10s: 52212 1024 bit private RSA's in 10.02s
06:54 < tezogmix> Doing 1024 bit public rsa's for 10s: 807785 1024 bit public RSA's in 10.02s
06:55 < Kryczek> tezogmix: what are you trying to achieve?
06:56 < tezogmix> just trying to troubleshoot why windows is not allowing VPN speeds over 100 - 120 Mbits on a ISP connection of 150 Mbits. I just upgraded my ISP (double from before and the OpenVPN tap was able to get close to 100 Mbits).
06:56 < tezogmix> with disconnected, I can reach around 150-170 Mbps... sorry Mbps is what I meant above ^^
06:57 < Kryczek> tezogmix: you have to account for the overhead of the VPN layer
06:57 < tezogmix> so there's some discussion that it's possibly windows limiting this somehow... tested with and without router.
06:58 < tezogmix> and then read that CPU's could be a bottleneck, I'm on an i5 8gb ram windows 7, nic is gigabit...
06:58 < Kryczek> it could be indeed as OpenVPN (afaik) is still single-threaded
06:58 < tezogmix> So the other suggestion Kryczek was to test ubuntu on a live usb
06:59 < tezogmix> and see if that showed anything different
06:59 < Kryczek> good idea
06:59 < Kryczek> tezogmix: do you have control on both ends of the VPN ?
06:59 < tezogmix> oh I mean, I have control on my end... it's a service (PIA)
06:59 < Kryczek> ah
06:59 < Kryczek> do they also support IPsec?
06:59 < tezogmix> but using the openvpn TAP's
07:00 < Kryczek> tap? not tun?
07:00 < tezogmix> I'm not sure on that Kryczek - I'm using their defaults as I've been all these years... The TAP NDI5 adapter from the official openvpn page.
07:00 < Kryczek> I don't use Windows :P
07:01 < tezogmix> encryption is aes-128, 2048 and on udp... thought it was an isp throttle but changing to tcp-443 didn't do anything better
07:01 < |Mike|> i rest in my case
07:01 < Kryczek> maybe TAP is just the name of the driver... you use "tun" in the OpenVPN config, right?
07:01 < |Mike|> windows makes it TAP-XXXX yes
07:01 < tezogmix> Oh ok Kryczek
07:02 < Kryczek> yeah UDP is better for performance than TCP
07:02 < dstensnes> maybe you could try with some really simple ciphers too, just to see if that changes anything
07:02 < dstensnes> speedwise i mean
07:03 < Kryczek> tezogmix: somehow check if you have AES acceleration? In Linux you could see if the aesni_intel module is loaded but I don't know how to check AES-NI on Windows
07:03 < Kryczek> I mean if you have it enabled
07:03 < Kryczek> Intel CPUs all have it for ages now
07:03 <@ordex> tezogmix: are you sure the server can do more than 120Mbps for you ?
07:04 < tezogmix> ordex, yes the server can definitely handle it for the linux folks
07:04 < tezogmix> because they're getting 200-400+
07:04 <@ordex> oh ok
07:04 < Kryczek> #FirstWorldProblems though ;P
07:04 < tezogmix> :)
07:05 < Kryczek> tezogmix: a Linux live CD/USB should be a quick test
07:05 < tezogmix> yeah I'm not complaining 120 Mbps is pretty fast... I was testing some actual debian dvd iso's with vpn on/off - off speed = 22-24MB/s, with VPN on = 15-15MB/s. Before the speed upgrade, I was getting ~10MB/s both on VPN and off VPN.
07:05 < tezogmix> so figured I would get something close to that on the ISP speed upgrade
07:06 < tezogmix> yes definitely going to try that Kryczek -
07:06 < tezogmix> the modem is a docsis 3.1 sb8200 arris
07:06 < tezogmix> and router is an asus rtn66u broadcomm 600mhz
07:06 < Kryczek> tezogmix: make sure that your CPU has AES acceleration with `grep --color aes /proc/cpuinfo` and that support for it is loaded with `lsmod | grep aes` (should show aesni_intel among others)
07:07 < tezogmix> can that be checked on windows or was that in preparation for the ubuntu live usb Kryczek ?
07:07 < Kryczek> ubuntu
07:07 < tezogmix> Oh ok Kryczek -
07:07 < Kryczek> I guess it could be checked on Windows, I just don't know how
07:08 < tezogmix> yeah this is all a new path of exploration and curiosity for me Kryczek
07:08 < tezogmix> ok that openssl speed test is complete now
07:09 < tezogmix> not sure if there's any interesting value to share
07:09 < Kryczek> tezogmix: if single-thread performance is the issue, try IPsec (it looks like PIA supports it) with a cipher mode that allows for parallel processing, like CTR or GCM
07:10 < tezogmix> i'll check it out Kryczek - can't change anything while connected now
07:10 < tezogmix> taking notes to refer to however and thanks for the extra input Kryczek
07:11 < Kryczek> tezogmix: what does the summary line say for aes-128-cbc ?
07:12 < Kryczek> I get aes-128 cbc     181318.89k   200656.87k   205551.36k   207452.50k   208131.41k
07:12 < tezogmix> aes-128 cbc      97632.94k   107326.96k   108912.13k   109742.25k   110132.01k   109704.84k
07:12 < tezogmix> is mine Kryczek - what's your take?
07:13 < Kryczek> and with the CPU acceleration of AES tested with `openssl speed -evp aes-128-cbc`
07:13 < Kryczek> I get aes-128-cbc    1485553.50k  1631673.47k  1697776.81k  1710827.52k  1714771.29k
07:13 < tezogmix> let me try that line
07:14 < tezogmix> aes-128-cbc     429655.63k   574686.81k   624986.05k   638572.55k   644205.74k   641914.78k
07:14 < Kryczek> the "1024 bytes" column (the one before last) is the closest to what you would get with packets capped at 1500 bytes MTU
07:15 < Kryczek> looks like your CPU is perfectly capable of encrypting/decrypting faster than 150Mbps even :)
07:15 < tezogmix> The NIC and Tap adapter MTU is 1462
07:16 < tezogmix> it was 1492 but I lowered it and got another 10 Mbps
07:16 < Kryczek> 644205.74k is ~600 megaBYTES per second, so like 4+ Gbps
07:16 < tezogmix> but any lower didn't improve. Ok nice to know Kryczek - thanks for checking.
07:16 < tezogmix> so something in windows causing the limitation
07:17 < tezogmix> this is obviously without any other parallel network activities
07:17 < Kryczek> time to see how much better Linux is ;P
07:17 < tezogmix> it'll be interesting once i try the linux live... yes the story of my life Kryczek :P
07:18 < tezogmix> one day...
07:22 < tezogmix> Thanks again for that extra feedback Kryczek , really helps!
07:22 < Kryczek> you're welcome :)
07:22 < tezogmix> if by chance you're around later and I'm on, I'll let you know what happens once I try that live ubuntu
07:23 < Kryczek> I look forward to it
07:23 < Kryczek> I'm not always in front of the keyboard of course but my client is here 24/7 so you can leave a message
07:23 < tezogmix> ok great Kryczek
08:34 -!- abenz_ is now known as abenz
08:42 -!- testra is now known as tester
08:50 -!- tester is now known as testo
08:51 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 252 seconds]
08:55 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
08:55 -!- mode/#openvpn [+o plaisthos] by ChanServ
11:46 < GrandPa-G> if I am creating multiple clients with the same basic configuration, do I need to do the vars command before the ./build-key <foo> for each client?
11:47 <@ecrist> no
11:47 <@ecrist> only once.
11:47 <@ecrist> All . vars does is populate your environment with some variables
11:47 <@ecrist> they don't go away unless you unset them, or open a fresh shell
11:49 < rob0> once per session in easy-rsa
11:50 -!- abenz__ is now known as abenz
11:54 < GrandPa-G> I am trying to do this through a website script so permissions might be an issue. The key files don't get created, but the ovpn does. when I do the build-key I get a paragraph starting Please edit the vars script ....
11:54 < GrandPa-G> Permissions should be good since owner of all directories is the same as user running php scripts. Ideas where to look?
11:55 < GrandPa-G> I had to move the client-configs and openvpn-ca to another place, but I know I am in that directory when running build-key
12:00 <@ecrist> GrandPa-G: this is more a scripting question and less about openvpn.
12:00 <@ecrist> You might have better luck (and quicker response) in a scripting related channel
12:08 < GrandPa-G> how about help with easy-rsa/pkitool? since this is in a script, does it ask questions with the --interact option?
12:09 <@ecrist> yes, as the name would imply
12:12 < GrandPa-G> is there a way to not ask and just use vars file info or is there something specific I need to answer. I obviously can try this at command line, I claim laziness.
12:15 < GrandPa-G> ok, I did it for myself. I just have to figure out how to not have it ask.
12:16 <+hyper_ch> dazo: ecrist: krzee: ordex:  https://xkcd.com/1927/
12:16 <@vpnHelper> Title: xkcd: Tinder (at xkcd.com)
12:27 < GrandPa-G> I think I might have it figured out. thanks
12:38 <@ecrist> GrandPa-G: I think there is a batch option
12:38 < GrandPa-G> ecrist:I saw something about that, but have found enough clear docs to verify. Thanks
12:41 < GrandPa-G> ecrist:there is a build-key-batch script
12:41 <@ecrist> what version of easy-rsa are you using?  v3 has only one script
12:42 < GrandPa-G> I did an apt-get install openvpn easy-rsa , don't really know.
12:43 < GrandPa-G> that script doesn't exist on my installation.
12:44 < DArqueBishop> If it's a distro package changes are very good it's v2.
14:03 < daemon> hey all did I get something wrong with this config for a p2p link: https://paste.ee/p/Jt53D
14:03 < daemon> have I got some firewall in the way or something
14:03 < daemon> neither seem to be able to ping one another
14:05 < daemon> infact looking at the ogs
14:05 < daemon> they never even seem to try connect
14:07 < rob0> In the one you call "client" there is no "remote" line.  So it will just sit there waiting for a connection.
14:08 < daemon> ah I named the pastes backwards
14:08 < daemon> or do both have to have remote lines
14:08 < rob0> this is not client/server so both are trying to reach the other peer
14:09 < daemon> right so both need remote lines
14:09 < rob0> --topology is not valid in p2p mode, but I doubt that would be a fatal error.
14:10 < daemon> https://community.openvpn.net/openvpn/wiki/Topology#Topologyp2p
14:10 <@vpnHelper> Title: Topology – OpenVPN Community (at community.openvpn.net)
14:11 < rob0> and note that this page talks specifically about client/server mode.
14:11 < daemon> givingboth 'port 60001' and both 'remote <Other_servers_ip> 60001'
14:11 < daemon> still neither seem to try connect to one another
14:12 < daemon> so do I need to mark one as a client and one as a server
14:12 < rob0> see --mode in the manual
14:12 < rob0> p2p is the default mode.  Client/server requires TLS.
14:12 < daemon> right I want p2p mode
14:12 < daemon> for this link
14:13 < rob0> iirc in p2p mode you should see something logged about trying to reach the --remote
14:14 < daemon> seeing nothing at all on either system
14:14 < daemon> except one of them is writing something weird back to terminal
14:14 < daemon> 'rWrWrWrWrWWWWWWW'
14:14 < rob0> that's verb 5
14:14 < daemon> yep
14:15 < daemon> I thought some more verbosity would make it cleareer
14:15 < rob0> verb 4 or 5 should help, yes
14:15 < daemon> https://paste.ee/p/LgD94
14:15 < daemon> but neither openvpn is sayinganything about connections
14:16 < daemon> they both seem to just sit there
14:19 < daemon> https://paste.ee/p/4mEeK
14:19 < daemon> is an example of one of them
14:20 < rob0> typo in the last config paste, one of the ports is 60000, others are 60001
14:21 < daemon> its always the simple things -_-
14:21 < daemon> Mon Dec 11 20:21:08 2017 us=97890 Initialization Sequence Completed
14:21 < daemon> Mon Dec 11 21:21:16 2017 us=227720 Initialization Sequence Completed
14:21 < daemon> cheers rob0
14:21 < rob0> pingage?
14:22 < daemon> 64 bytes from 172.19.17.2: icmp_seq=0 ttl=64 time=18.000 ms
14:22 < daemon> yep :)
14:22 < rob0> great, yw
14:23 < rob0> p2p mode is very easy and nice for some things, but the paranoid would want to know about the lack of forward security.
14:23 < rob0> An attacker knowing your key could store the and replay the entire history of your VPN.
14:24 < pekster> (or could store your traffic in hopes of obtaining the key later, to the same effect)
14:26 < rob0> On the plus side, this wouldn't be a practical attack for any attacker who's not operating at state level.  And the openvpn data looks entirely random, when examined.
15:48 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
15:49 -!- XJR-9_ is now known as XJR-9
15:50 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
15:50 -!- mode/#openvpn [+o vpnHelper] by ChanServ
15:51 -!- CptLuxx_ is now known as CptLuxx
15:55 -!- hyper__ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
15:55 -!- mode/#openvpn [+v hyper__ch] by ChanServ
15:55 -!- rob0__ is now known as rob0
15:56 -!- Netsplit *.net <-> *.split quits: +hyper_ch
15:56 -!- hyper__ch is now known as hyper_ch
15:57 -!- K1rk_ is now known as K1rk
15:58 -!- specing_ is now known as specing
16:12 < davidebeatrici> Hi, is there a way to put in the log all of the options sent by the server?
16:13 < rob0> verb 4 IIRC.  Anyway that is a good level for most debugging.
16:14 < rob0> verb 5 adds R for packets received, W for packets sent
16:15 -!- badpixel_ is now known as badpixel
16:17 < davidebeatrici> rob0: Perfect, thank you very much
19:43 -!- CheckYourSix__ is now known as CheckYourSix
20:00 < mines5> Hello, I know its not strictly OpenVPN but in the case of pivpn does anyone know what I can do to fix the TLS handshake issue?
20:10 < rob0> Depends what's causing it.  Did you check with the provider's help desk?
20:21 < mines5> Not as of yet
20:22 < mines5> but everything appears fine
20:22 < mines5> I've tried it both internally and externally
20:29 < mines5> its sorta working now
20:29 < mines5> not sure how
21:11 < mines5> it is working
21:11 < mines5> although there seems to be a problem with just my windows client now
21:12 < mines5> but thats not as big of an issue
--- Day changed Tue Dec 12 2017
00:54 < tezogmix> Hi Kryczek - 150/20Mbps+ on ubuntu live usb speed testing! Installed uget to check multithread 8-part download with debian & android google images = 150down/~20Mbps up (much higher ~22-24MB/s). ISP advertised 150/20. This is via the rtn-66 asus router, intel gigabit NIC, i5-8gb 2.66Ghz laptop static-IP, same existing cable-modem setup on docsis 3.1 aes128-sha1-2048
00:55 < tezogmix> So this 100% verifies that a) not ISP VPN throttling b) windows 7-64bit and/or the Open VPN TAP adapter with PIA client (NDI5-NDI6 from Openvpn) is the limiting factor in not being able to reach over 100-120Mbps @ 1460 MTU / SHA1-128aes-2048 encryption. Where do we go from here is now the big question (other than not using windows :P)?
01:05 < tezogmix> I'm all out of options currently to troubleshoot the above in windows so open to hearing some other things to check on the system.
01:06 < tezogmix> We also did the windows openssl testing and ruled out the CPU, removed the router... all the above is hardwired
01:07 < tezogmix> tried both the windows NDI5 + NDI6 installers from the openvpn downloads page as well.
01:08 < tezogmix> From what PIA said, this scenario is also reproducible in windows 10, so not just a windows 7 issue
01:08 < tezogmix> and they're trying to figure it out as well since they were the ones suggestion to test the live ubuntu usb to see if there were any differences.
01:09 < tezogmix> suggesting*
01:24 -!- nbastin_ is now known as nbastin
01:28 <+hyper_ch> krzee: https://0.me.uk/ev-phishing/
01:28 <@vpnHelper> Title: First part of phishing with EV (at 0.me.uk)
02:04 <+hyper_ch> I wonder, could Let's Encrypt be abused to generate certs to use iwth openvpn?
02:04 <+hyper_ch> probably not
05:02 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 255 seconds]
05:51 -!- abenz__ is now known as abenz
06:21 < Kryczek> tezogmix: wow! Glad it worked out :)
06:27 < Kryczek> hyper_ch: sure you can :) You can use the LE client to get a cert for your FQDN, then you can use it for whatever; the trickier part will be getting OpenVPN to accept it if there is a constraint on the cert purpose
06:28 -!- Ripmind is now known as Styler2go
06:28 < Kryczek> hyper_ch: I looked into it for gettings certs for a SMTP service for example; personally I prefer to not have to worry about a 3rd party for my VPN both my clients and servers already know my CA
06:29 < Kryczek> since both*
07:17 <@ordex> hyper_ch: why would you want that? then any other certificate created by letsencrypt would be a valid client for your vpn ?
07:32 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
07:32 -!- mode/#openvpn [+o plaisthos] by ChanServ
07:38 <@ecrist> using LE for OpenVPN is a bad idea.
08:41 < tezogmix> Hi Kryczek - thanks for checking in, yes it was a good comparison test (ubuntu live usb) vs windows and vpn capped on windows but not ubuntu
08:42 < tezogmix> Now the troubleshooting part on why this is happening on windows Kryczek is the next step but no idea on how to go about figuring out where to continue the windows troubleshooting
08:58 < sunrunner20> any reported issues with openvpn and iphone8/ios11.2?
09:00 < sunrunner20> not sure how to get openvpn version from pfsense
09:00 < sunrunner20> but it was working on my phone till I upgraded to ios11, then I could only connect to non 2fa tunnels
09:00 < sunrunner20> now on the 8 I can't do any tunnels
09:01 < sunrunner20> reset network settings, uninstalled and reinstalled the app and the profiles
09:02 < sunrunner20> I would say i'm missing the cert but its embedded in the profile
09:06 <@ordex> sunrunner20: problems with the more stringent Apple's API
09:06 <@ordex> a new release of OpenVPN Connect is in the works and should land on AppStore soon
09:06 < sunrunner20> k
09:06 < sunrunner20> will adding the self signed CA to the phone solve it in the meanwhile?
09:07 < sunrunner20> also, where's the donate button?
09:07 <@ordex> not sure. I haven't tested how to workaround that. but you can give it a try
09:07 <@ordex> it may work
09:07 <@ordex> I don't think there is any "Donate" button for that app
09:07 < sunrunner20> openvpn in general
09:07 <@ordex> but you can feel free to donate to the openvpn community
09:08 <@ordex> I don't think we have any .. normally we handle donations adhoc
09:08 < sunrunner20> I assume they share developers
09:08 <@ordex> maybe ecrist or dazo can help here
09:08 < sunrunner20> even if they don't its a worthy cause
09:08 < mines5> Do any of you happen to know how to troubleshoot the TAP adapters for windows?
09:08 < sunrunner20> and you should put up a donate button
09:08 < mines5> because I finally solved the TLS issue with a workaround
09:09 < sunrunner20> I've had a TUN issue for 2 years :(
09:09 < sunrunner20> need to revisit that
09:09 < sunrunner20> put a bounty on its resolution if its allowed
09:10 < mines5> oh?
09:16 <@ecrist> what did I do?
09:24 < sunrunner20> mines5, yea I cdan connect and talk to the local network, but anything that goes THROUGH the gateway dies
09:24 < sunrunner20> I can talk to the gateway
09:24 < sunrunner20> and TUN is the Layer 2 VPN, correct?
09:29 < rob0> tun is layer 3, tap is layer 2
09:30 -!- Styler2go is now known as IsntFunny
09:41 <@ecrist> !donate
09:41 <@vpnHelper> "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel., or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc., or (#3) http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations for Contribution totals and benefactors
09:44 <@ecrist> We don't have a plan of any sort for the money we get at this point. In the past it was used to pay for some hosting, and some software licenses we were going to use (vBulletin).
09:45 <@ecrist> We're not really soliciting donations at this point in time.
09:45 < mines5> at the same time I'm sure none of you would stop people from donating though
09:45 < sunrunner20> got it backwards as ususal then rob0  >_<
09:46 <@ecrist> mines5: no, we won't, but it's kind of a hassle for me to track the money and "do" something with it
09:46 < sunrunner20> will you guys sill be around in about 10-11 hours?
09:47 < sunrunner20> you sound like you could help me track down the issue
09:47 < sunrunner20> if so big donation
09:47 < sunrunner20> enough you could prob just buy everybody involved majorly a 6 pack
09:47 < sunrunner20> not a super fancy one
09:53 < sunrunner20> or just use it to pay for next years Apple Developer's fee
10:08 < rob0> This channel is always open, 24x7x365.  The people who are actively looking at it will vary throughout the day/week et c.
10:09 < sunrunner20> aye
10:09 < sunrunner20> was hoping these people i've been talking to would be around though
10:13 < raffo> !welcome
10:13 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
10:13 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
10:39 < sunrunner20> raffo, I'm familar with how IRC works. but i've asked repeatedly in here and #pfsense on this topic and nobody had any idea. mines5 and ecrist sound like they'd actually be able to help but I can't take the time away from work until later tonight
10:41 < mines5> sunrunner20, what is the question?
10:41 < mines5> raffo, please elaborate and I'll do what I can to answer it
10:42 < mines5> I'm still a junior from an IT standpoint but I've absorbed quite a bit in my few years in and out of college
10:43 < sunrunner20> mines5, debugging why I can't access the WAN side of things on a TAP tunnel
10:43 < sunrunner20> yes it needs to be TAP
10:45 < mines5> have you run anything like tracert to see where it ends?
10:45 -!- extremist is now known as NonSecwitter
10:45 < mines5> NonSecwitter, hello :D
10:46 < NonSecwitter> hey
10:46 < mines5> wasn't expecting to see you in here
10:46 < NonSecwitter> you've been quiet int he windows world
10:46 < NonSecwitter> yea, I hang out in about 20 rooms, although only frequent a handful
10:46 < mines5> Yeah, I've been busy with life and haven't really needed much in the way of windows help as of late
10:47 < mines5> the job I sysadmin'd in has long since ended as of last year
10:47 < mines5> been stuck dead-ending in a contract one at the current moment
10:47 < sunrunner20> mines5, dies at the gateway
10:48 < sunrunner20> which is a pfsense box
10:48 < NonSecwitter> hm. mines5 what are you in?
10:48 < mines5> job wise or something else?
