<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.network.openvpn.user">
    <title>gmane.network.openvpn.user</title>
    <link>http://blog.gmane.org/gmane.network.openvpn.user</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33270"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33268"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33255"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33252"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33248"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33233"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33227"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33226"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33217"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33213"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33212"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33209"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33208"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33204"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33203"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33201"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33193"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33182"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33179"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openvpn.user/33177"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33270">
    <title>OpenVPN ethernet bridging</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33270</link>
    <description>&lt;pre&gt;Hi,

I have created 4 virtual machines (VMs) for the purpose of testing OpenVPN
installation and configuration before implanting it. These VMs are M1,
M2, M3, M4.
For installation of OpenVPN, I have followed this tutorial:
http://openvpn.net/index.php/open-source/documentation/howto.html. The
openvpn was installed on M2 (server) and M3 (client) and apparently is
working fine, but I'm not capable of executing the ping command between VMs
that are on different sides of the tunnel.

Objective: provide communication between M1 and M4.

The interface addresses of the VMs are:

              eth0                   eth1
M1 - 192.168.1.2
M2 - 192.168.2.1   |   192.168.1.1
M3 - 192.168.2.2   |   192.168.1.11
M4 - 192.168.1.12

This is how VMs interfaces are connected:
M1 (eth0) &amp;lt;---&amp;gt; (eth1) M2 (eth0) &amp;lt;---&amp;gt; (eth0) M3 (eth1) &amp;lt;---&amp;gt; (eth0) M4.

When I ping M1 from M4, the ARP request is delivered to M1 and the
response is generated by M1 on eth0. But the "tcpdump -ni eth1"
command on M2 doesn't show ARP replies; it shows only the ARP requests.

P.S. There is no firewall blocking traffic and the forwarding was activated.

Below I posted both M2 and M3 configuration.


***M2 configuration (OpenVPN server):

IFCONFIG
# ifconfig
br0       Link encap:Ethernet  HWaddr 08:00:27:6a:88:08
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe6a:8808/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5668 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1552 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:306299 (306.2 KB)  TX bytes:164663 (164.6 KB)

eth0      Link encap:Ethernet  HWaddr 08:00:27:9f:ec:2b
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe9f:ec2b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4523 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1298 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:638103 (638.1 KB)  TX bytes:166373 (166.3 KB)

eth1      Link encap:Ethernet  HWaddr 08:00:27:6a:88:08
          inet6 addr: fe80::a00:27ff:fe6a:8808/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1879 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:154502 (154.5 KB)  TX bytes:420042 (420.0 KB)

tap0      Link encap:Ethernet  HWaddr f2:30:ff:33:b6:a8
          inet6 addr: fe80::f030:ffff:fe33:b6a8/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:4014 errors:0 dropped:0 overruns:0 frame:0
          TX packets:454 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:258604 (258.6 KB)  TX bytes:53738 (53.7 KB)


BRCTL
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0800276a8808       no              eth1
                                                        tap0

OPENVPN.CONF
port 1194
proto udp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.1 255.255.255.0 192.168.1.11 192.168.1.11
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3




***M2 configuration (OpenVPN client):
IFCONFIG
# ifconfig
br0       Link encap:Ethernet  HWaddr 08:00:27:9e:6c:db
          inet addr:192.168.1.11  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe9e:6cdb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4410 errors:0 dropped:0 overruns:0 frame:0
          TX packets:187 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:220153 (220.1 KB)  TX bytes:19659 (19.6 KB)

eth0      Link encap:Ethernet  HWaddr 08:00:27:40:24:b0
          inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe40:24b0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1354 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5056 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:172542 (172.5 KB)  TX bytes:706873 (706.8 KB)

eth1      Link encap:Ethernet  HWaddr 08:00:27:9e:6c:db
          inet6 addr: fe80::a00:27ff:fe9e:6cdb/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:4478 errors:0 dropped:0 overruns:0 frame:0
          TX packets:435 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:277071 (277.0 KB)  TX bytes:57606 (57.6 KB)

tap0      Link encap:Ethernet  HWaddr 52:d5:c9:46:30:c5
          inet6 addr: fe80::50d5:c9ff:fe46:30c5/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:493 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4512 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:56269 (56.2 KB)  TX bytes:288594 (288.5 KB)


BRCTL
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0800279e6cdb       no              eth1
                                                        tap0

