gmane.network.openvpn.user

OpenVPN ethernet bridging

Otto Julio — 2012-05-24T00:32:54

Hi,

I have created 4 virtual machines (VMs) for purpose of testing OpenVPN
instalation and configuration before to implant it. These VMs are M1,
M2, M3, M4.
For installation of OpenVPN, I have followed this tutorial:
http://openvpn.net/index.php/open-source/documentation/howto.html. The
openvpn was installed on M2 (server) and M3 (client) and aparently is
working fine, but I'm not capable of execute ping command between VMs
that are in tunnel different sides.

Objective: provide comunication between M1 and M4.

The interfaces address of VMs are:

              eth0                   eth1
M1 - 192.168.1.2
M2 - 192,168.2.1   |   192.168.1.1
M3 - 192.168.2.2   |   192.168.1.11
M4 - 192.168.1.12

This is how VMs interfaces are connected:
M1 (eth0) <---> (eth1) M2 (eth0) <---> (eth0) M3 (eth1) <---> (eth0) M4.

When I ping M1 from M4, the arp request is delivered to M1 and the
response is generated by M1 on eth0. But the "tcpdump -ni eth1"
command on M2 don't show arp replies, show only the

Help with bridging setup

2012-05-23T16:31:21

Greetings All,

I'm having some trouble with bridging I can't quite figure out.  Here's
the scenario:

3 hosts, all Linux.  "Host 1" is the OpenVPN server.  It has a working
connection to "Host 2", which connects as a client.  This connection is a
normal routed ip connection.  "Host 3" is the host I wish to add to the
configuration.

Details:  "Host 2" has one public interface and two private interfaces. 
One of these private interfaces has it's subnet joined by routing to the
private subnet of "Host 1" via OpenVPN across the public interfaces.  This
works great.  "Host 2" also has another private interface, connected to a
switch with a bunch of WAPs on it.  This interface has no IP.  "Host 3"
has one public interface and one private interface.  It's private
interface is the gateway for a bunch of WAPs on one subnet.

The Goal: I'd like to connect the unnumbered interface on "Host 2" and
it's associated physical network to the private interface of "Host 3" via
a bridged connection over OpenVPN.  I have addit

update openssl

Bonno Bloksma — 2012-05-21T06:09:58

Hi,

I was wondering, after an openssl update like we had this weekend.....
If I just do apt-get update ; apt-get upgrade on a Debian machine will OpenVPN automatically use the new openssl or do I need to restart something?

I do not see any restart as being part of the upgrade process:
[....]
Unpacking replacement openssl ...
Processing triggers for man-db ...
Setting up libssl0.9.8 (0.9.8o-4squeeze13) ...
Setting up openssl (0.9.8o-4squeeze13) ...
root< at >lola2:~#

 
Bonno Bloksma
senior systeembeheerder

tio
university of applied sciences


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

bufferbloat in the tunnel

Brian J. Murrell — 2012-05-17T12:34:11

Hello,

I'm not sure if you folks have been, but I have been following the
progress on the great work being done over at www.bufferbloat.net to
find and eliminate bloated buffers that are the cause of huge latencies
with no benefit.

I followed Jim Gettys' advise on how to ensure you can control the
buffers at the bottleneck by making sure that queuing is happening on
your own gear using traffic shaping.  Well, to be honest, I have been
doing that for a lot longer than www.bufferbloat.net has been on the
case but it just happens to be one of their mitigating solutions (absent
codel).

Gettys also has some interesting experiments that one can do with an
interface's txqueuelen to demonstrate just how small a queue one really
can use on slow (read: Internet) links and still keep the pipe full and
since of course, the longer the queue, the higher the latency we want
that queue to be only as long as is needed to keep the pipe full.

Where this gets interesting and relevant to OpenVPN is that OpenVPN
configures a

Need to set an environment variable in openvpn fordebuggung

Ralf Hildebrandt — 2012-05-14T15:30:13

In order to debug an authentication issue with Kerberos, I need to do
this:


How can I set an environment variable for the authentication context -
doesn't openvpn purge the environment except for a few variables?