10:48 < sunrunner20> i've tried turning pf off entirely thinking maybe it was a firewall rule
10:48 < NonSecwitter> geo
10:48 < sunrunner20> but it still happens
10:48 < NonSecwitter> should have said area*
10:48 < mines5> I live in New England
10:48 < mines5> I live in MA but tend to work in RI
10:48 < NonSecwitter> ah. i don'tknow of anything out that way
10:49 < mines5> thus why you see my IP coming from Boston
10:49 < NonSecwitter> I know of three jobs in my area, neaer Chicago
10:49 < mines5> I have a cousin out there, if they could pay me well enough I might be able to squat for a bit lol
10:49 < NonSecwitter> In the city, there are tons of jobs
10:50 < NonSecwitter> I work in Aurora
10:50 < NonSecwitter> harder to come by good admin stuff
10:50 < mines5> I may land myself a job with the state of RI so heres hoping
10:51 < mines5> sorry for the delay sunrunner20, I'm looking to see if I can find anything relevant
10:51 < mines5> is the subnet coming from openvpn different from your subnet in your local network?
10:52 < mines5> I guess I should ask where the VPN endpoint is
10:53 < sunrunner20> the TAP address is on the same subnet
10:53 < sunrunner20> the point of the TAP is so broadcast packets make it to the machine
10:53 < sunrunner20> so it has to be on the same sub
10:54 < mines5> have you checked the config to see if the gateway is set?
10:54 < sunrunner20> let me triple check but I think so
10:55 < mines5> I'd check both the server and client
10:55 < NonSecwitter> sunrunner20: what is running the client on the remote end? router/firewall or workstation?
10:55 < mines5> openvpn is frustrating in this regard
10:56 < rob0> Why does it need to be tap, again?
10:56 < NonSecwitter> broadcast... but I'm wondering if relays would work better
10:56 < sunrunner20> client
10:56 < mines5> rob0, I'm not sure it does but by default the windows client installs it to create the link
10:56 < sunrunner20> NonSecwitter, relays?
10:57 < rob0> why exactly did it need to be tap?  Broadcast or multicast?  Maybe you can work around that "need" somehow?
10:58 < mines5> I'm not as well versed in openvpn as I'd like
10:58 < rob0> I know
10:58 < NonSecwitter> sunrunner20: irrelavant if you're running the openvpn client on a workstation
10:58 < mines5> but I believe there was an article stating that TAP isn't required
10:59 < mines5> and is actually unsafe to use in certain situations
10:59 < sunrunner20> https://pastebin.com/W8hanc8e
11:00 < sunrunner20> is the config for that tunnel downloaded from pfsense
11:00 < sunrunner20> gotta go now
11:00 < sunrunner20> meeting
11:00 < mines5> NonSecwitter, I have a question I'd like to pm you with about a book/suggestions that aren't relevant to this channel
11:00 < mines5> do you mind?
11:00 < NonSecwitter> sure
11:01 < rob0> sunrunner20, again, and for the last time (if you don't answer I can't help), what was the specific need for broadcast?  Perhaps there are options which use routable IP traffic only?
11:03 < rob0> mines5, yes, tap is generally a bad idea, but in a few edge cases there is no choice.
11:12 < sunrunner20> rob0, didn't see it the first time
11:13 < sunrunner20> need broadcast packets for steam in home streaming
11:13 < sunrunner20> and it'd be nice to be able to access to fileservers by name but I think I can do that with DNS
11:16 < rob0> okay, I am not familiar with steam, but maybe you could ask them for suggestions.
11:16 < sunrunner20> they won't help
11:17 < sunrunner20> steam is notorious for lack of support on their product
11:17 < sunrunner20> and gah, now I can't reach the router
11:17 < rob0> broadcast generally has nothing to do with name resolution, except in very old and obsolete Windows file sharing protocol (netbios)
11:17 < DArqueBishop> If you have nVIDIA hardware and a sufficiently powerful gaming system, you could try nVIDIA GameStream and Moonlight.
11:20 < sunrunner20> DArqueBishop, I think my machine is up to it. I'll take a look
11:21 < mines5> netbios is used quite often in the real world surprisingly
11:36 < rob0> it is?  I know it was, but I thought Win98 would have mostly died out by now.
11:37 < rob0> All I can say is, I wouldn't want to work anywhere that was still using W9x and netbios.
11:38 < sunrunner20> unless you're using AD netbios is still how host discovery is done
11:38 < sunrunner20> which I imagine is a lot of the openVPN users
11:38 < sunrunner20> is there a way to give openVPN a default DNS domain?
11:39 < sunrunner20> so I type blah into the browser and it does a dns for blah.domain.net
11:39 < sunrunner20> tried googling for an answer, only got results for how to set the dns servers
11:43 < rob0> openvpn is not a resolver.  Resolver libraries call that feature "search".
11:44 < rob0> You might be interested in dnsmasq, which handles search without the second query ... if it knows a "hostname" in its set domain, it returns the answer for "hostname".
11:45 < rob0> Normal search, such as done by glibc, first does the "hostname" query and then "hostname.search-domain" with the domain appended.
11:45 < rob0> So where do you guys work, where netbios is still in use?
11:46 < sunrunner20> I'll see if I can set no base domain for this host on pfsense when I get home
11:46 < rob0> no, we rarely see people here who think they need netbios
11:46 < sunrunner20> this wifi disconnects me every 30s or so and I have to reauth with duo
12:17 < mines5> I work for a fairly large US bank
12:17 < mines5> they still use wins thats how bad there system is
12:17 < mines5> albeit its trying to handle 140,000 computers at once
12:19 < mines5> their*
12:26 < rob0> wins, you mean WINS?  What's wrong with that?
12:26 < rob0> !wins
12:26 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
12:27 < rob0> That's what we point people to if they think they need broadcast for netbios
12:30 < raffo> sunrunner20: sorry, I didn't realize the "!welcome" would show up in the room. I don't have a question at the moment.
12:35 < sunrunner20> No problem, thought you were sideways calling me a noob
12:36 < mines5> its not that its bad, just thats its really old
12:36 < mines5> and apparently necessary for function
12:36 < sunrunner20> Are 1400 machines on one broadcast domain?!
12:36 < mines5> I don't know
12:37 < mines5> and its 140k in total
12:37 < mines5> probably slightly more
12:37 < sunrunner20> Can’t be then
12:37 < sunrunner20> The arp traffic along would measure in gigabits at that scale
12:37 < sunrunner20> *alone
12:38 < sunrunner20> And I wish I could get hired by a mortgage company
12:38 < mines5> its all on one domain, but with many individual buildings
12:38 < mines5> why is that?
12:38 < sunrunner20> It’s what I’m doing now
12:39 < mines5> then why do you want to get hired?
12:39 < sunrunner20> Had an opportunity at fannie but I guess they went with somebody else because I haven’t heard anything
12:39 < mines5> All I know is sallie mae is dead to me
13:16 <@ecrist> sunrunner20: I might be around later, in a few hours if you haven't figured itout.
14:45 -!- Netsplit *.net <-> *.split quits: +RBecker
14:45 -!- Netsplit over, joins: RBecker
14:45 -!- mode/#openvpn [+v RBecker] by ChanServ
17:57 -!- davidebeatrici__ is now known as davidebeatrici_
18:42 < Lyberta> hi, I'm trying to setup OpenVPN client on Debian Testing with systemd, how can I read OpenVPN logs?
19:21 < zoredache> Lyberta: by default I believe everything will be sent to the /var/log/syslog unless you have set something different in your openvpn or syslog config
19:48 <@ecrist> Lyberta: there is no default for logs
19:49 <@ecrist> you need to have a log directive  in your config file.
20:24 < rob0> and where your syslogd puts it depends on how your distro configured its syslogd
20:25 < Lyberta> ok, I solved my problem, thanks
20:25 < rob0> Often for testing and debugging, the best thing to do is to run your config in the foreground, without daemon
22:00 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:10 -!- mode/#openvpn [+o syzzer] by ChanServ
23:09 -!- abenz_ is now known as abenz
--- Day changed Wed Dec 13 2017
00:10 -!- mines5_ is now known as mines5
02:08 < bhenc> !vulninfo
02:08 <@vpnHelper> "vulninfo" is (#1) See these factoids for more info about specific vulnerabilities: !heartbleed !poodle !ovpnuke !sweet32 !duhk, or (#2) See here for all security announcements: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
02:08 < bhenc> !ovpnuke
02:08 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
02:11 < bhenc> !welcome
02:11 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
02:11 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
02:11 < bhenc> !1925
02:11 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
02:13 < bhenc> !man
02:13 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker, or (#4) 'man openpvn' on a Unix system with OpenVPN installed
02:14 < bhenc> !topology
02:14 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
02:23 < bhenc> !/30
02:23 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
04:21 < defsdoor> can anyone recommend a good router for running openpvn routing only ?
04:25 -!- dakar is now known as testo
04:32 < BtbN> Get the most high-clocked x86 CPU you can find
05:41 <+hyper_ch> dazo: ecrist: krzee: ordex: https://robotattack.org/
05:41 <@vpnHelper> Title: The ROBOT Attack - Return of Bleichenbacher's Oracle Threat (at robotattack.org)
06:32 <@ordex> hyper_ch: seen that - apparently FB was affected
06:54 < i0nC4nn0n> hello, i have an openvpn server running that uses public/private keys. i wanna add a new user to it with a new key, but my issue is the easy-rsa folder is gone
06:56 < i0nC4nn0n> (i still have the key and cert, the dh and the ca)
06:59 <+hyper_ch> ordex: I don't use fb
06:59 <@ordex> me neither
06:59 < BtbN> i0nC4nn0n, if you lost the CA private key, you can't do that.
06:59 < i0nC4nn0n> BtbN: i did naht
06:59 <+hyper_ch> i0nC4nn0n: time to roll out a new ca... and you might to write a script to autogenerate your configs as well :)
06:59 < BtbN> If you do, you might be able to re-construct easy-rsa manually. Or issue certs by hand with openssl
07:00 < i0nC4nn0n> i have the ca
07:00 < i0nC4nn0n> i have the server key and its certificate
07:00 < BtbN> The ca cert, or the full ca?
07:00 <+hyper_ch> sounds like ca cert only
07:00 < i0nC4nn0n> i dont know what i have ;)
07:01 < BtbN> Well, is it a private key, or a ceritifate?
07:03 < i0nC4nn0n> https://wiki.openwrt.org/doc/howto/vpn.openvpn#create_the_certificates
07:03 < i0nC4nn0n> i followed that tutorial
07:04 < i0nC4nn0n> whatever build-ca, buiild-dh and build-key-server commands do
07:04 < i0nC4nn0n> i have them ;)
07:04 < BtbN> If it's only the thing you ship with client vpn config files, that's not enough
07:06 < i0nC4nn0n> so i need 2 keys?
07:06 < i0nC4nn0n> the CA key and the server key?
07:06 < i0nC4nn0n> (im really new to this, if u cant tell)
07:07 < BtbN> well, if the server is still working, you must still have it
07:08 < i0nC4nn0n> in the file /etc/openvpn
07:09 < i0nC4nn0n> we have 4 opetions that point to files files
07:09 < i0nC4nn0n> option ca, dh, cert and key
07:09 < i0nC4nn0n> i have all 4 of those
07:10 <+hyper_ch> (I think it would be easier to just create a new ca and issue everything anew)
07:10 < i0nC4nn0n> i do agree
07:10 < i0nC4nn0n> but i have some certs
07:10 < i0nC4nn0n> that are handed out to clients
07:10 < i0nC4nn0n> i cannot reach
07:10 <+hyper_ch> you can run multiple server instances
07:11 < i0nC4nn0n> on this piece of shit router? :D
07:11 < i0nC4nn0n> i doubth it
07:11 < i0nC4nn0n> single core arm at 600mhz
07:13 < i0nC4nn0n> hyper_ch: can u guide me through setting up a new ca and creating a new client?
07:13 < i0nC4nn0n> maybe ill figure out how to do it with my old one along the way
07:14 < i0nC4nn0n> for ex, check out this:
07:14 < i0nC4nn0n> https://wiki.openwrt.org/doc/howto/vpn.openvpn#prerequisites
07:14 < i0nC4nn0n> i seriously dont understand from where the "build-ca" binary or script or whatever wold come...
07:14 < i0nC4nn0n> the shell just yells "bad command or file name" at me in unixian
07:14 <+hyper_ch> i0nC4nn0n: https://community.openvpn.net/openvpn/wiki/EasyRSA3-Insecure-PKI
07:14 <@vpnHelper> Title: EasyRSA3-Insecure-PKI – OpenVPN Community (at community.openvpn.net)
07:16 < i0nC4nn0n> how would one obtain that magical "EasyRSA v3 zip or tarball"?
07:16 < i0nC4nn0n> (lets say on debian)
07:16 < i0nC4nn0n> https://github.com/OpenVPN/easy-rsa/releases
07:16 <@vpnHelper> Title: Releases · OpenVPN/easy-rsa · GitHub (at github.com)
07:16 < i0nC4nn0n> nvm, im retarded :)
07:18 <+hyper_ch> i0nC4nn0n: also, when generating the client certs (step 7), you might want to add   "nopass" as parameter as well, so that no password is needed when that cert is being used
07:19 <+hyper_ch> i0nC4nn0n: also the title "insecure" pki is named like that because you, as PKI do create client private keys and issue certs...
07:19 <+hyper_ch> so don't let that "insecure" scare you
07:29 < i0nC4nn0n> hyper_ch: i fink i got it
07:29 < i0nC4nn0n> build-ca (step 2) creates 2 files
07:29 < i0nC4nn0n> ca.crt and private/ca.key
07:30 < i0nC4nn0n> and i dont have the ca.key :|
07:31 <+hyper_ch> ?
07:31 <@ordex> i0nC4nn0n: that is the private key that BtbN was talking about earlier
07:31 <+hyper_ch> [14:29] <i0nC4nn0n> ca.crt and private/ca.key
07:32 <@ordex> hyper_ch: I think he is talking about the files he has from the previous pki
07:32 <@ordex> he lacks the CA key
07:32 < i0nC4nn0n> yes yes
07:32 <+hyper_ch> you can mind-read over the internet? oO
07:32 < i0nC4nn0n> now i see the error of my ways
07:32 < i0nC4nn0n> he apparently can
07:33 < i0nC4nn0n> no worries, cause i have a backup SOMEWHERE.... (i hope)
07:33 <+hyper_ch> rule 1 of computing: always have backups
07:33 <+hyper_ch> rule 2 of computing: always have a second backup set in a different location
07:36 <@ordex> rule 3 of computing: to be safe against privacy violation, always delete all your backups
07:36 <@ordex> XD
07:36 <@ordex> hyper_ch: I don't mind-read. I just bought a new crystal ball at the street market nearby yesterday
07:37 <+hyper_ch> I just encrypt them
07:38 <@ordex> and delete the key ?
07:38 <@ordex> :P
07:38 <+hyper_ch> no, back the key up to github
07:39 <@ordex> ah, that's what that plublic http://github.com/hyper_ch/allmyprivatekeys repo is for?
07:39 <+hyper_ch> yes, but don't tell anyone about it
07:39  * ordex feels utterly funn today - even though he is not
07:39 <@ordex> *funny
07:39 <@ordex> sure :P
07:39 <+hyper_ch> oh, you're hillarious today
07:40 <@ordex> jokes apart, is it snowing over there ?
07:40 <+hyper_ch> currently now.. but there's snow
07:41 <+hyper_ch> ordex: sunday afternoon https://images.sjau.ch/img/f8a6bbfa.jpg
07:41 <@ordex> eheh not bad
07:41 <+hyper_ch> unfortunately that white stuff isn't the same stuff you can buy from your trusted "trader" for $100/gram
07:42 <+hyper_ch> otherwise I'd be rich now
07:42 <@ordex> otherwise your trusted trader would be bankrupt by now
07:42 <@ordex> rich or really high mh
07:42 <+hyper_ch> why didn't I buy bitcoins when they were like $20
07:56 < i0nC4nn0n> hyper_ch: why didn't you buy stock in facebook or google or apple or tesla or way back why didn't you invest into the british east indian company?
07:57 < i0nC4nn0n> cause ur not a speculator and thats that
07:58 < i0nC4nn0n> btw, thanks for the help
07:58 < i0nC4nn0n> the backup doesn't contain the key... so it must be on the other router :|
08:00 <@ordex> i0nC4nn0n: the key is not something you deploy. it normally just stays where you run easyrsa
08:01 <@ordex> that couldbe on any machine you used to create the keys/certs/etc
08:01 <@ordex> hyper_ch: you can still buy now and speculate wit the derivatives
08:01 <@ordex> it is utterly lucrative if it does not fluctuate :D
08:02 < havoc> it's all fun and games, until enough people try to sell BTC
08:03 < havoc> no way any exchange can cover even 10% of them
08:03 <@ordex> well, especially when everybody wants to sell and nobody wants to buy
08:03 <@ordex> :D
08:03 < havoc> yes, rampant speculation does not make for a stable currency
08:03 <@ordex> that's why I think it might be meaningful to speculate on derivatives now that it is still growing
08:03 <@ordex> yap
08:03 < havoc> BTC is more commodity than currency
08:03 <@ordex> mah not even that
08:03 <@ordex> because a commodity has some kind of intrinsic value in the society
08:04 <@ordex> (even though it can be very low, but you can do $something with it)
08:04 < havoc> I'm just saying that it lacks the stability required for a functional/useful "currency"
08:04 <@ecrist> Back when BTC was ~$5 each, I thought about dumping $100 into it, maybe $200
08:04 <@ecrist> If I had done that, I'd have 20 - 40 BTC
08:04 <@ecrist> I could pay off my house, and then some
08:05 <@ordex> I even bought 20 BTC back then, then I sold them. I aways hoped it could be a currency only
08:05 <@ordex> all this speculation has destroyed its real meaning imho
08:15 <+hyper_ch> ordex: well, with all spam I've gotten regarding bitcoin lately and the introduction of derivatives... I better keep my fingers from i
08:15 <@ordex> :D
08:16 <+hyper_ch> bitcoin has two things going for it: (a) it was the first [successfull] one (b) it's a limited ressource.... everything that's limited has an inherent value
08:18 <@ordex> hyper_ch: mah not sure about b)
08:19 <+hyper_ch> it's the nature of things.... if it's limited it will get an inherent value due to its scarcity
08:19 <+hyper_ch> it might not be much
08:20 <@ordex> sure like 0.000000000000000000001
08:25 <@ordex> hyper_ch: even though it may have an intrinsic value, the tradable value is given yb the amount people are willing to pay to get the good
08:25 <@ordex> gold has been known to always be !=0 on thr tradable side, because people are always willing to accept it. on btc, I have the feeling this won't hold true
08:26 < DArqueBishop> ecrist: didn't you say a new version of easy-rsa 3 is going to drop soon?
08:30 <@ecrist> probably, yes
08:30 <@ecrist> there's a number of bugs I'm working on fixing
08:31 <@ecrist> quite a few are windows related (lack of utility in release, egrep instead of grep -E, etc)
08:37  * DArqueBishop nods.
08:37 < DArqueBishop> I'll wait until then to redo my environment, then.
08:51 <@ecrist> DArqueBishop: possibly this weekend.
08:51 < DArqueBishop> Cool.
10:52 -!- Dougy [~dougy@openvpn/community/support/Dougy] has quit [Ping timeout: 248 seconds]
12:49 < flugger> I've had an OpenVPN server setup on ubuntu for over a year, has always worked flawlessly. It's been running virtually untouched for the entire time. Last I connected to it was probably a couple weeks ago (roughly). Today, I can't get anything to connect (phone, iPad, laptop)....gettting Server Poll timeout messages
12:49 < BtbN> if you never updated the machine in a year, that's not surprising.
12:49 < flugger> No no, machine is up to date.
12:50 < flugger> untouched meaning, I haven't touched any configs
12:50 <+hyper_ch> expired certs?
12:51 < flugger> shouldn't be, if I recall the expiry was set to like 30 years or something
12:52 < rob0> First thing, I'd make sure it's running.  Second, I'd check its logs.
12:54 <+hyper_ch> and third thing?
12:55 < rob0> depends what I would see in the logs, of course
12:55 < rob0> maybe increase to verb 4 and restart?
12:55 < flugger> it's running...
12:56 < flugger> but uhmm
12:56 < flugger> I think I might have found the problem
12:56 < flugger> and uhhh
12:56 < flugger> I feel like an idiot
12:56 < rob0> oh good.  That's our specialty here. ;)
12:57 < flugger> looks like the ISP has chosen today to change my IP....after like 18 months.
12:57 < rob0> ahh
13:02 < flugger> thought I had dynamic DNS setup for the domain, but uh..
13:02 < flugger> idk
13:08 < flugger> updated the domain dns A records... all good OpenVPN connected on all devices.
13:09 < rob0> Your dhcp client probably has a means to run a script when the IP address changes.  You could have that script update your A record.
13:13 < flugger> that might be slightly out of my skillset... my dhcp client would be my router, would it not?
13:13 < nb> anyone around?
13:13 < nb> I have a openvpn server taht has ipv6 set up
13:13 < nb> and i have a /56 subnet that openvpn assigns addresses out of that is routed to my server
13:14 < nb> I want the client's traffic to not be nat'ed to the main ip of the server, but instead, to come from that client's ipv6 address
13:14 < nb> is that possible?
13:14 < nb> I tried just removing the iptables masquerade rule for ipv6 but then it can't do ipv6 at all
13:20 < rob0> flugger, some routers will work with some dynamic DNS services.  None support RFC 2136 dynamic updates, however, that I know of.
13:21 < rob0> nb, NAT is not even "necessary" for ipv4, if you are using routable (non-RFC1918) addresses for your client pool.
13:21 < flugger> Yeah, I thought I had done that.... doesn't look like it was effective. RFC 2136, huh?
13:22 < das_j> Hello everyone, are there any options when creating a persistent TUN interface? I use `openvpn --mktun --dev tun0`, but when I try to start dhcpcd, it complains with `tun0: unsupported interface family 00`. So is there any way to change the type?
13:22 < rob0> nsupdate(8) <-- the BIND CLI tool for 2136 updating
13:22 < rob0> das_j, tun is not compatible with DHCP.
13:23 < das_j> rob0: I don't try to gather a lease on the TUN interface. Instead, I use IPv6 prefix delegation and want an address from my physical interface to be delegated to the OpenVPN interface. Isn't that supported as well?
13:23 < DArqueBishop> rob0: routers running OpenWRT/LEDE can use nsupdate.
13:23 < das_j> s/as well/either/
13:23 < rob0> DArqueBishop, yes, but probably not supported in the web GUI, is it?
13:24 < DArqueBishop> I wouldn't know. I never use it. ;-)
13:26 < rob0> das_j, you cannot do ANY DHCP on tun; not client nor server.