OPENVPN.CONF
client
dev tap0
proto udp
remote 192.168.2.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client1.crt
key /etc/openvpn/keys/client1.key
ns-cert-type server
comp-lzo
verb 3



Thanks for any help,
Otto Julio.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
&lt;/pre&gt;</description>
    <dc:creator>Otto Julio</dc:creator>
    <dc:date>2012-05-24T00:32:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33268">
    <title>Help with bridging setup</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33268</link>
    <description>&lt;pre&gt;Greetings All,

I'm having some trouble with bridging I can't quite figure out.  Here's
the scenario:

3 hosts, all Linux.  "Host 1" is the OpenVPN server.  It has a working
connection to "Host 2", which connects as a client.  This connection is a
normal routed ip connection.  "Host 3" is the host I wish to add to the
configuration.

Details:  "Host 2" has one public interface and two private interfaces. 
One of these private interfaces has its subnet joined by routing to the
private subnet of "Host 1" via OpenVPN across the public interfaces.  This
works great.  "Host 2" also has another private interface, connected to a
switch with a bunch of WAPs on it.  This interface has no IP.  "Host 3"
has one public interface and one private interface.  Its private
interface is the gateway for a bunch of WAPs on one subnet.

The Goal: I'd like to connect the unnumbered interface on "Host 2" and
its associated physical network to the private interface of "Host 3" via
a bridged connection over OpenVPN.  I have additional interfaces available
on "Host 3" if needed.

I've read through the howtos, and came up with the following config for
"Host 3":

-----8&amp;lt;----- /etc/openvpn/common.conf
secret /etc/openvpn/static.key
float
ping 10
verb 5
comp-lzo
persist-tun
persist-remote-ip
persist-key
-----8&amp;lt;----- /etc/openvpn/opentuns.sh
#!/bin/bash

/usr/sbin/brctl addbr br0
/usr/sbin/brctl addif br0 eth1

TAPS="public host2"

for name in $TAPS
do
    openvpn --mktun --dev tap$name
    brctl addif br0 tap$name
done

ifconfig eth2 0.0.0.0 promisc up

for name in $TAPS
do
    ifconfig tap$name 0.0.0.0 promisc up
done

ifconfig br0 privateip netmask 255.255.255.0 broadcast privatebc

exit 0
-----8&amp;lt;-----
#!/bin/bash

/etc/openvpn/opentuns.sh

VPN="openvpn --config /etc/openvpn/common.conf"

$VPN --dev tappublic --port 1194 --daemon tappublic
$VPN --dev taphost2 --port 4444 --daemon taphost2

exit 0
-----8&amp;lt;-----

In this case, on Host 3, eth0 is the public if, eth1 is the private.

On Host 2, I've got:
-----8&amp;lt;----- bridge.conf
dev tap0

remote host3pubip
port 4444

user openvpn
group openvpn

secret /etc/openvpn/static.key

ping 10
verb 5
comp-lzo

mute 10
-----8&amp;lt;-----

...and another working config for the routed ip part.

This tunnel comes up, or at least, connects and doesn't throw any error
messages, but the bridging isn't working.

Any ideas, input, etc. would be greatly appreciated!

Thanks,

-John



&lt;/pre&gt;</description>
    <dc:creator>john&lt; at &gt;hytronix.com</dc:creator>
    <dc:date>2012-05-23T16:31:21</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33255">
    <title>update openssl</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33255</link>
    <description>&lt;pre&gt;Hi,

I was wondering, after an openssl update like we had this weekend.....
If I just do apt-get update ; apt-get upgrade on a Debian machine will OpenVPN automatically use the new openssl or do I need to restart something?

I do not see any restart as being part of the upgrade process:
[....]
Unpacking replacement openssl ...
Processing triggers for man-db ...
Setting up libssl0.9.8 (0.9.8o-4squeeze13) ...
Setting up openssl (0.9.8o-4squeeze13) ...
root&amp;lt; at &amp;gt;lola2:~#

 
Bonno Bloksma
senior system administrator

tio
university of applied sciences


&lt;/pre&gt;</description>
    <dc:creator>Bonno Bloksma</dc:creator>
    <dc:date>2012-05-21T06:09:58</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33252">
    <title>bufferbloat in the tunnel</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33252</link>
    <description>&lt;pre&gt;Hello,

I'm not sure if you folks have been, but I have been following the
progress on the great work being done over at www.bufferbloat.net to
find and eliminate bloated buffers that are the cause of huge latencies
with no benefit.