VPN disconnects if there is no traffic for a while- howto avoid?

Stefan Bauer — 2012-05-10T11:23:18

-----Ursprüngliche Nachricht-----
Von:Jan Just Keijser <janjust< at >nikhef.nl>

Hi,

Here is the log from the termination - any idea which option could cause that instantly?

Thu May 10 12:59:52 2012 us=963000 RECEIVED PING PACKET
Thu May 10 12:59:55 2012 us=100000 TUN READ [52]
Thu May 10 12:59:55 2012 us=100000 MSS: 1460 -> 1350
Thu May 10 12:59:55 2012 us=100000 TLS: tls_pre_encrypt: key_id=0
Thu May 10 12:59:55 2012 us=100000 TCPv4_CLIENT WRITE [101] to vpn-gw:2000: P_DATA_V1 kid=0 DATA len=100
Thu May 10 13:00:01 2012 us=106000 TUN READ [48]
Thu May 10 13:00:01 2012 us=106000 MSS: 1460 -> 1350
Thu May 10 13:00:01 2012 us=106000 TLS: tls_pre_encrypt: key_id=0
Thu May 10 13:00:01 2012 us=106000 TCPv4_CLIENT WRITE [101] to vpn-gw:2000: P_DATA_V1 kid=0 DATA len=100
Thu May 10 13:00:12 2012 us=213000 TLS: tls_pre_encrypt: key_id=0
Thu May 10 13:00:12 2012 us=213000 SENT PING
Thu May 10 13:00:12 2012 us=213000 TCPv4_CLIENT WRITE [69] to vpn-gw:2000: P_DATA_V1 kid=0 DATA len=68
Thu May 10 13:00:13 2012 us=399000

payload

2012-05-08T12:58:12

Hi all,

Just wondering:
With OpenVPN we mostly use the most basic protocols, like icmp, udp and tcp.

But how about others, like proto-4 (ip-in-ip), 8,9 (xGP) and 41,43,44,58,59 (IPv6), 50,51 (ESP,AH)

Just working (I assume), or any snags to be expected??


Hans

______________________________________________________________________
Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent i

VPN disconnects if there is no traffic for a while- howto avoid?

Stefan Bauer — 2012-05-08T06:47:16

Dear Developers&Users,

we're using openvpn-server on debian (2.1~rc11-1) and 2.1.4 and 2.2.2 for our windowsxp & win7 clients.

Here is the topology:

branch-office - > ipsec-site2site --> openvpn-server

users ------------ openvpn-tunnel --> openvpn-server

The users get randomly disconnected from openvpn if there is no traffic going forth and back for a while. If the user is running "top" on a remote machine to generate traffic, the tunnel is stable.

Please find the shortened client log attached.

We're using keepalive 10 600 to avoid that - unfortunately with no effect. Is there anything we can do?

Any help is greatly appreciated. Thank you in advance.

StefanWed May 02 11:05:42 2012 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Wed May 02 11:05:46 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed May 02 11:05:46 2012 LZO compression initialized
Wed May 02 11:05:46 2012 Control Channel MTU parms [ L:1560 D:140 E

behaviour when a second client connect with sameusername

Tobias Hachmer — 2012-05-05T21:47:41

Hello list,

what's happening if someone else tries to connect with the same 
username/password while the right client is connected?
Will openvpn catch this up?
If yes, will the connected be disconnected or will the second one be 
rejected?

Best regards,
Tobias Hachmer


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

Tunnel collapsing under TCP load

Yan Seiner — 2012-05-05T15:45:17

I have a tunnel going out to a client.  Periodically I run rsync over 
the tunnel to get data.  The tunnel becomes non-responsive.  It doesn't 
go away; it just fails to send information.  Same with ssh.  I can ssh 
into the machine but if I try to, say, cat /var/log/syslog the ssh 
connection freezes and then drops.

I am running a udp tunnel so it should not be a tcp-over-tcp problem.  I 
added fragment 1400 mssfix to the config files; no joy.