13:27 < das_j> Damn. So how would you hand out global IPv6 addresses to clients? Or would you just use the link locals?
13:33 < nb> rob0, yes, I do not want NAT for ipv6
13:33 < nb> but it doesn't seem to be working without it
13:33 < nb> or i'm not setting something up right
13:34 < nb> i removed the masquerade line from iptables
13:34 < nb> but now it's not working at all for v6
14:26 < JumpY> Hello together, I have a damn problem and can't find a solution on google after 1000 pages.. I need to connect to a openvpn to configurate a little server but the internet connection is not stable at this point. Isn't it possible to route only all traffic to the vpn ip via openvpn and use for other traffic my normal internet connection?
14:28 < JumpY> If I can't do it clientside, I could adjust the openvpn servern, but I do not find any solution after testing 1000 commands -.-
14:28 < rob0> !redirect
14:28 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
14:28 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
14:28 < rob0> If you didn't set --redirect-gateway, traffic is not redirected.
14:30 < JumpY> Is this serverside?
14:32 < JumpY> I tried: "route-noexec" in clientside configuration -> No traffic via VPN. Then I tried to at a specific route to one IP clientside, can't connect anymore.
14:36 < JumpY> http://swimminginthought.com/routing-traffic-vpn/ <-- Is this the correct way?
14:36 <@vpnHelper> Title: Split Tunneling with OpenVPN (Routing some traffic out a VPN connection) (at swimminginthought.com)
14:46 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 260 seconds]
14:48 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
14:48 -!- mode/#openvpn [+o syzzer] by ChanServ
15:34 < lovetruth> hello :)
15:35 < lovetruth> I met a problem and I'm not sure how to solve it...
15:35 < lovetruth> the problem is that 70 out of 1300 clients can't connect
15:36 < lovetruth> the message in the log is "MULTI: bad source address from client [10.0.0.1], packet dropped"
15:39 < lovetruth> where / how can I get help?... I'm a little stuck?...
15:40 < lovetruth> I've tried all of these, described in this article: https://serverfault.com/questions/646130/multi-bad-source-address-from-client-any-one-off-solutions ... :)
15:40 <@vpnHelper> Title: vpn - MULTI: bad source address from client - any one-off solutions? - Server Fault (at serverfault.com)
22:54 -!- Dougy [~dougy@openvpn/community/support/Dougy] has joined #openvpn
23:20 < TuxBlackEdo> i have a dedicated server with a /29.. i was wondering if i can have access server give a vpn client a public ip address... would I have to do an ethernet bridge?
23:21 < rob0> well, an IP address is an IP address, "public" or not.  But,
23:21 < rob0> !as
23:21 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
23:22 < rob0> and no, bridging is usually a bad idea and seldom needed
23:22 < rob0> also, probably not a good idea to IRC as root.  Develop better habits, you will be glad you did.
23:25 -!- TuxBlackEdo is now known as TuxBlackEdo2
23:27 < TuxBlackEdo> ok if i use the non-commercial version of openvpn how would i go about getting openvpn to handle a windows client with a public ip?
23:39 < rob0> there's nothing special about public IP addresses except you don't use NAT
23:39 < rob0> nothing special about Windows clients AFAIK (I don't use any)
--- Day changed Thu Dec 14 2017
01:10 < brutser> hello, I keep finding these lines in my log when client connects and attempt to communicate:
01:10 < brutser> Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
01:10 < brutser> MULTI: bad source address from client [::], packet dropped
01:11 < brutser> it's weird because my server.conf reads cipher AES-256-CBC - by the way, the client can browse and use the vpn "normal" but these packet drops keep appearing
01:11 < brutser> i use a client config directory for each client
01:11 < brutser> any hints where i should find the cause of this?
01:28 < brutser> i also notice: PID_ERR replay-window backtrack occurred
01:35 < Eugene> rob0 - pfsense does RFC2136 just fine
01:45 < brutser> anyone can help me where to start looking for the cause?
01:45 < brutser> should I switch to TCP, i read some documents saying packets are dropped because of udp
01:51 < brutser> switched to tcp protocol, but still getting the same errors in log
01:51 < brutser> again, the vpn connection is working ok, just i see in log these lines:
01:51 <+hyper_ch> dazo: ecrist: krzee: ordex: https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/
01:52 < brutser> MULTI: bad source address from client [::], packet dropped
01:55 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has left #openvpn ["Konversation terminated!"]
01:57 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
01:57 -!- mode/#openvpn [+v hyper_ch] by ChanServ
02:03 < adrian_1908> Where does openvpn look for files specified in a *.conf file? I have the certs 'n stuff in the same dir as the config file, but get "no such file or directory".
02:06 < adrian_1908> I can use full paths of course, but my VPN provider gave me a config file with relative paths (just the filename).
02:07 -!- abenz__ is now known as abenz
02:30 < brutser> adrian, normally when you put certs and all in same directory as .conf file, they should be found
02:31 < i0nC4nn0n> could it be that the user trying to connect doesn't have read access to the files?
02:49 < brutser> i make many changes, but still i receive the error: MULTI: bad source address from client [::], packet dropped
02:49 < brutser> the connection from client is working ok
02:50 < brutser> just i get a few lines with that error
02:50 < brutser> some documents online suggest to switch to TCP protocol, i did, but did not change anything
02:50 < brutser> also some document wrote I should add iroute in the ccd, which i did, but no effect
02:51 < brutser> why am i getting this error? any hints where to look and how to tackle this????
04:38 < adrian_1908> Can I ask here about openvpn's systemd units, or is that too specific?
04:58 < rudi_s> adrian_1908: Sure, just ask.
04:59  * adrian_1908 eating atm, I'll askin a bit later :f
05:20 < adrian_1908> rudi_s: Ok, I'm back. My question is about the existence of "openvpn@.service", "openvpn-client@.service" and "openvpn-server.service". I only want to run a client and was wondering if special attention is needed in that case.
05:20 < adrian_1908> I looked at these files, but am not quite sure what to make of it.
05:21 < adrian_1908> I noticed that there exists an /etc/openvpn/client and …/server directory, which I understand has been added to OpenVPN 2.4, and is not distro specific.
05:22 < rudi_s> adrian_1908: I think the -client/-server are the recommended way for new setups. - So I'd use openvpn-client@foo and put the config in /etc/openvpn/client/foo.conf in your case.
05:26 < adrian_1908> rudi_s: I see. Is it possible that the regular systemd service "openvpn@.service" handles this automatically? I'm having difficulty understanding that.
05:26 < adrian_1908> I added my VPN's config files to /etc/openvpn (not client subdir), an that seemed to have launched everything as desired.
05:26 < adrian_1908> I'm just not sure if that's the right way to handle it.
05:27 < rudi_s> adrian_1908: Yes, that uses the "traditional" openvpn@ service.
05:27 < rudi_s> I think either way will work, but I think the suggested solution is to use openvpn-client@
05:28 < adrian_1908> Ok. I'll do some more reading and see if I can get more clarity on this. Thanks for the information!
06:36 < adrian_1908> rudi_s: Just wanted to say thanks. You were right about `systemctl enable openvpn-client@myconf.service`. I disabled the general "openvpn.service" and the latter alone does the job.
06:36 < adrian_1908> the former* alone
08:55 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Ping timeout: 255 seconds]
12:07 < Petfrogg> hello!!!
12:08 < Petfrogg> My vpn client tells me that the DNS is not correct configured after 30 seconds of utime
12:08 < Petfrogg> the thing is that some pages are able to load but not all
12:37 < |Mike|> Petfrogg: os?
12:37 < Petfrogg> Ubuntu 16
12:38 < Petfrogg> i just found something
12:38 < Petfrogg> update-resolv-conf
12:39 < Petfrogg> seems to be something i could add to the base.conf and then create a new *.ovpn
12:41 < Petfrogg> |Mike|: or do you have any other suggestion
12:41 < Petfrogg> ?
12:41 < Petfrogg> it just strange that it works on some DNS lookups and some not.
12:46 < Petfrogg> hm
12:46 < Petfrogg> maybee not
12:50 < |Mike|> you could push dns settings from the openvpn server ;-)
12:50 < Petfrogg> i am doing that
12:50 < Petfrogg> 8.8.8.8
12:50 < |Mike|> !network-manager
12:50 < |Mike|> !networkmanager
12:51 < |Mike|> !ubuntu
12:51 < |Mike|> !logs
12:51 < |Mike|> o, no bot
12:51 < |Mike|> krzee:
12:51 < |Mike|> are you using network manager?
12:51 < rob0> no bot in this channel is a disaster!
12:51 < Petfrogg> i got the openvpn running on a ubuntu, i connect to it using Tunnelblick and I am using a mac on the clientside
12:52 < |Mike|> rob0: i fully agree!
12:52 < rob0> so where is the problem, on ubuntu or OS X?
12:52 < Petfrogg> the client
12:53 < Petfrogg> but i do not know if the problem can be fixed from the server or not
12:54 <+hyper_ch> so, the US abolishes net neutrality...
12:54 < Petfrogg> ok
12:55 < Petfrogg> after 40 seconds it breaks and states that the dns i not correct
12:55 < Petfrogg> my computer also seems to have the ip 0.0.0.0
12:55 < Petfrogg> my mac that is
12:56 < Petfrogg> https://pastebin.com/xHG2Cuej
12:57 < Petfrogg> that is the log form Tunnelblink
12:58 < Petfrogg> hyper_ch: what do you think about it?
12:58 < Petfrogg> hyper_ch: in theory i understand it
13:00 < zoredache> Petfrogg: You are getting lots of permission errors related to adding routes
13:00 < Petfrogg> hm
13:00 <+hyper_ch> teclos/cable providers getting even more power.... raising the bar for new competition to enter... basically creating monopolies IMHO
13:00 < Petfrogg> zoredache: it could be that my mac does not allow the route change
13:01 < zoredache> What version of OSX.  I think I saw something in a post recently that newer versions of OSX changed a default that breaks things running as root.  Maybe that is the problem
13:01 < Petfrogg> 10.13.1
13:01 < Petfrogg> hyper_ch: in sweden the state have dug all the cables into the ground so there is a limit on what can be done
13:02 < Petfrogg> zoredache: line 261
13:04 < zoredache> Right.  that is one of the lines with problems.  Your routes aren't able to be changed for some reason, so it is likely nothing is going to work.  I am trying to find that article I saw.  It had a fix
13:07 < zoredache> Ah, right the thing I had seen suggested disabling 'System Integrity Protection' as I look at the tunnelblick page it suggest this shouldn't be required
13:07 -!- nOOb__ is now known as nOOb
13:08 < Petfrogg> zoredache: where should change that=
13:09 < zoredache> It probably isn't a good idea.  But if you want to try it see https://www.howtogeek.com/230424/how-to-disable-system-integrity-protection-on-a-mac-and-why-you-shouldnt/
13:11 < Petfrogg> zoredache: aouch....
13:12 < Petfrogg> well it is worth a try
13:12 < Petfrogg> if it solves it then i know where the problems is
13:12 < Petfrogg> but it is a pain...
13:13 < Petfrogg> a bit like SELinux
13:15 < Petfrogg> ok - will take a dive now
13:20 < rob0> hyper_ch, it's the American Way.  We have the best gov't money can buy!
13:21 <+hyper_ch> The Leader of the Free World... guess the Free World is declining ;)
13:43 < Petfrogg> zoredache: https://pastebin.com/9aVSDa4H
13:45 < Petfrogg> I think we are on one problem here
13:46 < Petfrogg> going back into safe mode
14:42 < Petfrogg> zoredache
14:43  * ecrist fixes vpnHelper
14:43 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
14:43 -!- mode/#openvpn [+o vpnHelper] by ChanServ
14:44 < Petfrogg> dropping to disable it looks files where created
14:44 < Petfrogg> but still got the same problem
14:45 < Petfrogg> or it looks like the same problem
14:46 <@ecrist> !ubuntu
14:46 <@vpnHelper> "ubuntu" is dont use network manager to configure your vpns! get it working via commandline and then import to network manager if you want to use it.
14:46 <@ecrist> !logs
14:46 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
14:51 < Petfrogg> ahhh the setup of VPN has to be made easier
14:51 <@ecrist> ?
14:51 <@ecrist> It's pretty easy, IMHO
14:51 < Petfrogg> there are so many steps
14:52 < Petfrogg> and i still do not get the DNS to work
14:52 < Petfrogg> after flipping my client to disable security
14:53 < Petfrogg> the route added the file and is now written own
14:53 < Petfrogg> down
14:53 < Petfrogg> but i could surf
14:53 < Petfrogg> so i went back and enabled it
14:54 <@ecrist> so, if you're looking for help, see these
14:54 <@ecrist> !goal
14:54 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:54 <@ecrist> !configs
14:54 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
14:54 <@ecrist> !logs
14:54 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
14:54 <@ecrist> and if you paste this stuff directly in the channel, we will kick you.
14:54 < Petfrogg> now that error of the "/sbin/route add" is changed to "file written"fixed
14:54 < Petfrogg> ecrist: of course i will not paste the log in here
14:57 < Petfrogg> gonna flip the log level to 4 and start creating logs for you
15:20 < Petfrogg> when the client logs on - where does the server log that?
15:28 < |Mike|> yep
15:28 < |Mike|> in /var/log/openvpn.log or /etc/openvpn/
15:28 < |Mike|> depends on where you pointed it to ;)
15:29 < Petfrogg> 8 )
15:35 < Petfrogg> check this https://pastebin.com/3mvf947B
15:42 < Petfrogg> |Mike|: does those log work?
15:42 < Petfrogg> zoredache?
15:42 < Petfrogg> https://pastebin.com/3mvf947B
15:45 < zoredache> Petfrogg: honestly I don't know.  I don't know tunnelblick/osx enough to be much help
15:45 < nobody> what's the status on net neutrality?
15:45 < Petfrogg> ok - but are those logs what you all wanted?
15:47 < Petfrogg> https://pastebin.com/U7uSdTkr
15:47 < zoredache> That might be enough for someone that knows more about your environment to help.
15:48 < Petfrogg> good
15:48 < Petfrogg> that last paste is a quickscript i made in order to make the server logs
15:48 < Petfrogg> might be something that could be usable for someone else
15:50 < Petfrogg> zoredache: thanx for your help so far
15:50 < Petfrogg> zoredache: may i priv you?
15:56 < nb> rob0, so, the reason it wasn't working right was the routing for my ipv6 subnet was going to another server
15:57 < nb> but once i had linode change it to the right linode, and i removed iptables masquerade for ipv6, it uses the client's ipv6 address
16:10 < Petfrogg> time to slepp
16:11 < rob0> nb, yeah, I figured it had to be something about routing
20:03 < BoggGod> !Welcome
20:03 <@vpnHelper> "Welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
20:03 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
20:05 < BoggGod> just clone the latest github.com/easy-rsa, but when I try to sign a key I get a weird error
20:05 < BoggGod> https://paste.opensuse.org/86095985
20:05 < BoggGod> I don't think this happened when I did the same procedure a couple of weeks ago
20:05 < BoggGod> *github.com/openvpn/easy-rsa
21:18 -!- abenz_ is now known as abenz
--- Day changed Fri Dec 15 2017
00:50 -!- upbeta_______ is now known as upbeta
02:06 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has left #openvpn ["Konversation terminated!"]
02:08 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
02:08 -!- mode/#openvpn [+v hyper_ch] by ChanServ
03:52 < Qowy> !welcome
03:52 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
03:52 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
03:52 < Qowy> !redirect
03:52 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
03:52 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
03:52 < Qowy> !ipforward
03:52 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
03:53 < Qowy> !linipforward
03:53 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
03:54 < Qowy> Hi, this is probably something completely simple but I seem to miss the key piece.
03:56 < Qowy> I have a linux gateway server that has a subnet behind let's say eth1. I want to route all traffic from eth1 through tun0 but only that. So I cannot use redirect-gateway.
03:57 < Qowy> Traffic from the machine itself and other subnets behind eth0 and eth2 should still use the old default gateway. ipTables is already setup (and works fine as long as I redirect all traffic through the vpn). But how do I have to configure ip route?
04:44 -!- Kryczek_ is now known as Kryczek
04:52 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
05:03 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
05:03 -!- mode/#openvpn [+o syzzer] by ChanServ
05:48 < samael> i have a weird problem. openvpn 2.4.0 acting as udp server, then some clients (older versions). any node can ping others, i can telnet to 22/tcp, 80/tcp and other services to confirm they are open and reachable, but using ssh(1) or a browser on that ports keeps hanging on without reply. the server has no firewall, nor the clients. i feel a bit confused, any pointer would be appreciated.
06:26 < daemon> is there anything stopping me doing 'push "route 172.19.18.0 255.255.255.0"'
06:26 < daemon> can I push a B class to clients?
06:26 < daemon> C class even
06:26 < daemon> err
06:26 < daemon> I just totally messed up what I was meant to say
06:26 < daemon> is there anything stopping me doing 'push "route 172.19.0.0 255.255.0.0"'
06:26 < daemon> a /16
06:44 <@ordex> daemon: you can push any route you want. it's up to you to understand if that can break anything in your network
06:45 < daemon> ordex, ah cool, as a weird aside
06:45 < daemon> the p2p link
06:45 < daemon> I could not 'push routes' over it
06:45 < daemon> I had to handwrite 'route ....' in the appropriate configs
06:46 < daemon> is that normal
07:48 <+hyper_ch> dazo: ecrist: krzee: ordex:  https://www.schneier.com/blog/archives/2017/12/tracking_people_5.html
07:48 <@vpnHelper> Title: Tracking People Without GPS - Schneier on Security (at www.schneier.com)
08:01 <@ecrist> daemon: in the p2p setup, there is no "server" so neither side will attempt to push any routes/config
08:01 < daemon> ecrist, that explains it :)
10:01 -!- Dougy [~dougy@openvpn/community/support/Dougy] has quit [Ping timeout: 272 seconds]
10:02 -!- abenz_ is now known as abenz
10:04 <@dazo> daemon: to further explain what ecrist said .... the --push feature depends on a control channel, which requires PKI (--ca, --cert, --key or --pkcs12) ... in p2p mode, there is no control channel, just "random garbage" which is just the tunnelled network traffic.  With PKI enabled, that network traffic is put into the data channel of the VPN tunnel, while the user authentication, --push, etc is handled over the control channel  (the OpenVPN wire
10:04 <@dazo> protocol will in PKI mode multiplex data and control channels into a single port/socket)
10:07 <@dazo> so while the security is better with PKI mode, it contains enough clues to fingerprint an OpenVPN connection .... On the other hand, it is far harder to fingerprint --mode p2p traffic as OpenVPN (data stream looks completely random without too much patterns), with the downside that the security of the tunnel data itself is not as secure - the encryption key is static
10:08 < daemon> dazo, that was very precise thank you ;)
10:08 <@dazo> or actually it is quite wrong to say --mode p2p .... --secret is appropriate .... as you can use --mode p2p with --tls-client and --tls-server
10:08 <@dazo> (which is p2p with PKI)
10:08 < rob0> the truly paranoid will run a client/server inside a p2p tunnel ;)
10:08 <@dazo> inside a static tunnel, yes :)
11:05 <@ecrist> the truly truly paranoid will run a client/server inside a p2p tunnel inside a p2p tunnel through an ssh proxy
11:05 <@ecrist> :P
11:05 <@ecrist> over IPSec
11:06 <@ecrist> I think at that point there's more overhad than traffic
11:10 <+hyper_ch> ecrist: and best on a network airgapped from the internet inside a a mile deep tunnel in a mountain
11:11 < tezogmix> Anyone able to get more than 150Mbps+ downstream while on VPN (e.g. OpenVPN Tap adapter) + windows?
11:11 < tezogmix> I can achieve this on ubuntu when testing.
12:19 < Dixie_F> How does one determine what client side fire-walling is needed (not specifically an OpenVPN question I suppose)?
12:21 < Dixie_F> Having spent a few weeks getting a client side firewall and openVPN router working in a smartOS, it finally sank in that my VPN provider is clearly providing some firewalling.
14:14 < BoggGod2> Does this work for anybody rgiht now with the latest easy-rsa? I tried it on two machines with different openssl and different distros, but signing server keys fails every time: https://github.com/OpenVPN/easy-rsa/issues/168
14:14 <@vpnHelper> Title: signing a server fails for unknown reasons (fresh install OpenSUSE Leap, openssl 1.0.2j-13.1) · Issue #168 · OpenVPN/easy-rsa · GitHub (at github.com)
14:18 <@ordex> BoggGod2: <@ecrist> [04:38:31] comment out lines 655 through 659 and see if your error goes away.
14:18 <@ordex> this is what i was suggested for (I believe) the same error
14:18 < BoggGod2> in the executable 'easyrsa'?
14:19 <@ordex> yap
14:19 < BoggGod2> alright, sec
14:19 <@ordex> those lines correspond to the easyrsa script in master
14:23 < BoggGod2> Wooo! works
14:24 < BoggGod2> thanks so much
14:24 <@ecrist> also, shame on both of you for use "master"
14:24 <@ecrist> that's the development branch
14:25 < BoggGod2> ecrist: I was hoping to setup my vpn before I delve into properly understanding github :P but that's good to know
14:25 <@ecrist> BoggGod2: there are actual packaged releases you should use
14:26 <@ecrist> v3.0.3 is current.
14:26  * ecrist points to /topic
14:27 <@ordex> I use master not for production :P
14:29 < BoggGod2> ecrist: I'll probably continue my work with a stable release then :P
14:33 < |Mike|> haha
14:35 <@ecrist> I think I'm going to push in a flag for master
14:35 <@ecrist> if you clone from master, you'll have to pass in --i-know-its-master to run, otherwise you get a message pointing you to the release downloads
14:36 <@ecrist> or, we'll accept an environment variable, "NO_I_WONT_EXPECT_SUPPORT"
14:36 <@ordex> how about: --i-know-its-broken ?
14:36 <@ordex> :P
14:36 -!- ordex was kicked from #openvpn by ecrist [smartass]
14:36 < |Mike|> hehe, --oops-another-noob-fuckedup
14:36 -!- BoggGod2 is now known as BoggGod
14:36 -!- mode/#openvpn [+o ordex] by ChanServ
14:36 <@ordex> :D
14:37  * |Mike| hides from shazam
14:39 < BoggGod> ecrist: it would have helped in my case (and saved me 4 hours or so :D) as I'm a novice and relied in part on the instructions of a more knowledgable friend
14:39 < bhenc> errr
14:39 < bhenc> why exactly aren't you using what your distro provides?