I followed Jim Gettys' advice on how to ensure you can control the
buffers at the bottleneck by making sure that queuing is happening on
your own gear using traffic shaping.  Well, to be honest, I have been
doing that for a lot longer than www.bufferbloat.net has been on the
case but it just happens to be one of their mitigating solutions (absent
codel).

Gettys also has some interesting experiments that one can do with an
interface's txqueuelen to demonstrate just how small a queue one really
can use on slow (read: Internet) links and still keep the pipe full and
since of course, the longer the queue, the higher the latency we want
that queue to be only as long as is needed to keep the pipe full.

Where this gets interesting and relevant to OpenVPN is that OpenVPN
configures a default queue of 100 packets.  That's 100 packets of
buffering on top of the buffering that will be done at the egress
interface.  I have not tested that 100 packet queue length with Ethernet
(10/100/1000Mb/s) speeds but that 100 packets is far, far too high for
consumer grade internet connections (i.e. 512Kb/s-1Mb/s uplink) and was
resulting in huge latencies inside my VPN while latencies outside the
VPN (i.e. across the same Internet) link were being managed very well.

Anyway, for the tests and data:

I proved my shaping was working by pinging the router across my "last
mile" connection to the internet and then saturated my uplink and could
maintain a sub-30ms ping time, proving that I was indeed managing the
bottleneck queues.

I then moved the ping into the VPN and saturated the uplink inside the
VPN and was observing ping times on the order of 2000-3000ms or higher.
 I then tried reducing the txqueuelen on the tun0 interface in steps
down from 100 to 50 to 10 to 5 and eventually got down to a value of 1
on an uplink of 512Kb/s while maintaining full upstream bandwidth.  At a
txqueuelen of 1, pinging inside the tunnel was a nice respectable
20-30ms.  When I stepped it up to 2, it went to 100-200ms.  But clearly
since 1 still achieves full bandwidth, that is the "ideal" value.

On the other side of this OpenVPN tunnel the upstream is actually 1MB/s
and I did all of the preliminary tests described above to prove that I
was managing the bottleneck queue and repeated my steps in reducing the
tun0 txqueuelen and observing ping times.  I had to again get down all
the way to 1 to get ping times in the 20-30ms time range, but that was
at a cost of only utilizing half of the upstream bandwidth, which is not
acceptable.  So I bump the txqueuelen up to 2 and get full upstream
bandwidth utilization but at a cost of ~75ms latencies.

This all clearly fits well with Gettys' [paraphrased] mantra of "there
is no single correct value", indeed, so I don't know what I am
recommending here.  I don't know if 100 is even needed for Gige speeds
but maybe somebody wants to do that test.

I just thought I would share my findings for anyone else who is trying
to manage latency in their tunnels.

Cheers,
b.


_______________________________________________
Openvpn-users mailing list
Openvpn-users&amp;lt; at &amp;gt;lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
&lt;/pre&gt;</description>
    <dc:creator>Brian J. Murrell</dc:creator>
    <dc:date>2012-05-17T12:34:11</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33248">
    <title>Need to set an environment variable in openvpn for debugging</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33248</link>
    <description>&lt;pre&gt;In order to debug an authentication issue with Kerberos, I need to do
this:


How can I set an environment variable for the authentication context -
doesn't openvpn purge the environment except for a few variables?


&lt;/pre&gt;</description>
    <dc:creator>Ralf Hildebrandt</dc:creator>
    <dc:date>2012-05-14T15:30:13</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33233">
    <title>VPN disconnects if there is no traffic for a while- howto avoid?</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33233</link>
    <description>&lt;pre&gt;-----Original Message-----
From: Jan Just Keijser &amp;lt;janjust&amp;lt; at &amp;gt;nikhef.nl&amp;gt;

Hi,

Here is the log from the termination - any idea which option could cause that instantly?