I have 2 other tunnels configured identically that work fine.  This one 
used to work fine until they made some changes to their ISP.  All of 
this points to a network problem, but I can floodping the client just 
fine.  The issue seems to be when the client tries to send information 
out over the the tunnel.

The bad tunnel:

root< at >debian:~# openvpn --version
OpenVPN 2.1.3 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] 
[PF_INET6] [eurephia] built on Apr 12 2011
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales< at >openvp

AUTO: John Asplin is out of office.

2012-05-05T09:00:12

I am out of the office until 21/05/2012.

I am currently out of the office.


Note: This is an automated response to your message  "Openvpn-users Digest,
Vol 72, Issue 1" sent on 05/05/2012 09:25:26.

This is the only notification you will receive while this person is away.


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

ns-cert-type not working?

Andre Ruiz — 2012-05-05T07:48:14

Hello list!

I'm having a hard time with ns-cert-type, it seems not to be working
as expected.

I understand that it is a security enhancement to check for types of
certificates of clients and servers, but if I want, could I use
"server"-type certificates on both sides? I would think it's just a
matter of not checking it or even specifying to expect type server on
both sides.

But it's not working. OpenVPN 2.2.1 and 2.2.2, both sides as
type=Server on the certificates, both sides without ns-cert-type check
(or with ns-cert-type server, it makes no difference), the error is
always the same:

May  5 04:38:10 vpbjz4 openvpn[6646]: 177.16.213.147:57137 VERIFY
ERROR: depth=0, error=unsupported certificate purpose:
/C=BR/O=Atendemos_Tecnologia_Ltda/OU=IT_Operations/CN=druid.vpn.atendemos
May  5 04:38:10 vpbjz4 openvpn[6646]: 177.16.213.147:57137 TLS_ERROR:
BIO read tls_read_plaintext error: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
May  5 04:38:10 vpbjz4 openvpn[6646]: 177.

using --passtos in conjunction with --fragment inOpenVPN 2.2.1

Frank Renwick — 2012-05-02T16:01:03

Hello,
 
We use openvpn for router-to-router tunneling in a hub-and-spoke VPN
deployment.
 
We utilize the --fragment option to avoid IP-layer fragmentation.
 
Recently we encountered a use case in which it became desirable to pass the
ToS Byte from the inner IP payload to the OpenVPN IP header  (we wish the
outer IP header to inheret the ToS byte of the payload datagram).
 
OpenVPN provides the --passtos option for this purpose, and when used
without also implementing the --fragment option it works as advertised in
our test lab.  However, when we implement --passtos and --fragment together,
the ToS byte of the inner payload datagram is not copied directly to the
OpenVPN IP header.  For example, if 0xB8 is the ToS byte value in the
original payload, then the OpenVPN IP header is 0xC0.
 
I suspect that this issue is related to the 4-byte reservation incurred by
exercising the --fragment option.  Is there anything we can do to enable us
to use both options in conjunction?
 
Thanks,
 
frank
 
Details of our ope

order on mssfix and fragment in the config file

Andy Wang — 2012-04-26T15:30:28

Hi All,
 
A quick (silly) question that I have:
 
In the wiki page, there is example for command line: 
--tun-mtu 1500 --fragment 1300 --mssfix

Does that mean that in the config file, (server/client.conf)
I have to put frament before the mssfix ? The following will NOT work:
(snipped of server/client.conf)
...
tun-mtu 1500
mssfix
fragment 1300


I would assume that there is no order requirement in either case.

Regards,
Andy

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

openvpn vs. UDP NAT

Les Mikesell — 2012-04-23T16:02:38

I'm trying to use openvpn from a remote windows host behind a NAT
router to an office location so we can connect through the tunnel with
VNC to manage it.   I used port 53, UCP since that was already open in
the firewalls. It came up working for a short time, but now it looks
like the return tunnel packets are being dropped by the remote NAT
router.  Are there any tricks to keeping this kind of connection up?

I have
keepaliave 30 120
ping-timer-rem
persist-tun
persist-key

But that doesn't seem to be enough.   Openvpn says it is connected,
tcpdump shows packets going back and forth, but I can't ping or
connect to the other tunnel endpoint.  I can't change the remote
router.  Should I have used TCP instead?