14:39 < BoggGod> who simply sent a line like this: "git clone https://github.com/OpenVPN/easy-rsa"
14:40 < BoggGod> it doesn't provide easyrsa
14:40 < bhenc> really?
14:40 < bhenc> which distro?
14:40 < BoggGod> leap 42.3
14:40 < BoggGod> I'm trying to get a vpn to work against DPI (third world country o/) now trying from scratch with stunnel encapsulated openvpn
14:42 < bhenc> BoggGod: always go to the releases page on github or you'll go mad
14:43 < BoggGod> too late
14:43  * BoggGod has already gone mad :)
14:47 < bhenc> BoggGod: I'd stick to the 2.2.2 release if you're in a hurry, had to setup a VPN in like 2 days this week and the 2.x release had a lot more documentation, couldn't figure out how to increase the keysize to 4096 bits in the 3.x release
14:49 < BoggGod> bhenc: by now I'm pretty familiar with 3.x (had a running 4096 bit keysize, sha512 client-server setup. But due to DPI we had to look at another solution
14:50 < BoggGod> so I'm a bit reluctant to move away from it :P but at the first sight of trouble, I'll switch to save me future headaches
14:52 < bhenc> errr I'm a newb and a sysadmin, so I kinda count that some poor guy will have to maintain what I build, and if there's no clear-cut docs he'll go mad, so that advice doesn't apply to you really if you're already familiar with 3.x
14:53 < bhenc> !1915
14:53 < bhenc> !1925
14:53 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
14:53 < KookyMan> Good afternoon.  I wanted to ask, has anyone else been experincing difficulties with OpenVPN on Android 8.1 on a Nexus Device? (6P to be specific.)
14:56 < bhenc> BoggGod: ...rule #1 Anyway, which third-world country is stupid enough to turn on DPI ? How exactly are you supposed to administer servers without a VPN? Jump host/IPsec?
14:59 < BoggGod> bhenc: my networking-research inflicted wounds from yesterday are still fresh, please be gentle with those words like "IPsec". It's Egypt, they're just following the footsteps of China basically. When we had it running, and switched to port 443, they dropped the connection. Because in the current format they see it's OpenVPN running on port 443.
14:59 < bhenc> hm. did you try port 2222 or port 22?
14:59 < bhenc> :D
14:59 < BoggGod> ssh works fine, and a bunch of other 'sysadmin' related stuff. They just focus on great wall circumvention
14:59 < BoggGod> yes :)
15:00 < KookyMan> BoggGod - Did you try tunneling VPN Through SSH? (Yes its a network hit but...)
15:01 < BoggGod> KookyMan: that's essentially what stunnel does, trying to go in this direction, but failed yesterday at the step of key signing :P (which I got resolved just now) ^^
15:01 < BoggGod> anyway, it has to go in that direction, making it look like normal traffic when someone looks at the packets on the port
15:02 < bhenc> BoggGod: hm thanks for the heads up, will keep that in mind while dealing with Egypt.
15:03 < BoggGod> bhenc: np, they're moving quite fast here in that regard
15:03 < KookyMan> To be more specific, When I'm at home and connect to my VPN (Provided by OpenVPN on a pfSense server), it connects just fine.  If I switch to Mobile data, and disable Wifi, OpenVPN Connect will reconnect via Mobile.  When I leave the house, and connect to public Wifi access points, OpenVPN will fail to connect, and retry every 10 seconds.  If I disable Wifi and enable Mobile, it will immediately
15:03 < KookyMan> reconnect.  While it is possible that the Wifi sites I'm using have suddenly blocked OpenVPN (Must consider possibility), the the chances of two disparate networks blocking OpenVPN/Port at the same time seems remote.  What did change was I upgraded from Android Oreo 8.0 to 8.1.  I know 8.0 had a bug that wouldn't allow route adding when you switched from wifi to mobile and had the 'must have
15:03 < KookyMan> vpn link' option enabled in Android, wondering if the fix for that may have caused another problem.
15:03 < KookyMan> (Last word in last post was 'problem.' in case it was too long and got cut off, tell me.)
15:11 < bhenc> KookyMan: hm give me half an hour
15:12 < KookyMan> bhenc - not a problem.  I have time.  I'm not in a position at the moment to try other wifi sites (I'm home) but I can respond back tommorrow on anything that wants to be tried.
15:21 < bhenc> KookyMan: I was thinking of hooking you up to a test VPN server just to grab the logs on the server side at --verb 4 or more just to see what's going on
15:22 < KookyMan> Ok. I can try it
15:23 < KookyMan> I'm presuming I have to be on one of the troubled wifi points?
15:27 < bhenc> KookyMan: or mobile data? I'll just send you the .ovpn config and give you access to the logs. Then just test anytime. Simplest would be to just give you ssh access to the VPS, I'll just nuke the VPS afterwards.
15:27 < bhenc> ...right it works on mobile data
15:28 < KookyMan> Yea, I can switch between my home Wifi and Mobile without a problem..
15:28 < KookyMan> its just using a different wifi that seems to hit a wall. (Which makes no sense to me...)
15:28 < KookyMan> If it works for one wifi it should work on them all
15:38 < bhenc> there's a lot that can go wrong, fire up mtr vpn.ceresia.ch for example and see how many hops it's required to get to a server
15:39 < KookyMan> mtr?
15:47 < bhenc> KookyMan: it's a command that combines traceroute + ping to give you a cool way to see the network topology between you and a remote IP address
15:49 < KookyMan> Ah.
15:49 < KookyMan> I'd have to install it :)
15:50 < bhenc> KookyMan: https://paste.pound-python.org/show/mSC7SGGCnz90pvCNFWCL/ looks like this. it's useful when some genius decides that you should route trafic from Southern Africa to India through London
15:50 < KookyMan> Roflol.
15:51 < specing> s/genius/ghcq/
15:51 < KookyMan> No fair bringing out ed commands. :P
15:52 -!- Dougy [~dougy@openvpn/community/support/Dougy] has joined #openvpn
15:52 < Dougy> has krzee come back yet?
15:53 < KookyMan> bhenc - I'll be honest, I hadn't even thought about doing any tracing between where I'm at and where I'm going.
15:55 < Dougy> hey ecrist
15:58 < KookyMan> I forgot, my modem offers a "public hotspot" so I might be able to get a 'different network' wifi to test against... I just gotta get it on
15:59 < KookyMan> if I disconnect, I'm fighting with my modem so I will return.
16:00 < KookyMan> brb.
16:00 <@ordex> may the force be with you
19:12 < mavorsa> I'm currently using ProtonVPN through OpenVPN on linux mint. What I'm experiencing is that between every 5 to 15 minutes, the connection drops and I no longer have any connection indefinitely. I regularly have to hit ctrl-c and then restart openvpn and log back in, in order to regain connection. This doesn't happen on windows. Is there something in a config that might fix this?
22:31 < lovetruth> hello!...
22:31 < lovetruth> have some problems with Open vpn...
22:31 < lovetruth> Dec 16 06:20:29	openvpn	10528	S0138D642-68211/213.233.109.127:22900 MULTI: bad source address from client [10.0.0.1], packet dropped Dec 16 06:20:29	openvpn	10528	S0138D642-68211/213.233.109.127:22900 MULTI: bad source address from client [10.0.0.1], packet dropped
--- Day changed Sat Dec 16 2017
02:37 -!- Crazy_Hopp is now known as Crazy_Hopper
02:38 <@ordex> mavorsa: I'd suggest to contact ProtonVPN directly as they know your configuration better
03:14 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 276 seconds]
04:31 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
04:31 -!- mode/#openvpn [+o novaflash] by ChanServ
07:47 < Petfrogg> hello
07:49 < Petfrogg> i am trying to configure my vpn and have ran into problem
07:49 < Petfrogg> as a step of the solution i am gonna install a vpnclient on another machine and use a *.ovpn file to configure it
07:50 < Petfrogg> my question is - which one should i use for Windows?
07:54 < |Mike|> the client listed on the openvpn website?
07:58 < |Mike|> install the openvpn client from the openvpn website. Put the *.ovpn in OpenVPN/config/ and run the client. Right click on the traybar icon and hit "connect"
08:07 < Petfrogg> ok
08:07 < Petfrogg> |Mike|: thanx
08:07 < Petfrogg> can two clients use the same *.ovpn?
08:12 < |Mike|> nope
08:12 < |Mike|> you'll need to use easyrsa to add clients
08:12 < rob0> maybe?  Did you put the client cert inline?  Only one client connection per cert is allowed at one time.  But if the config file refers to another file for the cert, that could have the same name on different client machines.
08:13 < |Mike|> exactly rob0 o/ :-)
08:15 <@ordex> <o
08:52 < |Mike|> Petfrogg: works?
09:21 < Petfrogg> |Mike|!
09:21 < Petfrogg> R U there
09:21 < Petfrogg> ?
09:23 < |Mike|> y
09:25 < Petfrogg> ok
09:25 < Petfrogg> i have now tested my vpn setup with a windows 10 - and it works!!!
09:25 < Petfrogg> atleast something right
09:29 < Petfrogg> ok - so then it the mac that is wrong...
09:29 < |Mike|> congrats!
09:29 < Petfrogg> well know i know that something works
09:29 < Petfrogg> zoredache! thanx
09:30 < |Mike|> i've no experience with tunnelbrick and macos tbh
09:31 < Petfrogg> well... maybe i shouldt be that happy now when i started to do easy tests
09:31 < Petfrogg> seems like the DNS fails on my windoze too....
09:31 < Petfrogg> |Mike|: you have good experience with windows?
09:32 < |Mike|> a bit, yes
09:32 < Petfrogg> may i priv you?
09:32 < |Mike|> sure
10:11 -!- abenz_ is now known as abenz
13:55  * KookyMan wonders who come up with the brilliant idea to not put a way to capture the log from OpenVPN Connect into a file, or even be able to select the text.
16:20 < lovetruth> hello!... :)
16:20 < lovetruth> one little question: ...
16:20 < lovetruth> why doesn't work iroute ?... or... what iroute really does?...
16:20 < lovetruth> !vulninfo
16:20 <@vpnHelper> "vulninfo" is (#1) See these factoids for more info about specific vulnerabilities: !heartbleed !poodle !ovpnuke !sweet32 !duhk, or (#2) See here for all security announcements: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
16:22 < pekster> !iroute
16:22 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
16:23 < pekster> lovetruth: iroute is a way to tell OpenVPN that a route is managed by a specific remotely connected client
16:23 < dstensnes> lovetruth: if you want to route something through a specific client, you cannot use the kernel routing table. If you try, then openvpn will receive the packages, but it will have no idea which client you want to route that traffic to
16:24 < lovetruth> my problem is this: (can it be fixed with iroute?...)
16:24 < lovetruth> roughly, this is how the network's layout would be:            openvpn_client (10.0.0.0/24, with 10.x.y.0/24 too) -> MPLS cloud connect router (10.0.0.0/24) -> MPLS 10.216.0.0/13 -> MPLS terminal (belongs to the ISP) -> firewall at the datacenter (with 4 port redirects to the the 4 pfsense servers. The firewall's IP is specified in the client's "remote [IP] [port]") -> the 4 (FreeBSD) (PfSense) OpenVPN servers (virtual machines)
16:24 < dstensnes> so you can use iroute in a ccd file for a client to tell openvpn which client you want to route that traffic to
16:24 < lovetruth> I have 4 FreeBSD virtual machines running PfSense with Quagga and OpenVPN server (for around 1300 clients)
16:24 < lovetruth> for some unknown reason, after the last update (around 4 days ago...), 70 clients out of the 1300 are unable to connect
16:25 < lovetruth> actually, they connect for a few seconds, and then their connection drops. In the OpenVPN logs I can see this error for them: "Bad source address: [... - the client's local LAN's IP ]". And in the OpenVPN's client list, it's "UNDEF" for the few seconds that they are connected
16:25 < pekster> bad source address just means the client is sorucing packets from an address the server doesn't recoganize and is dropping them
16:25 < pekster> Either it's a bogus packet with bad sourcing (illegal address) or the serer is missing an iroute definition to permit that traffic
16:25 < lovetruth> (all the clients behind the MPLS cloud connect router is using the same IP on 10.0.0.0/24)
16:26 < lovetruth> are* using
16:27 < pekster> Is the source of the "bad source address" something you expect to route to over the VPN?
16:27 < pekster> Or is it complete garbage?
16:28 < lovetruth> it's the client's local LAN's IP, behind the MPLS router. But no, I don't expect that address to be found there
16:28 < pekster> Then the problem is with the source end; it's incorrectly sending across the VPN _from_ that address. To correct it, you'd need to stop whatever application is doing that from using that as the source over the tun device
16:28 < lovetruth> I mean the clients do usually connect. Just that the 10.0.0.1 IP is not shown usually in the OpenVPN log
16:29 < pekster> Right, to do that you'd need explcit routes for that network on the server (using --route), plus an iroute in the server for the VPN destination, plus a return-route on the gateway of the client-managed lan for the VPN address space
16:30 < pekster> And it sounds like you don't want that; just ignore the "bad source address" unless it's traffic that's valid but incorrectly sourced. If that's the case, go fix your misbehaving client
16:30 < lovetruth> I have a tcpdump and the only 10.0.0.1 src package I saw in there was some ARP asking who's 10.0.0.254 (MPLS cloud connect router that's over the client)
16:30 < lovetruth> only 70 out of 1300 are not connecting.
16:31 < pekster> Then check logs at both ends
16:31 < lovetruth> And what's most odd of all... - it's not the same list of 70 clients every day...
16:31 < pekster> Also, ARP? Try to avoid tap unless you actually need non-IP Ethernet frames
16:31 < lovetruth> without any settings change - every day I have some other 70 clients unable to connect, out of the 1300 clients
16:32 < pekster> And what have you logs shown you?
16:32 < lovetruth> pekster: that was my first thought, actually :) the tap adapter. But... surprise: they are not using tap adapter, it's tun
16:32 < pekster> "stuff is broken" results in a "that sucks, what have you tried to learn about why" reply from me
16:32 < pekster> You won't see ARP over tun, unless you're doing something really awful like arp-proxy
16:33 < lovetruth> pekster: I tried so far: changing static routes (on both ends). Also the iroute 10.0.0.0/24 in all ccd files
16:33 < dstensnes> is there a limit to how many clients may be connected at once btw?
16:34 < pekster> Only by the network you've allocated and resources
16:34 < dstensnes> ok
16:34 < pekster> I've tested thousands of connected clients before without issue
16:34 < dstensnes> thanks
16:34 < lovetruth> pekster: I just tried something else: i saw that quagga (ospf and zebra) had some 10.0.0.0/24 route. I just removed and is still the same...
16:34 < pekster> Really I have no clue about your layout without seeing some !configs and !logs as to your problem
16:34 < lovetruth> !configs
16:34 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
16:35 < pekster> I've supplied about all the conceptual aid I can given my lack of understanding of your topology or setup
16:35 < pekster> If you have key material in your configs (with <key> or <tls-auth>) be sure to scrub those
16:37 < lovetruth> !logs
16:37 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
16:38 < lovetruth> ah, just one more thing, before the !logs and so on... :)
16:39 < lovetruth> when I ping those problematic clients (i can get their supposed IP from PfSense) - it gives me ttl exceeded (even if I ping -t 255 IP)
16:39 < pekster> sounds like a routing loop somewhere
16:40 < pekster> Your dynamic routing may be doing something you're not expecting, which you can probably trace down by looking where the loop is in traceroute
16:40 < lovetruth> my thought also!...
16:40 < pekster> Some routers are just bouncing the packet back and forth until the TTL runs out
16:40 < pekster> Probably lack of a route somewhere to get it to the expected destination
16:40 < dstensnes> traceroute?
16:40 < lovetruth> when I traceroute -> I see it bouncing from one PfSense OpenVPN server to the other
16:41 < pekster> traceroute, mtr, any path-aware tool
16:41 < lovetruth> (I have 4 FreeBSD PfSense OpenVPN routers, with load balancing, Quagga [zebra and ospf] doing this)
16:41 < pekster> Over the VPN address? Whichever server is responsible for routing that traffic needs a route for that net (to make the kernel aware) and *IF* that network is managed by a VPN client, that openvpn config *also* needs an --iroute in that client's CCD file
16:42 < pekster> Smells like your ospf might be incorrectly configured
16:43 < pekster> Check the routing table on the VPN server you think is supposed to be handling the network you can't route to
16:44 < pekster> Presumably it has a route sending to the other server. If they both do, the data just goes back & forth ~255 times
16:45 < lovetruth> all the 4 PfSense servers had (automatically - I guess) routes to each other (i guess added by quagga, for load balancing)
16:46 < lovetruth> but the routes are on the bottom of the file...
16:46 < lovetruth> so - yes... that means shortes path will change
16:46 < lovetruth> hm, smart! :) maybe quagga is the problem, indeed :)
16:48 < lovetruth> !goal
16:48 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:48 < lovetruth> !welcome
16:48 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
16:48 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
16:52 < lovetruth> !mitm
16:52 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: remote-cert-tls server in the client config
16:52 < lovetruth> !1925
16:52 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
16:53 < lovetruth> interesting :)) nice bot :)
16:54 < pekster> Self-help (and saves us some typing for common things)
22:00 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
22:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:10 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Sun Dec 17 2017
02:37 -!- pekster [~rewt@openvpn/community/developer/pekster] has quit [Ping timeout: 246 seconds]
02:37 -!- pekster [~rewt@openvpn/community/developer/pekster] has joined #openvpn
04:03 <+hyper_ch> dazo: ecrist:krzee: ordex: https://drewdevault.com/2017/12/16/Firefox-is-on-a-slippery-slope.html
04:03 <@vpnHelper> Title: Firefox is on a slippery slope | Drew DeVault’s Blog (at drewdevault.com)
04:17 -!- abenz_ is now known as abenz
04:53 < b00kworm> the fuck is that? o.O ? Code injection of ads into the browser?
09:17 -!- m0nkey__ is now known as m0nkey_
13:33 < terminalator> Hi, I'm using OpenVPN on Linux. I've configured /etc/default/openvpn to autostart my .conf. Everything works flawlessy, except that when logging in after locking my station the VPN connection is stalled. I can't ping google.com and have to manually stop and starts the service. Could someone help me out, please?
13:45 <+hyper_ch> dazo: ecrist:krzee: ordex: I'm sure you've heard it before that to us westerners all asians look the same - http://www.scmp.com/news/china/society/article/2124313/chinese-woman-offered-refund-after-facial-recognition-allows
14:39 < egrain> !welcome
14:39 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
14:39 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
14:39 < egrain> !goal
14:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:40 < egrain> one of my windows clients is using OpenSSL_1.0.2l__25_May_2017 because he says it came with openvpn. can he just install the new openssl and openvpn uses that then?
14:41 < egrain> !tap
14:41 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the
14:41 <@vpnHelper> protocol uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
14:41 -!- MochaLoca is now known as Sauvin
14:41 < pekster> OpenVPN will use the OpenSSL compiled library built with the installer, yes. There's no need to install a separate copy of OpenSSL for OpenVPN to work correctly
14:42 < egrain> pekster, but there is a security update for openssl. shouldn't openvpn then use the patched version?
14:42 < pekster> Not unless you build from source to link against a system-managed library, no
14:43 < pekster> s/system/OpenSSL/
14:44 < egrain> so you telling me openvpn is secure even though it uses an older openssl version?
14:47 < pekster> Provided you keep the client up to date, you'll get all the security improvements noted by the changelog
14:48 < egrain> so the bugs in openssl don't matter then.
14:48 < egrain> well, okay.
14:49 < pekster> What exactly are you concerned about? Have you verified the fix already corrected? Have you verified the issue impacts the build/version you're referring to?
14:49 < pekster> What CVE are you worried about?
14:49 < egrain> this thing: https://www.openssl.org/news/secadv/20171207.txt
14:50 < egrain> and i can't really verify anything, since i'm not using windows. one of my clients, remember?
14:50 < pekster> So do your own bloody research: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
14:50 <@vpnHelper> Title: ChangesInOpenvpn24 – OpenVPN Community (at community.openvpn.net)
14:51 < pekster> 1.0.21 is ancient; that's obviously not a current OpenVPN install
14:53 < egrain> he's running IV_VER=2.4.4 though.
14:53 < egrain> did he update it wrong? like should he have deinstalled the previous version and then installed the new one? how does this work exactly?
14:53 < pekster> Well I'm looking at the dll shipped with the release (you can too, btw; just use a program like 7-zip to open the .exe and you can inspect all the files yourself if you really want.) It ships a 1.0.2 version of OpenSSL
14:54 < pekster> It'll overwrite the old files on install, at least assuming the install directory is the same
14:54 < pekster> Regardless, the registry (where installed programs go) will be replaced with the new install path
14:57 < pekster> Not all vulnerabilities are going to impact OpenVPN, so there's no point in pushing a security-update for non-issues (even if other openssl uses _are_ impacted.) OpenVPN gets early notification from upstream about problems as well
14:58 < pekster> In addition, use of a tls-auth key is highly recommended as it's an additional HMAC layer that prevents a yet-untrusted client from even beginning the TLS process
14:58 < pekster> It's an "extra layer" of defense so to speak
15:00 < egrain> i have that.
15:02 < pekster> So, you're worried about a vulnerability that requires the software call a function that OpenVPN doesn't call, or the other low-severity vulnerability that requires you to use a DH size too low? :) These are non-issues, as OpenVPN does not call SSL_read() or SSL_write(), and you shouldn't be using 1024-bit DH params
15:06 < pekster> Best way to stay on top of security versions that do impact openvpn would be to subscribe to the openvpn-announce mailing list
15:25 < egrain> pekster, i update my boxes regularly, so i'm not worried. whenever i get an update i let the the clients know if they haven't updated already.
15:25 < egrain> anyway, issue resolved i'd say. thanks a bunch.
15:25 < pekster> Yea, just do pay attention when OpenVPN announces something, as security issues can have an impect than
15:26 < pekster> And you're free to inquire, but OpenVPN _does_ care about security issues. The project just also tries to avoid making users scramble if there's not actually a need/benefit
15:26 < egrain> i trust the arch people there. they bring updates pretty quickly once upstream releases a new version.
15:26 < egrain> i appreciate that.
22:58 < variable> "Your problem is probably firewall. Really"
22:58 < variable> lol
22:59 < cq1> Hey folks, incredibly dumb sounding question: I'm on a Windows machine that has OpenVPN installed and I can't for the life of me figure out how to turn it off. :(
22:59 -!- variable is now known as constant
23:00 < pekster> task manager and look for an openvpn.exe process, and kill it :). And then check that you don't have the service enabled to start on boot
23:01 < cq1> pekster: I kill openvpn.exe, and it restarts automatically. Where is it set to restart on boot? I'm a UNIX guy, so I'm not sure where to look on Windows.