Thu May 10 12:59:52 2012 us=963000 RECEIVED PING PACKET
Thu May 10 12:59:55 2012 us=100000 TUN READ [52]
Thu May 10 12:59:55 2012 us=100000 MSS: 1460 -&amp;gt; 1350
Thu May 10 12:59:55 2012 us=100000 TLS: tls_pre_encrypt: key_id=0
Thu May 10 12:59:55 2012 us=100000 TCPv4_CLIENT WRITE [101] to vpn-gw:2000: P_DATA_V1 kid=0 DATA len=100
Thu May 10 13:00:01 2012 us=106000 TUN READ [48]
Thu May 10 13:00:01 2012 us=106000 MSS: 1460 -&amp;gt; 1350
Thu May 10 13:00:01 2012 us=106000 TLS: tls_pre_encrypt: key_id=0
Thu May 10 13:00:01 2012 us=106000 TCPv4_CLIENT WRITE [101] to vpn-gw:2000: P_DATA_V1 kid=0 DATA len=100
Thu May 10 13:00:12 2012 us=213000 TLS: tls_pre_encrypt: key_id=0
Thu May 10 13:00:12 2012 us=213000 SENT PING
Thu May 10 13:00:12 2012 us=213000 TCPv4_CLIENT WRITE [69] to vpn-gw:2000: P_DATA_V1 kid=0 DATA len=68
Thu May 10 13:00:13 2012 us=399000 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
Thu May 10 13:00:13 2012 us=399000 TCPv4_CLIENT READ [0] from vpn-gw:2000: DATA UNDEF len=-1
Thu May 10 13:00:13 2012 us=399000 Connection reset, restarting [-1]

We only have keepalive 10 600 on client and server - so the interruption should kick in several minutes later.

We also have this line:

inactive 7200 153600

should only terminate after 2 hours if not at least 150kb have been transferred.


thank you

Stefan

&lt;/pre&gt;</description>
    <dc:creator>Stefan Bauer</dc:creator>
    <dc:date>2012-05-10T11:23:18</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33227">
    <title>payload</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33227</link>
    <description>&lt;pre&gt;Hi all,

Just wondering:
With OpenVPN we mostly use the most basic protocols, like icmp, udp and tcp.

But how about others, like proto-4 (ip-in-ip), 8,9 (xGP) and 41,43,44,58,59 (IPv6), 50,51 (ESP,AH)

Just working (I assume), or any snags to be expected??


Hans

______________________________________________________________________
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.

&lt;/pre&gt;</description>
    <dc:creator>J.Witvliet&lt; at &gt;mindef.nl</dc:creator>
    <dc:date>2012-05-08T12:58:12</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33226">
    <title>VPN disconnects if there is no traffic for a while- howto avoid?</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33226</link>
    <description>&lt;pre&gt;Dear Developers&amp;amp;Users,

we're using openvpn-server on debian (2.1~rc11-1) and 2.1.4 and 2.2.2 for our windowsxp &amp;amp; win7 clients.

Here is the topology:

branch-office - &amp;gt; ipsec-site2site --&amp;gt; openvpn-server

users ------------ openvpn-tunnel --&amp;gt; openvpn-server

The users get randomly disconnected from openvpn if there is no traffic going forth and back for a while. If the user is running "top" on a remote machine to generate traffic, the tunnel is stable.

Please find the shortened client log attached.

We're using keepalive 10 600 to avoid that - unfortunately with no effect. Is there anything we can do?

Any help is greatly appreciated. Thank you in advance.