OpenSSL bug

Mike Tancsa — 2012-04-19T14:35:26

Has anyone looked at the potential impact on OpenVPN for this OpenSSL bug ?

http://www.openssl.org/news/secadv_20120419.txt

---Mike

VPN traffic drops for 5 to 10 seconds every 10minutes

Martijn Dekkers — 2012-04-18T14:15:30

Hi All,

I hope somebody can help out with a seriously vexing problem we have been
struggling with for some time.
We have an openvpn server, and 18 networks connecting to this server, all
networks can see all other networks. A few months ago, out of the blue, we
started seeing drops on the vpn, where all traffic just stops for anywhere
between 1 to 10 seconds, but most of the time 5 seconds, with a 10 second
drop being next common. This happens every 10.x minutes. We have tried many
things, including switching off the key renegotiation for some time, to get
to the root of this issue. As one of the traffic types on this network is
SIP, this obviously leads to frustrating problems for the users.

Running tcpdump, and importing the dump into wireshark, shows a clear drop
of all traffic for that period - i.e. no packets transmit or receive for
that time. Nothing shows in the vpn logs at all, no reconnect, no
renegotiation, nothing at all. dmesg is also clean, firewall works fine.
This is a busy server, and we ha

server an client setting in configfile

John Kuiper — 2012-04-17T07:30:58

Hello all,

I always thought that the configfile of openvpn was separated from each 
other. Both has their own settings.
No I learned from Jan Just Keijser that "gateway def1" can bet set in 
the server- or client configfile.
It's a plus for me, because I don't need a "VPN gateway" to send email, 
but my other colleagues does.

So, what is really the perpuse of these files (after sending the 
certificates for verification) and are there other settings (parameters) 
to be uses in the client configfile instead of server configfile.

Regards,
John

------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second 
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev

OpenVPN iroute inner working

Felix Berlakovich — 2012-04-16T21:00:42

Hi,

 
I am able to configure OpenVPN to do what I want but there is one question i just can’t figure out. Why is the iroute command necessary? Please don’t provide any links to the manual or instructions on how to use iroute since I am able to use iroute correctly. I am just interested in the inner working. I already tried to read the OpenVPN sourcecode but since it is very extensive and my Linux programming skills are rather limited I couldn’t figure out the need for iroute. 

 
My assumption is as follows: On a TAP interface the kernel first looks up the corresponding entry in the routing table, and then forwards the packet (with the destination mac address set to the gateway of the routing table, which might involve an ARP Request) through the TAP interface. My understanding of TAP ist hat it behaves mostly like a normal interface and therefore can be treated as such. In contrast to that Layer 2 communication is not possible on TUN interfaces and therefore no ARP request is possible. While

Using AES-NI in OpenVPN with OpenSSL 1.0.1

Martin Beck — 2012-04-14T22:47:30

Hi all,

I just upgraded from OpenSSL 0.9.8o to 1.0.1 hoping to get AES-NI 
support for OpenVPN that way. But using 'openssl speed' I found that 
AES-128-CBC throughput dropped from 242 MB/s to 102 MB/s. After some 
searching I found that AES-NI support was moved from an engine to the 
EVP layer and on console i could get speed up to 603 MB/s by calling 
'openssl speed -evp aes-128-cbc'.

Does anyone know how to enable that using OpenVPN? Or does OpenVPN 
already use OpenSSL's EVP API by default?

Thanks

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

need help configuring windows 7 openvpn client...

Oriol Gómez — 2012-04-13T11:48:47

Hi, all.
I've been trying to set up my OpenVpn network  to work on my windows 7
64 bits box. The server is using debian 6 with the latest openvpn
found in the apt repositories.
The problem is that windows 7 dosen't see the route interface. It
keeps popping up the typical route waiting for tun/tap interface
error. It is very strange because I have reinstalled he progra several
times with no success.
Here's the log and hopefully one of you can help me. :)

http://dl.dropbox.com/u/2142080/client.log

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2