23:04 < pekster> As an admin, run "mmc", go to file and attach the services snap-in, and look for the OpenVPN service
23:04 < pekster> It may be set to start on boot and possibly restart on failure
23:47 -!- abenz_ is now known as abenz
--- Day changed Mon Dec 18 2017
00:00 < cq1> pekster: Okay, thanks for the tips. I got it disabled.
02:10 < kripy> hello
02:10 < kripy> how up TAP adapter at 1gibits
05:04 < sunrunner20> any eta on the fixed ios client?
05:17 <@ordex> sunrunner20: it is out for beta testing right now
05:18 < sunrunner20> can I get a key?
05:18 < sunrunner20> I use daily
05:18 < sunrunner20> *it
05:18 <@ordex> sure
06:32 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Quit: ZNC - http://znc.in]
06:40 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
06:40 -!- mode/#openvpn [+o mattock] by ChanServ
07:13 < kripy> hello
07:13 < kripy> how have 1gbits for adaptater ?
07:23 < kripy> !welcome
07:23 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
07:23 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
07:53 < atdprhs> hi Guys
07:53 < atdprhs> I've been trying to debug an issue on openvpn for ages
07:53 < atdprhs> and not able to figure it out
07:53 < atdprhs> would really appreciate it BIG time if someone can advice
07:54 < atdprhs> I have purchased D7800
07:54 < atdprhs> Netgear router with openVPN built in service
07:54 < atdprhs> https://community.netgear.com/t5/DSL-Modems-Routers/D7800-VPN-not-connecting/td-p/1133493
07:54 <@vpnHelper> Title: D7800 VPN not connecting - NETGEAR Communities (at community.netgear.com)
07:55 < atdprhs> I have posted my issue there (look for adham)
07:55 < atdprhs> but they redirected me to openvpn
07:55 < atdprhs> I am not able to connect to the openVPN, not really sure why, I've been stuck for ages in this issue
07:56 < atdprhs> I get Connection refused
07:56 < atdprhs> WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
07:56 < atdprhs> NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
07:56 < atdprhs> can you pls help?
08:01 < atdprhs> One thing new about this time, I already bypassed this issue >>> "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" and I no longer get it
08:02 < atdprhs> but need help to know what else is the issue now and why the connection is refused?
08:16 <@ecrist> well then
08:16 <@ecrist> all that and didn't stick around
08:45 < paul123> !welcome
08:45 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
08:45 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
08:46 < paul123> !configs
08:46 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:47  * ecrist gives paul123 a gold star.
08:50 < paul123> !1925
08:50 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
08:50 < paul123> !redirect
08:50 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
08:50 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
08:53 < paul123> !route
08:53 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
08:53 < paul123> !serverlan
08:53 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
08:53 < paul123> !clientlan
08:53 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route
08:53 <@vpnHelper> for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
08:56 < paul123> mhm, ok, so this is my config atm: https://pastebin.com/dyueeUxi
08:56 < paul123> hello everyone btw. :P
08:58 < paul123> it pushes everything through the vpn, but what i want is that it only puts everything to 192.168.0.x through the VPN, everything else should go its normal direct way to the internet
08:58 < paul123> if I understand correctly I have to get rid of redirect-gateway
08:58 < DArqueBishop> Correct.
08:58 < paul123> and add a route in the client config for 192.168.0.x right?
08:58 < DArqueBishop> !serverlan
08:58 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
08:58 < paul123> anything else?
08:59 <@ecrist> paul123: This looks like client-only.  Do you control the server?
08:59 <@ecrist> Line 20, redirect-gateway, instructs OpenVPN to attempt to route ALL traffic from the local machine over the VPN.
09:01 < paul123> yes, I do control the server too
09:01 < paul123> so changing that cant be done in the client config only?
09:03 <@ecrist> the redirect-gateway?  yes/no
09:03 <@ecrist> Normally, that's something pushed from the server.
09:04 <@ecrist> The server can have per-client configuration directives.
09:05 <@ecrist> the trick about including it in a client config is that if the server isn't configured properly to support re-routing all traffic, it won't work.
09:05 < paul123> well currently it routes all traffic ok
09:06 < paul123> I would just want to restrict it to one specific net 192.168.0.x
09:06 <@ecrist> the server will need to 1) likely nat traffic from the VPN to the internet, 2) allow traffic from the VPN to the internet, 3) have routing configured for that traffic flow
09:06 <@ecrist> So, your VPN clients, you only want 192.168.0.0/24, and not all traffic?
09:06 < paul123> yes exactly
09:06 <@ecrist> If so, remove redirect-gateway from the client config
09:06 < paul123> only 192.168.0.0/24 should go through vpn
09:06 <@ecrist> in the server config, make sure you have two directives:
09:07 <@ecrist> route 192.168.0.0/24
09:07 <@ecrist> push "route 192.168.0.0 255.255.255.0"
09:07 < paul123> client doesnt need that, only server?
09:07 <@ecrist> don't use CIDR for the first one (bad on my part)
09:07 <@ecrist> only server
09:07 < paul123> I see
09:07 <@ecrist> your line 28, "pull" instructs the client to pull options from server
09:08 < paul123> and will that break all the clients still using the redirect-gateway config?
09:08 <@ecrist> the push "..." command above tells the server to push that to clients
09:08 <@ordex> Exagone313: why would the 'route 192.168.0.0/24' line be required too ?
09:08 <@ecrist> no, it won't break them
09:08 <@ordex> ecrist: ^^
09:08 <@ecrist> ordex: route ... tells the local process to route that traffic
09:08 <@ecrist> the push option tells it to push that command to clients
09:08 <@ecrist> they look the same, but have different functions
09:09 <@ordex> ecrist: right, but I think that network is "behind" the server, no ? so no need to inform the openvpn daeon about it
09:09 <@ordex> ecrist: otherwise openvpn will try to add 192.168.0.0/24 dev tunX, I think ?
09:09 < paul123> the server sits in 192.168.0.x, correct
09:09 <@ecrist> ordex: no
09:10 <@ordex> mh ok
09:10 < paul123> ok, thanks for the input, will test this in the evening
09:11 <@ecrist> paul123: there's a lot of information in the man pages about this
09:11 <@ecrist> but, you might also enjoy a book
09:11 <@ecrist> !books
09:11 <@ecrist> !book
09:11 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn, or (#3) Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
09:13 < paul123> yes, I did notice that there is a lot of reading material on this matter, but after some reading I figured why not ask the experts... :P
09:14 < paul123> however I will come back to the reading part, because its never bad to understand WHY things work a certain way...
09:16 < MacGyver> "The experts" tend to prefer that you read first and then ask questions about the parts you didn't understand.
09:16 < MacGyver> If you need pointers on what to read, that's obviously fine.
09:17 < paul123> I did read, no worries
09:17 < paul123> just not for hours yet :P
09:17 <@ecrist> No, I'm just a greedy bastard with a shamless plug for a couple books I wrote. :P
09:17 < MacGyver> Well and there's that.
09:17 < MacGyver> But really, I take the same approach to my students.
09:18 < MacGyver> "Have you read the chapter in the lecture notes that it said you should read before asking this question? No? Go read that chapter and ask again if the question hasn't disappeared by then."
09:18 <@ecrist> That said, I wrote some VERY detailed information in the Mastering book about how the configuration file is parsed, what is contained within it, and some explaination as to WHY certain directives should be included and when.
09:19 < MacGyver> But then they already know the parts that they should read and they're just being typical students about it :P
09:25 < atdprhs> hi everyone
09:25 < atdprhs> do anyone know the alternative for ipconfig set tap0 dhcp in ubuntu 17.10
09:34 < hannesDB> hi All, I'm running openvpn clients version 1.4.x and up suffering disconnects when multiple 100 MB's (up to 1G) are being transferred via the VPN, while the issue is non-existend using openvpn 2.3.x
09:35 < hannesDB> the server is version is 2.3.2
09:35 < hannesDB> I was shifting through the changelogs but seem to overlook something ...
09:37 <@ordex> hannesDB: 2.3.2 is ultra-old. several bugs have been fixed since then. If you want to stick to 2.3.x you should at least upgrade to the latest release (2.3.18)
09:37 <@ordex> and I am not aware of any 1.4.x client out there
09:37 < hannesDB> the issue is present using tunnelblick (on mac) using openvpn version 2.4.x, 2.5.x, on linux version 2.4.x and on mac viscosity (2.4.4)
09:38 < hannesDB> ordex: I will do the upgrade soon but i think it is weird 2.3.18 has no issues but 2.4 and up does have issues
09:38 <@ordex> ah 2.4 - you wrote 1.4
09:38 < hannesDB> sorry, 2.4
09:38 <@ordex> that's why I was puzzled :)
09:38 < hannesDB> the 1.4 would be worse then te 2.3.2 ;-)
09:38 <@ordex> hehe
09:38 < hannesDB> the 1.4 would be worse then the 2.3.2 ;-)
09:38 <@ordex> hannesDB: I'd suggest checking the log (with verb 4) around the time of the disconnection to see what it says exactly
09:39 <@ordex> both client and server
09:43 < sylr> Hi
09:44 < hannesDB> ordex: I need to doublecheck... are you around tomorrow?
09:44 < hannesDB> thanks in advacne!
09:44 <@ordex> hannesDB: just write, somebody will be here
09:45 < sylr> Is it possible to not push redirect-gateway but specify it in the client conf ?
09:46 < sylr> Cause I don't want to push redirect-gateway for all clients
09:47 <@ordex> sylr: sure. push is just a way to dinamically add something to the client config. you can avoid that and enable the option on selected clients only
09:47 <@ordex> or, clients can ignore routes being pushed
09:47 < sylr> ordex: I have the server pushing one route
09:48 <@ordex> ok
09:48 < sylr> I've setup  redirect-gateway on the client conf
09:48 < sylr> but it does not work
09:48 <@ordex> what do you get ?
09:48 < sylr> I've the route I push but the default gateway is not changed
09:49 < sylr> So I was thinking that if the client pull routes it might discard  redirect-gateway set locally
09:50 <@ordex> routes pushed by the server should be appended to the list, it should not be exclusive
09:50 < sylr> All right
09:50 < sylr> I'll turn on logs then
09:51 < atdprhs> I fixed "dhcp-client-request.sh" by changing the command from "/usr/sbin/ipconfig set tap0 dhcp" to "ip tuntap add tap0 mode tap;ip link set tap0 up;ip addr add 1.1.1.1/24 dev tap0"
09:51 < atdprhs> now, the issue is, I see "Tue Dec 19 02:44:49 2017 us=245997 /sbin/ip route add 0.0.0.0/1 via 192.168.1.1" >> "RTNETLINK answers: Network is unreachable" >> "Tue Dec 19 02:44:49 2017 us=251719 ERROR: Linux route add command failed: external program exited with error status: 2"
09:52 < atdprhs> how can I fix this?
09:54 < sylr> ordex: found the problem, according top the logs ovpn runs "/sbin/ip route del 0.0.0.0/0" to remove the current default gateway
09:54 < sylr> I've ran it and it does nothing
09:55 <@ordex> mh what do you mean with "it does nothing" ?
09:55 < sylr> It does not fail but does not remove the default gateway
09:55 <@ordex> uhm
09:55 <@ordex> interesting
09:55 < sylr> so when it tries to add the new defaultg gw after it fails
09:55 < sylr> "RTNETLINK answers: File exists"
09:56 < atdprhs> hi Guys, I fixed "dhcp-client-request.sh" by changing the command from "/usr/sbin/ipconfig set tap0 dhcp" to "ip tuntap add tap0 mode tap;ip link set tap0 up;ip addr add 1.1.1.1/24 dev tap0", now the issue is, I see "Tue Dec 19 02:44:49 2017 us=245997 /sbin/ip route add 0.0.0.0/1 via 192.168.1.1" >> "RTNETLINK answers: Network is unreachable" >> "Tue Dec 19 02:44:49 2017 us=251719 ERROR: Linux route add command failed: external program exited with error
09:56 < atdprhs>  status: 2", can anyone help me pls on resolving this issue?
09:57 <@ordex> mh weird...you should be able to add multiple default routes with different metric, but maybe the missing metric leads to this
09:57 <@ordex> not sure
09:58 < sylr> I was able to have multiple default routes using "route" instaed of "ip"
10:04 < sylr> "ip route replace default dev tun0" whork :s
21:25 <@ecrist> suuuuup folks?
21:25 < _FBi> yo
21:25 < _FBi> and goodnight yo
21:59 < skyroveRR> Hey ecrist
22:01 < rob0> Hey, roveRR of the sky
--- Log closed Tue Dec 19 01:08:18 2017
--- Log opened Tue Dec 19 01:09:14 2017
01:09 -!- Irssi: #openvpn: Total of 320 nicks [9 ops, 0 halfops, 3 voices, 308 normal]
01:09 -!- mode/#openvpn [+o ecrist_] by ChanServ
01:10 -!- Irssi: Join to #openvpn was synced in 55 secs
01:20 < paul123> so on one client using Android the warning came up recently that the server is using md5 somehow on a cert and that thats a bad idea
01:20 < paul123> however I could really figure out on which one
01:20 < paul123> but I guess I should just re-create all certificates since they are old already anyways
01:20 < paul123> but how do I make sure that it doesnt use MD5 for something again?
01:21 < paul123> or is that the default if I get EasyRSA today and do everything with default settings?
01:34 <+hyper_ch> by default, easy rsa uses 2048bit rsa
01:39 < paul123> hm I guess I generated those certs 3-4 years ago
01:39 < paul123> I guess stuff was different back then?
01:40 < paul123> I just want to make sure I dont go regenerating everything now and then it turns out to be the same thing...
01:49 < bhenc> paul123: you want to look at the crt files that easyrsa creates
01:50 < bhenc> paul123: cat test.crt | grep "Signature Algorithm"
01:50 < bhenc> Signature Algorithm: sha256WithRSAEncryption
01:50 < paul123> ok, can I just look into these with text editor?
01:50 < bhenc> yes
02:00 <+hyper_ch> easy rsa also used 2048bit rsa 3-4 years ago
02:31 < paul123> hm weird
02:32 < paul123> I just tried to run build-ca.bat
02:32 < paul123> but it acts like there are invalid parameters, just printing the syntax
03:40 < hannesDB> hi ordex, or any one else, I was asking yesterday about an issue I have with clients using version 2.4.0 and up, connecting to an 2.3.2 version openvpn server. when several 100MB's of data are being transferred, the connection gets closed without any logging on the client side. On the server side I get "TLS Error: local/remote TLS keys are out of sync:"
03:40 < hannesDB> so it seems the connection is being cut on the server side.
03:41 <@ordex> interesting..I Wonder if this is some bug on 2.3.2 that has been fixed later
03:41 <@ordex> could you upgrade to the latest 2.3.x ?
03:48 < hannesDB> I was allready working on that :D
03:48 < samael> is it possible to push comp-lzo from the server and explicitly remove it from the client conf?
03:54 <@ordex> samael: the client must have the compression enabled at least
03:54 <@ordex> check --compress (and forget comp-lzo
03:54 <@ordex> )
03:56 < samael> i have a brand new server running on 2.4.0, at first i tought it was a good idea to use (and push!) lz4-v2, but then i have v2.3.4 clients which seem not happy with it.
03:57 < hannesDB> ordex: since we are running ubuntu 14.04 LTS, the 2.3.2 version is the last version in the repo... but ubuntu has the habit of backporting patches of newer versions so they stay at the version they released (at least that's the idea I have)
03:58 <@ordex> hannesDB: dunno to be honest. 2.4 has the same codebase as 2.3, therefore I presume what you are seeing is a bug that has been fixed
03:58 <@ordex> maybe you can force the key renegotiation on the server
03:58 <@ordex> to workaround the issue
03:58 < samael> i have no problem forcing comp-lzo for now to make them work, but i'd like to push it instead of explicitly hardwire the comp-lzo option in the client conf. this way i can wait until all the client are updated to a recent openvpn version, then start to push lz4-v2 from the server without having to change the conf on all clients.
04:01 <@ordex> samael: as I said, you need clients to activate the compress framework at least
04:01 <@ordex> then you can push the algorithm from the server
04:01 < samael> ordex: i'm just RTFM-ing. that's good, thanks for the pointer
04:01 <@ordex> samael: check the manpage for --compress and --comp-lzo
04:01 <@ordex> it talks about this aspect
04:01 <@ordex> good!
04:14 < samael> better yet, it seems that i can enable the compression in the server conf, then push different compression settings to clients via their ccd file. that is awesome
04:22 <@ordex> samael: right, but again, the client must enable the compression frame first (this is what the manpage meant with using comp-lzo no or just compress)
04:39 < Wulf> Good Morning!
04:39 < Wulf> I quite often encounter MTU problems with openvpn. One setting which always works seems to be "mssfix 1200" or so. But is there a better / correct option?
05:30 < meffe> question.. is there an easy way of tracking/measure the amount of data openvpn is using/have been using?
05:31 < BtbN> iftop?
05:31 <@ordex> I think the stats from the tun interface should suffice?
05:32 < meffe> BtbN: iftop will only give me the current usage - right?
05:37 < meffe> ordex: wow, why didnt i think of that.. that was easier then i thought. but yeah, it should cover all data TX/RX from/with the openvpn -- correct?
05:39 <@ordex> it depends on what you want to measure
05:39 <@ordex> if you want the total, yes, you have to sum them up
05:39 <@ordex> it's just like any other interface at this point
06:26 -!- You're now known as ecrist
09:41 < PereP> hi people
09:42 < PereP> I have a problem running openvpn as a service...
09:42 < PereP> it only seems to pick up the first .conf file inside /etc/openvpn (I have two)
09:44 < PereP> strangely, the non-loaded .conf setup works fine when started with $ openvpn offendingfile.conf
09:44 < vectr0n> what os?
09:45 < PereP> ubuntu
09:45 < havoc> my guess is a systemd issue, where the missing conf hasn't been "enabled"
09:45 < PereP> I have to check if 16.04 or 17.10
09:45 < vectr0n> systemctl enable openvpn@<filename> so if /etc/openvpn/fw1.conf <filename> would be fw1
09:46 < PereP> 16.04.3 LTS
09:46 < vectr0n> same applies
09:46 < havoc> PereP: find /etc/systemd/ -iname "*openvpn*"
09:47 < PereP> thanks vectr0n, I'll take a look at it
09:47 < PereP> same to you, havoc
09:47 < havoc> you're welcome; that'll show you what confs are enabled
09:47 < PereP> my suspect was something related to "that", but... you know
09:49 < PereP> taking a look at that file I can't find the answer, havoc
09:50 < PereP> it says Type=oneshot, WorkingDirectory is the proper one, and some other parameters
09:51 < PereP> tried the recipe by vectr0n and a symlink has been sucessfully created
09:51 < vectr0n> now you can use start/stop w/ openvpn@<whatever>
09:52 < PereP> well was trying restart xDD
09:53 < vectr0n> restart should of worked, if not check your log files and see where it got hung up
09:54 < PereP> hmm... restart doesn't seem to work; I'll try a "hard" stop/start and will see...
09:59 < PereP> there should be one virtual interface per connexion, right?
10:01 < rob0> per openvpn instance, yes
10:01 < PereP> I'm running it as a service, with a couple of .conf connection files
10:05 < PereP> strange... I don't see any references to the offending connection on the syslog
10:17 < PereP> ovpn-whatever[31546]: event_wait : Interrupted system call (code=4)
10:17 < PereP> ovpn-whatever[31546]: Closing TUN/TAP interface
10:19 < PereP> ok, sorry... I just discovered I have to manually start this *new* openvpn service with its own name
10:20 < PereP> I thought all of them would start with a simple systemctl start openvpn
10:20 < PereP> so problem solved (at least until I restart the server -- I'm not sure if it has been properly configured to autostart on init)
10:42 < PereP> thanks a lot for helping, vectr0n and havoc ;)
11:41 < PereP> bye all!
14:03 < darthhomey> hi peeps, anyone know what these errors mean:TLS Error: incoming packet authentication failed from [AF_INET]<ip-adress:port>
14:04 < darthhomey> Authenticate/Decrypt packet error: bad packet ID (may be a replay)
14:28 < Alcap> !goal
14:28 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:28 < Alcap> !welcome
14:28 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
14:28 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
14:30 < Alcap> Hi guys. I have successfully set up openvpn in a jail on FreeBSD and I’m able to connect with my Mac with tunnelblick to it without any issues
14:31 < Alcap> However, my android cannot connect to the openvpn (using android connect)
14:31 < Alcap> I get a “TLS error: The server has no TLS ciphersuites in common with the client” on the logs
14:32 < Alcap> I’ve tried disabling the tls-ciphers on the configuration and also adding a TLS cipher that the client tries to negotiate with the server (I validated this using tcpdump)
14:32 < Alcap> can anyone help me troubleshoot this issue further?
14:33 < Alcap> !paste
14:33 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
14:33 <@vpnHelper> also nice, or (#3) <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
14:35 < Alcap> I have also forced the AES-CBC ciphersuites on the openvpn client
15:18 < cybex_> hi all. I am using archlinux and am executing openvpn with pkexec, but it gives an error /etc/openvpn/update-resolv-conf: no such file or directory. It does exist, and has the correct permissions 0755 and owner root:root. Thoughts?
16:12 -!- LocaMocha is now known as TamePikachu
19:10 < currybullen> i'm using the openvpn app on android and i'm getting the warning that the server certificate is signed using md5. the server i am connecting to is my own, and from what i can tell the certificate is signed using sha256
19:11 < currybullen> do i also need to change something else in the server configuration?
19:15 <@ordex> currybullen: are you the guy that opened the post in the forum?
19:16 <@ordex> currybullen: I'd like to see this myself, could you please upload thr server cert somewhere ?
19:16 < currybullen> no
19:17 < currybullen> hang on
19:17 <@ordex> sure
19:18 < currybullen> https://ptpb.pw/6kgW
19:19 < currybullen> oh wait
19:19 < currybullen> there is supposed to be a bunch of data before BEGIN CERTIFICATE right?
19:20 <@ordex> nah does not matter
19:20 <@ordex> that's encoded in the base64 blob
19:20 < currybullen> oh
19:20 <@ordex> ok I see
19:21 <@ordex> this is the server certificate, right? not the client
19:21 <@ordex> I will perform some tests
19:21 <@ordex> and see if I understand how to fix that
19:22 < currybullen> openssl x509 -in server.crt -noout -text | grep "Signature Algorithm"
19:22 <@ordex> yeah seen that
19:22 <@ordex> this should not trigger a warning
19:22 < currybullen> i ran this command and it returned "Signature Algorithm: sha256WithRSAEncryption"
19:23 <@ordex> yeah
19:23 <@ordex> correct
19:23 < currybullen> so could this in any way be a server config error?