Stefan

Wed May 02 11:05:42 2012 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Wed May 02 11:05:46 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed May 02 11:05:46 2012 LZO compression initialized
Wed May 02 11:05:46 2012 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed May 02 11:05:46 2012 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Wed May 02 11:05:46 2012 Attempting to establish TCP connection with 1.2.3.4:2000
Wed May 02 11:05:46 2012 TCP connection established with 1.2.3.4:2000
Wed May 02 11:05:46 2012 Socket Buffers: R=[8192-&amp;gt;8192] S=[8192-&amp;gt;8192]
Wed May 02 11:05:46 2012 TCPv4_CLIENT link local: [undef]
Wed May 02 11:05:46 2012 TCPv4_CLIENT link remote: 1.2.3.4:2000
Wed May 02 11:05:46 2012 TLS: Initial packet from 1.2.3.4:2000, sid=7fd18434 663fce94
Wed May 02 11:05:47 2012 VERIFY OK: depth=1, SSL-STUFF
Wed May 02 11:05:47 2012 VERIFY OK: nsCertType=SERVER
Wed May 02 11:05:47 2012 VERIFY OK: depth=0, SSL-STUFF
Wed May 02 11:05:48 2012 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed May 02 11:05:48 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 02 11:05:48 2012 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed May 02 11:05:48 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 02 11:05:48 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed May 02 11:05:48 2012 [Server] Peer Connection Initiated with 1.2.3.4:2000
Wed May 02 11:05:50 2012 SENT CONTROL [Server]: 'PUSH_REQUEST' (status=1)
Wed May 02 11:05:51 2012 PUSH: Received control message: 'PUSH_REPLY,network-stuff,topology net30,ping 10,ping-restart 600,route stuff vpn_gateway,ifconfig'
Wed May 02 11:05:51 2012 OPTIONS IMPORT: timers and/or timeouts modified
Wed May 02 11:05:51 2012 OPTIONS IMPORT: --ifconfig/up options modified
Wed May 02 11:05:51 2012 OPTIONS IMPORT: route options modified
Wed May 02 11:05:51 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed May 02 11:05:51 2012 ROUTE default_gateway=default-gw
Wed May 02 11:05:51 2012 TAP-Win32 Driver Version 9.6 
Wed May 02 11:05:51 2012 TAP-Win32 MTU=1500
Wed May 02 11:05:51 2012 Successful ARP Flush on interface [12] {CC83BAB7-6899-406A-B675-0E47DAFF8479}
Wed May 02 11:05:53 2012 TEST ROUTES: 11/11 succeeded len=10 ret=1 a=0 u/d=up
Wed May 02 11:05:53 2012 Initialization Sequence Completed
Wed May 02 11:41:08 2012 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
Wed May 02 11:41:08 2012 Connection reset, restarting [-1]
Wed May 02 11:41:08 2012 TCP/UDP: Closing socket
Wed May 02 11:41:08 2012 SIGUSR1[soft,connection-reset] received, process restarting
Wed May 02 11:41:08 2012 Restart pause, 5 second(s)
Wed May 02 11:41:13 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed May 02 11:41:13 2012 Re-using SSL/TLS context
Wed May 02 11:41:13 2012 LZO compression initialized
Wed May 02 11:41:13 2012 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed May 02 11:41:13 2012 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
&lt;/pre&gt;</description>
    <dc:creator>Stefan Bauer</dc:creator>
    <dc:date>2012-05-08T06:47:16</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33217">
    <title>behaviour when a second client connects with same username</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33217</link>
    <description>&lt;pre&gt;Hello list,

what's happening if someone else tries to connect with the same 
username/password while the right client is connected?
Will openvpn catch this up?
If yes, will the connected be disconnected or will the second one be 
rejected?

Best regards,
Tobias Hachmer


&lt;/pre&gt;</description>
    <dc:creator>Tobias Hachmer</dc:creator>
    <dc:date>2012-05-05T21:47:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33213">
    <title>Tunnel collapsing under TCP load</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33213</link>
    <description>&lt;pre&gt;I have a tunnel going out to a client.  Periodically I run rsync over 
the tunnel to get data.  The tunnel becomes non-responsive.  It doesn't 
go away; it just fails to send information.  Same with ssh.  I can ssh 
into the machine but if I try to, say, cat /var/log/syslog the ssh 
connection freezes and then drops.

I am running a udp tunnel so it should not be a tcp-over-tcp problem.  I 
added fragment 1400 mssfix to the config files; no joy.

I have 2 other tunnels configured identically that work fine.  This one 
used to work fine until they made some changes to their ISP.  All of 
this points to a network problem, but I can floodping the client just 
fine.  The issue seems to be when the client tries to send information 
out over the tunnel.

The bad tunnel:

root&amp;lt; at &amp;gt;debian:~# openvpn --version
OpenVPN 2.1.3 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] 
[PF_INET6] [eurephia] built on Apr 12 2011
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. &amp;lt;sales&amp;lt; at &amp;gt;openvpn.net&amp;gt;

client
dev tun
proto udp
mssfix
fragment 1400
remote xxx.com 1194
remote yyy.com 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca  /etc/openvpn/cert/keys/ca.crt
cert /etc/openvpn/cert/keys/client.crt
key  /etc/openvpn/cert/keys/client.key
comp-lzo
verb 3


The good tunnel:

apollodorus:~# openvpn --version
OpenVPN 2.1_rc4 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec  9 2007
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC &amp;lt;info&amp;lt; at &amp;gt;openvpn.net&amp;gt;

client
dev tun
proto udp
fragment 1400
mssfix
remote xxx.com 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca  /etc/openvpn/cert/keys/client-ca.crt
cert /etc/openvpn/cert/keys/tndbeaufort.crt
key  /etc/openvpn/cert/keys/tndbeaufort.key
comp-lzo
verb 3

Any ideas on where to look?