19:24 <@ordex> no
19:24 <@ordex> it
19:24 <@ordex> it's likely a bug in the app
19:24 <@ordex> we had other reports
19:25 < currybullen> i see
19:25 <@ordex> not many
19:25 <@ordex> but some people have reported that
19:25 <@ordex> so this seems to be some kind of bug
19:28 < currybullen> well it only just started happening recently
19:28 < currybullen> although maybe the warning message was pushed out recently as well
19:31 <@ordex> right
19:31 <@ordex> it has been implemented recently
19:44 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 248 seconds]
20:42 -!- Wulf4 is now known as Wulf
22:05 < Wintereise> Guys, what format is expected for inline pkcs12? I tried base64, no go.
22:12 < Wintereise> Not sure what other option is available to encode binary data into a text file
22:13 < Wintereise> > Wed Dec 20 12:58:47 2017 Error reading inline PKCS#12 file: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
22:13 < Wintereise> Which is expected, openssl pkcs12 -info also says the same with base64
22:30 < Wintereise> > When using the inline file feature with --pkcs12 the inline file has to be base64 encoded. Encoding of a .p12 file into base64 can be done for example with OpenSSL by running openssl base64 -in input.p12
22:30 < Wintereise> Hm, that's odd.
23:02 < pekster> Wintereise: X.509 PEM-encoded
--- Day changed Wed Dec 20 2017
10:07 -!- BoggGod2 is now known as BoggGod
11:52 -!- Wulf4 is now known as Wulf
13:39 < iodev> hi, I have a problem with OpenVPN connect, it mistakenly identifies my certificates as MD5
13:39 < iodev> (as signed with MD5)
13:39 < iodev> (I'm on android)
13:40 < iodev> but after checking with openssl x509 -text -noout -in ca.crt/server.crt/... many files
13:40 < iodev> it turns out they all are SHA256withRSA
13:42 < iodev> any way I can make this annoying alert dialog disappear?
13:42 < iodev> (it shows on every connect)
14:01 < BoggGod> iodev changing(lowering) verbosity/debug in client.conf might help
14:37 < iodev> BoggGod: it's at verb
14:37 < iodev> 0
14:37 < iodev> (zero)
16:10 < nigabyte> Hello
16:11 < nigabyte> I am using dnscrypt, and I lose DNS whenever I run openvpn
16:12 < nigabyte> Im on debian, anyone know what i can do to fix it
16:18 < BtbN> probably not much, but no idea how dnscrypt works
17:24 < D4ni3l> Hi
18:02 < analogical> did anyone of you try ProtonVPN ??
18:03 < Dougy> this is not the channel for that, analogical
18:04 < Dougy> hmm, i wonder
18:04 -!- mode/#openvpn [+v Dougy] by ChanServ
18:04 <+Dougy> cool
18:04 <+Dougy> I still got it baby
18:05 < analogical> Dougy, why not?
18:06 <+Dougy> i don't feel it is, anyway
18:06 <+Dougy> this is for support with the open source project, not for vpn service discussion. that's my personal take on it
18:06 <+Dougy> i could be wrong, will defer to an op. that's just where i sit
18:07 < analogical> in what channel can you have a vpn service discussion?
18:08  * Dougy has no idea
18:08 <+Dougy> i only hang out in a couple places here
18:08 < pekster> analogical: Discussion about paid services that use/leverage OpenVPN isn't strictly off-topic here, although interest in support it is minimal at best (see also: !provider)
18:08 < pekster> It's not really on-topic either. Neither encouraged nor banned
18:08 < analogical> I don't want support I just want to hear what people have to say about the service
18:11 <+Dougy> pekster: tks
18:12 < pekster> Dougy: no worries; it's really the requests for support that need to be redirected to the vendor. IMO anything else falls into a similar category as related networking aid/discussion that comes with VPN use (firewalls, routing, services, etc)
18:15 <+Dougy> pekster: i just suspect more people in here are like krzee and paranoid about people seeing what they are doing and as such wont use any of those services, then there are people that would
18:17 < pekster> Well, that's the irony of using any encryption to a 3rd party to relay: you're putting faith in that endpoint not to look, either because they can or due to leverage (court order, or other coercion.) Plus there's all kinds of subtle side-channel attacks, like traffic profiling based on the public X.509 details
18:18  * pekster should write up a blurb about that sometime. Outside of projects like tor, few kinds of relays are the anonymous panacea some folks seem to believe
20:07 -!- Netsplit *.net <-> *.split quits: @syzzer
20:07 -!- netwoodle is now known as noodle
20:08 -!- Netsplit over, joins: syzzer
20:08 -!- mode/#openvpn [+o syzzer] by ChanServ
20:10 -!- ohnx- is now known as ohnx
20:46 < cstk421> using pritunl for openvpn management.  Cant find where the server side configuration is.  anyone know ? the gui doesnt give me the snd rcv buffer options i need to change.
20:54 <@ecrist> Not heard of that one.
20:57 < cstk421> which do you use to manage openvpn ?
20:57 < cstk421> that was the only opensource access server manager i found
21:07 <@ecrist> cstk421: I manage them by hand, and through some scripting
22:36 -!- Wulf4 is now known as Wulf
--- Day changed Thu Dec 21 2017
00:22 -!- nbastin_ is now known as nbastin
00:26 -!- Netsplit *.net <-> *.split quits: @plaisthos
00:31 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
00:31 -!- ServerMode/#openvpn [+o plaisthos] by hobana.freenode.net
00:48 -!- Netsplit *.net <-> *.split quits: @plaisthos
01:24 -!- Netsplit over, joins: plaisthos
01:24 -!- mode/#openvpn [+o plaisthos] by ChanServ
02:04 < M1k3y> hello. I have a question. I'm connected via OpenVPN to my private server. I can access any site or service without problems, except for those hosted on the same server. When testing with curl, I get "Connection refused". Anyone knows why?
02:10 < genericsauce> having some issues with obfsproxy, anyone using this setup?
--- Log opened Thu Dec 21 11:35:20 2017
11:35 -!- Irssi: #openvpn: Total of 317 nicks [6 ops, 0 halfops, 4 voices, 307 normal]
11:35 -!- mode/#openvpn [+o ecrist] by ChanServ
11:35 -!- Irssi: Join to #openvpn was synced in 1 secs
11:35 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
11:35 -!- mode/#openvpn [+o vpnHelper] by ChanServ
11:36 <@ecrist> !ping
11:36 <@vpnHelper> pong
12:17 <@dazo> !firewall
12:17 <@vpnHelper> "firewall" is (#1) please see https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets., or (#3) Please see this for a better method to unloading netfilter (aka iptables ) rules: https://gist.github.com/QueuingKoala/6350127
12:17 <@dazo> !learn firewall as https://twitter.com/fronbasal/status/942537589017534464
12:17 <@vpnHelper> Joo got it.
12:48 <+hyper_ch> dazo: ecrist: krzee: ordex:  https://arstechnica.com/tech-policy/2017/12/iced-tea-company-stock-triples-after-adding-blockchain-to-name/
12:48 <@vpnHelper> Title: Ice tea company rebrands as “Long Blockchain” and stock price triples | Ars Technica (at arstechnica.com)
12:57 <+Dougy> lol
12:58  * hyper_ch renmaes openvpn community to open blockchain vpn
13:00 <@ordex> lol
13:06 <+Dougy>  * Yiota (~textual@2607:fea8:56df:fa6d:918d:2507:c924:331c
13:07 <+Dougy> i would not want to remember that address
13:07 <+Dougy> i thought 12 digit ipv6 addresses sucked
13:15 < DammitJim> if I vpn to a network with my laptop, what IP address would my laptop have to be accesible by others on that network?
14:30 < rob0> DammitJim, I'm a DOCTOR, not a network admin!  Ask whoever set yours up for you.
14:35 < DammitJim> LOL... I set it up
14:35 < DammitJim> I just don't remember
15:57 <@dazo> hyper_ch: .... anyone who got btc now should carefully pay attention to the price and sell before it begins to drop .... this begins to smell more and more like the dot-com buble of 2000
15:58 <@dazo> lots of new emerging start-ups which got boatloads of money "because it was the future" ..... and *poof*
22:36 -!- Wulf4 is now known as Wulf
23:32 <+hyper_ch> I should have bought bitcoin in 2012.....
23:32 <+hyper_ch> I have none
23:32 <+hyper_ch> rob0: you're The Doctor?
--- Day changed Fri Dec 22 2017
03:44 <+hyper_ch> dazo: ecrist: krzee: ordex:  VeriSign should use LetsEncrypt as well https://twitter.com/briankrebs/status/943862578740113409
04:12 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Quit: ZNC - http://znc.in]
04:20 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
04:20 -!- mode/#openvpn [+o mattock] by ChanServ
04:53 <@dazo> OpenVPN 3 Linux client released ....   https://gitlab.com/openvpn/openvpn3-linux   https://github.com/OpenVPN/openvpn3-linux  (not production ready, but ready for more widespread hacking)
04:53 <@vpnHelper> Title: OpenVPN / openvpn3-linux · GitLab (at gitlab.com)
04:54 <+hyper_ch> wooot???
04:54  * dazo runs for lunch with the family :)
04:55 <+hyper_ch> runs for indian/tibetan lunch at friend's place
06:07 -!- Chestal_ is now known as Chestal
06:42 < eigenstate> "TLS: Received certificate signed with MD5. Please inform your admin to upgrade to a stronger algorithm. Support for MD5 will be dropped at end of April 2018"
06:42 < eigenstate> Hey guys, on a CentOS box I'm having an issue with an OpenVPN instance. When connecting through the android OpenVPN app I get the above warning message, but for the life of me can't find out which cert has md5 sig and is being sent. Any ideas?
06:42 < eigenstate> I've checked and all the .crt on the server and client are signed with SHA256
07:00 <@plaisthos> eigenstate: and the ca?
07:53 <@dazo> eigenstate: you need to verify client, server and CA certificates
--- Log closed Fri Dec 22 09:08:04 2017
--- Log opened Fri Dec 22 22:52:56 2017
22:52 -!- Irssi: #openvpn: Total of 304 nicks [7 ops, 0 halfops, 4 voices, 293 normal]
22:52 -!- mode/#openvpn [+o ecrist] by ChanServ
22:52 -!- Irssi: Join to #openvpn was synced in 1 secs
--- Day changed Sat Dec 23 2017
02:49 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 248 seconds]
03:14 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
03:14 -!- mode/#openvpn [+o syzzer] by ChanServ
03:40 <@ordex> dazo: yes. it has been fixed in the latest release
03:41 <@ordex> eigenstate: the latest release of Connect for Android should have solved the problem
06:03 -!- eblip is now known as eb0t2
09:53 < iodev> hi everyone! :D
14:01 < eelstrebor> is there a way to give priority to openvpn connect on android phones? i want openvpn to startup faster - it generally takes about 2 minutes before it tries to connect to the server
14:01 <@ordex> eelstrebor: 2 minutes? something must be wrong with your phone then :S
14:07 < eelstrebor> it happens on both android phones and tablets
14:08 < eelstrebor> kinda of annoying when trying to do something and then have the openvpn window pop up showing that it's trying to connect
14:10 <@ordex> eelstrebor: not sure what to say...the connect app by itself is very small and light
14:10 <@ordex> it starts here in less than half a second and then i connect in a similar amount of time
14:20 <@ordex> this sound smore like an android problem, not related to the app by itself
18:01 < zpool> Hello
18:01 < zpool> How can I determine if compression is working?
18:01 < zpool> Server: pfsense 2.4.2 / openvpn 2.4
18:01 < zpool> Client: Viscosity macOS
18:01 < zpool> Server is configured to push lz4-v2
18:02 < zpool> Viscosity has Compression: Automatic
18:02 <@plaisthos> compression is becoming less and less important
18:02 < zpool> Why so?
18:02 <@plaisthos> stuff is already compressed (big downloads) or encrypted (https) or both
18:02 <@plaisthos> in both cases compression does not help
18:02 < zpool> You're right. Hmm
18:03 <@plaisthos> but if you want to try just put a file with a lot of zeros or something else on a server and check the speed
18:03 <@plaisthos> just for normal internet traffic you won't gain much if at all
18:07 < zpool> "There’s also a newer version of LZ4 named lz4-v2 which is even better, but currently neither the OpenVPN Connect application for iOS nor Viscosity support it."
18:07 < zpool> – https://ruimarinho.github.io/post/configuring-a-secure-openvpn-2-4-server-with-docker/
18:07 <@vpnHelper> Title: Configuring a secure OpenVPN 2.4 server with Docker - Data at rest - Rui Marinho (at ruimarinho.github.io)
18:07 < zpool> (September 2017)
18:07 < zpool> Okay.
18:17 < zpool> Thanks, plaisthos!
18:17 < zpool> I'll now go back to where I came from.
18:18 <@plaisthos> hm lz4-v2 should be suported in all 2.4 openvpn
18:18 <@plaisthos> we just forgot to document it
18:18 < zpool> I guess guys at Viscosity need to just add the option?
18:19 < zpool> What about the OpenVPN Connect iOS app though
18:19 <@plaisthos> if you push it from the server the client accepts it you are fine
18:19 <@plaisthos> you even see in the server log if the client supports it
18:19 <@plaisthos> Dec 24 01:06:54 hermes ovpn-aead-v6[18195]: 2a01:598:a807:bdf2:a055:314c:3ece:8721 peer info: IV_LZ4v2=1
18:28 < zpool> plaisthos: Perfect.
18:28 < zpool> I see the same in logs when connecting from viscosity
18:28 < zpool> However, I do not see any compression related entry when connecting from OpenVPN Connect (iOS)
18:30 < zpool> IV_GUI_VER=net.openvpn.connect.ios_1.1.1-212, : IV_VER=3.1.2, IV_PLAT=ios,o: IV_NCP=2, TCPNL=1, IV_PROTO=2
18:30 < zpool> "WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'"
18:35 < zpool> I have to go. Thanks plaisthos. Good to have learnt this stuff.
18:35 < zpool> I'm coming my people!
20:47 < adonis> Hi all, how do I configure openvpn to give me an ip on the same network as the ovpn server Im connecting to? Reason I ask is I have a multiplayer lan game which only works on the network its running on.
20:48 < adonis> so a game client on the remote site is running on 192.168.1.x. When I connect via vpn I want my address assigned to also be in 192.168.1.x. I tried to do it but I get issues.
20:54 < pekster> You'll need to setup a bridged connection for that, where the VPN interface uses tap (vs tun) which operates at the Ethernet level. Normally that's less recommended, but in your case it sounds required due to the apps/protocol you're using
20:54 < pekster> !tap
20:54 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the
20:54 <@vpnHelper> protocol uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#6) also look at !tunortap
20:55 < adonis> pekster: yup. I have tap configured already. Does making it a tap connection automatically give me a bridged connection?
20:55 < pekster> No, you need to set up the bridge yourself, which varies depending on your OS/distro
20:55 < Eugene> !bridging
20:55 <@vpnHelper> "bridging" is (#1) Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you, or (#2) See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
20:55 < adonis> im looking at the server-bridge directive.. seems I "can" use that
20:56 < Eugene> You probably don't actually want a full bridge. If all of the clients are joined to OpenVPN via TAP, you have what you want
20:56 < Eugene> (a broadcast domain share by all clients)
20:56 < Eugene> You don't need to extend that into the physical LAN for any reason
20:56 < adonis> Eugene: In my case the clients are not all on vpn
20:56 < pekster> True, you only need a bridge if you also need to expose the server-side LAN. Even if a LAN client wants to be on the L2 broadcast domain, it can still just join the VPN itself
20:57 < adonis> the use case is more I have a client on the remote lan.. and someone vpn in to get access to the lan
20:57 < Eugene> In any case, yes, you would need to set up the bridge device yourself. THere are pre-written wrapper scripts that may or may not do what you want
20:57 -!- mode/#openvpn [+v Eugene] by ChanServ
20:57 <+Eugene> I always set up bridges manually when I need to do this, because its a one-off
20:58 <+Eugene> Oi, that tickles
20:58  * pekster pulls strings
20:58 < pekster> Plus it can't hert to set some folks up in case one of the spam-attempts lands here and +m is a quick-fix
20:59 < pekster> I prefer +q $~a, but hey, lots of methods. opers are doing a good job mitigating the junk though
20:59 < adonis> thanks guys. I'll read up on the links you gave.
20:59 <+Eugene> I have un-identified users ignored in my IRC client. Solves the problem nicely.
21:00 <+Eugene> And WebIRC. I hate that.
21:00 < pekster> I set +R when I need, but I find a client /ignore using a pattern or regex max works well, and also stops public channel spam as a bonus
21:51 < mipple> hello, I am having an issue with the openvpn tool in Debian, it happens that when I stick a socks-proxy directive for Tor, I get connection timeouts
22:01 < mipple> like, most of the free vpns work fine if I connect over a conventional household NAT connection, but if I use the Tor socks proxy, it no longer connects successfully
23:21 < pekster> mipple: If you're getting simple timeouts on the client end that's going to be impossible to diagnose without servers logs (which it appears you don't have access to.) It could be tor exits are explicitly blocked, though it's impossible to say
23:22 < mipple> pekster: would you advise then I run a private OpenVPN server, and connect to it over Tor to debug my connection issues?
23:23 < pekster> What good would that do, beyond demonstrate you can accept tor connections if you don't explicitly block them?
23:23 < pekster> A tor exit node is selected based on the node's policy, so it own't pick one that isn't willing to present your traffic to the plaintext net
23:24 < mipple> pekster: wouldn't it give me access to the server logs?
23:24 < pekster> The server of your service? No, it'll give you access to _your_ server
23:24 < mipple> pekster: are you saying that Tor Project has large numbers of exit nodes censoring OpenVPN?
23:25 < pekster> Other way around, it would appaer
23:25 < pekster> These "free VPNs" as you call them apparently do not like anonymous connections, which is understandable. Chances are good they want more useful IPs in case of abuse to report
23:26  * pekster chuckles a bit at all these folks using "anonymous" VPNs since every connection is cryptographically verified to come from the owner of the certs and/or username presented. It's not anonymous at all, and only as masquerading as the records themselves are
23:27 < pekster> Tor is an anonyminity tool. VPNs are explicitly an _authenticated_ peering
23:27 < mipple> pekster: you would say then that the issue is because most Tor exit node's IPs are on the blacklist of free VPN operators?
23:27 < pekster> That was my comment, yes
23:43 <+rob0> For some strange reason, people trust their VPN providers more than they trust their ISP.
23:47 < mipple> rob0: or even some more then public wifi, sometimes VPNs are in fact far less safe it is seeming
23:49 < mipple> like if you use bitcoin over a VPN paid for with a cc, your identity is easily tied, but if no VPN, just public wifi, and SSL is used, you may actually be safer
23:50 <+rob0> yep, more difficult to track, anyway ("safer" might not be true because there are different possible threats)
23:50 < pekster> Related, lots of browsing
23:50 < pekster> Erm
23:51 < pekster> Lots of browsing "features" make you quite trackable. See: https://panopticlick.eff.org
23:51 <@vpnHelper> Title: Panopticlick (at panopticlick.eff.org)
23:51 < pekster> And that's before you even get into things like IPs, SLAAC IPv6 (without Privacy Extensions,) and all kinds of other subtle tricks
23:52 < pekster> Ideally, 1) come up with a threat model for issues you're concerned about, 2) research solutions & mitigation technology & services, and 3) identify which combinations of #2 help the threat model
23:52 < mipple> IPv6 I think is find without privacy extensions, if the MAC was already spoofed from the get-go
23:52 < pekster> Sort of, unless your threat model includes tracking
23:53 < mipple> pekster: can you expand on that?
23:53 < pekster> Any MAC, device or custom-set can be identified as the same devices if its SLAAC host component makes 2 hits from unique networks
23:54 < pekster> The whole point of PE is that it rotates it on regular intervals, essentially automating any "switching of your MAC" without having to actually do that
23:55 < mipple> what is SLAAC ?
23:55 < mipple> oh wait, nvm
23:55 < mipple> pekster: tracking can be fine, provided it doesn't go far enough
23:56 < pekster> And you trust every website operator and other service (or even router-hop along your path) to not go far enough? If NN rules are really relaxed, it'll even be legal to blatently use that to do all sorts of revenue-generating 'things' with that data
23:57 < mipple> pekster: frankly I don't, but I would say its mostly a matter of "capital" like a business may have capital in the form of reputation, public relations, and of course, money
23:59 < mipple> provided they aren't blackmailed into losing any such valued items, they will act to defend them, however as we all know, major telecommunications exchanges have been given what many of us see as rather intrusive and unjustified warrents allowing passive wiretapping of our information exchanged
--- Day changed Sun Dec 24 2017
00:00 < mipple> pekster: back to the smaller stuff though, OpenVPN over Tor, do you know any vpn operator who happily invites it?
00:00 < pekster> Nope, I'm happily ignoring most of the VPN-as-a-service things as I have no use for them
00:01 < mipple> pekster how do you get fairly anonymous quality internet?
00:01 < pekster> Tor, when I need it
00:03 < pekster> Using tor via a VPN hop: might be fine. Using a VPN over tor is a pretty silly idea with any kind of authentication, as it almost completely negates the benefits of tor's onion model
00:12 < mipple> pekster: it hides your IP from the VPN operator though, doesn't it?
00:12 < mipple> in which case would seem to not completely negate tor's onion model benefits
00:13 < pekster> I suppose, but the problem is that something you visit has a way to trace that back to the egress (the VPN service) which can quite possibly connect that to an account
00:13 < pekster> Again with the threat-model component of security design
00:14 < mipple> pekster: not if you connect over Tor though, is that incorrect?
00:14 < mipple> if you have an account paid for/arrange pseudoanonymously
00:14 < pekster> Even if you do. You -> tor -> VPN service -> some-Internet-thing
00:14 < mipple> no, You -> VPN service -> Tor (OpenVPN uses the tor socks proxy)
00:14 < pekster> some-Internet-thing can report the abuse to the public presense, and they may be willing to provide details of the connection/account it originated from if compelled to do so
00:16 < mipple> if OpenVPN uses the socks connection, and OpenVPN is not vulnerable to attack, and you arranged the account using a prepaid card, and you made the VPN account and paid, over Tor, never connected to the VPN without Tor, wouldn't it be far more difficult to associate you as a legal person with the traffic the VPN server operator has
00:16 < pekster> If OpenVPN _uses_ a proxy via tor, you're doing you -> tor -> VPN -> Internet
00:16 < pekster> Your anonymonity is only as secure as the VPN provider makes it, at that point
00:17 < mipple> pekster: how did the VPN operator get your IP?