&lt;/pre&gt;</description>
    <dc:creator>Yan Seiner</dc:creator>
    <dc:date>2012-05-05T15:45:17</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33212">
    <title>AUTO: John Asplin is out of office.</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33212</link>
    <description>&lt;pre&gt;
I am out of the office until 21/05/2012.

I am currently out of the office.


Note: This is an automated response to your message  "Openvpn-users Digest,
Vol 72, Issue 1" sent on 05/05/2012 09:25:26.

This is the only notification you will receive while this person is away.


&lt;/pre&gt;</description>
    <dc:creator>john.asplin&lt; at &gt;horiba.com</dc:creator>
    <dc:date>2012-05-05T09:00:12</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33209">
    <title>ns-cert-type not working?</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33209</link>
    <description>&lt;pre&gt;Hello list!

I'm having a hard time with ns-cert-type, it seems not to be working
as expected.

I understand that it is a security enhancement to check for types of
certificates of clients and servers, but if I want, could I use
"server"-type certificates on both sides? I would think it's just a
matter of not checking it or even specifying to expect type server on
both sides.

But it's not working. OpenVPN 2.2.1 and 2.2.2, both sides as
type=Server on the certificates, both sides without ns-cert-type check
(or with ns-cert-type server, it makes no difference), the error is
always the same:

May  5 04:38:10 vpbjz4 openvpn[6646]: 177.16.213.147:57137 VERIFY
ERROR: depth=0, error=unsupported certificate purpose:
/C=BR/O=Atendemos_Tecnologia_Ltda/OU=IT_Operations/CN=druid.vpn.atendemos
May  5 04:38:10 vpbjz4 openvpn[6646]: 177.16.213.147:57137 TLS_ERROR:
BIO read tls_read_plaintext error: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
May  5 04:38:10 vpbjz4 openvpn[6646]: 177.16.213.147:57137 TLS Error:
TLS object -&amp;gt; incoming plaintext read error
May  5 04:38:10 vpbjz4 openvpn[6646]: 177.16.213.147:57137 TLS Error:
TLS handshake failed

All the places I read suggest that the error "unsupported certificate
purpose" is because the server is expecting the type "client" on the
client, and that I should fix the certificate.

But I have a situation where the same openvpn will act as server to
one endpoint and client to another, using the same certs, so there is
one of the tunnels where I will have two "server" types connecting to
each other. I do not mind turning that check off (and I know that I
could use two different certificates to work around that, but I would
like to know the reason as I think it should work).

Thanks!
Andre

--
Andre Ruiz  &amp;lt;andre.ruiz&amp;lt; at &amp;gt;gmail.com&amp;gt;
Curitiba, PR, Brasil
Tel +55 (41) 8407-3847

&lt;/pre&gt;</description>
    <dc:creator>Andre Ruiz</dc:creator>
    <dc:date>2012-05-05T07:48:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33208">
    <title>using --passtos in conjunction with --fragment in OpenVPN 2.2.1</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33208</link>
    <description>&lt;pre&gt;Hello,
 
We use openvpn for router-to-router tunneling in a hub-and-spoke VPN
deployment.
 
We utilize the --fragment option to avoid IP-layer fragmentation.
 
Recently we encountered a use case in which it became desirable to pass the
ToS Byte from the inner IP payload to the OpenVPN IP header (we wish the
outer IP header to inherit the ToS byte of the payload datagram).
 
OpenVPN provides the --passtos option for this purpose, and when used
without also implementing the --fragment option it works as advertised in
our test lab.  However, when we implement --passtos and --fragment together,
the ToS byte of the inner payload datagram is not copied directly to the
OpenVPN IP header.  For example, if 0xB8 is the ToS byte value in the
original payload, then the OpenVPN IP header is 0xC0.
 
I suspect that this issue is related to the 4-byte reservation incurred by
exercising the --fragment option.  Is there anything we can do to enable us
to use both options in conjunction?
 