00:17 < pekster> Not IP; account
00:18 < pekster> I never said they had your IP. I said they could "quite possibly connect that to an account." How secure that is depends on the _rest_ of your chain
00:18 < mipple> yes, and I was saying you created the account over Tor, with a prepaid card
00:18 < mipple> like at that point, their website, with you on Tor Browser
00:19 < pekster> Yea, I get it. I just fail to se the benefit of doing that over just using tor
00:20 < mipple> pekster: higher-quality IPs, many Tor Exit nodes are blocked, or sometimes people run bots, which result in reduced quality of service to websites (at one point I remember google got heavy bot traffic leading to capatchas not even being available)
00:21 < mipple> with a paid-for IP, its less likely bots are using it, and so other websites won't disown your IP due to excessive bad traffic
00:21 < pekster> It just seems a lot of trouble to go through. Keep in mind some sites are very permissive of tor. Freenode for one, and Facebook is another (they not only have a hidden-service, but also got an EV-cert for the .onion domain)
00:21 < mipple> pekster: I was thinking sites like netflix
00:22 < pekster> That's kind of a waste of tor's network :\
00:22 < mipple> and I would ideally like them to not even know I'm using Tor
00:22 < mipple> pekster: I'm willing to donate what ever would cover the infrastructural costs Tor burdens from my activity
00:23 < pekster> And you're worried that whatever you're doing on Netflix is so troublesome that tor may contact the VPN egress you're using and demand to know who you are by account, IP, and/or payment details?
00:23 < pekster> I mean, whatever, use the combination of tools that meet your threat criteria. I clearly don't have a good picture on what you want, and I really don't need one either
00:24 < pekster> s/tor/they/
00:25 < mipple> pekster: I was refering to GEO-IP blocking, like a government censors a movie
00:25 < mipple> using a quality VPN in a country like the US, can easily allow you to watch movies as if you were in the US
00:25 < pekster> Yes, has nothing to do with tor though
00:25 < mipple> I take my privacy seriously
00:26  * pekster shrugs. A bit like swatting a fly with a wrecking ball, but I suppose that "works" too
00:26 < mipple> using Tor makes it so the government, should they use an inexpensive way to comb through many people and have records laying around of what I do, using this setup would pose far superiour anonymity
00:26 < mipple> and if I can do it, I can show others how to do the same easier
00:28 < mipple> pekster: clearly you do not put a similar premium on anonymity, privacy and security that I do
00:29 -!- mode/#openvpn [+o pekster] by ChanServ
00:29 <@pekster> Enough of telling me what I do and don't think
00:29 < mipple> ok
00:30 <@pekster> Thanks. Questions about OpenVPN and related conversation is still permitted and welcome here, btw. Feel free to stick around
00:31 -!- mode/#openvpn [+v-o pekster pekster] by pekster
05:05 < iodev> pekster: hi, I have  a question
05:05 < iodev> so I have a VPN on a VPS, and I know it's not anonymous, should I use both VPN & TOR?
05:05 < iodev> and will my host see that I use TOR? they have something in their terms against piracy/running a exit node :)
05:29 <+pekster> You connect to your own VPS from another client device? By itself your connections would appear to be originating from the VPS. If you act as a tor client that's separate from being an exit or relay node
05:30 -!- mode/#openvpn [-v pekster] by ChanServ
05:31 < iodev> pekster: yes, I connect from my Linux device to the VPN, and yes they appear as orig from VPS
05:32 < iodev> I see, but can using tor really improve privacy?
05:32 < iodev> can it really make me anonymous?
05:33 < pekster> Used correctly, yes. In your case (vs the case discussed above) since you run the VPN, using tor before or after your VPN you don't gain much over just using either tor from your client or your VPN
05:34 < iodev> so what should I do to gain more?
05:36 <@ordex> iodev: if your goal is only pure anonimity, why not just using tor?
05:36 < pekster> https://www.torproject.org/about/overview.html.en#stayinganonymous
05:36 <@vpnHelper> Title: Tor Project: Overview (at www.torproject.org)
05:39 < iodev> ordex: because it's kinda slow
05:39 < iodev> I would like to be anonymous, but I need to get at least 50 mbps :D
05:39 <@ordex> iodev: that's what you have to pay to be anonymous that way
05:42 <@ordex> if you trust your vps provider, then you could use the vpn and get higher speed, but you have to accept the risk of trusting the provider. it's all about what you need to achieve
05:48 < iodev> ordex: I kinda trust them
05:48 < iodev> I'm aware of this, I've already accepted the risk
05:48 < iodev> (this is the setup i'm using right now()
07:03 <+rob0> pekster, PM?
07:03 < pekster> Go for it
07:45 < iodev> Anyway, could I, as a C dev help openvpn?
07:47 < pekster> Hackers welcome. There's both a mailing list and development channel, if you're vying to get more involved
07:50 < pekster> Ah, here's the wiki entry: https://community.openvpn.net/openvpn/wiki/Contributing , with a link to some more technical developer info
07:50 <@vpnHelper> Title: Contributing – OpenVPN Community (at community.openvpn.net)
07:57 < iodev> ordex: turns out, as soon as I enter into an account (that asked for my address)
07:57 < iodev> my anonimity is compromised (and I'm not gonna make up fake identities)
07:57 <@ordex> iodev: sure. you are trusting the entity that now holds your information
07:58 < iodev> I mean email, or paying with card, and so on :D
07:59 < iodev> by the way, what do you people do when you want to login onto your home bank, do you just use the vpn or not?
08:05 <@ordex> i trust the end-to-end encryption
08:05 <@ordex> which is way more important than any other underlying layer
08:06 <@ordex> iodev: why would you want to use a vpn in that case?
08:06 <@ordex> to not tell the bank where you are connecting from ?
08:07 < iodev> to protect my connection to the bank
08:07 <@ordex> the vpn does not protect the connection to the bank
08:07 <@ordex> it protects the connection over your isp up-to your vpn server
08:07 < iodev> what if I'm on a public wifi and wanna home bank?
08:08 <@ordex> what i said above: in this case the vpn would protect against your isp (the free wifi), so it may be reasonable
08:08 <@ordex> but
08:08 < iodev> but, the bank will see another country and get worried :D
08:08 <@ordex> the end-to-end encryption should already protect against that too
08:08 <@ordex> another country ?
08:09 < iodev> oh, bank got end-to-end :D
08:09 < iodev> ordex: well you do not put the VPN in same country :D that's just nuts :D
08:09 <@ordex> well, https to the bank is end-to-end
08:09 < iodev> right :-) RSA/EC\
08:09 <@ordex> not sure what "same country" means. same as what ?
08:09 < iodev> well, if you're in USA, you get a VPN in canada/europe, for privacy's sake :D
08:10 <@ordex> anyway, it all boils down to "what you want to protect against"
08:10 < iodev> otherwise you accomplished nothing, zip, nada.
08:10 <@ordex> there is no absolute best practice
08:10 <@ordex> i don't think so
08:10 <@ordex> it depends on the situation
08:11 <@ordex> and, again, what you are trying to protect against
08:12 <@ordex> if you use always the same VPN, do you think you are still anonymous ?
08:12 <@ordex> of course, it depends
08:12 < iodev> ISP snooping around :D
08:13 < iodev> no, not anonymous
08:13 < iodev> that's why I was asking about tor and so on
08:13 <@ordex> if you don't want your ISP to see where you are connecting to, then yes, the VPN will help against this
08:13 <@ordex> (assuming you trust your VPN provider more than your ISP)
12:33 < mipple> ordex: any idea reguarding usage of OpenVPN over Tor
14:56 <@ordex> mipple: what do you mean?
18:56 < infinisil> Um, question, I think i set up openvpn correctly (about), shouldn't there be a tun0 interface or something in my client now?
18:57 < infinisil> I only see a tun0 on the server
18:59 < pekster> If the connection completed successfully on the client you should see a tun device, although the name can change depending on the value of the --dev option (you can select any interface name you wish)
18:59 < infinisil> Hmm, I don't see any tun0 interface (with ifconfig)
19:00 < pekster> Is this a Linux distro?
19:00 < infinisil> Yes
19:00 < pekster> Try `ip addr` instead
19:00 < infinisil> Oh yup, it's there
19:01 < pekster> `ifconfig -a` might have shown it too, but try to move away from ifconfig as it doesn't do everything modern networking on Linux requires/offers
19:01 < infinisil> Oh good to know, thanks
19:03 < infinisil> Hmm, I'm still not sure if openvpn can really do what I need
19:05 < infinisil> I have a server with a public IP and 2 machines in a local network behind a NAT. I want each machine be able to talk to each other via a fixed IP (10.8.0.{1,2,3}). Optimally traffic between the 2 machines in the local network wouldn't go to the server machine.
19:06 < infinisil> Is this the kind of thing OpenVPN can do? I don't have a lot of experience with VPN's
19:07 < pekster> Not using the VPN IPs on 10.8.0.0/24, but you could set up a site-to-site VPN where a single host in the LAN connects to your server and then the server could access the LAN systems by their actual address
19:07 < pekster> There's a workflow for that, at !clientlan
19:13 < infinisil> pekster: Hmm.. :/
19:14 < infinisil> The ip's in the local network might change, and sometimes one of the machines in the local network might connect from outside (it's a laptop)
19:14 < pekster> The laptop could just join the VPN to the server when outside, although then the local systems would need to use the IP on that network to reach it then
19:14 < infinisil> I see there's client-to-client
19:15 < pekster> client-to-client just bypasses the server's firewall and let's openvpn directly "route" the traffic, verses letting your OS kernel do it
19:15 < pekster> Also, IPs changing can be fixed with a DHCP reservation or static IP
19:16 < infinisil> I kinda don't want to involve the router in this
19:16 < infinisil> I don't fully understand what you're saying admittedly
19:16 < pekster> Then you probably can't get what you want as routing and reservations are pretty much going to require that
19:17 < infinisil> Hmm right, it needs some way to know the 2 clients are in the same network
19:17  * infinisil thinks about that
19:18 < pekster> You _can_ run DNS and/or DHCP on a system that's not the router, if that helps. Same for the client-side VPN, which means you'd just need the return-route on the default gateway to send the server-VPN network to the local VPN endpoint
19:23 < infinisil> pekster: Oh, you mean to e.g forward DNS requests to the behind-the-NAT network, which then spits out its local machines addresses, which can then be used to directly connect within the behind-the-NAT network
19:26 < infinisil> Well I think it's probably cleaner to involve the router on second thought, it is after all the thing that connects the local machines
19:26 < infinisil> (and less complicated*
19:28 < pekster> Right
19:29 < infinisil> So I'll set up static ip addresses, then use some ifconfig option in openvpn
19:34 < infinisil> And I think I should use TLS mode, because using a static key seems to prevent me from using certain stuff I need
20:40 < mipple> ordex: I have been talking to people who have stated that OpenVPN does not work over Tor under normal conditions, now I am working on testing its feasibility
20:46 < pekster> I don't think anyone told you that won't work. OpenVPN over TCP is generally a bad idea (see: !tcp for why) but it'll work fine provided your endpoint doesn't discriminate based on the source
22:01 < noregret> when an ovpn profile is connected in windows 10, shouldn't all system traffic go thru the tap interface by default?
22:03 < pekster> "profile"? If you've connected and are using (or pushing) the --redirect-gateway option, that will generally be the case. Check your logs if you're unsure (using --verb 4 and look for the received options)
22:03 < pekster> Also, best not to use tap unless you know you need it:
22:03 < pekster> !tunortap
22:03 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
22:03 <@vpnHelper> rooted/jailbroken) support only tun
22:04 < mipple> !tcp
22:04 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
22:07 < mipple> pekster: I would say that the reasoning that the integrity-assurance protocols in tcp become redundant as tunnels are added, but do you have another means of being able to use any software tool over Tor with similar quality to a private residential gateway?
22:09 < mipple> because my interest in OpenVPN over Tor is to hide from the VPN vendor, an IP address, which while the redundant tcp is sub-optimal, I haven't found a better way
22:09 < pekster> There isn't one, using tor. Further, there are plenty of documented discussions and code changes specifically designed to reduce the impact of abusive high-bulk transfers on the Tor network
22:10 < pekster> IIRC there was even a rather lengthy whitepaper in the late 2000's discussing that exact problem
22:11 < mipple> pekster: I was also looking for a pay-for-privacy sort of thing where I could pay Tor Project to hide a 100T connection
22:11 < noregret> pekster: https://bpaste.net/show/8d569dcabc27 - that's the config
22:12 < pekster> noregret: Without seeing the server config it's not possible from that to say what's getting pushed, but 'client' (line 1) will pull whatever directives the server sends. These are visible at 'verb 4' if you want to look over what options the server sent
22:14 < noregret> pekster: https://bpaste.net/show/3170ff16d6e2
22:14 < pekster> Right, see line 15. The client will add two routes to override your eisting default gateway (using 0/1 and 128/1)
22:15 < noregret> got it, thanks!
22:15 < pekster> See also --redirect-gateway in the manpage that describes the operation (and options) in more detail
22:15 < noregret> i can always confirm by checking out the routing table on the client, but i keep forgetting to =)
22:16 < mipple> pekster: is there a sort-of TCP lite which OpenVPN can use, which would strip alot of the TCP protections which are unnecessary with the underlying architecture being TCP?
22:16 < mipple> and still work on Tor
22:18 < pekster> No. TCP follows the rules specified in RFC793. Doing otherwise would no longer be TCP.
22:20 < mipple> pekster: yes, but to what capacity does Tor enforce TCP
22:21 < pekster> TCP is enforced by the kernel. If you want to compile a custom kernel to violate the standards of the existing Internet, this has virtually nothing to do with OpenVPN
22:22 < pekster> I'm uninterested in helping you do such a silly thing, although there are probably channels for learning about how the kernel operates and what exactly you'd need to change to do what you propose. It's likely to break a lot and be very technically complex
22:23 < mipple> pekster: ok
22:25 < mipple> pekster: what problems would say OpenVPN is best applied to?
22:26 < pekster> The ones I don't get hilighted for every time a random thought comes into your head
22:27 < mipple> it may not appear organized, but this is all part of a small project
--- Day changed Mon Dec 25 2017
13:54 < BoggGod> !tcp
13:54 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
21:30 -!- LocaMocha is now known as Sauvin
22:15 < Darkclaw> hello, what's the best way to run openvpn as non-root in FreeBSD?
22:34 < iodev> Darkclaw: don't you have user nobody; group nogroup?
22:34 < iodev> $ groups nobody
22:34 < iodev> nobody : nogroup
22:34 < iodev> ^ run this command Darkclaw
22:38 < Darkclaw> I'm currently running freebsd and was hoping there was an easy way to run openvpn without root
22:40 < iodev> Darkclaw: nobody, nogroup should exist in any UNIX system
22:41 < iodev> ahh, wiat you timed out, and didn't see my messages
22:41 < iodev> Darkclaw: also, you could always use something else
22:50 < Darkclaw> sorry about that
22:51 < iodev> Darkclaw: in shell type "groups nobody"
22:51 < iodev> this will check if user exists
22:51 < Darkclaw> yes, that exists
22:52 < iodev> Darkclaw: paste here output
22:52 < iodev> mine says nobody : nogroup, yours?
22:53 < Darkclaw> it just says nobody
22:53 < iodev> nobody: nobody?
22:54 < Darkclaw> literally just nobody
23:15 < Darkclaw> sorry I got disconnected, not sure if my question got answered. I am running openvpn and notice when it's running, all connections from the box is going through the tunnel. I would like to have it so that only the applications that use the tun interface use it instead of the entire server. can this be done?
23:16 < iodev> Darkclaw: just nobody?
23:16 < iodev> no group?
23:16 < Darkclaw> just nobody
23:16 < iodev> okay, Darkclaw then use in your openvpn server config/client config
23:17 < iodev> user nobody
23:17 < iodev> group nobody
23:23 < Darkclaw> it looks like root is required to run openvpn
23:23 < Darkclaw> and then it drops privledges once it starts
23:24 < iodev> yep
23:25 < iodev> that's how it works
23:25 < Darkclaw> no problem, in that case it's working
23:25 < iodev> afaik openvpn uses udp/1194
23:26 < Darkclaw> the only other thing I am trying to resolve is having applications only use tun0 when they are explicitly specified to do so
23:26 < iodev> tun0 is global.
23:26 < iodev> all apps use it
23:26 < Darkclaw> for example, ktorrent lets me specify to use a network adapter but the other apps I don't want them to use that interface
23:27 < iodev> can't be done
23:27 < iodev> tun0 reroutes all traffic, no matter what ethernet adapter you specify
23:28 < iodev> Darkclaw: if you want only some apps, then you need a SOCKS5 proxy
23:28 < Darkclaw> oh, that makes sense. like a basic proxy running on the same server that forces to listen on the local interface
23:28 < iodev> no no no
23:28 < iodev> a proxy instead of a vpn
23:29 < iodev> if you use a vpn, everything goes through it
23:29 < iodev> if you use a proxy, only what you want goes  through it
23:29 < iodev> (unfortunately proxy is more insecure)
23:29 < Darkclaw> ahh I see. I am using one of those private VPN things for the first time
23:29 < iodev> are you on PIA?
23:30 < iodev> (PrivateInternetaccess?)
23:30 < Darkclaw> yes exactly
23:30 < iodev> yeah, they offer socks
23:30 < iodev> had them before
23:30 < Darkclaw> I tried using socks with ktorrent but it seems to not worked
23:32 < iodev> Darkclaw: did you try the socks in browser first?
23:33 < iodev> did you add user and password?
23:33 < iodev> (the generated one, not your p<number> one's password)
23:39 < Darkclaw> it's a bit concerning though the PIA is going to see all traffic
23:46 < iodev> the vpn provider always is
23:47 < Darkclaw> I guess I'll just need to kill the openvpn session when it's not in use
23:48 < iodev> yep
23:48 < iodev> I for one run it all the time
23:48 < iodev> almost all, you don't wanna have it running when you do home bank or other stuff
23:48 < iodev> or else your bank will think your account is being hacked :D
--- Day changed Tue Dec 26 2017
00:19 < Darkclaw> just one last thing I want to do to wrap this up. I think I need to use sudo to allow a non-root user to run openvpn. not sure how to do that
00:21 < iodev> don't do that
00:21 < iodev> then any app would be able to turn off your vpn
00:21 < iodev> really you should have vpn on at all time
02:11 < mipple> iodev: not necessarily, you can block-off users from messing with the networking
02:12 < mipple> like with iptables, you can make certain users see a whole different network
03:26 -!- mode/#openvpn [+o pekster] by ChanServ
03:26 -!- mode/#openvpn [+v-o pekster pekster] by pekster
10:58 < Darkclaw> how can I make certain apps on a linux environment not to use the tun0 with openvpn?
11:03 <+rob0> apps?  Sounds like a job for selinux.
11:05 < Darkclaw> well, as an example znc
11:05 < Darkclaw> I know the whole premise of openvpn is to route all traffic but in my case, it's just certain programs
11:08 <+rob0> by user you can -j MARK or -j CONNMARK packets, and have an ip rule ... fwmark to lookup an alternate route table.
11:08 <+rob0> also by destination or source port
11:09 < Darkclaw> sounds a bit complicated :)
11:09 <+rob0> what you're describing is indeed not simple
13:14 <@ecrist> !policy
13:14 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario, or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic
13:14 <@ecrist> Darkclaw: what you're actually referring to is policy-based-routing
13:14 <@ecrist> i.e. this port for this IP goes over VPN, everything else doesn't
13:55 < papadopoulos> On Ubuntu, is their a default client configuration file? I have a configuration file and I'm tired of specifying that specific file and it's location
14:22 <+rob0> maybe Ubuntu has documentation of how their startup handles openvpn?
14:41 < BoggGod> papadopoulos: is it not in the default location? /etc/openvpn/client.conf
17:13 < sultani> hi, can somebody help me with this message: WARNING: Failed to stat CRL file, not (re)loading CRL.
17:13 < sultani> It looks like everything is working but I would like to solve this "problem"
17:14 < b00kworm> Well it didn't find the certificate revokation list , did you specifiy any?
17:14 < sultani> sure :)
17:15 < sultani> "crl-verify      /etc/openvpn/easy-rsa/keys/crl.pem"
17:15 < b00kworm> Does it exist?
17:15 < b00kworm> Are the permissions set correctly?
17:18 < sultani> Yes it exists, and perm. 644
17:18 < sultani> openvpn is running as user nobody, but this user should be able to read the file
17:19 <+pekster> sultani: Check permissions on the parent directory structure and remember that if you --chroot, the path needs to exist relative to the modified root
17:19 -!- mode/#openvpn [-v pekster] by ChanServ
17:19 < b00kworm> Who's the owner, root?
17:19 < b00kworm> Indeed, although it needs the same perms on every directory in the tree
17:19 < b00kworm> Can you cat it as nobody?
17:19 < sultani> owner is root, right
17:20 < sultani> how can I test if I can cat it as nobody?
17:21 < b00kworm> sudo -u nobody cat /path/to/file
17:22 < sultani> oooh ok
17:22 < sultani> permission denied...
17:22 < sultani> thanks!
17:22 < sultani> I solve this first and I will check the log again
17:24 < sultani> my ca and server cert are in the same folder, and nobody has no access to it at the moment but my openvpn server is running and clients can connect...
17:24 < sultani> That's strange, or not?
17:25 < Darkclaw> do I need to do something with ping-exit to enable autodisconnect?
17:28 < b00kworm> sultani: well openvpn starts as root and then drops to the user you specifiy, so no, not surprising really
17:28 < sultani> bookworm: ah ok, I thought it is something like that
17:28 < b00kworm> Specify*
17:29 < sultani> thank you very much, problem is solved :)
17:29 < sultani> Warning is gone!
17:31 < b00kworm> Good, enjoy your [insert time of the day] then 😉
18:08 < sultani> bookworm: hehe, yes I will do that :)
20:15 < BenderRodriguez> is the openvpn source audited for security?
--- Log closed Tue Dec 26 20:21:59 2017
--- Log opened Tue Dec 26 20:22:41 2017
20:22 -!- Irssi: #openvpn: Total of 305 nicks [7 ops, 0 halfops, 5 voices, 293 normal]
20:22 -!- mode/#openvpn [+o ecrist_] by ChanServ
20:23 -!- Irssi: Join to #openvpn was synced in 31 secs
20:24 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
20:24 -!- mode/#openvpn [+o vpnHelper] by ChanServ
22:13 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 268 seconds]
23:07 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
23:07 -!- mode/#openvpn [+o krzee] by ChanServ
23:45 < mipple> I read OpenVPN does not support socks4 proxies, is there anyway to check whether I am attempting interface with a socks4 or 5 proxy?