Thanks,
 
frank
 
Details of our openvpn implementation are as follows:
OpenVPN 2.2.1 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia]
built on Sep 12 2011
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. &amp;lt;sales&amp;lt; at &amp;gt;openvpn.net&amp;gt;
 
  $ ./configure --build=i386-redhat-linux-gnu --host=i386-redhat-linux-gnu
--target=i686-redhat-linux-gnu --program-prefix= --prefix=/usr
--exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
--datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib
--libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib
--mandir=/usr/share/man --infodir=/usr/share/info --enable-pthread
--enable-password-save --enable-iproute2 --with-ifconfig-path=/sbin/ifconfig
--with-iproute-path=/sbin/ip --with-route-path=/sbin/route
 
Compile time defines:  ENABLE_CLIENT_SERVER ENABLE_DEBUG ENABLE_EUREPHIA
ENABLE_FRAGMENT ENABLE_HTTP_PROXY ENABLE_MANAGEMENT ENABLE_MULTIHOME
ENABLE_PASSWORD_SAVE ENABLE_PORT_SHARE ENABLE_SOCKS USE_CRYPTO USE_LIBDL
USE_LZO USE_PKCS11 USE_SSL
[root&amp;lt; at &amp;gt;router-195 ~]# 
 
&lt;/pre&gt;</description>
    <dc:creator>Frank Renwick</dc:creator>
    <dc:date>2012-05-02T16:01:03</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33204">
    <title>order on mssfix and fragment in the config file</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33204</link>
    <description>&lt;pre&gt;Hi All,
 
A quick (silly) question that I have:
 
In the wiki page, there is an example for the command line:
--tun-mtu 1500 --fragment 1300 --mssfix

Does that mean that in the config file (server/client.conf)
I have to put fragment before the mssfix? The following will NOT work:
(snippet of server/client.conf)
...
tun-mtu 1500
mssfix
fragment 1300


I would assume that there is no order requirement in either case.

Regards,
Andy

&lt;/pre&gt;</description>
    <dc:creator>Andy Wang</dc:creator>
    <dc:date>2012-04-26T15:30:28</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33203">
    <title>openvpn vs. UDP NAT</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33203</link>
    <description>&lt;pre&gt;I'm trying to use openvpn from a remote windows host behind a NAT
router to an office location so we can connect through the tunnel with
VNC to manage it.   I used port 53, UDP since that was already open in
the firewalls. It came up working for a short time, but now it looks
like the return tunnel packets are being dropped by the remote NAT
router.  Are there any tricks to keeping this kind of connection up?

I have
keepalive 30 120
ping-timer-rem
persist-tun
persist-key

But that doesn't seem to be enough.   Openvpn says it is connected,
tcpdump shows packets going back and forth, but I can't ping or
connect to the other tunnel endpoint.  I can't change the remote
router.  Should I have used TCP instead?

&lt;/pre&gt;</description>
    <dc:creator>Les Mikesell</dc:creator>
    <dc:date>2012-04-23T16:02:38</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33201">
    <title>OpenSSL bug</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33201</link>
    <description>&lt;pre&gt;Has anyone looked at the potential impact on OpenVPN for this OpenSSL bug ?

http://www.openssl.org/news/secadv_20120419.txt

---Mike
&lt;/pre&gt;</description>
    <dc:creator>Mike Tancsa</dc:creator>
    <dc:date>2012-04-19T14:35:26</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33193">
    <title>VPN traffic drops for 5 to 10 seconds every 10 minutes</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33193</link>
    <description>&lt;pre&gt;Hi All,

I hope somebody can help out with a seriously vexing problem we have been
struggling with for some time.
We have an openvpn server, and 18 networks connecting to this server, all
networks can see all other networks. A few months ago, out of the blue, we
started seeing drops on the vpn, where all traffic just stops for anywhere
between 1 to 10 seconds, but most of the time 5 seconds, with a 10 second
drop being next common. This happens every 10.x minutes. We have tried many
things, including switching off the key renegotiation for some time, to get
to the root of this issue. As one of the traffic types on this network is
SIP, this obviously leads to frustrating problems for the users.

Running tcpdump, and importing the dump into wireshark, shows a clear drop
of all traffic for that period - i.e. no packets transmit or receive for
that time. Nothing shows in the vpn logs at all, no reconnect, no
renegotiation, nothing at all. dmesg is also clean, firewall works fine.
This is a busy server, and we have increased txqueuelen and a bunch of
other tcp parameters, all to no avail.