--- Log opened Sat Dec 30 16:56:45 2017
16:56 -!- Irssi: #openvpn: Total of 310 nicks [6 ops, 0 halfops, 5 voices, 299 normal]
16:56 -!- mode/#openvpn [+o ecrist] by ChanServ
16:57 -!- Irssi: Join to #openvpn was synced in 18 secs
16:57 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
16:57 -!- mode/#openvpn [+o vpnHelper] by ChanServ
17:51 < cstk421> openvpn server with a public ip of 45.x.x.x and a local ip of 10.2.96.3.  My machine is on the vpn with ip 10.2.96.10.  the .3 is reachable as well as the 45.x from my machine.
17:51 < cstk421> for some reason i can ping and access the server's web gui and ssh but i cannot connect to it via sip
17:52 < cstk421> i dont have all traffic going through the tunnel
20:22 -!- Dougy [~dougy@openvpn/community/support/Dougy] has quit [Remote host closed the connection]
20:23 -!- Dougy [~dougy@openvpn/community/support/Dougy] has joined #openvpn
22:25 < genericsauce> anyone know why if I connect to my vpn normally first then disconnect and connect via some sort of obfuscation it will work but if I just connect via ssh tunnel or obfs4 it wont
22:26 < genericsauce> like if I try to just connect first it will connect fine but not resolve anything
23:01 < Jakethepython> Sun Dec 31 00:01:28 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
23:01 < Jakethepython> Sun Dec 31 00:01:28 2017 TLS Error: TLS handshake failed
23:01 < Jakethepython> Sun Dec 31 00:01:28 2017 SIGUSR1[soft,tls-error] received, process restarting
23:08 < Jakethepython> https://pastebin.com/Y6XCFgz6
23:08 < Jakethepython> Client Setup
23:11 < Jakethepython> https://pastebin.com/p857U0Fe
23:11 < Jakethepython> Server.conf
23:15 < Jakethepython> i'v been trying for days to get this to work.. i redid the keys today
23:30 < Jakethepython> where are the verb 4 logs kept?
23:31 < pekster> !logs
23:31 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
23:40 < pekster> specifically, you probably want:
23:40 < pekster> !logfile
23:40 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
23:40 < Jakethepython> !logs
23:40 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
23:42 < Jakethepython>  !logfile
23:50 < pekster> Just look above; I already asked for it, and it's not going to be different 2 minutes later
23:50 < pekster> !ping
23:50 <@vpnHelper> pong
23:51 < pekster> Oh, you put a space in front of the '!' character; it won't work like that
23:51 < Jakethepython> !logfile
23:51 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
--- Day changed Sun Dec 31 2017
00:01 < Jakethepython> https://pastebin.com/xj7zMqsr
00:03 < Jakethepython> https://pastebin.com/umf2U1a6
00:04 < pekster> Those don't look like generic OpenVPN logs. What is "OVPN 10 OUT"?
00:05 < pekster> Eithe way your HMAC still appears to be the problem, but if you're using something not generic OpenVPN, you'd need to consult its docs, or stop using it and use vanilla openvpn
00:06 < pekster> That's also not a complete verb4 logfile, so including that might reveal clues as to what you're actually running/using
00:06 < cremansor12> Hi, I need some advice or help, depending on how you take it. Im looking for an OpenVPN GUI
00:07 < cremansor12> The default one is a little crappy and most VPN servies tell us to use the average OpenVPN client to connect to their servers
00:07 < cremansor12> All the fancy GUI programs are for Windows users, not Linux
00:07 < cremansor12> Anyone have something where I can place all my 100's of .ovpn file and configure it to 1 username & password?
00:08 < pekster> There's not usually much love for frontends here, although Windows ships with one as Windows users tend to be quite averse to CLI tooling
00:08 < cremansor12> Private Internet Access is the only client with a good VPN client
00:08 < cremansor12> But NordVPN, ExpressVPN, any other VPN does not have one. Just use the commandline
00:09 <+hyper_ch> if you want to manage 100s of .ovpn files, you probably don want a gui
00:09 < Jakethepython> I have no idea what OVPN 10 OUT is. I might have made a bad  assumption but i thouhgt i was uing generic OpenVPN
00:09 < cremansor12> why not a GUI? I would like to select the server and hit connect
00:09 < cremansor12> not type the entire file name in a commandline
00:10 < pekster> Jakethepython: Look at the _first_ logs in the ouptut of --verb 4. If you're still confused, post the _full_ verb 4 log here (don't past things above verb 5, as >=6 can include sensitive data)
00:10 < pekster> So write a tiny script to do that?
00:10 < pekster> ./go-vpn service23
00:11 <+hyper_ch> or put it int /usr/bin and save the ./ part :)
00:12 <+hyper_ch> and as feature you could add tab-completion :)
00:13 < cremansor12> but for each server?
00:13 < pekster> Some folks have luck with network-manager or some other frontends (IIRC KDE had one, though I forget its name. kvpnc or something like that?) The interfaces may not scale to many dozens of selections though
00:13 < pekster> Yes, it's a trivial case statement to set the config file, and maybe custom options you need at the CLI
00:13 < cremansor12> im surprised something like OpenVPN doesnt have something like this
00:14 < cremansor12> in the age of dying net neutrality
00:15 < pekster> openvpn is a framework for setting up a VPN, not a privacy tool. Lots of frontends exist, just not as part of the de-facto project. That would also detract from openvpn's core purpose
00:19 < cremansor12> got an example pekster?
00:19 < cremansor12> because i cant find one
00:19 < cremansor12> not on github or google
00:19 < pekster> I just gave you 2
00:20 < Jakethepython> how do i get to the _first_logs of -verb 4. I guess I have been confused about logging the entire time this is my first time using open vpn
00:21 < JustStephIt> AirVPN has a ui
00:21 < pekster> Just log to a file and there it'll be
00:21 < pekster> --log /some/path/openvpn.log
00:22 < pekster> You clearly managed to find wherever your logs are going now. If that's syslog, you can use that too, just go back further in your syslogs
00:22 < JustStephIt> Also Norde VpN now has a Gui too just not as nice as AirVpn
00:23 < JustStephIt> Plus Norde also supports IpSWC
00:23 < JustStephIt> oops
00:23 < JustStephIt> IPSEC
00:26 < JustStephIt> You need to install  StrongSwan to use that sec method though.  All the others supply <place>.ovpn files
00:26 <+hyper_ch> but ovpn file is something windowsy.... linux just likes .conf files
00:27 < pekster> It can take whatever. This works just fine, albiet with a very poor naming convention: openvpn --config /bad/file/name.exe
00:27 < Jakethepython> https://paste.ubuntu.com/26291382/
00:27 <+hyper_ch> and for some reasons the android clients als expect .ovpn :(
00:27 < JustStephIt> No.  the network managers almost all support using that for config.  I use Mate but LXDE had it too.
00:28 < pekster> Jakethepython: There are no VPN logs in that, only systemd notes that it's _starting_ openvpn
00:29 < pekster> If you use --log, your logfiles go where they're directed
00:29 < Jakethepython> ok
00:33 < Jakethepython> https://paste.ubuntu.com/26291410/
00:33 < Jakethepython> these are the only 2 log files i see
00:34 < pekster> Again, that does NOT appear to be openvpn. No clue what you're using, but it's also not the start of the log
00:34 < pekster> Just run it at the CLI
00:34 < pekster> openvpn --config /your/config/here.conf --log /var/log/openvpn.log
00:34 < pekster> Then that'll be your logfile. This really isn't that hard
00:35 < JustStephIt> Did you fix your firewall issue shown in the previous log posted?
00:36 < pekster> not a firewall, most likely bad HMAC
00:36 < JustStephIt> The first log showed UFW which is Unified Fire Wall
00:37 < pekster> Wouldn't get to report a bad HMAC if the firewall dropped it
00:37 < pekster> ;)
00:37 < JustStephIt> UFW was blocking all IPs to the server
00:37 < pekster> Nope
00:40 < JustStephIt> Whats the server IP in the ovpn file
00:40 < pekster> You're really not helping, and that's not, at the moment, relevant
00:45 < JustStephIt> I believe that if we are all cival and polite anyone with significant experience should find multiple heads can often be very beneficial when working a problem. Differing perspectives and knowledge of different issues, etc.
00:46 < pekster> A firewall cannot be the problem because openvpn is processing and *rejecting* traffic
00:46 < pekster> This is not a matter of opinion
00:51 < Jakethepython> https://paste.ubuntu.com/26291457/
00:51 < pekster> So, your config file is incomplete
00:51 < pekster> Whatever you were starting before is obviously not using that config file
00:52 < Jakethepython> that is the log from the server side. so the server side log file is incomplete right?
00:52 < pekster> No, your config file is non-functional
00:52 < pekster> Or your're in the wrong directory
00:52 < pekster> Best to include a --cd option in your config if you don't qualify your paths
00:53 < pekster> Are those in /etc/openvpn, or somewhere else? Toss that line in your config (the 'cd /whever/your/crypto/bits/live' line) and try again
00:57 < Jakethepython> they are all in the etc/openvpn directory
00:57 < pekster> Then do what I said
00:58 < pekster> Or qualify your paths to each of the files that are listed
00:58 < JustStephIt> pekster: ok..  but are we good ? No offence intended.   ;-)
01:02 < pekster> No worries, this has simply been painful enough for OP without muddying things further with identifying non-issues
01:10 < Jakethepython> Options error: You must define TUN/TAP device (--dev)
01:10 < Jakethepython> Use --help for more information.
01:10 < Jakethepython> thats the only line in the log now
01:11 < pekster> That's mandatory
01:12 < pekster> Your original server conf you posted had that (line 5) so I've no clue why that's now missing for you
01:13 < Jakethepython> it still does
01:14 < Jakethepython> ;dev tap
01:14 < Jakethepython> dev tun
01:15 < Jakethepython> do  oyu want me to post my new server.conf?
01:15 < Jakethepython> or edited not noew
01:15 < Jakethepython> new
01:15 < pekster> Sure (comments redacted would be preferred)
01:15 < Jakethepython> yep
01:16 < Jakethepython> https://pastebin.com/nrzzibsE
01:21 < pekster> Yea, line 6. You have 'dev tun' which appears fine to me. 'openvpn --config /etc/openvpn/server.conf' should not complain about that
01:32 < Jakethepython> so now does it seem like its client not server side breaking?
01:33 < pekster> It doesn't
01:33 < Jakethepython> ok
01:33 < pekster> I've been saying all along whatever your log is does not look anything like openvpn. I've no clue if this is openvpn-AS, or some other awful wrapper, but "OVPN 10 OUT" is not something OpenVPN generates
01:33 < pekster> I suggested you start your server directly so you can confirm your HMAC is what you think it is
01:35 < Jakethepython> ok i will try that
01:42 < Jakethepython> openvpn.service - OpenVPN service
01:42 < Jakethepython>    Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
01:42 < genericsauce> !welcome
01:42 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for
01:42 <@vpnHelper> lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping
01:42 <@vpnHelper> you
01:44 < genericsauce> !goal
01:44 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:46 < genericsauce> I feel as if this bot should msg you this, but yeah VPN connects properly if I connect to it first normally then behind some sort of obfsucation but if I try without connecting to it normally it wont resolve anything
01:47 < pekster> Not directly openvpn's problem, I suspect. Sounds like something is screwing up your DNS at some point
01:48 < pekster> Or your routing tables are modified in such a way as to make the then-current DNS unreachable
01:49 < genericsauce> any clues where to start?
01:49 < pekster> Start by checking over both the DNS resolver configuration and the routing table when you experience problems
01:49 < pekster> Attempt to reach each of the listed DNS servers, and if that fails, check routes specifically to them
01:49 < pekster> And feel free to use the bot; that's what it's there for :)
01:50 < pekster> !privmsg
01:50 < pekster> Hmm, I thought it had a way to do that, but I've either forgot or that was a different bot
01:50 < pekster> !pm
01:50 < Jakethepython> what is the bot?
01:50 < pekster> Some Bot :P
01:50 < pekster> !ping
01:50 <@vpnHelper> pong
01:50 < pekster> !query
01:50 < pekster> Yea, no idea. Bot spam is quite welcome as it's a useful tool
01:51 < pekster> (to be clear, _that_ bot.)
01:51 <+hyper_ch> just be aware that bot might become sentinent
01:51 < pekster> https://xkcd.com/1046/
01:51 <@vpnHelper> Title: xkcd: Skynet (at xkcd.com)
01:51 < pekster> good bot.
01:52 < genericsauce> Il stop dnsmasq and see if that will help
01:53 < pekster> There are often OS or frontend (think network-manager or related tooling) that try to manipulate resolvers with configurations. Much of that is hidden behind dbus interaction, often meaning you don't know what your resolver is actually doing unless you ask the frontend(s) you're using
01:53 < pekster> Kind of a crummy way to do it, but hey, it's the modern systemd way to not tell users what's going on anymore
01:53 -!- LocaMocha is now known as JPMorgan
01:54 < genericsauce> im using wicd for network management
01:55 < genericsauce> and dnsmasq to cache dns results
01:55 <+hyper_ch> back in the last decade I also used wicd
01:56 -!- JPMorgan is now known as Sauvin
01:57 < pekster> It may have not gotten the memo about a DNS switch at some point
01:59 < genericsauce> funny thing is that im using the same dns servers for my normal connection too
01:59 < pekster> If that's an ISP-provided DNS, that most likely breaks if you route traffic elsewhere
01:59 <+hyper_ch> !configs
01:59 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
02:00 < pekster> Plus ISP DNS tends to suck badly; many people use better forwarders, like GoogleDNS
02:01 < genericsauce> naw using freedns
02:02 < pekster> Beware, many evil DNS resolvers insert ads in place of NXDOMAIN sites
02:03 < genericsauce> https://freedns.zone/en/
02:03 <@vpnHelper> Title: FreeDNS - your Open DNS (at freedns.zone)
02:03 < genericsauce> not too worried about that
02:06 < pekster> Seems quite a bit slower than google's stuff, but a quick test shows it's not outright evil :)
02:06 < genericsauce> better then google which is downright evil :P
02:09 < pekster> Devil I know. "Google Public DNS does not permanently store personally identifiable information." https://developers.google.com/speed/public-dns/privacy
02:09 <@vpnHelper> Title: Your Privacy | Public DNS | Google Developers (at developers.google.com)
02:10 < pekster> And at the end of the day, if someone in a position of power over Emerion WebHosting GmbH and/or Austria wanted your DNS queries, they could just demand the host (freedns) supply them, or introspect the traffic upstream
02:10 <+hyper_ch> I trust google more to keep personal data secure than other ompanies
02:10 < pekster> ^ basically, that
02:10 <+hyper_ch> dns over https is coming soon or something
02:10 < genericsauce> lol then we hang out different crowds :P
02:11 <+hyper_ch> ah, dns over tls
02:11 < pekster> RFC7858, currently a "proposed standard"
02:11 < genericsauce> https://hastebin.com/ewameluyad.pas
02:11 <@vpnHelper> Title: hastebin (at hastebin.com)
02:12 <+hyper_ch> genericsauce: that only gives me a blueish background
02:12 < genericsauce> so this is the difference between im guessing the read and recive before and after I connect to my vpn first
02:12 <+hyper_ch> genericsauce: and I'd need to enable google js apis
02:12 < genericsauce> uhhh it should have some next
02:12 <+hyper_ch> and you are worried about google tracking you?
02:13 < genericsauce> https://hastebin.com/raw/ewameluyad
02:14 < pekster> So, the r/R are reads, and w/W are writes, upper-case is encapsulated packets (tcp or udp) and lower-case are the tun/tap packets
02:15 < pekster> So the first line shows it's reading tun, writing to send encapsualted data, and not getting anything back in the first example
02:15 < pekster> ie: packets just aren't going anywhere
02:15 < pekster> (or aren't arriving, or the replies aren't coming back)
02:15 <+hyper_ch> [09:06] <genericsauce> better then google which is downright evil :P       +        [09:11] <genericsauce> https://hastebin.com/ewameluyad.pas       =     doesn't make sense :)
02:15 <@vpnHelper> Title: hastebin (at hastebin.com)
02:15 < pekster> Question seemed to make sense here
02:16 < pekster> <x doesn't work> <log of some differences between x and y>
02:16  * pekster points hyper_ch to the manpage and the --verb option if the letters are confusing
02:16 <+hyper_ch> pekster: me? fail to understand what you highlight me
02:17 < genericsauce> aight so if there are two configs, with the only difference being remote my.vpn.com 1939 and remote localhost 1234
02:17 < genericsauce> and if I connect to the first one, then disconnect and reconnect to the second
02:17 < genericsauce> and the second then works
02:18 < genericsauce> but if i try to connect to the second without connecting to the first and it gets that WrWrWr
02:18 < genericsauce> you still think its a dns issue
02:18 < pekster> The 2nd, as in localhost?
02:18 < genericsauce> yeah an obfs4 proxy
02:18 < pekster> Likely routing issue then
02:19 < pekster> Track down where those are going; might require some analysis of the routes
02:19 < pekster> Is this a Linux OS?
02:19 < genericsauce> yeah server debain client arch
02:19 < pekster> You'll find you can ask the routing table for where it would send data (and as what address) using 'ip route get 203.0.113.7' (for whatever your target IP is)
02:20 < pekster> Probably not a DNS issue if you get connected but then see that, since it's just a stream of attempts to send data with none coming back
02:20 < pekster> You said unable to resolve earlier, and that suggests one of DNS or routing trouble
02:21 < genericsauce> by target ip do you mean my vps or just some site
02:25 < pekster> Whatever the remote is on all those W packets
02:25 < pekster> The 'remote' value
02:26 < genericsauce> aight, imma try updating this laptop first. Didn't realise its been a week or so since iv -Syu'd
02:26 < pekster> "stuff gets written, never arrives." Do the usual troubleshooting to find out where it's getting routed and if that still gives no clues, a traceroute is always a good start, ideally keeping the target port the same
02:26 < pekster> same as the intended target, that is
02:37 < genericsauce> uh its vpsip via 10.8.0.5 dev tun0 src 10.8.0.6 uid 1000
02:37 < genericsauce> cache
02:42 < pekster> Sounds like you're missing a route to avoid sending the traffic to the VPN endpoint over the VPN
02:42 < pekster> (you can't do that ;)
02:42 < genericsauce> so what do I need to fix?
02:42 < pekster> How are you adjusting the routes? --redirect-gateway?
02:43 < pekster> Step 1) in that process should already have a /32 route to the 'remote' endpoint via your pre-existing gateway
02:43 < genericsauce> in client or server config?
02:44 < pekster> Client can specify that, or the server can push it (if the client pulls)
02:44 < pekster> So, "either", but it'll show in client logs either way
02:45 < genericsauce> !logs
02:45 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
02:45 < genericsauce> !logfile
02:45 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
02:46 < pekster> At --verb 4, you'll get quite a lot of setup detail after openvpn finishes parsing the configs, then more as the connect occurs
02:46 < pekster> The PUSH_REPLY is where anything pushed will go, and you'll notice that'll basically match what the server is (effectively) sending
02:46 < genericsauce> im lauching it with verb 5, are the log files any different then console output?
02:48 < pekster> Nope, just allows you to send logs where most convenient
02:48 < pekster> stdout, logfile, or syslog all produce the same output
02:57 < genericsauce> ix.io/Dzs
02:58 < genericsauce> the only thing that I can think of is the RTNETLINK answers: file already exists part
02:58 < genericsauce> but it does that when its working too
02:59 < pekster> You can't add a route to 127.0.0.1, so yea, that failure is expected
02:59 < pekster> Not via that IP anyway..
03:00 < genericsauce> so try commenting out push "dhcp-option DNS 37.235.1.174"
03:00 < genericsauce> and send it?
03:07 < pekster> You presuambly need an exception to continue to reach the first obfs endpoint (whatever the "far" side of 127.0.0.1:1234 is) after the --redirect-gateway occurs
03:07 < pekster> That's presumably why the writes after setup fail
03:10 < pekster> Originally: You -> ISP -> Internet.  After-obfs:  You -> [socks5] -> [obfs-endpoint] -> [Internet]  After-VPN-setup: You -> [openvpn] -> [socks5] -> Whopsie, tried to route out via new adjusted gateway route via VPN, but this traffic needs to go out to the obfs-endpoint!
03:11 < pekster> Hence all the W's and no R's in the printout
03:14 < genericsauce> but how would that be fixed by connecting to the vpn directly first
03:15 < genericsauce> thats whats getting me
03:18 < pekster> if all the obfs does is add a local socks5 listener, it's not touching the default gateway
03:19 < pekster> Add a route to your obfs endpoint via your non-VPN gateway and this all goes away
03:21 < genericsauce> http://ix.io/Dzu first connect no work, http://ix.io/Dzv second connect works, http://ix.io/Dzw thrid connect works
04:02 <@ordex> !welcome
04:02 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
04:02 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
04:02 <@ordex> ah he is back !
04:37 < |Mike|> yayyyyyyyyyyyyyyyyy ordex++
04:38 <@ordex> :D
09:37 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 248 seconds]
09:40 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
09:40 -!- mode/#openvpn [+o krzee] by ChanServ
11:11 < cstk421> trying to register a sip extension over the vpn to the local interface of a hosted vm.  I can reach the vm web interface, ssh, etc no problem but for some reason i get no response or see any attempt in the logs.  Thoughts ?
11:34 <+hyper_ch> hi krze
16:24 < semitones> hi friends, i am remaking my openvpn server onto a raspberry pi, and hereś a setting from the old setup i don't understand
16:24 < semitones> push "route 192.168.2.0 255.255.255.0"
16:24 < semitones> what does that do, and is it necessary?
16:34 <+rob0> it tells clients to route that network through the VPN.  It is necessary if you need that.  We don't know what you need.
16:58 -!- xMopxShell is now known as xMopx
18:23 < semitones> Also, can I send the .ovpn config files over email, and communicate the password offline?
19:51 -!- Irving- is now known as Kitler
19:55 -!- Kitler is now known as aleph-
21:22 < semitones> anyone have success using fail2ban and openvpn?
21:31 < semitones> https://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_with_OpenVPN
21:31 <@vpnHelper> Title: HOWTO fail2ban with OpenVPN - Fail2ban (at www.fail2ban.org)
--- Day changed Mon Jan 01 2018