For all intents and purposes, the machine (a VMWare ESXi VM) looks fine,
and connections not running over the VPN run without a hitch. We see no
increase in anything, and the drop is regular - like I said, every 10
minutes and a tiny bit (the minutes will roll over once a day, yesterday it
was on xx:x6, today it is on xx:x7). We see no increases in traffic or load
on this machine at all during the drop-outs.

Any help or pointers at this time would be greatly appreciated.

Thanks

Martijn

&lt;/pre&gt;</description>
    <dc:creator>Martijn Dekkers</dc:creator>
    <dc:date>2012-04-18T14:15:30</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33182">
    <title>server and client setting in configfile</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33182</link>
    <description>&lt;pre&gt;Hello all,

I always thought that the configfiles of openvpn were separate from each 
other. Both have their own settings.
Now I learned from Jan Just Keijser that "gateway def1" can be set in 
the server or client configfile.
It's a plus for me, because I don't need a "VPN gateway" to send email, 
but my other colleagues do.

So, what is really the purpose of these files (after sending the 
certificates for verification) and are there other settings (parameters) 
to be used in the client configfile instead of the server configfile?

Regards,
John

&lt;/pre&gt;</description>
    <dc:creator>John Kuiper</dc:creator>
    <dc:date>2012-04-17T07:30:58</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33179">
    <title>OpenVPN iroute inner working</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33179</link>
    <description>&lt;pre&gt;Hi,

 
I am able to configure OpenVPN to do what I want but there is one question I just can’t figure out. Why is the iroute command necessary? Please don’t provide any links to the manual or instructions on how to use iroute since I am able to use iroute correctly. I am just interested in the inner working. I already tried to read the OpenVPN source code but since it is very extensive and my Linux programming skills are rather limited I couldn’t figure out the need for iroute. 

 
My assumption is as follows: On a TAP interface the kernel first looks up the corresponding entry in the routing table, and then forwards the packet (with the destination MAC address set to the gateway of the routing table, which might involve an ARP request) through the TAP interface. My understanding of TAP is that it behaves mostly like a normal interface and therefore can be treated as such. In contrast to that, Layer 2 communication is not possible on TUN interfaces and therefore no ARP request is possible. While from the client's view there is just one other endpoint, from the server's view there may be many. Is it correct that iroute is needed in order to map clients to their subnets because of the lack of Layer 2 communication?

 
Thanks in advance

Felix.

 
&lt;/pre&gt;</description>
    <dc:creator>Felix Berlakovich</dc:creator>
    <dc:date>2012-04-16T21:00:42</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33177">
    <title>Using AES-NI in OpenVPN with OpenSSL 1.0.1</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33177</link>
    <description>&lt;pre&gt;Hi all,

I just upgraded from OpenSSL 0.9.8o to 1.0.1 hoping to get AES-NI 
support for OpenVPN that way. But using 'openssl speed' I found that 
AES-128-CBC throughput dropped from 242 MB/s to 102 MB/s. After some 
searching I found that AES-NI support was moved from an engine to the 
EVP layer and on the console I could get speed up to 603 MB/s by calling 
'openssl speed -evp aes-128-cbc'.

Does anyone know how to enable that using OpenVPN? Or does OpenVPN 
already use OpenSSL's EVP API by default?

Thanks

&lt;/pre&gt;</description>
    <dc:creator>Martin Beck</dc:creator>
    <dc:date>2012-04-14T22:47:30</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openvpn.user/33173">
    <title>need help configuring windows 7 openvpn client...</title>
    <link>http://comments.gmane.org/gmane.network.openvpn.user/33173</link>
    <description>&lt;pre&gt;Hi, all.
I've been trying to set up my OpenVPN network to work on my Windows 7
64-bit box. The server is using Debian 6 with the latest openvpn
found in the apt repositories.
The problem is that Windows 7 doesn't see the route interface. It
keeps popping up the typical route waiting for tun/tap interface
error. It is very strange because I have reinstalled the program several
times with no success.
Here's the log and hopefully one of you can help me. :)

http://dl.dropbox.com/u/2142080/client.log

&lt;/pre&gt;</description>
    <dc:creator>Oriol Gómez</dc:creator>
    <dc:date>2012-04-13T11:48:47</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.network.openvpn.user">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.network.openvpn.user</link>
  </textinput>
</rdf:RDF>

